[ovs-dev] [PATCH ovn v7 3/6] Spin out flow generation into build_pre_acl_flows
Ihar Hrachyshka
ihrachys at redhat.com
Wed May 13 13:38:50 UTC 2020
Signed-off-by: Ihar Hrachyshka <ihrachys at redhat.com>
---
northd/ovn-northd.c | 74 +++++++++++++++++++--------------------------
1 file changed, 31 insertions(+), 43 deletions(-)
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 339ed2dff..0236dcd5c 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -4680,6 +4680,35 @@ build_lswitch_output_port_sec(struct hmap *ports, struct hmap *datapaths,
ds_destroy(&actions);
}
+static void
+build_pre_acl_flows(struct ovn_datapath *od, struct ovn_port *op,
+ struct hmap *lflows)
+{
+ /* Can't use ct() for router ports. Consider the following configuration:
+ * lp1(10.0.0.2) on hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a
+ * ping from lp1 to lp2, First, the response will go through ct() with a
+ * zone for lp2 in the ls2 ingress pipeline on hostB. That ct zone knows
+ * about this connection. Next, it goes through ct() with the zone for the
+ * router port in the egress pipeline of ls2 on hostB. This zone does not
+ * know about the connection, as the icmp request went through the logical
+ * router on hostA, not hostB. This would only work with distributed
+ * conntrack state across all chassis. */
+ struct ds match_in = DS_EMPTY_INITIALIZER;
+ struct ds match_out = DS_EMPTY_INITIALIZER;
+
+ ds_put_format(&match_in, "ip && inport == %s", op->json_key);
+ ds_put_format(&match_out, "ip && outport == %s", op->json_key);
+ ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+ ds_cstr(&match_in), "next;",
+ &op->nbsp->header_);
+ ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
+ ds_cstr(&match_out), "next;",
+ &op->nbsp->header_);
+
+ ds_destroy(&match_in);
+ ds_destroy(&match_out);
+}
+
static void
build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
{
@@ -4705,51 +4734,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
* defragmentation, in order to match L4 headers. */
if (has_stateful) {
for (size_t i = 0; i < od->n_router_ports; i++) {
- struct ovn_port *op = od->router_ports[i];
- /* Can't use ct() for router ports. Consider the
- * following configuration: lp1(10.0.0.2) on
- * hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a
- * ping from lp1 to lp2, First, the response will go
- * through ct() with a zone for lp2 in the ls2 ingress
- * pipeline on hostB. That ct zone knows about this
- * connection. Next, it goes through ct() with the zone
- * for the router port in the egress pipeline of ls2 on
- * hostB. This zone does not know about the connection,
- * as the icmp request went through the logical router
- * on hostA, not hostB. This would only work with
- * distributed conntrack state across all chassis. */
- struct ds match_in = DS_EMPTY_INITIALIZER;
- struct ds match_out = DS_EMPTY_INITIALIZER;
-
- ds_put_format(&match_in, "ip && inport == %s", op->json_key);
- ds_put_format(&match_out, "ip && outport == %s", op->json_key);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
- ds_cstr(&match_in), "next;",
- &op->nbsp->header_);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
- ds_cstr(&match_out), "next;",
- &op->nbsp->header_);
-
- ds_destroy(&match_in);
- ds_destroy(&match_out);
+ build_pre_acl_flows(od, od->router_ports[i], lflows);
}
if (od->localnet_port) {
- struct ds match_in = DS_EMPTY_INITIALIZER;
- struct ds match_out = DS_EMPTY_INITIALIZER;
-
- ds_put_format(&match_in, "ip && inport == %s",
- od->localnet_port->json_key);
- ds_put_format(&match_out, "ip && outport == %s",
- od->localnet_port->json_key);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
- ds_cstr(&match_in), "next;",
- &od->localnet_port->nbsp->header_);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
- ds_cstr(&match_out), "next;",
- &od->localnet_port->nbsp->header_);
-
- ds_destroy(&match_in);
- ds_destroy(&match_out);
+ build_pre_acl_flows(od, od->localnet_port, lflows);
}
/* Ingress and Egress Pre-ACL Table (Priority 110).
--
2.26.2
More information about the dev
mailing list