[ovs-dev] [PATCH ovn v2 3/3] ovn-northd: Optimize logical flow generation for reject ACLs.

Dumitru Ceara dceara at redhat.com
Wed Oct 14 10:27:50 UTC 2020


On 10/14/20 11:15 AM, numans at ovn.org wrote:
> From: Numan Siddique <numans at ovn.org>
> 
> ovn-northd adds the below lflows for a reject ACL with a match - M
> 
> match = (ip4 && tcp && 'M') action = tcp_reject{}
> match = (ip6 && tcp && 'M') action = tcp_reject{}
> match = (ip4 && 'M') action = icmp4{}
> match = (ip6 && 'M') action = icmp6{}
> 
> This approach has a couple of problems:
>    - ovn-controller can reject the lflows if there are invalid matches.
>      Eg. If match 'M' is - 'ip4 && udp'.
> 
>    - In a large scale deployment, this could result in a lot of invalid
>      logical flows and increase the size of the SB DB.
> 
> This patch addresses this problem by using the newly added reject OVN action.
> With this patch, there will be just one lflow for each reject ACL.
> 
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---

This is nice!  However, I'm waiting with the ack until the discussion on patch
2/3 is concluded.

Thanks,
Dumitru


