[ovs-dev] [PATCH ovn v3 2/3] ovn-northd: Optimize logical flow generation for reject ACLs.

Dumitru Ceara dceara at redhat.com
Mon Oct 19 11:03:32 UTC 2020


On 10/19/20 9:27 AM, numans at ovn.org wrote:
> From: Numan Siddique <numans at ovn.org>
> 
> ovn-northd adds the below lflows for a reject ACL with a match - M
> 
> match = (ip4 && tcp && 'M') action = tcp_reject{}
> match = (ip6 && tcp && 'M') action = tcp_reject{}
> match = (ip4 && 'M') action = icmp4{}
> match = (ip6 && 'M') action = icmp6{}
> 
> This approach has a couple of problems:
>    - ovn-controller can reject the lflows if there are invalid matches.
>      E.g., if match 'M' is - 'ip4 && udp'.
> 
>    - In a large scale deployment, this could result in a lot of invalid
>      logical flows and increase the size of the SB DB.
> 
> This patch addresses this problem by using the newly added reject OVN action.
> With this patch, there will be just one lflow for each reject ACL.
> 
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---

Acked-by: Dumitru Ceara <dceara at redhat.com>

Thanks,
Dumitru


