[ovs-discuss] OVN SFC: Changes to include ACL based classifiers

Flaviof flavio at flaviof.com
Tue Nov 1 17:30:31 UTC 2016


On Tue, Nov 1, 2016 at 1:05 PM, John McDowall <
jmcdowall at paloaltonetworks.com> wrote:

> So we would have something like:
>
> $ ovn-nbctl acl-add sw0 to-lport 1003 'outport == "sw0-port1" && ip' sfc-action sfc-stage external_ids:lsp_chain_id="chain-id"
>
> The chain-id would be passed as metadata with the packet to the
> ls_in_chain stage where it would be processed according to the current
> state of its in/out ports in the chain.
>
>
>
> Where sfc is the stage and the action – would the SFC ACL Table have any
> other action other than SFC? It seems a little redundant – not sure if
> there is a better way though.
>
>

Right. If I understood correctly, the sfc-stage is optional and may be
something we may add later on to ACLs. For now, having it all in a single
stage will not invalidate that effort.

Using the example command, my main 'focus' is actually in regards to what
else goes as external_ids. I can see that besides 'lsp_chain_id', we will
need 'last_hop_port', and possibly 'bidirectional'. Sounds right?

I will send an email with a proposed schema+xml on this shortly.

-- flaviof


>
> Regards
>
> John
>
> *From: *Flaviof <flavio at flaviof.com>
> *Date: *Tuesday, November 1, 2016 at 6:53 AM
> *To: *Russell Bryant <russell at ovn.org>
> *Cc: *discuss <discuss at openvswitch.org>, John McDowall <
> jmcdowall at paloaltonetworks.com>, Russell Bryant <russell at russellbryant.net>,
> Farhad Sunavala <Farhad.Sunavala at huawei.com>
> *Subject: *Re: [ovs-discuss] OVN SFC: Changes to include ACL based classifiers
>
> On Tue, Nov 1, 2016 at 8:55 AM, Russell Bryant <russell at ovn.org> wrote:
>
>
>
>
>
> On Tue, Nov 1, 2016 at 11:09 AM, Flaviof <flavio at flaviof.com> wrote:
>
> [cc: John, Louis, Farhad, Russell]
>
> Hi folks,
>
> Picking up from where we left off at the summit [1], I took
> a stab at the nb schema changes to represent what I
> understood Russell and others saying on how we could
> use a secondary table of ACLs to serve as the SFC
> classifiers: [2].
>
>
>
> What I had in mind was proceeding with a proposal like this one where we
> change ACLs to have multiple stages.  This patch proposed two, but I think
> we later talked about extending it to have more (8 perhaps?).
>
>
>
> http://openvswitch.org/pipermail/dev/2016-July/076674.html
>
>
>
> Then if SFC was an ACL action, you could put it in any stage of ACLs you
> want, with other things before or after as desired.
>
>
>
>
>
> I see. I like that! Let me better understand the code changes from that
> email.
>
>
>
> Thanks,
>
>
>
> -- flaviof
>
>
>
>
>
> Does it look right to you? If so, I will start making the
> changes to incorporate that and obsolete the classifier based
> code [3]. I'm not sure if I will be able to migrate to this new
> table in time for the talk at OVSCon [4], but I will try.
>
>
>
> Thanks,
>
>
>
> -- flaviof
>
>
>
> [1]: https://etherpad.openstack.org/p/r.f7cebb215b63ae657d91a28ab0da42bf
>
>
>
> [2]: https://github.com/doonhammer/ovs/pull/3/commits/b10224a07de2970358eb5e105146ef1d5f5eca6d
>
>
>
> [3]: https://github.com/doonhammer/ovs/pull/3/commits/2ebea7881c523dd356cd043a24531c268bddf6b4#diff-2c35162acf6ad144624954fdc4c3d9f4R2505
>
>
>
> [4]: http://sched.co/8aZE
>
>
>
>
>
>
>
>
>
>
>
> --
>
> Russell Bryant
>
>
>