[ovs-discuss] Port Groups and DHCP lflows

Han Zhou zhouhan at gmail.com
Thu Jul 5 21:34:10 UTC 2018


On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez <dalvarez at redhat.com>
wrote:
>
> Hi Han, all
>
> While implementing Port Groups in OpenStack I have noticed that we are
> duplicating the lflows for the DHCP now with the current code. Seeking
> advice here:
>
> When we create a Neutron subnet, I'm creating a Port Group with the ACL
> for the DHCP:
>
> _uuid               : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> action              : allow
> direction           : from-lport
> external_ids        : {}
> log                 : false
> match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> name                : []
> priority            : 1002
> severity            : []
>
>
> This generates the proper lflow in the Logical_Flow table:
>
> _uuid               : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> actions             : "next;"
> external_ids        : {source="ovn-northd.c:3192", stage-hint="7f2b64eb", stage-name=ls_in_acl}
> logical_datapath    : e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> pipeline            : ingress
> priority            : 2002
> table_id            : 6
> hash                : 0
>
>
> However, all the ports belonging in that subnet also have a lflow for
> DHCP (different stages though)
>
> _uuid               : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> actions             : "next;"
> external_ids        : {source="ovn-northd.c:2579", stage-name=ls_in_port_sec_ip}
> logical_datapath    : 2b3126db-74d4-48a1-9e81-192066748de6
> match               : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\" && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> pipeline            : ingress
> priority            : 90
> table_id            : 1
> hash                : 0
>
>
> My questions are:
>
> 1) Do I really need to create the Port Group for every subnet just to
> take care of the DHCP?

Yes, I think it is the right way to do it in networking-ovn. Otherwise, we
will have to create per-port ACLs to allow DHCP. The examples you gave above
are NOT redundant flows; as you mentioned, they are in different stages (for
different purposes), and they will end up as ovs flows in different ovs
flow tables.

> 2) We have per-port DHCP lflows, is it worth implementing port groups
> around them too?

For the per-port DHCP flows in the port-security stage, they can't be "grouped"
because eth.src is in the match condition, which is different for each port.

>
> Thanks!
> Daniel
>
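
The grouping argument from the reply above, as an added example that is not part of the original message or of OVN's code: a simplified Python check of which per-port matches differ only in `inport` and can therefore be replaced by one `@port_group` match. The function names, the second port's UUID and MAC, and the per-port ACL list are constructed for illustration.

```python
# Simplified model: handles only flat "a && b == c" conjunctions like those
# quoted in the thread. The second port (UUID, MAC) is constructed sample data.
DHCP = "udp.src == 68 && udp.dst == 67"
PORT_SEC_FLOWS = [
    'inport == "240edf21-5a9c-4edd-98b5-8dadc343b9de" && eth.src == fa:16:3e:07:85:91'
    " && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && " + DHCP,
    'inport == "00000000-0000-0000-0000-000000000002" && eth.src == fa:16:3e:00:00:02'
    " && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && " + DHCP,
]
# Per-port ACLs that would be needed for DHCP if no port group were used.
ACL_TAIL = " && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && " + DHCP
PER_PORT_ACLS = [
    'inport == "240edf21-5a9c-4edd-98b5-8dadc343b9de"' + ACL_TAIL,
    'inport == "00000000-0000-0000-0000-000000000002"' + ACL_TAIL,
]

def parse_match(match):
    """Split a flat '&&' conjunction into {field: value}; bare terms map to True."""
    terms = {}
    for term in match.split("&&"):
        field, sep, value = term.strip().partition("==")
        terms[field.strip()] = value.strip() if sep else True
    return terms

def varying_fields(matches):
    """Return the fields whose value is not identical across all matches."""
    parsed = [parse_match(m) for m in matches]
    fields = set().union(*parsed)
    return {f for f in fields if len({p.get(f) for p in parsed}) > 1}

def groupable(matches):
    """True when the matches differ only in inport, so one port group covers them."""
    return varying_fields(matches) <= {"inport"}

def collapse(matches, pg_name):
    """Rewrite a groupable set of matches as a single '@port_group' match."""
    if not groupable(matches):
        raise ValueError("per-port fields differ: %s" % sorted(varying_fields(matches)))
    terms = parse_match(matches[0])
    terms["inport"] = "@" + pg_name
    return " && ".join(f if v is True else f"{f} == {v}" for f, v in terms.items())

if __name__ == "__main__":
    print(collapse(PER_PORT_ACLS, "pg_12070130_e7f0_47a7_aee2_cde2064e7a28"))
    print(sorted(varying_fields(PORT_SEC_FLOWS)))  # eth.src blocks grouping
```
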