[ovs-git] [openvswitch/ovs] 3d2848: ovn: Support port groups in ACLs

GitHub noreply at github.com
Fri Apr 13 19:48:35 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 3d2848bafa93a2b483a4504c5de801454671dccf
      https://github.com/openvswitch/ovs/commit/3d2848bafa93a2b483a4504c5de801454671dccf
  Author: Han Zhou <zhouhan at gmail.com>
  Date:   2018-04-13 (Fri, 13 Apr 2018)

  Changed paths:
    M NEWS
    M include/ovn/expr.h
    M include/ovn/lex.h
    M ovn/controller/lflow.c
    M ovn/controller/lflow.h
    M ovn/controller/ofctrl.c
    M ovn/controller/ofctrl.h
    M ovn/controller/ovn-controller.c
    M ovn/lib/actions.c
    M ovn/lib/expr.c
    M ovn/lib/lex.c
    M ovn/northd/ovn-northd.c
    M ovn/ovn-nb.ovsschema
    M ovn/ovn-nb.xml
    M ovn/ovn-sb.ovsschema
    M ovn/ovn-sb.xml
    M ovn/utilities/ovn-trace.c
    M tests/ovn.at
    M tests/test-ovn.c

  Log Message:
  -----------
  ovn: Support port groups in ACLs

This patch enables using port group names in ACL match conditions.
Users can create a port group in the northbound DB Port_Group table,
and then use the name of the port group in ACL match conditions
for "inport" or "outport". It can help reduce the number of ACLs
for CMS clients such as OpenStack Neutron, for the use cases
where a group of logical ports share the same ACL rules except the
"inport"/"outport" part. Without this patch, the clients have to
create N (N = number of lports) ACLs, and this patch helps achieve
the same goal with only one ACL. E.g.:

to-lport 1000 "outport == @port_group1 && ip4.src == {IP1, IP2, ...}" allow-related

There was a similar attempt by Zong Kai Li in 2016 [1]. This patch
takes a slightly different approach by using weak refs instead of
strings, which requires a new table instead of reusing the address
set table. This way it will also benefit a follow-up patch that
enables generating address sets automatically from port groups to
avoid a lot of trouble from the client perspective [2].

An extra benefit of this patch is that it could enable conjunctive
match effectively. As reported at [3], this patch was tested together
with the conjunctive match enhancement patch [4], and a huge performance
improvement (more than 10x faster) was seen because of this.

[1] https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/077118.html
[2] https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046260.html
[3] https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/344873.html
[4] https://patchwork.ozlabs.org/patch/874433/

Reported-by: Daniel Alvarez Sanchez <dalvarez at redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html
Tested-by: Mark Michelson <mmichels at redhat.com>
Reviewed-by: Mark Michelson <mmichels at redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez at redhat.com>
Signed-off-by: Han Zhou <hzhou8 at ebay.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
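
As an added illustration (not code from this commit or from OVN), the following Python models the semantics the message describes: a name prefixed with "@" in an "inport"/"outport" comparison stands for the group's member ports, so one group ACL decides packets exactly as the N per-port ACLs it replaces. The port group, port names and IPs are constructed sample data.

```python
# Added illustration of the ACL semantics described in the commit message;
# this is not ovn-northd or ovn-controller code. "@name" on the right-hand
# side of an inport/outport comparison stands for the set of logical ports
# in the port group, so one group ACL replaces N single-port ACLs.
from dataclasses import dataclass

# Constructed sample data standing in for the northbound Port_Group table.
PORT_GROUPS = {"port_group1": ["lp1", "lp2", "lp3"]}


@dataclass(frozen=True)
class Acl:
    direction: str       # "from-lport" or "to-lport"
    priority: int
    port_expr: str       # right-hand side of "outport ==": '@port_group1' or '"lp1"'
    src_ips: frozenset   # ip4.src set literal the ACL allows
    action: str


def resolve_ports(port_expr, port_groups):
    """Expand '@name' to the group's member ports; a quoted name is one port."""
    if port_expr.startswith("@"):
        return frozenset(port_groups[port_expr[1:]])
    return frozenset([port_expr.strip('"')])


def match_string(acl):
    """Render the ACL match the way it is written in the northbound DB."""
    ips = ", ".join(sorted(acl.src_ips))
    return f"outport == {acl.port_expr} && ip4.src == {{{ips}}}"


def acl_matches(acl, port_groups, outport, ip4_src):
    """Evaluate a to-lport ACL against one (outport, ip4.src) pair."""
    return outport in resolve_ports(acl.port_expr, port_groups) and ip4_src in acl.src_ips


def expand_to_per_port(acl, port_groups):
    """The N single-port ACLs a CMS had to create before port groups existed."""
    return [Acl(acl.direction, acl.priority, f'"{p}"', acl.src_ips, acl.action)
            for p in sorted(resolve_ports(acl.port_expr, port_groups))]


def equivalent(group_acl, port_groups, packets):
    """True if the one group ACL decides every packet like the N expanded ACLs."""
    per_port = expand_to_per_port(group_acl, port_groups)
    return all(acl_matches(group_acl, port_groups, port, ip)
               == any(acl_matches(a, port_groups, port, ip) for a in per_port)
               for port, ip in packets)


GROUP_ACL = Acl("to-lport", 1000, "@port_group1", frozenset({"10.0.0.1", "10.0.0.2"}), "allow-related")
```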