[ovs-git] [ovn-org/ovn] 209ea4: ovn-northd: Reduce number of flows generated for s...

Dumitru Ceara noreply at github.com
Fri Sep 11 13:32:20 UTC 2020


  Branch: refs/heads/master
  Home:   https://github.com/ovn-org/ovn
  Commit: 209ea46bbf9da51d18542c07aa687cd74652d6e2
      https://github.com/ovn-org/ovn/commit/209ea46bbf9da51d18542c07aa687cd74652d6e2
  Author: Dumitru Ceara <dceara at redhat.com>
  Date:   2020-09-11 (Fri, 11 Sep 2020)

  Changed paths:
    M northd/ovn-northd.8.xml
    M northd/ovn-northd.c
    M tests/ovn-northd.at
    M tests/ovn.at
    M tests/system-ovn.at

  Log Message:
  -----------
  ovn-northd: Reduce number of flows generated for stateful ACLs.

Introduce two new stages in the logical switch pipeline:
- ls_in_acl_hint
- ls_out_acl_hint

Flows in these stages match on various combinations of conntrack flags to
determine how traffic might be processed in the ACL stage. Four possible
hints are set (there may be more than one set at the same time per packet):
- REGBIT_ACL_HINT_ALLOW_NEW: the packet might match an allow-related ACL in
  which case it will have to commit or update a connection to conntrack.
- REGBIT_ACL_HINT_ALLOW: the packet might match an allow-related ACL but
  the session already exists so no commit will be needed.
- REGBIT_ACL_HINT_DROP: the packet might match a drop/reject ACL but the
  session already exists so no commit will be needed.
- REGBIT_ACL_HINT_BLOCK: the packet might match a drop/reject ACL in which
  case it will have to commit or update a connection in conntrack.

These hints are used in the ls_in_acl/ls_out_acl tables and simplify the
match expressions for logical flows generated for ACLs, reducing the number
of disjunctions in the match, therefore reducing the number of openflows
by a factor of 2 for allow-related ACLs and by a factor of 3 for drop/reject
ACLs.

Suggested-by: Han Zhou <hzhou at ovn.org>
Signed-off-by: Dumitru Ceara <dceara at redhat.com>
Acked-by: Mark Michelson <mmichels at redhat.com>
Signed-off-by: Numan Siddique <numans at ovn.org>



