[ovs-git] [ovn-org/ovn] 0e0228: northd: Add ACL label

Priyankar Jain noreply at github.com
Thu Aug 12 16:03:35 UTC 2021


  Branch: refs/heads/master
  Home:   https://github.com/ovn-org/ovn
  Commit: 0e0228beae38cccd2a3d2b00c2ffcad93d6a63e4
      https://github.com/ovn-org/ovn/commit/0e0228beae38cccd2a3d2b00c2ffcad93d6a63e4
  Author: Priyankar Jain <priyankar.jain at nutanix.com>
  Date:   2021-08-12 (Thu, 12 Aug 2021)

  Changed paths:
    M NEWS
    M lib/logical-fields.c
    M northd/ovn-northd.8.xml
    M northd/ovn-northd.c
    M northd/ovn_northd.dl
    M ovn-nb.ovsschema
    M ovn-nb.xml
    M tests/ovn-nbctl.at
    M tests/ovn-northd.at
    M tests/ovn.at
    M tests/system-ovn.at
    M utilities/ovn-nbctl.8.xml
    M utilities/ovn-nbctl.c

  Log Message:
  -----------
  northd: Add ACL label

Allow adding label to an ACL to identify which ACL allowed a particular
flow in the connection tracking table.

The ACL label covers 32 bits at the end of ct_label. Since only allowed
connections are committed, only "allow" and "allow-related" ACLs can
have the label.

If the ACL allowing the connection changes, the label associated with the
new ACL gets updated in the ct_label field. This is achieved by committing
every packet that hits the ACL with the label to the connection tracking
table.
In case the new ACL doesn't have a label, the ct_label field is not
cleared. This is done to prevent any performance change with ACLs that
don't have a label set.
For packets which hit an ACL without a label, the behaviour remains the
same as before with respect to the conntrack commit.

Performance:
We used ftrace to measure the time taken by an extra conntrack commit for
the packets hitting the ACL with label. We measured the time taken to
execute the ovs_ct_execute call inside the sock_sendmsg call.

ACL used:
 from-lport  2000 (tcp && ip4.src == 10.0.0.11 && ip4.dst == 10.0.0.12) allow-related --label=1234

It was observed that the extra ovs_ct_execute call accounted for 1-2%
of the round trip time (sock_sendmsg duration). The actual percentage
is expected to be smaller since it doesn't take into account the tracing
overhead, which is substantial for smaller functions.

Signed-off-by: Priyankar Jain <priyankar.jain at nutanix.com>
Acked-by: Numan Siddique <numans at ovn.org>
Signed-off-by: Numan Siddique <numans at ovn.org>
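The commit message above describes the label as a 32-bit field at the end of ct_label that only "allow"/"allow-related" ACLs may carry, that is re-committed on every packet hitting a labelled ACL, and that is left alone when an unlabelled ACL allows the flow. The following is an added example, not code from the OVN commit or the ovn-org/ovn project, that models those semantics in plain Python and reads a label back out of a conntrack dump line so an operator can tell which ACL admitted a flow. Assumptions: the label occupies the high 32 bits (bits 96..127) of the 128-bit ct_label (the commit only says "at the end"), and the dump line format is constructed here, with only the `labels=0x...` key=value token relied on.

```python
# Added example (not from the OVN commit): model the 32-bit ACL label that
# northd stores in ct_label and decode it from a conntrack dump line.
# ASSUMPTION: the label sits in the high 32 bits (96..127) of ct_label.
import re
from typing import List, Optional

CT_LABEL_BITS = 128
CT_LABEL_MAX = (1 << CT_LABEL_BITS) - 1
ACL_LABEL_BITS = 32
ACL_LABEL_SHIFT = CT_LABEL_BITS - ACL_LABEL_BITS          # 96 (assumed position)
ACL_LABEL_MASK = ((1 << ACL_LABEL_BITS) - 1) << ACL_LABEL_SHIFT

# Only allowed connections are committed, so only these actions can label.
LABEL_CAPABLE_ACTIONS = frozenset({"allow", "allow-related"})


def validate_acl(action: str, label: int) -> None:
    """Reject the action/label combinations the commit message rules out."""
    if not 0 <= label < (1 << ACL_LABEL_BITS):
        raise ValueError(f"label {label} does not fit in {ACL_LABEL_BITS} bits")
    if label and action not in LABEL_CAPABLE_ACTIONS:
        raise ValueError(f"action {action!r} cannot carry a label")


def set_acl_label(ct_label: int, label: int) -> int:
    """Write `label` into the label field, leaving every other ct_label bit as is."""
    cleared = ct_label & (CT_LABEL_MAX ^ ACL_LABEL_MASK)
    return cleared | (label << ACL_LABEL_SHIFT)


def get_acl_label(ct_label: int) -> int:
    """Extract the ACL label field from a ct_label value."""
    return (ct_label & ACL_LABEL_MASK) >> ACL_LABEL_SHIFT


def apply_acl_hit(ct_label: int, action: str, label: int) -> int:
    """Model what a packet hitting an allowing ACL does to the stored ct_label.

    A labelled ACL re-commits the packet, so the stored label follows the ACL
    currently allowing the flow.  An unlabelled ACL (label == 0) does not
    clear the field, so an older label survives until a labelled ACL writes.
    """
    validate_acl(action, label)
    if label == 0:
        return ct_label
    return set_acl_label(ct_label, label)


_LABELS_RE = re.compile(r"labels=0x([0-9a-fA-F]+)")


def acl_label_from_dump_line(line: str) -> Optional[int]:
    """Return the ACL label encoded in a dump line's labels=0x... token, or
    None when the line has no labels field (never committed with a label)."""
    m = _LABELS_RE.search(line)
    if not m:
        return None
    return get_acl_label(int(m.group(1), 16))


def labels_in_dump(lines: List[str]) -> List[Optional[int]]:
    """Decode every line of a dump; one entry per line."""
    return [acl_label_from_dump_line(line) for line in lines]


# Constructed sample lines (not real ovs-appctl output).  The first flow was
# admitted by the commit message's example ACL (--label=1234); the second
# has no labels field at all.
SAMPLE_DUMP = [
    "tcp,orig=(src=10.0.0.11,dst=10.0.0.12,sport=40000,dport=80),"
    f"labels=0x{1234 << ACL_LABEL_SHIFT:x}",
    "tcp,orig=(src=10.0.0.11,dst=10.0.0.12,sport=40001,dport=22)",
]


if __name__ == "__main__":
    flow = apply_acl_hit(0, "allow-related", 1234)
    print(hex(flow), get_acl_label(flow))
    # A later unlabelled allow ACL leaves the stored label in place.
    print(get_acl_label(apply_acl_hit(flow, "allow", 0)))
    print(labels_in_dump(SAMPLE_DUMP))
```

Because an unlabelled ACL never clears the field, a decoded label only tells you which labelled ACL most recently committed the flow, not that the same ACL is still the one allowing it; the `apply_acl_hit` model makes that caveat visible.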
