From patchwork Fri Sep 11 18:36:26 2015
X-Patchwork-Submitter: Ben Pfaff
X-Patchwork-Id: 516931
From: Ben Pfaff
To: dev@openvswitch.org
Cc: Ben Pfaff
Date: Fri, 11 Sep 2015 11:36:26 -0700
Subject: [ovs-dev] [PATCH 2/3] ovn-northd: Minor logical flow table optimizations.
Message-Id: <1441996587-615-2-git-send-email-blp@nicira.com>
In-Reply-To: <1441996587-615-1-git-send-email-blp@nicira.com>
References: <1441996587-615-1-git-send-email-blp@nicira.com>

There's no need to add a priority-0 "drop" flow, because OVN logical flow
tables always drop non-matching packets.

There's no need to add a "drop" flow for ingress port security on disabled
logical ports, because no other flow would allow those packets; it's more
efficient to omit the logical flow entirely.

Finally, there's no need to add disabled logical ports to the MC_UNKNOWN
multicast group, since packets won't be delivered to a disabled logical
port anyway.  (This is just an optimization; the packets were dropped in
the egress pipeline anyway.)

Found by inspection.

Signed-off-by: Ben Pfaff
Acked-by: Justin Pettit
---
 ovn/northd/ovn-northd.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index a6572df..da7303e 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -744,22 +744,23 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths, /* Port security flows have priority 50 (see below) and will continue * to the next table if packet source is acceptable. */ - - /* Otherwise drop the packet. */ - ovn_lflow_add(&lflows, od, P_IN, S_IN_PORT_SEC, 0, "1", "drop;"); } /* Ingress table 0: Ingress port security (priority 50). */ struct ovn_port *op; HMAP_FOR_EACH (op, key_node, ports) { + if (!lport_is_enabled(op->nb)) { + continue; + } + struct ds match = DS_EMPTY_INITIALIZER; ds_put_cstr(&match, "inport == "); json_string_escape(op->key, &match); build_port_security("eth.src", op->nb->port_security, op->nb->n_port_security, &match); - ovn_lflow_add(&lflows, op->od, P_IN, S_IN_PORT_SEC, 50, ds_cstr(&match), - lport_is_enabled(op->nb) ? "next;" : "drop;"); + ovn_lflow_add(&lflows, op->od, P_IN, S_IN_PORT_SEC, 50, + ds_cstr(&match), "next;"); ds_destroy(&match); } @@ -816,8 +817,10 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths, ds_destroy(&actions); ds_destroy(&match); } else if (!strcmp(op->nb->macs[i], "unknown")) { - ovn_multicast_add(&mcgroups, &mc_unknown, op); - op->od->has_unknown = true; + if (lport_is_enabled(op->nb)) { + ovn_multicast_add(&mcgroups, &mc_unknown, op); + op->od->has_unknown = true; + } } else { static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
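
Review bot: In the first hunk (@@ -744,22 +744,23), the removal of `/* Otherwise drop the packet. */` together with the priority-0 flow leaves a comment that describes only the accept path ("will continue to the next table if packet source is acceptable"), and the new `if (!lport_is_enabled(op->nb)) { continue; }` has no comment at all. After this change, both the drop for unacceptable sources and the drop for disabled ports exist only as the absence of a matching flow in S_IN_PORT_SEC. I would keep a short comment at each place stating that the packet is dropped because nothing in this table matches it, so that a later patch adding a lower-priority or catch-all flow to this table is recognized as a change to port security rather than a harmless addition. A test that sends traffic from a disabled port and checks that it is dropped would pin the behaviour down.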
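
Review bot: In the second hunk (@@ -816,8 +817,10), `op->od->has_unknown = true;` now sits under the `lport_is_enabled(op->nb)` check along with `ovn_multicast_add(&mcgroups, &mc_unknown, op);`, but the commit message only talks about MC_UNKNOWN group membership. A datapath whose only "unknown" ports are disabled will now have `has_unknown` left unset, which is a change for whatever reads that flag; please say so in the commit message or in a comment on the new `if`. The nested form is the right shape here: folding the check into the `else if` condition would send a disabled "unknown" port into the final `else` branch with the rate-limited log, so a one-line comment noting that the nesting is deliberate would keep someone from "simplifying" it later.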