diff mbox

[ovs-dev,RFC,2/8] ovn-northd: Split ACL and pre-ACL processing.

Message ID 1456727604-15784-3-git-send-email-guru@ovn.org
State Changes Requested
Headers show

Commit Message

Gurucharan Shetty Feb. 29, 2016, 6:33 a.m. UTC 
Future patches introduce more tables between
pre-ACL and ACL processing. As such, it looks
easier to separate these out into separate
functions to enhance code readability.

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
---
 ovn/northd/ovn-northd.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

Comments

Ben Pfaff March 14, 2016, 5:43 p.m. UTC | #1 
On Sun, Feb 28, 2016 at 10:33:18PM -0800, Gurucharan Shetty wrote:
> Future patches introduce more tables between
> pre-ACL and ACL processing. As such, it looks
> easier to separate these out into separate
> functions to enhance code readability.
> 
> Signed-off-by: Gurucharan Shetty <guru@ovn.org>

Acked-by: Ben Pfaff <blp@ovn.org>
diff mbox

Patch

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index d8e4824..4b2ac64 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -964,7 +964,8 @@  has_stateful_acl(struct ovn_datapath *od)
 }
 
 static void
-build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports)
+build_pre_acls(struct ovn_datapath *od, struct hmap *lflows,
+               struct hmap *ports)
 {
     bool has_stateful = has_stateful_acl(od);
     struct ovn_port *op;
@@ -975,12 +976,6 @@  build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports)
     ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 0, "1", "next;");
     ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;");
 
-    /* Ingress and Egress ACL Table (Priority 0): Packets are allowed by
-     * default.  A related rule at priority 1 is added below if there
-     * are any stateful ACLs in this datapath. */
-    ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;");
-    ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;");
-
     /* If there are any stateful ACL rules in this dapapath, we must
      * send all IP packets through the conntrack action, which handles
      * defragmentation, in order to match L4 headers. */
@@ -1016,7 +1011,21 @@  build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports)
          * the return traffic needs to be followed. */
         ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip", "ct_next;");
         ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip", "ct_next;");
+    }
+}
 
+static void
+build_acls(struct ovn_datapath *od, struct hmap *lflows)
+{
+    bool has_stateful = has_stateful_acl(od);
+
+    /* Ingress and Egress ACL Table (Priority 0): Packets are allowed by
+     * default.  A related rule at priority 1 is added below if there
+     * are any stateful ACLs in this datapath. */
+    ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;");
+    ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;");
+
+    if (has_stateful) {
         /* Ingress and Egress ACL Table (Priority 1).
          *
          * By default, traffic is allowed.  This is partially handled by
@@ -1126,7 +1135,8 @@  build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
             continue;
         }
 
-        build_acls(od, lflows, ports);
+        build_pre_acls(od, lflows, ports);
+        build_acls(od, lflows);
     }
 
     /* Logical switch ingress table 0: Admission control framework (priority