@@ -4647,6 +4647,36 @@ build_lswitch_output_port_sec(struct hmap *ports, struct hmap *datapaths,
ds_destroy(&actions);
}
+static void
+build_pre_acl_flows_for_nbsp(struct ovn_datapath *od, struct hmap *lflows,
+ const struct nbrec_logical_switch_port *nbsp,
+ const char *json_key)
+{
+ /* Can't use ct() for router ports. Consider the following configuration:
+ * lp1(10.0.0.2) on hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a
+ * ping from lp1 to lp2, First, the response will go through ct() with a
+ * zone for lp2 in the ls2 ingress pipeline on hostB. That ct zone knows
+ * about this connection. Next, it goes through ct() with the zone for the
+ * router port in the egress pipeline of ls2 on hostB. This zone does not
+ * know about the connection, as the icmp request went through the logical
+ * router on hostA, not hostB. This would only work with distributed
+ * conntrack state across all chassis. */
+ struct ds match_in = DS_EMPTY_INITIALIZER;
+ struct ds match_out = DS_EMPTY_INITIALIZER;
+
+ ds_put_format(&match_in, "ip && inport == %s", json_key);
+ ds_put_format(&match_out, "ip && outport == %s", json_key);
+ ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+ ds_cstr(&match_in), "next;",
+  ->header_);
+ ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
+ ds_cstr(&match_out), "next;",
+  ->header_);
+
+ ds_destroy(&match_in);
+ ds_destroy(&match_out);
+}
+
static void
build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
{
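Review bot: The new build_pre_acl_flows_for_nbsp() has no header comment stating its contract; the block comment at the top of its body explains why router ports must skip ct(), but not what the function emits, and it now also serves the localnet port, which that comment does not mention. I would add above the signature `/* Adds priority-110 "next;" flows in S_SWITCH_IN_PRE_ACL and S_SWITCH_OUT_PRE_ACL so that IP traffic entering or leaving the port named by json_key bypasses conntrack; nbsp only supplies the flow hint. */`. As rendered here, the hint argument after each ovn_lflow_add_with_hint() call reads ` ->header_);`, which would not compile; since the removed lines pass `&op->nbsp->header_`, this is presumably `&nbsp->header_` lost in rendering, but it is worth confirming the patch applies cleanly. On style, both call sites pass the `nbsp`/`json_key` pair of one `struct ovn_port`, so taking `const struct ovn_port *op` and reading `op->nbsp` and `op->json_key` inside would keep the two arguments from drifting apart, unless a caller without an ovn_port is planned.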
@@ -4673,50 +4703,11 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
if (has_stateful) {
for (size_t i = 0; i < od->n_router_ports; i++) {
struct ovn_port *op = od->router_ports[i];
- /* Can't use ct() for router ports. Consider the
- * following configuration: lp1(10.0.0.2) on
- * hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a
- * ping from lp1 to lp2, First, the response will go
- * through ct() with a zone for lp2 in the ls2 ingress
- * pipeline on hostB. That ct zone knows about this
- * connection. Next, it goes through ct() with the zone
- * for the router port in the egress pipeline of ls2 on
- * hostB. This zone does not know about the connection,
- * as the icmp request went through the logical router
- * on hostA, not hostB. This would only work with
- * distributed conntrack state across all chassis. */
- struct ds match_in = DS_EMPTY_INITIALIZER;
- struct ds match_out = DS_EMPTY_INITIALIZER;
-
- ds_put_format(&match_in, "ip && inport == %s", op->json_key);
- ds_put_format(&match_out, "ip && outport == %s", op->json_key);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
- ds_cstr(&match_in), "next;",
- &op->nbsp->header_);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
- ds_cstr(&match_out), "next;",
- &op->nbsp->header_);
-
- ds_destroy(&match_in);
- ds_destroy(&match_out);
+ build_pre_acl_flows_for_nbsp(od, lflows, op->nbsp, op->json_key);
}
if (od->localnet_port) {
- struct ds match_in = DS_EMPTY_INITIALIZER;
- struct ds match_out = DS_EMPTY_INITIALIZER;
-
- ds_put_format(&match_in, "ip && inport == %s",
- od->localnet_port->json_key);
- ds_put_format(&match_out, "ip && outport == %s",
- od->localnet_port->json_key);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
- ds_cstr(&match_in), "next;",
- &od->localnet_port->nbsp->header_);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
- ds_cstr(&match_out), "next;",
- &od->localnet_port->nbsp->header_);
-
- ds_destroy(&match_in);
- ds_destroy(&match_out);
+ build_pre_acl_flows_for_nbsp(od, lflows, od->localnet_port->nbsp,
+ od->localnet_port->json_key);
}
/* Ingress and Egress Pre-ACL Table (Priority 110).
Signed-off-by: Ihar Hrachyshka <ihrachys@redhat.com>
---
northd/ovn-northd.c | 75 ++++++++++++++++++++-------------------
1 file changed, 33 insertions(+), 42 deletions(-)