
[ovs-dev,3/3] ovn-northd: Document logical flow table structure.

Message ID 1441996587-615-3-git-send-email-blp@nicira.com
State Accepted

Commit Message

Ben Pfaff Sept. 11, 2015, 6:36 p.m. UTC
Signed-off-by: Ben Pfaff <blp@nicira.com>
---
 ovn/northd/ovn-northd.8.xml | 106 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)

Comments

Justin Pettit Sept. 11, 2015, 8:54 p.m. UTC | #1
Looks good.  Thanks for writing it!  Do you think we should put a comment in build_lflows() that says to update this file?

Acked-by: Justin Pettit <jpettit@nicira.com>

--Justin


> On Sep 11, 2015, at 11:36 AM, Ben Pfaff <blp@nicira.com> wrote:
> 
> Signed-off-by: Ben Pfaff <blp@nicira.com>
> ---
> ovn/northd/ovn-northd.8.xml | 106 ++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 106 insertions(+)
> 
> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> index 316f729..1655958 100644
> --- a/ovn/northd/ovn-northd.8.xml
> +++ b/ovn/northd/ovn-northd.8.xml
> @@ -100,4 +100,110 @@
>       </dl>
>     </p>
> 
> +    <h1>Logical Flow Table Structure</h1>
> +
> +    <p>
> +      One of the main purposes of <code>ovn-northd</code> is to populate the
> +      <code>Logical_Flow</code> table in the <code>OVN_Southbound</code>
> +      database.  This section describes how <code>ovn-northd</code> does this
> +      for logical datapaths.
> +    </p>
> +
> +    <h2>Ingress Table 0: Admission Control and Ingress Port Security</h2>
> +
> +    <p>
> +      Ingress table 0 contains these logical flows:
> +    </p>
> +
> +    <ul>
> +      <li>
> +        Priority 100 flows to drop packets with VLAN tags or multicast Ethernet
> +        source addresses.
> +      </li>
> +
> +      <li>
> +        Priority 50 flows that implement ingress port security for each enabled
> +        logical port.  For logical ports on which port security is enabled,
> +        these match the <code>inport</code> and the valid <code>eth.src</code>
> +        address(es) and advance only those packets to the next flow table.  For
> +        logical ports on which port security is not enabled, these advance all
> +        packets that match the <code>inport</code>.
> +      </li>
> +    </ul>
> +
> +    <p>
> +      There are no flows for disabled logical ports because the default-drop
> +      behavior of logical flow tables causes packets that ingress from them to
> +      be dropped.
> +    </p>
> +
> +    <h2>Ingress table 1: <code>from-lport</code> ACLs</h2>
> +
> +    <p>
> +      Logical flows in this table closely reproduce those in the
> +      <code>ACL</code> table in the <code>OVN_Northbound</code> database for
> +      the <code>from-lport</code> direction.  <code>allow</code> and
> +      <code>allow-related</code> ACLs translate into logical flows with the
> +      <code>next;</code> action, others to <code>drop;</code>.  The
> +      <code>priority</code> values from the <code>ACL</code> table are used
> +      directly.
> +    </p>
> +
> +    <p>
> +      Ingress table 1 also contains a priority 0 flow with action
> +      <code>next;</code>, so that ACLs allow packets by default.
> +    </p>
> +
> +    <h2>Ingress Table 2: Destination Lookup</h2>
> +
> +    <p>
> +      This table implements switching behavior.  It contains these logical
> +      flows:
> +    </p>
> +
> +    <ul>
> +      <li>
> +        A priority-100 flow that outputs all packets with an Ethernet broadcast
> +        or multicast <code>eth.dst</code> to the <code>MC_FLOOD</code>
> +        multicast group, which <code>ovn-northd</code> populates with all
> +        enabled logical ports.
> +      </li>
> +
> +      <li>
> +        One priority-50 flow that matches each known Ethernet address against
> +        <code>eth.dst</code> and outputs the packet to the single associated
> +        output port.
> +      </li>
> +
> +      <li>
> +        One priority-0 fallback flow that matches all packets and outputs them
> +        to the <code>MC_UNKNOWN</code> multicast group, which
> +        <code>ovn-northd</code> populates with all enabled logical ports that
> +        accept unknown destination packets.  As a small optimization, if no
> +        logical ports accept unknown destination packets,
> +        <code>ovn-northd</code> omits this multicast group and logical flow.
> +      </li>
> +    </ul>
> +
> +    <h2>Egress Table 0: <code>to-lport</code> ACLs</h2>
> +
> +    <p>
> +      This is similar to ingress table 1 except for <code>to-lport</code> ACLs.
> +    </p>
> +
> +    <h2>Egress Table 1: Egress Port Security</h2>
> +
> +    <p>
> +      This is similar to the ingress port security logic in ingress table 0,
> +      but with important differences.  Most obviously, <code>outport</code> and
> +      <code>eth.dst</code> are checked instead of <code>inport</code> and
> +      <code>eth.src</code>.  Second, packets directed to broadcast or multicast
> +      <code>eth.dst</code> are always accepted instead of being subject to the
> +      port security rules; this is implemented through a priority-100 flow that
> +      matches on <code>eth.dst[40]</code> with action <code>output;</code>.
> +      Finally, to ensure that even broadcast and multicast packets are not
> +      delivered to disabled logical ports, a priority-150 flow for each
> +      disabled logical <code>outport</code> overrides the priority-100 flow
> +      with a <code>drop;</code> action.
> +    </p>
> </manpage>
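Review bot: The from-lport ACL paragraph in this hunk says that both allow and allow-related translate into next; but does not say that the two are therefore indistinguishable in the generated flows, so a reader will assume allow-related adds stateful return-traffic handling that nothing described here implements. Suggest stating it explicitly, e.g. "At present allow-related is treated identically to allow; no connection tracking is applied." Related: the same paragraph says ACL priority values are used directly and that the table also carries a priority 0 next; default, so an ACL written with priority 0 would tie with that default; either document which one wins or note that ACL priorities are expected to be above 0.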
> -- 
> 2.1.3
> 
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
Ben Pfaff Sept. 11, 2015, 10:13 p.m. UTC | #2
On Fri, Sep 11, 2015 at 01:54:45PM -0700, Justin Pettit wrote:
> Looks good.  Thanks for writing it!  Do you think we should put a
> comment in build_lflows() that says to update this file?

Done, thanks for the reminder.

> Acked-by: Justin Pettit <jpettit@nicira.com>

Thanks, I applied this to master.

Patch

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index 316f729..1655958 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -100,4 +100,110 @@ 
       </dl>
     </p>
 
+    <h1>Logical Flow Table Structure</h1>
+
+    <p>
+      One of the main purposes of <code>ovn-northd</code> is to populate the
+      <code>Logical_Flow</code> table in the <code>OVN_Southbound</code>
+      database.  This section describes how <code>ovn-northd</code> does this
+      for logical datapaths.
+    </p>
+
+    <h2>Ingress Table 0: Admission Control and Ingress Port Security</h2>
+
+    <p>
+      Ingress table 0 contains these logical flows:
+    </p>
+
+    <ul>
+      <li>
+        Priority 100 flows to drop packets with VLAN tags or multicast Ethernet
+        source addresses.
+      </li>
+
+      <li>
+        Priority 50 flows that implement ingress port security for each enabled
+        logical port.  For logical ports on which port security is enabled,
+        these match the <code>inport</code> and the valid <code>eth.src</code>
+        address(es) and advance only those packets to the next flow table.  For
+        logical ports on which port security is not enabled, these advance all
+        packets that match the <code>inport</code>.
+      </li>
+    </ul>
+
+    <p>
+      There are no flows for disabled logical ports because the default-drop
+      behavior of logical flow tables causes packets that ingress from them to
+      be dropped.
+    </p>
+
+    <h2>Ingress table 1: <code>from-lport</code> ACLs</h2>
+
+    <p>
+      Logical flows in this table closely reproduce those in the
+      <code>ACL</code> table in the <code>OVN_Northbound</code> database for
+      the <code>from-lport</code> direction.  <code>allow</code> and
+      <code>allow-related</code> ACLs translate into logical flows with the
+      <code>next;</code> action, others to <code>drop;</code>.  The
+      <code>priority</code> values from the <code>ACL</code> table are used
+      directly.
+    </p>
+
+    <p>
+      Ingress table 1 also contains a priority 0 flow with action
+      <code>next;</code>, so that ACLs allow packets by default.
+    </p>
+
+    <h2>Ingress Table 2: Destination Lookup</h2>
+
+    <p>
+      This table implements switching behavior.  It contains these logical
+      flows:
+    </p>
+
+    <ul>
+      <li>
+        A priority-100 flow that outputs all packets with an Ethernet broadcast
+        or multicast <code>eth.dst</code> to the <code>MC_FLOOD</code>
+        multicast group, which <code>ovn-northd</code> populates with all
+        enabled logical ports.
+      </li>
+
+      <li>
+        One priority-50 flow that matches each known Ethernet address against
+        <code>eth.dst</code> and outputs the packet to the single associated
+        output port.
+      </li>
+
+      <li>
+        One priority-0 fallback flow that matches all packets and outputs them
+        to the <code>MC_UNKNOWN</code> multicast group, which
+        <code>ovn-northd</code> populates with all enabled logical ports that
+        accept unknown destination packets.  As a small optimization, if no
+        logical ports accept unknown destination packets,
+        <code>ovn-northd</code> omits this multicast group and logical flow.
+      </li>
+    </ul>
+
+    <h2>Egress Table 0: <code>to-lport</code> ACLs</h2>
+
+    <p>
+      This is similar to ingress table 1 except for <code>to-lport</code> ACLs.
+    </p>
+
+    <h2>Egress Table 1: Egress Port Security</h2>
+
+    <p>
+      This is similar to the ingress port security logic in ingress table 0,
+      but with important differences.  Most obviously, <code>outport</code> and
+      <code>eth.dst</code> are checked instead of <code>inport</code> and
+      <code>eth.src</code>.  Second, packets directed to broadcast or multicast
+      <code>eth.dst</code> are always accepted instead of being subject to the
+      port security rules; this is implemented through a priority-100 flow that
+      matches on <code>eth.dst[40]</code> with action <code>output;</code>.
+      Finally, to ensure that even broadcast and multicast packets are not
+      delivered to disabled logical ports, a priority-150 flow for each
+      disabled logical <code>outport</code> overrides the priority-100 flow
+      with a <code>drop;</code> action.
+    </p>
 </manpage>
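Review bot: The Egress Table 0 section says only that it is "similar to ingress table 1", which leaves open whether the priority-0 next; default flow described for ingress table 1 is also installed for to-lport ACLs. That default decides whether egress traffic is allowed or dropped when no ACL matches, so it should be stated explicitly rather than left to the word "similar". Minor style point: the heading "Ingress table 1: from-lport ACLs" uses lowercase "table" while the other headings in this hunk use "Table".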