From patchwork Mon Oct 19 22:47:02 2015
X-Patchwork-Submitter: Justin Pettit
X-Patchwork-Id: 532693
From: Justin Pettit
To: dev@openvswitch.org
Date: Mon, 19 Oct 2015 15:47:02 -0700
Message-Id: <1445294822-115676-1-git-send-email-jpettit@nicira.com>
Subject: [ovs-dev] [PATCH] ovn: Reduce range of ACL priorities.

To implement stateful ACLs, we've needed to reserve multiple logical flow priorities in the ACL table. Rather than continue to have a strange range of ACL priorities, we'll make the ACL priority range 0 to 32767 and then offset them by 1000 when inserting them into the logical flow table.

Signed-off-by: Justin Pettit
Acked-by: Ben Pfaff
---
 ovn/northd/ovn-northd.c   | 18 ++++++++++++++----
 ovn/ovn-nb.ovsschema      |  6 +++---
 ovn/ovn-nb.xml            |  2 +-
 ovn/utilities/ovn-nbctl.c |  8 ++++----
 4 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index a1ad34c..e199937 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -111,6 +111,12 @@ enum ovn_stage { #undef PIPELINE_STAGE }; +/* Due to various hard-coded priorities need to implement ACLs, the + * northbound database supports a smaller range of ACL priorities than + * are available to logical flows. This value is added to an ACL + * priority to determine the ACL's logical flow priority. */ +#define OVN_ACL_PRI_OFFSET 1000 + /* Returns an "enum ovn_stage" built from the arguments. */ static enum ovn_stage ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline pipeline, @@ -1056,7 +1062,8 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows) * may and then its return traffic would not have an * associated conntrack entry and would return "+invalid". */ const char *actions = has_stateful ? "ct_commit; next;" : "next;"; - ovn_lflow_add(lflows, od, stage, acl->priority, + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, acl->match, actions); } else if (!strcmp(acl->action, "allow-related")) { struct ds match = DS_EMPTY_INITIALIZER; @@ -1065,17 +1072,20 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows) * other traffic related to this entry to flow due to the * 65535 priority flow defined earlier. */ ds_put_format(&match, "ct.new && (%s)", acl->match); - ovn_lflow_add(lflows, od, stage, acl->priority, + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, ds_cstr(&match), "ct_commit; next;"); ds_destroy(&match); } else if (!strcmp(acl->action, "drop")) { - ovn_lflow_add(lflows, od, stage, acl->priority, + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, acl->match, "drop;"); } else if (!strcmp(acl->action, "reject")) { /* xxx Need to support "reject". */ VLOG_INFO("reject is not a supported action"); - ovn_lflow_add(lflows, od, stage, acl->priority, + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, acl->match, "drop;"); } } diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema index d45a682..3921e98 100644 
--- a/ovn/ovn-nb.ovsschema +++ b/ovn/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", "version": "2.0.0", - "cksum": "4186002454 4601", + "cksum": "3039293926 4601", "tables": { "Logical_Switch": { "columns": { @@ -51,8 +51,8 @@ "ACL": { "columns": { "priority": {"type": {"key": {"type": "integer", - "minInteger": 1, - "maxInteger": 65534}}}, + "minInteger": 0, + "maxInteger": 32767}}}, "direction": {"type": {"key": {"type": "string", "enum": ["set", ["from-lport", "to-lport"]]}}}, "match": {"type": "string"}, diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 0bfb587..b6eef03 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -332,7 +332,7 @@ column="action"/> column for the highest- matching row in this table determines a packet's treatment. If no row matches, packets are allowed by default. (Default-deny treatment is - possible: add a rule with 1, 1 as + possible: add a rule with 0, 0 as , and deny as .)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c index aac4c27..947c58c 100644 --- a/ovn/utilities/ovn-nbctl.c +++ b/ovn/utilities/ovn-nbctl.c @@ -947,8 +947,8 @@ nbctl_acl_add(struct ctl_context *ctx) } /* Validate priority. */ - if (!ovs_scan(ctx->argv[3], "%"SCNd64, &priority) || priority < 1 - || priority > 65535) { + if (!ovs_scan(ctx->argv[3], "%"SCNd64, &priority) || priority < 0 + || priority > 32767) { VLOG_WARN("Invalid priority '%s'", ctx->argv[3]); return; } @@ -1035,8 +1035,8 @@ nbctl_acl_del(struct ctl_context *ctx) } /* Validate priority. */ - if (!ovs_scan(ctx->argv[3], "%"SCNd64, &priority) || priority < 1 - || priority > 65535) { + if (!ovs_scan(ctx->argv[3], "%"SCNd64, &priority) || priority < 0 + || priority > 32767) { VLOG_WARN("Invalid priority '%s'", ctx->argv[3]); return; }
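Review bot: The comment above OVN_ACL_PRI_OFFSET in ovn-northd.c has a grammar slip, "hard-coded priorities need to implement ACLs" should read "hard-coded priorities needed to implement ACLs". It would also help to state the resulting logical-flow range there (0 + 1000 up to 32767 + 1000 = 33767), so a reader can see at a glance that ACL flows clear the reserved low priorities and stay below the 65535 priority flow that the build_acls comments refer to.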
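Review bot: In the two build_acls hunks the expression `acl->priority + OVN_ACL_PRI_OFFSET` is repeated at all four ovn_lflow_add call sites (allow, allow-related, drop, reject); hoisting it into one local before the if/else chain avoids a future branch forgetting the offset. Also, build_acls relies entirely on the northbound schema bound of 32767 to keep the sum below the 65535 flow mentioned in the "allow-related" comment; an ovs_assert on the sum, or a comment saying the bound is enforced by ovn-nb.ovsschema, would make that dependency explicit.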
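Review bot: The ovn-nb.ovsschema hunk tightens the ACL priority constraint from 1..65534 to 0..32767 but leaves "version": "2.0.0" unchanged, only the cksum is updated. Rows already stored with a priority above 32767 will no longer satisfy the new constraint, so this is a compatibility change; consider bumping the schema version and noting in the commit message that existing ACL rows outside the new range must be rewritten before upgrading.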
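Review bot: The two ovn-nbctl.c hunks hard-code the bounds 0 and 32767 twice (nbctl_acl_add and nbctl_acl_del), and they also fix a pre-existing mismatch where nbctl accepted 65535 while the schema allowed at most 65534. Defining the minimum and maximum once as named constants, shared with the OVN_ACL_PRI_OFFSET comment in ovn-northd.c, would keep schema, northd and nbctl from drifting apart again. The VLOG_WARN("Invalid priority '%s'", ...) message could also state the accepted range (0 to 32767) so the user knows why the value was rejected.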