From patchwork Tue Apr 28 20:36:32 2020
X-Patchwork-Submitter: Ihar Hrachyshka
X-Patchwork-Id: 1278715
From: Ihar Hrachyshka
To: dev@openvswitch.org
Date: Tue, 28 Apr 2020 16:36:32 -0400
Message-Id: <20200428203635.21822-3-ihrachys@redhat.com>
In-Reply-To: <20200428203635.21822-1-ihrachys@redhat.com>
References: <20200428203635.21822-1-ihrachys@redhat.com>
Subject: [ovs-dev] [PATCH ovn 3/6] Spin out flow generation into build_pre_acl_flows_for_nbsp

Signed-off-by: Ihar Hrachyshka
---
 northd/ovn-northd.c | 75 ++++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 42 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 6715d38a3..4ad558c08 100644
--- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -4647,6 +4647,36 @@ build_lswitch_output_port_sec(struct hmap *ports, struct hmap *datapaths, ds_destroy(&actions); } +static void +build_pre_acl_flows_for_nbsp(struct ovn_datapath *od, struct hmap *lflows, + const struct nbrec_logical_switch_port *nbsp, + const char *json_key) +{ + /* Can't use ct() for router ports. Consider the following configuration: + * lp1(10.0.0.2) on hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a + * ping from lp1 to lp2, First, the response will go through ct() with a + * zone for lp2 in the ls2 ingress pipeline on hostB. That ct zone knows + * about this connection. Next, it goes through ct() with the zone for the + * router port in the egress pipeline of ls2 on hostB. This zone does not + * know about the connection, as the icmp request went through the logical + * router on hostA, not hostB. This would only work with distributed + * conntrack state across all chassis. */ + struct ds match_in = DS_EMPTY_INITIALIZER; + struct ds match_out = DS_EMPTY_INITIALIZER; + + ds_put_format(&match_in, "ip && inport == %s", json_key); + ds_put_format(&match_out, "ip && outport == %s", json_key); + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110, + ds_cstr(&match_in), "next;", +  ->header_); + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, + ds_cstr(&match_out), "next;", +  ->header_); + + ds_destroy(&match_in); + ds_destroy(&match_out); +} + static void build_pre_acls(struct ovn_datapath *od, struct hmap *lflows) { 
@@ -4673,50 +4703,11 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows) if (has_stateful) { for (size_t i = 0; i < od->n_router_ports; i++) { struct ovn_port *op = od->router_ports[i]; - /* Can't use ct() for router ports. Consider the - * following configuration: lp1(10.0.0.2) on - * hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a - * ping from lp1 to lp2, First, the response will go - * through ct() with a zone for lp2 in the ls2 ingress - * pipeline on hostB. That ct zone knows about this - * connection. Next, it goes through ct() with the zone - * for the router port in the egress pipeline of ls2 on - * hostB. This zone does not know about the connection, - * as the icmp request went through the logical router - * on hostA, not hostB. This would only work with - * distributed conntrack state across all chassis. */ - struct ds match_in = DS_EMPTY_INITIALIZER; - struct ds match_out = DS_EMPTY_INITIALIZER; - - ds_put_format(&match_in, "ip && inport == %s", op->json_key); - ds_put_format(&match_out, "ip && outport == %s", op->json_key); - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110, - ds_cstr(&match_in), "next;", - &op->nbsp->header_); - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, - ds_cstr(&match_out), "next;", - &op->nbsp->header_); - - ds_destroy(&match_in); - ds_destroy(&match_out); + build_pre_acl_flows_for_nbsp(od, lflows, op->nbsp, op->json_key); } if (od->localnet_port) { - struct ds match_in = DS_EMPTY_INITIALIZER; - struct ds match_out = DS_EMPTY_INITIALIZER; - - ds_put_format(&match_in, "ip && inport == %s", - od->localnet_port->json_key); - ds_put_format(&match_out, "ip && outport == %s", - od->localnet_port->json_key); - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110, - ds_cstr(&match_in), "next;", - &od->localnet_port->nbsp->header_); - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, - ds_cstr(&match_out), "next;", - &od->localnet_port->nbsp->header_); - - 
ds_destroy(&match_in); - ds_destroy(&match_out); + build_pre_acl_flows_for_nbsp(od, lflows, od->localnet_port->nbsp, + od->localnet_port->json_key); } /* Ingress and Egress Pre-ACL Table (Priority 110).
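Review bot: in the first hunk, the block comment hoisted into build_pre_acl_flows_for_nbsp still explains only the router-port case ("Can't use ct() for router ports. Consider the following configuration: ..."), yet the second hunk calls the same helper for od->localnet_port as well, so the comment no longer describes everything the function is used for; either widen it to say the helper bypasses conntrack for any port whose return traffic is handled on another chassis (router ports and the localnet port) or keep the router-port explanation at the router-port call site and give the helper a one-line summary of its own. Separately, the two ovn_lflow_add_with_hint calls in this hunk read as `+  ->header_);` in the archived copy, while the removed code passed `&op->nbsp->header_`; the `&nbsp` token looks to have been swallowed as an HTML entity by the archive, so confirm the committed version passes `&nbsp->header_` rather than applying from this copy. The commit message has no body beyond the Signed-off-by line; a sentence stating why the helper is being split out would help reviewers of the rest of the series.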
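Review bot: both call sites in the second hunk pass a pair of fields taken from the same struct ovn_port (`op->nbsp, op->json_key` and `od->localnet_port->nbsp, od->localnet_port->json_key`), so the helper could take a `const struct ovn_port *` and read nbsp and json_key itself, which removes the possibility of a future caller pairing one port's nbsp with another port's json_key and installing a priority-110 "next;" bypass keyed to the wrong port. Otherwise the refactor preserves behaviour as far as the visible lines show: the match strings "ip && inport == %s" / "ip && outport == %s", the priority 110, the "next;" action and the S_SWITCH_IN_PRE_ACL / S_SWITCH_OUT_PRE_ACL stages are identical between the removed and the added code, and the two calls sit at the same positions as the code they replace inside the router-port loop and the `if (od->localnet_port)` branch.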