From patchwork Wed Sep 2 15:04:52 2020
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1355892
From: Dumitru Ceara
To: dev@openvswitch.org
Date: Wed, 2 Sep 2020 17:04:52 +0200
Message-Id: <20200902150447.20965.95083.stgit@dceara.remote.csb>
Subject: [ovs-dev] [PATCH v3 ovn 0/2] Optimize Stateful ACL flow generation and add Stateless_Filter.

The first patch of the series adds a new stage in the ingress/egress to
help classify the type of traffic that will be processed in the ACL
stage. The effect is that ACL logical flow matches are simplified and
will generate fewer openflows (due to not having as many OR clauses as
before).

The second patch of the series adds support for Stateless_Filters, a
mechanism that allows bypassing conntrack for ACLs for specific types of
traffic.

CC: Han Zhou
CC: Numan Siddique
Signed-off-by: Dumitru Ceara

Dumitru Ceara (2):
      ovn-northd: Reduce number of flows generated for stateful ACLs.
      ovn-northd: Support mixing stateless/stateful ACLs with Stateless_Filter.

 NEWS                          |   3
 northd/ovn-northd.8.xml       | 159 +++++++++++++++++++----
 northd/ovn-northd.c           | 281 +++++++++++++++++++++++++++++++---------
 ovn-nb.ovsschema              |  26 +++-
 ovn-nb.xml                    |  56 ++++++++
 tests/ovn-nbctl.at            |  53 ++++++++
 tests/ovn-northd.at           | 289 +++++++++++++++++++++++++++++++++++++++--
 tests/ovn.at                  |  58 ++++----
 tests/system-common-macros.at |   8 +
 tests/system-ovn.at           | 117 ++++++++++++++++-
 utilities/ovn-detrace.in      |  12 ++
 utilities/ovn-nbctl.c         | 213 +++++++++++++++++++++++++++++-
 12 files changed, 1132 insertions(+), 143 deletions(-)

---
V3:
- split the patch in a series.
- patch1:
  - implement Han's suggestion to optimize openflow generation for ACLs.
- patch2:
  - address Han's comments regarding Stateless_Filters.
V2:
- address Numan's comments:
  - fix spacing in the logical flow match.
  - add a new table to the NB DB instead of using a config option on the
    logical switch.
  - add ovn-nbctl CLI commands for the new table and also unit tests for
    them.
  - reword the commit message.

NOTE: checkpatch.py will complain about lines lacking whitespace around
operators in the ovn-nbctl help string but this is a false positive and
should be ignored.