
[ovs-dev,v2,0/3] Adding generic port security flows.

Message ID 20220519151706.987120-1-numans@ovn.org

Message

Numan Siddique May 19, 2022, 3:17 p.m. UTC
From: Numan Siddique <numans@ovn.org>

This patch series adds generic logical flows for port security in
the logical switch pipeline and pushes the actual port security
implementation logic to ovn-controller from ovn-northd.

ovn-northd will now add logical flows like:

table=0 (ls_in_check_port_sec), priority=50   , match=(1), action=(reg0[14] = check_in_port_sec(); next;)
table=1 (ls_in_apply_port_sec), priority=50   , match=(reg0[14] == 1), action=(drop;)
table=1 (ls_in_apply_port_sec), priority=0    , match=(1), action=(next;)

OVN action check_in_port_sec() resubmits the packet to openflow table
73.  ovn-controller will add port security flows in tables 73, 74 and 75
for all the logical ports it has claimed.  The port security information
is passed down via the Port_Binding table in the Southbound database.

The main motivation for the patch is to address scale concerns.
This patch series reduces the number of logical flows and ovn-northd
CPU utilization time.

Did some scale testing and below are the results:

Used a Northbound database from a deployment of 120 node cluster.
Number of logical switch ports with port security configured: 13711

With vanilla ovn-northd
-----------------------
Number of logical flows : 208061
Avg time taken to run build_lflows() : 1301 msec
Size of Southbound database after compaction: 104M

With ovn-northd using this feature
---------------------------------
Number of logical flows : 83396
Avg time taken to run build_lflows() : 560 msec
Size of Southbound database after compaction: 45M


v1 -> v2
-------
  * Rebased to resolve conflicts.
  * Added Mark's Acks.

Numan Siddique (3):
  ovn-controller: Add OF rules for port security.
  actions: Add new actions check_in_port_sec and check_out_port_sec.
  northd: Add generic port security logical flows.

 controller/binding.c         |  78 +++-
 controller/binding.h         |  23 +-
 controller/lflow.c           | 792 ++++++++++++++++++++++++++++++++++-
 controller/lflow.h           |   4 +
 controller/ovn-controller.c  |  21 +-
 include/ovn/actions.h        |   6 +
 include/ovn/logical-fields.h |   1 +
 lib/actions.c                |  75 +++-
 northd/northd.c              | 557 +++++-------------------
 northd/ovn-northd.8.xml      | 263 ++++++------
 ovn-sb.ovsschema             |   7 +-
 ovn-sb.xml                   |  54 +++
 tests/ovn-northd.at          | 431 ++++++++++++-------
 tests/ovn.at                 | 381 +++++++++++++++--
 tests/test-ovn.c             |   2 +
 utilities/ovn-trace.c        | 313 ++++++++++++++
 16 files changed, 2182 insertions(+), 826 deletions(-)
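Added example, not code from this series or from OVN: a Python model of what the per-port checks behind check_in_port_sec() and check_out_port_sec() enforce, written against the port_security column format ("MAC [IP|CIDR ...]") that the cover letter says is passed down to Port_Binding. The packet dict, the function names and the sample packets are this example's own inventions; IPv6 is reduced to the configured addresses plus the EUI-64 link-local address (the real rules carry further ND/MLD exceptions), and the egress check models only its L2 part.

```python
"""Model of the port security checks this series moves from per-port
logical flows in ovn-northd to per-port OpenFlow rules in ovn-controller.

Added example, not OVN code.  Packet = dict keyed by OVN-style field
names; function names and sample packets are this example's own.
"""
import ipaddress


def parse_port_security(entries):
    """Parse port_security strings "MAC [IP|CIDR ...]" into {mac: [network]}.

    A MAC with no addresses is an L2-only entry: any source IP is accepted.
    A CIDR entry admits the whole subnet (strict=False masks host bits).
    """
    allowed = {}
    for entry in entries:
        mac, *addrs = entry.split()
        allowed[mac.lower()] = [ipaddress.ip_network(a, strict=False)
                                for a in addrs]
    return allowed


def is_multicast(mac):
    """True for multicast and broadcast MACs (I/G bit of the first octet)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def eui64_link_local(mac):
    """fe80::/64 address derived from a MAC, accepted as ip6.src."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02                                  # flip the U/L bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def in_port_sec_allowed(pkt, allowed):
    """Ingress decision: True = next, False = reg0[14] set, frame dropped.
    Ordering mirrors the L2 -> IP -> ARP/ND stages of the pipeline."""
    if not allowed:                                    # no port security set
        return True
    src = pkt["eth.src"].lower()
    if is_multicast(src) or src not in allowed:        # L2: source MAC
        return False
    nets = allowed[src]
    if not nets:                                       # L2-only entry
        return True
    if pkt.get("arp"):                                 # ARP: sha and spa
        if pkt["arp.sha"].lower() != src:
            return False
        spa = ipaddress.ip_address(pkt["arp.spa"])
        return any(spa in n for n in nets if n.version == 4)
    if "ip4.src" in pkt:
        ip = ipaddress.ip_address(pkt["ip4.src"])
        if ip == ipaddress.ip_address("0.0.0.0"):      # DHCP before an address
            return (pkt.get("ip4.dst") == "255.255.255.255"
                    and pkt.get("udp.src") == 68 and pkt.get("udp.dst") == 67)
        return any(ip in n for n in nets if n.version == 4)
    if "ip6.src" in pkt:
        ip = ipaddress.ip_address(pkt["ip6.src"])
        return ip == eui64_link_local(src) or any(
            ip in n for n in nets if n.version == 6)
    return True                                        # other ethertypes: L2 only


def out_port_sec_allowed(pkt, allowed):
    """L2 part of the egress decision: eth.dst must be an allowed MAC or
    multicast/broadcast.  Egress IP checks are not modelled here."""
    if not allowed:
        return True
    dst = pkt["eth.dst"].lower()
    return is_multicast(dst) or dst in allowed


def run_demo():
    """Evaluate constructed packets against a constructed port_security
    column; returns {case: allowed}."""
    vm, other = "00:00:00:00:00:01", "00:00:00:00:00:03"
    ps = parse_port_security([vm + " 10.0.0.2 2001:db8::2", "00:00:00:00:00:02"])
    cases = {
        "own ip":     ({"eth.src": vm, "ip4.src": "10.0.0.2"}, ps),
        "ip spoof":   ({"eth.src": vm, "ip4.src": "10.0.0.9"}, ps),
        "mac spoof":  ({"eth.src": other, "ip4.src": "10.0.0.2"}, ps),
        "dhcp":       ({"eth.src": vm, "ip4.src": "0.0.0.0", "ip4.dst": "255.255.255.255",
                        "udp.src": 68, "udp.dst": 67}, ps),
        "arp ok":     ({"eth.src": vm, "arp": True, "arp.sha": vm, "arp.spa": "10.0.0.2"}, ps),
        "arp spoof":  ({"eth.src": vm, "arp": True, "arp.sha": vm, "arp.spa": "10.0.0.9"}, ps),
        "arp sha":    ({"eth.src": vm, "arp": True, "arp.sha": other, "arp.spa": "10.0.0.2"}, ps),
        "l2 only":    ({"eth.src": "00:00:00:00:00:02", "ip4.src": "192.0.2.77"}, ps),
        "ip6 ll":     ({"eth.src": vm, "ip6.src": "fe80::200:ff:fe00:1"}, ps),
        "ip6 spoof":  ({"eth.src": vm, "ip6.src": "2001:db8::9"}, ps),
        "no portsec": ({"eth.src": other, "ip4.src": "10.0.0.9"}, {}),
    }
    results = {name: in_port_sec_allowed(p, a) for name, (p, a) in cases.items()}
    results["egress ok"] = out_port_sec_allowed({"eth.dst": vm}, ps)
    results["egress bcast"] = out_port_sec_allowed({"eth.dst": "ff:ff:ff:ff:ff:ff"}, ps)
    results["egress other"] = out_port_sec_allowed({"eth.dst": other}, ps)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:13s} {'next' if ok else 'drop'}")
```

Run directly it prints next/drop per constructed case. The point worth keeping in view when reviewing this move: after the series the three generic logical flows above make the drop decision depend entirely on the reg0[14] bit, so the per-chassis OpenFlow rules in tables 73, 74 and 75 are the actual enforcement point, and a chassis that has not claimed a port installs nothing for it.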

Comments

Mark Michelson May 19, 2022, 5:46 p.m. UTC | #1
Thank you for the rebase, Numan. I pushed the series to main.

Numan Siddique May 19, 2022, 8:20 p.m. UTC | #2
On Thu, May 19, 2022 at 1:47 PM Mark Michelson <mmichels@redhat.com> wrote:
>
> Thank you for the rebase, Numan. I pushed the series to main.

Thanks for applying.  Unfortunately while rebasing I made a mistake
and a test case is failing.
Can you please take a look at this -
https://patchwork.ozlabs.org/project/ovn/patch/20220519201733.2184302-1-numans@ovn.org/

Numan
