@@ -6748,6 +6748,12 @@ build_lswitch_flows_pre_acl_and_acl(struct ovn_datapath *od,
struct hmap *lflows, struct hmap *port_groups,
struct shash *meter_groups, struct hmap *lbs);
+/* Logical switch ingress table 0: Admission control framework (priority
+ * 100). */
+static void
+build_lswitch_ingress_admission_control(struct ovn_datapath *od,
+ struct hmap *lflows);
+
/*
* Do not remove this comment - it is here as a marker to
* make diffs readable.
@@ -6779,23 +6785,8 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
build_fwd_group_lflows(od, lflows);
}
- /* Logical switch ingress table 0: Admission control framework (priority
- * 100). */
HMAP_FOR_EACH (od, key_node, datapaths) {
- if (!od->nbs) {
- continue;
- }
-
- /* Logical VLANs not supported. */
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "vlan.present",
- "drop;");
-
- /* Broadcast/multicast source address is invalid. */
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]",
- "drop;");
-
- /* Port security flows have priority 50 (see below) and will continue
- * to the next table if packet source is acceptable. */
+ build_lswitch_ingress_admission_control(od, lflows);
}
build_lswitch_input_port_sec(ports, datapaths, lflows);
@@ -7462,6 +7453,25 @@ build_lswitch_flows_pre_acl_and_acl(struct ovn_datapath *od,
}
}
+static void
+build_lswitch_ingress_admission_control(struct ovn_datapath *od,
+ struct hmap *lflows)
+{
+ if (od->nbs) {
+
+ /* Logical VLANs not supported. */
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "vlan.present",
+ "drop;");
+
+ /* Broadcast/multicast source address is invalid. */
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]",
+ "drop;");
+
+ /* Port security flows have priority 50 (see below) and will continue
+ * to the next table if packet source is acceptable. */
+ }
+}
+
/* Returns a string of the IP address of the router port 'op' that
* overlaps with 'ip_s". If one is not found, returns NULL.
*