From patchwork Fri Jan 5 10:43:16 2018
X-Patchwork-Submitter: Daniel Alvarez Sanchez
X-Patchwork-Id: 856006
From: Daniel Alvarez
To: dev@openvswitch.org
Date: Fri, 5 Jan 2018 10:43:16 +0000
Message-Id: <1515148996-1533-1-git-send-email-dalvarez@redhat.com>
Subject: [ovs-dev] [PATCH] ovn-northd: Avoid duplicate logical flows in SB db

When there are two ACLs in a Logical Switch with same direction, priority, match and action fields, ovn-northd will generate the exact same logical flow for them into SB database. This will make ovn-controller log messages (INFO) saying that the duplicate flow is going to be dropped.

This patch avoids adding duplicate lflows into SB database so that ovn-controller doesn't have to process them.

Signed-off-by: Daniel Alvarez
Acked-By: Miguel Angel Ajo
---
This patch is needed as part of the consistency work we're doing in the OpenStack integration [0]. In our effort to ensure consistency across objects in Neutron and OVN databases we find some special cases like security group rules which match OVN ACLs but not in 1:1 relationship. Until now, two identical security group rules belonging each to a different security group would generate a single ACL in NB database. With this behavior, there's no way to map the ACL in OVN to the corresponding Neutron object.

By implementing [0] we're trying to ensure this mapping so we make use of the external_ids column of every table for this purpose. It may happen that we'll have two identical ACLs but each referencing a different Neutron object in their external_ids field. However, this will make ovn-northd generate two duplicate lflows into SB database which will make ovn-controller drop them when installing the actual flows. With this patch we'll avoid duplicate flows to be inserted in SB database in such cases.

[0] https://docs.openstack.org/networking-ovn/latest/contributor/design/database_consistency.html

 ovn/northd/ovn-northd.c | 11 +++++++++++
 tests/ovn-northd.at | 24 ++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 7e6b1d9..cc64861 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -428,6 +428,13 @@ struct macam_node { struct eth_addr mac_addr; /* Allocated MAC address. */ }; +static struct ovn_lflow *ovn_lflow_find(struct hmap *lflows, + struct ovn_datapath *od, + enum ovn_stage stage, + uint16_t priority, + const char *match, + const char *actions); + static void cleanup_macam(struct hmap *macam) { 
@@ -2298,6 +2305,10 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct ovn_datapath *od, const char *stage_hint, const char *where) { ovs_assert(ovn_stage_to_datapath_type(stage) == ovn_datapath_get_type(od)); + + if (ovn_lflow_find(lflow_map, od, stage, priority, match, actions)) { + return; + } struct ovn_lflow *lflow = xmalloc(sizeof *lflow); ovn_lflow_init(lflow, od, stage, priority, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 954e259..ba96c81 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -152,3 +152,27 @@ ovn-nbctl lsp-set-options S1-R1 router-port=R1-S1 AT_CHECK([test x`ovn-nbctl lsp-get-up S1-R1` = xup]) AT_CLEANUP + +AT_SETUP([ovn -- check that duplicate acls don't generate duplicate lflows]) +AT_SKIP_IF([test $HAVE_PYTHON = no]) +ovn_start + +ovn-nbctl ls-add S1 + +# Insert a duplicate ACL into NB database. +ovn-nbctl -- --id=@acl create acl direction=to-lport priority=1000 \ + match='"tcp.dst == 22"' action=drop -- add logical_switch S1 acl @acl +ovn-nbctl -- --id=@acl create acl direction=to-lport priority=1000 \ + match='"tcp.dst == 22"' action=drop -- add logical_switch S1 acl @acl + +# Check that there are two entries in ACL table in NB database. +AT_CHECK([ovn-nbctl find ACL match='"tcp.dst == 22"' | \ +grep _uuid | wc -l], [0], [2 +]) + +# Now make sure that only one logical flow is added to SB database. +AT_CHECK([ovn-sbctl find Logical_Flow match='"tcp.dst == 22"' | \ +grep _uuid | wc -l], [0], [1 +]) + +AT_CLEANUP
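
Review bot: the forward declaration of ovn_lflow_find() in the "@@ -428,6 +428,13 @@" hunk of ovn/northd/ovn-northd.c sits directly after struct macam_node and before cleanup_macam(), in the middle of the MAC address management code, which is unrelated to logical flows. Put the prototype immediately above ovn_lflow_add_at(), the only caller this patch adds, or move the definition of ovn_lflow_find() above that function so that no prototype is needed.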
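
Review bot: in the "@@ -2298,6 +2305,10 @@" hunk, the ovn_lflow_find() check at the top of ovn_lflow_add_at() runs on every logical flow that is added, not only on the ACL flows the commit message describes, and the early return has no comment. Add a comment stating that a flow with the same datapath, stage, priority, match and actions is already in lflow_map and why that is expected, and say that the second caller's stage_hint and where are discarded, so the flow that survives carries the first caller's values.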
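
Review bot: in the test added to tests/ovn-northd.at, the Logical_Flow check runs right after the two "ovn-nbctl ... create acl" commands with nothing that waits for ovn-northd to process them, so the count can be read before the flows reach the SB database. Run "ovn-nbctl --wait=sb sync" before the ovn-sbctl check. In both AT_CHECK calls, "grep _uuid | wc -l" can be "grep -c _uuid", which also avoids the leading whitespace some wc implementations print and that would not match the expected output.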