ovn-northd: Optimize acl of localnet-port.

Localnet port is not an endpoint, and have no security requirements to use localnet port at present. So, for performance consideration, we could do not use ct for localnet port. The more specific discussion can be found from https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html Signed-off-by: wangqianyu <wang.qianyu@zte.com.cn> Acked-by: Han Zhou <zhouhan@gmail.com> Signed-off-by: Russell Bryant <russell@ovn.org>
openvswitch · Jul 26, 2017 · 5b29422 · 5b29422
1 parent d962bad
commit 5b29422
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 9 deletions.
diff --git a/AUTHORS.rst b/AUTHORS.rst
@@ -317,6 +317,7 @@ Tonghao Zhang                   xiangxia.m.yue@gmail.com
 Valient Gough                   vgough@pobox.com
 Venkata Anil Kommaddi           vkommadi@redhat.com
 Vivien Bernet-Rollande          vbr@soprive.net
+wangqianyu                      wang.qianyu@zte.com.cn
 Wang Sheng-Hui                  shhuiw@gmail.com
 Wei Li                          liw@dtdream.com
 Wei Yongjun                     yjwei@cn.fujitsu.com

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
@@ -220,7 +220,9 @@
       logical datapath, a priority-100 flow is added that sets a hint
       (with <code>reg0[0] = 1; next;</code>) for table
       <code>Pre-stateful</code> to send IP packets to the connection tracker
-      before eventually advancing to ingress table <code>ACLs</code>.
+      before eventually advancing to ingress table <code>ACLs</code>. If
+      special ports such as route ports or localnet ports can't use ct(), a
+      priority-110 flow is added to skip over stateful ACLs.
     </p>
 
     <h3>Ingress Table 4: Pre-LB</h3>

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
@@ -417,6 +417,7 @@ struct ovn_datapath {
     /* The "derived" OVN port representing the instance of l3dgw_port on
      * the "redirect-chassis". */
     struct ovn_port *l3redirect_port;
+    struct ovn_port *localnet_port;
 };
 
 struct macam_node {
@@ -1352,6 +1353,10 @@ join_logical_ports(struct northd_context *ctx,
                     ovs_list_push_back(nb_only, &op->list);
                 }
 
+                if (!strcmp(nbsp->type, "localnet")) {
+                   od->localnet_port = op;
+                }
+
                 op->lsp_addrs
                     = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
                 for (size_t j = 0; j < nbsp->n_addresses; j++) {
@@ -2843,6 +2848,23 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
             ds_destroy(&match_in);
             ds_destroy(&match_out);
         }
+        if (od->localnet_port) {
+            struct ds match_in = DS_EMPTY_INITIALIZER;
+            struct ds match_out = DS_EMPTY_INITIALIZER;
+
+            ds_put_format(&match_in, "ip && inport == %s",
+                          od->localnet_port->json_key);
+            ds_put_format(&match_out, "ip && outport == %s",
+                          od->localnet_port->json_key);
+            ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+                          ds_cstr(&match_in), "next;");
+            ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
+                          ds_cstr(&match_out), "next;");
+
+            ds_destroy(&match_in);
+            ds_destroy(&match_out);
+        }
+
         /* Ingress and Egress Pre-ACL Table (Priority 110).
          *
          * Not to do conntrack on ND packets. */

diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
@@ -1007,14 +1007,7 @@
 
       <p>
         Note that you can not create an ACL matching on a port with
-        type=router.
-      </p>
-
-      <p>
-        Note that when <code>localnet</code> port exists in a lswitch, for
-        <code>to-lport</code> direction, the <code>inport</code> works only if
-        the <code>to-lport</code> is located on the same chassis as the
-        <code>inport</code>.
+        type=router or type=localnet.
       </p>
     </column>