>
>
> So the only case in which the pre_lb tables are necessary is when the logical
> switch doesn't contain an ACL rule with an "allow-related" action. That seems
> possible, but I cannot figure out why people would choose not to use the
> "allow-related" action; that would make the ACL table hard to maintain.
>
That is a bad assumption. Firewall rules are not compulsory.
>
> +
> > + sset_destroy(&all_ips);
> > +
> > + if (vip_configured) {
> > + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB,
> > + 100, "ip", REGBIT_CONNTRACK_DEFRAG" = 1;
> > next;");
> > + }
> > + }
> > +}
>
>
>
>
>
> > + if (od->nbs->load_balancer) {
> > + struct nbrec_load_balancer *lb = od->nbs->load_balancer;
> > + struct smap *vips = &lb->vips;
> > + struct smap_node *node;
> > +
> > + SMAP_FOR_EACH (node, vips) {
> > + uint16_t port = 0;
> > +
> > + /* node->key contains IP:port or just IP. */
> > + char *ip_address = NULL;
> > + ip_address_and_port_from_lb_key(node->key, &ip_address,
> > &port);
> > + if (!ip_address) {
> > + continue;
> > + }
> > +
> > + /* New connections in Ingress table. */
> > + char *action = xasprintf("ct_lb(\"%s\");", node->value);
> > + struct ds match = DS_EMPTY_INITIALIZER;
> > + ds_put_format(&match, "ct.new && ip && ip4.dst == %s",
> > ip_address);
> > + if (port) {
> > + if (lb->protocol && !strcmp(lb->protocol, "udp")) {
> > + ds_put_format(&match, "&& udp && udp.dst == %d",
> > port);
> > + } else {
> > + ds_put_format(&match, "&& tcp && tcp.dst == %d",
> > port);
> > + }
> > + ovn_lflow_add(lflows, od, S_SWITCH_IN_LB,
> > + 120, ds_cstr(&match), action);
> > + } else {
> > + ovn_lflow_add(lflows, od, S_SWITCH_IN_LB,
> > + 110, ds_cstr(&match), action);
> > + }
> >
>
> These flows use S_SWITCH_IN_LB; I think you missed putting them into the build_lb function.
>
Thank you for noticing. I should either move this part of the code to
build_lb() function or change it to S_SWITCH_IN_STATEFUL. I will do this as
part of v2.
>
>
> > +
> > + ds_destroy(&match);
> > + free(action);
> > + }
> > + }
> > }
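Review bot: `ip_address` is filled in through the out-parameter of `ip_address_and_port_from_lb_key()` at the top of the `SMAP_FOR_EACH` body, but the quoted loop releases only `match` and `action` at the end. If the helper returns an allocated string, as its NULL check suggests, one copy leaks per VIP on every flow rebuild; adding `free(ip_address);` beside `free(action);` would cover it. Separately, `node->value` is interpolated into `ct_lb(\"%s\");` with no escaping or validation visible in the hunk, so a value containing a double quote or `;` would change the shape of the generated action. Unless the northbound schema already constrains that string, it should be checked as an IP[:port] list before it is formatted. The enclosing function starts outside the quoted hunk, so earlier checks may exist that are not visible here.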
> >
> >
> Thanks.
> Zong Kai, LI