John, see my comments inline. Pls take some time to look at my comments about https://review.openstack.org/#/c/333172/, if not right, pls correct me, thanks.

Regards,
Juno Zhu
IBM China Development Labs (CDL) Cloud IaaS Lab
Email: na...@cn.ibm.com
5F, Building 10, 399 Keyuan Road, Zhangjiang Hi-Tech Park, Pudong New District, Shanghai, China (201203)

From: John McDowall <jmcdow...@paloaltonetworks.com>
To: "dev@openvswitch.org" <dev@openvswitch.org>
Cc: "Ryan Moats" <rmo...@us.ibm.com>, Na Zhu/China/IBM@IBMCN
Date: 2016/07/13 06:33
Subject: SFC ACL and Flow Classifier

Based on Ryan's suggestions, here is my proposal for implementing the SFC flowClassifier as ACLs. I wanted to get some feedback before I get into another round of changes in the code.

Currently I have implemented SFC by adding a new table (ls_in_chain) in the ovn-stage of ovn-northd.c as follows:

    /* Logical switch ingress stages. */                                \
    PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_L2,  0, "ls_in_port_sec_l2")   \
    PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_IP,  1, "ls_in_port_sec_ip")   \
    PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_ND,  2, "ls_in_port_sec_nd")   \
    PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,      3, "ls_in_pre_acl")       \
    PIPELINE_STAGE(SWITCH, IN,  ACL,          4, "ls_in_acl")           \
    PIPELINE_STAGE(SWITCH, IN,  ARP_RSP,      5, "ls_in_arp_rsp")       \
    PIPELINE_STAGE(SWITCH, IN,  CHAIN,        6, "ls_in_chain")         \
    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,      7, "ls_in_l2_lkup")       \

In that table I insert four rules, two for the ingress direction and two for the egress direction. The pseudo code for the rules is as follows:

Ingress Direction

Rule 1: Priority 100: if [ dst_ip == flow classifier source ] then [send to first input port of chain]

--> Juno: what does the "flow classifier source" mean? Is it source ip in 5-tuple or logical-source-port ip address?

Rule 2: Priority 150: if [ dst_ip == flow classifier source && in_port == chain out_port ] then [send to next chain in_port] (if out_port is last port-pair in ingress direction then send to flow classifier source port)

--> Juno: what does the sentence in parentheses mean, do you want to handle the packet in the return direction? Can you explain why [dst_ip == flow classifier source]? I think in the ingress direction it should match src_ip and in the egress direction it should match dst_ip, right?

Egress Direction

Rule 3: Priority 125: if [ src_ip == flow classifier source ] then [send to first output port of chain]

Rule 4: Priority 150: if [ src_ip == flow classifier source && in_port == chain in_port ] then [send to next chain out_port] (if in_port is in last port-pair in egress direction then send to final destination)

--> Juno: this handles the packet in the return direction, right? If yes, it should be [src_ip == flow classifier destination], and it should be put in the ingress direction.

The design goal is to have Rule 1 and 3 be set as ACL rules, where the ACL is the flow-classifier for the SFC. I propose to remove Rule 1 and 3 from the ls-in-chain table and add a new ACL action "sfc" so that rules like:

    acl-add lsw0 to-lport 1000 'eth.type == 0x1236 && inport == app-port' sfc

will direct the flows into the service chain. The SFC action will resubmit the flow to the ls-in-chain table (OVS table 22 in my current implementation), including the to/from info to direct to rule 2 or 4.

This approach has the advantage of using any parameter to classify flows that is supported by OVS/OVN. The only area that users need to be careful about is the priority setting in the ACL rule. If not set correctly the sfc rule could be skipped but that is a normal issue with ACL rules.

Thoughts?

John

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
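Added example, not part of this thread or of OVN's own code: a small Python model of the proposed "sfc" ACL action that shows the priority caveat John raises, i.e. a broader ACL of higher priority silently skipping the chain, together with a check that flags such shadowed sfc rules. The `Acl` class, the default-allow behaviour, and the restriction of matches to `&&`-joined `==` terms are assumptions of this model, not OVN semantics.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    direction: str  # "to-lport" or "from-lport" (assumed model of an OVN ACL)
    priority: int
    match: str      # conjunction of equality terms, e.g. "eth.type == 0x1236 && inport == app-port"
    action: str     # "allow", "drop" or the proposed "sfc"

def parse_match(match):
    """Parse 'a == x && b == y' into {field: value}. Only this subset of the
    OVN match language is modelled (assumption); it covers the thread's example."""
    terms = {}
    for term in match.split("&&"):
        m = re.fullmatch(r'\s*([\w.]+)\s*==\s*"?([^"\s]+)"?\s*', term)
        if not m:
            raise ValueError("unsupported match term: %r" % term)
        terms[m.group(1)] = m.group(2)
    return terms

def lookup(acls, direction, packet):
    """Highest-priority matching ACL in the given direction decides the action;
    with no matching ACL the packet is forwarded normally ("allow")."""
    for acl in sorted(acls, key=lambda a: -a.priority):
        if acl.direction != direction:
            continue
        if all(packet.get(f) == v for f, v in parse_match(acl.match).items()):
            return acl.action
    return "allow"

def shadowed_sfc_rules(acls):
    """Return (sfc match, shadowing match, priority) for every 'sfc' ACL that can
    never fire: a same-direction ACL with strictly higher priority whose terms
    are a subset of the sfc terms matches everything the sfc rule would."""
    found = []
    for sfc in (a for a in acls if a.action == "sfc"):
        sfc_terms = parse_match(sfc.match).items()
        for other in acls:
            if (other.direction == sfc.direction and other.priority > sfc.priority
                    and parse_match(other.match).items() <= sfc_terms):
                found.append((sfc.match, other.match, other.priority))
    return found

# Constructed sample: the thread's sfc ACL plus a broad, higher-priority allow
# rule that bypasses the chain for exactly the traffic the sfc rule targets.
SFC_ACL = Acl("to-lport", 1000, "eth.type == 0x1236 && inport == app-port", "sfc")
BROAD_ALLOW = Acl("to-lport", 2000, "inport == app-port", "allow")
PACKET = {"eth.type": "0x1236", "inport": "app-port", "ip4.dst": "10.0.0.5"}
```

With only `SFC_ACL` installed `lookup` returns "sfc"; adding `BROAD_ALLOW` makes it return "allow" for the same packet, which `shadowed_sfc_rules` reports before the chain is ever deployed.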