I think consuming a bit in reg to indicate if a packet is mirror packet or regular packet is doable as well. And it is easy to implement. Other table like port_security can check if it a mirror packet and do the right actions(drop or forwarding to next table).
Thanks Zhenyu Gao 2017-08-07 13:37 GMT+08:00 <wang.qia...@zte.com.cn>: > If we do not add a new type of switch, we should write flag to a reg to > indicate the matched packets which are cloned to monitor. > > This reg should add to all the pipeline stages of logical switch(both > ingress and egress) to distinguish from normal flow. Is this right for > Russell's point? > > If we add a new type of switch, we could define a new pipeline like bellow > for the monitor function, this have no influence on normal pipeline. > > /* Logical mirror switch ingress stages. */ \ > PIPELINE_STAGE(MSWITCH, IN, MIRROR_IN, 0, "lms_in_port") \ > PIPELINE_STAGE(MSWITCH, IN, FLOW_FILTER, 1, "lms_in_flow_filter")\ > PIPELINE_STAGE(MSWITCH, IN, OUT_LK, 2, "lms_in_out_lk") \ > \ > /* Logical mirror switch egress stages. */ \ > PIPELINE_STAGE(MSWITCH, OUT, FLOW_FILTER, 0, "lms_out_flow_filter")\ > PIPELINE_STAGE(MSWITCH, OUT, DELIVERY, 1, "lms_out_delivery") > > I think the new defined switch is easy to understand. > > Thanks > > > > > > > Ben Pfaff <b...@ovn.org> > 2017/08/07 11:03 > > 收件人: wang.qia...@zte.com.cn, > 抄送: Russell Bryant <russ...@ovn.org>, ovs dev > <d...@openvswitch.org>, zhou.huij...@zte.com.cn, xurong00037997 > <xu.r...@zte.com.cn>, Miguel Angel Ajo Pelayo <majop...@redhat.com> > 主题: Re: [ovs-dev] 答复: Re: 答复: Re: [PATCH] ovn: Support > for taas(tap-as-a-service) function > > > I am having a very hard time understanding what you're writing here. > Russell's point makes sense to me, but I don't understand your response. > Can you give some examples? > > On Mon, Aug 07, 2017 at 09:40:06AM +0800, wang.qia...@zte.com.cn wrote: > > Not add new logical_mirror_switch, just use logical_switch of course can > > > capture the use case. But logical_switch pipeline is complex for flow > > monitor. Flow monitor should ignore some tables such as port_security, > lb > > and so on. And also should consider normal function for normal ports. I > > think add a new type of switch and the corresponding pipeline may be > more > > clear in logical. > > > > Is there some adverse effect to add new type switch? > > > > Thanks. > > > > > > > > > > Russell Bryant <russ...@ovn.org> > > 2017/08/04 22:06 > > > > 收件人: wang.qia...@zte.com.cn, > > 抄送: Miguel Angel Ajo Pelayo <majop...@redhat.com>, ovs dev > > <d...@openvswitch.org>, xurong00037997 <xu.r...@zte.com.cn>, > > zhou.huij...@zte.com.cn > > 主题: Re: 答复: Re: [ovs-dev] [PATCH] ovn: Support for > > taas(tap-as-a-service) function > > > > > > > > > > On Thu, Aug 3, 2017 at 8:52 PM, <wang.qia...@zte.com.cn> wrote: > > Miguel Ángel and Russell > > > > Thanks for your reviews. > > > > Current taas function just for port monitor, in this situation, we can > > simplify the design by just add new port type. But we have the plane to > > add flow_classifier to tap_flow to monitor special flows of given port. > > The flow_classifier definition may like as follow: > > 'flow_classifiers': { > > 'id': {'allow_post': False, 'allow_put': False, > > 'validate': {'type:uuid': None}, 'is_visible': True, > > 'primary_key': True}, > > 'tenant_id': {'allow_post': True, 'allow_put': False, > > 'validate': {'type:string': None}, > > 'required_by_policy': True, 'is_visible': True}, > > 'name': {'allow_post': True, 'allow_put': True, > > 'validate': {'type:string': None}, > > 'is_visible': True, 'default': ''}, > > 'description': {'allow_post': True, 'allow_put': True, > > 'validate': {'type:string': None}, > > 'is_visible': True, 'default': ''}, > > 'protocol': {'allow_post': True, 'allow_put': True, > > 'validate': {'type:string': None}, > > 'is_visible': True, 'default': ''}, > > 'src_port_range_min': {'allow_post': True, 'allow_put': True, > > 'convert_to': attr.convert_to_int, > > 'is_visible': True, 'default': 0}, > > 'src_port_range_max': {'allow_post': True, 'allow_put': True, > > 'convert_to': attr.convert_to_int, > > 'is_visible': True, 'default': 0}, > > 'dst_port_range_min': {'allow_post': True, 'allow_put': True, > > 'convert_to': attr.convert_to_int, > > 'is_visible': True, 'default': 0}, > > 'dst_port_range_max': {'allow_post': True, 'allow_put': True, > > 'convert_to': attr.convert_to_int, > > 'is_visible': True, 'default': 0}, > > 'src_ip_prefix': {'allow_post': True, 'allow_put': True, > > 'validate': {'type:subnet': > > attr._validate_subnet}, > > 'is_visible': True, 'default': '0.0.0.0/0'}, > > 'dst_ip_prefix': {'allow_post': True, 'allow_put': True, > > 'validate': {'type:subnet': > > attr._validate_subnet}, > > 'is_visible': True, 'default': '0.0.0.0/0'} > > } > > > > This may need more complex pipeline. So I think add a new table and new > > pipeline may be a easier way. > > > > Thanks for sharing the info on future capabilities. > > > > We have a very flexible syntax for traffic classification in OVN. It's > > the logical flow match syntax (see logical flows in the southbound > > database). We expose this syntax in the northbound database in the > > "match" column of the ACL table. > > > > This would be another use case where we could use this syntax in the > > northbound database. Expanding on my preview proposal: > > > > - a new port type of 'mirror' > > > > - when port type=mirror, an option to identify which port is being > > mirrored > > > > - (the new part) when port type=mirror, an option that may be used to > > specify traffic classification for the subset of traffic on a port to > > mirror, in "match" syntax > > > > Do you think this captures the use case? > > > > -- > > Russell Bryant > > > > _______________________________________________ > > dev mailing list > > d...@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > _______________________________________________ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev