[ovs-dev] [PATCH ovn 0/3] Adding generic port security flows.

Thu, 12 May 2022 17:43:07 -0700 

From: Numan Siddique <num...@ovn.org>

This patch series adds generic logical flows for port security in
the logical switch pipeline and pushes the actual port security
implementation logic to ovn-controller from ovn-northd.

ovn-northd will now add logical flows like:

table=0 (ls_in_check_port_sec), priority=50   , match=(1), action=(reg0[14] = 
check_in_port_sec(); next;)
table=1 (ls_in_apply_port_sec), priority=50   , match=(reg0[14] == 1), 
action=(drop;)
table=1 (ls_in_apply_port_sec), priority=0    , match=(1), action=(next;)

OVN action check_in_port_sec() resubmits the packet to openflow table
73.  ovn-controller will add port security flows in table 73,74 and 75
for all the logical ports it has claimed.  The port security information
is passed down the Port_Binding table in Southbound database.

The main motivation for the patch is to address scale concerns.
This patch series reduces the number of logical flows and ovn-northd
CPU utilization time.

Did some scale testing and below are the results:

Used a Northbound database from a deployment of 120 node cluster.
Number of logical switch ports with port security configured: 13711

With vanilla ovn-northd
-----------------------
Number of logical flows : 208061
Avg time taken to run build_lflows() : 1301 msec
Size of Southbound database after compaction: 104M

With ovn-northd using this feature
---------------------------------
Number of logical flows : 83396
Avg time taken to run build_lflows() : 560  msec
Size of Southbound database after compaction: 45M



Numan Siddique (3):
  ovn-controller: Add OF rules for port security.
  actions: Add new actions check_in_port_sec and check_out_port_sec.
  northd: Add generic port security logical flows.

 controller/binding.c         |  78 +++-
 controller/binding.h         |  23 +-
 controller/lflow.c           | 792 ++++++++++++++++++++++++++++++++++-
 controller/lflow.h           |   4 +
 controller/ovn-controller.c  |  21 +-
 include/ovn/actions.h        |   6 +
 include/ovn/logical-fields.h |   1 +
 lib/actions.c                |  75 +++-
 northd/northd.c              | 557 +++++-------------------
 northd/ovn-northd.8.xml      | 263 ++++++------
 ovn-sb.ovsschema             |   7 +-
 ovn-sb.xml                   |  54 +++
 tests/ovn-northd.at          | 431 ++++++++++++-------
 tests/ovn.at                 | 369 ++++++++++++++--
 tests/test-ovn.c             |   2 +
 utilities/ovn-trace.c        | 313 ++++++++++++++
 16 files changed, 2175 insertions(+), 821 deletions(-)

-- 
2.35.3

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to