Hi all,
I think you can disregard the request below. I made the silly mistake of
forgetting that logical routers and logical switches don't use registers
the same way. There are several general purpose registers that switches
can use, and so there is no need to do any of the items suggested below.
Thanks,
Mark Michelson
On 2/6/23 09:18, Mark Michelson wrote:
Hi everyone,
I am currently implementing
https://bugzilla.redhat.com/show_bug.cgi?id=2134138 , a request for
hierarchical ACLs. I am at a point in the design where I would like to
reach out for developer opinions about how to proceed. I'm going to
leave out some details for the sake of keeping the email short, but if
anything is unclear, feel free to ask for more info.
The first part of the strategy is to copy ACLs from the northbound to
the southbound DB. The southbound ACLs will be assigned a unique integer
key by northd.
Let's assume we have a drop ACL, and ovn-northd has assigned 1 as the
ACL ID. The relevant logical flows will look something like this:
/* This jumps to a high-numbered table where the ACL matches are
evaluated, and if a match is found, the ACL ID is put into reg??
*/
table=8 (ls_in_acl_eval  ), priority=1, match=(1), action=(reg?? =
evaluate_acls();)
/* If ACL with ID 1 is matched, we drop the packet. This table is also
where we can log the ACL and commit to conntrack if policy dictates
*/
table=9 (ls_in_acl_action), priority=1, match=(reg?? == 1), action=(drop;)
/* If reg?? is 0, then no ACL was matched and so we perform the default
ACL action.
*/
table=9 (ls_in_acl_action), priority=1, match=(reg?? == 0), action=(next;)
Notice that I've used "reg??" in the example. This is where my question
for the list comes in. We don't have any free general purpose registers
to use in OVN at this point. I've come up with a couple of ideas for
what "reg??" should be.
Idea 1:
Use reg10[16..31]. We currently only use bits 0-14 of reg10 for logical
flags. We could use the final 16 bits to store the ACL ID.
Idea 2:
Push reg10 to the stack before evaluating ACLs. Then evaluate_acls()
sets a 32-bit result into reg10. When we perform the ACL action, we then
pop from the stack back into reg10 to restore reg10's original values.
Idea 1 has the advantage that it's easier to implement and it doesn't
muddy the use of reg10. It has the disadvantages that it has a limited
number of ACL IDs (up to 65535), and it leaves only 1 bit of reg10 for
further use. It basically runs us out of registers.
Idea 2 has the advantage that it can assign more ACL IDs (up to ~4
billion), and it still leaves 17 bits of general purpose use in reg10.
However, it now makes reg10 have different meanings depending on where
in the pipeline a packet is being evaluated.
What are your thoughts on this? Do you like idea 1 or idea 2? Have I
forgotten about the existence of a general purpose register that I can
use for storing the ACL ID? Is there another way I could store the ACL
ID that I'm not aware of?
Thanks for your feedback,
Mark Michelson
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
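To make the trade-off between the two register ideas concrete, here is a small added model of the evaluate/action pipeline from the proposal. It is illustration only, not code from the email or from OVN: the pipeline is reduced to two Python functions, the ACLs and packets are constructed dicts, and the bit layout (flags in reg10[0..14], ACL ID in reg10[16..31] for idea 1, a push/pop stack for idea 2) follows the email's description. The `Acl` class, `idea1_*`/`idea2_*` function names and the sample ACL IDs are assumptions made for the example.

```python
"""Toy model of the two reg10 allocation ideas (added example, not OVN code).

Pipeline: an evaluate stage finds the highest-priority matching ACL and
stores its ID in a register; an action stage keys on that register, with
0 meaning "no ACL matched, take the default action (next)".
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FLAG_BITS = 0x7FFF        # reg10[0..14] carry logical flags (per the email)
ACL_ID_SHIFT = 16         # idea 1: ACL ID lives in reg10[16..31]
ACL_ID_MASK16 = 0xFFFF    # idea 1 can only number ACLs 1..65535
REG32 = 0xFFFFFFFF


@dataclass
class Acl:
    acl_id: int                               # unique key assigned by northd
    priority: int
    match: Callable[[Dict[str, str]], bool]   # stand-in for the ACL match
    action: str                               # "drop" or "allow"


def evaluate_acls(pkt: Dict[str, str], acls: List[Acl]) -> int:
    """Evaluate stage: ID of the highest-priority matching ACL, else 0."""
    hits = [a for a in acls if a.match(pkt)]
    if not hits:
        return 0
    return max(hits, key=lambda a: a.priority).acl_id


def acl_action(acl_id: int, acls: List[Acl]) -> str:
    """Action stage: reg == 0 -> default action; otherwise the ACL's verdict."""
    if acl_id == 0:
        return "next"
    acl = next(a for a in acls if a.acl_id == acl_id)
    return "drop" if acl.action == "drop" else "next"


# Idea 1: pack the ACL ID into reg10[16..31], leaving reg10[0..15] untouched.
def idea1_store(reg10: int, acl_id: int) -> int:
    if not 0 <= acl_id <= ACL_ID_MASK16:
        raise ValueError("idea 1 cannot represent ACL IDs above 65535")
    return (reg10 & ACL_ID_MASK16) | (acl_id << ACL_ID_SHIFT)


def idea1_load(reg10: int) -> int:
    return (reg10 >> ACL_ID_SHIFT) & ACL_ID_MASK16


def idea1_pipeline(reg10: int, pkt: Dict[str, str],
                   acls: List[Acl]) -> Tuple[str, int]:
    """Returns (verdict, reg10 after the ACL stages)."""
    reg10 = idea1_store(reg10, evaluate_acls(pkt, acls))
    return acl_action(idea1_load(reg10), acls), reg10


# Idea 2: push reg10, use the whole 32-bit register, pop it back afterwards.
def idea2_pipeline(reg10: int, pkt: Dict[str, str], acls: List[Acl],
                   stack: List[int]) -> Tuple[str, int]:
    """Returns (verdict, reg10 after the ACL stages); reg10 is restored."""
    stack.append(reg10)                          # push reg10
    reg10 = evaluate_acls(pkt, acls) & REG32     # reg10 = evaluate_acls()
    verdict = acl_action(reg10, acls)            # match on reg10 == id
    reg10 = stack.pop()                          # pop back into reg10
    return verdict, reg10


# Constructed sample ACLs; ID 70000 deliberately exceeds the 16-bit field.
ACLS = [
    Acl(1, 1000, lambda p: p["ip.dst"] == "10.0.0.5" and p["tcp.dst"] == "22", "drop"),
    Acl(2, 900, lambda p: p["ip.dst"] == "10.0.0.5", "allow"),
    Acl(70000, 800, lambda p: p["ip.dst"] == "10.0.0.7", "drop"),
]

PKT_SSH = {"ip.dst": "10.0.0.5", "tcp.dst": "22"}     # constructed packets
PKT_HTTP = {"ip.dst": "10.0.0.5", "tcp.dst": "80"}
PKT_OTHER = {"ip.dst": "10.0.0.9", "tcp.dst": "80"}
PKT_BIG_ID = {"ip.dst": "10.0.0.7", "tcp.dst": "443"}

if __name__ == "__main__":
    flags = 0x0003                      # two logical flags already set
    print(idea1_pipeline(flags, PKT_SSH, ACLS))
    print(idea2_pipeline(flags, PKT_SSH, ACLS, []))
    try:
        idea1_pipeline(flags, PKT_BIG_ID, ACLS)
    except ValueError as e:
        print("idea 1:", e)
    print(idea2_pipeline(flags, PKT_BIG_ID, ACLS, []))
```

Running it shows the two points the email makes: under idea 1 the flags in the low bits survive but ACL ID 70000 cannot be stored at all, while under idea 2 the full 32-bit ID fits and the pop restores reg10 to its original value, at the cost of reg10 meaning something different between the push and the pop.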