On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez <dalva...@redhat.com> wrote:
>
> Hi Han, all
>
> While implementing Port Groups in OpenStack I have noticed that we are duplicating the lflows for the DHCP now with the current code. Seeking for advice here:
>
> When we create a Neutron subnet, I'm creating a Port Group with the ACL for the DHCP:
>
> _uuid               : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> action              : allow
> direction           : from-lport
> external_ids        : {}
> log                 : false
> match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> name                : []
> priority            : 1002
> severity            : []
>
>
> This generates the proper lflow in the Logical_Flow table:
>
> _uuid               : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> actions             : "next;"
> external_ids        : {source="ovn-northd.c:3192", stage-hint="7f2b64eb", stage-name=ls_in_acl}
> logical_datapath    : e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> pipeline            : ingress
> priority            : 2002
> table_id            : 6
> hash                : 0
>
>
> However, all the ports belonging in that subnet also have a lflow for DHCP (different stages though)
>
> _uuid               : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> actions             : "next;"
> external_ids        : {source="ovn-northd.c:2579", stage-name=ls_in_port_sec_ip}
> logical_datapath    : 2b3126db-74d4-48a1-9e81-192066748de6
> match               : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\" && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> pipeline            : ingress
> priority            : 90
> table_id            : 1
> hash                : 0
>
>
> My questions are:
>
> 1) Do I really need to create the Port Group for every subnet just to take care of the DHCP?

Yes, I think it is the right way to do it in networking-ovn. Otherwise, we will have to create per-port ACL to allow DHCP. The examples you gave above are NOT redundant flows: as you mentioned, they are in different stages (for different purposes), and they will end up as ovs flows in different ovs flow tables.

> 2) We have per-port DHCP lflows, is it worth to implement port groups around them too?

For the per-port DHCP flows in port-security stage, they can't be "grouped" because eth.src is in the match condition, which is different for each port.

>
> Thanks!
> Daniel
>
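Added example (not part of the original thread or of OVN's code): a small check of the reply's point that the DHCP ACL can collapse into one port-group flow while the port-security flows cannot. The port names, MAC addresses and function names are constructed for illustration, and the parser assumes the flat "a && b && c" matches quoted in the thread, not the full OVN expression grammar.

```python
# Which terms of an OVN match differ from port to port?
# Assumption: flat conjunctions only (no ||, ! or parentheses).

def parse_terms(match):
    """Split a flat conjunction into {field: value}; bare terms map to None."""
    terms = {}
    for term in match.split("&&"):
        field, sep, value = term.strip().partition("==")
        terms[field.strip()] = value.strip() if sep else None
    return terms

def varying_fields(matches):
    """Return the fields whose value is not identical in every match."""
    parsed = [parse_terms(m) for m in matches]
    fields = set().union(*parsed)
    return {f for f in fields
            if len({p.get(f, "<absent>") for p in parsed}) > 1}

def groupable(matches):
    """A single flow on 'inport == @pg' can replace the set only if
    nothing except inport changes between ports."""
    return varying_fields(matches) <= {"inport"}

# Constructed ports (name, MAC); sample values, not from the thread.
PORTS = [("lsp-a", "fa:16:3e:00:00:01"),
         ("lsp-b", "fa:16:3e:00:00:02"),
         ("lsp-c", "fa:16:3e:00:00:03")]

# Per-port form of the DHCP ACL match (what is needed without a port group).
ACL = ['inport == "%s" && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} '
       '&& udp && udp.src == 68 && udp.dst == 67' % name for name, _ in PORTS]

# Per-port port-security match in the shape of the ls_in_port_sec_ip flow.
PORT_SEC = ['inport == "%s" && eth.src == %s && ip4.src == 0.0.0.0 '
            '&& ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67'
            % (name, mac) for name, mac in PORTS]

if __name__ == "__main__":
    for label, flows in (("ACL", ACL), ("port-security", PORT_SEC)):
        print(label, sorted(varying_fields(flows)),
              "groupable:", groupable(flows))
```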