From patchwork Fri May 13 00:42:28 2022
From: numans@ovn.org
To: dev@openvswitch.org
Date: Thu, 12 May 2022 20:42:28 -0400
Message-Id: <20220513004228.3947905-1-numans@ovn.org>
Subject: [ovs-dev] [PATCH ovn 0/3] Adding generic port security flows.

From: Numan Siddique

This patch series adds generic logical flows for port security in the
logical switch pipeline and pushes the actual port security
implementation logic to ovn-controller from ovn-northd.

ovn-northd will now add logical flows like:

  table=0 (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[14] = check_in_port_sec(); next;)
  table=1 (ls_in_apply_port_sec), priority=50 , match=(reg0[14] == 1), action=(drop;)
  table=1 (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)

OVN action check_in_port_sec() resubmits the packet to openflow table 73.
ovn-controller will add port security flows in tables 73, 74 and 75 for
all the logical ports it has claimed. The port security information is
passed down the Port_Binding table in the Southbound database.

The main motivation for the patch is to address scale concerns.
This patch series reduces the number of logical flows and ovn-northd
CPU utilization time.

Did some scale testing and below are the results:

Used a Northbound database from a deployment of a 120 node cluster.
Number of logical switch ports with port security configured: 13711

With vanilla ovn-northd
-----------------------
Number of logical flows : 208061
Avg time taken to run build_lflows() : 1301 msec
Size of Southbound database after compaction: 104M

With ovn-northd using this feature
---------------------------------
Number of logical flows : 83396
Avg time taken to run build_lflows() : 560 msec
Size of Southbound database after compaction: 45M

Numan Siddique (3):
  ovn-controller: Add OF rules for port security.
  actions: Add new actions check_in_port_sec and check_out_port_sec.
  northd: Add generic port security logical flows.

 controller/binding.c         |  78 +++-
 controller/binding.h         |  23 +-
 controller/lflow.c           | 792 ++++++++++++++++++++++++++++++++++-
 controller/lflow.h           |   4 +
 controller/ovn-controller.c  |  21 +-
 include/ovn/actions.h        |   6 +
 include/ovn/logical-fields.h |   1 +
 lib/actions.c                |  75 +++-
 northd/northd.c              | 557 +++++------------------
 northd/ovn-northd.8.xml      | 263 ++++++------
 ovn-sb.ovsschema             |   7 +-
 ovn-sb.xml                   |  54 +++
 tests/ovn-northd.at          | 431 ++++++++++++-------
 tests/ovn.at                 | 369 ++++++++++++++--
 tests/test-ovn.c             |   2 +
 utilities/ovn-trace.c        | 313 ++++++++++++++
 16 files changed, 2175 insertions(+), 821 deletions(-)

Acked-by: Mark Michelson
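The cover letter describes the two generic ingress stages (a check stage that fills reg0[14] via check_in_port_sec(), and an apply stage that drops on reg0[14] == 1 ahead of a catch-all next). The following is an added example, not code from the series or from OVN: it parses lflow-list style lines in the format quoted above and verifies that the drop flow outranks the pass-through flow, which is the property an operator would want to confirm after upgrading. The sample lines are constructed from the cover letter, not captured output.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `ovn-sbctl lflow-list` output, reproducing
# the three port-security flows quoted in the cover letter.
SAMPLE_LFLOWS = """\
table=0 (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[14] = check_in_port_sec(); next;)
table=1 (ls_in_apply_port_sec), priority=50 , match=(reg0[14] == 1), action=(drop;)
table=1 (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
"""

LFLOW_RE = re.compile(
    r"table=(?P<table>\d+)\s+\((?P<stage>\w+)\),\s*priority=(?P<prio>\d+)\s*,"
    r"\s*match=\((?P<match>.*)\),\s*action=\((?P<action>.*)\)$"
)

@dataclass
class LFlow:
    table: int
    stage: str
    priority: int
    match: str
    action: str

def parse_lflows(text):
    """Parse lflow-list style lines; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = LFLOW_RE.match(line.strip())
        if m:
            flows.append(LFlow(int(m["table"]), m["stage"], int(m["prio"]),
                               m["match"], m["action"]))
    return flows

def port_sec_pipeline_ok(flows):
    """True when the generic ingress port-security stages are wired as the
    cover letter describes: a check stage that stores check_in_port_sec() in
    reg0[14], and an apply stage whose drop on reg0[14] == 1 has a higher
    priority than its catch-all 'next'."""
    check = [f for f in flows if f.stage == "ls_in_check_port_sec"
             and "check_in_port_sec()" in f.action and "reg0[14]" in f.action]
    drops = [f for f in flows if f.stage == "ls_in_apply_port_sec"
             and f.match == "reg0[14] == 1" and f.action.strip() == "drop;"]
    passes = [f for f in flows if f.stage == "ls_in_apply_port_sec"
              and f.match == "1" and f.action.strip() == "next;"]
    if not (check and drops and passes):
        return False
    # The drop must win over the default pass-through, otherwise the
    # check result in reg0[14] is never acted upon.
    return min(d.priority for d in drops) > max(p.priority for p in passes)
```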