From patchwork Thu May 19 15:17:06 2022
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 1633322
From: numans@ovn.org
To: dev@openvswitch.org
Date: Thu, 19 May 2022 11:17:06 -0400
Message-Id: <20220519151706.987120-1-numans@ovn.org>
Subject: [ovs-dev] [PATCH ovn v2 0/3] Adding generic port security flows.

From: Numan Siddique

This patch series adds generic logical flows for port security in
the logical switch pipeline and pushes the actual port security
implementation logic to ovn-controller from ovn-northd.

ovn-northd will now add logical flows like:

  table=0 (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[14] = check_in_port_sec(); next;)
  table=1 (ls_in_apply_port_sec), priority=50 , match=(reg0[14] == 1), action=(drop;)
  table=1 (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)

OVN action check_in_port_sec() resubmits the packet to openflow table
73. ovn-controller will add port security flows in table 73, 74 and 75
for all the logical ports it has claimed. The port security information
is passed down the Port_Binding table in Southbound database.

The main motivation for the patch is to address scale concerns.
This patch series reduces the number of logical flows and ovn-northd
CPU utilization time.

Did some scale testing and below are the results:

Used a Northbound database from a deployment of 120 node cluster.
Number of logical switch ports with port security configured: 13711

With vanilla ovn-northd
-----------------------
Number of logical flows : 208061
Avg time taken to run build_lflows() : 1301 msec
Size of Southbound database after compaction: 104M

With ovn-northd using this feature
---------------------------------
Number of logical flows : 83396
Avg time taken to run build_lflows() : 560 msec
Size of Southbound database after compaction: 45M

v1 -> v2
-------
  * Rebased to resolve conflicts.
  * Added Mark's Acks.

Numan Siddique (3):
  ovn-controller: Add OF rules for port security.
  actions: Add new actions check_in_port_sec and check_out_port_sec.
  northd: Add generic port security logical flows.

 controller/binding.c         |  78 +++-
 controller/binding.h         |  23 +-
 controller/lflow.c           | 792 ++++++++++++++++++++++++++++++++++-
 controller/lflow.h           |   4 +
 controller/ovn-controller.c  |  21 +-
 include/ovn/actions.h        |   6 +
 include/ovn/logical-fields.h |   1 +
 lib/actions.c                |  75 +++-
 northd/northd.c              | 557 +++++-------------------
 northd/ovn-northd.8.xml      | 263 ++++++------
 ovn-sb.ovsschema             |   7 +-
 ovn-sb.xml                   |  54 +++
 tests/ovn-northd.at          | 431 ++++++++++++-------
 tests/ovn.at                 | 381 +++++++++++++++--
 tests/test-ovn.c             |   2 +
 utilities/ovn-trace.c        | 313 ++++++++++++++
 16 files changed, 2182 insertions(+), 826 deletions(-)
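
Added example, not part of the original posting or of the OVN code base: a simplified C model of the two generic ingress stages the cover letter describes, where the check stage computes reg0[14] from per-port data and the apply stage drops on reg0[14] == 1. The struct layout, the sample ports and the restriction to Ethernet and IPv4 source checks are assumptions made for illustration.

```c
/* Added illustration, not OVN source: a simplified model of the generic
 * two-stage ingress port security pipeline (Ethernet/IPv4 source only). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct port_sec {          /* hypothetical per-port data (cf. Port_Binding) */
    bool enabled;          /* false: no port security configured on the port */
    uint8_t mac[6];        /* allowed source MAC */
    uint32_t ip4;          /* allowed source IPv4, 0 = MAC-only entry */
};
struct pkt { int in_port; uint8_t eth_src[6]; uint32_t ip4_src; };

/* Constructed sample ports: 0 = MAC+IP, 1 = MAC only, 2 = unrestricted. */
static const struct port_sec PORTS[] = {
    { true,  {0x00, 0, 0, 0, 0, 0x01}, 0x0a000005 },   /* 10.0.0.5 */
    { true,  {0x00, 0, 0, 0, 0, 0x02}, 0 },
    { false, {0}, 0 },
};
enum { N_PORTS = sizeof PORTS / sizeof PORTS[0] };

/* Stage 1, models table ls_in_check_port_sec: the result is what the
 * logical flow stores in reg0[14] (1 = packet violates port security). */
static int check_in_port_sec(const struct pkt *p)
{
    if (p->in_port < 0 || p->in_port >= N_PORTS) return 1; /* model bound */
    const struct port_sec *ps = &PORTS[p->in_port];
    if (!ps->enabled) return 0;
    if (memcmp(ps->mac, p->eth_src, sizeof ps->mac)) return 1;
    if (ps->ip4 && ps->ip4 != p->ip4_src) return 1;
    return 0;
}

/* Stage 2, models table ls_in_apply_port_sec: priority 50 drops when
 * reg0[14] == 1, priority 0 lets everything else continue ("next;"). */
static bool ingress_allowed(const struct pkt *p)
{
    int reg0_14 = check_in_port_sec(p);
    return reg0_14 != 1;
}

int main(void)
{
    struct pkt ok = { 0, {0, 0, 0, 0, 0, 0x01}, 0x0a000005 };
    struct pkt spoof = { 0, {0, 0, 0, 0, 0, 0x01}, 0x0a000063 };
    printf("ok=%d spoof=%d\n", ingress_allowed(&ok), ingress_allowed(&spoof));
    return 0;
}
```

The two stage functions stay the same however many entries PORTS holds; only the per-port data grows, which is the property the scale figures above rely on.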