@@ -4775,13 +4775,10 @@ build_lswitch_input_port_sec_od(
}
static void
-build_lswitch_output_port_sec(struct hmap *ports, struct hmap *datapaths,
- struct hmap *lflows)
+build_lswitch_output_port_sec_op(
+ struct ovn_port *op, struct hmap *lflows,
+ struct ds *match, struct ds *actions)
{
- struct ds actions = DS_EMPTY_INITIALIZER;
- struct ds match = DS_EMPTY_INITIALIZER;
- struct ovn_port *op;
-
/* Egress table 8: Egress port security - IP (priorities 90 and 80)
* if port security enabled.
*
@@ -4792,57 +4789,53 @@ build_lswitch_output_port_sec(struct hmap *ports, struct hmap *datapaths,
* Priority 150 rules drop packets to disabled logical ports, so that
* they don't even receive multicast or broadcast packets.
*/
- HMAP_FOR_EACH (op, key_node, ports) {
- if (!op->nbsp || lsp_is_external(op->nbsp)) {
- continue;
- }
+ if (!op->nbsp || lsp_is_external(op->nbsp)) {
+ return;
+ }
- ds_clear(&actions);
- ds_clear(&match);
+ ds_clear(actions);
+ ds_clear(match);
- ds_put_format(&match, "outport == %s", op->json_key);
- if (lsp_is_enabled(op->nbsp)) {
- build_port_security_l2("eth.dst", op->ps_addrs, op->n_ps_addrs,
- &match);
+ ds_put_format(match, "outport == %s", op->json_key);
+ if (lsp_is_enabled(op->nbsp)) {
+ build_port_security_l2("eth.dst", op->ps_addrs, op->n_ps_addrs,
+ match);
- if (!strcmp(op->nbsp->type, "localnet")) {
- const char *queue_id = smap_get(&op->sb->options,
- "qdisc_queue_id");
- if (queue_id) {
- ds_put_format(&actions, "set_queue(%s); ", queue_id);
- }
+ if (!strcmp(op->nbsp->type, "localnet")) {
+ const char *queue_id = smap_get(&op->sb->options,
+ "qdisc_queue_id");
+ if (queue_id) {
+ ds_put_format(actions, "set_queue(%s); ", queue_id);
}
- ds_put_cstr(&actions, "output;");
- ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2,
- 50, ds_cstr(&match), ds_cstr(&actions),
- &op->nbsp->header_);
- } else {
- ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2,
- 150, ds_cstr(&match), "drop;",
- &op->nbsp->header_);
}
+ ds_put_cstr(actions, "output;");
+ ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2,
+ 50, ds_cstr(match), ds_cstr(actions),
+ &op->nbsp->header_);
+ } else {
+ ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2,
+ 150, ds_cstr(match), "drop;",
+ &op->nbsp->header_);
+ }
- if (op->nbsp->n_port_security) {
- build_port_security_ip(P_OUT, op, lflows, &op->nbsp->header_);
- }
+ if (op->nbsp->n_port_security) {
+ build_port_security_ip(P_OUT, op, lflows, &op->nbsp->header_);
}
+}
+
+static void
+build_lswitch_output_port_sec_od(
+ struct ovn_datapath *od, struct hmap *lflows)
+{
/* Egress tables 8: Egress port security - IP (priority 0)
* Egress table 9: Egress port security L2 - multicast/broadcast
* (priority 100). */
- struct ovn_datapath *od;
- HMAP_FOR_EACH (od, key_node, datapaths) {
- if (!od->nbs) {
- continue;
- }
-
+ if (od->nbs) {
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_IP, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_L2, 100, "eth.mcast",
"output;");
}
-
- ds_destroy(&match);
- ds_destroy(&actions);
}
static void
@@ -6785,7 +6778,11 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
op, lflows, mcgroups, &match, &actions);
}
- /* Ingress table 19: Destination lookup for unknown MACs (priority 0). */
+ /* Ingress table 19: Destination lookup for unknown MACs (priority 0).
+ * This cannot be parallelised because has_unknown is modified in
+ * build_lswitch_destination_lookup_and_unicast_op() so leaving it
+ * "as is" */
+
HMAP_FOR_EACH (od, key_node, datapaths) {
if (!od->nbs) {
continue;
@@ -6797,7 +6794,14 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
}
}
- build_lswitch_output_port_sec(ports, datapaths, lflows);
+ HMAP_FOR_EACH (op, key_node, ports) {
+ build_lswitch_output_port_sec_op(
+ op, lflows, &match, &actions);
+ }
+
+ HMAP_FOR_EACH (od, key_node, datapaths) {
+ build_lswitch_output_port_sec_od(od, lflows);
+ }
ds_destroy(&match);
ds_destroy(&actions);