@@ -4718,46 +4718,40 @@ has_stateful_acl(struct ovn_datapath *od)
}
static void
-build_lswitch_input_port_sec(struct hmap *ports, struct hmap *datapaths,
- struct hmap *lflows)
+build_lswitch_input_port_sec_op(
+ struct ovn_port *op, struct hmap *lflows,
+ struct ds *match, struct ds *actions)
{
/* Logical switch ingress table 0: Ingress port security - L2
* (priority 50).
* Ingress table 1: Ingress port security - IP (priority 90 and 80)
* Ingress table 2: Ingress port security - ND (priority 90 and 80)
*/
- struct ds actions = DS_EMPTY_INITIALIZER;
- struct ds match = DS_EMPTY_INITIALIZER;
- struct ovn_port *op;
-
- HMAP_FOR_EACH (op, key_node, ports) {
- if (!op->nbsp) {
- continue;
- }
+ if (op->nbsp) {
if (!lsp_is_enabled(op->nbsp)) {
/* Drop packets from disabled logical ports (since logical flow
* tables are default-drop). */
- continue;
+ return;
}
if (lsp_is_external(op->nbsp)) {
- continue;
+ return;
}
- ds_clear(&match);
- ds_clear(&actions);
- ds_put_format(&match, "inport == %s", op->json_key);
+ ds_clear(match);
+ ds_clear(actions);
+ ds_put_format(match, "inport == %s", op->json_key);
build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs,
- &match);
+ match);
const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id");
if (queue_id) {
- ds_put_format(&actions, "set_queue(%s); ", queue_id);
+ ds_put_format(actions, "set_queue(%s); ", queue_id);
}
- ds_put_cstr(&actions, "next;");
+ ds_put_cstr(actions, "next;");
ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50,
- ds_cstr(&match), ds_cstr(&actions),
+ ds_cstr(match), ds_cstr(actions),
&op->nbsp->header_);
if (op->nbsp->n_port_security) {
@@ -4765,22 +4759,19 @@ build_lswitch_input_port_sec(struct hmap *ports, struct hmap *datapaths,
build_port_security_nd(op, lflows, &op->nbsp->header_);
}
}
+}
+static void
+build_lswitch_input_port_sec_od(
+ struct ovn_datapath *od, struct hmap *lflows)
+{
/* Ingress table 1 and 2: Port security - IP and ND, by default
* goto next. (priority 0)
*/
- struct ovn_datapath *od;
- HMAP_FOR_EACH (od, key_node, datapaths) {
- if (!od->nbs) {
- continue;
- }
-
+ if (od->nbs) {
ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_ND, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_IP, 0, "1", "next;");
}
-
- ds_destroy(&match);
- ds_destroy(&actions);
}
static void
@@ -6638,6 +6629,8 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
struct ds actions = DS_EMPTY_INITIALIZER;
struct ovn_datapath *od;
+ struct ovn_port *op;
+
HMAP_FOR_EACH (od, key_node, datapaths) {
build_lswitch_flows_pre_acl_and_acl_od(od, lflows,
port_groups, meter_groups, lbs);
@@ -6651,12 +6644,17 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
build_lswitch_admission_control_od(od, lflows);
}
- build_lswitch_input_port_sec(ports, datapaths, lflows);
+ HMAP_FOR_EACH (op, key_node, ports) {
+ build_lswitch_input_port_sec_op(op, lflows, &match, &actions);
+ }
+
+ HMAP_FOR_EACH (od, key_node, datapaths) {
+ build_lswitch_input_port_sec_od(od, lflows);
+ }
/* Ingress table 13: ARP/ND responder, skip requests coming from localnet
* and vtep ports. (priority 100); see ovn-northd.8.xml for the
* rationale. */
- struct ovn_port *op;
HMAP_FOR_EACH (op, key_node, ports) {
if (!op->nbsp) {
continue;