@@ -5480,7 +5480,14 @@ build_lswitch_input_port_sec_op(
if (queue_id) {
ds_put_format(actions, "set_queue(%s); ", queue_id);
}
- ds_put_cstr(actions, "next;");
+
+ if (!strcmp(op->nbsp->type, "vtep")) {
+ ds_put_format(actions, "next(pipeline=ingress, table=%d);",
+ S_SWITCH_IN_L2_LKUP);
+ } else {
+ ds_put_cstr(actions, "next;");
+ }
+
ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2,
50, ds_cstr(match), ds_cstr(actions),
op->key, &op->nbsp->header_);
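Review bot: The `vtep` branch jumps from `S_SWITCH_IN_PORT_SEC_L2` straight to `S_SWITCH_IN_L2_LKUP`, so every ingress stage in between is bypassed for these ports, and nothing in the code records that trust decision. The man-page hunk justifies it by saying the egress pipeline does the ACL checks, but as far as I know `from-lport` ACLs are evaluated only in the ingress pipeline, so they would stop applying to traffic that enters through a VTEP port. A comment above the branch would make the assumption explicit, for example `/* VTEP (RAMP) ports skip the remaining ingress stages, including from-lport ACLs; only egress checks still apply. */`. Separately, `%d` is passed the `enum ovn_stage` value itself, which appears to equal the table number only because this is a switch ingress stage; `ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)` states the intent directly. The body of `build_lswitch_input_port_sec_op` starts and ends outside the hunk.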
@@ -262,6 +262,15 @@
logical ports on which port security is not enabled, these advance all
packets that match the <code>inport</code>.
</li>
+ <li>
+ For logical ports of type <code>vtep</code>, the above logical flow
+ will apply the action
+ <code>next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP) = 1;</code>
+ to skip most stages of ingress pipeline and go directly to ingress L2
+ lookup table to determine the output port. Packets from VTEP (RAMP)
+ switch should not be subjected to any ACL checks. Egress pipeline will
+ do the ACL checks.
+ </li>
</ul>
<p>
@@ -3468,9 +3468,19 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses
} else {
i"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}"
} in
- var actions = match (pbinding.options.get(i"qdisc_queue_id")) {
- None -> i"next;",
- Some{id} -> i"set_queue(${id}); next;"
+
+ var actions = {
+ var queue = match (pbinding.options.get(i"qdisc_queue_id")) {
+ None -> i"next;",
+ Some{id} -> i"set_queue(${id}); "
+ };
+ var ramp = if (lsp.__type == i"vtep") {
+ i"next(pipeline=ingress, table=${s_SWITCH_IN_L2_LKUP()});"
+ } else {
+ i"next;"
+ } in
+ };
+ i"${queue}${ramp}"
} in
Flow(.logical_datapath = sw._uuid,
.stage = s_SWITCH_IN_PORT_SEC_L2(),
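Review bot: When `qdisc_queue_id` is absent, the `None` arm of `queue` still yields `i"next;"`, and `i"${queue}${ramp}"` then appends a second `next`. The action becomes `next;next;`, or `next;next(pipeline=ingress, table=…);` for a `vtep` port, so the packet would be sent through the full ingress pipeline before the intended jump and would be processed twice. The arm should contribute nothing: `None -> i"",`. The block also looks unbalanced as written: the `in` after the `else` arm and the `};` on the next line appear to close `var actions = {` before `i"${queue}${ramp}"` is reached, so it is worth checking that this parses. It is also worth confirming that `${s_SWITCH_IN_L2_LKUP()}` interpolates the table number rather than the whole stage value; the enclosing `for` rule starts and ends outside the hunk.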
Recently, patch [1] fixed the ingress pipeline for packets coming from a HW VTEP switch within a stateful datapath. This patch assumes that [1] is reverted and applies the more efficient "next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP);" action to skip unneeded stages for such packets. 1: https://github.com/ovn-org/ovn/commit/62ca8b9620cc1168ace6905575b7d36438363aed Signed-off-by: Vladislav Odintsov <odivlad@gmail.com> --- northd/northd.c | 9 ++++++++- northd/ovn-northd.8.xml | 9 +++++++++ northd/ovn_northd.dl | 16 +++++++++++++--- 3 files changed, 30 insertions(+), 4 deletions(-)