
[ovs-dev,2/3] northd: send ingress packets from HW VTEP directly to L2_LKUP table

Message ID 20211201125608.36918-3-odivlad@gmail.com
State Accepted
Series Support mixing stateless and stateful ACLs regardless of their priority | expand

Checks

Context Check Description
ovsrobot/apply-robot success apply and check: success
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/github-robot-_ovn-kubernetes success github build: passed

Commit Message

Vladislav Odintsov Dec. 1, 2021, 12:56 p.m. UTC
Recently the patch [1] fixed the ingress pipeline for packets coming
from a HW VTEP switch within a stateful datapath.
This patch assumes that [1] has been reverted and applies the more efficient
"next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP);" action to
skip unneeded stages for such packets.

1: https://github.com/ovn-org/ovn/commit/62ca8b9620cc1168ace6905575b7d36438363aed

Signed-off-by: Vladislav Odintsov <odivlad@gmail.com>
---
 northd/northd.c         |  9 ++++++++-
 northd/ovn-northd.8.xml |  9 +++++++++
 northd/ovn_northd.dl    | 16 +++++++++++++---
 3 files changed, 30 insertions(+), 4 deletions(-)

Patch

diff --git a/northd/northd.c b/northd/northd.c
index 4c1a2a382..2efc4bb1f 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -5480,7 +5480,14 @@  build_lswitch_input_port_sec_op(
     if (queue_id) {
         ds_put_format(actions, "set_queue(%s); ", queue_id);
     }
-    ds_put_cstr(actions, "next;");
+
+    if (!strcmp(op->nbsp->type, "vtep")) {
+        ds_put_format(actions, "next(pipeline=ingress, table=%d);",
+                      S_SWITCH_IN_L2_LKUP);
+    } else {
+        ds_put_cstr(actions, "next;");
+    }
+
     ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2,
                                       50, ds_cstr(match), ds_cstr(actions),
                                       op->key, &op->nbsp->header_);
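Review bot: The new `vtep` branch has no comment recording what the jump gives up: every ingress stage between S_SWITCH_IN_PORT_SEC_L2 and S_SWITCH_IN_L2_LKUP is skipped for these ports, and the accompanying man-page hunk says ACL enforcement for this traffic is left to the egress pipeline. I would put a comment above the `if`, e.g. `/* Traffic from a vtep (RAMP) port skips the ingress stages before L2 lookup, ACLs included; only egress ACLs apply to it. */`, so that later changes to ingress-only policy are checked against this path. Separately, `table=%d` is fed the stage constant itself; if that constant encodes datapath type and pipeline alongside the table index (not visible here), passing `ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)` would state the intent explicitly. The man-page hunk also documents the action with a trailing `= 1`, which does not match the string emitted here. The enclosing function starts and ends outside the hunk.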
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 00fb925f8..bd3c3aa26 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -262,6 +262,15 @@ 
         logical ports on which port security is not enabled, these advance all
         packets that match the <code>inport</code>.
       </li>
+      <li>
+        For logical ports of type <code>vtep</code>, the above logical flow
+        will apply the action
+        <code>next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP) = 1;</code>
+        to skip most stages of ingress pipeline and go directly to ingress L2
+        lookup table to determine the output port. Packets from VTEP (RAMP)
+        switch should not be subjected to any ACL checks. Egress pipeline will
+        do the ACL checks.
+      </li>
     </ul>
 
     <p>
diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl
index ffa2e06db..530bb1e9d 100644
--- a/northd/ovn_northd.dl
+++ b/northd/ovn_northd.dl
@@ -3468,9 +3468,19 @@  for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses
             } else {
                 i"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}"
             } in
-        var actions = match (pbinding.options.get(i"qdisc_queue_id")) {
-                None -> i"next;",
-                Some{id} -> i"set_queue(${id}); next;"
+
+            var actions = {
+                var queue = match (pbinding.options.get(i"qdisc_queue_id")) {
+                    None -> i"next;",
+                    Some{id} -> i"set_queue(${id}); "
+                };
+                var ramp = if (lsp.__type == i"vtep") {
+                    i"next(pipeline=ingress, table=${s_SWITCH_IN_L2_LKUP()});"
+                } else {
+                    i"next;"
+                } in
+                };
+                i"${queue}${ramp}"
             } in
         Flow(.logical_datapath = sw._uuid,
              .stage            = s_SWITCH_IN_PORT_SEC_L2(),
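Review bot: The `None` arm of `queue` still yields `i"next;"`, so a port without `qdisc_queue_id` ends up with `next;` followed by the `ramp` action, i.e. `next;next;` for ordinary ports and `next;next(pipeline=ingress, table=…);` for `vtep` ports, which differs from the single action the northd.c hunk emits; the arm should be `None -> i"",`. The `ramp` binding is also closed with `} in` and then a stray `};`, which leaves the braces of the `actions` block unbalanced; ending the binding with a single `};` before `i"${queue}${ramp}"` looks like what was meant. It is also worth confirming that interpolating `s_SWITCH_IN_L2_LKUP()` renders a bare table number, since its return type is not visible in this hunk. The enclosing `for` rule starts and ends outside the hunk.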