This patch adds a new column to the Logical_Port table of the OVN_Northbound database called 'enabled'. The purpose is to allow a port to be administratively enabled or disabled. It is sometimes useful to keep a port and its related configuration, but temporarily disable it, which means no traffic is allowed in or out of the port.
The implementation is fairly non-invasive as it only required minor changes to the logical pipeline.
Signed-off-by: Russell Bryant <rbry...@redhat.com>
---
 ovn/northd/ovn-northd.c | 14 +++++++++++---
 ovn/ovn-nb.ovsschema | 1 +
 ovn/ovn-nb.xml | 7 +++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 39df3b5..f37df77 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -235,6 +235,12 @@ build_port_security(const char *eth_addr_field,
 }
 }
+static bool
+lport_is_enabled(const struct nbrec_logical_port *lport)
+{
+ return !lport->enabled || *lport->enabled;
+}
+
 /* Updates the Pipeline table in the OVN_SB database, constructing its contents
 * based on the OVN_NB database. */
 static void
@@ -283,7 +289,8 @@ build_pipeline(struct northd_context *ctx)
 build_port_security("eth.src", lport->port_security, lport->n_port_security, &match);
- pipeline_add(&pc, lport->lswitch, 0, 50, ds_cstr(&match), "next;");
+ pipeline_add(&pc, lport->lswitch, 0, 50, ds_cstr(&match),
+ lport_is_enabled(lport) ? "next;" : "drop;");
 ds_destroy(&match);
 }
@@ -294,7 +301,7 @@ build_pipeline(struct northd_context *ctx)
 ds_init(&actions);
 NBREC_LOGICAL_PORT_FOR_EACH (lport, ctx->ovnnb_idl) {
- if (lport->lswitch == lswitch) {
+ if (lport->lswitch == lswitch && lport_is_enabled(lport)) {
 ds_put_cstr(&actions, "outport = ");
 json_string_escape(lport->name, &actions);
 ds_put_cstr(&actions, "; next; ");
@@ -403,7 +410,8 @@ build_pipeline(struct northd_context *ctx)
 lport->port_security, lport->n_port_security, &match);
- pipeline_add(&pc, lport->lswitch, 3, 50, ds_cstr(&match), "output;");
+ pipeline_add(&pc, lport->lswitch, 3, 50, ds_cstr(&match),
+ lport_is_enabled(lport) ? "output;" : "drop;");
 ds_destroy(&match);
 }
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index fe69d31..bcbd94b 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
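Review bot: `lport_is_enabled()` carries no comment, and its default is the part a reader most needs to know: a NULL `enabled` pointer (column left empty) is treated as enabled, so the helper fails open. A one-line header would make that explicit, for example `/* Returns true if 'lport' is administratively enabled; an empty 'enabled' column counts as enabled. */`. The function lies entirely inside the first ovn-northd.c hunk.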
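Review bot: The `drop;` for a disabled port is attached to the same match as the port-security flow (`ds_cstr(&match)`, priority 50), here for table 0 and again in the table 3 hunk (`"output;" : "drop;"`), so a disabled port's traffic is dropped explicitly only when it also satisfies port security. Packets that miss that match are left to whatever other flows those tables contain, which the hunks do not show; if any of them is broader or has a higher priority, the administrative disable would not cover that traffic. A more robust form would add, for a disabled port, a separate flow that matches only the logical port (its `inport` in table 0, its `outport` in table 3) above the other priorities with action `drop;`, so isolation does not depend on the rest of the table. The diffstat lists no test file, so a test that a disabled port neither sends nor receives traffic would be worth adding. build_pipeline() starts and ends outside these hunks.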
@@ -30,6 +30,7 @@
 "min": 0, "max": "unlimited"}}, "up": {"type": {"key": "boolean", "min": 0, "max": 1}},
+ "enabled": {"type": {"key": "boolean", "min": 0, "max": 1}},
 "external_ids": { "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}},
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index b15aeac..a74bf4d 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -126,6 +126,13 @@
 become active before it allows the VM (or container) to start.
 </column>
+ <column name="enabled">
+ This column is used to administratively set port state. If this column is
+ empty or is set to <code>true</code>, the port is enabled. If this column
+ is set to <code>false</code>, the port is disabled. A disabled port has all
+ ingress and egress traffic dropped.
+ </column>
+
 <column name="macs">
 The logical port's own Ethernet address or addresses, each in the form <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
--
2.4.3
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
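Review bot: The `"enabled"` column is the only line this patch adds to ovn-nb.ovsschema (the diffstat shows `1 +`), so any version or checksum fields the schema file carries are left as they were. If the file has such fields, they should be updated in the same commit so that a database built from the old schema can be told apart from one that has the new column.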