Ryan,

Thanks for putting together the summary - I have a simple VNF case working with a BiW VNF - very minimal testing. I have added the logic to support multiple port-pairs but have not tested yet. I have included a dump of the flows. The code is posted to https://github.com/doonhammer/ovs. There is a conflict with ovn-northd.c that I need to look at, but apart from that it is sync'ed with main.

I like the idea of using the ACL table/feature for the flow-classifier and I think the networking-sfc team does too. I am just not quite sure how to implement it. I create a new table "ls_in_chain"; there I create four rule sets for each port-chain, 2 if the flow is treated as uni-directional. The lowest priority rule just steers the traffic into the port chain, using the flow-classifier rules; the highest priority rule steers traffic through the port chain. So the first rule would live in the ACL table in your model and the action would send it to the start of the port-chain rule - somehow - not clear how to do that. I am struggling to understand how this breaks the pipeline model - just my lack of understanding. So any help/suggestions would be appreciated.

The other big items IMHO are:

Load-balancing within port-pairs, in port-pair-groups
L2/L3 VNF Support

As always suggestions/guidance is welcome.

Regards

John

Snapshot of ovn-sbctl dump-flows:

datapath: 6d684845-2a66-43e6-913e-f559ee66ade7 Pipeline: ingress
  table=0(ls_in_port_sec_l2), priority= 100, match=(eth.src[40]), action=(drop;)
  table=0(ls_in_port_sec_l2), priority= 100, match=(vlan.present), action=(drop;)
  table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "sw1-lport1"), action=(next;)
  table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "sw1-lport2"), action=(next;)
  table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "sw1-lportf1"), action=(next;)
  table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "sw1-lportf2"), action=(next;)
  table=1(ls_in_port_sec_ip), priority= 0, match=(1), action=(next;)
  table=2(ls_in_port_sec_nd), priority= 0, match=(1), action=(next;)
  table=3( ls_in_pre_acl), priority= 0, match=(1), action=(next;)
  table=4( ls_in_acl), priority= 0, match=(1), action=(next;)
  table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 172.16.33.2 && arp.op == 1), action=(eth.dst = eth.src; eth.src = 52:54:00:bd:04:28; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = 52:54:00:bd:04:28; arp.tpa = arp.spa; arp.spa = 172.16.33.2; outport = inport; inport = ""; /* Allow sending out inport. */ output;)
  table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 172.16.33.3 && arp.op == 1), action=(eth.dst = eth.src; eth.src = 52:54:00:20:47:62; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = 52:54:00:20:47:62; arp.tpa = arp.spa; arp.spa = 172.16.33.3; outport = inport; inport = ""; /* Allow sending out inport. */ output;)
  table=5( ls_in_arp_rsp), priority= 0, match=(1), action=(next;)
  table=6( ls_in_chain), priority= 150, match=(ip4.dst == 172.16.33.3 && inport == "sw1-lportf1"), action=(outport = "sw1-lport1"; output;)
  table=6( ls_in_chain), priority= 150, match=(ip4.src == 172.16.33.3 && inport == "sw1-lport1"), action=(outport = "sw1-lportf1"; output;)
  table=6( ls_in_chain), priority= 100, match=(inport == "sw1-lportf2" && ip4.dst == 172.16.33.2), action=(outport = "sw1-lport2"; output;)
  table=6( ls_in_chain), priority= 100, match=(inport == "sw1-lportf2" && ip4.dst == 172.16.33.3), action=(outport = "sw1-lport1"; output;)
  table=6( ls_in_chain), priority= 100, match=(ip4.dst == 172.16.33.3), action=(outport = "sw1-lportf2"; output;)
  table=6( ls_in_chain), priority= 0, match=(1), action=(next;)
  table=7( ls_in_l2_lkup), priority= 100, match=(eth.mcast), action=(outport = "_MC_flood"; output;)
  table=7( ls_in_l2_lkup), priority= 50, match=(eth.dst == 52:54:00:20:47:62), action=(outport = "sw1-lport1"; output;)
  table=7( ls_in_l2_lkup), priority= 50, match=(eth.dst == 52:54:00:a8:01:fa), action=(outport = "sw1-lportf2"; output;)
  table=7( ls_in_l2_lkup), priority= 50, match=(eth.dst == 52:54:00:af:74:f5), action=(outport = "sw1-lportf1"; output;)
  table=7( ls_in_l2_lkup), priority= 50, match=(eth.dst == 52:54:00:bd:04:28), action=(outport = "sw1-lport2"; output;)

Datapath: 6d684845-2a66-43e6-913e-f559ee66ade7 Pipeline: egress
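
The ls_in_chain rules from the snapshot above, replayed as an added example (not part of the original message and not OVN code): it parses the six table=6 flows, picks the highest-priority match per hop, and traces a packet through the VNF in both directions. Assumptions: the bump-in-the-wire VNF passes packets unchanged between sw1-lportf1 and sw1-lportf2, equal-priority ties are taken in dump order, and the names `parse_flows`, `classify`, `trace` and `VNF_WIRE` are hypothetical.

```python
import re

# ls_in_chain flows copied from the dump-flows snapshot in the message above.
CHAIN_FLOWS = """
table=6( ls_in_chain), priority= 150, match=(ip4.dst == 172.16.33.3 && inport == "sw1-lportf1"), action=(outport = "sw1-lport1"; output;)
table=6( ls_in_chain), priority= 150, match=(ip4.src == 172.16.33.3 && inport == "sw1-lport1"), action=(outport = "sw1-lportf1"; output;)
table=6( ls_in_chain), priority= 100, match=(inport == "sw1-lportf2" && ip4.dst == 172.16.33.2), action=(outport = "sw1-lport2"; output;)
table=6( ls_in_chain), priority= 100, match=(inport == "sw1-lportf2" && ip4.dst == 172.16.33.3), action=(outport = "sw1-lport1"; output;)
table=6( ls_in_chain), priority= 100, match=(ip4.dst == 172.16.33.3), action=(outport = "sw1-lportf2"; output;)
table=6( ls_in_chain), priority= 0, match=(1), action=(next;)
"""

# Assumption: a packet delivered to one VNF port re-enters the switch on the other.
VNF_WIRE = {"sw1-lportf1": "sw1-lportf2", "sw1-lportf2": "sw1-lportf1"}
FLOW_RE = re.compile(r'priority=\s*(\d+), match=\((.*?)\), action=\((.*)\)\s*$')

def parse_flows(text):
    """Return (priority, [(field, value), ...], outport-or-None), highest priority first."""
    flows = []
    for line in text.strip().splitlines():
        prio, match, action = FLOW_RE.search(line).groups()
        conds = [] if match == "1" else [
            tuple(s.strip().strip('"') for s in c.split("==")) for c in match.split("&&")]
        out = re.search(r'outport = "([^"]+)"', action)
        flows.append((int(prio), conds, out.group(1) if out else None))
    return sorted(flows, key=lambda f: -f[0])  # stable: ties keep dump order

def classify(flows, pkt):
    """Outport chosen by the first (highest-priority) matching flow; None means next;."""
    for _prio, conds, out in flows:
        if all(pkt.get(field) == value for field, value in conds):
            return out
    return None

def trace(flows, inport, src, dst, max_hops=8):
    """Ports visited while the chain table steers one packet through the VNF."""
    path = [inport]
    for _ in range(max_hops):
        out = classify(flows, {"inport": inport, "ip4.src": src, "ip4.dst": dst})
        if out is None:              # priority-0 rule: continue to ls_in_l2_lkup
            return path + ["next"]
        path.append(out)
        if out not in VNF_WIRE:      # delivered to a workload port, chain finished
            return path
        inport = VNF_WIRE[out]       # packet comes back from the VNF's other port
        path.append(inport)
    raise RuntimeError("steering loop: packet never left the chain")
```

Under these assumptions traffic to 172.16.33.3 enters the VNF on sw1-lportf2 and traffic from it enters on sw1-lportf1, while any other destination falls through to the L2 lookup table.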