Ryan, I think we are in agreement on the basic mechanism. I am just struggling with the implementation details.
A part of the issue may be how I have constructed the rules. The FC/ACL rule has lower precedence than the rule for the ppg.

The rule for the FC/ACL is: Match(FC) then Action(First InPort in Chain)

The rule for the Port Chain is: Match("FC" and "From Port Chain Outport") then Action(Next InPort in Chain)

To make sure the rules fired in the right order I put both rules in the same table and give them appropriate priorities - just the shortest path to make something work.

I am struggling with the "metadata" part that instructs the flow to skip the rule in the ACL table. Is there some example code I can look at?

Regards

John

From: Ryan Moats <rmo...@us.ibm.com>
Date: Monday, June 27, 2016 at 8:11 PM
To: John McDowall <jmcdow...@paloaltonetworks.com>
Cc: "dev@openvswitch.org" <dev@openvswitch.org>
Subject: Re: [ovs-dev] SFC summary: ACL and Flow-Classifier

John McDowall <jmcdow...@paloaltonetworks.com> wrote on 06/27/2016 09:28:16 PM:

> From: John McDowall <jmcdow...@paloaltonetworks.com>
> To: Ryan Moats/Omaha/IBM@IBMUS
> Cc: "dev@openvswitch.org" <dev@openvswitch.org>
> Date: 06/27/2016 09:28 PM
> Subject: Re: [ovs-dev] SFC summary: ACL and Flow-Classifier
>
> Previous thread contents are here:
> http://openvswitch.org/pipermail/dev/2016-June/073836.html
>
> Ryan,
>
> The flow-classifier rules need to have a lower priority than the ppg
> rules as they steer the traffic into the chain. Therefore I could do
> this two ways:
> I can put the flow-classifier rules into the ACL table and insert
> them from there into the chain table,
> I can move the chain table before the ACL table.
> In either case the action would be to send the traffic to the first
> port pair input port of the first port-pair. This rule would then be
> fired in the chain table to steer traffic through the chain.
>
> Both seem a little "hacky" to me, the first because it might set
> rules on flows that get modified before they hit the chain table,
> but the current ACL code sets both egress and ingress tables so
> there is precedent.
>
> The second approach is just bad as we could process a bunch of flows
> that are dropped in the ACL table.
>
> Thoughts?
>
> John

I'll admit that I must be missing something because I just don't understand where you are coming from here. I'm working from the following assumptions:

1. The FCs steer traffic from outside the port chain into the first PPG of the port chain in the ACL table of the ingress pipeline.
2. Once I'm in the port chain, the current port I come in on steers traffic to the next PPG of the port chain in the first table of the ingress pipeline (table 0) and makes sure we skip the FCs in the ACL table (I admit I forgot this in previous emails).
3. I select the output port for the next PPG in the chain table of the ingress pipeline.

Because I'm doing these in three different tables, I don't quite see why I need to worry about priorities.

As an example, consider a two PPG chain. A packet from vif1 comes into the switch and is processed normally until the ACL table. If it matches the FCs for the port chain, metadata is set to say the packet needs to go to PPG1. In the chain table, the output port of the first PPG is selected and the packet gets sent to that output port by the normal mechanism.

Now the packet comes back in from the input port of that first VNF. Table 1 is programmed to set the metadata to show this packet needs to go to the second PPG. It flows through the other tables (skipping the FCs in the ACL table) until it reaches the chain table, at which point the output port of the second PPG is selected and the packet gets sent to that output port by the normal mechanism.

Now the packet comes back in from the input port of the second VNF. Table 1 is programmed to set the metadata to show this packet has finished the port chain. It flows through the other tables (again skipping the FCs in the ACL table) being sent to the dIP on the packet.

What am I missing?

Ryan

Because of the

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
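The three-table walk Ryan describes, as an added example written for this page (a toy Python model, not OVN/OVS code and not something posted in the thread): table 0 steers on the port a packet returns on, the ACL table holds the flow classifier (FC) that only fires when no chain metadata is set, and the chain table turns the metadata into an output port. Table numbers, port numbers, the `vif1 -> tcp/80` classifier and the `tcp/23` ACL drop are all constructed. `build_rules(fc_checks_metadata=False)` reproduces the situation John is hitting: an FC that does not honour the metadata re-matches the packet on its way back from the first VNF, and the chain loops instead of advancing.

```python
"""Toy model of a three-table ingress pipeline: steering table, ACL table
(with the flow classifier), chain table.  Everything here is constructed
for illustration; it is not the OVN logical pipeline."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Constructed port numbers (assumption, not from the thread).
VIF1, DST_VIF = 1, 2
TO_VNF1, FROM_VNF1 = 10, 11    # port pair 1: switch -> VNF1, VNF1 -> switch
TO_VNF2, FROM_VNF2 = 20, 21    # port pair 2
RETURN_PORT = {TO_VNF1: FROM_VNF1, TO_VNF2: FROM_VNF2}

# Metadata values carried between tables within one pass of the pipeline.
MD_NONE, MD_PPG1, MD_PPG2, MD_DONE = 0, 1, 2, 3
TABLE_STEER, TABLE_ACL, TABLE_CHAIN = 0, 1, 2

# ("goto", table) | ("output", port) | ("drop", None) | ("loop", None)
Verdict = Tuple[str, Optional[int]]


@dataclass
class Packet:
    in_port: int
    src: str
    dst: str
    dport: int
    metadata: int = MD_NONE


@dataclass
class Rule:
    table: int
    priority: int
    match: Callable[[Packet], bool]
    action: Callable[[Packet], Verdict]


def set_md(value: int, next_table: int) -> Callable[[Packet], Verdict]:
    """Action: write chain metadata, then continue in next_table."""
    def act(pkt: Packet) -> Verdict:
        pkt.metadata = value
        return ("goto", next_table)
    return act


def build_rules(fc_checks_metadata: bool = True) -> List[Rule]:
    def classifier(p: Packet) -> bool:        # constructed FC: vif1 -> tcp/80
        return p.src == "vif1" and p.dport == 80

    def fc_match(p: Packet) -> bool:          # FC must not fire on in-chain traffic
        return classifier(p) and (p.metadata == MD_NONE or not fc_checks_metadata)

    return [
        # table 0: a packet returning from a VNF is steered to the next PPG
        Rule(TABLE_STEER, 100, lambda p: p.in_port == FROM_VNF1, set_md(MD_PPG2, TABLE_ACL)),
        Rule(TABLE_STEER, 100, lambda p: p.in_port == FROM_VNF2, set_md(MD_DONE, TABLE_ACL)),
        Rule(TABLE_STEER, 0, lambda p: True, lambda p: ("goto", TABLE_ACL)),
        # ACL table: an ordinary ACL drop plus the FC that enters the chain
        Rule(TABLE_ACL, 200, lambda p: p.dport == 23, lambda p: ("drop", None)),
        Rule(TABLE_ACL, 100, fc_match, set_md(MD_PPG1, TABLE_CHAIN)),
        Rule(TABLE_ACL, 0, lambda p: True, lambda p: ("goto", TABLE_CHAIN)),
        # chain table: metadata selects the next PPG's port, otherwise normal L2
        Rule(TABLE_CHAIN, 100, lambda p: p.metadata == MD_PPG1, lambda p: ("output", TO_VNF1)),
        Rule(TABLE_CHAIN, 100, lambda p: p.metadata == MD_PPG2, lambda p: ("output", TO_VNF2)),
        Rule(TABLE_CHAIN, 0, lambda p: True, lambda p: ("output", DST_VIF)),  # stand-in L2 lookup
    ]


def process(pkt: Packet, rules: List[Rule]) -> Verdict:
    """One pass through the pipeline: within a table the highest-priority
    matching rule wins; priorities never compete across tables."""
    table = TABLE_STEER
    while True:
        hits = [r for r in rules if r.table == table and r.match(pkt)]
        if not hits:
            return ("drop", None)
        verdict, arg = max(hits, key=lambda r: r.priority).action(pkt)
        if verdict != "goto":
            return (verdict, arg)
        table = arg


def walk_chain(pkt: Packet, rules: List[Rule], max_hops: int = 6) -> List[Verdict]:
    """Re-inject the packet from the VNF's return port after each delivery to a
    VNF until it leaves the chain, is dropped, or exceeds max_hops (a loop)."""
    pkt = replace(pkt, metadata=MD_NONE)      # do not mutate the caller's packet
    path: List[Verdict] = []
    for _ in range(max_hops):
        verdict = process(pkt, rules)
        path.append(verdict)
        if verdict[0] != "output" or verdict[1] not in RETURN_PORT:
            return path
        # metadata does not survive the trip through the VNF: new pass from table 0
        pkt = Packet(RETURN_PORT[verdict[1]], pkt.src, pkt.dst, pkt.dport)
    path.append(("loop", None))
    return path


if __name__ == "__main__":
    print("FC honours metadata:", walk_chain(Packet(VIF1, "vif1", "vif2", 80), build_rules()))
    print("FC ignores metadata:", walk_chain(Packet(VIF1, "vif1", "vif2", 80), build_rules(False)))
```

With the metadata check in place the classified packet is delivered to VNF1, then VNF2, then its real destination; with it removed, the same packet bounces back to VNF1 on every pass. The drop rule shows why the ACL table sits before the chain table: a packet the ACL rejects never reaches chain steering.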