John McDowall <jmcdow...@paloaltonetworks.com> wrote on 06/28/2016 10:43:11 AM:
> From: John McDowall <jmcdow...@paloaltonetworks.com>
> To: Ryan Moats/Omaha/IBM@IBMUS
> Cc: "dev@openvswitch.org" <dev@openvswitch.org>
> Date: 06/28/2016 10:43 AM
> Subject: Re: [ovs-dev] SFC summary: ACL and Flow-Classifier
>
> Ryan,
>
> I think we are in agreement on the basic mechanism. I am just
> struggling with the implementation details.
>
> A part of the issue may be how I have constructed the rules. The FC/
> ACL rule has lower precedence than the rule for the ppg.
>
> The rule for the FC/ACL is:
>
> Match(FC) then Action(First InPort in Chain)
>
> The rule for the Port Chain is:
>
> Match("FC" and "From Port Chain Outport") then Action(Next InPort in Chain)
>
> To make sure the rules fired in the right order I put both rules in
> the same table and give them appropriate priorities – just the
> shortest path to make something work.
>
> I am struggling with the "metadata" part that instructs the flow to
> skip the rule in the ACL table. Is there some example code I can look at?
>
> Regards
>
> John

When you dump the flow tables, look for occurrences of OXM_OF_METADATA and
NXM_NX_REGx (where x=0-7). Actions set values, matches test against stored
values. This is what I'm referring to when I talk about "metadata".

Ryan

> From: Ryan Moats <rmo...@us.ibm.com>
> Date: Monday, June 27, 2016 at 8:11 PM
> To: John McDowall <jmcdow...@paloaltonetworks.com>
> Cc: "dev@openvswitch.org" <dev@openvswitch.org>
> Subject: Re: [ovs-dev] SFC summary: ACL and Flow-Classifier
>
> John McDowall <jmcdow...@paloaltonetworks.com> wrote on 06/27/2016
> 09:28:16 PM:
>
> > From: John McDowall <jmcdow...@paloaltonetworks.com>
> > To: Ryan Moats/Omaha/IBM@IBMUS
> > Cc: "dev@openvswitch.org" <dev@openvswitch.org>
> > Date: 06/27/2016 09:28 PM
> > Subject: Re: [ovs-dev] SFC summary: ACL and Flow-Classifier
> >
> > Previous thread contents are here: http://openvswitch.org/pipermail/dev/2016-June/073836.html
> >
> > Ryan,
> >
> > The flow-classifier rules need to have a lower priority than the ppg
> > rules as they steer the traffic into the chain. Therefore I could do
> > this two ways:
> > I can put the flow-classifier rules into the ACL table and insert
> > them from there into the chain table,
> > I can move the chain table before the ACL table.
> > In either case the action would be to send the traffic to the first
> > port pair input port of the first port-pair. This rule would then be
> > fired in the chain table to steer traffic through the chain.
> >
> > Both seem a little "hacky" to me: the first because it might set
> > rules on flows that get modified before they hit the chain table,
> > but the current ACL code sets both egress and ingress tables so
> > there is precedent.
> >
> > The second approach is just bad as we could process a bunch of flows
> > that are dropped in the ACL table.
> >
> > Thoughts?
> >
> > John
>
> I'll admit that I must be missing something because I just don't
> understand where you are coming from here. I'm working from the
> following assumptions:
>
> 1. The FCs steer traffic from outside the port chain into the first
> PPG of the port chain in the ACL table of the ingress pipeline.
> 2. Once I'm in the port chain, the current port I come in on steers
> traffic to the next PPG of the port chain in the first table of the
> ingress pipeline (table 0) and makes sure we skip the FCs in the
> ACL table (I admit I forgot this in previous emails).
> 3. I select the output port for the next PPG in the chain
> table of the ingress pipeline.
>
> Because I'm doing these in three different tables, I don't quite see
> why I need to worry about priorities.
>
> As an example, consider a two PPG chain. A packet from vif1
> comes into the switch and is processed normally until the ACL table.
> If it matches the FCs for the port chain, metadata is set to say
> the packet needs to go to PPG1. In the chain table, the output port
> of the first PPG is selected and the packet gets sent to that
> output port by the normal mechanism.
>
> Now the packet comes back in from the input port of that first VNF.
> Table 1 is programmed to set the metadata to show this packet needs
> to go to the second PPG. It flows through the other tables
> (skipping the FCs in the ACL table) until it reaches the chain table,
> at which point the output port of the second PPG is selected and
> the packet gets sent to that output port by the normal mechanism.
>
> Now the packet comes back in from the input port of the second VNF.
> Table 1 is programmed to set the metadata to show this packet has
> finished the port chain. It flows through the other tables
> (again skipping the FCs in the ACL table) being sent to the dIP
> on the packet.
>
> What am I missing?
>
> Ryan
>
>
> Because of the
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
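The three-table walk-through Ryan gives above, as an added toy model that is not code from the thread or from OVN: `reg0` plays the role of NXM_NX_REG0, the port names, the HTTP flow classifier and the L2 table are constructed, and each VNF is assumed to hand the packet straight back in on its port pair's ingress side. Running `walk` shows the two-PPG chain traversed exactly once, with the ACL-table classifier skipped on each re-entry because the register is already non-zero.

```python
from dataclasses import dataclass
# Constructed names: one port pair per PPG and a toy L2 table; none of them come from the thread.
PPG1_OUT, PPG1_IN = "ppg1-out", "ppg1-in"   # port pair of the first VNF
PPG2_OUT, PPG2_IN = "ppg2-out", "ppg2-in"   # port pair of the second VNF
L2_TABLE = {"00:00:00:00:00:02": "vif2"}     # dst MAC -> normal egress port
# reg0 stands in for NXM_NX_REG0: 0 = not steered, 1/2 = headed for PPG1/PPG2, 3 = chain finished.
TO_PPG1, TO_PPG2, CHAIN_DONE = 1, 2, 3
VNF_RETURN = {PPG1_OUT: PPG1_IN, PPG2_OUT: PPG2_IN}   # hypothetical VNFs hand packets straight back

@dataclass
class Packet:
    in_port: str
    dst_mac: str
    tcp_dport: int
    reg0: int = 0   # registers read 0 every time the packet re-enters the switch

def table0_inport(pkt):
    """Table 0: the port a packet comes back in on fixes its position in the chain."""
    if pkt.in_port == PPG1_IN:
        pkt.reg0 = TO_PPG2
    elif pkt.in_port == PPG2_IN:
        pkt.reg0 = CHAIN_DONE

def table_acl(pkt):
    """ACL table: the FC fires only while reg0 is still 0, so in-chain traffic skips it."""
    if pkt.reg0 == 0 and pkt.tcp_dport == 80:   # constructed FC: steer HTTP into the chain
        pkt.reg0 = TO_PPG1

def table_chain(pkt):
    """Chain table: choose the output port from the metadata, else forward normally."""
    if pkt.reg0 == TO_PPG1:
        return PPG1_OUT
    if pkt.reg0 == TO_PPG2:
        return PPG2_OUT
    return L2_TABLE.get(pkt.dst_mac, "drop")

def walk(in_port, dst_mac, tcp_dport):
    """Follow one packet through the switch until it leaves on a non-chain port."""
    hops, port = [], in_port
    while True:
        pkt = Packet(port, dst_mac, tcp_dport)
        table0_inport(pkt)
        table_acl(pkt)
        out = table_chain(pkt)
        hops.append(out)
        if out not in VNF_RETURN:
            return hops
        port = VNF_RETURN[out]
```

Without the `reg0 == 0` guard in `table_acl`, the packet returning from the second VNF would match the classifier again and loop back to PPG1, which is the failure John's single-table priority scheme has to avoid.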