On 30 June 2016 at 01:33, Zong Kai LI <zealo...@gmail.com> wrote:

> >
> > @@ -1377,13 +1381,34 @@ build_pre_acls(struct ovn_datapath *od, struct
> > hmap *lflows,
> >           *
> >           * Regardless of whether the ACL is "from-lport" or "to-lport",
> >           * we need rules in both the ingress and egress table, because
> > -         * the return traffic needs to be followed. */
> > -        ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip",
> > "ct_next;");
> > -        ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip",
> > "ct_next;");
> > +         * the return traffic needs to be followed.
> > +         *
> > +         * 'REGBIT_CONNTRACK_DEFRAG' is set to let the pre-stateful
> table
> > send
> > +         * it to conntrack for tracking and defragmentation. */
> > +        ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip",
> > +                      REGBIT_CONNTRACK_DEFRAG" = 1; next;");
> > +        ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip",
> > +                      REGBIT_CONNTRACK_DEFRAG" = 1; next;");
> >      }
> >  }
> >
> >  static void
> > +build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows)
> > +{
> > +    /* Ingress and Egress pre-stateful Table (Priority 0): Packets are
> > +     * allowed by default. */
> > +    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 0, "1",
> "next;");
> > +    ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 0, "1",
> "next;");
> > +
> > +    /* If REGBIT_CONNTRACK_DEFRAG is set as 1, then the packets should
> be
> > +     * sent to conntrack for tracking and defragmentation. */
> > +    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 100,
> > +                  REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;");
> > +    ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 100,
> > +                  REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;");
> > +}
> >
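Review bot: the only thing that routes a packet to conntrack in the new build_pre_stateful is REGBIT_CONNTRACK_DEFRAG, and the only place this hunk sets it is the two priority-100 "ip" rules in build_pre_acls, which sit inside the block that closes at the following "}"; datapaths that don't enter that block (and all non-IP traffic) now hit the priority-0 "next;" rules in pre-stateful and never see ct_next. That preserves the old behaviour, but the comment "Packets are allowed by default" reads as an ACL decision rather than "skip conntrack unless the bit is set"; suggest rewording it to say the bit is the sole trigger, e.g. "Packets not flagged by REGBIT_CONNTRACK_DEFRAG bypass conntrack and go to the next table." Since the hunk only updates an inline comment, the new pre-stateful stage and the meaning of REGBIT_CONNTRACK_DEFRAG should also be described in the northd logical-pipeline documentation.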
>
> I hope you can also modify the default next lflow with 0 priority for
> PRE_ACL, instead of using "next;" as action, try to directly resubmit to
> table ACL.
> Since in PRE_STATEFUL table, for non-stateful stuff, there is just another
> "next;", this is not fun.
>

A future commit in this series introduces a "pre-lb" table between
"pre-acl" and "pre-stateful". If I jump directly from "pre-acl" to "acl" as
you suggest, I will miss any load balancing rules added in "pre-lb" table.
> Thanks,
> Zong Kai, LI
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
>