On 30 June 2016 at 01:33, Zong Kai LI <zealo...@gmail.com> wrote:
> > > > @@ -1377,13 +1381,34 @@ build_pre_acls(struct ovn_datapath *od, struct > > hmap *lflows, > > * > > * Regardless of whether the ACL is "from-lport" or "to-lport", > > * we need rules in both the ingress and egress table, because > > - * the return traffic needs to be followed. */ > > - ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip", > > "ct_next;"); > > - ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip", > > "ct_next;"); > > + * the return traffic needs to be followed. > > + * > > + * 'REGBIT_CONNTRACK_DEFRAG' is set to let the pre-stateful > table > > send > > + * it to conntrack for tracking and defragmentation. */ > > + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip", > > + REGBIT_CONNTRACK_DEFRAG" = 1; next;"); > > + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip", > > + REGBIT_CONNTRACK_DEFRAG" = 1; next;"); > > } > > } > > > > static void > > +build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows) > > +{ > > + /* Ingress and Egress pre-stateful Table (Priority 0): Packets are > > + * allowed by default. */ > > + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 0, "1", > "next;"); > > + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 0, "1", > "next;"); > > + > > + /* If REGBIT_CONNTRACK_DEFRAG is set as 1, then the packets should > be > > + * sent to conntrack for tracking and defragmentation. */ > > + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 100, > > + REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;"); > > + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 100, > > + REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;"); > > +} > >
>
> I hope you can also modify the default next lflow with 0 priority for PRE_ACL, instead of using "next;" as action, try to directly resubmit to table ACL.
> Since in PRE_STATEFUL table, for non-stateful stuff, there is just another "next;", this is not fun.
>
A future commit in this series introduces a "pre-lb" table between "pre-acl" and "pre-stateful". If I jump directly from "pre-acl" to "acl" as you suggest, I will miss any load balancing rules added in "pre-lb" table.

> Thanks,
> Zong Kai, LI
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
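
Review bot: In build_pre_stateful(), the two priority-100 flows match REGBIT_CONNTRACK_DEFRAG" == 1" and run "ct_next;", but nothing in the quoted hunk clears the bit afterwards, and the pre-ACL flows set the same bit for both S_SWITCH_IN_PRE_ACL and S_SWITCH_OUT_PRE_ACL. If the register value survives from the ingress pipeline into the egress pipeline, or is read by a later table, a stale 1 would send traffic to conntrack that the egress pre-ACL stage did not select. Suggest saying in the comment where the bit is reset, or clearing it in the action, and noting that the priority-0 "next;" default is what lets traffic with the bit unset bypass conntrack. Style: put a space between the macro and the adjacent string literal (REGBIT_CONNTRACK_DEFRAG " == 1") so the concatenation is easier to read.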