Also update ovn-northd to use the revised syntax.
Reported-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
/* Broadcast/multicast source address is invalid. */
pipeline_add(&pc, lswitch, 0, 100, "eth.src[40]", "drop;");
- /* Port security flows have priority 50 (see below) and will resubmit
- * if packet source is acceptable. */
+ /* Port security flows have priority 50 (see below) and will continue
+ * to the next table if packet source is acceptable. */
/* Otherwise drop the packet. */
pipeline_add(&pc, lswitch, 0, 0, "1", "drop;");
build_port_security("eth.src",
lport->port_security, lport->n_port_security,
&match);
- pipeline_add(&pc, lport->lswitch, 0, 50, ds_cstr(&match), "resubmit;");
+ pipeline_add(&pc, lport->lswitch, 0, 50, ds_cstr(&match), "next;");
ds_destroy(&match);
}
if (lport->lswitch == lswitch) {
ds_put_cstr(&actions, "outport = ");
json_string_escape(lport->name, &actions);
- ds_put_cstr(&actions, "; resubmit; ");
+ ds_put_cstr(&actions, "; next; ");
}
}
ds_chomp(&actions, ' ');
ds_init(&actions);
ds_put_cstr(&actions, "outport = ");
json_string_escape(lport->name, &actions);
- ds_put_cstr(&actions, "; resubmit;");
+ ds_put_cstr(&actions, "; next;");
pipeline_add(&pc, lswitch, 1, 50,
ds_cstr(&match), ds_cstr(&actions));
ds_destroy(&actions);
ds_put_cstr(&ua->actions, "outport = ");
json_string_escape(lport->name, &ua->actions);
- ds_put_cstr(&ua->actions, "; resubmit;");
+ ds_put_cstr(&ua->actions, "; next;");
} else {
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
action = (!strcmp(acl->action, "allow") ||
!strcmp(acl->action, "allow-related"))
- ? "resubmit;" : "drop;";
+ ? "next;" : "drop;";
pipeline_add(&pc, acl->lswitch, 2, acl->priority, acl->match, action);
}
NBREC_LOGICAL_SWITCH_FOR_EACH (lswitch, ctx->ovnnb_idl) {
- pipeline_add(&pc, lswitch, 2, 0, "1", "resubmit;");
+ pipeline_add(&pc, lswitch, 2, 0, "1", "next;");
}
/* Table 3: Egress port security. */
NBREC_LOGICAL_PORT_FOR_EACH (lport, ctx->ovnnb_idl) {
- struct ds match, actions;
+ struct ds match;
ds_init(&match);
ds_put_cstr(&match, "outport == ");
lport->port_security, lport->n_port_security,
&match);
- ds_init(&actions);
- ds_put_cstr(&actions, "output(");
- json_string_escape(lport->name, &actions);
- ds_put_cstr(&actions, ");");
-
- pipeline_add(&pc, lport->lswitch, 3, 50,
- ds_cstr(&match), ds_cstr(&actions));
+ pipeline_add(&pc, lport->lswitch, 3, 50, ds_cstr(&match), "output;");
- ds_destroy(&actions);
ds_destroy(&match);
}
<column name="actions">
<p>
- Below, a <var>value</var> is either a <var>constant</var> or a
- <var>field</var>. The following actions seem most likely to be useful:
+ Logical datapath actions, to be executed when the logical flow
+ represented by this row is the highest-priority match.
</p>
- <dl>
- <dt><code>drop;</code></dt>
- <dd>syntactic sugar for no actions</dd>
+ <p>
+ Actions share lexical syntax with the <ref column="match"/> column. An
+ empty set of actions (or one that contains just white space or
+ comments), or a set of actions that consists of just
+ <code>drop;</code>, causes the matched packets to be dropped.
+ Otherwise, the column should contain a sequence of actions, each
+ terminated by a semicolon.
+ </p>
- <dt><code>output(<var>value</var>);</code></dt>
- <dd>output to port, except that output to the ingress port is
- implicitly dropped</dd>
+ <p>
+ The following actions will be initially supported:
+ </p>
- <dt><code>broadcast;</code></dt>
- <dd>output to every logical port except ingress port</dd>
+ <dl>
+ <dt><code>output;</code></dt>
+ <dd>
+ Outputs the packet to the logical port current designated by
+ <code>outport</code>. Output to the ingress port is implicitly
+ dropped, that is, <code>output</code> becomes a no-op if
+ <code>outport</code> == <code>inport</code>.
+ </dd>
- <dt><code>resubmit;</code></dt>
- <dd>execute next logical datapath table as subroutine</dd>
+ <dt><code>next;</code></dt>
+ <dd>
+ Executes the next logical datapath table as a subroutine.
+ </dd>
- <dt><code>set(<var>field</var>=<var>value</var>);</code></dt>
- <dd>set data or metadata field, or copy between fields</dd>
+ <dt><code><var>field</var> = <var>constant</var>;</code></dt>
+ <dd>
+ Sets data or metadata field <var>field</var> to constant value
+ <var>constant</var>.
+ </dd>
</dl>
<p>
- Following are not well thought out:
+ The following actions will likely be useful later, but they have not
+ been thought out carefully.
</p>
<dl>
+ <dt><code><var>field1</var> = <var>field2</var>;</code></dt>
+ <dd>
+ Extends the assignment action to allow copying between fields.
+ </dd>
+
<dt><code>learn</code></dt>
<dt><code>conntrack</code></dt>
- <dt><code>with(<var>field</var>=<var>value</var>) { <var>action</var>, </code>...<code> }</code></dt>
- <dd>execute <var>actions</var> with temporary changes to <var>fields</var></dd>
-
- <dt><code>dec_ttl { <var>action</var>, </code>...<code> } { <var>action</var>; </code>...<code>}</code></dt>
+ <dt><code>dec_ttl { <var>action</var>, </code>...<code> } { <var>action</var>; </code>...<code>};</code></dt>
<dd>
decrement TTL; execute first set of actions if
successful, second set if TTL decrement fails
</dd>
- <dt><code>icmp_reply { <var>action</var>, </code>...<code> }</code></dt>
+ <dt><code>icmp_reply { <var>action</var>, </code>...<code> };</code></dt>
<dd>generate ICMP reply from packet, execute <var>action</var>s</dd>
<dt><code>arp { <var>action</var>, </code>...<code> }</code></dt>
<dd>generate ARP from packet, execute <var>action</var>s</dd>
</dl>
-
- <p>
- Other actions can be added as needed
- (e.g. <code>push_vlan</code>, <code>pop_vlan</code>,
- <code>push_mpls</code>, <code>pop_mpls</code>).
- </p>
-
- <p>
- Some of the OVN actions do not map directly to OpenFlow actions, e.g.:
- </p>
-
- <ul>
- <li>
- <code>with</code>: Implemented as <code>stack_push;
- set(</code>...<code>); <var>actions</var>; stack_pop</code>.
- </li>
-
- <li>
- <code>dec_ttl</code>: Implemented as <code>dec_ttl</code> followed
- by the successful actions. The failure case has to be implemented by
- ovn-controller interpreting packet-ins. It might be difficult to
- identify the particular place in the processing pipeline in
- <code>ovn-controller</code>; maybe some restrictions will be
- necessary.
- </li>
-
- <li>
- <code>icmp_reply</code>: Implemented by sending the packet to
- <code>ovn-controller</code>, which generates the ICMP reply and sends
- the packet back to <code>ovs-vswitchd</code>.
- </li>
- </ul>
</column>
</table>