commit 053a9d24eca2c9372bd2b767504dd6b6db30643f
Author: LIU Yulong <email address hidden>
Date: Fri Aug 6 14:11:00 2021 +0800
Add table for pps limitaion
Table 59 will be used for pps limitation, the pipeline change is:
all original flows with ``goto table 60`` will be changed to
``goto table 59``, while table 59 has a default rule is goto
table 60. Then we can add pps flows to table 59 for all ports.
Basic limit pipeline is:
Ingress: packets get into br-int table 0, before send to table 60,
in table 59, check the destanation MAC and local_vlan ID, if the
dest is resident in this host, do the meter pps action and send
to table 60.
Egress: match src MAC and in_port, before send to table 60,
in table 59, do the meter pps action and send to table 60.
Why table 59? Because for ovs-agent flow structure, all packets
will be send to table 60 to do next actions such as security group.
Between table 0 and table 60, there are tables for ARP poison/spoofing
prevention rules and MAC spoof filtering. We want similar security
checks to take effect first, so it can drop packets before filling
our limit queues (pps limitation based on data forwarding queue).
And we do not want packets go through the long march of security group
flows, in case of performance side effect when there are large amount
of packets try to send, so limit it before goto security group flows.
Reviewed: https:/ /review. opendev. org/c/openstack /neutron/ +/804213 /opendev. org/openstack/ neutron/ commit/ 053a9d24eca2c93 72bd2b767504dd6 b6db30643f
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 053a9d24eca2c93 72bd2b767504dd6 b6db30643f
Author: LIU Yulong <email address hidden>
Date: Fri Aug 6 14:11:00 2021 +0800
Add table for pps limitaion
Table 59 will be used for pps limitation, the pipeline change is:
all original flows with ``goto table 60`` will be changed to
``goto table 59``, while table 59 has a default rule is goto
table 60. Then we can add pps flows to table 59 for all ports.
Basic limit pipeline is:
Ingress: packets get into br-int table 0, before send to table 60,
in table 59, check the destanation MAC and local_vlan ID, if the
dest is resident in this host, do the meter pps action and send
to table 60.
Egress: match src MAC and in_port, before send to table 60,
in table 59, do the meter pps action and send to table 60.
Why table 59? Because for ovs-agent flow structure, all packets
will be send to table 60 to do next actions such as security group.
Between table 0 and table 60, there are tables for ARP poison/spoofing
prevention rules and MAC spoof filtering. We want similar security
checks to take effect first, so it can drop packets before filling
our limit queues (pps limitation based on data forwarding queue).
And we do not want packets go through the long march of security group
flows, in case of performance side effect when there are large amount
of packets try to send, so limit it before goto security group flows.
Partially- Implements: bp/packet- rate-limit 05e2e752ca3b579 81f523f88a8
Related-Bug: #1938966
Related-Bug: #1912460
Change-Id: I943f610c3b6bcf