Comment 10 for bug 1938966

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/804213
Committed: https://opendev.org/openstack/neutron/commit/053a9d24eca2c9372bd2b767504dd6b6db30643f
Submitter: "Zuul (22348)"
Branch: master

commit 053a9d24eca2c9372bd2b767504dd6b6db30643f
Author: LIU Yulong <email address hidden>
Date: Fri Aug 6 14:11:00 2021 +0800

    Add table for pps limitation

    Table 59 will be used for pps limitation, the pipeline change is:
    all original flows with ``goto table 60`` will be changed to
    ``goto table 59``, while table 59 has a default rule that is goto
    table 60. Then we can add pps flows to table 59 for all ports.

    Basic limit pipeline is:
    Ingress: packets get into br-int table 0, before being sent to table 60,
    in table 59, check the destination MAC and local_vlan ID, if the
    dest is resident in this host, do the meter pps action and send
    to table 60.
    Egress: match src MAC and in_port, before being sent to table 60,
    in table 59, do the meter pps action and send to table 60.

    Why table 59? Because for the ovs-agent flow structure, all packets
    will be sent to table 60 to do next actions such as security group.
    Between table 0 and table 60, there are tables for ARP poison/spoofing
    prevention rules and MAC spoof filtering. We want similar security
    checks to take effect first, so it can drop packets before filling
    our limit queues (pps limitation based on data forwarding queue).
    And we do not want packets to go through the long march of security group
    flows, in case of performance side effects when there are a large amount
    of packets trying to be sent, so limit it before goto security group flows.

    Partially-Implements: bp/packet-rate-limit
    Related-Bug: #1938966
    Related-Bug: #1912460
    Change-Id: I943f610c3b6bcf05e2e752ca3b57981f523f88a8
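
The ordering argument in the commit message above, as an added Python model that is not part of the commit or of neutron's code: it covers the egress direction only and shows that packets dropped by the MAC spoof filter never consume the pps budget in table 59, and that only packets passing the meter reach table 60. The port number, MAC addresses, the one-second window meter and all function names are assumptions made for illustration; only table numbers 59 and 60 come from the commit message.

```python
from collections import Counter

PORT_OFPORT, PORT_MAC = 5, "fa:16:3e:00:00:01"  # constructed port values

class PpsMeter:
    """Simplified drop meter: at most `rate` packets per one-second window."""
    def __init__(self, rate):
        self.rate, self.window, self.count = rate, None, 0

    def allow(self, now):
        if int(now) != self.window:
            self.window, self.count = int(now), 0
        self.count += 1
        return self.count <= self.rate

def pipeline(in_port, src_mac, now, meter, stats):
    """Walk one packet from table 0 towards table 60; return its fate."""
    # Tables before 59 (assumed model): MAC spoof filter on the port's traffic.
    if in_port == PORT_OFPORT and src_mac != PORT_MAC:
        stats["spoof_drop"] += 1
        return "drop"
    # Table 59, egress rule: match in_port and src MAC, apply the meter.
    if in_port == PORT_OFPORT and src_mac == PORT_MAC:
        stats["metered"] += 1
        if not meter.allow(now):
            stats["meter_drop"] += 1
            return "drop"
    # Table 59 default rule: goto table 60 (security group flows).
    stats["table60"] += 1
    return "table60"

def run_sample(rate=10):
    """Constructed burst inside one second: 100 spoofed, 20 legitimate, 1 other port."""
    meter, stats = PpsMeter(rate), Counter()
    for i in range(100):
        pipeline(PORT_OFPORT, "de:ad:be:ef:00:01", 0.001 * i, meter, stats)
    for i in range(20):
        pipeline(PORT_OFPORT, PORT_MAC, 0.5 + 0.001 * i, meter, stats)
    pipeline(7, "fa:16:3e:00:00:02", 0.9, meter, stats)
    return dict(stats)

if __name__ == "__main__":
    print(run_sample())
```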