authorwangqianyu <wang.qianyu@zte.com.cn>2017-07-26 17:02:24 -0400
committerRussell Bryant <russell@ovn.org>2017-07-26 17:08:23 -0400
commit5b29422c718e2637f44eb04885e4ec8b6df72c5d (patch)
tree34ebaebdb75e3456ed77588e5f95cb6de3ab6a78 /ovn
parentd962bad25a5bb9feecd57bb0e5cf6e2bb0686a48 (diff)
downloadopenvswitch-5b29422c718e2637f44eb04885e4ec8b6df72c5d.tar.gz
ovn-northd: Optimize acl of localnet-port.
A localnet port is not an endpoint, and at present there are no security requirements for traffic passing through a localnet port. So, for performance reasons, we can avoid sending localnet-port traffic through ct. A more detailed discussion can be found at https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html Signed-off-by: wangqianyu <wang.qianyu@zte.com.cn> Acked-by: Han Zhou <zhouhan@gmail.com> Signed-off-by: Russell Bryant <russell@ovn.org>
Diffstat (limited to 'ovn')
-rw-r--r--ovn/northd/ovn-northd.8.xml4
-rw-r--r--ovn/northd/ovn-northd.c22
-rw-r--r--ovn/ovn-nb.xml9
3 files changed, 26 insertions, 9 deletions
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index 7ff524508..1527e8a60 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -220,7 +220,9 @@
logical datapath, a priority-100 flow is added that sets a hint
(with <code>reg0[0] = 1; next;</code>) for table
<code>Pre-stateful</code> to send IP packets to the connection tracker
- before eventually advancing to ingress table <code>ACLs</code>.
+ before eventually advancing to ingress table <code>ACLs</code>. If
+ special ports such as route ports or localnet ports can't use ct(), a
+ priority-110 flow is added to skip over stateful ACLs.
</p>
<h3>Ingress Table 4: Pre-LB</h3>
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index a3f138d44..5f59d4bb7 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -417,6 +417,7 @@ struct ovn_datapath {
/* The "derived" OVN port representing the instance of l3dgw_port on
* the "redirect-chassis". */
struct ovn_port *l3redirect_port;
+ struct ovn_port *localnet_port;
};
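Review bot: The new `localnet_port` member at the end of `struct ovn_datapath` has no comment, unlike `l3redirect_port` just above it, so a reader cannot tell from the struct that it holds at most one port or who sets it. I would add `/* The "localnet" port of this logical switch, if any; set in join_logical_ports(). A single pointer, so only one localnet port per datapath is tracked. */` above the field. Being a single pointer, the representation cannot express more than one localnet port on a datapath; if the northbound schema permits that, a later port silently replaces an earlier one. The struct definition begins before this hunk.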
struct macam_node {
@@ -1352,6 +1353,10 @@ join_logical_ports(struct northd_context *ctx,
ovs_list_push_back(nb_only, &op->list);
}
+ if (!strcmp(nbsp->type, "localnet")) {
+ od->localnet_port = op;
+ }
+
op->lsp_addrs
= xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
for (size_t j = 0; j < nbsp->n_addresses; j++) {
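Review bot: The assignment `od->localnet_port = op;` overwrites unconditionally, so if a logical switch carries more than one port of type localnet only the last one visited gets the Pre-ACL conntrack bypass this commit adds in build_pre_acls(), while the others still go through ct. If multiple localnet ports per switch are not meant to be supported, a second occurrence should at least be logged instead of silently winning; otherwise the field needs to become a list. I would also put a comment on the branch, e.g. `/* Remember the datapath's localnet port so build_pre_acls() can bypass ct for it; a later localnet port replaces an earlier one. */`. Whether `od->localnet_port` starts out NULL depends on how `ovn_datapath` is allocated, which is outside this hunk, as is the rest of join_logical_ports().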
@@ -2843,6 +2848,23 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
ds_destroy(&match_in);
ds_destroy(&match_out);
}
+ if (od->localnet_port) {
+ struct ds match_in = DS_EMPTY_INITIALIZER;
+ struct ds match_out = DS_EMPTY_INITIALIZER;
+
+ ds_put_format(&match_in, "ip && inport == %s",
+ od->localnet_port->json_key);
+ ds_put_format(&match_out, "ip && outport == %s",
+ od->localnet_port->json_key);
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+ ds_cstr(&match_in), "next;");
+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
+ ds_cstr(&match_out), "next;");
+
+ ds_destroy(&match_in);
+ ds_destroy(&match_out);
+ }
+
/* Ingress and Egress Pre-ACL Table (Priority 110).
*
* Not to do conntrack on ND packets. */
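Review bot: The new `if (od->localnet_port)` block carries no comment explaining why IP traffic on that port skips the priority-100 ct hint, although the effect is that packets entering or leaving through the localnet port reach the ACL stage without having passed through the connection tracker, so any ACL that depends on ct state does not apply to them; that rationale currently lives only in the commit message and ovn-northd.8.xml. I would add `/* Localnet ports are not endpoints: IP traffic entering or leaving through one skips conntrack, exactly like the l3redirect port above, so stateful ACLs are not evaluated for it. */` above the block. The block is also a line-for-line copy of the l3redirect block whose tail (`ds_destroy(&match_in); ds_destroy(&match_out); }`) is the context just above it; both could call one static helper, shown below, defined before build_pre_acls(), with each call site reduced to `build_pre_acl_skip_ct(od, lflows, od->localnet_port);`. build_pre_acls() starts and ends outside the hunk.
```c
/* Adds priority-110 Pre-ACL flows in both directions so that IP traffic
 * entering or leaving through 'port' skips the conntrack hint set by the
 * priority-100 flows (the port is not an endpoint, so there is no
 * connection state to track on it). */
static void
build_pre_acl_skip_ct(struct ovn_datapath *od, struct hmap *lflows,
                      const struct ovn_port *port)
{
    struct ds match_in = DS_EMPTY_INITIALIZER;
    struct ds match_out = DS_EMPTY_INITIALIZER;

    ds_put_format(&match_in, "ip && inport == %s", port->json_key);
    ds_put_format(&match_out, "ip && outport == %s", port->json_key);
    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
                  ds_cstr(&match_in), "next;");
    ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
                  ds_cstr(&match_out), "next;");

    ds_destroy(&match_in);
    ds_destroy(&match_out);
}

/* … unchanged: beginning of build_pre_acls and the l3redirect block, which now calls the helper … */
    if (od->localnet_port) {
        build_pre_acl_skip_ct(od, lflows, od->localnet_port);
    }
```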
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index 1e7346566..61522f140 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -1007,14 +1007,7 @@
<p>
Note that you can not create an ACL matching on a port with
- type=router.
- </p>
-
- <p>
- Note that when <code>localnet</code> port exists in a lswitch, for
- <code>to-lport</code> direction, the <code>inport</code> works only if
- the <code>to-lport</code> is located on the same chassis as the
- <code>inport</code>.
+ type=router or type=localnet.
</p>
</column>