On Sun, Feb 28, 2016 at 10:33:19PM -0800, Gurucharan Shetty wrote:
> Currently, the only use of stateful services in conntrack is
> OVN ACLs. In table pre-ACL, we send the packet to conntrack
> to track it (to get its status) via the ct_next action.
>
> As we introduce more stateful services, the ACL feature will
> have to share the conntrack module with others. As
> preparation for more stateful features like NAT and
> loadbalancing, this commit introduces a new pre-stateful
> table that is responsible to send packets through conntrack
> via ct_next action. If pre-ACL table needs to send a packet
> through conntrack, it just sets the 'reg0' as 1.
> Pre-stateful table in-turn will send the packet to conntrack
> if 'reg0' is 1.
>
> Signed-off-by: Gurucharan Shetty <g...@ovn.org>

I noticed that STATEFUL is often written in all-caps like that,
especially in "pre-STATEFUL", but I don't know why.

The documentation says that packets get sent to the connection tracker
but not that they advance to the next table afterward, which I think
they do:

+ <p> + Ingress table 2 prepares flows for all possible stateful processing + in next tables. It contains a priority-0 flow that simply moves + traffic to table 3. A priority-100 flow sends the packets to connection + tracker based on a hint provided by the previous tables (with a match + for reg0 == 1). + </p>

Acked-by: Ben Pfaff <b...@ovn.org>
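
Review bot: The priority-100 sentence in this paragraph leaves out where a packet resumes once the connection tracker has seen it, while the priority-0 sentence names table 3 explicitly. Suggest stating the continuation in the same sentence so the two flows read symmetrically and a reader can tell that tracked traffic is not dropped or stalled at table 2. Two smaller points in the same paragraph: "sends the packets to connection tracker" is missing "the", and "a hint provided by the previous tables" could say which table sets reg0, since the commit message names pre-ACL as the one that does.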