What:
====
a. The goal is to be able to associate some identifier with a connection tracking
entry.
b. This identifier can be used to map to the OVN ACL which added this entry, or to
higher-level constructs like an OpenStack security group, etc.
c. There are 2 connection tracking fields which can be used for it:
ct.mark (32 bits) and ct.label (128 bits).
d. The patch intends to use ct.label, as this is the longer field and
hence would be put to better use if it stores the identifier.
Why:
====
a. Adding an identifier would help in debugging.
b. Now we can map a connection tracking entry to the corresponding
ACL, security group, etc.
How:
====
Following is the sequence of changes:
Patch 1:
i. The current implementation uses a bit in ct.label to handle policy update cases,
where we use a bit in ct.label to indicate that reply traffic should
now be dropped.
ii. Swap the usage of ct.label in the current implementation with ct.mark.
Patch 2:
i. Add support in the parser to allow ct.label and ct.mark to be set from registers
as well (as of now only an integer/masked integer is allowed).
Patch 3:
i. Add a new column (named 'label') to Table ACL in the northbound schema.
ii. ovn-northd changes to enhance the logical flows to set ct.label to acl->label.
For example:
table=4 (ls_out_acl ), .... action=(reg0[1] = 1; reg0[3] = 1; xxreg1 = 0x1234; next;)
.
.
.
table=7 (ls_out_stateful ), ... match=(reg0[1] == 1 && reg0[3] == 1), action=(ct_commit(ct_mark=0/1, ct_label=xxreg1); next;)
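As an added example (not part of this patch series or the OVN code), a small Python helper that reads conntrack entries in the style of "ovs-appctl dpctl/dump-conntrack" output, maps each entry's ct.label back to an ACL and security group through a constructed stand-in for the NB ACL 'label' column, and decodes bit 0 of ct.mark as the reply-drop bit. The dump line format, the label-to-ACL table and the bit position are assumptions.

```python
import re

# Constructed sample in the style of "ovs-appctl dpctl/dump-conntrack" output
# (not real output; the field layout is an assumption).
SAMPLE_CT_DUMP = """\
tcp,orig=(src=10.0.0.1,dst=10.0.0.2,sport=34512,dport=80),reply=(src=10.0.0.2,dst=10.0.0.1,sport=80,dport=34512),zone=3,mark=0,labels=0x1234,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=5000,dport=53),reply=(src=10.0.0.9,dst=10.0.0.5,sport=53,dport=5000),zone=3,mark=1,labels=0x1234
tcp,orig=(src=10.0.0.7,dst=10.0.0.8,sport=40000,dport=22),reply=(src=10.0.0.8,dst=10.0.0.7,sport=22,dport=40000),zone=3,mark=0,labels=0xabcd
"""

# Constructed stand-in for the NB ACL table: ct.label value -> (ACL name, security group).
# In a deployment this would come from the new 'label' column of Table ACL.
ACL_BY_LABEL = {0x1234: ("allow-web-and-dns", "sg-frontend")}

# Bit 0 of ct.mark is taken as the "drop reply traffic" policy-update bit
# (assumption, following the ct_mark=0/1 mask in the cover letter's example).
DROP_REPLY_BIT = 1

_ORIG_RE = re.compile(r"orig=\(src=([^,]+),dst=([^,]+)")
_MARK_RE = re.compile(r"\bmark=(\d+)")
_LABELS_RE = re.compile(r"\blabels=(0x[0-9a-fA-F]+)")


def parse_ct_entry(line):
    """Pull protocol, original src/dst, ct.mark and ct.label out of one entry."""
    orig = _ORIG_RE.search(line)
    if orig is None:
        raise ValueError("no orig tuple in conntrack entry: %r" % line)
    mark, labels = _MARK_RE.search(line), _LABELS_RE.search(line)
    return {
        "proto": line.split(",", 1)[0],
        "src": orig.group(1),
        "dst": orig.group(2),
        # Both fields read as 0 when the entry was committed without them.
        "mark": int(mark.group(1)) if mark else 0,
        "label": int(labels.group(1), 16) if labels else 0,
    }


def annotate(entry):
    """Map ct.label back to its ACL / security group and decode the ct.mark policy bit."""
    acl, sg = ACL_BY_LABEL.get(entry["label"], ("<unknown acl>", "<unknown sg>"))
    entry.update(acl=acl, security_group=sg,
                 reply_dropped=bool(entry["mark"] & DROP_REPLY_BIT))
    return entry


def annotate_dump(text):
    """Annotate every non-empty line of a conntrack dump."""
    return [annotate(parse_ct_entry(l)) for l in text.splitlines() if l.strip()]
```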
Ankur Sharma (3):
OVN ACL: Replace the usage of ct_label with ct_mark
OVN ACL: Allow ct_mark and ct_label values to be set from register as well
OVN ACL: Allow a user to input ct.label value for an acl
include/ovn/actions.h       |  3 ++
ovn/lib/actions.c           | 73 ++++++++++++++++++++++++++++++++++----
ovn/lib/logical-fields.c    |  1 +
ovn/northd/ovn-northd.8.xml | 14 ++++----
ovn/northd/ovn-northd.c     | 85 ++++++++++++++++++++++++++++-----------------
ovn/ovn-nb.ovsschema        |  5 +--
ovn/ovn-nb.xml              |  9 +++++
ovn/utilities/ovn-nbctl.c   | 24 ++++++++++++-
tests/ovn-nbctl.at          | 12 +++++--
tests/ovn.at                | 66 ++++++++++++++++++++++++++++++++---
10 files changed, 239 insertions(+), 53 deletions(-)
--
1.8.3.1
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev