What:
====
a. The goal is to be able to associate an identifier with a connection tracking
entry.

b. This identifier can be used to map the entry back to the OVN ACL which added it,
or to higher level constructs like an OpenStack security group etc.

c. There are two connection tracking fields which can be used for this:
ct.mark (32 bits) and ct.label (128 bits).

d. This series uses ct.label, as it is the longer field and
hence is put to better use if it stores the identifier.

Why:
====
a. Adding an identifier helps in debugging.
b. A connection tracking entry can now be mapped to the corresponding
   ACL, security group etc.
c. One use case for this mapping is to identify the ACL which added
   the connection tracker entry that is causing unexpected drops/leaks.

How:
====
Following is the sequence of changes:

Patch 1:
   i.  The current implementation uses a bit in ct.label to handle policy update
       cases: the bit indicates that reply traffic should now be dropped.
  ii. Swap the usage of ct.label in the current implementation with ct.mark.

Patch 2:
   i. Add support in the parser to allow ct.label and ct.mark to be set from
      registers as well (as of now only an integer/masked integer is allowed).

Patch 3:
   i. Add a new column (named 'label') to table ACL in the northbound schema.
  ii. ovn-northd changes to enhance the logical flows to set ct.label to acl->label.
      For example:
      table=4 (ls_out_acl         ), .... action=(reg0[1] = 1; reg0[3] = 1; xxreg1 = 0x1234; next;)
      .
      .
      .
      table=7 (ls_out_stateful    ), ... match=(reg0[1] == 1 && reg0[3] == 1),
                                         action=(ct_commit(ct_mark=0/1, ct_label=xxreg1); next;)
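The debugging use case above (mapping a conntrack entry back to the ACL that committed it) can be scripted on the hypervisor side. The following is an added example, not part of this series; it parses lines in the shape of `ovs-appctl dpctl/dump-conntrack` output (sample lines and the label-to-ACL table are constructed for illustration) and, following this series, reads the ACL label from `labels=` and the "reply traffic now dropped" bit from bit 0 of `mark=`.

```python
import re
from typing import Optional

# Constructed sample: the field layout mimics `ovs-appctl dpctl/dump-conntrack`
# output; addresses, zone, mark and label values are made up for this example.
SAMPLE_DUMP = """\
tcp,orig=(src=10.0.0.3,dst=10.0.0.4,sport=41234,dport=22),reply=(src=10.0.0.4,dst=10.0.0.3,sport=22,dport=41234),zone=5,mark=1,labels=0x1234,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.0.0.3,dst=10.0.0.9,sport=5353,dport=53),reply=(src=10.0.0.9,dst=10.0.0.3,sport=53,dport=5353),zone=5,labels=0x2
icmp,orig=(src=10.0.0.3,dst=10.0.0.1,id=7,type=8,code=0),reply=(src=10.0.0.1,dst=10.0.0.3,id=7,type=0,code=0),zone=5,mark=0
"""

# Hypothetical operator-maintained mapping from the ACL 'label' column value
# (which ovn-northd commits into ct.label via ct_commit(ct_label=xxreg1))
# back to the ACL or security group rule it came from.
ACL_BY_LABEL = {
    0x1234: "sg-web: allow-related tcp dport 22",
    0x2: "sg-dns: allow-related udp dport 53",
}

ENTRY_RE = re.compile(
    r"^(?P<proto>\w+),orig=\((?P<orig>[^)]*)\),reply=\((?P<reply>[^)]*)\)"
    r"(?P<rest>.*)$"
)
# Only the top-level key=value fields we care about; protoinfo=(...) is skipped.
FIELD_RE = re.compile(r",(?P<k>mark|labels|zone)=(?P<v>[^,]+)")

def parse_entry(line: str) -> Optional[dict]:
    """Return a dict describing one conntrack entry, or None for unparsable input."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v for k, v in FIELD_RE.findall(m.group("rest"))}
    label = int(fields["labels"], 16) if "labels" in fields else 0
    mark = int(fields.get("mark", "0"))
    return {
        "proto": m.group("proto"),
        "orig": m.group("orig"),
        "zone": int(fields.get("zone", "0")),
        "label": label,
        "acl": ACL_BY_LABEL.get(label, "<no label / unknown ACL>"),
        # Per this series, bit 0 of ct.mark (ct_mark=0/1 at commit time) is the
        # policy-update flag: when set, reply traffic for this entry is dropped.
        "reply_blocked": bool(mark & 1),
    }

def map_conntrack(dump: str) -> list:
    """Parse a whole dump, silently skipping lines that do not look like entries."""
    return [e for e in (parse_entry(l) for l in dump.splitlines()) if e]
```

Entries whose label is 0 were committed without an ACL label (or by a flow that predates the label), so an "unknown ACL" result is expected for them rather than a parsing failure.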

Ankur Sharma (3):
  OVN ACL: Replace the usage of ct_label with ct_mark
  OVN ACL: Allow ct_mark and ct_label values to be set from register as
    well
  OVN ACL: Allow a user to input ct.label value for an acl

 Documentation/tutorials/ovn-openstack.rst | 12 ++---
 include/ovn/actions.h                     |  3 ++
 ovn/lib/actions.c                         | 78 ++++++++++++++++++++++++---
 ovn/lib/logical-fields.c                  |  3 ++
 ovn/northd/ovn-northd.8.xml               | 14 ++---
 ovn/northd/ovn-northd.c                   | 87 ++++++++++++++++++++-----------
 ovn/ovn-nb.ovsschema                      |  5 +-
 ovn/ovn-nb.xml                            | 12 +++++
 ovn/ovn-sb.xml                            | 39 ++++++++++----
 ovn/utilities/ovn-nbctl.c                 | 24 ++++++++-
 tests/ovn-nbctl.at                        | 12 ++++-
 tests/ovn.at                              | 84 +++++++++++++++++++++++++++--
 12 files changed, 300 insertions(+), 73 deletions(-)

--
1.8.3.1

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
