Hi Alin/Anand,

We have a project that needs to support ALG FTP on Windows OVS. I added 
CT_HELP and CT_TUPLE_MASTER in a previously merged patch. Now we also need to 
support ct_mark and ct_labels. We have tested that FTP data traffic cannot 
inherit ct_mark and ct_labels from its master FTP control traffic in the current 
implementation. I have cooked a patch to implement it, but I have a point of 
confusion that I need to discuss with you guys.

In our project there is a rule like “ruleid (0x1000) from(any) to(any) 
service(ftp) allow”. This rule will be pushed to OVS by the controller. The 
ruleid will be set in the ct_mark field only in the ftp control flow:

    actions=ct(commit,zone=61439,mark=0x3f1/0xffffffff,label=0x1018/0xffffffff000000000000000000001fff,helper=ftp),

while the ftp data flow has no ct_mark field:

    actions=ct(commit,zone=61439,label=0x80/0xffffffff0000000000001380).

In general, the CT entry cannot derive the ct_mark at connection commit because 
there is no ct_mark field in the flow rule's ct actions. FTP data traffic, 
however, has a master conntrack entry. If its master conntrack entry has a 
ct_mark, should the FTP data conntrack entry inherit its master's ct_mark even 
though there is no ct_mark field in its own ct actions?

I checked the userspace datapath ALG FTP support code. It seems it will not 
inherit the master's ct_mark/ct_labels if there is no ct_mark/ct_labels field 
in the ct commit actions.
https://github.com/openvswitch/ovs/blob/master/lib/conntrack.c#L1374
    if (conn && setmark) {   <<<< setmark should be NULL if there is no
ct_mark field in the ct commit actions. If setmark is NULL for FTP data traffic,
it cannot inherit the master's mark even if the master has a mark.
        set_mark(pkt, conn, setmark[0], setmark[1]);
    }

    if (conn && setlabel) {  <<<<
        set_label(pkt, conn, &setlabel[0], &setlabel[1]);
    }

I don't know how the Linux datapath implements it, but for the same ALG FTP 
rule in our project, the FTP data traffic can inherit the master's mark in 
Linux OVS even though there is no ct_mark field in the ct commit actions.
Do you have any suggestion here? Either the FTP data flow should always inherit 
the master's mark/labels even though it has no ct_mark/ct_labels field in the 
ct commit actions, or it should always consider the ct_mark/ct_labels fields in 
its own ct commit actions first.

Thanks,
- Jinjun

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
