On 3/7/22 18:46, [email protected] wrote:
> From: Numan Siddique <[email protected]>
>
> Presently for ACLs and LBs we do the following in the logical switch
> ingress pipeline
>
> 1. Send the packet to conntrack.
> 2. Apply ACLs (from-lport)
> 3a. If the packet is a new connection and it is destined to the LB
>     VIP, then select a backend (and commit to conntrack with DNAT).
> 3b. If the packet is a new connection and it doesn't match 3a, then
>     commit to conntrack.
>
> With the above approach, we cannot address the scenario of applying
> ACLs after the load balancing. There can be ACLs which could match
> on the load balancer backend IPs.
>
> This patch addresses this use case by
>
> 1. Send the packet to conntrack.
> 2. Apply ACLs (from-lport, not configured with apply-after-lb=true)
> 3. If the packet is a new connection and it is destined to the LB
>    VIP, then select a backend (and commit to conntrack with DNAT).
> 4. Apply ACLs (from-lport, configured with apply-after-lb=true)
> 5. If the packet is a new connection and it didn't match (2), then
>    commit to conntrack.
>
> In order to support this use case, this patch supports an option
> "apply-after-lb=true" in the ACL table. This option is valid
> only for "from-lport" ACLs.
>
> Suggested-by: Dumitru Ceara <[email protected]>
> Signed-off-by: Numan Siddique <[email protected]>
> ---
Aside from Han's comments, the rest looks good to me, thanks!

Acked-by: Dumitru Ceara <[email protected]>

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
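The ordering change the commit message describes (conntrack, then from-lport ACLs, then LB backend selection with DNAT, then the apply-after-lb ACLs, then commit) is easiest to see with the two ACL placements side by side. The following is an added toy model written for this page; it is not OVN code and not part of the patch. It replaces OVN match strings with Python predicates, models only new connections, picks the backend deterministically, treats "no ACL matched" as allow, and uses constructed addresses (VIP 192.0.2.10:80, backend 10.0.0.2:8080, client 10.0.0.1). The point it demonstrates is why an ACL written against a backend IP never matches VIP traffic at the pre-LB stage (the destination is still the VIP there) but does match once it runs after the DNAT.

```python
"""Toy model of the logical-switch ingress ordering from the commit message:
conntrack -> from-lport ACLs -> LB DNAT -> apply-after-lb ACLs -> commit.
Added illustration for this thread, not OVN code."""
import zlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]          # (src, dst, dport): constructed stand-in for a 5-tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Acl:
    priority: int
    match: Callable[[Packet], bool]     # stands in for the ACL "match" string
    action: str                         # "allow" or "drop"
    apply_after_lb: bool = False        # the new options:apply-after-lb=true


@dataclass
class LoadBalancer:
    vip: Tuple[str, int]
    backends: List[Tuple[str, int]]


@dataclass
class Switch:
    acls: List[Acl]
    lbs: List[LoadBalancer]
    # committed conntrack entries: flow key -> DNAT target (None when no NAT was applied)
    conntrack: Dict[FlowKey, Optional[Tuple[str, int]]] = field(default_factory=dict)


def _eval_acls(acls: List[Acl], pkt: Packet) -> str:
    """Highest-priority matching ACL wins; no match is treated as allow (model choice)."""
    for acl in sorted(acls, key=lambda a: -a.priority):
        if acl.match(pkt):
            return acl.action
    return "allow"


def ingress(sw: Switch, pkt: Packet) -> Tuple[str, Packet, List[str]]:
    """Run one packet through the modelled ingress pipeline.
    Returns (verdict, packet as it leaves the pipeline, per-stage trace)."""
    trace: List[str] = []
    key: FlowKey = (pkt.src, pkt.dst, pkt.dport)
    # 1. send to conntrack (modelled as a lookup; only new connections are handled here)
    if key in sw.conntrack:
        raise NotImplementedError("model covers new connections only")
    trace.append("ct: new")
    # 2. from-lport ACLs *without* apply-after-lb see the original destination (the VIP)
    verdict = _eval_acls([a for a in sw.acls if not a.apply_after_lb], pkt)
    trace.append(f"acl-pre-lb: {verdict}")
    if verdict == "drop":
        return "drop", pkt, trace
    # 3. new connection to a VIP: select a backend, DNAT, and commit with the NAT
    committed = False
    for lb in sw.lbs:
        if (pkt.dst, pkt.dport) == lb.vip:
            idx = zlib.crc32(repr(key).encode()) % len(lb.backends)  # deterministic pick
            bip, bport = lb.backends[idx]
            sw.conntrack[key] = (bip, bport)
            pkt = Packet(pkt.src, bip, bport)
            committed = True
            trace.append(f"lb: dnat -> {bip}:{bport}")
            break
    # 4. from-lport ACLs *with* apply-after-lb see the backend address after DNAT
    verdict = _eval_acls([a for a in sw.acls if a.apply_after_lb], pkt)
    trace.append(f"acl-after-lb: {verdict}")
    if verdict == "drop":
        return "drop", pkt, trace
    # 5. commit the connection if the LB stage did not already do so
    if not committed:
        sw.conntrack[key] = None
        trace.append("ct: commit")
    return "allow", pkt, trace


def _build_switch(apply_after_lb: bool) -> Switch:
    """One LB and one ACL that drops traffic to the backend IP (constructed addresses)."""
    block_backend = Acl(2000, lambda p: p.dst == "10.0.0.2", "drop", apply_after_lb)
    return Switch(acls=[block_backend],
                  lbs=[LoadBalancer(("192.0.2.10", 80), [("10.0.0.2", 8080)])])


def run_vip_scenario(apply_after_lb: bool) -> Tuple[str, str, List[str]]:
    """Client -> VIP.  Returns (verdict, final destination IP, trace)."""
    verdict, out, trace = ingress(_build_switch(apply_after_lb), Packet("10.0.0.1", "192.0.2.10", 80))
    return verdict, out.dst, trace


def run_direct_scenario(apply_after_lb: bool) -> Tuple[str, str, List[str]]:
    """Client -> backend directly, bypassing the VIP."""
    verdict, out, trace = ingress(_build_switch(apply_after_lb), Packet("10.0.0.1", "10.0.0.2", 8080))
    return verdict, out.dst, trace


if __name__ == "__main__":
    for flag in (False, True):
        print(f"apply-after-lb={flag}: via VIP -> {run_vip_scenario(flag)[:2]}, "
              f"direct -> {run_direct_scenario(flag)[:2]}")
```

Without the option the "drop 10.0.0.2" ACL is evaluated while the destination is still 192.0.2.10, so VIP traffic reaches the backend; with apply-after-lb=true the same ACL runs on the post-DNAT packet and drops it. Traffic sent straight to the backend is dropped either way, which is the behaviour an operator would expect from an ACL keyed on a backend address.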
