On 3/3/23 13:20, Abhiram Sangana wrote:
>
>
>> On 13 Feb 2023, at 16:35, Abhiram Sangana <[email protected]>
>> wrote:
>>
>> This patch adds support to commit connections dropped/rejected by
>> ACLs to the connection tracking table. Dropped connections are
>> committed to conntrack only if NB_Global options:ct_commit_acl_drop
>> is set to true (false by default) and ACL dropping/rejecting the
>> connection has label configured. The dropped connections are
>> committed in a separate conntrack zone so that they can be managed
>> independently and do not interact with the connection tracking state
>> of allowed connections.
>>
>> This provides a new approach to identify connections dropped by ACLs
>> besides the existing ACL logging and drop sampling approaches.
>>
>> Each logical switch is assigned a new conntrack zone for committing
>> dropped flows. The zone is loaded into register MFF_LOG_ACL_DROP_ZONE.
>> A new lflow action "ct_commit_drop" is introduced that commits flows
>> to connection tracking table in a zone identified by
>> MFF_LOG_ACL_DROP_ZONE register. An ACL with "drop" or "reject" action
>> and non-empty label translates to include "ct_commit_drop" in its
>> actions instead of simply dropping/rejecting the packet.
>>
>> Signed-off-by: Abhiram Sangana <[email protected]>
>> ---
>> controller/ovn-controller.c | 14 +++-
>> controller/physical.c | 32 ++++++++-
>> include/ovn/actions.h | 1 +
>> include/ovn/logical-fields.h | 1 +
>> lib/actions.c | 65 +++++++++++++++++
>> lib/ovn-util.c | 4 +-
>> lib/ovn-util.h | 2 +-
>> northd/northd.c | 25 ++++++-
>> northd/ovn-northd.8.xml | 30 +++++++-
>> ovn-nb.xml | 17 +++--
>> ovn-sb.xml | 22 ++++++
>> tests/ovn-nbctl.at | 10 ++-
>> tests/ovn-northd.at | 133 ++++++++++++++++++++++++-----------
>> tests/ovn.at | 90 +++++++++++++++++++++++-
>> utilities/ovn-nbctl.c | 7 --
>> utilities/ovn-trace.c | 2 +
>> 16 files changed, 383 insertions(+), 72 deletions(-)
>>
>
> Can someone please review this patch?
>
> Thank you,
> Abhiram Sangana

Sorry for the delay, Abhiram. I'll try to get to this early next week.

Regards,
Dumitru
