@@ -108,6 +108,7 @@ ovn_init_symtab(struct shash *symtab)
/* Connection tracking state. */
expr_symtab_add_field(symtab, "ct_mark", MFF_CT_MARK, NULL, false);
+ expr_symtab_add_subfield(symtab, "ct_mark.blocked", NULL, "ct_mark[0]");
expr_symtab_add_field(symtab, "ct_label", MFF_CT_LABEL, NULL, false);
expr_symtab_add_subfield(symtab, "ct_label.blocked", NULL, "ct_label[0]");
@@ -286,14 +286,14 @@
</li>
<li>
<code>allow-related</code> ACLs translate into logical
- flows with the <code>ct_commit(ct_label=0/1); next;</code> actions
+ flows with the <code>ct_commit(ct_mark=0/1); next;</code> actions
for new connections and <code>reg0[1] = 1; next;</code> for existing
connections.
</li>
<li>
Other ACLs translate to <code>drop;</code> for new or untracked
- connections and <code>ct_commit(ct_label=1/1);</code> for known
- connections. Setting <code>ct_label</code> marks a connection
+ connections and <code>ct_commit(ct_mark=1/1);</code> for known
+ connections. Setting <code>ct_mark</code> marks a connection
as one that was previously allowed, but should no longer be
allowed due to a policy change.
</li>
@@ -319,12 +319,12 @@
A priority-65535 flow that allows any traffic in the reply
direction for a connection that has been committed to the
connection tracker (i.e., established flows), as long as
- the committed flow does not have <code>ct_label.blocked</code> set.
+ the committed flow does not have <code>ct_mark.blocked</code> set.
We only handle traffic in the reply direction here because
we want all packets going in the request direction to still
go through the flows that implement the currently defined
policy based on ACLs. If a connection is no longer allowed by
- policy, <code>ct_label.blocked</code> will get set and packets in the
+ policy, <code>ct_mark.blocked</code> will get set and packets in the
reply direction will no longer be allowed, either.
</li>
@@ -332,7 +332,7 @@
A priority-65535 flow that allows any traffic that is considered
related to a committed flow in the connection tracker (e.g., an
ICMP Port Unreachable from a non-listening UDP port), as long
- as the committed flow does not have <code>ct_label.blocked</code> set.
+ as the committed flow does not have <code>ct_mark.blocked</code> set.
</li>
<li>
@@ -342,7 +342,7 @@
<li>
A priority-65535 flow that drops all trafic in the reply direction
- with <code>ct_label.blocked</code> set meaning that the connection
+ with <code>ct_mark.blocked</code> set meaning that the connection
should no longer be allowed due to a policy change. Packets
in the request direction are skipped here to let a newly created
ACL re-allow this connection.
@@ -3546,13 +3546,13 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
* It's also possible that a known connection was marked for
* deletion after a policy was deleted, but the policy was
* re-added while that connection is still known. We catch
- * that case here and un-set ct_label.blocked (which will be done
+ * that case here and un-set ct_mark.blocked (which will be done
* by ct_commit in the "stateful" stage) to indicate that the
* connection should be allowed to resume.
*/
ds_put_format(&match, "((ct.new && !ct.est)"
" || (!ct.new && ct.est && !ct.rpl "
- "&& ct_label.blocked == 1)) "
+ "&& ct_mark.blocked == 1)) "
"&& (%s)", acl->match);
ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
build_acl_log(&actions, acl);
@@ -3573,7 +3573,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
ds_clear(&actions);
ds_put_format(&match,
"!ct.new && ct.est && !ct.rpl"
- " && ct_label.blocked == 0 && (%s)",
+ " && ct_mark.blocked == 0 && (%s)",
acl->match);
build_acl_log(&actions, acl);
@@ -3599,7 +3599,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
/* If the packet is not part of an established connection, then
* we can simply reject/drop it. */
ds_put_cstr(&match,
- "(!ct.est || (ct.est && ct_label.blocked == 1))");
+ "(!ct.est || (ct.est && ct_mark.blocked == 1))");
if (!strcmp(acl->action, "reject")) {
build_reject_acl_rules(od, lflows, stage, acl, &match,
&actions);
@@ -3611,11 +3611,11 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(&match), ds_cstr(&actions));
}
- /* For an existing connection without ct_label set, we've
+ /* For an existing connection without ct_mark set, we've
* encountered a policy change. ACLs previously allowed
* this connection and we committed the connection tracking
* entry. Current policy says that we should drop this
- * connection. First, we set bit 0 of ct_label to indicate
+ * connection. First, we set bit 0 of ct_mark to indicate
* that this connection is set for deletion. By not
* specifying "next;", we implicitly drop the packet after
* updating conntrack state. We would normally defer
@@ -3624,8 +3624,8 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
*/
ds_clear(&match);
ds_clear(&actions);
- ds_put_cstr(&match, "ct.est && ct_label.blocked == 0");
- ds_put_cstr(&actions, "ct_commit(ct_label=1/1); ");
+ ds_put_cstr(&match, "ct.est && ct_mark.blocked == 0");
+ ds_put_cstr(&actions, "ct_commit(ct_mark=1/1); ");
if (!strcmp(acl->action, "reject")) {
build_reject_acl_rules(od, lflows, stage, acl, &match,
&actions);
@@ -3748,56 +3748,56 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
* subsequent packets will hit the flow at priority 0 that just
* uses "next;"
*
- * We also check for established connections that have ct_label.blocked
+ * We also check for established connections that have ct_mark.blocked
* set on them. That's a connection that was disallowed, but is
* now allowed by policy again since it hit this default-allow flow.
- * We need to set ct_label.blocked=0 to let the connection continue,
+ * We need to set ct_mark.blocked=0 to let the connection continue,
* which will be done by ct_commit() in the "stateful" stage.
* Subsequent packets will hit the flow at priority 0 that just
* uses "next;". */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1,
- "ip && (!ct.est || (ct.est && ct_label.blocked == 1))",
+ "ip && (!ct.est || (ct.est && ct_mark.blocked == 1))",
REGBIT_CONNTRACK_COMMIT" = 1; next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1,
- "ip && (!ct.est || (ct.est && ct_label.blocked == 1))",
+ "ip && (!ct.est || (ct.est && ct_mark.blocked == 1))",
REGBIT_CONNTRACK_COMMIT" = 1; next;");
/* Ingress and Egress ACL Table (Priority 65535).
*
* Always drop traffic that's in an invalid state. Also drop
* reply direction packets for connections that have been marked
- * for deletion (bit 0 of ct_label is set).
+ * for deletion (bit 0 of ct_mark is set).
*
* This is enforced at a higher priority than ACLs can be defined. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
- "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
+ "ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)",
"drop;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
- "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
+ "ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)",
"drop;");
/* Ingress and Egress ACL Table (Priority 65535).
*
* Allow reply traffic that is part of an established
* conntrack entry that has not been marked for deletion
- * (bit 0 of ct_label). We only match traffic in the
+ * (bit 0 of ct_mark). We only match traffic in the
* reply direction because we want traffic in the request
* direction to hit the currently defined policy from ACLs.
*
* This is enforced at a higher priority than ACLs can be defined. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
"ct.est && !ct.rel && !ct.new && !ct.inv "
- "&& ct.rpl && ct_label.blocked == 0",
+ "&& ct.rpl && ct_mark.blocked == 0",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
"ct.est && !ct.rel && !ct.new && !ct.inv "
- "&& ct.rpl && ct_label.blocked == 0",
+ "&& ct.rpl && ct_mark.blocked == 0",
"next;");
/* Ingress and Egress ACL Table (Priority 65535).
*
* Allow traffic that is related to an existing conntrack entry that
- * has not been marked for deletion (bit 0 of ct_label).
+ * has not been marked for deletion (bit 0 of ct_mark).
*
* This is enforced at a higher priority than ACLs can be defined.
*
@@ -3807,11 +3807,11 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
* that's generated from a non-listening UDP port. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
"!ct.est && ct.rel && !ct.new && !ct.inv "
- "&& ct_label.blocked == 0",
+ "&& ct_mark.blocked == 0",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
"!ct.est && ct.rel && !ct.new && !ct.inv "
- "&& ct_label.blocked == 0",
+ "&& ct_mark.blocked == 0",
"next;");
/* Ingress and Egress ACL Table (Priority 65535).
@@ -3989,13 +3989,13 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows)
ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;");
/* If REGBIT_CONNTRACK_COMMIT is set as 1, then the packets should be
- * committed to conntrack. We always set ct_label.blocked to 0 here as
+ * committed to conntrack. We always set ct_mark.blocked to 0 here as
* any packet that makes it this far is part of a connection we
* want to allow to continue. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,
- REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;");
+ REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_mark=0/1); next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 100,
- REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;");
+ REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_mark=0/1); next;");
/* If REGBIT_CONNTRACK_NAT is set as 1, then packets should just be sent
* through nat (without committing).
@@ -171,6 +171,7 @@ ct.trk = ct_state[5]
ct_label = NXM_NX_CT_LABEL
ct_label.blocked = ct_label[0]
ct_mark = NXM_NX_CT_MARK
+ct_mark.blocked = ct_mark[0]
ct_state = NXM_NX_CT_STATE
]])
AT_CLEANUP
@@ -356,7 +357,7 @@ eth.src == {$set3, badmac, 00:00:00:00:00:01} => Syntax error at `badmac' expect
((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) => Parentheses nested too deeply.
-ct_label > $set4 => Only == and != operators may be used to compare a field against an empty value set.
+ct_mark > $set4 => Only == and != operators may be used to compare a field against an empty value set.
]])
sed 's/ =>.*//' test-cases.txt > input.txt
sed 's/.* => //' test-cases.txt > expout
@@ -703,10 +704,10 @@ ip,nw_src=10.0.0.2: conjunction(1, 1/2)
ip,nw_src=10.0.0.3: conjunction(1, 1/2)
])
-lflow="ip && (!ct.est || (ct.est && ct_label.blocked == 1))"
+lflow="ip && (!ct.est || (ct.est && ct_mark.blocked == 1))"
AT_CHECK([expr_to_flow "$lflow"], [0], [dnl
-ct_state=+est+trk,ct_label=0x1/0x1,ip
-ct_state=+est+trk,ct_label=0x1/0x1,ipv6
+ct_state=+est+trk,ct_mark=0x1/0x1,ip
+ct_state=+est+trk,ct_mark=0x1/0x1,ipv6
ct_state=-est+trk,ip
ct_state=-est+trk,ipv6
])
OVN ACL implementation used ct_label to indicate if a previosuly allowed connection shoudl not be allowed anymore and vice versa. However, ct_label is a 128 bit value and we should rather leverage on ct_mark which is a 32 bit value. Using ct_mark for this purpose, allows us to use ct_label for storing other values like, identifier for corresponidng OVN ACL/Security group etc. signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com> --- ovn/lib/logical-fields.c | 1 + ovn/northd/ovn-northd.8.xml | 14 ++++++------- ovn/northd/ovn-northd.c | 48 ++++++++++++++++++++++----------------------- tests/ovn.at | 9 +++++---- 4 files changed, 37 insertions(+), 35 deletions(-)