[ovs-dev,RFC,v1,0/3] Associate identifier with OVN ACL connection tracking entry

Message ID 1547165793-14659-1-git-send-email-ankur.sharma@nutanix.com


Ankur Sharma Jan. 11, 2019, 12:16 a.m. UTC
What:
====
a. The goal is to be able to associate some identifier with a connection tracking
entry.

b. This identifier can be used to map to the OVN ACL which added this entry, or
to higher-level constructs like an OpenStack security group, etc.

c. There are 2 connection tracking fields which can be used for it:
ct.mark (32 bits) and ct.label (128 bits).

d. The patch intends to use ct.label, as this is the longer field and
hence would be put to better use if it stores the identifier.

Why:
====
a. Adding an identifier would help in debugging.
b. Now we can map a connection tracking entry to the corresponding
   ACL, security group, etc.

How:
====
Following is the sequence of changes:

Patch 1:
i.  The current implementation uses a bit in ct.label to handle policy update cases:
    that bit in ct.label indicates that reply traffic should
    be dropped now.
ii. Swap the usage of ct.label in the current implementation with ct.mark.

Patch 2:
i. Add support in the parser to allow ct.label and ct.mark to be set from registers
as well (as of now only an integer or masked integer is allowed).

Patch 3:
i. Add a new column (named 'label') to the ACL table in the northbound schema.
ii. ovn-northd changes to enhance the logical flows to set ct.label to acl->label.
For example:
table=4 (ls_out_acl         ), .... action=(reg0[1] = 1; reg0[3] = 1; xxreg1 = 0x1234; next;)
.
.
.
table=7 (ls_out_stateful    ), ... match=(reg0[1] == 1 && reg0[3] == 1),
                                   action=(ct_commit(ct_mark=0/1, ct_label=xxreg1); next;)


Ankur Sharma (3):
  OVN ACL: Replace the usage of ct_label with ct_mark
  OVN ACL: Allow ct_mark and ct_label values to be set from register as
    well
  OVN ACL: Allow a user to input ct.label value for an acl

 include/ovn/actions.h       |  3 ++
 ovn/lib/actions.c           | 73 ++++++++++++++++++++++++++++++++++----
 ovn/lib/logical-fields.c    |  1 +
 ovn/northd/ovn-northd.8.xml | 14 ++++----
 ovn/northd/ovn-northd.c     | 85 ++++++++++++++++++++++++++++-----------------
 ovn/ovn-nb.ovsschema        |  5 +--
 ovn/ovn-nb.xml              |  9 +++++
 ovn/utilities/ovn-nbctl.c   | 24 ++++++++++++-
 tests/ovn-nbctl.at          | 12 +++++--
 tests/ovn.at                | 66 ++++++++++++++++++++++++++++++++---
 10 files changed, 239 insertions(+), 53 deletions(-)
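As an added example (not part of this patch series or of the OVN code base), the following Python shows the debugging use the cover letter motivates: it reads a constructed `ovs-appctl dpctl/dump-conntrack` dump, pulls out `zone`, `mark` and `labels` from each entry, and maps the 128-bit label back to the ACL and security group that committed it. It assumes the scheme in the example flows above, i.e. `ct_commit(ct_mark=0/1, ct_label=xxreg1)`: ct.label carries the value of the ACL's proposed 'label' column, and bit 0 of ct.mark is the "drop reply traffic" bit that patch 1 moves out of ct.label. The ACL table, the dump lines, the `CT_MARK_BLOCKED_BIT` name and the meaning attached to that bit are assumptions for illustration only.

```python
"""Map conntrack entries back to the OVN ACL that committed them.

Added example, not code from the patch series. It assumes the scheme the
cover letter describes: ct_commit(ct_mark=0/1, ct_label=<acl label>), i.e.
bit 0 of ct.mark is the "drop reply traffic" bit and ct.label holds the
identifier from the ACL's proposed 'label' column. The dump lines and the
ACL table below are constructed for the example.
"""
import re

# Bit 0 of ct.mark, from the ct_mark=0/1 mask in the cover letter's example
# flow. Its meaning (reply traffic blocked after a policy update) is an
# assumption drawn from the cover letter, not verified against the patches.
CT_MARK_BLOCKED_BIT = 1 << 0

# Constructed: what the northbound ACL 'label' column might hold, keyed by
# the label value a flow would commit into ct.label.
ACL_BY_LABEL = {
    0x1234: {"acl": "allow-related tcp.dst==80", "security_group": "sg-web"},
    0x2345: {"acl": "allow-related tcp.dst==22", "security_group": "sg-admin"},
}

# Constructed sample in the shape of "ovs-appctl dpctl/dump-conntrack" output.
# The udp entry has no mark/labels fields, like an entry committed without them.
SAMPLE_DUMP = """\
tcp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=40000,dport=80),reply=(src=10.0.0.9,dst=10.0.0.5,sport=80,dport=40000),zone=7,mark=0,labels=0x1234,protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.0.0.6,dst=10.0.0.9,sport=40001,dport=22),reply=(src=10.0.0.9,dst=10.0.0.6,sport=22,dport=40001),zone=7,mark=1,labels=0x2345,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.0.0.7,dst=10.0.0.9,sport=5000,dport=53),reply=(src=10.0.0.9,dst=10.0.0.7,sport=53,dport=5000),zone=7
"""

# Top-level key=value fields we care about; int(v, 0) accepts both the
# decimal zone/mark and the 0x-prefixed 128-bit label at any width.
_FIELD_RE = re.compile(r"(?:^|,)(zone|mark|labels)=([0-9a-fA-Fx]+)")
_TUPLE_RE = re.compile(r"orig=\(src=([^,]+),dst=([^,]+),sport=(\d+),dport=(\d+)\)")


def parse_entry(line):
    """Return the original 5-tuple plus zone/mark/labels (missing fields -> 0)."""
    proto = line.split(",", 1)[0]
    m = _TUPLE_RE.search(line)
    if m is None:
        raise ValueError("no orig tuple in conntrack entry: " + line)
    fields = {name: int(value, 0) for name, value in _FIELD_RE.findall(line)}
    return {
        "proto": proto,
        "src": m.group(1), "dst": m.group(2),
        "sport": int(m.group(3)), "dport": int(m.group(4)),
        "zone": fields.get("zone", 0),
        "mark": fields.get("mark", 0),
        "labels": fields.get("labels", 0),
    }


def annotate(line):
    """Attach the ACL/security group that committed the entry, or say why not."""
    entry = parse_entry(line)
    label = entry["labels"]
    entry["acl"] = None
    if label == 0:
        # Nothing to map: committed without a label (pre-change entry, or a
        # flow that does not set ct_label).
        entry["note"] = "no label"
    elif label in ACL_BY_LABEL:
        entry["acl"] = ACL_BY_LABEL[label]["acl"]
        entry["security_group"] = ACL_BY_LABEL[label]["security_group"]
        blocked = bool(entry["mark"] & CT_MARK_BLOCKED_BIT)
        entry["note"] = "blocked after policy update" if blocked else "allowed"
    else:
        entry["note"] = "unknown label 0x%x" % label
    return entry


def report(dump=SAMPLE_DUMP):
    """Annotate every non-empty line of a conntrack dump."""
    return [annotate(line) for line in dump.splitlines() if line.strip()]


if __name__ == "__main__":
    for e in report():
        print("%s %s:%d -> %s:%d zone=%d label=0x%x acl=%s (%s)" % (
            e["proto"], e["src"], e["sport"], e["dst"], e["dport"],
            e["zone"], e["labels"], e["acl"], e["note"]))
```

Two caveats worth keeping in mind when using this for debugging: the label is written only at `ct_commit` time, so an established entry keeps whatever label the ACL had when the connection was first committed, and a later edit of the ACL's label column will not be reflected in that entry; and conntrack entries are per zone, so the zone should be carried alongside the label when correlating with a logical switch port's ACLs.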