From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Date: Fri, 11 Jan 2019 00:16:29 +0000
Message-ID: <1547165793-14659-1-git-send-email-ankur.sharma@nutanix.com>
Subject: [ovs-dev] [RFC PATCH v1 0/3] Associate identifier with OVN ACL connection tracking entry

What:
====
a. Goal is to be able to associate some identifier with a connection
   tracking entry.
b. This identifier can be used to map OVN ACL which added this entry or
   higher level constructs like OpenStack security group etc.
c. There are 2 connection tracking fields which can be used for it:
   ct.mark (32 bits) and ct.label (128 bits).
d. Patch intends to use ct.label, as this is a longer field and hence
   would be put to a better use, if it stores the identifier.

Why:
====
a. Adding an identifier would help in debugging.
b. Now, we can map a connection tracking entry to corresponding acl,
   security group etc.

How:
====
Following is the sequence of changes:

Patch 1:
  i.  Current implementation uses a bit in ct.label to handle policy
      update cases, where we use a bit in ct.label to indicate that
      reply traffic should be dropped now.
  ii. Swap the usage of ct.label in current implementation with ct.mark.

Patch 2:
  i.  Add support in parser to allow ct.label and mark to be set from
      registers as well (as of now only integer/masked integer is
      allowed).

Patch 3:
  i.  Add a new column (named 'label') to Table ACL in northbound schema.
  ii. ovn-northd changes to enhance logical flows to set ct.label to
      acl->label.

For example:

  table=4 (ls_out_acl ), .... action=(reg0[1] = 1; reg0[3] = 1; xxreg1 = 0x1234; next;)
  .
  .
  .
  table=7 (ls_out_stateful ), ... match=(reg0[1] == 1 && reg0[3] == 1), action=(ct_commit(ct_mark=0/1, ct_label=xxreg1); next;)

Ankur Sharma (3):
  OVN ACL: Replace the usage of ct_label with ct_mark
  OVN ACL: Allow ct_mark and ct_label values to be set from register as well
  OVN ACL: Allow a user to input ct.label value for an acl

 include/ovn/actions.h       |  3 ++
 ovn/lib/actions.c           | 73 ++++++++++++++++++++++++++++++++++----
 ovn/lib/logical-fields.c    |  1 +
 ovn/northd/ovn-northd.8.xml | 14 ++++----
 ovn/northd/ovn-northd.c     | 85 ++++++++++++++++++++++++++++-----------------
 ovn/ovn-nb.ovsschema        |  5 +--
 ovn/ovn-nb.xml              |  9 +++++
 ovn/utilities/ovn-nbctl.c   | 24 ++++++++++++-
 tests/ovn-nbctl.at          | 12 +++++--
 tests/ovn.at                | 66 ++++++++++++++++++++++++++++++++---
 10 files changed, 239 insertions(+), 53 deletions(-)
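
Added example, not part of the original message or of the patch series: the debugging use described under "Why", mapping each connection tracking entry back to the ACL that committed it and reading the reply-drop bit that patch 1 moves to ct.mark. The dump lines are constructed (laid out like `ovs-appctl dpctl/dump-conntrack` output), the label-to-ACL table and ACL names are hypothetical, and bit 0 of the mark is assumed from `ct_mark=0/1` in the flow above.

```python
import re

# Constructed sample, laid out like `ovs-appctl dpctl/dump-conntrack` output.
SAMPLE_DUMP = """\
tcp,orig=(src=10.0.0.4,dst=10.0.0.9,sport=51514,dport=443),reply=(src=10.0.0.9,dst=10.0.0.4,sport=443,dport=51514),zone=7,labels=0x1234,protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=40222,dport=22),reply=(src=10.0.0.9,dst=10.0.0.5,sport=22,dport=40222),zone=7,mark=1,labels=0x2001,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.0.0.4,dst=10.0.0.2,sport=5353,dport=53),reply=(src=10.0.0.2,dst=10.0.0.4,sport=53,dport=5353),zone=7
"""

# Hypothetical export of the proposed ACL 'label' column: label -> ACL name.
ACL_BY_LABEL = {0x1234: "allow-https-to-web", 0x2001: "allow-ssh-from-bastion"}

REPLY_DROP_BIT = 0x1        # ct_mark bit 0, assumed from ct_mark=0/1 above
LABEL_MAX = (1 << 128) - 1  # ct.label is 128 bits wide


def parse_entry(line):
    """Return protocol, zone, mark and label of one conntrack dump line."""
    flat = re.sub(r"\([^()]*\)", "", line)  # drop orig=(...), reply=(...)
    proto, *pairs = flat.split(",")
    fields = dict(p.split("=", 1) for p in pairs if "=" in p)
    entry = {"proto": proto}
    for key, name in (("zone", "zone"), ("mark", "mark"), ("labels", "label")):
        entry[name] = int(fields.get(key, "0"), 0)  # treat an absent field as 0
    if entry["label"] > LABEL_MAX:
        raise ValueError(f"label wider than 128 bits: {line!r}")
    return entry


def attribute(dump, acl_by_label):
    """Attach the committing ACL and the reply-drop flag to every entry."""
    report = []
    for line in filter(None, map(str.strip, dump.splitlines())):
        entry = parse_entry(line)
        if entry["label"] == 0:
            entry["acl"] = None       # committed without an identifier
        else:                         # a label no ACL owns deserves a look
            entry["acl"] = acl_by_label.get(entry["label"], "UNKNOWN")
        entry["reply_drop"] = bool(entry["mark"] & REPLY_DROP_BIT)
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in attribute(SAMPLE_DUMP, ACL_BY_LABEL):
        print(e)
```

An entry reported as `UNKNOWN` carries a label that no current ACL owns, which is the case an operator auditing stale or unexpected connections would want surfaced.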