From patchwork Fri Oct 16 07:25:33 2015
X-Patchwork-Submitter: Justin Pettit
X-Patchwork-Id: 531062
From: Justin Pettit
In-Reply-To: <20151016002106.GA26905@nicira.com>
Date: Fri, 16 Oct 2015 00:25:33 -0700
References: <1444930371-49447-1-git-send-email-jpettit@nicira.com>
<20151016002106.GA26905@nicira.com>
To: Ben Pfaff
Cc: dev@openvswitch.org
Subject: Re: [ovs-dev] [PATCH] ovn: Add stateful ACL support.
> On Oct 15, 2015, at 5:21 PM, Ben Pfaff wrote:
>
> On Thu, Oct 15, 2015 at 10:32:51AM -0700, Justin Pettit wrote:
>> Add support for the "allow-related" ACL action. This is dependent on
>> the OVS conntrack functionality, which is not available on all platforms
>> or kernel versions.
>>
>> Here is a sample policy that will allow all tenants in logical switch
>> "ls0" to SSH to each other. Anyone can make an HTTP request to "lp0".
>> All other IP traffic is dropped:
>>
>> ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
>> ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
>> ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
>> && tcp.dst==80" allow-related
>> ovn-nbctl acl-add ls0 to-lport 1 ip drop
>>
>> Note: Kernel conntrack support is checked into the mainline Linux
>> kernel, but hasn't been backported to the main OVS repo yet.
>> ---
>> I've pushed this patch on a partial backport of conntrack here:
>>
>> https://github.com/justinpettit/ovs/tree/ovn-acl
>
> Thanks! This is going to be awesome.
>
> This lacks a Signed-off-by.
Whoops. Fixed.
> ovn-northd.xml needs an update to explain all the new flows and
> renumbered flow tables.
I totally missed that. Thanks.
> I get one "sparse" warning:
>
> ../ovn/lib/actions.c:151:13: warning: incorrect type in assignment (different base types)
> ../ovn/lib/actions.c:151:13: expected unsigned short [unsigned] [usertype] alg
> ../ovn/lib/actions.c:151:13: got restricted ovs_be16
D'oh. Fixed.
> In symtab_init() in ovn/controller/lflow.c, I think it would be a little
> better to define ct.trk as a subfield, instead of a predicate, since
> subfields are a little more general-purpose.
I couldn't get it to work by making it a predicate. I think it's related to the other ct_state fields depending on it, but let's discuss it tomorrow, because I'm probably missing something.
> Acked-by: Ben Pfaff
Thanks!
I went ahead and pushed it. I've appended an incremental.
--Justin
-=-=-=-=-=-=-=-=-=-=-=-
diff --git a/ovn/lib/actions.c b/ovn/lib/actions.c
index 5a9562e..aebe5ce 100644
--- a/ovn/lib/actions.c
+++ b/ovn/lib/actions.c
@@ -206,7 +206,7 @@ emit_ct(struct action_context *ctx, bool recirc_next, bool c
ct->zone_src.n_bits = 16;
/* We do not support ALGs yet. */
- ct->alg = htons(0);
+ ct->alg = 0;
/* CT only works with IP, so set up a prerequisite. */
struct expr *expr;
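Review bot: dropping htons() here is consistent with the sparse warning quoted earlier in the thread (alg is a plain unsigned short, not ovs_be16), and 0 is identical in either byte order, so behaviour is unchanged; consider extending the "We do not support ALGs yet." comment to say that alg is kept in host byte order, so the htons() is not reintroduced when real ALG support is added.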
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index 3c5d362..f51852e 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -137,24 +137,63 @@
be dropped.
- Ingress table 1: from-lport
ACLs
+ Ingress Table 1: from-lport
Pre-ACLs
+
+
+ Ingress table 1 prepares flows for possible stateful ACL processing
+ in table 2. It contains a priority-0 flow that simply moves
+ traffic to table 2. If stateful ACLs are used in the logical
+ datapath, a priority-100 flow is added that sends IP packets to
+ the connection tracker before advancing to table 2.
+
+
+ Ingress table 2: from-lport
ACLs
Logical flows in this table closely reproduce those in the
- ACL
table in the OVN_Northbound
database for
- the from-lport
direction. allow
and
- allow-related
ACLs translate into logical flows with the
- next;
action, others to drop;
. The
- priority
values from the ACL
table are used
- directly.
+ ACL
table in the OVN_Northbound
database
+ for the from-lport
direction. allow
+ ACLs translate into logical flows with the next;
+ action, allow-related
ACLs translate into logical
+ flows with the ct_next;
action, other ACLs translate
+ to drop;
. The priority
values from the
+ ACL
table are used directly.
- Ingress table 1 also contains a priority 0 flow with action
- next;
, so that ACLs allow packets by default.
+ Ingress table 2 also contains a priority 0 flow with action
+ next;
, so that ACLs allow packets by default. If the
+ logical datapath has a statetful ACL, the following flows will
+ also be added:
- Ingress Table 2: Destination Lookup
+
+ -
+ A priority-1 flow to commit IP traffic to the connection
+ tracker. This is needed for the default allow policy because,
+ while the initiater's direction may not have any stateful rules,
+ the server's may and then its return traffic would not be known
+ and marked as invalid.
+
+
+ -
+ A priority-65535 flow that allows any traffic that has been
+ committed to the connection tracker (i.e., established flows).
+
+
+ -
+ A priority-65535 flow that allows any traffic that is considered
+ related to a committed flow in the connection tracker (e.g., an
+ ICMP Port Unreachable from a non-listening UDP port).
+
+
+ -
+ A priority-65535 flow that drops all traffic marked by the
+ connection tracker as invalid.
+
+
+
+ Ingress Table 3: Destination Lookup
This table implements switching behavior. It contains these logical
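Review bot: two typos in the added text: "statetful" should be "stateful" and "initiater's" should be "initiator's". The new headings are also inconsistent in capitalization ("Ingress Table 1: from-lport Pre-ACLs" and "Ingress Table 3: Destination Lookup" versus "Ingress table 2: from-lport ACLs"). Separately, the text says ACL priorities are used directly and that a priority-1 flow commits IP traffic; a user ACL written at priority 1, such as the "to-lport 1 ip drop" rule in the sample policy, would then share a priority with that commit flow, and a sentence on which one wins (or why the tie cannot matter) would help readers.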
@@ -185,13 +224,20 @@
-
Egress Table 0: to-lport
ACLs
+ Egress Table 0: to-lport
Pre-ACLs
+
+
+ This is similar to ingress table 1 except for to-lport
+ traffic.
+
+
+ Egress Table 1: to-lport
ACLs
- This is similar to ingress table 1 except for to-lport
ACLs.
+ This is similar to ingress table 2 except for to-lport
ACLs.
- Egress Table 1: Egress Port Security
+ Egress Table 2: Egress Port Security
This is similar to the ingress port security logic in ingress table 0,