From patchwork Fri Oct 16 07:25:33 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Justin Pettit X-Patchwork-Id: 531062 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from archives.nicira.com (unknown [IPv6:2600:3c00::f03c:91ff:fe6e:bdf7]) by ozlabs.org (Postfix) with ESMTP id 693C41402D0 for ; Fri, 16 Oct 2015 18:25:41 +1100 (AEDT) Received: from archives.nicira.com (localhost [127.0.0.1]) by archives.nicira.com (Postfix) with ESMTP id 3E5BA10C4B; Fri, 16 Oct 2015 00:25:40 -0700 (PDT) X-Original-To: dev@openvswitch.org Delivered-To: dev@openvswitch.org Received: from mx3v1.cudamail.com (mx3.cudamail.com [64.34.241.5]) by archives.nicira.com (Postfix) with ESMTPS id 2547210C4A for ; Fri, 16 Oct 2015 00:25:39 -0700 (PDT) Received: from bar4.cudamail.com (bar2 [192.168.15.2]) by mx3v1.cudamail.com (Postfix) with ESMTP id 86BB061806E for ; Fri, 16 Oct 2015 01:25:38 -0600 (MDT) X-ASG-Debug-ID: 1444980337-03dc210f7a3b4f0001-byXFYA Received: from mx3-pf1.cudamail.com ([192.168.14.2]) by bar4.cudamail.com with ESMTP id hq4dzKrhKc6D8U9v (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 16 Oct 2015 01:25:37 -0600 (MDT) X-Barracuda-Envelope-From: jpettit@nicira.com X-Barracuda-RBL-Trusted-Forwarder: 192.168.14.2 Received: from unknown (HELO mail-io0-f181.google.com) (209.85.223.181) by mx3-pf1.cudamail.com with ESMTPS (RC4-SHA encrypted); 16 Oct 2015 07:25:37 -0000 Received-SPF: unknown (mx3-pf1.cudamail.com: Multiple SPF records returned) X-Barracuda-RBL-Trusted-Forwarder: 209.85.223.181 Received: by iofl186 with SMTP id l186so115489647iof.2 for ; Fri, 16 Oct 2015 00:25:35 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=+sDVd1Shzm2+qnAjwaWFfvEzKECsABOUKwlSRKxnMtY=; b=lHeaeZw40SLA8Bx+5bv/Qb/y5WkdnqRAxgKqlbYG7TGewvLa5SBdLsrfHltkdIYrZ9 DSYfjkN6ViN0rZW+JyumKanEbLirA6vSjek4I1+4LqdK8StaKgPT4pOvLEnlMj4S4t+W KtvlOKNioQrQcq3g9lsiWMC/emSbT7wzKeNFbW/++58ZJivxUQzUNtM1O/DJ8jy+Gx3C ee4+Bkjhmsx8jgwo8HrhHwAoqMRG953JXxGmx8e55DwbnD/RVwi4a5gihgMTeK3xJaW2 /oe5a94z3D/bPhkcPie8oDQHODbzvx2iauJxfd40DLww1/xuKoFHxGZFj+pbKjSvof6a q7DA== X-Gm-Message-State: ALoCoQlqlJipPb1TwHPv2n/3ok7pzcxkea3TlJ2GS13CzKtHI32uFJYf9/jykfOGc26hXewki14L X-Received: by 10.107.151.195 with SMTP id z186mr1436299iod.8.1444980335602; Fri, 16 Oct 2015 00:25:35 -0700 (PDT) Received: from [10.0.1.54] (c-67-161-8-206.hsd1.ca.comcast.net. [67.161.8.206]) by smtp.gmail.com with ESMTPSA id n3sm1419723iga.0.2015.10.16.00.25.34 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 16 Oct 2015 00:25:34 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\)) X-CudaMail-Whitelist-To: dev@openvswitch.org X-CudaMail-MID: CM-V1-1015001492 X-CudaMail-DTE: 101615 X-CudaMail-Originating-IP: 209.85.223.181 X-CudaMail-Envelope-Sender: jpettit@nicira.com X-ASG-Orig-Subj: [##CM-V1-1015001492##]Re: [ovs-dev] [PATCH] ovn: Add stateful ACL support. From: Justin Pettit In-Reply-To: <20151016002106.GA26905@nicira.com> Date: Fri, 16 Oct 2015 00:25:33 -0700 Message-Id: References: <1444930371-49447-1-git-send-email-jpettit@nicira.com> <20151016002106.GA26905@nicira.com> To: Ben Pfaff X-Mailer: Apple Mail (2.3094) X-Barracuda-Connect: UNKNOWN[192.168.14.2] X-Barracuda-Start-Time: 1444980337 X-Barracuda-Encrypted: DHE-RSA-AES256-SHA X-Barracuda-URL: https://web.cudamail.com:443/cgi-mod/mark.cgi X-ASG-Whitelist: Header =?UTF-8?B?eFwtY3VkYW1haWxcLXdoaXRlbGlzdFwtdG8=?= X-Virus-Scanned: by bsmtpd at cudamail.com X-Barracuda-BRTS-Status: 1 Cc: dev@openvswitch.org Subject: Re: [ovs-dev] [PATCH] ovn: Add stateful ACL support. X-BeenThere: dev@openvswitch.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@openvswitch.org Sender: "dev" > On Oct 15, 2015, at 5:21 PM, Ben Pfaff wrote: > > On Thu, Oct 15, 2015 at 10:32:51AM -0700, Justin Pettit wrote: >> Add support for the "allow-related" ACL action. This is dependent on >> the OVS conntrack functionality, which is not available on all platforms >> or kernel versions. >> >> Here is a sample policy that will allow all tenants in logical switch >> "ls0" to SSH to each other. Anyone can make an HTTP request to "lp0". >> All other IP traffic is dropped: >> >> ovn-nbctl acl-add ls0 from-lport 100 ip allow-related >> ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related >> ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \ >> && tcp.dst==80" allow-related >> ovn-nbctl acl-add ls0 to-lport 1 ip drop >> >> Note: Kernel conntrack support is checked into the mainline Linux >> kernel, but hasn't been backported to the main OVS repo yet. >> --- >> I've pushed this patch on a partial backport of conntrack here: >> >> https://github.com/justinpettit/ovs/tree/ovn-acl > > Thanks! This is going to be awesome. > > This lacks a Signed-off-by. Whoops. Fixed. > ovn-northd.xml needs an update to explain all the new flows and > renumbered flow tables. I totally missed that. Thanks. > I get one "sparse" warning: > > ../ovn/lib/actions.c:151:13: warning: incorrect type in assignment (different base types) > ../ovn/lib/actions.c:151:13: expected unsigned short [unsigned] [usertype] alg > ../ovn/lib/actions.c:151:13: got restricted ovs_be16 D'oh. Fixed. > In symtab_init() in ovn/controller/lflow.c, I think it would be a little > better to define ct.trk as a subfield, instead of a predicate, since > subfields are a little more general-purpose. I couldn't get it to work by making it a predicate. I think it's related to the other ct_state fields depending on it, but let's discuss it tomorrow, because I'm probably missing something. > Acked-by: Ben Pfaff Thanks! I went ahead an pushed it. I've appended an incremental. --Justin -=-=-=-=-=-=-=-=-=-=-=- diff --git a/ovn/lib/actions.c b/ovn/lib/actions.c index 5a9562e..aebe5ce 100644 --- a/ovn/lib/actions.c +++ b/ovn/lib/actions.c @@ -206,7 +206,7 @@ emit_ct(struct action_context *ctx, bool recirc_next, bool c ct->zone_src.n_bits = 16; /* We do not support ALGs yet. */ - ct->alg = htons(0); + ct->alg = 0; /* CT only works with IP, so set up a prerequisite. */ struct expr *expr; diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index 3c5d362..f51852e 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -137,24 +137,63 @@ be dropped.

-

Ingress table 1: from-lport ACLs

+

Ingress Table 1: from-lport Pre-ACLs

+ +

+ Ingress table 1 prepares flows for possible stateful ACL processing + in table 2. It contains a priority-0 flow that simply moves + traffic to table 2. If stateful ACLs are used in the logical + datapath, a priority-100 flow is added that sends IP packets to + the connection tracker before advancing to table 2. +

+ +

Ingress table 2: from-lport ACLs

Logical flows in this table closely reproduce those in the - ACL table in the OVN_Northbound database for - the from-lport direction. allow and - allow-related ACLs translate into logical flows with the - next; action, others to drop;. The - priority values from the ACL table are used - directly. + ACL table in the OVN_Northbound database + for the from-lport direction. allow + ACLs translate into logical flows with the next; + action, allow-related ACLs translate into logical + flows with the ct_next; action, other ACLs translate + to drop;. The priority values from the + ACL table are used directly.

- Ingress table 1 also contains a priority 0 flow with action - next;, so that ACLs allow packets by default. + Ingress table 2 also contains a priority 0 flow with action + next;, so that ACLs allow packets by default. If the + logical datapath has a statetful ACL, the following flows will + also be added:

-

Ingress Table 2: Destination Lookup

+
    +
  • + A priority-1 flow to commit IP traffic to the connection + tracker. This is needed for the default allow policy because, + while the initiater's direction may not have any stateful rules, + the server's may and then its return traffic would not be known + and marked as invalid. +
    • + +
  • + A priority-65535 flow that allows any traffic that has been + committed to the connection tracker (i.e., established flows). +
    • + +
  • + A priority-65535 flow that allows any traffic that is considered + related to a committed flow in the connection tracker (e.g., an + ICMP Port Unreachable from a non-listening UDP port). +
    • + +
  • + A priority-65535 flow that drops all traffic marked by the + connection tracker as invalid. +
    • +
+ +

Ingress Table 3: Destination Lookup

This table implements switching behavior. It contains these logical @@ -185,13 +224,20 @@ -

Egress Table 0: to-lport ACLs

+

Egress Table 0: to-lport Pre-ACLs

+ +

+ This is similar to ingress table 1 except for to-lport + traffic. +

+ +

Egress Table 1: to-lport ACLs

- This is similar to ingress table 1 except for to-lport ACLs. + This is similar to ingress table 2 except for to-lport ACLs.

-

Egress Table 1: Egress Port Security

+

Egress Table 2: Egress Port Security

This is similar to the ingress port security logic in ingress table 0,