From patchwork Tue Apr 16 23:58:04 2019
X-Patchwork-Submitter: Ankur Sharma
X-Patchwork-Id: 1086746
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Date: Tue, 16 Apr 2019 23:58:04 +0000
Message-ID: <1555459154-103091-1-git-send-email-ankur.sharma@nutanix.com>
Subject: [ovs-dev] [PATCH v3 0/3] Associate identifier with OVN ACL connection tracking entry

What:
====
a. The goal is to be able to associate some identifier with a connection tracking entry.
b. This identifier can be used to map to the OVN ACL which added this entry, or to higher-level constructs like an OpenStack security group, etc.
c. There are 2 connection tracking fields which can be used for it: ct.mark (32 bits) and ct.label (128 bits).
d. The patch intends to use ct.label, as this is the longer field and hence would be put to better use if it stores the identifier.

Why:
====
a. Adding an identifier would help in debugging.
b. Now we can map a connection tracking entry to the corresponding ACL, security group, etc.

How:
====
Following is the sequence of changes:

Patch 1:
i. The current implementation uses a bit in ct.label to handle policy update cases, where we use a bit in ct.label to indicate that reply traffic should be dropped now.
ii. Swap the usage of ct.label in the current implementation with ct.mark.

Patch 2:
i. Add support in the parser to allow ct.label and ct.mark to be set from registers as well (as of now only an integer/masked integer is allowed).

Patch 3:
i. Add a new column (named 'label') to Table ACL in the northbound schema.
ii. ovn-northd changes to enhance logical flows to set ct.label to acl->label.

For example:

table=4 (ls_out_acl ), .... action=(reg0[1] = 1; reg0[3] = 1; xxreg1 = 0x1234; next;)
.
.
.
table=7 (ls_out_stateful ), ... match=(reg0[1] == 1 && reg0[3] == 1), action=(ct_commit(ct_mark=0/1, ct_label=xxreg1); next;)

Ankur Sharma (3):
  OVN ACL: Replace the usage of ct_label with ct_mark
  OVN ACL: Allow ct_mark and ct_label values to be set from register as well
  OVN ACL: Allow a user to input ct.label value for an acl

 Documentation/tutorials/ovn-openstack.rst | 12 ++---
 include/ovn/actions.h                     |  3 ++
 ovn/lib/actions.c                         | 77 +++++++++++++++++++++++++++----
 ovn/lib/logical-fields.c                  |  3 ++
 ovn/northd/ovn-northd.8.xml               | 14 +++---
 ovn/northd/ovn-northd.c                   | 48 +++++++++----------
 ovn/ovn-nb.ovsschema                      |  4 +-
 ovn/ovn-sb.xml                            | 20 ++++----
 tests/ovn.at                              | 27 +++++++++-
 9 files changed, 147 insertions(+), 61 deletions(-)
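The debugging use case the cover letter describes (map a conntrack entry back to the ACL or security group that committed it) as an added example; this is not code from the patch series or from OVN. It parses the one-entry-per-line output format of `ovs-appctl dpctl/dump-conntrack` (the `zone=`, `mark=` and `labels=` fields, the last holding the 128-bit ct.label in hex) and looks the label up in a table keyed by the values an operator would have stored in the new ACL `label` column. The ACL label table and the dump lines are constructed for the example, and the reading of ct.mark bit 0 as the reply-drop flag follows the `ct_commit(ct_mark=0/1, ...)` flow shown above; both are assumptions of the example, not something the patch guarantees.

```python
"""Attribute conntrack entries to the OVN ACL that committed them.

Added example, not part of this patch series. It parses the one-entry-per-line
output of `ovs-appctl dpctl/dump-conntrack` (top-level fields zone=, mark= and
labels=, the last one holding the 128-bit ct.label in hex) and looks the label
up in a table keyed by the values stored in the new ACL 'label' column. The
sample dump lines and the label table are constructed here.
"""
import re
import sys

# Constructed mapping: ACL 'label' value -> ACL / security-group name.
# In a real deployment this would be read from the northbound DB ACL table.
ACL_LABELS = {
    0x1234: "sg-web-allow-tcp-80",
    0xabcd: "sg-db-allow-tcp-5432",
}

# Assumption for the example: after patch 1 the "drop reply traffic" flag
# lives in ct.mark bit 0 (the stateful flow above commits ct_mark=0/1, i.e.
# it writes bit 0 of the mark).
CT_MARK_DROP_REPLY = 1 << 0

# zone=, mark= and labels= are top-level fields, never inside the orig=(...)
# or reply=(...) tuples, so anchoring on ',' or start-of-line is sufficient.
_FIELD = re.compile(r"(?:^|,)(zone|mark|labels)=([^,()]+)")


def parse_ct_entry(line):
    """Return (zone, mark, label) for one dump-conntrack line.

    mark= and labels= may be omitted when zero, so absent fields read as 0.
    Python ints are unbounded, so the full 128-bit label is kept intact.
    """
    fields = dict(_FIELD.findall(line))
    zone = int(fields.get("zone", "0"), 0)
    mark = int(fields.get("mark", "0"), 0)
    label = int(fields.get("labels", "0"), 0)
    return zone, mark, label


def attribute_entries(dump_lines, acl_labels=ACL_LABELS):
    """Map each conntrack entry to the ACL whose label it carries.

    Returns a list of dicts; 'acl' is None for an entry committed without a
    label (for example by a flow predating this change), which is itself a
    useful signal when working out which ACL created a connection.
    """
    results = []
    for lineno, raw in enumerate(dump_lines, 1):
        line = raw.strip()
        if not line:
            continue
        zone, mark, label = parse_ct_entry(line)
        results.append({
            "line": lineno,
            "zone": zone,
            "label": label,
            "acl": acl_labels.get(label),
            "drop_reply": bool(mark & CT_MARK_DROP_REPLY),
        })
    return results


# Constructed sample in dump-conntrack format (not captured from a real host).
SAMPLE_DUMP = """\
tcp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=43210,dport=80),reply=(src=10.0.0.9,dst=10.0.0.5,sport=80,dport=43210),zone=5,labels=0x1234,protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.0.0.7,dst=10.0.1.3,sport=51000,dport=5432),reply=(src=10.0.1.3,dst=10.0.0.7,sport=5432,dport=51000),zone=5,mark=1,labels=0xabcd,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.0.0.5,dst=10.0.0.1,sport=5353,dport=53),reply=(src=10.0.0.1,dst=10.0.0.5,sport=53,dport=5353),zone=5
""".splitlines()


if __name__ == "__main__":
    # Pipe real output in: ovs-appctl dpctl/dump-conntrack | python3 ct_attr.py
    source = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin
    for entry in attribute_entries(source):
        print("line {line}: zone={zone} label={label:#x} acl={acl} "
              "drop_reply={drop_reply}".format(**entry))
```

Run on a live hypervisor by piping `ovs-appctl dpctl/dump-conntrack` into the script; an entry whose label is not in the table was committed by a flow that did not set `ct_label` from the ACL, and an entry with bit 0 of the mark set is one whose reply direction the policy update has since marked for dropping.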