From patchwork Sat Nov 9 02:49:43 2019
X-Patchwork-Submitter: Ankur Sharma
X-Patchwork-Id: 1192353
From: Ankur Sharma
To: ovs-dev@openvswitch.org
Date: Sat, 9 Nov 2019 02:49:43 +0000
Message-ID: <1573267855-102768-1-git-send-email-ankur.sharma@nutanix.com>
Subject: [ovs-dev] [PATCH v4 0/3] Associate identifier with OVN ACL connection tracking entry

I submitted this patch a long time back and somehow lost track of it.
Resubmitting the series, calling it V4, as it addresses the review
comments given till v3.

https://mail.openvswitch.org/pipermail/ovs-dev/2019-April/358280.html

What:
====
a. Goal is to be able to associate some identifier with a connection
   tracking entry.
b. This identifier can be used to map the OVN ACL which added this entry,
   or higher level constructs like an OpenStack security group etc.
c. There are 2 connection tracking fields which can be used for it:
   ct.mark (32 bits) and ct.label (128 bits).
d. Patch intends to use ct.label, as this is a longer field and hence
   would be put to better use if it stores the identifier.

Why:
====
a. Adding an identifier would help in debugging.
b. Now, we can map a connection tracking entry to the corresponding ACL,
   security group etc.
c. One of the use cases for this mapping would be to identify the ACL
   which added the corresponding connection tracker entry that is causing
   unexpected drops/leaks.

How:
====
Following is the sequence of changes:

Patch 1:
i.  Current implementation uses a bit in ct.label to handle policy update
    cases, where we use a bit in ct.label to indicate that reply traffic
    should be dropped now.
ii. Swap the usage of ct.label in the current implementation with ct.mark.

Patch 2:
i.  Add support in the parser to allow ct.label and mark to be set from
    registers as well (as of now only integer/masked integer is allowed).

Patch 3:
i.  Add a new column (named 'label') to Table ACL in the northbound schema.
ii. ovn-northd changes to enhance logical flows to set ct.label to
    acl->label. For example:

    table=4 (ls_out_acl ), .... action=(reg0[1] = 1; reg0[3] = 1; xxreg1 = 0x1234; next;)
    .
    .
    .
    table=7 (ls_out_stateful ), ... match=(reg0[1] == 1 && reg0[3] == 1),

Ankur Sharma (3):
  OVN ACL: Replace the usage of ct_label with ct_mark
  OVN ACL: Allow ct_mark and ct_label values to be set from register as well
  OVN ACL: Allow a user to input ct.label value for an acl

 Documentation/tutorials/ovn-openstack.rst | 14 ++---
 include/ovn/actions.h                     |  3 +
 lib/actions.c                             | 72 ++++++++++++++++++----
 lib/logical-fields.c                      |  3 +
 northd/ovn-northd.8.xml                   | 14 ++---
 northd/ovn-northd.c                       | 87 +++++++++++++++++----------
 ovn-nb.ovsschema                          |  5 +-
 ovn-nb.xml                                | 12 ++++
 ovn-sb.xml                                | 41 +++++++++----
 tests/ovn-nbctl.at                        | 12 +++-
 tests/ovn.at                              | 99 +++++++++++++++++++++++++++++--
 utilities/ovn-nbctl.c                     | 24 +++++++-
 12 files changed, 310 insertions(+), 76 deletions(-)
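The debugging use case the cover letter gives for this series (walking from a conntrack entry back to the ACL that committed it, via the identifier stored in ct.label) as an added example. This is not code from the patch series or from the OVN/OVS code base; it is a small operator-side script that joins the output of two existing commands. It assumes the `ovs-appctl dpctl/dump-conntrack` line layout and the `ovn-nbctl --format=csv ... list ACL` layout shown in the constructed samples, that the northbound ACL column is named `label` as the cover letter states, and that a label of 0 means "unset". The page does not name the ovn-nbctl option the series adds for entering the label, so none is used here.

```python
"""Join OVN conntrack entries to the ACL that committed them, via ct.label."""
import csv
import io

# Constructed sample of `ovs-appctl dpctl/dump-conntrack` output. The layout
# (proto,orig=(...),reply=(...),zone=N[,mark=N][,labels=0x..][,protoinfo=(...)])
# is the OVS conntrack dump format as assumed for this example; every address,
# zone and label value is invented. 0x2a == 42 and 0x10 == 16.
SAMPLE_CONNTRACK = """\
tcp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=45012,dport=22),reply=(src=10.0.0.9,dst=10.0.0.5,sport=22,dport=45012),zone=7,labels=0x2a,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.0.0.5,dst=10.0.0.2,sport=5353,dport=53),reply=(src=10.0.0.2,dst=10.0.0.5,sport=53,dport=5353),zone=7,labels=0x10
tcp,orig=(src=10.0.0.7,dst=10.0.0.9,sport=51000,dport=443),reply=(src=10.0.0.9,dst=10.0.0.7,sport=443,dport=51000),zone=7,mark=1,labels=0x2a,protoinfo=(state=TIME_WAIT)
icmp,orig=(src=10.0.0.7,dst=10.0.0.9,id=3,type=8,code=0),reply=(src=10.0.0.9,dst=10.0.0.7,id=3,type=0,code=0),zone=7
"""

# Constructed sample of
#   ovn-nbctl --format=csv --columns=_uuid,label,direction,match list ACL
# once the northbound ACL table carries the 'label' column this series adds.
# UUIDs and match strings are invented.
SAMPLE_ACLS = """\
_uuid,label,direction,match
3b6d5f2e-1c3a-4d8b-9e0f-2a7c1d4e5f60,42,to-lport,"outport == @sg_ssh && ip4 && tcp.dst == 22"
8f1e2d3c-4b5a-4968-8776-655443322110,16,to-lport,"outport == @sg_dns && ip4 && udp.dst == 53"
c0ffee00-0000-4000-8000-000000000000,0,to-lport,"ip"
"""


def _split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def parse_conntrack(dump):
    """Parse dump-conntrack lines into dicts; 'labels' is an int or None."""
    entries = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = _split_top_level(line)
        entry = {"proto": fields[0], "zone": 0, "mark": 0, "labels": None,
                 "orig": {}, "reply": {}}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            if key == "labels":
                entry["labels"] = int(value, 16)   # 128-bit ct.label, printed in hex
            elif key == "mark":
                entry["mark"] = int(value, 0)      # 32-bit ct.mark; bit meaning not interpreted here
            elif key == "zone":
                entry["zone"] = int(value)
            elif key in ("orig", "reply"):
                inner = value[1:-1]                # strip the surrounding parentheses
                entry[key] = dict(kv.split("=", 1) for kv in _split_top_level(inner))
        entries.append(entry)
    return entries


def index_acls_by_label(acl_csv):
    """Return {label: [acl rows]} from ovn-nbctl csv output, skipping label 0."""
    by_label = {}
    for row in csv.DictReader(io.StringIO(acl_csv)):
        label = int(row["label"])
        if label == 0:
            # Assumed here: 0 is the unset/default label, so it identifies no ACL.
            continue
        by_label.setdefault(label, []).append(row)
    return by_label


def describe(entry):
    """One-line summary of the original direction of a conntrack entry."""
    o = entry["orig"]
    src = f"{o.get('src')}:{o['sport']}" if "sport" in o else o.get("src")
    dst = f"{o.get('dst')}:{o['dport']}" if "dport" in o else o.get("dst")
    return f"{entry['proto']} {src} -> {dst} zone={entry['zone']} mark={entry['mark']}"


def map_conntrack_to_acls(dump, acl_csv):
    """For each conntrack entry, list the ACL(s) whose label matches its ct.label."""
    by_label = index_acls_by_label(acl_csv)
    report = []
    for entry in parse_conntrack(dump):
        label = entry["labels"]
        acls = by_label.get(label, []) if label else []
        report.append({
            "flow": describe(entry),
            "label": label,
            "acl_uuids": [acl["_uuid"] for acl in acls],
            "acl_matches": [acl["match"] for acl in acls],
        })
    return report


if __name__ == "__main__":
    for row in map_conntrack_to_acls(SAMPLE_CONNTRACK, SAMPLE_ACLS):
        who = ", ".join(row["acl_uuids"]) or "no ACL (label unset)"
        print(f"{row['flow']}  label={row['label']}  <- {who}")
```

Against a live system, replace the two constructed strings with the captured output of the two commands. Entries with no `labels=` field cannot be attributed, which is exactly the situation before this series for ACLs that left the label at its default; two ACLs that share a label value will both be reported for the same entry, so labels only work as identifiers if they are kept unique per ACL (or per security group, if that is the chosen granularity).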