From patchwork Thu Jun 30 20:14:05 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Russell Bryant X-Patchwork-Id: 642763 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from archives.nicira.com (archives.nicira.com [96.126.127.54]) by ozlabs.org (Postfix) with ESMTP id 3rgW3J1yQpz9sxS for ; Fri, 1 Jul 2016 06:14:20 +1000 (AEST) Received: from archives.nicira.com (localhost [127.0.0.1]) by archives.nicira.com (Postfix) with ESMTP id 814F010A1F; Thu, 30 Jun 2016 13:14:16 -0700 (PDT) X-Original-To: dev@openvswitch.org Delivered-To: dev@openvswitch.org Received: from mx3v3.cudamail.com (mx3.cudamail.com [64.34.241.5]) by archives.nicira.com (Postfix) with ESMTPS id 0BC62108B7 for ; Thu, 30 Jun 2016 13:14:15 -0700 (PDT) Received: from bar6.cudamail.com (localhost [127.0.0.1]) by mx3v3.cudamail.com (Postfix) with ESMTPS id 96BCF1633A6 for ; Thu, 30 Jun 2016 14:14:14 -0600 (MDT) X-ASG-Debug-ID: 1467317654-0b32373fc636190001-byXFYA Received: from mx3-pf2.cudamail.com ([192.168.14.1]) by bar6.cudamail.com with ESMTP id E3ca7CA5Re5MeR0N (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 30 Jun 2016 14:14:14 -0600 (MDT) X-Barracuda-Envelope-From: russell@ovn.org X-Barracuda-RBL-Trusted-Forwarder: 192.168.14.1 Received: from unknown (HELO mx1.redhat.com) (209.132.183.28) by mx3-pf2.cudamail.com with ESMTPS (DHE-RSA-AES256-SHA encrypted); 30 Jun 2016 20:14:13 -0000 Received-SPF: neutral (mx3-pf2.cudamail.com: 209.132.183.28 is neither permitted nor denied by SPF record at ovn.org) X-Barracuda-Apparent-Source-IP: 209.132.183.28 X-Barracuda-RBL-IP: 209.132.183.28 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0EDC9C04B31D; Thu, 30 Jun 2016 20:14:13 +0000 (UTC) Received: from x1c.redhat.com (ovpn-112-65.phx2.redhat.com [10.3.112.65]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u5UKE8wV017838; Thu, 30 Jun 2016 16:14:11 -0400 X-CudaMail-Envelope-Sender: russell@ovn.org From: Russell Bryant To: dev@openvswitch.org X-CudaMail-Whitelist-To: dev@openvswitch.org X-CudaMail-MID: CM-V2-629049459 X-CudaMail-DTE: 063016 X-CudaMail-Originating-IP: 209.132.183.28 Date: Thu, 30 Jun 2016 16:14:05 -0400 X-ASG-Orig-Subj: [##CM-V2-629049459##][PATCH v6 1/1] ovn: Apply ACL changes to existing connections. Message-Id: <1467317645-9483-2-git-send-email-russell@ovn.org> In-Reply-To: <1467317645-9483-1-git-send-email-russell@ovn.org> References: <1467317645-9483-1-git-send-email-russell@ovn.org> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Thu, 30 Jun 2016 20:14:13 +0000 (UTC) X-Barracuda-Connect: UNKNOWN[192.168.14.1] X-Barracuda-Start-Time: 1467317654 X-Barracuda-Encrypted: DHE-RSA-AES256-SHA X-Barracuda-URL: https://web.cudamail.com:443/cgi-mod/mark.cgi X-ASG-Whitelist: Header =?UTF-8?B?eFwtY3VkYW1haWxcLXdoaXRlbGlzdFwtdG8=?= X-Virus-Scanned: by bsmtpd at cudamail.com X-Barracuda-BRTS-Status: 1 Subject: [ovs-dev] [PATCH v6 1/1] ovn: Apply ACL changes to existing connections. X-BeenThere: dev@openvswitch.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: dev-bounces@openvswitch.org Sender: "dev" Prior to this commit, once a connection had been committed to the connection tracker, the connection would continue to be allowed, even if the policy defined in the ACL table changed. This patch changes the implementation so that existing connections are affected by policy changes. The implementation is based on the suggested approach in this mailing list thread: http://openvswitch.org/pipermail/dev/2016-February/065716.html Instead of always allowing packets associated with an established connection, we now put all packets in the request direction through the flows generated based on OVN ACLs. If a packet associated with an established connection hits a "drop" ACL, that means we have encountered a policy change and should drop packets associated with this connection from now on. We handle this by setting "ct_label" on the associated connection tracking entry. These changes also account for re-allowing a known connection after ct_label had been set on it. This can happen if you delete an ACL and then re-create it while connection state is still known. The proposal on the mailing list also discussed the idea that ovn-controller could periodically sweep the connection tracker and delete entries with ct_label set. That is not implemented in this patch. Instead, we rely on connections dying since we're dropping its packets and then allowing the connection tracking entry to eventually time out. More proactively clearing them out could be a future enhancement. As a realistic example of how this works, consider this security policy from an OpenStack+OVN development environment. +---------+-----------------------+ | name | security_group_rules | +---------+-----------------------+ | default | egress, IPv4 | | | egress, IPv6 | | | ingress, IPv4, 22/tcp | | | ingress, IPv4, icmp | +---------+-----------------------+ The OpenStack Neutron plugin creates ACLs that drop traffic by default and higher priority ACLs for each type of traffic that is allowed. In this case, the ACLs for a port using the "default" security group are: from-lport 1002 (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4) allow-related from-lport 1002 (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip6) allow-related from-lport 1001 (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip) drop to-lport 1002 (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4 && icmp4) allow-related to-lport 1002 (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4 && tcp && tcp.dst == 22) allow-related to-lport 1001 (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip) drop which results in the following logical flows: table=1( ls_in_pre_acl), priority= 100, match=(ip), action=(ct_next;) table=1( ls_in_pre_acl), priority= 0, match=(1), action=(next;) table=2( ls_in_acl), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label[0] == 0), action=(next;) table=2( ls_in_acl), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label[0] == 0), action=(next;) table=2( ls_in_acl), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label[0] == 1)), action=(drop;) table=2( ls_in_acl), priority= 2002, match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4)), action=(next;) table=2( ls_in_acl), priority= 2002, match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip6)), action=(next;) table=2( ls_in_acl), priority= 2002, match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4)), action=(ct_commit(ct_label=0/1); next;) table=2( ls_in_acl), priority= 2002, match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip6)), action=(ct_commit(ct_label=0/1); next;) table=2( ls_in_acl), priority= 2001, match=((!ct.est || (ct.est && ct_label[0] == 1)) && (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip)), action=(drop;) table=2( ls_in_acl), priority= 2001, match=(ct.est && ct_label[0] == 0 && (inport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip)), action=(ct_commit(ct_label=1/1);) table=2( ls_in_acl), priority= 1, match=(ip && (!ct.est || (ct.est && ct_label[0] == 1))), action=(ct_commit(ct_label=0/1); next;) table=2( ls_in_acl), priority= 0, match=(1), action=(next;) table=0( ls_out_pre_acl), priority= 100, match=(ip), action=(ct_next;) table=0( ls_out_pre_acl), priority= 0, match=(1), action=(next;) table=1( ls_out_acl), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label[0] == 0), action=(next;) table=1( ls_out_acl), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label[0] == 0), action=(next;) table=1( ls_out_acl), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label[0] == 1)), action=(drop;) table=1( ls_out_acl), priority= 2002, match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4 && icmp4)), action=(next;) table=1( ls_out_acl), priority= 2002, match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4 && tcp && tcp.dst == 22)), action=(next;) table=1( ls_out_acl), priority= 2002, match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4 && icmp4)), action=(ct_commit(ct_label=0/1); next;) table=1( ls_out_acl), priority= 2002, match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip4 && tcp && tcp.dst == 22)), action=(ct_commit(ct_label=0/1); next;) table=1( ls_out_acl), priority= 2001, match=((!ct.est || (ct.est && ct_label[0] == 1)) && (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip)), action=(drop;) table=1( ls_out_acl), priority= 2001, match=(ct.est && ct_label[0] == 0 && (outport == "0a7409c8-d179-4915-9eb2-f53426ae16dd" && ip)), action=(ct_commit(ct_label=1/1);) table=1( ls_out_acl), priority= 1, match=(ip && (!ct.est || (ct.est && ct_label[0] == 1))), action=(ct_commit(ct_label=0/1); next;) table=1( ls_out_acl), priority= 0, match=(1), action=(next;) One way I tested this by leaving ping running, ensuring that it was blocked when the rule for ICMP was deleted, and then re-allowed when the rule allowing ICMP was restored. In this case, the ICMP connection is still known by the connection tracker, but the flows ensure that ct_label gets reset back to 0. Reported-by: Xiao Li Xu Reported-at: https://bugs.launchpad.net/networking-ovn/+bug/1536080 Suggested-by: Justin Pettit Signed-off-by: Russell Bryant Acked-by: Han Zhou Acked-by: Ben Pfaff Acked-by: Justin Pettit --- ovn/northd/ovn-northd.8.xml | 58 +++++++++++--- ovn/northd/ovn-northd.c | 182 +++++++++++++++++++++++++++++++++----------- 2 files changed, 185 insertions(+), 55 deletions(-) diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index 260cc14..d2bddcb 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -247,7 +247,8 @@ in table 4. It contains a priority-0 flow that simply moves traffic to table 4. If stateful ACLs are used in the logical datapath, a priority-100 flow is added that sends IP packets to - the connection tracker before advancing to table 4. + the connection tracker with the ct_next; action + before advancing to table 4.

Ingress table 4: from-lport ACLs

@@ -255,15 +256,31 @@

Logical flows in this table closely reproduce those in the ACL table in the OVN_Northbound database - for the from-lport direction. allow - ACLs translate into logical flows with the next; - action, allow-related ACLs translate into logical - flows with the ct_commit; next; actions, other ACLs - translate to drop;. The priority values - from the ACL table have a limited range and have 1000 - added to them to leave room for OVN default flows at both higher - and lower priorities. + for the from-lport direction. The priority + values from the ACL table have a limited range and have + 1000 added to them to leave room for OVN default flows at both + higher and lower priorities.

+
    +
  • + allow ACLs translate into logical flows with + the next; action. If there are any stateful ACLs + on this datapath, then allow ACLs translate to + ct_commit; next;. +
    • +
  • + allow-related ACLs translate into logical + flows with the ct_commit(ct_label=0/1); next; actions + for new connections and next; for existing connections. +
    • +
  • + Other ACLs translate to drop; for new or untracked + connections and ct_commit(ct_label=1/1); for known + connections. Setting ct_label marks a connection + as one that was previously allowed, but should no longer be + allowed due to a policy change. +
    • +

Ingress table 4 also contains a priority 0 flow with action @@ -282,20 +299,37 @@

  • - A priority-65535 flow that allows any traffic that has been - committed to the connection tracker (i.e., established flows). + A priority-65535 flow that allows any traffic in the reply + direction for a connection that has been committed to the + connection tracker (i.e., established flows), as long as + the committed flow does not have ct_label[0]=1 set. + We only handle traffic in the reply direction here because + we want all packets going in the request direction to still + go through the flows that implement the currently defined + policy based on ACLs. If a connection is no longer allowed by + policy, ct_label[0] will get set and packets in the + reply direction will no longer be allowed, either.
  • A priority-65535 flow that allows any traffic that is considered related to a committed flow in the connection tracker (e.g., an - ICMP Port Unreachable from a non-listening UDP port). + ICMP Port Unreachable from a non-listening UDP port), as long + as the committed flow does not have ct_label[0]=1 set.
  • A priority-65535 flow that drops all traffic marked by the connection tracker as invalid.
    • + +
  • + A priority-65535 flow that drops all trafic in the reply direction + with ct_label[0]=1 set meaning that the connection + should no longer be allowed due to a policy change. Packets + in the request direction are skipped here to let a newly created + ACL re-allow this connection. +

    • Ingress Table 5: ARP responder

    diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index c2cf15e..7604447 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -1393,48 +1393,76 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports) * commit IP flows. This is because, while the initiater's * direction may not have any stateful rules, the server's may * and then its return traffic would not have an associated - * conntrack entry and would return "+invalid". */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, "ip", - "ct_commit; next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, "ip", - "ct_commit; next;"); + * conntrack entry and would return "+invalid". + * + * We use "ct_commit" for a connection that is not already known + * by the connection tracker. Once a connection is committed, + * subsequent packets will hit the flow at priority 0 that just + * uses "next;" + * + * We also check for established connections that have ct_label[0] + * set on them. That's a connection that was disallowed, but is + * now allowed by policy again since it hit this default-allow flow. + * We need to set ct_label[0]=0 to let the connection continue. + * Subsequent packets will hit the flow at priority 0 that just + * uses "next;". */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, + "ip && (!ct.est || (ct.est && ct_label[0] == 1))", + "ct_commit(ct_label=0/1); next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, + "ip && (!ct.est || (ct.est && ct_label[0] == 1))", + "ct_commit(ct_label=0/1); next;"); /* Ingress and Egress ACL Table (Priority 65535). * - * Always drop traffic that's in an invalid state. This is - * enforced at a higher priority than ACLs can be defined. */ + * Always drop traffic that's in an invalid state. Also drop + * reply direction packets for connections that have been marked + * for deletion (bit 0 of ct_label is set). + * + * This is enforced at a higher priority than ACLs can be defined. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, - "ct.inv", "drop;"); + "ct.inv || (ct.est && ct.rpl && ct_label[0] == 1)", + "drop;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, - "ct.inv", "drop;"); + "ct.inv || (ct.est && ct.rpl && ct_label[0] == 1)", + "drop;"); /* Ingress and Egress ACL Table (Priority 65535). * - * Always allow traffic that is established to a committed - * conntrack entry. This is enforced at a higher priority than - * ACLs can be defined. */ + * Allow reply traffic that is part of an established + * conntrack entry that has not been marked for deletion + * (bit 0 of ct_label). We only match traffic in the + * reply direction because we want traffic in the request + * direction to hit the currently defined policy from ACLs. + * + * This is enforced at a higher priority than ACLs can be defined. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, - "ct.est && !ct.rel && !ct.new && !ct.inv", + "ct.est && !ct.rel && !ct.new && !ct.inv " + "&& ct.rpl && ct_label[0] == 0", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, - "ct.est && !ct.rel && !ct.new && !ct.inv", + "ct.est && !ct.rel && !ct.new && !ct.inv " + "&& ct.rpl && ct_label[0] == 0", "next;"); /* Ingress and Egress ACL Table (Priority 65535). * - * Always allow traffic that is related to an existing conntrack - * entry. This is enforced at a higher priority than ACLs can - * be defined. + * Allow traffic that is related to an existing conntrack entry that + * has not been marked for deletion (bit 0 of ct_label). + * + * This is enforced at a higher priority than ACLs can be defined. * * NOTE: This does not support related data sessions (eg, * a dynamically negotiated FTP data channel), but will allow * related traffic such as an ICMP Port Unreachable through * that's generated from a non-listening UDP port. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, - "!ct.est && ct.rel && !ct.new && !ct.inv", + "!ct.est && ct.rel && !ct.new && !ct.inv " + "&& ct_label[0] == 0", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, - "!ct.est && ct.rel && !ct.new && !ct.inv", + "!ct.est && ct.rel && !ct.new && !ct.inv " + "&& ct_label[0] == 0", "next;"); } @@ -1444,38 +1472,106 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports) bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; enum ovn_stage stage = ingress ? S_SWITCH_IN_ACL : S_SWITCH_OUT_ACL; - if (!strcmp(acl->action, "allow")) { + if (!strcmp(acl->action, "allow") + || !strcmp(acl->action, "allow-related")) { /* If there are any stateful flows, we must even commit "allow" * actions. This is because, while the initiater's * direction may not have any stateful rules, the server's * may and then its return traffic would not have an * associated conntrack entry and would return "+invalid". */ - const char *actions = has_stateful ? "ct_commit; next;" : "next;"; - ovn_lflow_add(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, actions); - } else if (!strcmp(acl->action, "allow-related")) { + if (!has_stateful) { + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, + acl->match, "next;"); + } else { + struct ds match = DS_EMPTY_INITIALIZER; + + /* Commit the connection tracking entry if it's a new + * connection that matches this ACL. After this commit, + * the reply traffic is allowed by a flow we create at + * priority 65535, defined earlier. + * + * It's also possible that a known connection was marked for + * deletion after a policy was deleted, but the policy was + * re-added while that connection is still known. We catch + * that case here and un-set ct_label[0] to indicate that the + * connection should be allowed to resume. + */ + ds_put_format(&match, "((ct.new && !ct.est)" + " || (!ct.new && ct.est && !ct.rpl " + "&& ct_label[0] == 1)) " + "&& (%s)", acl->match); + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, + ds_cstr(&match), "ct_commit(ct_label=0/1); next;"); + + /* Match on traffic in the request direction for an established + * connection tracking entry that has not been marked for + * deletion. There is no need to commit here, so we can just + * proceed to the next table. We use this to ensure that this + * connection is still allowed by the currently defined + * policy. */ + ds_clear(&match); + ds_put_format(&match, + "!ct.new && ct.est && !ct.rpl" + " && ct_label[0] == 0 && (%s)", + acl->match); + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, + ds_cstr(&match), "next;"); + + ds_destroy(&match); + } + } else if (!strcmp(acl->action, "drop") + || !strcmp(acl->action, "reject")) { struct ds match = DS_EMPTY_INITIALIZER; - /* Commit the connection tracking entry, which allows all - * other traffic related to this entry to flow due to the - * 65535 priority flow defined earlier. */ - ds_put_format(&match, "ct.new && (%s)", acl->match); - ovn_lflow_add(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(&match), "ct_commit; next;"); + /* XXX Need to support "reject", treat it as "drop;" for now. */ + if (!strcmp(acl->action, "reject")) { + VLOG_INFO("reject is not a supported action"); + } - ds_destroy(&match); - } else if (!strcmp(acl->action, "drop")) { - ovn_lflow_add(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, "drop;"); - } else if (!strcmp(acl->action, "reject")) { - /* xxx Need to support "reject". */ - VLOG_INFO("reject is not a supported action"); - ovn_lflow_add(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, "drop;"); + if (has_stateful) { + /* The implementation of "drop" differs if stateful ACLs are in + * use for this datapath. In that case, the actions differ + * depending on whether the connection was previously committed + * to the connection tracker with ct_commit. + * + * If the packet is not part of an established connection, then + * we can simply drop it. */ + ds_put_format(&match, + "(!ct.est || (ct.est && ct_label[0] == 1)) " + "&& (%s)", + acl->match); + ovn_lflow_add(lflows, od, stage, acl->priority + + OVN_ACL_PRI_OFFSET, ds_cstr(&match), "drop;"); + + /* For an existing connection without ct_label set, we've + * encountered a policy change. ACLs previously allowed + * this connection and we committed the connection tracking + * entry. Current policy says that we should drop this + * connection. First, we set bit 0 of ct_label to indicate + * that this connection is set for deletion. By not + * specifying "next;", we implicitly drop the packet after + * updating conntrack state. */ + + ds_clear(&match); + ds_put_format(&match, + "ct.est && ct_label[0] == 0 && (%s)", + acl->match); + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, + ds_cstr(&match), "ct_commit(ct_label=1/1);"); + + ds_destroy(&match); + } else { + /* There are no stateful ACLs in use on this datapath, + * so a "drop" ACL is simply the "drop" logical flow action + * in all cases. */ + ovn_lflow_add(lflows, od, stage, + acl->priority + OVN_ACL_PRI_OFFSET, + acl->match, "drop;"); + } } } }