From patchwork Tue Apr 16 23:58:07 2019
X-Patchwork-Submitter: Ankur Sharma
X-Patchwork-Id: 1086747
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Thread-Topic: [PATCH v3 1/3] OVN ACL: Replace the usage of ct_label with ct_mark
Date: Tue, 16 Apr 2019 23:58:07 +0000
Message-ID: <1555459154-103091-2-git-send-email-ankur.sharma@nutanix.com>
References: <1555459154-103091-1-git-send-email-ankur.sharma@nutanix.com>
In-Reply-To: <1555459154-103091-1-git-send-email-ankur.sharma@nutanix.com>
X-Mailer: git-send-email 1.8.3.1
Subject: [ovs-dev] [PATCH v3 1/3] OVN ACL: Replace the usage of ct_label with ct_mark

OVN ACL implementation used ct_label to indicate if a previously allowed connection should not be allowed anymore and vice versa.
However, ct_label is a 128 bit value and we should rather leverage on ct_mark which is a 32 bit value. Using ct_mark for this purpose allows us to use ct_label for storing other values like identifier for corresponding OVN ACL/Security group etc.

Signed-off-by: Ankur Sharma
---
 Documentation/tutorials/ovn-openstack.rst | 12 ++++----
 ovn/lib/logical-fields.c                  |  3 ++
 ovn/northd/ovn-northd.8.xml               | 14 ++++-----
 ovn/northd/ovn-northd.c                   | 48 +++++++++++++++----------------
 tests/ovn.at                              | 11 +++----
 5 files changed, 46 insertions(+), 42 deletions(-)

diff --git a/Documentation/tutorials/ovn-openstack.rst b/Documentation/tutorials/ovn-openstack.rst index c6dff5e..dfd18da 100644 --- a/Documentation/tutorials/ovn-openstack.rst +++ b/Documentation/tutorials/ovn-openstack.rst @@ -1201,7 +1201,7 @@ as the output port:: ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip4), priority 2002, uuid a12b39f0 + 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip4), priority 2002, uuid a12b39f0 next; 13. ls_in_l2_lkup (ovn-northd.c:3529): eth.dst == fa:16:3e:f6:e2:8f, priority 50, uuid c43ead31 outport = "17d870";
@@ -1270,7 +1270,7 @@ Finally the logical switch for ``n2`` runs through the same logic as ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "cp" && ip4 && ip4.src == $as_ip4_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid a746fa0d + 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "cp" && ip4 && ip4.src == $as_ip4_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid a746fa0d next; 7. ls_out_port_sec_ip (ovn-northd.c:2364): outport == "cp" && eth.dst == fa:16:3e:89:f2:36 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.1.2.7}, priority 90, uuid 4d9862b5 next; @@ -1497,7 +1497,7 @@ firewall and is output to ``d``:: ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "dp" && ip4 && ip4.src == 0.0.0.0/0 && icmp4), priority 2002, uuid b860fc9f + 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "dp" && ip4 && ip4.src == 0.0.0.0/0 && icmp4), priority 2002, uuid b860fc9f next; 7. ls_out_port_sec_ip (ovn-northd.c:2364): outport == "dp" && eth.dst == fa:16:3e:c1:f5:a2 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.6}, priority 90, uuid 15655a98 next; 
@@ -1609,7 +1609,7 @@ closely to those for IPv4 which we already discussed back under ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip6), priority 2002, uuid 7fdd607e + 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip6), priority 2002, uuid 7fdd607e next; 13. ls_in_l2_lkup (ovn-northd.c:3529): eth.dst == fa:16:3e:ef:2f:8b, priority 50, uuid e1d87fc5 outport = "ad952e"; @@ -1667,7 +1667,7 @@ closely to those for IPv4 which we already discussed back under ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- - 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "cp" && ip6 && ip6.src == $as_ip6_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid 12fc96f9 + 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "cp" && ip6 && ip6.src == $as_ip6_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid 12fc96f9 next; 7. ls_out_port_sec_ip (ovn-northd.c:2390): outport == "cp" && eth.dst == fa:16:3e:89:f2:36 && ip6.dst == {fe80::f816:3eff:fe89:f236, ff00::/8, fc22::7}, priority 90, uuid c622596a next; 
@@ -1858,7 +1858,7 @@ action replaces a DHCPDISCOVER or DHCPREQUEST packet by a reply. Table 12 flips the packet's source and destination and sends it back the way it came in:: - 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip4 && ip4.dst == {255.255.255.255, 10.1.1.0/24} && udp && udp.src == 68 && udp.dst == 67), priority 2002, uuid 9c90245d + 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip4 && ip4.dst == {255.255.255.255, 10.1.1.0/24} && udp && udp.src == 68 && udp.dst == 67), priority 2002, uuid 9c90245d next; 11. ls_in_dhcp_options (ovn-northd.c:3409): inport == "ap" && eth.src == fa:16:3e:a9:4c:c7 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67, priority 100, uuid 8d63f29c reg0[3] = put_dhcp_opts(offerip = 10.1.1.5, lease_time = 43200, mtu = 1442, netmask = 255.255.255.0, router = 10.1.1.1, server_id = 10.1.1.1); diff --git a/ovn/lib/logical-fields.c b/ovn/lib/logical-fields.c index a8b5e3c..ad223b5 100644 --- a/ovn/lib/logical-fields.c +++ b/ovn/lib/logical-fields.c @@ -108,8 +108,11 @@ ovn_init_symtab(struct shash *symtab) /* Connection tracking state. */ expr_symtab_add_field(symtab, "ct_mark", MFF_CT_MARK, NULL, false); + expr_symtab_add_subfield(symtab, "ct.blocked", NULL, "ct_mark[0]"); expr_symtab_add_field(symtab, "ct_label", MFF_CT_LABEL, NULL, false); + + /* ct_label.blocked has been kept for backward compatibility. */ expr_symtab_add_subfield(symtab, "ct_label.blocked", NULL, "ct_label[0]"); expr_symtab_add_field(symtab, "ct_state", MFF_CT_STATE, NULL, false); diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index 15d57fd..a027019 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -286,14 +286,14 @@
  • allow-related ACLs translate into logical - flows with the ct_commit(ct_label=0/1); next; actions + flows with the ct_commit(ct_mark=0/1); next; actions for new connections and reg0[1] = 1; next; for existing connections.
  • Other ACLs translate to drop; for new or untracked - connections and ct_commit(ct_label=1/1); for known - connections. Setting ct_label marks a connection + connections and ct_commit(ct_mark=1/1); for known + connections. Setting ct_mark marks a connection as one that was previously allowed, but should no longer be allowed due to a policy change.
  • @@ -319,12 +319,12 @@ A priority-65535 flow that allows any traffic in the reply direction for a connection that has been committed to the connection tracker (i.e., established flows), as long as - the committed flow does not have ct_label.blocked set. + the committed flow does not have ct.blocked set. We only handle traffic in the reply direction here because we want all packets going in the request direction to still go through the flows that implement the currently defined policy based on ACLs. If a connection is no longer allowed by - policy, ct_label.blocked will get set and packets in the + policy, ct.blocked will get set and packets in the reply direction will no longer be allowed, either. @@ -332,7 +332,7 @@ A priority-65535 flow that allows any traffic that is considered related to a committed flow in the connection tracker (e.g., an ICMP Port Unreachable from a non-listening UDP port), as long - as the committed flow does not have ct_label.blocked set. + as the committed flow does not have ct.blocked set.
  • @@ -342,7 +342,7 @@
  • A priority-65535 flow that drops all trafic in the reply direction - with ct_label.blocked set meaning that the connection + with ct.blocked set meaning that the connection should no longer be allowed due to a policy change. Packets in the request direction are skipped here to let a newly created ACL re-allow this connection. diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 40df86d..cf84c35 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -3707,13 +3707,13 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * It's also possible that a known connection was marked for * deletion after a policy was deleted, but the policy was * re-added while that connection is still known. We catch - * that case here and un-set ct_label.blocked (which will be done + * that case here and un-set ct.blocked (which will be done * by ct_commit in the "stateful" stage) to indicate that the * connection should be allowed to resume. */ ds_put_format(&match, "((ct.new && !ct.est)" " || (!ct.new && ct.est && !ct.rpl " - "&& ct_label.blocked == 1)) " + "&& ct.blocked == 1)) " "&& (%s)", acl->match); ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; "); build_acl_log(&actions, acl); @@ -3734,7 +3734,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, ds_clear(&actions); ds_put_format(&match, "!ct.new && ct.est && !ct.rpl" - " && ct_label.blocked == 0 && (%s)", + " && ct.blocked == 0 && (%s)", acl->match); build_acl_log(&actions, acl); @@ -3760,7 +3760,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, /* If the packet is not part of an established connection, then * we can simply reject/drop it. */ ds_put_cstr(&match, - "(!ct.est || (ct.est && ct_label.blocked == 1))"); + "(!ct.est || (ct.est && ct.blocked == 1))"); if (!strcmp(acl->action, "reject")) { build_reject_acl_rules(od, lflows, stage, acl, &match, &actions); 
@@ -3772,11 +3772,11 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, acl->priority + OVN_ACL_PRI_OFFSET, ds_cstr(&match), ds_cstr(&actions)); } - /* For an existing connection without ct_label set, we've + /* For an existing connection without ct_mark set, we've * encountered a policy change. ACLs previously allowed * this connection and we committed the connection tracking * entry. Current policy says that we should drop this - * connection. First, we set bit 0 of ct_label to indicate + * connection. First, we set bit 0 of ct_mark to indicate * that this connection is set for deletion. By not * specifying "next;", we implicitly drop the packet after * updating conntrack state. We would normally defer @@ -3785,8 +3785,8 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, */ ds_clear(&match); ds_clear(&actions); - ds_put_cstr(&match, "ct.est && ct_label.blocked == 0"); - ds_put_cstr(&actions, "ct_commit(ct_label=1/1); "); + ds_put_cstr(&match, "ct.est && ct.blocked == 0"); + ds_put_cstr(&actions, "ct_commit(ct_mark=1/1); "); if (!strcmp(acl->action, "reject")) { build_reject_acl_rules(od, lflows, stage, acl, &match, &actions); 
@@ -3909,56 +3909,56 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, * subsequent packets will hit the flow at priority 0 that just * uses "next;" * - * We also check for established connections that have ct_label.blocked + * We also check for established connections that have ct.blocked * set on them. That's a connection that was disallowed, but is * now allowed by policy again since it hit this default-allow flow. - * We need to set ct_label.blocked=0 to let the connection continue, + * We need to set ct.blocked=0 to let the connection continue, * which will be done by ct_commit() in the "stateful" stage. * Subsequent packets will hit the flow at priority 0 that just * uses "next;". */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, - "ip && (!ct.est || (ct.est && ct_label.blocked == 1))", + "ip && (!ct.est || (ct.est && ct.blocked == 1))", REGBIT_CONNTRACK_COMMIT" = 1; next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, - "ip && (!ct.est || (ct.est && ct_label.blocked == 1))", + "ip && (!ct.est || (ct.est && ct.blocked == 1))", REGBIT_CONNTRACK_COMMIT" = 1; next;"); /* Ingress and Egress ACL Table (Priority 65535). * * Always drop traffic that's in an invalid state. Also drop * reply direction packets for connections that have been marked - * for deletion (bit 0 of ct_label is set). + * for deletion (bit 0 of ct_mark is set). * * This is enforced at a higher priority than ACLs can be defined. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, - "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)", + "ct.inv || (ct.est && ct.rpl && ct.blocked == 1)", "drop;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, - "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)", + "ct.inv || (ct.est && ct.rpl && ct.blocked == 1)", "drop;"); /* Ingress and Egress ACL Table (Priority 65535). * * Allow reply traffic that is part of an established * conntrack entry that has not been marked for deletion - * (bit 0 of ct_label). 
We only match traffic in the + * (bit 0 of ct_mark). We only match traffic in the * reply direction because we want traffic in the request * direction to hit the currently defined policy from ACLs. * * This is enforced at a higher priority than ACLs can be defined. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "ct.est && !ct.rel && !ct.new && !ct.inv " - "&& ct.rpl && ct_label.blocked == 0", + "&& ct.rpl && ct.blocked == 0", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "ct.est && !ct.rel && !ct.new && !ct.inv " - "&& ct.rpl && ct_label.blocked == 0", + "&& ct.rpl && ct.blocked == 0", "next;"); /* Ingress and Egress ACL Table (Priority 65535). * * Allow traffic that is related to an existing conntrack entry that - * has not been marked for deletion (bit 0 of ct_label). + * has not been marked for deletion (bit 0 of ct_mark). * * This is enforced at a higher priority than ACLs can be defined. * @@ -3968,11 +3968,11 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, * that's generated from a non-listening UDP port. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "!ct.est && ct.rel && !ct.new && !ct.inv " - "&& ct_label.blocked == 0", + "&& ct.blocked == 0", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "!ct.est && ct.rel && !ct.new && !ct.inv " - "&& ct_label.blocked == 0", + "&& ct.blocked == 0", "next;"); /* Ingress and Egress ACL Table (Priority 65535). 
@@ -4154,13 +4154,13 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows) ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;"); /* If REGBIT_CONNTRACK_COMMIT is set as 1, then the packets should be - * committed to conntrack. We always set ct_label.blocked to 0 here as + * committed to conntrack. We always set ct.blocked to 0 here as * any packet that makes it this far is part of a connection we * want to allow to continue. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, - REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;"); + REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_mark=0/1); next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 100, - REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;"); + REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_mark=0/1); next;"); /* If REGBIT_CONNTRACK_NAT is set as 1, then packets should just be sent * through nat (without committing). diff --git a/tests/ovn.at b/tests/ovn.at index b3500e8..b546e9a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -160,7 +160,8 @@ AT_CLEANUP dnl Check that the OVN conntrack field definitions are correct. AT_SETUP([ovn -- conntrack fields]) AT_CHECK([ovstest test-ovn dump-symtab | grep ^ct | sort], [0], -[[ct.dnat = ct_state[7] +[[ct.blocked = ct_mark[0] +ct.dnat = ct_state[7] ct.est = ct_state[1] ct.inv = ct_state[4] ct.new = ct_state[0] 
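Review bot: the ct.blocked = ct_mark[0] symbol this @@ -160 dump-symtab hunk now expects comes from the ovn/lib/logical-fields.c hunk, which keeps a ct_label.blocked alias "for backward compatibility", yet after this patch no logical flow reads ct_label.blocked any more. A conntrack entry committed by a pre-upgrade ovn-northd with ct_label bit 0 set still has ct_mark bit 0 clear, so its reply packets match the new priority-65535 `ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct.blocked == 0` allow flow until a request-direction packet hits the drop ACL's `ct.est && ct.blocked == 0` flow and commits `ct_mark=1/1`. The commit message should state that previously blocked connections are re-evaluated (and briefly re-allowed in the reply direction) across the ct_label to ct_mark switch, or the transition should keep treating ct_label.blocked == 1 as blocked until the entry is re-committed.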
@@ -356,7 +357,7 @@ eth.src == {$set3, badmac, 00:00:00:00:00:01} => Syntax error at `badmac' expect ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) => Parentheses nested too deeply. -ct_label > $set4 => Only == and != operators may be used to compare a field against an empty value set. +ct_mark > $set4 => Only == and != operators may be used to compare a field against an empty value set. ]]) sed 's/ =>.*//' test-cases.txt > input.txt sed 's/.* => //' test-cases.txt > expout 
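Review bot: in this @@ -356 hunk the `ct_label > $set4` expectation is replaced by `ct_mark > $set4`, so the empty-value-set comparison error is no longer exercised for a 128-bit field at all. ct_label stays a supported field (and gains register assignment in 2/3 of this series), so keep the ct_label line and add the ct_mark line next to it rather than swapping one for the other.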
@@ -703,10 +704,10 @@ ip,nw_src=10.0.0.2: conjunction(1, 1/2) ip,nw_src=10.0.0.3: conjunction(1, 1/2) ]) -lflow="ip && (!ct.est || (ct.est && ct_label.blocked == 1))" +lflow="ip && (!ct.est || (ct.est && ct.blocked == 1))" AT_CHECK([expr_to_flow "$lflow"], [0], [dnl -ct_state=+est+trk,ct_label=0x1/0x1,ip -ct_state=+est+trk,ct_label=0x1/0x1,ipv6 +ct_state=+est+trk,ct_mark=0x1/0x1,ip +ct_state=+est+trk,ct_mark=0x1/0x1,ipv6 ct_state=-est+trk,ip ct_state=-est+trk,ipv6 ])

From patchwork Tue Apr 16 23:58:08 2019
X-Patchwork-Submitter: Ankur Sharma
X-Patchwork-Id: 1086748
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Thread-Topic: [PATCH v3 2/3] OVN ACL: Allow ct_mark and ct_label values to be set from register as well
Date: Tue, 16 Apr 2019 23:58:08 +0000
Message-ID: <1555459154-103091-3-git-send-email-ankur.sharma@nutanix.com>
References: <1555459154-103091-1-git-send-email-ankur.sharma@nutanix.com>
In-Reply-To: <1555459154-103091-1-git-send-email-ankur.sharma@nutanix.com>
X-Mailer: git-send-email 1.8.3.1
Subject: [ovs-dev] [PATCH v3 2/3] OVN ACL: Allow ct_mark and ct_label values to be set from register as well

OVN allows only an integer (or masked integer) to be assigned to ct_mark and ct_label.
This patch enhances the parser code to allow ct_mark and ct_label to be assigned from 32 bit registers (MFF_REG0 - MFF_REG15) and 128 bit registers (MFF_XXREG0 - MFF_XXREG3) respectively.

Signed-off-by: Ankur Sharma
---
 include/ovn/actions.h |  3 ++
 ovn/lib/actions.c     | 77 +++++++++++++++++++++++++++++++++++++++++++++------
 ovn/ovn-sb.xml        | 20 +++++++------
 tests/ovn.at          | 16 +++++++++++
 4 files changed, 99 insertions(+), 17 deletions(-)

diff --git a/include/ovn/actions.h b/include/ovn/actions.h index 1c0c67c..58b96a1 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h @@ -24,6 +24,7 @@ #include "openvswitch/dynamic-string.h" #include "openvswitch/hmap.h" #include "openvswitch/uuid.h" +#include "openvswitch/meta-flow.h" #include "util.h" struct expr; @@ -196,8 +197,10 @@ struct ovnact_ct_next { /* OVNACT_CT_COMMIT. */ struct ovnact_ct_commit { struct ovnact ovnact; + bool is_ct_mark_reg, is_ct_label_reg; /* If the value is from a register */ uint32_t ct_mark, ct_mark_mask; ovs_be128 ct_label, ct_label_mask; + enum mf_field_id ct_mark_reg, ct_label_reg; }; /* OVNACT_CT_DNAT, OVNACT_CT_SNAT. */ diff --git a/ovn/lib/actions.c b/ovn/lib/actions.c index eb7e5ba..d8b86dc 100644 --- a/ovn/lib/actions.c +++ b/ovn/lib/actions.c
@@ -627,8 +627,28 @@ parse_ct_commit_arg(struct action_context *ctx, } else if (ctx->lexer->token.type == LEX_T_MASKED_INTEGER) { cc->ct_mark = ntohll(ctx->lexer->token.value.integer); cc->ct_mark_mask = ntohll(ctx->lexer->token.mask.integer); + } else if (ctx->lexer->token.type == LEX_T_ID) { + + cc->ct_mark_mask = UINT32_MAX; + + const struct mf_field *mf = mf_from_name(ctx->lexer->token.s); + if (mf) { + + if (mf->id >= MFF_REG0 && mf->id <= MFF_REG15) { + cc->is_ct_mark_reg = true; + cc->ct_mark_reg = mf->id; + } else { + lexer_syntax_error(ctx->lexer, "input: %s, not a 32 bit " + "register", mf->name); + return; + } + } else { + lexer_syntax_error(ctx->lexer, "invalid field name: %s", + ctx->lexer->token.s); + return; + } } else { - lexer_syntax_error(ctx->lexer, "expecting integer"); + lexer_syntax_error(ctx->lexer, "invalid token type"); return; } lexer_get(ctx->lexer); @@ -642,9 +662,28 @@ parse_ct_commit_arg(struct action_context *ctx, } else if (ctx->lexer->token.type == LEX_T_MASKED_INTEGER) { cc->ct_label = ctx->lexer->token.value.be128_int; cc->ct_label_mask = ctx->lexer->token.mask.be128_int; + } else if (ctx->lexer->token.type == LEX_T_ID) { + + cc->ct_label_mask = OVS_BE128_MAX; + const struct mf_field *mf = mf_from_name(ctx->lexer->token.s); + if (mf) { + if (mf->id >= MFF_XXREG0 && mf->id <= MFF_XXREG3) { + cc->is_ct_label_reg = true; + cc->ct_label_reg = mf->id; + } else { + lexer_syntax_error(ctx->lexer, "input: %s, not a 128 bit " + "register", mf->name); + return; + } + } else { + lexer_syntax_error(ctx->lexer, "invalid field name: %s", + ctx->lexer->token.s); + return; + } + } else { - lexer_syntax_error(ctx->lexer, "expecting integer"); - return; + lexer_syntax_error(ctx->lexer, "invalid token type"); + return; } lexer_get(ctx->lexer); } else { 
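Review bot: In the parse_ct_commit_arg hunk, the check `mf->id >= MFF_REG0 && mf->id <= MFF_REG15` admits every 32-bit register, including ones the OVN pipeline already uses for its own state: the expected encodings in the tests/ovn.at hunk of this same patch read the conntrack zone from `NXM_NX_REG13[0..15]` (and from `NXM_NX_REG11[0..15]` in the ct_dnat case), so `ct_commit(ct_mark=reg13)` is accepted and would copy zone bits into ct_mark. Restrict the accepted range to the registers the ovn-sb.xml hunk documents (reg0 - reg9 and xxreg0 - xxreg1), or reject the reserved ones explicitly, so the parser and the documentation agree. Three smaller points in the same hunk: the ct_mark and ct_label branches are identical apart from the field range and the error text, so a helper taking the min and max `mf_field_id` would remove the duplicated lookup and error handling; replacing `expecting integer` with `invalid token type` makes the error less useful rather than more, `expecting integer or register` tells the user what is allowed; and `cc->ct_mark_mask = UINT32_MAX;` (likewise `OVS_BE128_MAX` below) is assigned before the name has been validated, which is harmless only because every failure path returns, so it belongs inside the branch where the register is accepted.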
@@ -713,14 +752,36 @@ encode_CT_COMMIT(const struct ovnact_ct_commit *cc, ofpbuf_pull(ofpacts, set_field_offset); if (cc->ct_mark_mask) { - const ovs_be32 value = htonl(cc->ct_mark); - const ovs_be32 mask = htonl(cc->ct_mark_mask); - ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_MARK), &value, &mask); + if (cc->is_ct_mark_reg) { + struct ofpact_reg_move *move = ofpact_put_REG_MOVE(ofpacts); + + move->src.field = mf_from_id(cc->ct_mark_reg); + move->src.ofs = 0; + move->src.n_bits = 32; + move->dst.field = mf_from_id(MFF_CT_MARK); + move->dst.ofs = 0; + move->dst.n_bits = 32; + } else { + const ovs_be32 value = htonl(cc->ct_mark); + const ovs_be32 mask = htonl(cc->ct_mark_mask); + ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_MARK), &value, &mask); + } } if (!ovs_be128_is_zero(cc->ct_label_mask)) { - ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_LABEL), &cc->ct_label, - &cc->ct_label_mask); + if (cc->is_ct_label_reg) { + struct ofpact_reg_move *move = ofpact_put_REG_MOVE(ofpacts); + + move->src.field = mf_from_id(cc->ct_label_reg); + move->src.ofs = 0; + move->src.n_bits = 128; + move->dst.field = mf_from_id(MFF_CT_LABEL); + move->dst.ofs = 0; + move->dst.n_bits = 128; + } else { + ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_LABEL), &cc->ct_label, + &cc->ct_label_mask); + } } ofpacts->header = ofpbuf_push_uninit(ofpacts, set_field_offset); diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml index 5c4a852..35719c1 100644 --- a/ovn/ovn-sb.xml +++ b/ovn/ovn-sb.xml @@ -1180,19 +1180,21 @@
    ct_commit;
    -
    ct_commit(ct_mark=value[/mask]);
    -
    ct_commit(ct_label=value[/mask]);
    -
    ct_commit(ct_mark=value[/mask], ct_label=value[/mask]);
    +
    ct_commit(ct_mark=(value[/mask] OR regX));
    +
    ct_commit(ct_label=(value[/mask] OR xxregX));
    +
    ct_commit(ct_mark=(value[/mask] OR regX), ct_label=(value[/mask] OR xxregX));

    Commit the flow to the connection tracking entry associated with it - by a previous call to ct_next. When - ct_mark=value[/mask] and/or - ct_label=value[/mask] are supplied, + by a previous call to ct_next. When + ct_mark=value[/mask] OR xxregX and/or + ct_label=value[/mask] OR xxregX are supplied, ct_mark and/or ct_label will be set to the - values indicated by value[/mask] on the connection - tracking entry. ct_mark is a 32-bit field. - ct_label is a 128-bit field. The value[/mask] + values indicated by value[/mask] or 32 bit/128 bit registers + on the connection tracking entry. ct_mark is a 32-bit field + and hence will read value only from a 32 bit register (reg0 - reg9). + ct_label is a 128-bit field and hence will read value only + from a 128 bit register (xxreg0 - xxreg1). The value[/mask] should be specified in hex string if more than 64bits are to be used.
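Review bot: In the ovn-sb.xml hunk, the documented register ranges do not match the parser in this same patch: the text says ct_mark reads "only from a 32 bit register (reg0 - reg9)" and ct_label "only from a 128 bit register (xxreg0 - xxreg1)", while parse_ct_commit_arg accepts MFF_REG0 - MFF_REG15 and MFF_XXREG0 - MFF_XXREG3 (the commit message states the wider ranges as well). Pick one set and have the code enforce it. The descriptive paragraph also reads `ct_mark=value[/mask] OR xxregX` where the synopsis line above it correctly says `regX`; ct_mark is the 32-bit field, so it should be `regX` here too. Finally, `(value[/mask] OR regX)` introduces a new notation into a synopsis block whose existing entries list each accepted form on its own line; adding `ct_commit(ct_mark=regX);` and `ct_commit(ct_label=xxregX);` as separate forms would be consistent with the entries already there, and "32 bit/128 bit" and "64bits" should be written "32-bit/128-bit" and "64 bits" to match "32-bit field" in the same paragraph.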

    diff --git a/tests/ovn.at b/tests/ovn.at index b546e9a..f4e3650 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
@@ -1021,6 +1021,22 @@ ct_commit(ct_label=18446744073709551615); ct_commit(ct_label=18446744073709551616); Decimal constants must be less than 2**64. +ct_commit(ct_label=xxreg1); + formats as ct_commit(ct_label=0); + encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(move:NXM_NX_XXREG1[]->NXM_NX_CT_LABEL[])) + has prereqs ip + +ct_commit(ct_mark=reg1); + formats as ct_commit(ct_mark=0); + encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(move:NXM_NX_REG1[]->NXM_NX_CT_MARK[])) + has prereqs ip + +ct_commit(ct_label=reg1); + Syntax error at `reg1' input: reg1, not a 128 bit register. + +ct_commit(ct_mark=xxreg1); + Syntax error at `xxreg1' input: xxreg1, not a 32 bit register. + # ct_dnat ct_dnat; encodes as ct(table=19,zone=NXM_NX_REG11[0..15],nat)

From patchwork Tue Apr 16 23:58:10 2019
X-Patchwork-Submitter: Ankur Sharma
X-Patchwork-Id: 1086749
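Review bot: In the tests/ovn.at hunk, the expectations `formats as ct_commit(ct_label=0);` and `formats as ct_commit(ct_mark=0);` show that the formatter was not updated for the register case: a register-sourced commit is printed as a constant zero, so the textual form no longer round-trips (`ct_commit(ct_mark=0)` parsed back sets ct_mark to 0 instead of copying reg1) and anything that prints logical flows hides which register is used. The test should expect `formats as ct_commit(ct_mark=reg1);` and `formats as ct_commit(ct_label=xxreg1);`, with the formatter printing the field name whenever the register flag is set. It would also be worth adding a case with both arguments, `ct_commit(ct_mark=reg1, ct_label=xxreg1);`, and one with an unknown name, to cover the `invalid field name` branch added in parse_ct_commit_arg, which no test here exercises.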
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Date: Tue, 16 Apr 2019 23:58:10 +0000
Message-ID: <1555459154-103091-4-git-send-email-ankur.sharma@nutanix.com>
In-Reply-To: <1555459154-103091-1-git-send-email-ankur.sharma@nutanix.com>
Subject: [ovs-dev] [PATCH v3 3/3] OVN ACL: Allow a user to input ct.label value for an acl

This patch allows a user to associate a value with an acl, which will be assigned to ct.label of the corresponding connection tracking entry.
This value can be used to map a ct entry to the corresponding OVN ACL or to higher-level constructs like a security group.

Signed-off-by: Ankur Sharma --- ovn/ovn-nb.ovsschema | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema index 2c87cbb..4391e3b 100644 --- a/ovn/ovn-nb.ovsschema +++ b/ovn/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "5.16.0", - "cksum": "923459061 23095", + "version": "5.17.0", + "cksum": "3491001412 23095", "tables": { "NB_Global": { "columns": {
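Review bot: In the ovn-nb.ovsschema hunk, the only change is the version and cksum bump (`"version": "5.17.0"`), and the diffstat confirms it: `1 file changed, 2 insertions(+), 2 deletions(-)`. The commit message says the patch lets a user attach a ct.label value to an ACL, but no column is added to the ACL table, the schema length recorded in the cksum (`23095`) is unchanged, and no ovn-nb.xml documentation or ovn-northd change appears in the diffstat, so as posted the patch changes the schema version without changing the schema. Either the ACL column, its documentation, and the northd code that emits the `ct_commit(ct_label=...)` form from patch 2/3 are missing from this mail, or the version bump should be dropped; a version bump with no accompanying schema change also gives reviewers nothing to check the new cksum against.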