From patchwork Wed Sep 2 15:05:09 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dumitru Ceara ct_next;
action.
from-lport
ACLsfrom-lport
ACL hints
+ This table consists of logical flows that set hints
+ (reg0
bits) to be used in the next stage, in the ACL
+ processing table. Multiple hints can be set for the same packet.
+ The possible hints are:
+
reg0[7]
: the packet might match an
+ allow-related
ACL and might have to commit the
+ connection to conntrack.
+ reg0[8]
: the packet might match an
+ allow-related
ACL but there will be no need to commit
+ the connection to conntrack because it already exists.
+ reg0[9]
: the packet might match a
+ drop/reject
.
+ reg0[10]
: the packet might match a
+ drop/reject
ACL but the connection was previously
+ allowed so it might have to be committed again with
+ ct_label=1/1
.
+ + The table contains the following flows: +
+reg0[7]
and reg0[9]
and
+ then advances to the next table.
+ reg0[7]
and
+ reg0[9]
and then advances to the next table.
+ reg0[8]
and reg0[9]
and then advances to
+ the next table.
+ reg0[8]
and
+ reg0[10]
and then advances to the next table.
+ reg0[9]
and then
+ advances to the next table.
+ reg0[9]
and then advances to the next
+ table.
+ reg0[10]
and then advances to the next
+ table.
+ from-lport
ACLsLogical flows in this table closely reproduce those in the @@ -494,7 +573,7 @@ -
from-lport
QoS Markingfrom-lport
QoS MarkingLogical flows in this table closely reproduce those in the @@ -516,7 +595,7 @@ -
from-lport
QoS Meterfrom-lport
QoS MeterLogical flows in this table closely reproduce those in the @@ -538,7 +617,7 @@ -
It contains a priority-0 flow that simply moves traffic to the next @@ -564,7 +643,7 @@ connection.)
-This table implements ARP/ND responder in a logical switch for known @@ -930,7 +1009,7 @@ output; -
This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -987,11 +1066,11 @@ next;
This table implements DHCP responder for the DHCP replies generated by @@ -1068,11 +1147,11 @@ output;
This table looks up and resolves the DNS names to the corresponding @@ -1101,7 +1180,7 @@ reg0[4] = dns_lookup(); next; -
This table implements DNS responder for the DNS replies generated by @@ -1136,7 +1215,7 @@ output; -
Traffic from the external
logical ports enter the ingress
@@ -1175,11 +1254,11 @@ output;
This table implements switching behavior. It contains these logical
@@ -1412,7 +1491,12 @@ output;
This is similar to ingress table LB
.
to-lport
ACLsfrom-lport
ACL hints
+ This is similar to ingress table ACL hints
.
+
to-lport
ACLs
This is similar to ingress table ACLs
except for
@@ -1427,14 +1511,14 @@ output;
A priority 34000 logical flow is added for each logical port which
has DHCPv4 options defined to allow the DHCPv4 reply packet and which has
DHCPv6 options defined to allow the DHCPv6 reply packet from the
- Ingress Table 15: DHCP responses
.
+ Ingress Table 16: DHCP responses
.
udp.dst = 53
to allow the DNS reply packet from the
- Ingress Table 17: DNS responses
.
+ Ingress Table 18: DNS responses
.
to-lport
QoS Markingto-lport
QoS Marking
This is similar to ingress table QoS marking
except
they apply to to-lport
QoS rules.
to-lport
QoS Meterto-lport
QoS Meter
This is similar to ingress table QoS meter
except
they apply to to-lport
QoS rules.
This is similar to ingress table Stateful
except that
there are no rules added for load balancing new connections.
This is similar to the port security logic in table
@@ -1480,7 +1564,7 @@ output;
ip4.src
and ip6.src
This is similar to the ingress port security logic in ingress table
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 7be0e85..2025446 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -138,32 +138,34 @@ enum ovn_stage {
PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 3, "ls_in_pre_acl") \
PIPELINE_STAGE(SWITCH, IN, PRE_LB, 4, "ls_in_pre_lb") \
PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 5, "ls_in_pre_stateful") \
- PIPELINE_STAGE(SWITCH, IN, ACL, 6, "ls_in_acl") \
- PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 7, "ls_in_qos_mark") \
- PIPELINE_STAGE(SWITCH, IN, QOS_METER, 8, "ls_in_qos_meter") \
- PIPELINE_STAGE(SWITCH, IN, LB, 9, "ls_in_lb") \
- PIPELINE_STAGE(SWITCH, IN, STATEFUL, 10, "ls_in_stateful") \
- PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 11, "ls_in_pre_hairpin") \
- PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 12, "ls_in_hairpin") \
- PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 13, "ls_in_arp_rsp") \
- PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 14, "ls_in_dhcp_options") \
- PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 15, "ls_in_dhcp_response") \
- PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 16, "ls_in_dns_lookup") \
- PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 17, "ls_in_dns_response") \
- PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 18, "ls_in_external_port") \
- PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 19, "ls_in_l2_lkup") \
+ PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 6, "ls_in_acl_hint") \
+ PIPELINE_STAGE(SWITCH, IN, ACL, 7, "ls_in_acl") \
+ PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 8, "ls_in_qos_mark") \
+ PIPELINE_STAGE(SWITCH, IN, QOS_METER, 9, "ls_in_qos_meter") \
+ PIPELINE_STAGE(SWITCH, IN, LB, 10, "ls_in_lb") \
+ PIPELINE_STAGE(SWITCH, IN, STATEFUL, 11, "ls_in_stateful") \
+ PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 12, "ls_in_pre_hairpin") \
+ PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 13, "ls_in_hairpin") \
+ PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 14, "ls_in_arp_rsp") \
+ PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 15, "ls_in_dhcp_options") \
+ PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 16, "ls_in_dhcp_response") \
+ PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 17, "ls_in_dns_lookup") \
+ PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 18, "ls_in_dns_response") \
+ PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 19, "ls_in_external_port") \
+ PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 20, "ls_in_l2_lkup") \
\
/* Logical switch egress stages. */ \
PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 0, "ls_out_pre_lb") \
PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 1, "ls_out_pre_acl") \
PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \
PIPELINE_STAGE(SWITCH, OUT, LB, 3, "ls_out_lb") \
- PIPELINE_STAGE(SWITCH, OUT, ACL, 4, "ls_out_acl") \
- PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 5, "ls_out_qos_mark") \
- PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 6, "ls_out_qos_meter") \
- PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \
- PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 8, "ls_out_port_sec_ip") \
- PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 9, "ls_out_port_sec_l2") \
+ PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 4, "ls_out_acl_hint") \
+ PIPELINE_STAGE(SWITCH, OUT, ACL, 5, "ls_out_acl") \
+ PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 6, "ls_out_qos_mark") \
+ PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 7, "ls_out_qos_meter") \
+ PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 8, "ls_out_stateful") \
+ PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 9, "ls_out_port_sec_ip") \
+ PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 10, "ls_out_port_sec_l2") \
\
/* Logical router ingress stages. */ \
PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \
@@ -205,13 +207,17 @@ enum ovn_stage {
#define OVN_ACL_PRI_OFFSET 1000
/* Register definitions specific to switches. */
-#define REGBIT_CONNTRACK_DEFRAG "reg0[0]"
-#define REGBIT_CONNTRACK_COMMIT "reg0[1]"
-#define REGBIT_CONNTRACK_NAT "reg0[2]"
-#define REGBIT_DHCP_OPTS_RESULT "reg0[3]"
-#define REGBIT_DNS_LOOKUP_RESULT "reg0[4]"
-#define REGBIT_ND_RA_OPTS_RESULT "reg0[5]"
-#define REGBIT_HAIRPIN "reg0[6]"
+#define REGBIT_CONNTRACK_DEFRAG "reg0[0]"
+#define REGBIT_CONNTRACK_COMMIT "reg0[1]"
+#define REGBIT_CONNTRACK_NAT "reg0[2]"
+#define REGBIT_DHCP_OPTS_RESULT "reg0[3]"
+#define REGBIT_DNS_LOOKUP_RESULT "reg0[4]"
+#define REGBIT_ND_RA_OPTS_RESULT "reg0[5]"
+#define REGBIT_HAIRPIN "reg0[6]"
+#define REGBIT_ACL_HINT_ALLOW_NEW "reg0[7]"
+#define REGBIT_ACL_HINT_ALLOW "reg0[8]"
+#define REGBIT_ACL_HINT_DROP "reg0[9]"
+#define REGBIT_ACL_HINT_BLOCK "reg0[10]"
/* Register definitions for switches and routers. */
@@ -246,11 +252,12 @@ enum ovn_stage {
* OVS register usage:
*
* Logical Switch pipeline:
- * +---------+-------------------------------------+
- * | R0 | REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN} |
- * +---------+-------------------------------------+
- * | R1 - R9 | UNUSED |
- * +---------+-------------------------------------+
+ * +---------+----------------------------------------------+
+ * | R0 | REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN} |
+ * | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} |
+ * +---------+----------------------------------------------+
+ * | R1 - R9 | UNUSED |
+ * +---------+----------------------------------------------+
*
* Logical Router pipeline:
* +-----+--------------------------+---+-----------------+---+---------------+
@@ -5140,6 +5147,96 @@ build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows)
}
static void
+build_acl_hints(struct ovn_datapath *od, struct hmap *lflows)
+{
+ /* This stage builds hints for the IN/OUT_ACL stage. Based on various
+ * combinations of ct flags packets may hit only a subset of the logical
+ * flows in the IN/OUT_ACL stage.
+ *
+ * Populating ACL hints first and storing them in registers simplifies
+ * the logical flow match expressions in the IN/OUT_ACL stage and
+ * generates less openflows.
+ *
+ * Certain combinations of ct flags might be valid matches for multiple
+ * types of ACL logical flows (e.g., allow/drop). In such cases hints
+ * corresponding to all potential matches are set.
+ */
+
+ enum ovn_stage stages[] = {
+ S_SWITCH_IN_ACL_HINT,
+ S_SWITCH_OUT_ACL_HINT,
+ };
+
+ for (size_t i = 0; i < ARRAY_SIZE(stages); i++) {
+ enum ovn_stage stage = stages[i];
+
+ /* New, not already established connections, may hit either allow
+ * or drop ACLs. For allow ACLs, the connection must also be committed
+ * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW.
+ */
+ ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est",
+ REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
+ REGBIT_ACL_HINT_DROP " = 1; "
+ "next;");
+
+ /* Already established connections in the "request" direction that
+ * are already marked as "blocked" may hit either:
+ * - allow ACLs for connections that were previously allowed by a
+ * policy that was deleted and is being readded now. In this case
+ * the connection should be recommitted so we set
+ * REGBIT_ACL_HINT_ALLOW_NEW.
+ * - drop ACLs.
+ */
+ ovn_lflow_add(lflows, od, stage, 6,
+ "!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1",
+ REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
+ REGBIT_ACL_HINT_DROP " = 1; "
+ "next;");
+
+ /* Not tracked traffic can either be allowed or dropped. */
+ ovn_lflow_add(lflows, od, stage, 5, "!ct.trk",
+ REGBIT_ACL_HINT_ALLOW " = 1; "
+ REGBIT_ACL_HINT_DROP " = 1; "
+ "next;");
+
+ /* Already established connections in the "request" direction may hit
+ * either:
+ * - allow ACLs in which case the traffic should be allowed so we set
+ * REGBIT_ACL_HINT_ALLOW.
+ * - drop ACLs in which case the traffic should be blocked and the
+ * connection must be committed with ct_label.blocked set so we set
+ * REGBIT_ACL_HINT_BLOCK.
+ */
+ ovn_lflow_add(lflows, od, stage, 4,
+ "!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0",
+ REGBIT_ACL_HINT_ALLOW " = 1; "
+ REGBIT_ACL_HINT_BLOCK " = 1; "
+ "next;");
+
+ /* Not established or established and already blocked connections may
+ * hit drop ACLs.
+ */
+ ovn_lflow_add(lflows, od, stage, 3, "!ct.est",
+ REGBIT_ACL_HINT_DROP " = 1; "
+ "next;");
+ ovn_lflow_add(lflows, od, stage, 2, "ct.est && ct_label.blocked == 1",
+ REGBIT_ACL_HINT_DROP " = 1; "
+ "next;");
+
+ /* Established connections that were previously allowed might hit
+ * drop ACLs in which case the connection must be committed with
+ * ct_label.blocked set.
+ */
+ ovn_lflow_add(lflows, od, stage, 1, "ct.est && ct_label.blocked == 0",
+ REGBIT_ACL_HINT_BLOCK " = 1; "
+ "next;");
+
+ /* In any case, advance to the next stage. */
+ ovn_lflow_add(lflows, od, stage, 0, "1", "next;");
+ }
+}
+
+static void
build_acl_log(struct ds *actions, const struct nbrec_acl *acl)
{
if (!acl->log) {
@@ -5197,7 +5294,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
"eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
"tcp_reset { outport <-> inport; %s };",
ingress ? "next(pipeline=egress,table=5);"
- : "next(pipeline=ingress,table=19);");
+ : "next(pipeline=ingress,table=20);");
ovn_lflow_add_with_hint(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET + 10,
ds_cstr(&match), ds_cstr(&actions), stage_hint);
@@ -5212,7 +5309,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
"eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
"tcp_reset { outport <-> inport; %s };",
ingress ? "next(pipeline=egress,table=5);"
- : "next(pipeline=ingress,table=19);");
+ : "next(pipeline=ingress,table=20);");
ovn_lflow_add_with_hint(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET + 10,
ds_cstr(&match), ds_cstr(&actions), stage_hint);
@@ -5232,7 +5329,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
"icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
"outport <-> inport; %s };",
ingress ? "next(pipeline=egress,table=5);"
- : "next(pipeline=ingress,table=19);");
+ : "next(pipeline=ingress,table=20);");
ovn_lflow_add_with_hint(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(&match), ds_cstr(&actions), stage_hint);
@@ -5250,7 +5347,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
"eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
"outport <-> inport; %s };",
ingress ? "next(pipeline=egress,table=5);"
- : "next(pipeline=ingress,table=19);");
+ : "next(pipeline=ingress,table=20);");
ovn_lflow_add_with_hint(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(&match), ds_cstr(&actions), stage_hint);
@@ -5298,10 +5395,8 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
* by ct_commit in the "stateful" stage) to indicate that the
* connection should be allowed to resume.
*/
- ds_put_format(&match, "((ct.new && !ct.est)"
- " || (!ct.new && ct.est && !ct.rpl "
- "&& ct_label.blocked == 1)) "
- "&& (%s)", acl->match);
+ ds_put_format(&match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)",
+ acl->match);
ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
build_acl_log(&actions, acl);
ds_put_cstr(&actions, "next;");
@@ -5319,9 +5414,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
* policy. Match untracked packets too. */
ds_clear(&match);
ds_clear(&actions);
- ds_put_format(&match,
- "(!ct.trk || (!ct.new && ct.est && !ct.rpl"
- " && ct_label.blocked == 0)) && (%s)",
+ ds_put_format(&match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)",
acl->match);
build_acl_log(&actions, acl);
@@ -5346,9 +5439,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
if (has_stateful) {
/* If the packet is not tracked or not part of an established
* connection, then we can simply reject/drop it. */
- ds_put_cstr(&match,
- "(!ct.trk || !ct.est"
- " || (ct.est && ct_label.blocked == 1))");
+ ds_put_cstr(&match, REGBIT_ACL_HINT_DROP " == 1");
if (!strcmp(acl->action, "reject")) {
build_reject_acl_rules(od, lflows, stage, acl, &match,
&actions, &acl->header_);
@@ -5374,7 +5465,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
*/
ds_clear(&match);
ds_clear(&actions);
- ds_put_cstr(&match, "ct.est && ct_label.blocked == 0");
+ ds_put_cstr(&match, REGBIT_ACL_HINT_BLOCK " == 1");
ds_put_cstr(&actions, "ct_commit { ct_label.blocked = 1; }; ");
if (!strcmp(acl->action, "reject")) {
build_reject_acl_rules(od, lflows, stage, acl, &match,
@@ -6621,6 +6712,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
build_pre_acls(od, lflows);
build_pre_lb(od, lflows, meter_groups, lbs);
build_pre_stateful(od, lflows);
+ build_acl_hints(od, lflows);
build_acls(od, lflows, port_groups);
build_qos(od, lflows);
build_lb(od, lflows);
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 8344c7f..87644bd 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -1185,7 +1185,7 @@ ovn-nbctl --wait=sb ls-lb-add sw0 lb1
ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
# Delete the Load_Balancer_Health_Check
@@ -1194,7 +1194,7 @@ OVS_WAIT_UNTIL([test 0 = `ovn-sbctl list service_monitor | wc -l`])
ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
# Create the Load_Balancer_Health_Check again.
@@ -1207,7 +1207,7 @@ service_monitor | sed '/^$/d' | wc -l`])
ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
# Get the uuid of both the service_monitor
@@ -1223,7 +1223,7 @@ OVS_WAIT_UNTIL([
ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
])
# Set the service monitor for sw0-p1 to offline
@@ -1240,7 +1240,7 @@ AT_CHECK([cat lflows.txt], [0], [dnl
ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
| grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
])
# Set the service monitor for sw0-p1 and sw1-p1 to online
@@ -1253,7 +1253,7 @@ OVS_WAIT_UNTIL([
ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
# Set the service monitor for sw1-p1 to error
@@ -1265,7 +1265,7 @@ OVS_WAIT_UNTIL([
ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
| grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
])
# Add one more vip to lb1
@@ -1295,8 +1295,8 @@ service_monitor port=1000 | sed '/^$/d' | wc -l`])
ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000);)
])
# Set the service monitor for sw1-p1 to online
@@ -1308,16 +1308,16 @@ OVS_WAIT_UNTIL([
ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
])
# Associate lb1 to sw1
ovn-nbctl --wait=sb ls-lb-add sw1 lb1
ovn-sbctl dump-flows sw1 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
])
# Now create lb2 same as lb1 but udp protocol.
diff --git a/tests/ovn.at b/tests/ovn.at
index 5ad51c0..99861bf 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -14237,17 +14237,17 @@ ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys
AT_CHECK([ovn-sbctl dump-flows ls1 | grep "offerip = 10.0.0.6" | \
wc -l], [0], [0
])
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.06" | wc -l], [0], [0
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.06" | wc -l], [0], [0
])
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
])
@@ -14278,17 +14278,17 @@ port_binding logical_port=ls1-lp_ext1`
# No DHCPv4/v6 flows for the external port - ls1-lp_ext1 - 10.0.0.6 in hv1 and hv2
# as no localnet port added to ls1 yet.
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.06" | wc -l], [0], [0
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.06" | wc -l], [0], [0
])
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
])
@@ -14310,38 +14310,38 @@ logical_port=ls1-lp_ext1`
test "$chassis" = "$hv1_uuid"])
# There should be DHCPv4/v6 OF flows for the ls1-lp_ext1 port in hv1
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.06" | grep reg14=0x$ln_public_key | \
wc -l], [0], [3
])
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
grep reg14=0x$ln_public_key | wc -l], [0], [1
])
# There should be no DHCPv4/v6 flows for ls1-lp_ext1 on hv2
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.06" | wc -l], [0], [0
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0
])
# No DHCPv4/v6 flows for the external port - ls1-lp_ext2 - 10.0.0.7 in hv1 and
# hv2 as requested-chassis option is not set.
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.07" | wc -l], [0], [0
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.07" | wc -l], [0], [0
])
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.07" | wc -l], [0], [0
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.07" | wc -l], [0], [0
])
@@ -14593,21 +14593,21 @@ logical_port=ls1-lp_ext1`
test "$chassis" = "$hv2_uuid"])
# There should be OF flows for DHCP4/v6 for the ls1-lp_ext1 port in hv2
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.06" | grep reg14=0x$ln_public_key | \
wc -l], [0], [3
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
grep reg14=0x$ln_public_key | wc -l], [0], [1
])
# There should be no DHCPv4/v6 flows for ls1-lp_ext1 on hv1
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep "0a.00.00.06" | wc -l], [0], [0
])
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=22 | \
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=23 | \
grep controller | grep tp_src=546 | grep \
"ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | \
grep reg14=0x$ln_public_key | wc -l], [0], [0
@@ -14873,7 +14873,7 @@ logical_port=ls1-lp_ext1`
# There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined
# to router mac.
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \
-table=26,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
+table=27,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
grep -c "actions=drop"], [0], [1
])
@@ -16144,9 +16144,9 @@ ovn-nbctl --wait=hv sync
ovn-sbctl dump-flows sw0 | grep ls_in_arp_rsp | grep bind_vport > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
- table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p2" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
- table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
+ table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
+ table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p2" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
+ table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
])
ovn-sbctl dump-flows lr0 | grep lr_in_arp_resolve | grep "reg0 == 10.0.0.10" \
@@ -16356,8 +16356,8 @@ ovn-nbctl --wait=hv set logical_switch_port sw0-vir options:virtual-ip=10.0.0.10
ovn-sbctl dump-flows sw0 | grep ls_in_arp_rsp | grep bind_vport > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
- table=13(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
+ table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p1" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
+ table=14(ls_in_arp_rsp ), priority=100 , match=(inport == "sw0-p3" && ((arp.op == 1 && arp.spa == 10.0.0.10 && arp.tpa == 10.0.0.10) || (arp.op == 2 && arp.spa == 10.0.0.10))), action=(bind_vport("sw0-vir", inport); next;)
])
ovn-nbctl --wait=hv remove logical_switch_port sw0-vir options virtual-parents
@@ -18340,7 +18340,7 @@ test_ip vif11 f00000000011 000001010203 $sip $dip vif-north
OVN_CHECK_PACKETS_REMOVE_BROADCAST([hv4/vif-north-tx.pcap], [vif-north.expected])
# Confirm that packets did not go out via tunnel port.
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=32 | grep NXM_NX_TUN_METADATA0 | grep n_packets=0 | wc -l], [0], [[0
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=33 | grep NXM_NX_TUN_METADATA0 | grep n_packets=0 | wc -l], [0], [[0
]])
# Confirm that packet went out via localnet port
@@ -19087,7 +19087,7 @@ service_monitor | sed '/^$/d' | wc -l`])
ovn-sbctl dump-flows sw0 | grep ct_lb | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
ovn-sbctl dump-flows lr0 | grep ct_lb | grep priority=120 > lflows.txt
@@ -19125,7 +19125,7 @@ grep "405400000003${svc_mon_src_mac}" | wc -l`]
ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
| grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt], [0], [dnl
- table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
+ table=11(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
])
ovn-sbctl dump-flows lr0 | grep lr_in_dnat | grep priority=120 > lflows.txt
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 40ba6e4..b9b5eaa 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -2163,7 +2163,7 @@ tcp,orig=(src=172.16.1.2,dst=30.0.0.2,sport=
+ For each record in table Stateless_Filter
in the
+ OVN_Northbound
database, a flow with
+ priority + 1000
is added and sets reg0[11] = 1
+ for traffic that matches the condition in the match
+ column and advances to next table. reg0[11]
acts as a hint
+ for tables ACL hints
and ACL
to avoid
+ sending this traffic to the connection tracker.
+
This table also has a priority-110 flow with the match
eth.dst == E
for all logical switch
datapaths to move traffic to the next table. Where E
@@ -422,6 +432,11 @@
reg0[8]
+ and reg0[9]
and then advances to the next table.
+ reg0[7]
and reg0[9]
and
then advances to the next table.
@@ -1445,6 +1460,16 @@ output;
+ For each record in table Stateless_Filter
in the
+ OVN_Northbound
database, a flow with
+ priority + 1000
is added and sets reg0[11] = 1
+ for traffic that matches the condition in the match
+ column and advances to next table. reg0[11]
acts as a hint
+ for tables ACL hints
and ACL
to avoid
+ sending this traffic to the connection tracker.
+
This table also has a priority-110 flow with the match
eth.src == E
for all logical switch
datapaths to move traffic to the next table. Where E
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 2025446..cf27431 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -218,6 +218,7 @@ enum ovn_stage {
#define REGBIT_ACL_HINT_ALLOW "reg0[8]"
#define REGBIT_ACL_HINT_DROP "reg0[9]"
#define REGBIT_ACL_HINT_BLOCK "reg0[10]"
+#define REGBIT_SKIP_ACL_CT "reg0[11]"
/* Register definitions for switches and routers. */
@@ -4889,7 +4890,47 @@ skip_port_from_conntrack(struct ovn_datapath *od, struct ovn_port *op,
}
static void
-build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
+build_stateless_filter(struct ovn_datapath *od,
+ const struct nbrec_stateless_filter *filter,
+ struct hmap *lflows)
+{
+ /* Stateless filters must be applied in both directions so that reply
+ * traffic bypasses conntrack too.
+ */
+ ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL,
+ filter->priority + OVN_ACL_PRI_OFFSET,
+ filter->match,
+ REGBIT_SKIP_ACL_CT" = 1; next;",
+ &filter->header_);
+ ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL,
+ filter->priority + OVN_ACL_PRI_OFFSET,
+ filter->match,
+ REGBIT_SKIP_ACL_CT" = 1; next;",
+ &filter->header_);
+}
+
+static void
+build_stateless_filters(struct ovn_datapath *od, struct hmap *port_groups,
+ struct hmap *lflows)
+{
+ for (size_t i = 0; i < od->nbs->n_stateless_filters; i++) {
+ build_stateless_filter(od, od->nbs->stateless_filters[i], lflows);
+ }
+
+ struct ovn_port_group *pg;
+ HMAP_FOR_EACH (pg, key_node, port_groups) {
+ if (ovn_port_group_ls_find(pg, &od->nbs->header_.uuid)) {
+ for (size_t i = 0; i < pg->nb_pg->n_stateless_filters; i++) {
+ build_stateless_filter(od, pg->nb_pg->stateless_filters[i],
+ lflows);
+ }
+ }
+ }
+}
+
+static void
+build_pre_acls(struct ovn_datapath *od, struct hmap *port_groups,
+ struct hmap *lflows)
{
bool has_stateful = has_stateful_acl(od);
@@ -4934,6 +4975,13 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
"nd || nd_rs || nd_ra || "
"(udp && udp.src == 546 && udp.dst == 547)", "next;");
+ /* Ingress and Egress Pre-ACL Table (Stateless_Filter).
+ *
+ * If the logical switch is configured to bypass conntrack for
+ * specific types of traffic, skip conntrack for that traffic.
+ */
+ build_stateless_filters(od, port_groups, lflows);
+
/* Ingress and Egress Pre-ACL Table (Priority 100).
*
* Regardless of whether the ACL is "from-lport" or "to-lport",
@@ -5170,6 +5218,15 @@ build_acl_hints(struct ovn_datapath *od, struct hmap *lflows)
for (size_t i = 0; i < ARRAY_SIZE(stages); i++) {
enum ovn_stage stage = stages[i];
+ /* Traffic that matches a Stateless_Filter may hit both allow or
+ * drop ACLs but should never commit connections to conntrack. Only
+ * set REGBIT_ACL_HINT_ALLOW and REGBIT_ACL_HINT_DROP.
+ */
+ ovn_lflow_add(lflows, od, stage, 8, REGBIT_SKIP_ACL_CT " == 1",
+ REGBIT_ACL_HINT_ALLOW " = 1; "
+ REGBIT_ACL_HINT_DROP " = 1; "
+ "next;");
+
/* New, not already established connections, may hit either allow
* or drop ACLs. For allow ACLs, the connection must also be committed
* to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW.
@@ -5383,7 +5440,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
struct ds match = DS_EMPTY_INITIALIZER;
struct ds actions = DS_EMPTY_INITIALIZER;
- /* Commit the connection tracking entry if it's a new
+ /* Otherwise commit the connection tracking entry if it's a new
* connection that matches this ACL. After this commit,
* the reply traffic is allowed by a flow we create at
* priority 65535, defined earlier.
@@ -5600,11 +5657,15 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
* Subsequent packets will hit the flow at priority 0 that just
* uses "next;". */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1,
- "ip && (!ct.est || (ct.est && ct_label.blocked == 1))",
- REGBIT_CONNTRACK_COMMIT" = 1; next;");
+ REGBIT_SKIP_ACL_CT " == 0 "
+ "&& ip "
+ "&& (!ct.est || (ct.est && ct_label.blocked == 1))",
+ REGBIT_CONNTRACK_COMMIT" = 1; next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1,
- "ip && (!ct.est || (ct.est && ct_label.blocked == 1))",
- REGBIT_CONNTRACK_COMMIT" = 1; next;");
+ REGBIT_SKIP_ACL_CT " == 0 "
+ "&& ip "
+ "&& (!ct.est || (ct.est && ct_label.blocked == 1))",
+ REGBIT_CONNTRACK_COMMIT" = 1; next;");
/* Ingress and Egress ACL Table (Priority 65535).
*
@@ -5614,10 +5675,14 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
*
* This is enforced at a higher priority than ACLs can be defined. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
- "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
+ REGBIT_SKIP_ACL_CT " == 0 "
+ "&& (ct.inv "
+ "|| (ct.est && ct.rpl && ct_label.blocked == 1))",
"drop;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
- "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
+ REGBIT_SKIP_ACL_CT " == 0 "
+ "&& (ct.inv "
+ "|| (ct.est && ct.rpl && ct_label.blocked == 1))",
"drop;");
/* Ingress and Egress ACL Table (Priority 65535).
@@ -5630,11 +5695,13 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
*
* This is enforced at a higher priority than ACLs can be defined. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
- "ct.est && !ct.rel && !ct.new && !ct.inv "
+ REGBIT_SKIP_ACL_CT "== 0 "
+ "&& ct.est && !ct.rel && !ct.new && !ct.inv "
"&& ct.rpl && ct_label.blocked == 0",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
- "ct.est && !ct.rel && !ct.new && !ct.inv "
+ REGBIT_SKIP_ACL_CT "== 0 "
+ "&& ct.est && !ct.rel && !ct.new && !ct.inv "
"&& ct.rpl && ct_label.blocked == 0",
"next;");
@@ -5650,11 +5717,13 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
* related traffic such as an ICMP Port Unreachable through
* that's generated from a non-listening UDP port. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
- "!ct.est && ct.rel && !ct.new && !ct.inv "
+ REGBIT_SKIP_ACL_CT "== 0 "
+ "&& !ct.est && ct.rel && !ct.new && !ct.inv "
"&& ct_label.blocked == 0",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
- "!ct.est && ct.rel && !ct.new && !ct.inv "
+ REGBIT_SKIP_ACL_CT "== 0 "
+ "&& !ct.est && ct.rel && !ct.new && !ct.inv "
"&& ct_label.blocked == 0",
"next;");
@@ -6709,7 +6778,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
continue;
}
- build_pre_acls(od, lflows);
+ build_pre_acls(od, port_groups, lflows);
build_pre_lb(od, lflows, meter_groups, lbs);
build_pre_stateful(od, lflows);
build_acl_hints(od, lflows);
diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema
index 0c939b7..ef0121d 100644
--- a/ovn-nb.ovsschema
+++ b/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
{
"name": "OVN_Northbound",
- "version": "5.25.0",
- "cksum": "1354137211 26116",
+ "version": "5.26.0",
+ "cksum": "1450952466 27225",
"tables": {
"NB_Global": {
"columns": {
@@ -35,6 +35,12 @@
"refType": "strong"},
"min": 0,
"max": "unlimited"}},
+ "stateless_filters": {
+ "type": {"key": {"type": "uuid",
+ "refTable": "Stateless_Filter",
+ "refType": "strong"},
+ "min": 0,
+ "max": "unlimited"}},
"acls": {"type": {"key": {"type": "uuid",
"refTable": "ACL",
"refType": "strong"},
@@ -150,6 +156,12 @@
"refType": "weak"},
"min": 0,
"max": "unlimited"}},
+ "stateless_filters": {
+ "type": {"key": {"type": "uuid",
+ "refTable": "Stateless_Filter",
+ "refType": "strong"},
+ "min": 0,
+ "max": "unlimited"}},
"acls": {"type": {"key": {"type": "uuid",
"refTable": "ACL",
"refType": "strong"},
@@ -201,6 +213,16 @@
"type": {"key": "string", "value": "string",
"min": 0, "max": "unlimited"}}},
"isRoot": false},
+ "Stateless_Filter": {
+ "columns": {
+ "priority": {"type": {"key": {"type": "integer",
+ "minInteger": 0,
+ "maxInteger": 32767}}},
+ "match": {"type": "string"},
+ "external_ids": {
+ "type": {"key": "string", "value": "string",
+ "min": 0, "max": "unlimited"}}},
+ "isRoot": false},
"ACL": {
"columns": {
"name": {"type": {"key": {"type": "string",
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 1f2dbb9..81373ce 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -271,9 +271,16 @@
ip addresses.
-