[ovs-build] Passed: dceara/ovn#176 (bz1871931-conflicting-conj-actions - 9551fcb)
builds at travis-ci.org
Fri Sep 11 10:46:08 UTC 2020
Build Update for dceara/ovn
Duration: 18 mins and 25 secs
Commit: 9551fcb (bz1871931-conflicting-conj-actions)
Author: Dumitru Ceara
Message: ofctrl: Add a predictable resolution for conflicting flow actions.
Until now, in case the ACL configuration generates openflows that have
the same match but different actions, ovn-controller was using the
1. If the flow being added contains conjunctive actions, merge its
actions with the already existing flow.
2. Otherwise, if the flow is being added incrementally
(update_installed_flows_by_track), don't install the new flow but
instead keep the old one.
3. Otherwise, (update_installed_flows_by_compare), don't install the
new flow but instead keep the old one.
Even though one can argue that having an ACL with a match that includes
the match of another ACL is a misconfiguration, it can happen that the
users perform such configuration. Depending on the order of reading and
installing the logical flows, the above operations can yield
unpredictable results, e.g., allow specific traffic but then after
ovn-controller is restarted (or a recompute happens) that specific
traffic starts being dropped.
A simple example of ACL configuration is:
ovn-nbctl acl-add ls to-lport 3 '(ip4.src==10.0.0.1 || ip4.src==10.0.0.2) && (ip4.dst == 10.0.0.3 || ip4.dst == 10.0.0.4)' allow
ovn-nbctl acl-add ls to-lport 3 'ip4.src==10.0.0.1' allow
ovn-nbctl acl-add ls to-lport 2 'arp' allow
ovn-nbctl acl-add ls to-lport 1 'ip4' drop
This follows a pattern used by most CMSs:
- define a default deny policy.
- punch holes in the default deny policy based on user specific
Without this commit the behavior for traffic from 10.0.0.1 to 10.0.0.5
is unpredictable. Depending on the order of operations traffic might be
dropped or allowed.
It's also quite hard to force the CMS to ensure that such match overlaps
To address this issue we now resolve conflicts between flows with the
same match and different actions by giving precedence to less
restrictive flows. This means that if the installed flow has action
"conjunction" and the desired flow doesn't then we prefer the desired
flow. Similarly, if the desired flow has action "conjunction" and the
desired flow doesn't then we prefer the already installed flow.
CC: Daniel Alvarez <dalvarez at redhat.com>
CC: Han Zhou <hzhou at ovn.org>
CC: Mark Michelson <mmichels at redhat.com>
CC: Numan Siddique <numans at ovn.org>
Signed-off-by: Dumitru Ceara <dceara at redhat.com>
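The following is an added illustration of the conflict-resolution policy described in the commit message above; it is not OVN's own code. It models a tiny OpenFlow table, compiles the four example ACLs into the flows they would roughly produce (the conjunctive ACL into per-clause "conjunction(id,k/n)" flows plus a "conj_id" flow, the others into plain flows) and compares the pre-commit rule "keep the already installed flow" with the post-commit rule "prefer the non-conjunction flow" under two install orders. The flow layout, the simplified conjunction matching, the treatment of rule 1 as merging only when both flows are conjunctive, and the helper names are assumptions of this example.

```python
"""Model of ovn-controller resolving OpenFlow rules that share a match but
carry different actions.  Added example, not OVN code: flow layout,
conjunction semantics and helper names are simplifying assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

CONJ_RE = re.compile(r"conjunction\((\d+),(\d+)/(\d+)\)")


@dataclass(frozen=True)
class Flow:
    priority: int
    match: frozenset   # set of (field, value) pairs
    actions: tuple     # e.g. ("allow",) or ("conjunction(1,1/2)",)


def flow(priority, actions, match):
    return Flow(priority, frozenset(match.items()), tuple(actions))


def is_conj(actions):
    return any(CONJ_RE.fullmatch(a) for a in actions)


def merge(installed, desired):
    extra = tuple(a for a in desired.actions if a not in installed.actions)
    return Flow(installed.priority, installed.match, installed.actions + extra)


def resolve_old(installed, desired):
    """Pre-commit policy (assumption: rule 1 merges only conjunction into
    conjunction); otherwise the already installed flow is kept."""
    if is_conj(installed.actions) and is_conj(desired.actions):
        return merge(installed, desired)
    return installed


def resolve_new(installed, desired):
    """Post-commit policy: the less restrictive (non-conjunction) flow wins."""
    if is_conj(installed.actions) and not is_conj(desired.actions):
        return desired
    if is_conj(desired.actions) and not is_conj(installed.actions):
        return installed
    return resolve_old(installed, desired)


def install(flows, resolve):
    """Install flows in order; same (priority, match) with other actions -> resolve."""
    table = {}
    for f in flows:
        key = (f.priority, f.match)
        if key in table and table[key].actions != f.actions:
            table[key] = resolve(table[key], f)
        else:
            table[key] = f
    return table


def evaluate(table, pkt):
    """Simplified OVS lookup: plain flows win at a priority; a conjunction
    is satisfied only if every clause k/n of its id matched, in which case
    the conj_id flow at that priority decides.  Table miss drops (assumption)."""
    by_prio = defaultdict(list)
    for f in table.values():
        by_prio[f.priority].append(f)
    for prio in sorted(by_prio, reverse=True):
        matched = [f for f in by_prio[prio]
                   if all(pkt.get(k) == v for k, v in f.match)]
        for f in matched:
            if not is_conj(f.actions):
                return f.actions[0]
        clauses = defaultdict(set)
        for f in matched:
            for a in f.actions:
                cid, k, n = map(int, CONJ_RE.fullmatch(a).groups())
                clauses[(cid, n)].add(k)
        for (cid, n), got in clauses.items():
            if len(got) == n:
                conj_flow = table.get((prio, frozenset({("conj_id", cid)})))
                if conj_flow:
                    return conj_flow.actions[0]
    return "drop"


# Flows the four ACLs of the commit message would roughly compile to.
ACL1 = [flow(3, ["conjunction(1,1/2)"], {"ip4.src": "10.0.0.1"}),
        flow(3, ["conjunction(1,1/2)"], {"ip4.src": "10.0.0.2"}),
        flow(3, ["conjunction(1,2/2)"], {"ip4.dst": "10.0.0.3"}),
        flow(3, ["conjunction(1,2/2)"], {"ip4.dst": "10.0.0.4"}),
        flow(3, ["allow"], {"conj_id": 1})]
ACL2 = [flow(3, ["allow"], {"ip4.src": "10.0.0.1"})]
ACL3 = [flow(2, ["allow"], {"eth.type": "arp"})]
ACL4 = [flow(1, ["drop"], {"eth.type": "ip4"})]
ORDER_A = ACL1 + ACL2 + ACL3 + ACL4   # conjunctive ACL read first
ORDER_B = ACL2 + ACL1 + ACL3 + ACL4   # plain ACL read first
PKT = {"eth.type": "ip4", "ip4.src": "10.0.0.1", "ip4.dst": "10.0.0.5"}  # constructed


def decide(resolve, order, pkt=PKT):
    return evaluate(install(order, resolve), pkt)


if __name__ == "__main__":
    for name, resolve in (("old", resolve_old), ("new", resolve_new)):
        print(name, decide(resolve, ORDER_A), decide(resolve, ORDER_B))
```

With the old policy the 10.0.0.1 to 10.0.0.5 packet is dropped when the conjunctive flows are installed first (the unsatisfied conjunction falls through to the priority-1 "ip4" drop) and allowed when the plain flow is installed first; with the new policy both orders allow it, while a packet that only satisfies part of the conjunction (10.0.0.2 to 10.0.0.5) is still dropped.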
View the changeset: https://github.com/dceara/ovn/compare/94a32fca2d2b^...9551fcbf3fd1
View the full build log and details: https://travis-ci.org/github/dceara/ovn/builds/726227129?utm_medium=notification&utm_source=email