[ovs-dev] [RFC PATCH] ovn: Add stateful ACL support.
jpettit at nicira.com
Tue Oct 13 22:35:36 UTC 2015
> On Sep 5, 2015, at 6:33 PM, Ben Pfaff <blp at nicira.com> wrote:
> Thanks! This is pretty clean, and not very much code.
> Is adding support for FTP a big project or a small one? (What about
> other ALGs?)
It's a little messy. We need to make a conntrack call with the ALG type for that particular flow, which means a different OpenFlow flow for each supported ALG. It's not clear to me whether we should expose that through the ACL definitions in the Northbound DB or just do it ourselves under the covers. As such, I'd like to just get this in without ALG support for the time-being, and then come back after we've discussed it with some people familiar with CMS integration.
Currently, the OVS conntrack code only supports FTP. I've asked Joe to also look into TFTP, since people will need it to PXE boot. We'll almost certainly need to support more, but Linux supports a fairly small number of them.
> In update_ct_zones() in binding.c, the bitmap_scan() call starts over
> from 0 every time. It would not be too much work to start from the
> previously allocated zone, and so that is probably worthwhile.
Good point. I just did it for the lifetime of that functional call and didn't make it static to live across calls. Let me know if you think that's worth doing, though.
> If ct_next is not the last action in a logical flow, will the actions
> that follow it get executed? If not, then we should document that and
> we should probably reject a set of actions where ct_next is followed by
> other actions.
Yes, follow on actions will be executed, but it's not generally useful, since the side-effects won't be available. I've added some documentation about that.
> It would be nice to test the parsing of the new actions, in the "ovn --
> action parsing" test in tests/ovn.at.
> I have some other suggestions too that seemed to be best expressed as
> patches that can be squashed in. I pushed them to:
> git at github.com:blp/ovs-reviews.git acl-suggestions
Thanks! I squashed them into my patches.
I'll send out a non-RFC version once the conntrack userspace changes gets committed upstream to OVS.
More information about the dev