[ovs-dev] [PATCH] ovn: Add second ACL stage

Guru Shetty guru at ovn.org
Tue Aug 2 19:17:15 UTC 2016


On 2 August 2016 at 12:01, Russell Bryant <russell at ovn.org> wrote:

>
> On Tue, Aug 2, 2016 at 1:29 PM, Guru Shetty <guru at ovn.org> wrote:
>
>> The 2 ct_commit for deletion of firewall rules will likely be tricky. This
>> will need unit tests.
>>
>
> I don't think I understand the concern.  Can you expand a bit on what you
> mean by "2 ct_commit for deletion of firewall rules"?
>

My memory on how ct_commit(ct_label=1) works is a little hazy. There are 2
stages now. So whenever a firewall rule is deleted for an established
connection, the default ct_commit(ct_label=1) will get hit and the
connection is dropped. The same thing happens in the second stage for any
removed firewall rule. In the second stage, when a firewall rule is deleted,
ct_label is also set, which will be reflected in the first stage. Does this not
cause confusion with the logic?


>
>
> --
> Russell Bryant
>


