[ovs-dev] [PATCH v6 0/1] ovn: Apply ACL changes to existing connections.

Ben Pfaff blp at ovn.org
Sun Jul 3 18:40:18 UTC 2016


On Thu, Jun 30, 2016 at 04:14:04PM -0400, Russell Bryant wrote:
> Prior to this commit, once a connection had been committed to the
> connection tracker, the connection would continue to be allowed, even
> if the policy defined in the ACL table changed.  This patch changes
> the implementation so that existing connections are affected by policy
> changes.
> 
> The implementation is based on the suggested approach in this mailing
> list thread:
> 
>     http://openvswitch.org/pipermail/dev/2016-February/065716.html
> 
> The implementation is covered in much more detail in the commit message
> for patch 3, as well as code comments and doc updates.
> 
> v1->v2:
>  - Address issue pointed out by Han Zhou where removing and then re-creating
>    an ACL did not allow an established connection to continue.  The changes
>    are in patch 3.
> v2->v3:
>  - rebase and resolve conflicts with master.
>  - Use ct_label instead of ct_mark.
>  - patch 1: add ACK from Han, otherwise unchanged
>  - patch 2: add support for setting ct_label. v2 only included ct_mark.
>    I did not include Han's ACK here because the changes were non-trivial.
>  - patch 3: add ACK from Han. The rest of the changes are trivial
>    replacement of ct_mark with ct_label.
> v3->v4:
>  - Added tests for additions to the ct_commit() logical flow action.
>  - Simplified ct_commit() logical flow action additions as suggested by Ben.
>  - Lots of doc cleanup as suggested by Justin.
> v4->v5:
>  - Rebase.
>  - Support a mask for the value of ct_mark or ct_label in the ct_commit() action.
>  - Update ovn-northd to explicitly specify that it is only setting 1 bit
>    of ct_label.
>  - This version now has all the changes requested by Justin Pettit, so is
>    ready for his review.
> v5->v6:
>  - Applied patch 1/2 in v5 with minor updates.
>  - Rebase final patch.

This seems to have multiple acks. Do you want particular review of some
part of it?


