[ovs-dev] [PATCH v6 0/1] ovn: Apply ACL changes to existing connections.
Russell Bryant
russell at ovn.org
Thu Jul 7 14:34:08 UTC 2016
On Sun, Jul 3, 2016 at 1:40 PM, Ben Pfaff <blp at ovn.org> wrote:
> On Thu, Jun 30, 2016 at 04:14:04PM -0400, Russell Bryant wrote:
> > Prior to this commit, once a connection had been committed to the
> > connection tracker, the connection would continue to be allowed, even
> > if the policy defined in the ACL table changed. This patch changes
> > the implementation so that existing connections are affected by policy
> > changes.
> >
> > The implementation is based on the suggested approach in this mailing
> > list thread:
> >
> > http://openvswitch.org/pipermail/dev/2016-February/065716.html
> >
> > The implementation is covered in much more detail in the commit message
> > for patch 3, as well as code comments and doc updates.
> >
> > v1->v2:
> > - Address issue pointed out by Han Zhou where removing and then re-creating
> > an ACL did not allow an established connection to continue. The changes
> > are in patch 3.
> > v2->v3:
> > - rebase and resolve conflicts with master.
> > - Use ct_label instead of ct_mark.
> > - patch 1: add ACK from Han, otherwise unchanged
> > - patch 2: add support for setting ct_label. v2 only included ct_mark.
> > I did not include Han's ACK here because the changes were non-trivial.
> > - patch 3: add ACK from Han. The rest of the changes are trivial
> > replacement of ct_mark with ct_label.
> > v3->v4:
> > - Added tests for additions to the ct_commit() logical flow action.
> > - Simplified ct_commit() logical flow action additions as suggested by Ben.
> > - Lots of doc cleanup as suggested by Justin.
> > v4->v5:
> > - Rebase.
> > - Support a mask for the value of ct_mark or ct_label in the ct_commit() action.
> > - Update ovn-northd to explicitly specify that it is only setting 1 bit
> > of ct_label.
> > - This version now has all the changes requested by Justin Pettit, so is
> > ready for his review.
> > v5->v6:
> > - Applied patch 1/2 in v5 with minor updates.
> > - Rebase final patch.
>
> This seems to have multiple acks, do you want particular review of some
> part of it?
>
Justin asked to review it before I push it.
I think it's in conflict again though ...
--
Russell Bryant