[ovs-dev] [PATCH v6 0/1] ovn: Apply ACL changes to existing connections.

Russell Bryant russell at ovn.org
Thu Jul 7 14:34:08 UTC 2016 

On Sun, Jul 3, 2016 at 1:40 PM, Ben Pfaff <blp at ovn.org> wrote:

> On Thu, Jun 30, 2016 at 04:14:04PM -0400, Russell Bryant wrote:
> > Prior to this commit, once a connection had been committed to the
> > connection tracker, the connection would continue to be allowed, even
> > if the policy defined in the ACL table changed.  This patch changes
> > the implementation so that existing connections are affected by policy
> > changes.
> >
> > The implementation is based on the suggested approach in this mailing
> > list thread:
> >
> >     http://openvswitch.org/pipermail/dev/2016-February/065716.html
> >
> > The implementation is covered in much more detail in the commit message
> > for patch 3, as well as code comments and doc updates.
> >
> > v1->v2:
> >  - Address issue pointed out by Han Zhou where removing and then
> re-creating
> >    an ACL did not allow an established connection to continue.  The
> changes
> >    are in patch 3.
> > v2->v3:
> >  - rebase and resolve conflicts with master.
> >  - Use ct_label instead of ct_mark.
> >  - patch 1: add ACK from han, otherwise unchanged
> >  - patch 2: add support for setting ct_label. v2 only included ct_mark.
> >    I did not include Han's ACK here because the changes were non trivial.
> >  - patch 3: add ACK from han. The rest of the changes are trivial
> >    replacement of ct_mark with ct_label.
> > v3->v4:
> >  - Added tests for additions to the ct_commit() logical flow action.
> >  - Simplified ct_commit() logical flow action additions as suggested by
> Ben.
> >  - Lots of doc cleanup as suggested by Justin.
> > v4->v5:
> >  - Rebase.
> >  - Support a mask for the value of ct_mark or ct_label in the
> ct_commit() action.
> >  - Update ovn-northd to explicitly specify that it is only setting 1 bit
> >    of ct_label.
> >  - This version now has all the changes requested by Justin Pettit, so is
> >    ready for his review.
> > v5->v6:
> >  - Applied patch 1/2 in v5 with minor updates.
> >  - Rebase final patch.
>
> This seems to have multiple acks, do you want particular review of some
> part of it?
>

Justin asked to review it before I push it.

I think it's in conflict again though ...

-- 
Russell Bryant

More information about the dev mailing list