[ovs-dev] [PATCH 3/3] ovn: Apply ACL changes to existing connections.
Russell Bryant
russell at ovn.org
Tue Mar 8 13:31:29 UTC 2016
On Tue, Mar 8, 2016 at 2:18 AM, Han Zhou <zhouhan at gmail.com> wrote:
>
>
> On Wed, Mar 2, 2016 at 1:43 PM, Russell Bryant <russell at ovn.org> wrote:
> There is a small problem of this patch. For an established connection, if
> the ACL rule allowing the connection is deleted, it will take effect by
> setting the mark to 1 in CT table. However, if we add the ACL back before
> the connection is dead, it will fail to connect because the mark = 1 is not
> cleared. This can be verified by an ICMP ping test:
>
> 1. with ACL allowing the src IP, ping the port's IP, and keep the ping
> session
> 2. remove ACL, the ping session blocked, but keep it
> 3. add the ACL back, ping session still blocked, until starting a new ping
> session
>
> I think we can set ct_commit(mark = 0) explicitly when applying the ACL.
>
Good catch! Thanks for testing. Your proposed solution makes sense. I'll
incorporate that into a v2.
--
Russell Bryant
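The failure sequence Han describes, and the effect of the proposed ct_commit(mark = 0), as an added toy model that is not OVN code: it assumes a pipeline where the ACL stage commits the connection and a later stage drops anything whose conntrack entry carries mark 1 (that ordering and the sample addresses are assumptions of the model, not OVN's actual flow layout).

```python
# Toy model (added example, not OVN code) of revoking established connections
# via a conntrack mark, and why the mark must be cleared when the ACL returns.

ACL_PRESENT = True    # models: an ACL allowing the flow is installed
ACL_REMOVED = False   # models: that ACL has been deleted


def ct_commit(ct, flow, mark=None):
    """Stand-in for ct_commit: create/refresh the entry; mark=N also sets the mark."""
    entry = ct.setdefault(flow, {"mark": 0})
    if mark is not None:
        entry["mark"] = mark
    return entry


def forward(ct, flow, acl_allows, clear_mark_on_allow):
    """Return True if a packet of `flow` is forwarded, False if dropped.

    clear_mark_on_allow=False models the original patch (plain ct_commit),
    True models the ct_commit(mark = 0) change proposed in the thread.
    """
    # Stage 1 (ACL stage): commit the connection; a missing ACL revokes it
    # by committing mark = 1, as the patch does for existing connections.
    if acl_allows:
        ct_commit(ct, flow, mark=0 if clear_mark_on_allow else None)
    else:
        ct_commit(ct, flow, mark=1)
    # Stage 2 (assumed enforcement stage): anything marked 1 is dropped.
    return ct[flow]["mark"] != 1


def ping_test(clear_mark_on_allow):
    """Replay the thread's ICMP test: one ping session kept open across
    ACL removal and re-add, then a fresh session (a new 5-tuple)."""
    ct = {}
    session = ("10.0.0.1", "10.0.0.2", "icmp", 1)   # constructed sample tuple
    step1 = forward(ct, session, ACL_PRESENT, clear_mark_on_allow)  # ACL present
    step2 = forward(ct, session, ACL_REMOVED, clear_mark_on_allow)  # ACL removed
    step3 = forward(ct, session, ACL_PRESENT, clear_mark_on_allow)  # ACL re-added
    fresh = ("10.0.0.1", "10.0.0.2", "icmp", 2)     # new ping session
    step4 = forward(ct, fresh, ACL_PRESENT, clear_mark_on_allow)
    return (step1, step2, step3, step4)


if __name__ == "__main__":
    print("original patch:", ping_test(False))   # (True, False, False, True)
    print("with mark = 0: ", ping_test(True))    # (True, False, True, True)
```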