[ovs-dev] [PATCH v2 0/3] ovn: Apply ACL changes to existing connections.
Russell Bryant
russell at ovn.org
Wed Mar 9 21:51:29 UTC 2016
Prior to this commit, once a connection had been committed to the
connection tracker, the connection would continue to be allowed, even
if the policy defined in the ACL table changed. This patch changes
the implementation so that existing connections are affected by policy
changes.

The implementation is based on the suggested approach in this mailing
list thread:

  http://openvswitch.org/pipermail/dev/2016-February/065716.html

The implementation is covered in much more detail in the commit message
for patch 3, as well as code comments and doc updates.

v1->v2:
 - Address issue pointed out by Han Zhou where removing and then re-creating
   an ACL did not allow an established connection to continue. The changes
   are in patch 3.

Russell Bryant (3):
  ovn: Update ACL flow docs.
  ovn: Add ct_commit(ct_mark=INTEGER); action.
  ovn: Apply ACL changes to existing connections.

 ovn/lib/actions.c           |  59 +++++++++++++-
 ovn/northd/ovn-northd.8.xml |  54 ++++++++++---
 ovn/northd/ovn-northd.c     | 189 +++++++++++++++++++++++++++++++++-----------
 ovn/ovn-sb.xml              |  20 ++++-
 4 files changed, 258 insertions(+), 64 deletions(-)

--
2.5.0