[ovs-dev] [RFC PATCH v2 0/3] Associate identifier with OVN ACL connection tracking entry

Ankur Sharma ankur.sharma at nutanix.com
Tue Mar 5 04:17:01 UTC 2019


What:
====
a. The goal is to be able to associate some identifier with a connection tracking
entry.

b. This identifier can be used to map the OVN ACL which added this entry, or
higher-level constructs like an OpenStack security group, etc.

c. There are 2 connection tracking fields which can be used for it:
ct.mark (32 bits) and ct.label (128 bits).

d. The patch intends to use ct.label, as this is the longer field and
hence would be put to better use if it stores the identifier.

Why:
====
a. Adding an identifier would help in debugging.
b. Now, we can map a connection tracking entry to corresponding
   acl, security group etc.

How:
====
Following is the sequence of changes:

Patch 1:
i.  The current implementation uses a bit in ct.label to handle policy update cases,
    where the bit in ct.label indicates that reply traffic should
    be dropped now.
ii. Swap the usage of ct.label in the current implementation with ct.mark.

Patch 2:
i. Add support in the parser to allow ct.label and ct.mark to be set from registers
as well (as of now only an integer/masked integer is allowed).

Patch 3:
i. Add a new column (named 'label') to the ACL table in the northbound schema.
ii. ovn-northd changes to enhance the logical flows to set ct.label to acl->label.
For example:
table=4 (ls_out_acl         ), .... action=(reg0[1] = 1; reg0[3] = 1; xxreg1 = 0x1234; next;)
.
.
.
table=7 (ls_out_stateful    ), ... match=(reg0[1] == 1 && reg0[3] == 1),
                                   action=(ct_commit(ct_mark=0/1, ct_label=xxreg1); next;)


Ankur Sharma (3):
  OVN ACL: Replace the usage of ct_label with ct_mark
  OVN ACL: Allow ct_mark and ct_label values to be set from register as
    well
  OVN ACL: Allow a user to input ct.label value for an acl

 Documentation/tutorials/ovn-openstack.rst | 12 ++---
 include/ovn/actions.h                     |  3 ++
 ovn/lib/actions.c                         | 77 +++++++++++++++++++++++++---
 ovn/lib/logical-fields.c                  |  3 ++
 ovn/northd/ovn-northd.8.xml               | 14 ++---
 ovn/northd/ovn-northd.c                   | 85 ++++++++++++++++++++-----------
 ovn/ovn-nb.ovsschema                      |  5 +-
 ovn/ovn-nb.xml                            | 12 +++++
 ovn/ovn-sb.xml                            | 20 ++++----
 ovn/utilities/ovn-nbctl.c                 | 24 ++++++++-
 tests/ovn-nbctl.at                        | 12 ++++-
 tests/ovn.at                              | 84 ++++++++++++++++++++++++++++--
 12 files changed, 280 insertions(+), 71 deletions(-)

-- 
1.8.3.1
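The debugging use case described in the cover letter (map a conntrack entry back to the ACL that committed it, and see whether the policy-update bit has been set on it) can be illustrated with a small offline tool. The following is an added example, not code from the patch series or from OVS/OVN: it parses constructed lines in the style of `ovs-appctl dpctl/dump-conntrack` output, reads the 128-bit `labels=` value as the ACL identifier and the `mark=` value as the policy-update flag, and joins the result against a hypothetical table of ACL label values such as the proposed northbound `label` column would hold. The ACL label values, the sample entries, and the choice of ct.mark bit 0 as the "drop reply traffic" bit (inferred from the `ct_mark=0/1` mask in the cover letter's flow) are assumptions made for this example.

```python
"""Map conntrack entries back to OVN ACLs via ct.label, flag ct.mark-blocked ones.

Added example only: the dump lines, ACL label values and bit assignment are
constructed for illustration and are not output of the RFC patch series.
"""

# Constructed lines in the field layout of `ovs-appctl dpctl/dump-conntrack`:
# the 128-bit ct.label appears as `labels=0x...`, the 32-bit ct.mark as `mark=...`.
SAMPLE_DUMP = """\
tcp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=43210,dport=22),reply=(src=10.0.0.9,dst=10.0.0.5,sport=22,dport=43210),zone=3,mark=0,labels=0x1234,protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=43211,dport=80),reply=(src=10.0.0.9,dst=10.0.0.5,sport=80,dport=43211),zone=3,mark=1,labels=0x1234,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.0.0.7,dst=10.0.0.9,sport=5000,dport=53),reply=(src=10.0.0.9,dst=10.0.0.7,sport=53,dport=5000),zone=3,mark=0,labels=0xabcdef0000000000deadbeef
icmp,orig=(src=10.0.0.8,dst=10.0.0.9,id=1,type=8,code=0),reply=(src=10.0.0.9,dst=10.0.0.8,id=1,type=0,code=0),zone=3,mark=0
"""

# Hypothetical ACL rows keyed by the value the proposed NB `label` column would hold
# (the value ovn-northd would load into xxreg1 and commit with ct_label=xxreg1).
ACLS = {
    0x1234: "sg-web-allow: to-lport allow-related, tcp.dst in {22, 80}",
    0xABCDEF0000000000DEADBEEF: "sg-dns-allow: to-lport allow-related, udp.dst == 53",
}

# Assumption: ct.mark bit 0 is the "reply traffic should now be dropped" bit that
# Patch 1 moves from ct.label to ct.mark (the flow commits it as ct_mark=0/1).
BLOCKED_BIT = 1 << 0


def split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def parse_tuple(text):
    """'(src=a,dst=b)' -> {'src': 'a', 'dst': 'b'}"""
    inner = text.strip()[1:-1]
    return dict(kv.split("=", 1) for kv in split_top_level(inner))


def parse_entry(line):
    """Parse one dump-conntrack line into protocol, tuples, zone, mark and labels."""
    fields = split_top_level(line.strip())
    entry = {"proto": fields[0], "zone": None, "mark": 0, "labels": 0,
             "orig": {}, "reply": {}}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        if key in ("orig", "reply"):
            entry[key] = parse_tuple(value)
        elif key == "zone":
            entry["zone"] = int(value)
        elif key == "mark":
            entry["mark"] = int(value, 0)
        elif key == "labels":
            entry["labels"] = int(value, 16)  # 128-bit value, printed as hex
    return entry


def annotate(dump_text, acls):
    """Join each conntrack entry to the ACL whose label it carries."""
    rows = []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        rows.append({
            "proto": e["proto"],
            "zone": e["zone"],
            "src": e["orig"].get("src"),
            "dst": e["orig"].get("dst"),
            "dport": e["orig"].get("dport"),
            "label": e["labels"],
            "acl": acls.get(e["labels"]),          # None if no/unknown label
            "blocked": bool(e["mark"] & BLOCKED_BIT),
        })
    return rows


def report(rows):
    """Render annotated rows as one human-readable line each."""
    out = []
    for r in rows:
        if r["acl"]:
            acl = r["acl"]
        elif r["label"] == 0:
            acl = "<no label committed>"
        else:
            acl = f"<unknown label {r['label']:#x}>"
        flag = " [reply traffic blocked]" if r["blocked"] else ""
        out.append(f"zone {r['zone']} {r['proto']} {r['src']}->{r['dst']}:"
                   f"{r['dport'] or '-'} label={r['label']:#x} acl={acl}{flag}")
    return out


if __name__ == "__main__":
    for line in report(annotate(SAMPLE_DUMP, ACLS)):
        print(line)
```

Entries without a `labels=` field (here the ICMP one) were committed by flows that set no identifier and show up as unlabelled, which is exactly the gap the proposed `label` column is meant to close; a nonzero label with no matching ACL row would indicate a stale entry from an ACL that has since been removed.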


