[ovs-dev] [PATCH v3 ovn 2/2] ovn-northd: Support mixing stateless/stateful ACLs with Stateless_Filter.
dceara at redhat.com
Mon Sep 7 15:13:29 UTC 2020
On 9/7/20 2:55 PM, Numan Siddique wrote:
> On Wed, Sep 2, 2020 at 8:36 PM Dumitru Ceara <dceara at redhat.com> wrote:
> A new table is added to OVN_Northbound: Stateless_Filter. Users can
> populate this table with records consisting of <priority, match>. These
> records generate logical flows in the PRE_ACL stages of the logical
> switch pipeline.
> Packets matching these flows will completely bypass connection tracking
> for ACL purposes. In specific scenarios CMSs can predetermine which
> traffic must be firewalled statefully or not, e.g., UDP vs TCP. However,
> until now, if at least one stateful ACL (allow-related) is configured
> on the switch, all traffic gets sent to connection tracking.
> This induces a hit in performance when forwarding packets that don't
> need stateful processing.
> New command line arguments are added to ovn-nbctl (stateless-filter-*)
> to allow the users to interact with the Stateless_Filter table.
> Signed-off-by: Dumitru Ceara <dceara at redhat.com>
> Hi Dumitru,
> Unfortunately, due to the bug reported here and the patch to fix the
> issue, your patch 2 in this series will not have any benefit if a
> logical switch has a load balancer. CMS can still use the feature of
> this patch if there are no load balancers configured on a logical switch.
Yes, this does make Stateless_Filters more complicated to use.
> I'm fine if you still want to pursue this patch for the use case I
> mentioned. What do you think?
I'll give it more thought. I think it might be risky to allow
stateless_filters in any case, because it will be hard to enforce that
traffic matching a stateless_filter is not part of a load-balanced
session, which might lead to hard-to-debug misconfigurations with
symptoms similar to what your fix is trying to
However, I think patch 1/2 of this series could still be reviewed and
> - https://bugzilla.redhat.com/show_bug.cgi?id=1870359