[ovs-dev] [PATCH v3 ovn 2/2] ovn-northd: Support mixing stateless/stateful ACLs with Stateless_Filter.

Dumitru Ceara dceara at redhat.com
Mon Sep 7 15:13:29 UTC 2020


On 9/7/20 2:55 PM, Numan Siddique wrote:
> 
> 
> On Wed, Sep 2, 2020 at 8:36 PM Dumitru Ceara <dceara at redhat.com
> <mailto:dceara at redhat.com>> wrote:
> 
>     A new table is added to OVN_Northbound: Stateless_Filter. Users can
>     populate this table with records consisting of <priority, match>. These
>     records generate logical flows in the PRE_ACL stages of the logical
>     switch pipeline.
> 
>     Packets matching these flows will completely bypass connection tracking
>     for ACL purposes. In specific scenarios CMSs can predetermine which
>     traffic must be firewalled statefully or not, e.g., UDP vs TCP. However,
>     until now, if at least one stateful ACL (allow-related) is configured
>     on the switch, all traffic gets sent to connection tracking.
>     This induces a hit in performance when forwarding packets that don't
>     need stateful processing.
> 
>     New command line arguments are added to ovn-nbctl (stateless-filter-*)
>     to allow the users to interact with the Stateless_Filter table.
> 
>     Signed-off-by: Dumitru Ceara <dceara at redhat.com
>     <mailto:dceara at redhat.com>>
> 
> 
> Hi Dumitru,
> 

Hi Numan,

> Unfortunately due to the bug reported here [1] and the patch to fix the
> issue [2], your patch 2 in this
> series will not have any benefit if a logical switch has a load balancer
> configured.
> 
> CMS can still use the feature of this patch if there are no load
> balancers configured on a logical switch.
> 

Yes, this does make Stateless_Filters more complicated to use.

> I'm fine if you still want to pursue this patch for the use case I
> mentioned. What do you think ?
> 

I'll give it more thought. I think it might be risky to allow
stateless_filters in any case because it will be hard to enforce that
traffic that matches a stateless_filter is not traffic that is part of a
load balanced session. Which might lead to hard to debug
misconfigurations with symptoms similar to what your fix is trying to
address.

However, I think patch 1/2 of this series could still be reviewed and
applied independently.

> [1] - https://bugzilla.redhat.com/show_bug.cgi?id=1870359
> [2] - https://patchwork.ozlabs.org/project/ovn/patch/20200907124320.830247-1-numans@ovn.org/
> 
> Thanks
> Numan
> 
> 
Thanks,
Dumitru
