[ovs-dev] [PATCH ovn 4/4] doc: explain interaction of overlapping state[less|ful] matches

Ihar Hrachyshka ihrachys at redhat.com
Tue Jun 1 21:38:25 UTC 2021

Stateless ACLs may omit sending some returning traffic to the connection
tracker, which may have belonged to other stateful flows. In this case,
the stateless rule cancels out the effort of the stateful rules.

As with writing stateless rules for returning traffic, attention should
be paid to mixed stateless/stateful rules with overlapping matches.

Signed-off-by: Ihar Hrachyshka <ihrachys at redhat.com>
 ovn-nb.xml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ovn-nb.xml b/ovn-nb.xml
index 47f25eac1..63fd61c66 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -1812,7 +1812,12 @@
           for inbound replies.  For example, if you define a rule to allow
           outgoing TCP traffic directed to an IP address, then you probably
           also want to define another rule to allow incoming TCP traffic coming
-          from this same IP address.
+          from this same IP address. When used in combination with stateful
+          ACLs with overlapping matching rules, attention should be given to
+          the fact that <code>allow-stateless</code> ACLs may "cancel out"
+          effect for stateful rules by omitting sending some returning traffic
+          to connection tracker even when it may belong to other overlapping
+          rules too.
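Review bot: the added sentence is hard to parse for a reader of ovn-nb(5); "attention should be given to the fact that ... may 'cancel out' effect for stateful rules" buries the actual behaviour, which is that a packet matched by an <code>allow-stateless</code> ACL is not sent to the connection tracker, so an overlapping stateful ACL never sees connection state for that traffic. Suggest stating it directly, e.g. "Note that a packet matched by an <code>allow-stateless</code> ACL is not sent to the connection tracker, even if it also matches a stateful ACL, so the stateful ACL cannot rely on connection state for that traffic." Since the surrounding paragraph already illustrates the rule-pairing with a "For example" sentence, a short concrete example of two overlapping ACLs (one stateless, one stateful) and which one's behaviour wins would help readers more than the abstract wording.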
