Prior to this commit, once a connection had been committed to the
connection tracker, the connection would continue to be allowed, even
if the policy defined in the ACL table changed.  This patch changes
the implementation so that existing connections are affected by policy
changes.

The implementation is based on the suggested approach in this mailing
list thread:

    http://openvswitch.org/pipermail/dev/2016-February/065716.html

The implementation is covered in much more detail in the commit message
for patch 3, as well as code comments and doc updates.

v1->v2:
 - Address issue pointed out by Han Zhou where removing and then re-creating
   an ACL did not allow an established connection to continue.  The changes
   are in patch 3.
v2->v3:
 - rebase and resolve conflicts with master.
 - Use ct_label instead of ct_mark.
 - patch 1: add ACK from Han, otherwise unchanged
 - patch 2: add support for setting ct_label. v2 only included ct_mark.
   I did not include Han's ACK here because the changes were non-trivial.
 - patch 3: add ACK from Han. The rest of the changes are trivial
   replacement of ct_mark with ct_label.
v3->v4:
 - Added tests for additions to the ct_commit() logical flow action.
 - Simplified ct_commit() logical flow action additions as suggested by Ben.
 - Lots of doc cleanup as suggested by Justin.
v4->v5:
 - Rebase.
 - Support a mask for the value of ct_mark or ct_label in the ct_commit()
   action.
 - Update ovn-northd to explicitly specify that it is only setting 1 bit
   of ct_label.
 - This version now has all the changes requested by Justin Pettit, so is
   ready for his review.
v5->v6:
 - Applied patch 1/2 in v5 with minor updates.
 - Rebase final patch.

[PATCH] ovn: Apply ACL changes to existing connections.

-- 
Russell Bryant
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
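The cover letter describes the effect of the series (a connection committed to conntrack should no longer be allowed forever once the ACL table changes) and the mechanism it settles on by v5 (a masked ct_commit that writes a single ct_label bit). The following is an added, simplified Python model of that approach written for this page; it is not code from the patch series or from OVN. The names BLOCKED_BIT, Acl and Switch, the "no ACL matched means allow" default, and the exact ACL semantics are assumptions of the model, chosen only to show why per-packet evaluation plus one masked label bit lets a policy change reach an existing connection while other label bits survive.

```python
"""Simplified model of ACLs evaluated through a connection tracker.

Added illustration, not code from the OVN patch series. It contrasts
"once committed, always allowed" with a scheme in which a later policy
change marks an existing connection with one ct_label bit, written
through a masked ct_commit, so its remaining packets are dropped.
BLOCKED_BIT, Acl, Switch and the ACL semantics are assumptions of this
model (assumed for illustration).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Flow = Tuple[str, str, int]   # (src, dst, dport): a stand-in for the 5-tuple
BLOCKED_BIT = 0x1             # assumed: the single ct_label bit reserved for "blocked"


@dataclass
class CtEntry:
    """A committed connection; label stands in for ct_label."""
    label: int = 0


@dataclass
class Acl:
    priority: int
    match: Callable[[Flow], bool]
    action: str               # "allow-related" or "drop"


class Switch:
    """ACL stage of one logical switch. label_blocking=False models the
    pre-patch behaviour, label_blocking=True the label-based approach."""

    def __init__(self, acls: List[Acl], label_blocking: bool) -> None:
        self.acls: List[Acl] = []
        self.ct: Dict[Flow, CtEntry] = {}
        self.label_blocking = label_blocking
        self.set_acls(acls)

    def set_acls(self, acls: List[Acl]) -> None:
        # A policy change rewrites only the ACL table; conntrack state stays.
        self.acls = sorted(acls, key=lambda a: -a.priority)

    def ct_commit(self, flow: Flow, label: int = 0, mask: int = 0) -> None:
        """Model of ct_commit(ct_label=label/mask): only bits in mask change."""
        entry = self.ct.setdefault(flow, CtEntry())
        entry.label = (entry.label & ~mask) | (label & mask)

    def _first_match(self, flow: Flow) -> Optional[Acl]:
        for acl in self.acls:
            if acl.match(flow):
                return acl
        return None           # assumed: no ACL matched means allow

    def packet(self, flow: Flow) -> str:
        entry = self.ct.get(flow)
        est = entry is not None
        if est and not self.label_blocking:
            # Pre-patch: committed state alone decides; ACLs are never re-consulted.
            return "allow"
        if est and not (entry.label & BLOCKED_BIT):
            # Established and not blocked: pass, unless a drop ACL now matches,
            # in which case set only the blocked bit (mask preserves other bits).
            acl = self._first_match(flow)
            if acl is not None and acl.action == "drop":
                self.ct_commit(flow, BLOCKED_BIT, BLOCKED_BIT)
                return "drop"
            return "allow"
        acl = self._first_match(flow)
        if acl is None or acl.action == "allow-related":
            if est:
                # Re-allowed after being blocked: clear just that one bit.
                self.ct_commit(flow, 0, BLOCKED_BIT)
            else:
                self.ct_commit(flow)
            return "allow"
        return "drop"


def scenario(label_blocking: bool) -> List[str]:
    """Allow port 80, open a connection, swap the allow ACL for a drop ACL,
    send two more packets on the same connection, then restore the allow."""
    def web(f: Flow) -> bool:
        return f[2] == 80

    sw = Switch([Acl(1000, web, "allow-related")], label_blocking)
    flow: Flow = ("10.0.0.2", "10.0.0.3", 80)        # constructed sample flow
    results = [sw.packet(flow)]                      # new connection, committed
    sw.set_acls([Acl(1000, web, "drop")])            # policy change
    results.append(sw.packet(flow))                  # first packet after change
    results.append(sw.packet(flow))                  # connection now marked
    sw.set_acls([Acl(1000, web, "allow-related")])   # policy restored
    results.append(sw.packet(flow))                  # bit cleared, allowed again
    return results


if __name__ == "__main__":
    print("pre-patch :", scenario(False))
    print("label bit :", scenario(True))
```

In the pre-patch model every packet on the established connection is allowed regardless of what the ACL table says; in the label-bit model the packet that first hits the new drop ACL is dropped and marks the connection, later packets are dropped without re-matching, and a restored allow ACL clears the bit. The mask argument matters for the v5 change listed above: writing `BLOCKED_BIT` with mask `BLOCKED_BIT` leaves any other label bits a different component may have set untouched.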
