On Tue, Aug 2, 2016 at 3:17 PM, Guru Shetty <g...@ovn.org> wrote:
>
> On 2 August 2016 at 12:01, Russell Bryant <russ...@ovn.org> wrote:
>>
>> On Tue, Aug 2, 2016 at 1:29 PM, Guru Shetty <g...@ovn.org> wrote:
>>
>>> The 2 ct_commit for deletion of firewall rules will likely be tricky. This
>>> will need unit tests.
>>
>> I don't think I understand the concern. Can you expand a bit on what you
>> mean by "2 ct_commit for deletion of firewall rules"?
>
> My memory on how ct_commit(ct_label=1) works is a little hazy. There are 2
> stages now. So whenever a firewall rule is deleted for an established
> connection, the default ct_commit(ct_label=1) will get hit and the
> connection is dropped. The same thing happens in the second stage for any
> removed firewall rule. In the second stage when a firewall rule is deleted
> ct_label is also set which will reflect in the first stage. Does not this
> cause confusion with the logic?

Setting ct_label back to 0 only happens in the stateful table. That ct_commit
will only occur if none of the ACL stages think the packet should be dropped.
I think it's OK.

--
Russell Bryant

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev