> On 13 Feb 2023, at 16:35, Abhiram Sangana <sangana.abhi...@nutanix.com> wrote:
> 
> This patch adds support to commit connections dropped/rejected by
> ACLs to the connection tracking table. Dropped connections are
> committed to conntrack only if NB_Global options:ct_commit_acl_drop
> is set to true (false by default) and the ACL dropping/rejecting the
> connection has a label configured. The dropped connections are
> committed in a separate conntrack zone so that they can be managed
> independently and do not interact with the connection tracking state
> of allowed connections.
> 
> This provides a new approach to identify connections dropped by ACLs
> besides the existing ACL logging and drop sampling approaches.
> 
> Each logical switch is assigned a new conntrack zone for committing
> dropped flows. The zone is loaded into register MFF_LOG_ACL_DROP_ZONE.
> A new lflow action "ct_commit_drop" is introduced that commits flows
> to the connection tracking table in a zone identified by the
> MFF_LOG_ACL_DROP_ZONE register. An ACL with "drop" or "reject" action
> and a non-empty label translates to include "ct_commit_drop" in its
> actions instead of simply dropping/rejecting the packet.
> 
> Signed-off-by: Abhiram Sangana <sangana.abhi...@nutanix.com>
> ---
> controller/ovn-controller.c  |  14 +++-
> controller/physical.c        |  32 ++++++++-
> include/ovn/actions.h        |   1 +
> include/ovn/logical-fields.h |   1 +
> lib/actions.c                |  65 +++++++++++++++++
> lib/ovn-util.c               |   4 +-
> lib/ovn-util.h               |   2 +-
> northd/northd.c              |  25 ++++++-
> northd/ovn-northd.8.xml      |  30 +++++++-
> ovn-nb.xml                   |  17 +++--
> ovn-sb.xml                   |  22 ++++++
> tests/ovn-nbctl.at           |  10 ++-
> tests/ovn-northd.at          | 133 ++++++++++++++++++++++++-----------
> tests/ovn.at                 |  90 +++++++++++++++++++++++-
> utilities/ovn-nbctl.c        |   7 --
> utilities/ovn-trace.c        |   2 +
> 16 files changed, 383 insertions(+), 72 deletions(-)
> 

Can someone please review this patch?

Thank you,
Abhiram Sangana
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev