OVN ACL implementation used ct_label to indicate if a previously
allowed connection should not be allowed anymore and vice versa.
However, ct_label is a 128 bit value and we should rather leverage
ct_mark which is a 32 bit value.
Using ct_mark for this purpose allows us to use ct_label for storing
other values like an identifier for the corresponding OVN ACL/Security group etc.
Signed-off-by: Ankur Sharma
---
Documentation/tutorials/ovn-openstack.rst | 14 -
lib/logical-fields.c | 3 ++
northd/ovn-northd.8.xml | 14 -
northd/ovn-northd.c | 50 ---
tests/ovn.at | 11 +++
5 files changed, 49 insertions(+), 43 deletions(-)
diff --git a/Documentation/tutorials/ovn-openstack.rst
b/Documentation/tutorials/ovn-openstack.rst
index 3ef0523..5134406 100644
--- a/Documentation/tutorials/ovn-openstack.rst
+++ b/Documentation/tutorials/ovn-openstack.rst
@@ -60,7 +60,7 @@ packaging for developers, in a way that allows you to follow
along
with the tutorial in full.
Unless you have a spare computer laying about, it's easiest to install
-DevStacck in a virtual machine. This tutorial was built using a VM
+DevStack in a virtual machine. This tutorial was built using a VM
implemented by KVM and managed by virt-manager. I recommend
configuring the VM configured for the x86-64 architecture, 6 GB RAM, 2
VCPUs, and a 20 GB virtual disk.
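Review bot: The DevStacck to DevStack spelling fix on the changed line of this hunk is unrelated to moving the blocked bit from ct_label to ct_mark, and would be easier to review and backport as its own patch. If the paragraph is being cleaned up anyway, the context line "configuring the VM configured for the x86-64 architecture" has a duplicated word that belongs in the same cleanup.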
@@ -1228,7 +1228,7 @@ as the output port::
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---
- 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct_label.blocked == 0 && (inport == "ap" && ip4), priority 2002, uuid a12b39f0
+ 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct.blocked == 0 && (inport == "ap" && ip4), priority 2002, uuid a12b39f0
next;
13. ls_in_l2_lkup (ovn-northd.c:3529): eth.dst == fa:16:3e:f6:e2:8f,
priority 50, uuid c43ead31
outport = "17d870";
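Review bot: The new field name in the step 6 ls_in_acl match, ct.blocked, sits directly beside ct.new, ct.est and ct.rpl, which are ct_state flags, so a reader of this trace can no longer tell that the bit is stored in ct_mark as the commit message says. A name such as ct_mark.blocked would keep the storage location visible in trace output the way ct_label.blocked did.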
@@ -1297,7 +1297,7 @@ Finally the logical switch for ``n2`` runs through the
same logic as
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---
- 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct_label.blocked == 0 && (outport == "cp" && ip4 && ip4.src ==
$as_ip4_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid a746fa0d
+ 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct.blocked == 0 && (outport == "cp" && ip4 && ip4.src ==
$as_ip4_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid a746fa0d
next;
7. ls_out_port_sec_ip (ovn-northd.c:2364): outport == "cp" && eth.dst ==
fa:16:3e:89:f2:36 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.1.2.7},
priority 90, uuid 4d9862b5
next;
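Review bot: The step 4 ls_out_acl allow flow now matches on ct.blocked == 0, but a connection that was marked blocked before this change carries that bit in ct_label, not in ct_mark. Please state in the commit message how existing conntrack entries are handled across an upgrade, since an entry whose ct_mark is still 0 could match this priority 2002 flow and be allowed again.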
@@ -1537,7 +1537,7 @@ firewall and is output to ``d``::
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---
- 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct_label.blocked == 0 && (outport == "dp" && ip4 && ip4.src == 0.0.0.0/0 &&
icmp4), priority 2002, uuid b860fc9f
+ 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct.blocked == 0 && (outport == "dp" && ip4 && ip4.src == 0.0.0.0/0 && icmp4),
priority 2002, uuid b860fc9f
next;
7. ls_out_port_sec_ip (ovn-northd.c:2364): outport == "dp" && eth.dst ==
fa:16:3e:c1:f5:a2 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.6},
priority 90, uuid 15655a98
next;
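Review bot: The step 4 ls_out_acl line shows ct.blocked only as a match term, and nothing in the tutorial text changed here says which bit of ct_mark it occupies. Since the commit message notes ct_mark is only 32 bits wide, consider documenting the bit assignment with this change so later users of ct_mark do not collide with it.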
@@ -1649,7 +1649,7 @@ closely to those for IPv4 which we already discussed back
under
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---
- 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct_label.blocked == 0 && (inport == "ap" && ip6), priority 2002, uuid 7fdd607e
+ 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct.blocked == 0 && (inport == "ap" && ip6), priority 2002, uuid 7fdd607e
next;
13. ls_in_l2_lkup (ovn-northd.c:3529): eth.dst == fa:16:3e:ef:2f:8b,
priority 50, uuid e1d87fc5
outport = "ad952e";
@@ -1707,7 +1707,7 @@ closely to those for IPv4 which we already discussed back
under
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---
- 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct_label.blocked == 0 && (outport == "cp" && ip6 && ip6.src ==
$as_ip6_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid 12fc96f9
+ 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl &&
ct.blocked == 0 && (outport == "cp" && ip6 && ip6.src ==
$as_ip6_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority