What:
====
a. Goal is to be able to associate some identifier with a connection tracking entry.
b. This identifier can be used to map the OVN ACL which added this entry, or higher level constructs like an openstack security group etc.
c. There are 2 connection tracking fields which can be used for it: ct.mark (32 bits) and ct.label (128 bits).
d. Patch intends to use ct.label, as this is a longer field and hence would be put to better use if it stores the identifier.

Why:
====
a. Adding an identifier would help in debugging.
b. Now, we can map a connection tracking entry to the corresponding acl, security group etc.

How:
====
Following is the sequence of changes:

Patch 1:
i. Current implementation uses a bit in ct.label to handle policy update cases, where we use a bit in ct.label to indicate that reply traffic should be dropped now.
ii. Swap the usage of ct.label in the current implementation with ct.mark.

Patch 2:
i. Add support in the parser to allow ct.label and ct.mark to be set from registers as well (as of now only integer/masked integer is allowed).

Patch 3:
i. Add a new column (named 'label') to Table ACL in the northbound schema.
ii. ovn-northd changes to enhance logical flows to set ct.label to acl->label.

For example:

table=4 (ls_out_acl ), .... action=(reg0[1] = 1; reg0[3] = 1; xxreg1 = 0x1234; next;)
.
.
.
table=7 (ls_out_stateful ), ... match=(reg0[1] == 1 && reg0[3] == 1), action=(ct_commit(ct_mark=0/1, ct_label=xxreg1); next;)

Ankur Sharma (3):
  OVN ACL: Replace the usage of ct_label with ct_mark
  OVN ACL: Allow ct_mark and ct_label values to be set from register as well
  OVN ACL: Allow a user to input ct.label value for an acl

 Documentation/tutorials/ovn-openstack.rst | 12 ++---
 include/ovn/actions.h                     |  3 ++
 ovn/lib/actions.c                         | 77 +++++++++++++++++++++++++++----
 ovn/lib/logical-fields.c                  |  3 ++
 ovn/northd/ovn-northd.8.xml               | 14 +++---
 ovn/northd/ovn-northd.c                   | 48 +++++++++----------
 ovn/ovn-nb.ovsschema                      |  4 +-
 ovn/ovn-sb.xml                            | 20 ++++----
 tests/ovn.at                              | 27 +++++++++--
 9 files changed, 147 insertions(+), 61 deletions(-)

-- 
1.8.3.1

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
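As an added example (not part of this patch series or of OVN's own code), the following Python script does the debugging step the cover letter motivates: it parses conntrack entries, reads back the 128-bit ct.label that the stateful stage committed, and maps it to the ACL that created the entry. It assumes entries in the text shape of `ovs-appctl dpctl/dump-conntrack` with `mark=` and `labels=` fields (the sample dump is constructed), an assumed label-to-ACL lookup table, and that bit 0 of ct.mark is the "reply traffic should be dropped" flag the series moves out of ct.label.

```python
# Constructed sample in the shape of `ovs-appctl dpctl/dump-conntrack` output (not real data).
CT_DUMP = """\
tcp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=44321,dport=22),reply=(src=10.0.0.9,dst=10.0.0.5,sport=22,dport=44321),zone=3,labels=0x1234,protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=44322,dport=443),reply=(src=10.0.0.9,dst=10.0.0.5,sport=443,dport=44322),zone=3,mark=1,labels=0x1234,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.0.0.5,dst=10.0.0.9,sport=5000,dport=53),reply=(src=10.0.0.9,dst=10.0.0.5,sport=53,dport=5000),zone=3
"""

# Assumed lookup from the new ACL 'label' column value to a human-readable ACL / security group.
ACL_BY_LABEL = {0x1234: "allow-ssh-https (sg: web-servers)"}


def split_top_level(s):
    """Split on commas that are not nested inside parentheses (orig=(...), reply=(...))."""
    parts, depth, cur = [], 0, []
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_ct_entry(line):
    """Parse one conntrack line; mark/labels default to 0 when the dump omits them."""
    fields = split_top_level(line.strip())
    entry = {"proto": fields[0], "mark": 0, "labels": 0}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        if key in ("orig", "reply"):
            entry[key] = dict(kv.split("=", 1) for kv in val.strip("()").split(","))
        elif key in ("mark", "labels", "zone"):
            entry[key] = int(val, 0)  # base 0 accepts decimal and 0x-prefixed 128-bit labels
    return entry


def annotate(dump, acl_by_label):
    """Return (flow, acl-name, reply_dropped) per entry, mapping ct.label back to its ACL."""
    rows = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        e = parse_ct_entry(line)
        o = e["orig"]
        flow = f"{e['proto']} {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} zone={e['zone']}"
        acl = acl_by_label.get(e["labels"], "<no ACL label>")
        # Assumed: bit 0 of ct.mark is the "drop reply traffic" flag after patch 1.
        rows.append((flow, acl, bool(e["mark"] & 1)))
    return rows
```

An entry whose label matches no ACL (the udp line) is reported as unlabelled rather than silently skipped, which is exactly the case a debugger wants to see.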