On Tue, Mar 8, 2016 at 2:18 AM, Han Zhou <zhou...@gmail.com> wrote:
>
> On Wed, Mar 2, 2016 at 1:43 PM, Russell Bryant <russ...@ovn.org> wrote:
>
> There is a small problem with this patch. For an established connection, if
> the ACL rule allowing the connection is deleted, it will take effect by
> setting the mark to 1 in the CT table. However, if we add the ACL back before
> the connection is dead, it will fail to connect because the mark = 1 is not
> cleared. This can be verified by an ICMP ping test:
>
> 1. with an ACL allowing the src IP, ping the port's IP, and keep the ping
>    session
> 2. remove the ACL; the ping session is blocked, but keep it
> 3. add the ACL back; the ping session is still blocked, until starting a new
>    ping session
>
> I think we can set ct_commit(mark = 0) explicitly when applying the ACL.
>
Good catch! Thanks for testing. Your proposed solution makes sense. I'll
incorporate that into a v2.

--
Russell Bryant

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
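The failure mode Han describes, and the effect of the proposed fix, can be reproduced with a small model of the conntrack-mark logic. The following is an added example written for this thread; it is not OVN code and does not reproduce OVN's actual logical flows. It assumes a deliberately simplified pipeline: a new connection is committed (mark 0) only when an allow ACL matches; an established connection that no longer matches any ACL is committed with mark 1 and dropped; and the `clear_mark_on_allow` flag stands in for the proposed `ct_commit(mark = 0)` when an ACL matches an already-marked connection. The flow key, packet fields and addresses are constructed for the example.

```python
"""Simplified model of ACL removal/re-add against a conntrack mark.

Assumptions (not OVN's real pipeline): one conntrack table keyed by a
(proto, src, dst, session) tuple, ACLs are plain predicates on packets,
and mark == 1 means "connection no longer allowed by policy".
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FlowKey = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    session: int = 1  # e.g. ICMP id; a new ping session gets a new value


@dataclass
class CtEntry:
    mark: int = 0


Acl = Callable[[Packet], bool]


class AclPipeline:
    """Models the v1 behaviour (clear_mark_on_allow=False) and the v2 fix."""

    def __init__(self, acls: List[Acl], clear_mark_on_allow: bool):
        self.acls = list(acls)
        self.clear_mark_on_allow = clear_mark_on_allow
        self.ct: Dict[FlowKey, CtEntry] = {}

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        return (pkt.proto, pkt.src, pkt.dst, pkt.session)

    def _allowed(self, pkt: Packet) -> bool:
        return any(acl(pkt) for acl in self.acls)

    def process(self, pkt: Packet) -> str:
        key = self._key(pkt)
        entry = self.ct.get(key)
        allowed = self._allowed(pkt)

        if entry is None:
            # ct.new: only a matching allow ACL commits the connection.
            if allowed:
                self.ct[key] = CtEntry(mark=0)
                return "allow"
            return "drop"

        # ct.est with an ACL still allowing it and no stale mark.
        if allowed and entry.mark == 0:
            return "allow"

        # ct.est, ACL matches again, but the connection was marked while
        # the ACL was absent.
        if allowed and entry.mark == 1:
            if self.clear_mark_on_allow:
                entry.mark = 0  # proposed fix: ct_commit(mark = 0)
                return "allow"
            return "drop"  # v1: the stale mark keeps blocking the flow

        # ct.est but no ACL allows it any more: mark it and drop.
        entry.mark = 1  # ct_commit(mark = 1)
        return "drop"


def ping_scenario(clear_mark_on_allow: bool) -> List[str]:
    """Replays the three-step ICMP test from the thread plus a new session."""
    allow_src: Acl = lambda p: p.proto == "icmp" and p.src == "10.0.0.1"
    pipe = AclPipeline([allow_src], clear_mark_on_allow)
    echo = Packet("icmp", "10.0.0.1", "10.0.0.2", session=1)

    results = [pipe.process(echo)]      # 1. ACL present: ping works
    pipe.acls.remove(allow_src)         # 2. ACL removed ...
    results.append(pipe.process(echo))  #    ... session blocked, mark = 1
    pipe.acls.append(allow_src)         # 3. ACL added back ...
    results.append(pipe.process(echo))  #    ... v1 still blocked, v2 allowed
    new_session = Packet("icmp", "10.0.0.1", "10.0.0.2", session=2)
    results.append(pipe.process(new_session))  # fresh session: new ct entry
    return results


if __name__ == "__main__":
    print("v1:", ping_scenario(False))
    print("v2:", ping_scenario(True))
```

Running it shows the v1 pipeline returning `allow, drop, drop, allow` (the existing session stays blocked after the ACL comes back; only a new session with a fresh conntrack entry gets through), while the v2 variant returns `allow, drop, allow, allow` because the matching ACL resets the mark.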