Prior to this commit, once a connection had been committed to the connection tracker, the connection would continue to be allowed, even if the policy defined in the ACL table changed. This patch changes the implementation so that existing connections are affected by policy changes.
The implementation is based on the suggested approach in this mailing list
thread:

  http://openvswitch.org/pipermail/dev/2016-February/065716.html

The implementation is covered in much more detail in the commit message
for patch 3, as well as code comments and doc updates.

v1->v2:
 - Address issue pointed out by Han Zhou where removing and then
   re-creating an ACL did not allow an established connection to continue.
   The changes are in patch 3.

v2->v3:
 - rebase and resolve conflicts with master.
 - Use ct_label instead of ct_mark.
 - patch 1: add ACK from Han, otherwise unchanged
 - patch 2: add support for setting ct_label. v2 only included ct_mark.
   I did not include Han's ACK here because the changes were non-trivial.
 - patch 3: add ACK from Han. The rest of the changes are trivial
   replacement of ct_mark with ct_label.

Russell Bryant (3):
  ovn: Update ACL flow docs.
  ovn: Add ct_commit(ct_mark=INT, ct_label=INT); action.
  ovn: Apply ACL changes to existing connections.

 ovn/lib/actions.c           | 128 +++++++++++++++++++++++++++++-
 ovn/northd/ovn-northd.8.xml |  54 ++++++++++---
 ovn/northd/ovn-northd.c     | 189 +++++++++++++++++++++++++++++++++----------
 ovn/ovn-sb.xml              |  20 ++++-
 4 files changed, 327 insertions(+), 64 deletions(-)

-- 
2.5.0

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
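The failure mode the cover letter opens with, as an added illustration that is not part of the series or of OVN: a toy model of a conntrack-backed ACL pipeline in Python. `pipeline_old` reproduces the pre-series behaviour (a committed connection bypasses the ACL table for good), and `pipeline_new` models the intended behaviour with a hypothetical per-connection label standing in for what the series does with ct_label. The label semantics, the direction handling and the `allow_dport` ACL are assumptions for the sake of the model; the actual logical flows are in patch 3, which is not quoted here. The scenario also covers the remove-then-re-create case from the v1->v2 note.

```python
"""Toy model of a conntrack-backed ACL pipeline.

Added illustration only: this is NOT OVN code and does not reproduce its
logical-flow tables. It models the behaviour the cover letter describes,
with a hypothetical "label" on each committed connection standing in for
what the series does with ct_label.
"""
from dataclasses import dataclass, field

ALLOW, DROP = "allow", "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int          # destination port in the original direction (used as the connection id)
    reply: bool = False  # True for server->client traffic of an existing connection

    def conn_key(self):
        # Reply packets belong to the connection keyed on the original direction.
        return (self.dst, self.src, self.dport) if self.reply else (self.src, self.dst, self.dport)


@dataclass
class ConnTracker:
    # conn_key -> label: 0 = allowed when committed, 1 = blocked by a later policy change
    table: dict = field(default_factory=dict)

    def established(self, pkt):
        return pkt.conn_key() in self.table

    def commit(self, pkt, label=0):
        self.table[pkt.conn_key()] = label

    def label(self, pkt):
        return self.table.get(pkt.conn_key())


def evaluate_acl(acls, pkt):
    """ACLs are written for the original direction; first match wins, default drop."""
    for match, verdict in acls:
        if match(pkt):
            return verdict
    return DROP


def pipeline_old(ct, acls, pkt):
    """Pre-series behaviour per the cover letter: once committed, a
    connection is allowed regardless of later ACL changes."""
    if ct.established(pkt):
        return ALLOW
    verdict = evaluate_acl(acls, pkt)
    if verdict == ALLOW:
        ct.commit(pkt)
    return verdict


def pipeline_new(ct, acls, pkt):
    """Modelled post-series behaviour (assumption, not OVN's flow tables):
    original-direction packets of an established connection are re-checked
    against the current ACLs and the result is recorded in the label; reply
    packets are allowed only while the label is 0."""
    if not ct.established(pkt):
        verdict = evaluate_acl(acls, pkt)
        if verdict == ALLOW:
            ct.commit(pkt, label=0)
        return verdict
    if pkt.reply:
        return ALLOW if ct.label(pkt) == 0 else DROP
    if evaluate_acl(acls, pkt) == ALLOW:
        ct.commit(pkt, label=0)  # a re-created ACL lets a blocked connection resume (the v1->v2 issue)
        return ALLOW
    ct.commit(pkt, label=1)
    return DROP


def allow_dport(port):
    """Hypothetical ACL: allow original-direction traffic to destination port `port`."""
    return (lambda p: p.dport == port, ALLOW)


def run_scenario(pipeline):
    """Constructed scenario: allow port 22, open a connection, remove the ACL,
    then re-create it. Returns the verdict for each step."""
    ct = ConnTracker()
    acls = [allow_dport(22)]
    req = Packet("10.0.0.1", "10.0.0.2", 22)
    rep = Packet("10.0.0.2", "10.0.0.1", 22, reply=True)
    verdicts = []
    verdicts.append(pipeline(ct, acls, req))  # new connection: evaluated against the ACLs
    verdicts.append(pipeline(ct, acls, rep))  # reply of an allowed connection
    acls.clear()                              # operator removes the allow ACL
    verdicts.append(pipeline(ct, acls, req))  # same connection, policy has changed
    verdicts.append(pipeline(ct, acls, rep))
    acls.append(allow_dport(22))              # operator re-creates the ACL
    verdicts.append(pipeline(ct, acls, req))
    verdicts.append(pipeline(ct, acls, rep))
    return verdicts


if __name__ == "__main__":
    print("old:", run_scenario(pipeline_old))
    print("new:", run_scenario(pipeline_new))
```

With the old pipeline every step is allowed, including both directions after the ACL is removed; with the modelled new pipeline the connection is dropped in both directions once the ACL is gone and resumes when it is re-created. The point of the per-connection label in the model is the reply direction: ACLs are written for the original direction, so reply packets need state on the connection itself to learn that policy no longer permits it.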