> > @@ -1377,13 +1381,34 @@ build_pre_acls(struct ovn_datapath *od, struct
> hmap *lflows,
> *
> * Regardless of whether the ACL is "from-lport" or "to-lport",
> * we need rules in both the ingress and egress table, because
> - * the return traffic needs to be followed. */
> - ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip",
> "ct_next;");
> - ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip",
> "ct_next;");
> + * the return traffic needs to be followed.
> + *
> + * 'REGBIT_CONNTRACK_DEFRAG' is set to let the pre-stateful table
> send
> + * it to conntrack for tracking and defragmentation. */
> + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip",
> + REGBIT_CONNTRACK_DEFRAG" = 1; next;");
> + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip",
> + REGBIT_CONNTRACK_DEFRAG" = 1; next;");
> }
> }
>
> static void
> +build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows)
> +{
> + /* Ingress and Egress pre-stateful Table (Priority 0): Packets are
> + * allowed by default. */
> + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 0, "1", "next;");
> + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 0, "1", "next;");
> +
> + /* If REGBIT_CONNTRACK_DEFRAG is set as 1, then the packets should be
> + * sent to conntrack for tracking and defragmentation. */
> + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 100,
> + REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;");
> + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 100,
> + REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;");
> +}
>
I hope you can also change the default priority-0 lflow in PRE_ACL so that, instead of using "next;" as its action, it resubmits directly to the ACL table. Otherwise, for non-stateful traffic, the PRE_STATEFUL table just adds yet another "next;", which is not fun. Thanks, Zong Kai, LI