Skip to content

Commit

Permalink
ovn: Apply ACL changes to existing connections.
Browse files Browse the repository at this point in the history 
Prior to this commit, once a connection had been committed to the
connection tracker, the connection would continue to be allowed, even
if the policy defined in the ACL table changed.  This patch changes
the implementation so that existing connections are affected by policy
changes.

The implementation is based on the suggested approach in this mailing
list thread:

    http://openvswitch.org/pipermail/dev/2016-February/065716.html

Instead of always allowing packets associated with an established
connection, we now put all packets in the request direction through
the flows generated based on OVN ACLs.  If a packet associated with an
established connection hits a "drop" ACL, that means we have
encountered a policy change and should drop packets associated with
this connection from now on.  We handle this by setting "ct_label" on
the associated connection tracking entry.

These changes also account for re-allowing a known connection after
ct_label had been set on it. This can happen if you delete an ACL and
then re-create it while connection state is still known.

The proposal on the mailing list also discussed the idea that
ovn-controller could periodically sweep the connection tracker and
delete entries with ct_label set.  That is not implemented in this
patch.  Instead, we rely on connections dying since we're dropping
its packets and then allowing the connection tracking entry to
eventually time out.  More proactively clearing them out could be a
future enhancement.

As a realistic example of how this works, consider this security policy
from an OpenStack+OVN development environment.

    +---------+-----------------------+
    | name    | security_group_rules  |
    +---------+-----------------------+
    | default | egress, IPv4          |
    |         | egress, IPv6          |
    |         | ingress, IPv4, 22/tcp |
    |         | ingress, IPv4, icmp   |
    +---------+-----------------------+

The OpenStack Neutron plugin creates ACLs that drop traffic by default
and higher priority ACLs for each type of traffic that is allowed.  In
this case, the ACLs for a port using the "default" security group are:

  from-lport  1002 (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4) allow-related
  from-lport  1002 (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip6) allow-related
  from-lport  1001 (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip) drop
    to-lport  1002 (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && icmp4) allow-related
    to-lport  1002 (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && tcp && tcp.dst == 22) allow-related
    to-lport  1001 (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip) drop

which results in the following logical flows:

  table=3 (ls_in_pre_acl      ), priority=100  , match=(ip), action=(reg0[0] = 1; next;)
  table=3 (ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
  table=4 (ls_in_pre_lb       ), priority=0    , match=(1), action=(next;)
  table=5 (ls_in_pre_stateful ), priority=100  , match=(reg0[0] == 1), action=(ct_next;)
  table=5 (ls_in_pre_stateful ), priority=0    , match=(1), action=(next;)
  table=6 (ls_in_acl          ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label[0] == 0), action=(next;)
  table=6 (ls_in_acl          ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label[0] == 0), action=(next;)
  table=6 (ls_in_acl          ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label[0] == 1)), action=(drop;)
  table=6 (ls_in_acl          ), priority=65535, match=(nd), action=(next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && (ip4.dst == 255.255.255.255 || ip4.dst == 10.0.0.0/24) && udp && udp.src == 68 && udp.dst == 67)), action=(next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4)), action=(next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip6)), action=(next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && (ip4.dst == 255.255.255.255 || ip4.dst == 10.0.0.0/24) && udp && udp.src == 68 && udp.dst == 67)), action=(reg0[1] = 1; next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4)), action=(reg0[1] = 1; next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip6)), action=(reg0[1] = 1; next;)
  table=6 (ls_in_acl          ), priority=2001 , match=((!ct.est || (ct.est && ct_label[0] == 1)) && (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip)), action=(drop;)
  table=6 (ls_in_acl          ), priority=2001 , match=(ct.est && ct_label[0] == 0 && (inport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip)), action=(ct_commit(ct_label=1/1);)
  table=6 (ls_in_acl          ), priority=1    , match=(ip && (!ct.est || (ct.est && ct_label[0] == 1))), action=(reg0[1] = 1; next;)
  table=6 (ls_in_acl          ), priority=0    , match=(1), action=(next;)
  table=7 (ls_in_lb           ), priority=0    , match=(1), action=(next;)
  table=8 (ls_in_stateful     ), priority=100  , match=(reg0[1] == 1), action=(ct_commit(ct_label=0/1); next;)
  table=8 (ls_in_stateful     ), priority=100  , match=(reg0[2] == 1), action=(ct_lb;)
  table=8 (ls_in_stateful     ), priority=0    , match=(1), action=(next;)

  table=0 (ls_out_pre_lb      ), priority=0    , match=(1), action=(next;)
  table=1 (ls_out_pre_acl     ), priority=110  , match=(ip && outport == "351f0012-0c13-4330-b471-b0d4719c5031"), action=(next;)
  table=1 (ls_out_pre_acl     ), priority=110  , match=(ip && outport == "4e0e294d-e54a-400c-a240-f121175904c2"), action=(next;)
  table=1 (ls_out_pre_acl     ), priority=110  , match=(nd), action=(next;)
  table=1 (ls_out_pre_acl     ), priority=100  , match=(ip), action=(reg0[0] = 1; next;)
  table=1 (ls_out_pre_acl     ), priority=0    , match=(1), action=(next;)
  table=2 (ls_out_pre_stateful), priority=100  , match=(reg0[0] == 1), action=(ct_next;)
  table=2 (ls_out_pre_stateful), priority=0    , match=(1), action=(next;)
  table=3 (ls_out_lb          ), priority=0    , match=(1), action=(next;)
  table=4 (ls_out_acl         ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label[0] == 0), action=(next;)
  table=4 (ls_out_acl         ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label[0] == 0), action=(next;)
  table=4 (ls_out_acl         ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label[0] == 1)), action=(drop;)
  table=4 (ls_out_acl         ), priority=65535, match=(nd), action=(next;)
  table=4 (ls_out_acl         ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && icmp4)), action=(next;)
  table=4 (ls_out_acl         ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && ip4.src == $as_ip4_85300131_274c_492c_a000_b1782315196d)), action=(next;)
  table=4 (ls_out_acl         ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && ip4.src == 10.0.0.0/24 && udp && udp.src == 67 && udp.dst == 68)), action=(next;)
  table=4 (ls_out_acl         ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label[0] == 0 && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip6 && ip6.src == $as_ip6_85300131_274c_492c_a000_b1782315196d)), action=(next;)
  table=4 (ls_out_acl         ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && icmp4)), action=(reg0[1] = 1; next;)
  table=4 (ls_out_acl         ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && ip4.src == $as_ip4_85300131_274c_492c_a000_b1782315196d)), action=(reg0[1] = 1; next;)
  table=4 (ls_out_acl         ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip4 && ip4.src == 10.0.0.0/24 && udp && udp.src == 67 && udp.dst == 68)), action=(reg0[1] = 1; next;)
  table=4 (ls_out_acl         ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label[0] == 1)) && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip6 && ip6.src == $as_ip6_85300131_274c_492c_a000_b1782315196d)), action=(reg0[1] = 1; next;)
  table=4 (ls_out_acl         ), priority=2001 , match=((!ct.est || (ct.est && ct_label[0] == 1)) && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip)), action=(drop;)
  table=4 (ls_out_acl         ), priority=2001 , match=(ct.est && ct_label[0] == 0 && (outport == "23706cbe-98b6-4a8b-b78b-a8e12e6d773f" && ip)), action=(ct_commit(ct_label=1/1);)
  table=4 (ls_out_acl         ), priority=1    , match=(ip && (!ct.est || (ct.est && ct_label[0] == 1))), action=(reg0[1] = 1; next;)
  table=4 (ls_out_acl         ), priority=0    , match=(1), action=(next;)
  table=5 (ls_out_stateful    ), priority=100  , match=(reg0[1] == 1), action=(ct_commit(ct_label=0/1); next;)
  table=5 (ls_out_stateful    ), priority=100  , match=(reg0[2] == 1), action=(ct_lb;)
  table=5 (ls_out_stateful    ), priority=0    , match=(1), action=(next;)

One way I tested this by leaving ping running, ensuring that it was
blocked when the rule for ICMP was deleted, and then re-allowed when
the rule allowing ICMP was restored.  In this case, the ICMP
connection is still known by the connection tracker, but the flows
ensure that ct_label gets reset back to 0.

Reported-by: Xiao Li Xu <[email protected]>
Reported-at: https://bugs.launchpad.net/networking-ovn/+bug/1536080
Suggested-by: Justin Pettit <[email protected]>
Signed-off-by: Russell Bryant <[email protected]>
Acked-by: Han Zhou <[email protected]>
Acked-by: Ben Pfaff <[email protected]>
Acked-by: Justin Pettit <[email protected]>
Tested-by: Babu Shanmugam <[email protected]>
  • Loading branch information
@russellb
russellb committed Jul 20, 2016
1 parent bf32e3e commit cc58e1f
Show file tree
Hide file tree
Showing 3 changed files with 199 additions and 61 deletions.
6 changes: 6 additions & 0 deletions ovn/TODO
View file
Original file line number Diff line number Diff line change
Expand Up @@ -235,3 +235,9 @@ large.
** Support reject action.

** Support log option.

** We currently use ct_label[0] to mark connections that have been blocked
by an ACL. It would be nice in the logical flow syntax to have a
symbolic name like "ct_label.blocked" to make things more clear, as
well as to change the implementation of "blocked" in the future
if needed.
58 changes: 46 additions & 12 deletions ovn/northd/ovn-northd.8.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -284,16 +284,33 @@
<p>
Logical flows in this table closely reproduce those in the
<code>ACL</code> table in the <code>OVN_Northbound</code> database
for the <code>from-lport</code> direction. <code>allow</code>
ACLs translate into logical flows with the <code>next;</code>
action, <code>allow-related</code> ACLs translate into logical
flows with the <code>reg0[1] = 1; next;</code> actions (which acts
as a hint for the next tables to commit the connection to conntrack),
other ACLs translate to <code>drop;</code>. The <code>priority</code>
values from the <code>ACL</code> table have a limited range and have 1000
added to them to leave room for OVN default flows at both higher
and lower priorities.
for the <code>from-lport</code> direction. The <code>priority</code>
values from the <code>ACL</code> table have a limited range and have
1000 added to them to leave room for OVN default flows at both
higher and lower priorities.
</p>
<ul>
<li>
<code>allow</code> ACLs translate into logical flows with
the <code>next;</code> action. If there are any stateful ACLs
on this datapath, then <code>allow</code> ACLs translate to
<code>ct_commit; next;</code> (which acts as a hint for the next tables
to commit the connection to conntrack),
</li>
<li>
<code>allow-related</code> ACLs translate into logical
flows with the <code>ct_commit(ct_label=0/1); next;</code> actions
for new connections and <code>reg0[1] = 1; next;</code> for existing
connections.
</li>
<li>
Other ACLs translate to <code>drop;</code> for new or untracked
connections and <code>ct_commit(ct_label=1/1);</code> for known
connections. Setting <code>ct_label</code> marks a connection
as one that was previously allowed, but should no longer be
allowed due to a policy change.
</li>
</ul>

<p>
This table also contains a priority 0 flow with action
Expand All @@ -312,20 +329,37 @@
</li>

<li>
A priority-65535 flow that allows any traffic that has been
committed to the connection tracker (i.e., established flows).
A priority-65535 flow that allows any traffic in the reply
direction for a connection that has been committed to the
connection tracker (i.e., established flows), as long as
the committed flow does not have <code>ct_label[0]</code> set.
We only handle traffic in the reply direction here because
we want all packets going in the request direction to still
go through the flows that implement the currently defined
policy based on ACLs. If a connection is no longer allowed by
policy, <code>ct_label[0]</code> will get set and packets in the
reply direction will no longer be allowed, either.
</li>

<li>
A priority-65535 flow that allows any traffic that is considered
related to a committed flow in the connection tracker (e.g., an
ICMP Port Unreachable from a non-listening UDP port).
ICMP Port Unreachable from a non-listening UDP port), as long
as the committed flow does not have <code>ct_label[0]</code> set.
</li>

<li>
A priority-65535 flow that drops all traffic marked by the
connection tracker as invalid.
</li>

<li>
A priority-65535 flow that drops all trafic in the reply direction
with <code>ct_label[0]</code> set meaning that the connection
should no longer be allowed due to a policy change. Packets
in the request direction are skipped here to let a newly created
ACL re-allow this connection.
</li>
</ul>

<h3>Ingress Table 7: LB</h3>
Expand Down
196 changes: 147 additions & 49 deletions ovn/northd/ovn-northd.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1561,48 +1561,77 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)
* commit IP flows. This is because, while the initiater's
* direction may not have any stateful rules, the server's may
* and then its return traffic would not have an associated
* conntrack entry and would return "+invalid". */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, "ip",
REGBIT_CONNTRACK_COMMIT" = 1; next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, "ip",
REGBIT_CONNTRACK_COMMIT" = 1; next;");
* conntrack entry and would return "+invalid".
*
* We use "ct_commit" for a connection that is not already known
* by the connection tracker. Once a connection is committed,
* subsequent packets will hit the flow at priority 0 that just
* uses "next;"
*
* We also check for established connections that have ct_label[0]
* set on them. That's a connection that was disallowed, but is
* now allowed by policy again since it hit this default-allow flow.
* We need to set ct_label[0]=0 to let the connection continue,
* which will be done by ct_commit() in the "stateful" stage.
* Subsequent packets will hit the flow at priority 0 that just
* uses "next;". */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1,
"ip && (!ct.est || (ct.est && ct_label[0] == 1))",
REGBIT_CONNTRACK_COMMIT" = 1; next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1,
"ip && (!ct.est || (ct.est && ct_label[0] == 1))",
REGBIT_CONNTRACK_COMMIT" = 1; next;");

/* Ingress and Egress ACL Table (Priority 65535).
*
* Always drop traffic that's in an invalid state. This is
* enforced at a higher priority than ACLs can be defined. */
* Always drop traffic that's in an invalid state. Also drop
* reply direction packets for connections that have been marked
* for deletion (bit 0 of ct_label is set).
*
* This is enforced at a higher priority than ACLs can be defined. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
"ct.inv", "drop;");
"ct.inv || (ct.est && ct.rpl && ct_label[0] == 1)",
"drop;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
"ct.inv", "drop;");
"ct.inv || (ct.est && ct.rpl && ct_label[0] == 1)",
"drop;");

/* Ingress and Egress ACL Table (Priority 65535).
*
* Always allow traffic that is established to a committed
* conntrack entry. This is enforced at a higher priority than
* ACLs can be defined. */
* Allow reply traffic that is part of an established
* conntrack entry that has not been marked for deletion
* (bit 0 of ct_label). We only match traffic in the
* reply direction because we want traffic in the request
* direction to hit the currently defined policy from ACLs.
*
* This is enforced at a higher priority than ACLs can be defined. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
"ct.est && !ct.rel && !ct.new && !ct.inv",
"ct.est && !ct.rel && !ct.new && !ct.inv "
"&& ct.rpl && ct_label[0] == 0",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
"ct.est && !ct.rel && !ct.new && !ct.inv",
"ct.est && !ct.rel && !ct.new && !ct.inv "
"&& ct.rpl && ct_label[0] == 0",
"next;");

/* Ingress and Egress ACL Table (Priority 65535).
*
* Always allow traffic that is related to an existing conntrack
* entry. This is enforced at a higher priority than ACLs can
* be defined.
* Allow traffic that is related to an existing conntrack entry that
* has not been marked for deletion (bit 0 of ct_label).
*
* This is enforced at a higher priority than ACLs can be defined.
*
* NOTE: This does not support related data sessions (eg,
* a dynamically negotiated FTP data channel), but will allow
* related traffic such as an ICMP Port Unreachable through
* that's generated from a non-listening UDP port. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
"!ct.est && ct.rel && !ct.new && !ct.inv",
"!ct.est && ct.rel && !ct.new && !ct.inv "
"&& ct_label[0] == 0",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
"!ct.est && ct.rel && !ct.new && !ct.inv",
"!ct.est && ct.rel && !ct.new && !ct.inv "
"&& ct_label[0] == 0",
"next;");

/* Ingress and Egress ACL Table (Priority 65535).
Expand All @@ -1618,41 +1647,108 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)
bool ingress = !strcmp(acl->direction, "from-lport") ? true :false;
enum ovn_stage stage = ingress ? S_SWITCH_IN_ACL : S_SWITCH_OUT_ACL;

if (!strcmp(acl->action, "allow")) {
if (!strcmp(acl->action, "allow")
|| !strcmp(acl->action, "allow-related")) {
/* If there are any stateful flows, we must even commit "allow"
* actions. This is because, while the initiater's
* direction may not have any stateful rules, the server's
* may and then its return traffic would not have an
* associated conntrack entry and would return "+invalid". */
const char *actions = has_stateful
? REGBIT_CONNTRACK_COMMIT" = 1; next;"
: "next;";
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
acl->match, actions);
} else if (!strcmp(acl->action, "allow-related")) {
if (!has_stateful) {
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
acl->match, "next;");
} else {
struct ds match = DS_EMPTY_INITIALIZER;

/* Commit the connection tracking entry if it's a new
* connection that matches this ACL. After this commit,
* the reply traffic is allowed by a flow we create at
* priority 65535, defined earlier.
*
* It's also possible that a known connection was marked for
* deletion after a policy was deleted, but the policy was
* re-added while that connection is still known. We catch
* that case here and un-set ct_label[0] (which will be done
* by ct_commit in the "stateful" stage) to indicate that the
* connection should be allowed to resume.
*/
ds_put_format(&match, "((ct.new && !ct.est)"
" || (!ct.new && ct.est && !ct.rpl "
"&& ct_label[0] == 1)) "
"&& (%s)", acl->match);
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(&match),
REGBIT_CONNTRACK_COMMIT" = 1; next;");

/* Match on traffic in the request direction for an established
* connection tracking entry that has not been marked for
* deletion. There is no need to commit here, so we can just
* proceed to the next table. We use this to ensure that this
* connection is still allowed by the currently defined
* policy. */
ds_clear(&match);
ds_put_format(&match,
"!ct.new && ct.est && !ct.rpl"
" && ct_label[0] == 0 && (%s)",
acl->match);
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(&match), "next;");

ds_destroy(&match);
}
} else if (!strcmp(acl->action, "drop")
|| !strcmp(acl->action, "reject")) {
struct ds match = DS_EMPTY_INITIALIZER;

/* Commit the connection tracking entry, which allows all
* other traffic related to this entry to flow due to the
* 65535 priority flow defined earlier. */
ds_put_format(&match, "ct.new && (%s)", acl->match);
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(&match),
REGBIT_CONNTRACK_COMMIT" = 1; next;");
/* XXX Need to support "reject", treat it as "drop;" for now. */
if (!strcmp(acl->action, "reject")) {
VLOG_INFO("reject is not a supported action");
}

ds_destroy(&match);
} else if (!strcmp(acl->action, "drop")) {
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
acl->match, "drop;");
} else if (!strcmp(acl->action, "reject")) {
/* xxx Need to support "reject". */
VLOG_INFO("reject is not a supported action");
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
acl->match, "drop;");
/* The implementation of "drop" differs if stateful ACLs are in
* use for this datapath. In that case, the actions differ
* depending on whether the connection was previously committed
* to the connection tracker with ct_commit. */
if (has_stateful) {
/* If the packet is not part of an established connection, then
* we can simply drop it. */
ds_put_format(&match,
"(!ct.est || (ct.est && ct_label[0] == 1)) "
"&& (%s)",
acl->match);
ovn_lflow_add(lflows, od, stage, acl->priority +
OVN_ACL_PRI_OFFSET, ds_cstr(&match), "drop;");

/* For an existing connection without ct_label set, we've
* encountered a policy change. ACLs previously allowed
* this connection and we committed the connection tracking
* entry. Current policy says that we should drop this
* connection. First, we set bit 0 of ct_label to indicate
* that this connection is set for deletion. By not
* specifying "next;", we implicitly drop the packet after
* updating conntrack state. We would normally defer
* ct_commit() to the "stateful" stage, but since we're
* dropping the packet, we go ahead and do it here. */
ds_clear(&match);
ds_put_format(&match,
"ct.est && ct_label[0] == 0 && (%s)",
acl->match);
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(&match), "ct_commit(ct_label=1/1);");

ds_destroy(&match);
} else {
/* There are no stateful ACLs in use on this datapath,
* so a "drop" ACL is simply the "drop" logical flow action
* in all cases. */
ovn_lflow_add(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
acl->match, "drop;");
}
}
}
}
Expand Down Expand Up @@ -1687,11 +1783,13 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows)
ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;");

/* If REGBIT_CONNTRACK_COMMIT is set as 1, then the packets should be
* committed to conntrack. */
* committed to conntrack. We always set ct_label[0] to 0 here as
* any packet that makes it this far is part of a connection we
* want to allow to continue. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,
REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit; next;");
REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 100,
REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit; next;");
REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;");

/* If REGBIT_CONNTRACK_NAT is set as 1, then packets should just be sent
* through nat (without committing).
Expand Down

0 comments on commit cc58e1f

Please sign in to comment.