Add support for the "allow-related" ACL action. This is dependent on
the OVS conntrack functionality, which is not available on all platforms
or kernel versions.
Here is a sample policy that will allow all tenants in logical switch
"ls0" to SSH to each other. Anyone can make an HTTP request to "lp0".
All other IP traffic is dropped:
ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
&& tcp.dst==80" allow-related
ovn-nbctl acl-add ls0 to-lport 1 ip drop
Note: Kernel conntrack support is checked into the mainline Linux
kernel, but hasn't been backported to the main OVS repo yet.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Until now, OVN has used "flat" tunnel keys, in which the STT tunnel key or
Geneve VNI contains a logical port number. Logical port numbers are unique
within an OVN deployment.
Flat tunnel keys have the advantage of simplicity. However, for packets
that are destined to logical ports on multiple hypervisors, they require
sending one packet per destination logical port rather than one packet per
hypervisor. They also make it hard to integrate with VXLAN-based hardware
switches, which use VNIs to designate logical networks instead of logical
ports.
This commit switches OVN to a different scheme. In this scheme, in Geneve
the VNI designates a logical network and a Geneve option specifies the
logical input and output ports, which are now scoped within the logical
network rather than globally unique. In STT, all three identifiers are
encoded in the tunnel key.
To allow for the reduced amount of traffic for packets destined to logical
ports on multiple hypervisors, this commit also introduces the concept
of a logical multicast group. The membership of these groups can be set
using a new Multicast_Group table in the southbound database (and
ovn-northd does use it starting in this commit).
With multicast groups alone, it would be difficult to implement ACLs,
because an ACL might disallow only some of the packets being sent to
a remote hypervisor. Thus, this commit also splits the OVN logical
pipeline into two pipelines: the "ingress" pipeline, which makes the
decision about the logical destination of a packet as a set of logical
ports or multicast groups, and the "egress" pipeline, which runs on the
destination hypervisor with the multicast group destination exploded into
individual ports and makes a final decision on whether to deliver the
packet. The "egress" pipeline can efficiently apply ACLs.
Until now, the OVN logical and physical pipeline implementation was not
adequately documented. This commit adds extensive documentation to
the OVN manpages to cover these issues.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
The generic *_init() names for these functions made it sounds like they
do something more than just register IDL columns, even though that's all
they do. Also, the controller_ctx that was passed into each of them was
only used to get the IDL handle. This commit renames them and changes
their parameter type to simplify and make all of this clearer.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
I found it otherwise difficult to see what code depended on this. When
later commits make it possible for ovn-controller to handle changes in
chassis ID, this will become important (the code should determine the
current chassis ID before trying to use it).
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
As I was working in ovn-controller, I found it hard to tell what code
produced and what code consumed the OpenFlow flow table, because it was
all implicit. This commit makes the data structure an explicit variable
in the main loop, which makes it easier to see.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Russell Bryant <rbryant@redhat.com>
This last piece allows us to start testing and debugging a complete OVN
installation. A previous version of this patch was tested in a VM
environment, but this exact version has not been.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Justin Pettit <jpettit@nicira.com>
