Fast Datapath Product / FDP-3131

[RFE] Requesting `pass-related` action for ACLs

    • Epic
    • Resolution: Unresolved
    • Normal
    • OVN

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given an OVN logical switch with tiered ACLs containing a pass-related ACL at higher priority and a drop ACL at lower priority in the same tier,

      When traffic matching the pass-related rule traverses the ACL pipeline,

      Then, the ACL is accepted in the northbound DB with action="pass-related" and matching connections are committed to conntrack so return/related traffic is automatically passed to the next tier.


      ( ) The epic's work is available in a downstream build (nightly/async or other)


      ( ) Test coverage is available in downstream CI if applicable


      ( ) All cards under the epic have been moved to Done


      ( ) Failed Test Plans have bugs added as children to the epic/feature.

    • rhel-9
    • rhel-net-ovn
    • 100% To Do, 0% In Progress, 0% Done
    • ssg_networking

      This epic tracks all the effort needed to deliver the solution related to the feature request described below.

      What's the feature?

      Today OVN ACLs have allow and allow-related for stateful tracking. However, the counterpart for passing is only pass, and we don't have pass-related. So to pass statefully, the CMS needs to create two-way ACLs, which could be simplified by having a pass-related ACL.

      Why is it needed?

      See https://issues.redhat.com/browse/FDP-3124 and https://redhat-internal.slack.com/archives/C01G7T6SYSD/p1770660924381709 

      Who will benefit? 

      OpenShift/OVN-Kubernetes that use tiered ACLs will no longer require manual two-way ACL creation for stateful pass scenarios.

              ovnteam@redhat.com OVN Team
              sseethar Surya Seetharaman
              OVN QE OVN QE