Fast Datapath Product / FDP-625

ACL Tiers are not holistic across ingress/egress pipelines; thus breaking CMS expectations


    • Bug
    • Resolution: Done
    • OVN

      If I have a

      • tier3ACL created with direction="from-lport", options={"apply-after-lb": "true"} and
      • tier2 ACL created with direction="to-lport" 

      tier3ACL is evaluated first because it's evaluated in the OVN ingress pipeline, whereas tier2ACL is evaluated afterwards.

      This breaks how tiers are supposed to work in OVN: The original RFE and docs all state:

      <p>The hierarchical tier that this ACL belongs to.</p>
      
            <p>
              ACLs can be assigned to numerical tiers. When evaluating ACLs, an
              internal counter is used to determine which tier of ACLs should be
              evaluated. Tier 0 ACLs are evaluated first. If no verdict can be
              determined, then tier 1 ACLs are evaluated next. This continues
              until the maximum tier value is reached. If all tiers of ACLs are
              evaluated and no verdict is reached, then the <ref column="options"
              key="default_acl_drop" table="NB_Global" /> option from table
              <ref table="NB_Global" /> is used to determine how to proceed.
            </p>
      
            <p>
              In this version of OVN, the maximum tier value for ACLs is 3,
              meaning there are 4 tiers of ACLs allowed (0-3).
            </p> 

      Tier1 is evaluated first followed by tier2 followed by tier3.

              ovnteam@redhat.com OVN Team
              sseethar Surya Seetharaman
              Jianlin Shi Jianlin Shi
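The ordering described in the report, as a simplified model added here (not code from OVN or from the reporter). It assumes both ACLs match the packet, ignores priorities and match expressions, and gives the two ACLs constructed actions, since the issue does not state them; `per_pipeline`, `holistic` and `first_verdict` are hypothetical names.

```python
from dataclasses import dataclass

MAX_TIER = 3  # tiers 0-3, as in the documentation quoted in the issue

@dataclass(frozen=True)
class Acl:
    name: str
    tier: int
    direction: str  # "from-lport" -> ingress pipeline, "to-lport" -> egress pipeline
    action: str     # "allow" or "drop" (constructed; the issue names no actions)

def first_verdict(acls):
    """Walk tiers 0..MAX_TIER and return the first ACL that gives a verdict."""
    for tier in range(MAX_TIER + 1):
        for acl in acls:
            if acl.tier == tier:
                return acl
    return None

def per_pipeline(acls, default="allow"):
    """Reported behaviour: the tier walk restarts in each pipeline."""
    trace = []
    for direction in ("from-lport", "to-lport"):  # ingress runs before egress
        hit = first_verdict([a for a in acls if a.direction == direction])
        if hit:
            trace.append(hit.name)
            if hit.action == "drop":
                return "drop", trace  # later ACLs are never consulted
    return ("allow" if trace else default), trace

def holistic(acls, default="allow"):
    """CMS expectation: one tier walk across both directions."""
    hit = first_verdict(acls)
    return (hit.action, [hit.name]) if hit else (default, [])

# Constructed sample mirroring the two ACLs in the report.
ACLS = [
    Acl("tier3ACL", 3, "from-lport", "drop"),
    Acl("tier2ACL", 2, "to-lport", "allow"),
]

if __name__ == "__main__":
    print("per pipeline:", per_pipeline(ACLS))
    print("holistic:    ", holistic(ACLS))
```

With these constructed actions the per-pipeline walk drops the packet on tier3ACL before tier2ACL is ever consulted, while the single walk lets tier2ACL decide.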