Uploaded image for project: 'Fast Datapath Product'
  1. Fast Datapath Product
  2. FDP-815

Add an ACL option to allow established sessions

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Major Major
    • FDP-25.A
    • None
    • OVN
    • 8
    • False
    • Hide

      None

      Show
      None
    • False
    • Hide

      Given that a DNS-based ACL is configured with both "allow" and "drop" rules and there is an active, established connection to an IP address resolved via DNS,

      When the TTL of the DNS record expires or the DNS-based ACL is updated to remove the IP from the allowed list,

      Then, the existing connection to the IP should remain open and unaffected. 

      Show
      Given that a DNS-based ACL is configured with both "allow" and "drop" rules and there is an active, established connection to an IP address resolved via DNS, When the TTL of the DNS record expires or the DNS-based ACL is updated to remove the IP from the allowed list, Then, the existing connection to the IP should remain open and unaffected. 
    • rhel-sst-network-fastdatapath
    • ssg_networking
    • FDP 24.H, FDP 25.A

      For DNS name resolution feature, we reference allowed IPs in the ACL. IP's TTL may expire based on the DNS record, but it doesn't mean the existing connection should be dropped, only that new connections to that IP should not be allowed.

      In an ideal world, I would like to store dnsNameID in the conntrack entry, so that the workflow would look like

      dnsNameID := encode(dns-name)

      acl.Action = allow-related && ct.label=dnsNameID

      acl.Match = ip4.dst == <currently allowed ips> || ct.label == "dnsNameID"

      (ct.label here is a very abstract thing)

      That would allow dropping established connections when dnsName should not be allowed anymore.

      Another option is just to always allow established connections for a given acl, so that we could just use a new acl.Action = allow-related+allow-established. This should be easier to implement, but won't allow breaking connections that should not be allowed anymore.

      Let me know if you have more questions/better ideas to solve the problem.

              mmichelson Mark Michelson
              npinaeva@redhat.com Nadia Pinaeva
              Jianlin Shi Jianlin Shi
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: