  1. Fast Datapath Product
  2. FDP-879

Implement ACL standalone service


    • Task
    • Resolution: Unresolved
    • Normal
    • OVN
    • 8

      Given a system administrator configures an ACL standalone service specifying access rules in the ACL_Service table,

      When packets pass through the standalone ACL service,

      Then, the ACL service applies the configured access control rules to packets as expected, creates necessary logical flows and assigns connection tracking zones for stateful ACLs.

    • rhel-sst-network-fastdatapath
    • ssg_networking

      For reference on OVN composable services, please see this document: https://docs.google.com/document/d/1GMyxUJbqTaCxCx3hbEGSu6xMRDriMWUK1dKNFpSWlXo/edit

      For this task, you will be implementing the foundation work for standalone services, along with a null/noop service for testing.

      • Database schema changes:
        • Add "ACL_Service" table.
      • northd changes:
        • Create logical flows for each row in the ACL_Service table.
        • Use functions from the "scaffolding" task to create southbound datapath bindings and port bindings for each row in ACL_Service.
      • ovn-controller changes:
        • Ensure that a conntrack zone is assigned for each local Datapath_Binding corresponding to a northd ACL_Service if that ACL service has any stateful ACLs.
      • Tests:
        • Ensure that northd creates expected logical flows for the ACL service.
        • Ensure that changes to a configured ACL or ACL service result in logical flows being rewritten.
        • Ensure that conntrack zones are allocated for local ACL services. Ensure that conntrack zones are not allocated for non-local ACLs, and for 100% stateless ACL services.
        • Ensure that traffic that passes through an ACL service has ACLs applied as expected.
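
The conntrack zone rule from the ovn-controller and test items above, modelled as an added example (not OVN source and not part of the original task): a zone is assigned only to a local service with at least one stateful ACL, and is released when a change makes the service stateless. All type and function names, the 16-zone space and the choice to skip zone 0 are assumptions made for the illustration.

```c
/* Added illustration: every name here is hypothetical, not OVN source. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_ZONES 16   /* constructed, deliberately small zone space */

struct acl { bool stateful; };
struct acl_service {
    const struct acl *acls;  /* ACLs attached to this service */
    size_t n_acls;
    bool local;              /* datapath binding is local to this chassis */
    int zone;                /* assigned conntrack zone, -1 when none */
};

static bool zone_used[MAX_ZONES];

/* Only a local service with at least one stateful ACL needs a zone. */
bool needs_ct_zone(const struct acl_service *s)
{
    for (size_t i = 0; s->local && i < s->n_acls; i++)
        if (s->acls[i].stateful) return true;
    return false;
}

/* Re-run after every ACL or service change. Keeps existing assignments
 * stable, frees zones that are no longer needed, and returns how many
 * services needed a zone but found the zone space exhausted. */
int reconcile_ct_zones(struct acl_service *svcs, size_t n)
{
    int failed = 0;
    for (size_t i = 0; i < n; i++)       /* pass 1: release stale zones */
        if (svcs[i].zone >= 0 && !needs_ct_zone(&svcs[i])) {
            zone_used[svcs[i].zone] = false;
            svcs[i].zone = -1;
        }
    for (size_t i = 0; i < n; i++) {     /* pass 2: assign missing zones */
        if (svcs[i].zone >= 0 || !needs_ct_zone(&svcs[i])) continue;
        int z = 1;                       /* assumption: skip default zone 0 */
        while (z < MAX_ZONES && zone_used[z]) z++;
        if (z == MAX_ZONES) { failed++; continue; }
        zone_used[z] = true;
        svcs[i].zone = z;
    }
    return failed;
}

int main(void)
{
    struct acl constructed[] = { { false }, { true } };
    struct acl_service svc = { constructed, 2, true, -1 };
    return reconcile_ct_zones(&svc, 1) == 0 && svc.zone == 1 ? 0 : 1;
}
```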

              ovnteam@redhat.com OVN Team
              mmichelson Mark Michelson
              Jianlin Shi Jianlin Shi