northd: Add option to enable conntrack for the LSP whose peer is l3dgw_port

[shylou]

By default, OVN skips the conntrack process for router type LSP within a LS. It seems unnecessary for the LSP whose peer is l3dgw_port. Therefore, we introduce a new option named 'enable_conntrack', which defaults to false and can be set true to enable conntrack for the LSP whose peer is l3dgw_port.

And then we can implement l3 gateway stateful firewall, for example:

prelude: R1-S1 is a l3dgw_port
ovn-nbctl pg-add pg_dgw
ovn-nbctl pg-set-ports pg_dgw S1-R1
ovn-nbctl acl-add pg_dgw from-lport 1002 "inport == @pg_dgw && ip4" allow-related
ovn-nbctl acl-add pg_dgw to-lport 1003 "outport == @pg_dgw && ip4" allow-related
ovn-nbctl lsp-set-options S1-R1 router-port=R1-S1 enable_conntrack=true

NOTE: this option only works for the LSP whose peer is l3dgw_port.

#225

[shylou]

It looks the CI environment has problems @dceara

[dceara]

It looks the CI environment has problems @dceara

This is the error the CI is hitting: https://github.com/ovn-org/ovn/actions/runs/7017869125/job/19092070388?pr=226#step:8:2991

That's because of your change here:
https://github.com/ovn-org/ovn/pull/226/files#diff-9929cba282db9475dd8343b95e3b6a564d80dcef2f7a4594774fdc9ddd955df2R1135-R1139

That's an invalid xml there. I suspect that once that's fixed the builds will succeed too.

Regards,
Dumitru

[shylou]

@dceara hi, I do not know why Cirrus CI failed. Could you give me any suggestions?

make[3]: Leaving directory '/tmp/cirrus-ci-build/ovn-23.09.90/_build/sub'
make  check-local
make[3]: Entering directory '/tmp/cirrus-ci-build/ovn-23.09.90/_build/sub'
set /bin/sh '../../tests/testsuite' -C tests AUTOTEST_PATH=/tmp/cirrus-ci-build/ovs/utilities:/tmp/cirrus-ci-build/ovs/vswitchd:/tmp/cirrus-ci-build/ovs/ovsdb:/tmp/cirrus-ci-build/ovs/vtep:tests:::controller-vtep:northd:utilities:controller:ic; \
"$@" -j4 1001- || \
(test -z "$(find /tmp/cirrus-ci-build/ovn-23.09.90/_build/sub/tests/testsuite.dir -name 'sanitizers.*')" && \
 test X'no' = Xyes && "$@" --recheck)
invalid test group: 1001
find: ‘/tmp/cirrus-ci-build/ovn-23.09.90/_build/sub/tests/testsuite.dir’: No such file or directory
make[3]: *** [Makefile:3769: check-local] Error 1
make[3]: Leaving directory '/tmp/cirrus-ci-build/ovn-23.09.90/_build/sub'
make[2]: *** [Makefile:3000: check-am] Error 2
make[2]: Leaving directory '/tmp/cirrus-ci-build/ovn-23.09.90/_build/sub'
make[1]: *** [Makefile:3002: check] Error 2
make[1]: Leaving directory '/tmp/cirrus-ci-build/ovn-23.09.90/_build/sub'
make: *** [Makefile:2920: distcheck] Error 1
+ cat '*/_build/sub/tests/testsuite.log'
cat: '*/_build/sub/tests/testsuite.log': No such file or directory
+ return 1
+ stable_rc=1
+ '[' '' ']'
+ [[ 1 -ne 0 ]]
+ exit 1
����

[dceara]

@shylou you need to rebase, that's fixed by 5ef2a08

[shylou]

@shylou you need to rebase, that's fixed by 5ef2a08

ok! thx @dceara

[dceara]

@shylou, thanks for the PR, the approach looks OK overall, I did leave some comments though.

On the functionality itself, @numansiddique had added the code to skip router ports from conntrack to avoid extra recirculations with the idea that firewall rules are normally applied on VIF ports only.

When your option is configured we now support a different type of behavior. That's fine, i think, but I wanted to double check with Numan to see what he thinks too.

[numansiddique]

@shylou, thanks for the PR, the approach looks OK overall, I did leave some comments though.

On the functionality itself, @numansiddique had added the code to skip router ports from conntrack to avoid extra recirculations with the idea that firewall rules are normally applied on VIF ports only.

When your option is configured we now support a different type of behavior. That's fine, i think, but I wanted to double check with Numan to see what he thinks too.

Its fine with me too to add this option.
I don't like the option name - "enable_conntrack". Using conntrack for ACLs is internal to OVN.
However I'm OK if you can't find a better name.

Thanks

[shylou]

@shylou, thanks for the PR, the approach looks OK overall, I did leave some comments though.
On the functionality itself, @numansiddique had added the code to skip router ports from conntrack to avoid extra recirculations with the idea that firewall rules are normally applied on VIF ports only.
When your option is configured we now support a different type of behavior. That's fine, i think, but I wanted to double check with Numan to see what he thinks too.

Its fine with me too to add this option. I don't like the option name - "enable_conntrack". Using conntrack for ACLs is internal to OVN. However I'm OK if you can't find a better name.

Thanks

@numansiddique thanks for your review!

[shylou]

@dceara @numansiddique hi，please review this new patch.

[dceara]

@shylou This needs a very small rebase (minor conflict in the NEWS file). Also, please address @numansiddique's comment about changing the option name from "enable_conntrack" to something else; maybe we can call it enable-router-port-acl or something like that?

[shylou]

@shylou This needs a very small rebase (minor conflict in the NEWS file). Also, please address @numansiddique's comment about changing the option name from "enable_conntrack" to something else; maybe we can call it enable-router-port-acl or something like that?

@dceara OK! I will upgrade it as soon as possible.

[shylou]

@dceara @numansiddique please feel free to review the new patch.

[dceara]

Overall it looks OK to me, I left a few more minor comments. I'll wait for @numansiddique to comment too.

[dceara]

I didn't test it but this looks OK to me.

[dceara]

In case this goes in:

Acked-by: Dumitru Ceara <[email protected]>

[numansiddique]

Same here. I don't think we can just ignore and remove this "else if".

@dceara Wdyt ?

[dceara]

@numansiddique I guess you meant "I think we can just ignore and remove.." right?

[numansiddique]

Yes I meant the same. Sorry for the typo

[numansiddique]

Submitted the patch with the below changes to the ovs-dev mailing list. Once the CI passes I'll apply this patch.

https://patchwork.ozlabs.org/project/ovn/patch/[email protected]/

diff --git a/northd/northd.c b/northd/northd.c
index 34d13a900c..952f8200d4 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -2831,17 +2831,9 @@ join_logical_ports(const struct sbrec_port_binding_table *sbrec_pb_table,
             }
 
             /* Only used for the router type LSP whose peer is l3dgw_port */
-            if (smap_get(&op->nbsp->options, "enable_router_port_acl")) {
-                if (op->peer && is_l3dgw_port(op->peer)) {
-                    op->enable_router_port_acl = smap_get_bool(&op->nbsp->options,
-                                              "enable_router_port_acl", false);
-                } else {
-                    static struct vlog_rate_limit rl =
-                        VLOG_RATE_LIMIT_INIT(5, 1);
-                    VLOG_WARN_RL(&rl, "enable_router_port_acl option is not "
-                                      "supported on logical port %s",
-                                      op->nbsp->name);
-                }
+            if (op->peer && is_l3dgw_port(op->peer)) {
+                op->enable_router_port_acl = smap_get_bool(
+                    &op->nbsp->options, "enable_router_port_acl", false);
             }
         } else if (op->nbrp && op->nbrp->peer && !op->l3dgw_port) {
             struct ovn_port *peer = ovn_port_find(ports, op->nbrp->peer);
@@ -2860,13 +2852,6 @@ join_logical_ports(const struct sbrec_port_binding_table *sbrec_pb_table,
                                  "port %s is a switch port", op->key);
                 }
             }
-        } else if (op->nbsp && !lsp_is_router(op->nbsp)) {
-            /* Only used for the router type LSP whose peer is l3dgw_port */
-            if (smap_get(&op->nbsp->options, "enable_router_port_acl")) {
-                static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);
-                VLOG_WARN_RL(&rl, "enable_router_port_acl option is not supported "
-                                    "on logical port %s", op->nbsp->name);
-            }
         }
     }
 
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 98cf7adb43..f1eb9ecb1b 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -438,7 +438,12 @@
       <code>Pre-stateful</code> to send IP packets to the connection tracker
       before eventually advancing to ingress table <code>ACLs</code>. If
       special ports such as route ports or localnet ports can't use ct(), a
-      priority-110 flow is added to skip over stateful ACLs. Multicast, IPv6
+      priority-110 flow is added to skip over stateful ACLs.  This
+      priority-110 flow is not addd for router ports if the option
+      enable_router_port_acl is set to true in
+      <ref column="options:enable_router_port_acl"
+      table="Logical_Switch_Port" db="OVN_Northbound"/> column of
+      <ref table="Logical_Switch_Port" db="OVN_Northbound"/>.  Multicast, IPv6
       Neighbor Discovery and MLD traffic also skips stateful ACLs. For
       "allow-stateless" ACLs, a flow is added to bypass setting the hint for
       connection tracker processing when there are stateful ACLs or LB rules;

[numansiddique]

Patch applied - 9a0f307

Closing the PR