Bug 2134138

Summary: [RFE] Support for hierarchical ACLs, implement skip ACLs to jump to next hierarchy
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Surya Seetharaman <surya>
Component: ovn23.06
Assignee: Mark Michelson <mmichels>
Status: MODIFIED
QA Contact: Ehsan Elahi <eelahi>
Severity: high
Priority: high
Version: FDP 22.L
CC: astoycos, ctrautma, echaudro, jiji, jishi, mmichels
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovn23.06-23.06.0-141.el8fdp
Doc Type: If docs needed, set a value
Type: Bug

Description Surya Seetharaman 2022-10-12 15:00:26 UTC
Description of problem:

ANP, ACL1 - 32000 prio
ANP, ACL2 - 31999 prio - jump to NP ACLs, i.e. skip all ACLs in the range of [32000-3000]
ANP, ACL3 - 31995 prio
ANP, ACL4 - 30000 prio
NP, ACL5 - 1001 prio
NP, ACL6 - 1001 prio
NP, ACL7 - 1001 prio
BANP, ACL8 - 900 prio

Implementation Options:
1) Implement ANP & NP as two stages (probably will need to implement BANP as lower priority to NP - keep it same stage) - will need a new pipeline stage in OVN - we need to be sure ANP will be the last of hierarchies as far as policies go :D
2) Implement ANPs in switches and NPs/BANPs in transit switches or a different router/switch? Not sure… 
3) Trick OVS by setting a flag to resubmit to the same table, so if we matched on the skip ACL then we set flag=1 and rest of the flows in that table for that range are applied only if flag=0? - might be a bit more complicated…

This was discussed in the OVN-OpenShift sync meeting today.

From CMS perspective what we want is for a way to implement the "PASS" Admin Network Policy here, so have a way to say if I hit the PASS ACL rule it will just skip the rest of the ACLs under ANP and go straight to NP evaluation.

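The evaluation order the reporter is asking for (ANP tier first, then NP, then BANP; within a tier highest priority wins; a PASS match ends only the current tier) can be modelled in a few lines. The following is an added example written for this page, not OVN code and not the patch series referenced below; tier numbers, the "pass" action name, the sample ACLs and the sample packets are all constructed here to mirror the table in the description, with ACL3/ACL4 given concrete matches so that the difference between "pass" and "no match" is visible:

```python
"""Model of tiered (hierarchical) ACL evaluation with a PASS action.

Constructed example: tier 0 = AdminNetworkPolicy (ANP), tier 1 =
NetworkPolicy (NP), tier 2 = BaselineAdminNetworkPolicy (BANP).
Tiers are evaluated in ascending order; inside a tier, ACLs are tried
in descending priority and the first match decides, except that a
match on action "pass" only ends the *current* tier and evaluation
continues with the next tier.  If no tier reaches a verdict the
default applies.  This mirrors the semantics requested in the bug,
not OVN's actual data model or flow layout.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]


@dataclass(frozen=True)
class ACL:
    tier: int
    priority: int
    match: Callable[[Packet], bool]
    action: str  # "allow", "drop" or "pass"
    name: str


def evaluate(acls: List[ACL], pkt: Packet,
             default: str = "allow") -> Tuple[str, List[str]]:
    """Return (verdict, names of ACLs that matched on the way)."""
    hits: List[str] = []
    # Sort by tier, then by priority descending.  Note that two ACLs in
    # the same tier with equal priority and overlapping matches have no
    # defined order here, just as in a real flow table.
    ordered = sorted(acls, key=lambda a: (a.tier, -a.priority))
    for tier in sorted({a.tier for a in acls}):
        for acl in (a for a in ordered if a.tier == tier):
            if not acl.match(pkt):
                continue
            hits.append(acl.name)
            if acl.action == "pass":
                break  # skip the rest of this tier, continue with the next
            return acl.action, hits
    # Falls through when nothing matched, or when the last tier "passed".
    return default, hits


def pkt(src_ns: str, dst_ns: str, dst_port: int) -> Packet:
    """Constructed packet metadata: source/destination namespace and port."""
    return {"src_ns": src_ns, "dst_ns": dst_ns, "dst_port": dst_port}


# Constructed ACL set following the priorities listed in the description.
ACLS = [
    # ANP tier
    ACL(0, 32000, lambda p: p["src_ns"] == "untrusted" and p["dst_port"] == 22,
        "drop", "ACL1"),
    ACL(0, 31999, lambda p: p["dst_ns"] == "tenant-a", "pass", "ACL2"),
    ACL(0, 31995, lambda p: p["src_ns"] == "monitoring", "allow", "ACL3"),
    ACL(0, 30000, lambda p: p["dst_port"] == 22, "drop", "ACL4"),
    # NP tier (disjoint matches, so equal priority is unambiguous)
    ACL(1, 1001, lambda p: p["src_ns"] == "tenant-a" and p["dst_ns"] == "tenant-a",
        "allow", "ACL5"),
    ACL(1, 1001, lambda p: p["src_ns"] == "monitoring" and p["dst_ns"] == "tenant-a",
        "allow", "ACL6"),
    ACL(1, 1001, lambda p: p["src_ns"] == "untrusted" and p["dst_ns"] == "tenant-a",
        "drop", "ACL7"),
    # BANP tier
    ACL(2, 900, lambda p: p["dst_ns"] == "tenant-a", "drop", "ACL8"),
]


if __name__ == "__main__":
    for p in (pkt("untrusted", "tenant-a", 22),  # ANP drop, NP never consulted
              pkt("tenant-a", "tenant-a", 22),   # pass skips ACL4, NP allows
              pkt("other", "tenant-a", 80),      # pass, NP silent, BANP drops
              pkt("other", "tenant-b", 80)):     # nothing matches, default
        print(p, "->", evaluate(ACLS, p))
```

The second packet is the case the bug is about: without ACL2 the ANP tier would drop it at ACL4 (port 22), whereas with the PASS match the remaining ANP ACLs are skipped and the NP tier gets to allow it. A PASS in the last tier simply falls through to the default, which is one edge the implementation has to define explicitly.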
Comment 3 Mark Michelson 2023-03-21 18:00:30 UTC
Patch series posted for review here: https://patchwork.ozlabs.org/project/ovn/list/?series=347327

Comment 4 OVN Bot 2023-05-19 04:09:04 UTC
ovn23.06 fast-datapath-rhel-9 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2208427