On 08/24/15 at 05:32pm, Joe Stringer wrote:
> Expose the kernel connection tracker via OVS. Userspace components can
> make use of the CT action to populate the connection state (ct_state)
> field for a flow. This state can be subsequently matched.
>
> Exposed connection states are OVS_CS_F_*:
> - NEW (0x01) - Beginning of a new connection.
> - ESTABLISHED (0x02) - Part of an existing connection.
> - RELATED (0x04) - Related to an established connection.
> - INVALID (0x20) - Could not track the connection for this packet.
> - REPLY_DIR (0x40) - This packet is in the reply direction for the flow.
> - TRACKED (0x80) - This packet has been sent through conntrack.
>
> When the CT action is executed by itself, it will send the packet
> through the connection tracker and populate the ct_state field with one
> or more of the connection state flags above. The CT action will always
> set the TRACKED bit.
>
> When the COMMIT flag is passed to the conntrack action, this specifies
> that information about the connection should be stored. This allows
> subsequent packets for the same (or related) connections to be
> correlated with this connection. Sending subsequent packets for the
> connection through conntrack allows the connection tracker to consider
> the packets as ESTABLISHED, RELATED, and/or REPLY_DIR.
>
> The CT action may optionally take a zone to track the flow within. This
> allows connections with the same 5-tuple to be kept logically separate
> from connections in other zones. If the zone is specified, then the
> "ct_zone" match field will be subsequently populated with the zone id.
>
> IP fragments are handled by transparently assembling them as part of the
> CT action. The maximum received unit (MRU) size is tracked so that
> refragmentation can occur during output.
>
> IP frag handling contributed by Andy Zhou.
>
> Signed-off-by: Joe Stringer <joestringer@xxxxxxxxxx>
> Signed-off-by: Justin Pettit <jpettit@xxxxxxxxxx>
> Signed-off-by: Andy Zhou <azhou@xxxxxxxxxx>

Acked-by: Thomas Graf <tgraf@xxxxxxx>
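The ct_state matching described in the quoted commit message, sketched as a first-match mask/value policy for a stateful filter. This is an added example, not code from the patch or from OVS: the flag values are the ones listed above, while the verdict names, the `ct_rule` layout, the 8-bit field width and the policy itself are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Flag values exactly as listed in the commit message (OVS_CS_F_*). */
#define OVS_CS_F_NEW         0x01
#define OVS_CS_F_ESTABLISHED 0x02
#define OVS_CS_F_RELATED     0x04
#define OVS_CS_F_INVALID     0x20
#define OVS_CS_F_REPLY_DIR   0x40
#define OVS_CS_F_TRACKED     0x80

/* Hypothetical verdicts and rule layout, invented for this sketch. */
enum verdict { SEND_TO_CT, COMMIT_AND_FORWARD, FORWARD, DROP };

struct ct_rule {
    uint8_t mask;          /* ct_state bits the rule inspects */
    uint8_t value;         /* required value of those bits */
    enum verdict verdict;
};

#define TRK OVS_CS_F_TRACKED
#define INV OVS_CS_F_INVALID

/* First match wins. State bits are only trusted once TRACKED is set. */
static const struct ct_rule policy[] = {
    /* Not yet through conntrack: run the CT action, then match again. */
    { TRK, 0, SEND_TO_CT },
    /* Conntrack could not track the packet. */
    { TRK | INV, TRK | INV, DROP },
    /* Start of a connection: CT with COMMIT so later packets correlate. */
    { TRK | INV | OVS_CS_F_NEW, TRK | OVS_CS_F_NEW, COMMIT_AND_FORWARD },
    /* Part of, or related to, a committed connection (either direction). */
    { TRK | INV | OVS_CS_F_ESTABLISHED, TRK | OVS_CS_F_ESTABLISHED, FORWARD },
    { TRK | INV | OVS_CS_F_RELATED, TRK | OVS_CS_F_RELATED, FORWARD },
};

/* Return the verdict of the first rule whose masked bits equal its value. */
enum verdict classify(uint8_t ct_state)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if ((ct_state & policy[i].mask) == policy[i].value)
            return policy[i].verdict;
    }
    return DROP; /* default deny for any unlisted combination */
}
```

Because the first rule keys only on the TRACKED bit, a ct_state that carries NEW or ESTABLISHED without TRACKED is still sent through conntrack rather than being forwarded on the strength of those bits.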