ovn安全组总结

本文将针对ovn实现安全组进行技术总结,分为ovn插件安全组实现,ovn逻辑流表,openflow流表三部分进行介绍,其中还会补充介绍ovn相关的一些协议和技术。

ovn基础概念

开头部分介绍几个ovn(ovs)的基础概念。
ovn-arch

tunnel_key

ovn会在创建ovn datapath的时候,为它们分配一个唯一的tunnel _key,并同步到南向流表(详见ovn代码build_datapath函数),如下datapath逻辑路由器和逻辑网络,可以看到share_router的key是3,share_net的key是1:

()[root@ovn-ovsdb-sb-0 /]# ovn-sbctl list Datapath_Binding
_uuid : 51e7ecae-4935-4fba-a68e-b385297f8c74
external_ids : {logical-router="0c532506-992e-4430-aea2-c60ee0ffa364", name=neutron-3f26be47-1e01-44b5-b74f-b025f82bb0b6, name2=share_router}
tunnel_key : 3

_uuid : 19902b04-1fe5-411d-9516-749fa1500376
external_ids : {logical-switch="301f9dc3-66c1-4667-9ddb-63bc8e2f2d6f", name=neutron-1489889a-d027-462d-8d17-014852f27b5a, name2=share_net}
tunnel_key : 1

创建ovn port时,为port分配其所在datapath下唯一的tunnel_key,并同步到南向流表(详见ovn代码build_ports函数),如下port在南向的数据,三张网卡属于同一个switch,其中两个是子网接口:

()[root@ovn-ovsdb-sb-0 /]# ovn-sbctl list Port_Binding 
_uuid : d48080ec-8563-43f7-ba5d-8e5ff87045ec
datapath : 19902b04-1fe5-411d-9516-749fa1500376
external_ids : {"neutron:cidrs"="192.168.111.1/24", "neutron:device_id"="3f26be47-1e01-44b5-b74f-b025f82bb0b6", "neutron:device_owner"="network:router_interface", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_name"="", "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="3", "neutron:security_group_ids"=""}
logical_port : "a7e8a001-4c92-4eb9-95ac-7696993ae9b2"
mac : [router]
options : {peer=lrp-a7e8a001-4c92-4eb9-95ac-7696993ae9b2}
tunnel_key : 1
type : patch

_uuid : 05870332-50f9-4122-a123-21b1c465272b
datapath : 19902b04-1fe5-411d-9516-749fa1500376
external_ids : {"neutron:cidrs"="192.168.222.1/24", "neutron:device_id"="3f26be47-1e01-44b5-b74f-b025f82bb0b6", "neutron:device_owner"="network:router_interface", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_name"="", "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="3", "neutron:security_group_ids"=""}
logical_port : "cabdccc3-8a9c-428f-a678-5fed80d72d17"
mac : [router]
options : {peer=lrp-cabdccc3-8a9c-428f-a678-5fed80d72d17}
tunnel_key : 5
type : patch

_uuid : 93eb8dd5-0071-4ee9-8c31-371a95f2db57
chassis : 8209d6dc-0809-416b-a1a9-0f4f5a0e617f
datapath : 19902b04-1fe5-411d-9516-749fa1500376
external_ids : {name=instance-DNWPye_share_net_5a03dfba, "neutron:cidrs"="192.168.111.175/24", "neutron:device_id"="ab98829d-26c0-439a-b930-dd24ccad78d7", "neutron:device_owner"="compute:default-az", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_fip"="172.16.10.101", "neutron:port_name"=instance-DNWPye_share_net_5a03dfba, "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="5", "neutron:security_group_ids"="fac16449-d03f-4880-b361-383b3c893ee0"}
logical_port : "b5ca6f69-eb6d-4496-8df0-e558e1552167"
mac : ["fa:16:3e:e8:dd:6b 192.168.111.175"]
options : {requested-chassis=node-1.domain.tld}
tunnel_key : 2
type : ""

以上资源归纳如下:

tunnel_key在ovn流表中起到了标识流的来源和去向的作用,怎么理解呢,ovn使用了如下三个寄存器:

  • reg14:logical input port field,标识入口tunnel_key
  • reg15:logical output port field,标识出口tunnel_key
  • metadata:logical datapath field,标识所属的datapath的tunnel_key

ovn-controller在转换成openflow流表时,通过metadata+reg14标识流的来源,通过metadata+reg15标识流的去向。
举个例子:上面提到的网卡b5ca6f69-eb6d-4496-8df0-e558e1552167的tunnel_key是2,所属datapath的tunnel_key是1,上联的是tapb5ca6f69

在openflow table0中标记了入口reg14=0x2,metadata=0x1:

cookie=0x0, duration=967010.862s, table=0, n_packets=93, n_bytes=16890, priority=100,
in_port="tapb5ca6f69-eb" actions=load:0xc->NXM_NX_REG13[],load:0x5->NXM_NX_REG11[],
load:0x6->NXM_NX_REG12[],load:0x1->OXM_OF_METADATA[],
load:0x2->NXM_NX_REG14[],resubmit(,8)

在table25标记了出口reg15=0x2:

cookie=0x0, duration=1057442.127s, table=65, n_packets=118, n_bytes=19390, priority=100,
reg15=0x2,metadata=0x1 actions=output:"tapb5ca6f69-eb"

logical port

上面提到的logical port,这种port主要是通过neutron create_port方式创建后的端口。
除此之外还有以下类型的端口,需要注意:

  • localport端口:逻辑交换机和VIF之间的本地连接点。比如说使用Localport端口将metedata提供给驻留在每个hypervisor上的虚拟机。
  • localnet端口:逻辑交换机和物理网络之间的连接点。即连接br-xx和br-int的patch端口,比如创建vlan network后,会生成命名为provnet-xxx的逻辑port(geneve网络没有),在ovs上会看到br-int与br-xx建立了patch。该patch就用于与物理网络通信。
  • patch端口:表示逻辑交换机和逻辑路由器之间的连接点,比如创建子网接口后,会自动生成逻辑path端口用于子网和路由器,目前看来逻辑patch不会在ovs上生成。

pipeline

ovn通过流水线pipleline的方式处理逻辑流表,分为ingress和egress两个阶段:

  • ingress的逻辑流表从table0开始(对应ovs流表从table8开始),安全组部分从table0~table6会涉及
  • egress的逻辑流表从table0开始(对应ovs流表从table40开始),安全组部分从table0~table4会涉及

逻辑flow标记了所处的stage(ovn源码PIPELINE_STAGES),通过stage名称可以帮助了解flow的作用,类似这种:
table=0 (ls_in_port_sec_l2 )

ovs conntrack

ovs-conntrack
ovs的conntrack功能增加了ct流表的概念,将需要跟踪状态的报文提交进ct里去,标记连接状态,供后续报文查询连接状态使用。
conntrack-fileds
每个以”+“为前缀的标志,表示必须设置,或者以”-“为前缀的标志表示不能设置。这里面的zone用来隔离不同的跟踪会话,避免与其他会话冲突,ovn同步给ovs时使用reg13标记zone:

  • reg13:Logical conntrack zone for lports
    不过报文不走ct会对性能有很大提升,所以对性能有要求的场景建议使用无状态的acl。

ovn插件实现安全组

最新neutron已经将networking-ovn插件合并,纳入为一种ml2 driver,并实现了安全组功能。安全组的实现里引入了ovn的port group的功能。

ovn ml2 driver会在创建安全组的过程中,先创建好port group,然后配置acl规则到该port group,新增或删除port的时候,都会调用port group命令调整内部列表。所以port就不会直接与安全组打交道,而只是在port group内进行增删。

创建安全组:
_create_security_group
-->create_security_group
-->txn.add(self._nb_idl.pg_add( 添加命名qg-安全组id的port group
name=name, acls=[], external_ids=ext_ids))
-->add_acls_for_sg_port_group 给port group配置acl规则
------------------------------------------------------------------------------------------
创建port配置安全组:
注意会先过滤掉device_owner为"network:"的port,然后将符合条件的port添加进port group里
txn.add(self._nb_idl.pg_add_ports(
utils.ovn_port_group_name(sg), port_cmd))

接下来,介绍几个处理细节。

规则direction

社区的安全组规则对应到ovn的acl时,实际的acl是作用到虚机上联的br-int上,所以作用的方向需要注意,常见的ovn acl命令如下:

from-lport  1002 (inport == @pg_99ead3ac_2539_49d2_b8fa_f46116a22955 && ip4) allow-related
to-lport 1002 (outport == @pg_99ead3ac_2539_49d2_b8fa_f46116a22955 && ip4 && ip4.src == $pg_99ead3ac_2539_49d2_b8fa_f46116a22955_ip4) allow-related

虚机端口出来的流量即egress,对应logic port就是入方向,到acl上是from-lport并指定logic port为inport;
进入虚机端口的流量即ingress,对应logic port就是出方向,到acl上是to-lport并指定logic port为outport。

规则优先级

安全组规则在配置给ovn时,指定了一个较高的优先级,目前插件侧设置为:

ACL_PRIORITY_ALLOW = 1002
ACL_PRIORITY_DROP = 1001

这里有个需要注意的地方,查看acl规则对应logic流表,会发现优先级变成了2002和2001:

table=4 (ls_out_acl), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == @pg_f3a6bf24_858f_482f_81e8_eb450c527605 && ip4 && ip4.src == $pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4)), action=(next;)

原因是ovn进行了修改增加了1000,避免与其它硬编码的flow优先级冲突:

/* Due to various hard-coded priorities need to implement ACLs, the
* northbound database supports a smaller range of ACL priorities than
* are available to logical flows. This value is added to an ACL
* priority to determine the ACL's logical flow priority. */
#define OVN_ACL_PRI_OFFSET 1000

allowed_address_pairs

插件调用ovn_client处理create_port时,会先获取port的addresses列表,包括allowed_address_pairs。
在调用ovn-client进行port创建/更新时,会将address配置进logic port里去。所以在ovn实现安全防护的时候,它只会允许addresses列表里的ip/mac通过。
举个例子,给port配置了allowed_address_pairs地址为10.0.0.3:

()[root@busybox-openstack-74787f576-pkffm /]# neutron port-show instance-DNWPye_share_net_5a03dfba -c allowed_address_pairs -c fixed_ips
+-----------------------+----------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+----------------------------------------------------------------------------------------+
| allowed_address_pairs | {"ip_address": "10.0.0.3", "mac_address": "fa:16:3e:e8:dd:6b"} |
| fixed_ips | {"subnet_id": "d39ae184-1c71-4aff-a4ba-9efad08e32ce", "ip_address": "192.168.111.175"} |
+-----------------------+----------------------------------------------------------------------------------------+

然后查看logic 流表,生成了允许10.0.0.3和192.168.111.175通过的规则,其余ip将被丢弃:

ingress:
table=1 (ls_in_port_sec_ip ), priority=90 , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == {192.168.111.175, 10.0.0.3}), action=(next;)
table=1 (ls_in_port_sec_ip ), priority=80 , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip), action=(drop;)
egress:
table=8 (ls_out_port_sec_ip ), priority=90 , match=(outport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.dst == fa:16:3e:e8:dd:6b && ip4.dst == {255.255.255.255, 224.0.0.0/4, 192.168.111.175, 10.0.0.3}), action=(next;)
table=8 (ls_out_port_sec_ip ), priority=80 , match=(outport == "c4c13c68-b786-4859-aded-131a4ac44897" && eth.dst == fa:16:3e:95:34:c5 && ip), action=(drop;)

remote_group_id

插件配置远端安全组时,通过获取远端安全组的port group,然后将远端安全组的ip集合作为匹配规则中源ip和目的ip,类似这样‘‘pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4’’:

match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == @pg_f3a6bf24_858f_482f_81e8_eb450c527605 && ip4 && ip4.src == $pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4)))

远端安全组的ip集合命名如下:

def ovn_pg_addrset_name(sg_id, ip_version):
# The name of the address set for the given security group id modelled as a
# Port Group and ip version. The format is:
# pg-<security group uuid>-<ip version>
# with all '-' replaced with '_'. This replacement is necessary
# because OVN doesn't support '-' in an address set name.
return ('pg-%s-%s' % (sg_id, ip_version)).replace('-', '_')

neutron_pg_drop

插件启动之初,也就是进程pre_fork阶段,会首先创建一个名为neutron_pg_drop的port group,配置的acl动作是drop。加入该port group需要满足以下条件:

  • 非trusted port,即device_owner不为空,且值不是以network:开头的
  • port _security为enable

总结来说,虚机的port是会被纳入到neutron_pg_drop中的,当访问虚机相关的流量没有匹配到安全组规则时,将会匹配neutron_pg_drop对应的规则,即报文丢弃。不过该设计会导致单个pg_drop性能问题,我们对其进行了修改,不使用唯一port-group去存,而是以network为单位创建pg_drop。

逻辑流表实现安全组

以网卡b5ca6f69-eb6d-4496-8df0-e558e1552167为例子,reg14=0x2metadata=0x1,分析ingress逻辑流表。
table0(ls_in_port_sec_l2),ovs参照table8:

build_lswitch_lflows_admission_control:
源地址多播/组播丢弃:
table=0 (ls_in_port_sec_l2 ), priority=100 , match=(eth.src[40]), action=(drop;)
vlan透传报文丢弃(未启用vlan pass的话):
table=0 (ls_in_port_sec_l2 ), priority=100 , match=(vlan.present), action=(drop;)
build_port_security_l2:
允许网卡eth.src报文通过:
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == {fa:16:3e:e8:dd:6b}), action=(next;)

table1(ls_in_port_sec_ip),ovs参照table9:

build_port_security_ip(port_security,allowed-address-pairs):
允许dhcp报文和allowed-address-pairs,其余ip报文丢弃:
table=1 (ls_in_port_sec_ip ), priority=90 , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(next;)
table=1 (ls_in_port_sec_ip ), priority=90 , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == {192.168.111.175, 10.0.0.3}), action=(next;)
table=1 (ls_in_port_sec_ip ), priority=80 , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip), action=(drop;)
build_lswitch_input_port_sec_od:
table=1 (ls_in_port_sec_ip ), priority=0 , match=(1), action=(next;)

table2(ls_in_port_sec_nd),ovs参照table10:

build_port_security_nd:
虚机发出的arp报文必须和allowed-address-pairs匹配,否则丢弃,防止arp欺骗:
table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && arp.sha == fa:16:3e:e8:dd:6b && arp.spa == {192.168.111.175,10.0.0.3}), action=(next;)
table=2 (ls_in_port_sec_nd ), priority=80 , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && (arp || nd)), action=(drop;)
build_lswitch_input_port_sec_od:
table=2 (ls_in_port_sec_nd ), priority=0 , match=(1), action=(next;)

table3(ls_in_pre_acl),ovs参照table11:

build_pre_acls:
子网接口将跳过状态acl,它们作为ingress的reg14分别为0x5和0x1:
table=3 (ls_in_pre_acl ), priority=110 , match=(ip && inport == "a7e8a001-4c92-4eb9-95ac-7696993ae9b2"), action=(next;)
table=3 (ls_in_pre_acl ), priority=110 , match=(ip && inport == "cabdccc3-8a9c-428f-a678-5fed80d72d17"), action=(next;)
ipv6邻居协议,路由协议报文,icmp4/6不可达报文,tcp rst报文将跳过状态acl:
table=3 (ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra || icmp4.type == 3 || icmp6.type == 1 || (tcp && tcp.flags == 4)), action=(next;)
状态acl预处理,reg0[0]赋值1(REGBIT_CONNTRACK_DEFRAG标记ip分片重组):
table=3 (ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[0] = 1; next;)
table=3 (ls_in_pre_acl ), priority=0 , match=(1), action=(next;)

table4(ls_in_pre_lb),ovs参照table12:

build_pre_lb:
table=4 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra), action=(next;)
table=4 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;)

table5(ls_in_pre_stateful),ovs参照table13:

build_pre_stateful:
标记过reg0[0]的报文纳入状态跟踪:
table=5 (ls_in_pre_stateful ), priority=100 , match=(reg0[0] == 1), action=(ct_next;)
table=5 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)

table6(ls_in_acl),ovs参照table14:

build_acls:
创建最高优先级的acl,允许与已存在的状态跟踪相关的报文通过:
table=6 (ls_in_acl ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
创建最高优先级的acl,允许已建立状态跟踪的回复报文通过:
table=6 (ls_in_acl ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
创建最高优先级的acl,丢弃无效状态的报文:
table=6 (ls_in_acl ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
table=6 (ls_in_acl ), priority=65535, match=(nd), action=(next;)

创建安全组规则的acl,允许inport为安全组port group的报文通过:
table=6 (ls_in_acl ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip4)), action=(next;)
table=6 (ls_in_acl ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip6)), action=(next;)
table=6 (ls_in_acl ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip4)), action=(reg0[1] = 1; next;)
table=6 (ls_in_acl ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip6)), action=(reg0[1] = 1; next;)
创建安全组规则的acl,丢弃inport来自neutron_pg_drop的报文:
table=6 (ls_in_acl ), priority=2001 , match=((!ct.est || (ct.est && ct_label.blocked == 1)) && (inport == @neutron_pg_drop && ip)), action=(/* drop */)
table=6 (ls_in_acl ), priority=2001 , match=(ct.est && ct_label.blocked == 0 && (inport == @neutron_pg_drop && ip)), action=(ct_commit(ct_label=1/1); /* drop */)

table=6 (ls_in_acl ), priority=1 , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[1] = 1; next;)
table=6 (ls_in_acl ), priority=0 , match=(1), action=(next;)

ovs流表实现安全组

上文提到的逻辑流表,对照openflow流表如下:

table8:
源地址多播/组播丢弃:
cookie=0x6f1dbc42, duration=966129.895s, table=8, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=100,metadata=0x1,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
vlan透传报文丢弃(未启用vlan pass的话):
cookie=0x35965f1e, duration=966203.206s, table=8, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=100,metadata=0x1,vlan_tci=0x1000/0x1000 actions=drop (https://blog.csdn.net/u012124304/article/details/103211105)
允许该网卡的eth.src报文通过:
cookie=0xd2362303, duration=966463.937s, table=8, n_packets=93, n_bytes=16890, idle_age=4216, hard_age=65534, priority=50,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b actions=resubmit(,9)


table9:
允许该网的卡dhcp报文和allowed-address-pairs,其余ip报文丢弃:
cookie=0x6953fb29, duration=968411.177s, table=9, n_packets=0, n_bytes=0, priority=90,udp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=resubmit(,10)
cookie=0x120781d1, duration=968411.185s, table=9, n_packets=49, n_bytes=15332, priority=90,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=192.168.111.175 actions=resubmit(,10)
cookie=0x2ff58c89, duration=49.356s, table=9, n_packets=0, n_bytes=0, priority=90,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=10.0.0.3 actions=resubmit(,10)
cookie=0x1fab468e, duration=968411.188s, table=9, n_packets=0, n_bytes=0, priority=80,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b actions=drop
cookie=0xfbeb7eae, duration=968411.192s, table=9, n_packets=192, n_bytes=68946, priority=0,metadata=0x1 actions=resubmit(,10)

table10:
虚机发出的arp报文必须和allowed-address-pairs匹配,否则丢弃,防止arp欺骗:
cookie=0xbf374718, duration=968411.182s, table=10, n_packets=46, n_bytes=1932, priority=90,arp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,arp_spa=192.168.111.175,arp_sha=fa:16:3e:e8:dd:6b actions=resubmit(,11)
cookie=0xed2936cb, duration=23433.135s, table=10, n_packets=0, n_bytes=0, priority=90,arp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,arp_spa=10.0.0.3,arp_sha=fa:16:3e:e8:dd:6b actions=resubmit(,11)
cookie=0xe858f8f3, duration=968411.185s, table=10, n_packets=0, n_bytes=0, priority=80,arp,reg14=0x2,metadata=0x1 actions=drop
cookie=0x53f76439, duration=968411.188s, table=10, n_packets=195, n_bytes=82346, priority=0,metadata=0x1 actions=resubmit(,11)

table11:
两个子网接口ingress时reg14=0x1和reg14=0x5,ovn将跳过对其进行状态acl:
cookie=0x14018c1f, duration=1057442.112s, table=11, n_packets=167, n_bytes=95460, priority=110,ip,reg14=0x1,metadata=0x1 actions=resubmit(,12)
cookie=0x3380f1d7, duration=948268.302s, table=11, n_packets=351, n_bytes=162148, priority=110,ip,reg14=0x5,metadata=0x1 actions=resubmit(,12)
ipv6邻居协议,路由协议报文,icmp4/6不可达报文,tcp rst报文将跳过状态acl:
cookie=0xab9fff1, duration=968411.193s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,12)
cookie=0xab9fff1, duration=968411.188s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=134,icmp_code=0 actions=resubmit(,12)
cookie=0xab9fff1, duration=968411.185s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=133,icmp_code=0 actions=resubmit(,12)
cookie=0xab9fff1, duration=968411.183s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,12)
cookie=0xab9fff1, duration=968411.191s, table=11, n_packets=0, n_bytes=0, priority=110,tcp6,metadata=0x1,tcp_flags=rst actions=resubmit(,12)
cookie=0xab9fff1, duration=968411.188s, table=11, n_packets=0, n_bytes=0, priority=110,tcp,metadata=0x1,tcp_flags=rst actions=resubmit(,12)
cookie=0xab9fff1, duration=968411.190s, table=11, n_packets=2, n_bytes=226, priority=110,icmp,metadata=0x1,icmp_type=3 actions=resubmit(,12)
cookie=0xab9fff1, duration=968411.181s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,icmp_type=1 actions=resubmit(,12)
状态acl预处理,reg0[0]赋值1(REGBIT_CONNTRACK_DEFRAG标记ip分片重组):
cookie=0x7d898487, duration=968411.187s, table=11, n_packets=49, n_bytes=15332, priority=100,ip,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,12)
cookie=0x7d898487, duration=968411.182s, table=11, n_packets=0, n_bytes=0, priority=100,ipv6,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,12)
cookie=0x293449e5, duration=968411.193s, table=11, n_packets=46, n_bytes=1932, priority=0,metadata=0x1 actions=resubmit(,12)

table12:
cookie=0xa4a37e36, duration=1034058.339s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=133,icmp_code=0 actions=resubmit(,13)
cookie=0xa4a37e36, duration=1034058.336s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=134,icmp_code=0 actions=resubmit(,13)
cookie=0xa4a37e36, duration=1034058.336s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,13)
cookie=0xa4a37e36, duration=1034058.328s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,13)
cookie=0x8c6fe364, duration=1034058.337s, table=12, n_packets=247, n_bytes=85400, priority=0,metadata=0x1 actions=resubmit(,13)

table13:
标记过reg0[0]的报文纳入状态跟踪,reg13标记zone:
cookie=0x24a1efe4, duration=1034058.328s, table=13, n_packets=52, n_bytes=16328, priority=100,ip,reg0=0x1/0x1,metadata=0x1 actions=ct(table=14,zone=NXM_NX_REG13[0..15])
cookie=0x2201969c, duration=1034058.334s, table=13, n_packets=195, n_bytes=69072, priority=0,metadata=0x1 actions=resubmit(,14)

table14:
创建最高优先级的acl,允许与已存在的状态跟踪相关的报文通过:
cookie=0xf82466f5, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=-new-est+rel-inv+trk,ct_label=0/0x1,metadata=0x1 actions=resubmit(,15)
创建最高优先级的acl,允许已建立状态跟踪的回复报文通过:
cookie=0xea74928f, duration=1057442.122s, table=14, n_packets=4, n_bytes=392, priority=65535,ct_state=-new+est-rel+rpl-inv+trk,ct_label=0/0x1,metadata=0x1 actions=resubmit(,15)
创建最高优先级的acl,丢弃无效状态的报文:
cookie=0xf5b4b6e8, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=+inv+trk,metadata=0x1 actions=drop
cookie=0xf5b4b6e8, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=+est+rpl+trk,ct_label=0x1/0x1,metadata=0x1 actions=drop
cookie=0xd4194ce2, duration=1057442.119s, table=14, n_packets=0, n_bytes=0, priority=65535,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,15)
cookie=0xd4194ce2, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=65535,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,15)
创建安全组规则的acl,允许来自该网卡匹配规则的报文通过:
cookie=0x30990bd9, duration=1057442.121s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,ipv6,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
cookie=0xd96dfb12, duration=1057442.119s, table=14, n_packets=49, n_bytes=16268, priority=2002,ct_state=+new-est+trk,ip,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
cookie=0xd96dfb12, duration=1057442.119s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0x1/0x1,ip,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
cookie=0x31749d4e, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0/0x1,ip,reg14=0x2,metadata=0x1 actions=resubmit(,15)
cookie=0x30990bd9, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0x1/0x1,ipv6,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
cookie=0x296730c6, duration=1057442.107s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0/0x1,ipv6,reg14=0x2,metadata=0x1 actions=resubmit(,15)
创建默认丢弃的流表(对应逻辑流表中inport为neutron_pg_drop的流表):
cookie=0x3d47ccf1, duration=1057442.116s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,reg14=0x2,metadata=0x1 actions=drop
cookie=0x3d47ccf1, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=+est+trk,ct_label=0x1/0x1,ip,reg14=0x2,metadata=0x1 actions=drop
cookie=0x3d47ccf1, duration=1057442.118s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=-est+trk,ip,reg14=0x2,metadata=0x1 actions=drop
cookie=0x3d47ccf1, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=-est+trk,ipv6,reg14=0x2,metadata=0x1 actions=drop

cookie=0x1454342d, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
cookie=0x1454342d, duration=1057442.121s, table=14, n_packets=0, n_bytes=0, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)

cookie=0x16579627, duration=1057442.121s, table=14, n_packets=575, n_bytes=260428, priority=0,metadata=0x1 actions=resubmit(,15)

个人分析,欢迎指正,若转载请注明出处!