OVN security group summary

Author: 刘力思 | Source: published 2022-03-26 14:27

    This article is a technical summary of how OVN implements security groups. It is split into three parts: the security group implementation in the OVN plugin, the OVN logical flows, and the OpenFlow flows. Along the way it also introduces a few related OVN protocols and techniques.

    OVN basic concepts

    This opening section introduces a few basic OVN (OVS) concepts.

    [Figure: OVN architecture diagram]

    tunnel_key

    When OVN creates an OVN datapath it assigns it a unique tunnel_key and syncs it to the southbound database (see the build_datapath function in the OVN source). Below are the datapaths of a logical router and a logical switch: share_router has key 3 and share_net has key 1:

    ()[root@ovn-ovsdb-sb-0 /]# ovn-sbctl list Datapath_Binding
    _uuid               : 51e7ecae-4935-4fba-a68e-b385297f8c74
    external_ids        : {logical-router="0c532506-992e-4430-aea2-c60ee0ffa364", name=neutron-3f26be47-1e01-44b5-b74f-b025f82bb0b6, name2=share_router}
    tunnel_key          : 3
    
    _uuid               : 19902b04-1fe5-411d-9516-749fa1500376
    external_ids        : {logical-switch="301f9dc3-66c1-4667-9ddb-63bc8e2f2d6f", name=neutron-1489889a-d027-462d-8d17-014852f27b5a, name2=share_net}
    tunnel_key          : 1
    

    When an OVN port is created it is assigned a tunnel_key that is unique within its datapath, again synced to the southbound database (see the build_ports function in the OVN source). The southbound records below show three ports that belong to the same switch; two of them are subnet (router) interfaces:

    ()[root@ovn-ovsdb-sb-0 /]# ovn-sbctl list Port_Binding 
    _uuid               : d48080ec-8563-43f7-ba5d-8e5ff87045ec
    datapath            : 19902b04-1fe5-411d-9516-749fa1500376
    external_ids        : {"neutron:cidrs"="192.168.111.1/24", "neutron:device_id"="3f26be47-1e01-44b5-b74f-b025f82bb0b6", "neutron:device_owner"="network:router_interface", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_name"="", "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="3", "neutron:security_group_ids"=""}
    logical_port        : "a7e8a001-4c92-4eb9-95ac-7696993ae9b2"
    mac                 : [router]
    options             : {peer=lrp-a7e8a001-4c92-4eb9-95ac-7696993ae9b2}
    tunnel_key          : 1
    type                : patch
    
    _uuid               : 05870332-50f9-4122-a123-21b1c465272b
    datapath            : 19902b04-1fe5-411d-9516-749fa1500376
    external_ids        : {"neutron:cidrs"="192.168.222.1/24", "neutron:device_id"="3f26be47-1e01-44b5-b74f-b025f82bb0b6", "neutron:device_owner"="network:router_interface", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_name"="", "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="3", "neutron:security_group_ids"=""}
    logical_port        : "cabdccc3-8a9c-428f-a678-5fed80d72d17"
    mac                 : [router]
    options             : {peer=lrp-cabdccc3-8a9c-428f-a678-5fed80d72d17}
    tunnel_key          : 5
    type                : patch
    
    _uuid               : 93eb8dd5-0071-4ee9-8c31-371a95f2db57
    chassis             : 8209d6dc-0809-416b-a1a9-0f4f5a0e617f
    datapath            : 19902b04-1fe5-411d-9516-749fa1500376
    external_ids        : {name=instance-DNWPye_share_net_5a03dfba, "neutron:cidrs"="192.168.111.175/24", "neutron:device_id"="ab98829d-26c0-439a-b930-dd24ccad78d7", "neutron:device_owner"="compute:default-az", "neutron:network_name"=neutron-1489889a-d027-462d-8d17-014852f27b5a, "neutron:port_fip"="172.16.10.101", "neutron:port_name"=instance-DNWPye_share_net_5a03dfba, "neutron:project_id"="1e3a5bacc11a46acb1a1803ddaf7bcc1", "neutron:revision_number"="5", "neutron:security_group_ids"="fac16449-d03f-4880-b361-383b3c893ee0"}
    logical_port        : "b5ca6f69-eb6d-4496-8df0-e558e1552167"
    mac                 : ["fa:16:3e:e8:dd:6b 192.168.111.175"]
    options             : {requested-chassis=node-1.domain.tld}
    tunnel_key          : 2
    type                : ""
    

    The resources above, summarised:

    datapath       datapath tunnel_key   logical port                                         port type   port tunnel_key
    share_router   3                     (logical router)
    share_net      1                     a7e8a001-4c92-4eb9-95ac-7696993ae9b2 (router_interface)   patch       1
    share_net      1                     cabdccc3-8a9c-428f-a678-5fed80d72d17 (router_interface)   patch       5
    share_net      1                     b5ca6f69-eb6d-4496-8df0-e558e1552167 (VM port)            ""          2

    In the OVN flows the tunnel_key identifies where a packet comes from and where it is going. OVN uses the following three registers for that:

    • reg14: logical input port field, the tunnel_key of the inport
    • reg15: logical output port field, the tunnel_key of the outport
    • metadata: logical datapath field, the tunnel_key of the datapath the packet belongs to

    When ovn-controller translates logical flows into OpenFlow, metadata+reg14 identifies the source of a flow and metadata+reg15 identifies its destination.
    For example: the port b5ca6f69-eb6d-4496-8df0-e558e1552167 mentioned above has tunnel_key 2, its datapath has tunnel_key 1, and it is attached to the OVS interface tapb5ca6f69-eb.

    In OpenFlow table 0 the ingress port is recorded as reg14=0x2 together with metadata=0x1:

    cookie=0x0, duration=967010.862s, table=0, n_packets=93, n_bytes=16890, priority=100,
     in_port="tapb5ca6f69-eb" actions=load:0xc->NXM_NX_REG13[],load:0x5->NXM_NX_REG11[],
     load:0x6->NXM_NX_REG12[],load:0x1->OXM_OF_METADATA[],
     load:0x2->NXM_NX_REG14[],resubmit(,8)  
    

    In table 65 the egress port is matched with reg15=0x2:

    cookie=0x0, duration=1057442.127s, table=65, n_packets=118, n_bytes=19390, priority=100,
     reg15=0x2,metadata=0x1 actions=output:"tapb5ca6f69-eb"
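As an added example (not code from the original post or from OVN), here is a small Python helper that parses ovn-sbctl list output and resolves the metadata/reg14/reg15 fields of an OpenFlow flow back to a datapath tunnel_key and logical port names, which is what you do by hand when reading br-int flows. The southbound records embedded below are constructed from the ones shown above, trimmed to the fields the helper needs.

```python
"""Map br-int OpenFlow flows back to OVN logical ports using
metadata (datapath tunnel_key) and reg14/reg15 (port tunnel_key)."""
import re

# Constructed sample: abbreviated 'ovn-sbctl list Datapath_Binding' output
# built from the records shown on this page (only the fields we need).
SB_DATAPATHS = """
_uuid               : 19902b04-1fe5-411d-9516-749fa1500376
tunnel_key          : 1

_uuid               : 51e7ecae-4935-4fba-a68e-b385297f8c74
tunnel_key          : 3
"""

# Constructed sample: abbreviated 'ovn-sbctl list Port_Binding' output.
SB_PORT_BINDINGS = """
datapath            : 19902b04-1fe5-411d-9516-749fa1500376
logical_port        : "a7e8a001-4c92-4eb9-95ac-7696993ae9b2"
tunnel_key          : 1

datapath            : 19902b04-1fe5-411d-9516-749fa1500376
logical_port        : "cabdccc3-8a9c-428f-a678-5fed80d72d17"
tunnel_key          : 5

datapath            : 19902b04-1fe5-411d-9516-749fa1500376
logical_port        : "b5ca6f69-eb6d-4496-8df0-e558e1552167"
tunnel_key          : 2
"""


def parse_records(text):
    """Split 'ovn-sbctl list' output into dicts; a blank line separates records."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip().strip('"')
        records.append(rec)
    return records


def build_index(datapaths, port_bindings):
    """Return {(datapath_tunnel_key, port_tunnel_key): logical_port name}."""
    dp_key_by_uuid = {d["_uuid"]: int(d["tunnel_key"]) for d in datapaths}
    index = {}
    for pb in port_bindings:
        dp_key = dp_key_by_uuid[pb["datapath"]]
        index[(dp_key, int(pb["tunnel_key"]))] = pb["logical_port"]
    return index


# Match fields as printed by ovs-ofctl dump-flows, e.g. reg14=0x2,metadata=0x1
FIELD_RE = re.compile(r"\b(metadata|reg14|reg15)=0x([0-9a-f]+)")


def resolve_flow(flow_line, index):
    """Name the logical inport (reg14) / outport (reg15) a flow refers to."""
    fields = {k: int(v, 16) for k, v in FIELD_RE.findall(flow_line)}
    if "metadata" not in fields:
        return {}          # table 0 flows match in_port, not metadata
    out = {"datapath_key": fields["metadata"]}
    for reg, name in (("reg14", "inport"), ("reg15", "outport")):
        if reg in fields:
            out[name] = index.get((fields["metadata"], fields[reg]), "?")
    return out


INDEX = build_index(parse_records(SB_DATAPATHS), parse_records(SB_PORT_BINDINGS))

if __name__ == "__main__":
    # Flow lines taken from this page's table 8 and table 65 dumps.
    for line in (
        "table=8, priority=50,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b actions=resubmit(,9)",
        'table=65, priority=100,reg15=0x2,metadata=0x1 actions=output:"tapb5ca6f69-eb"',
    ):
        print(resolve_flow(line, INDEX))
```

In a real environment you would feed it the output of `ovn-sbctl list Datapath_Binding`, `ovn-sbctl list Port_Binding` and `ovs-ofctl dump-flows br-int` instead of the embedded samples.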
    

    logical port

    The logical ports mentioned above are mainly ports created through the Neutron create_port path.
    There are also the following port types to be aware of:

    • localport: a local attachment point between the logical switch and a VIF. For example, a localport is used to serve metadata to the VMs resident on each hypervisor.
    • localnet: the attachment point between the logical switch and the physical network, i.e. the patch port connecting br-xx and br-int. After a VLAN network is created, a logical port named provnet-xxx is generated (not for Geneve networks), and on OVS you will see a patch between br-int and br-xx. That patch is what carries traffic to the physical network.
    • patch: the attachment point between a logical switch and a logical router. After a subnet interface is added to a router, a logical patch port is generated automatically to connect the subnet and the router; as far as I have seen, logical patch ports do not appear as ports on OVS.

    pipeline

    OVN processes logical flows as a pipeline with two stages, ingress and egress:

    • the ingress logical flows start at table 0 (OVS table 8); the security group parts involve logical tables 0 to 6
    • the egress logical flows also start at table 0 (OVS table 40); the security group parts involve logical tables 0 to 4

    Each logical flow is tagged with its stage (PIPELINE_STAGES in the OVN source); the stage name helps explain what the flow does, e.g.:
    table=0 (ls_in_port_sec_l2 )

    ovs conntrack

    [Figure: OVS conntrack diagram]

    The OVS conntrack feature adds the notion of ct flows: packets whose state needs to be tracked are sent through ct, which records the connection state so that later packets can be matched against it.


    [Figure: conntrack fields / ct_state flags]

    Each flag prefixed with "+" must be set, and each flag prefixed with "-" must not be set. The zone isolates different tracking sessions from each other; when OVN syncs flows to OVS it uses reg13 to carry the zone:

    • reg13: logical conntrack zone for lports

    Note that packets which skip ct are processed much faster, so for performance-sensitive deployments stateless ACLs are preferable.

    Security groups in the OVN plugin

    The networking-ovn plugin has been merged into Neutron as an ML2 driver and implements security groups. The implementation relies on OVN's port group feature.

    When a security group is created, the OVN ML2 driver first creates a port group and then attaches the ACL rules to it. Adding or removing a port only updates the port group's membership through the port group commands, so ports never deal with the security group directly; they are simply added to or removed from the port group.

    Creating a security group:
    _create_security_group
    -->create_security_group
     -->txn.add(self._nb_idl.pg_add(                         add a port group named pg_<security group id>
                    name=name, acls=[], external_ids=ext_ids))
     -->add_acls_for_sg_port_group                            attach the ACL rules to the port group
     ------------------------------------------------------------------------------------------
     Creating a port with a security group:
     note that ports whose device_owner starts with "network:" are filtered out first; the remaining ports are added to the port group
                     txn.add(self._nb_idl.pg_add_ports(
                        utils.ovn_port_group_name(sg), port_cmd))
    

    Next, a few implementation details.

    Rule direction

    When a Neutron security group rule is mapped to an OVN ACL, the ACL is enforced on br-int where the VM attaches, so the direction has to be read with care. Typical OVN ACLs (as shown by ovn-nbctl acl-list) look like this:

    from-lport  1002 (inport == @pg_99ead3ac_2539_49d2_b8fa_f46116a22955 && ip4) allow-related
    to-lport  1002 (outport == @pg_99ead3ac_2539_49d2_b8fa_f46116a22955 && ip4 && ip4.src == $pg_99ead3ac_2539_49d2_b8fa_f46116a22955_ip4) allow-related
    

    Traffic leaving the VM port, i.e. Neutron egress, enters the logical switch through the logical port, so on the ACL it is from-lport with the logical port as inport;
    traffic entering the VM port, i.e. Neutron ingress, leaves the logical switch through the logical port, so on the ACL it is to-lport with the logical port as outport.

    Rule priority

    Security group rules are given a fairly high priority when they are configured into OVN; the plugin currently sets:

    ACL_PRIORITY_ALLOW = 1002
    ACL_PRIORITY_DROP = 1001
    

    One thing to watch out for: when you look at the logical flows generated for these ACLs, the priorities have become 2002 and 2001:

    table=4 (ls_out_acl), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == @pg_f3a6bf24_858f_482f_81e8_eb450c527605 && ip4 && ip4.src == $pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4)), action=(next;)
    

    The reason is that OVN adds 1000 to the ACL priority to avoid clashing with other hard-coded flow priorities:

    /* Due to various hard-coded priorities need to implement ACLs, the
     * northbound database supports a smaller range of ACL priorities than
     * are available to logical flows.  This value is added to an ACL
     * priority to determine the ACL's logical flow priority. */
    #define OVN_ACL_PRI_OFFSET 1000
    

    allowed_address_pairs

    When the plugin handles create_port through ovn_client, it first collects the port's address list, including allowed_address_pairs.
    When the port is created or updated via ovn-client these addresses are written into the logical port, so OVN's port security only lets the IP/MAC pairs from that list through.
    For example, with an allowed_address_pairs entry of 10.0.0.3 configured on the port:

    ()[root@busybox-openstack-74787f576-pkffm /]# neutron port-show instance-DNWPye_share_net_5a03dfba -c allowed_address_pairs -c fixed_ips
    +-----------------------+----------------------------------------------------------------------------------------+
    | Field                 | Value                                                                                  |
    +-----------------------+----------------------------------------------------------------------------------------+
    | allowed_address_pairs | {"ip_address": "10.0.0.3", "mac_address": "fa:16:3e:e8:dd:6b"}                         |
    | fixed_ips             | {"subnet_id": "d39ae184-1c71-4aff-a4ba-9efad08e32ce", "ip_address": "192.168.111.175"} |
    +-----------------------+----------------------------------------------------------------------------------------+
    

    The logical flows then contain rules that let 10.0.0.3 and 192.168.111.175 through and drop every other IP:

    ingress:
    table=1 (ls_in_port_sec_ip  ), priority=90   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == {192.168.111.175, 10.0.0.3}), action=(next;)
    table=1 (ls_in_port_sec_ip  ), priority=80   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip), action=(drop;)
    egress:
    table=8 (ls_out_port_sec_ip ), priority=90   , match=(outport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.dst == fa:16:3e:e8:dd:6b && ip4.dst == {255.255.255.255, 224.0.0.0/4, 192.168.111.175, 10.0.0.3}), action=(next;)
    table=8 (ls_out_port_sec_ip ), priority=80   , match=(outport == "c4c13c68-b786-4859-aded-131a4ac44897" && eth.dst == fa:16:3e:95:34:c5 && ip), action=(drop;)
    

    remote_group_id

    When the plugin configures a rule with a remote security group, it looks up the remote group's port group and uses the remote group's IP address set as the source or destination IP of the match, for example "pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4":

    match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == @pg_f3a6bf24_858f_482f_81e8_eb450c527605 && ip4 && ip4.src == $pg_f3a6bf24_858f_482f_81e8_eb450c527605_ip4))
    

    The remote security group's address set is named as follows:

    def ovn_pg_addrset_name(sg_id, ip_version):
        # The name of the address set for the given security group id modelled as a
        # Port Group and ip version. The format is:
        #   pg-<security group uuid>-<ip version>
        # with all '-' replaced with '_'. This replacement is necessary
        # because OVN doesn't support '-' in an address set name.
        return ('pg-%s-%s' % (sg_id, ip_version)).replace('-', '_')
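The direction, priority and remote-group handling described in the three sections above can be seen end to end in the following Python sketch. It is an added, illustrative reimplementation of what the ML2/OVN driver does, not the driver's own code: the rule dictionary shape and the function names sg_rule_to_acl and default_drop_acls are assumptions made for this example, while the priority constants, the +1000 offset applied by ovn-northd and the pg-/address-set naming follow the page.

```python
"""Translate Neutron security-group rules into OVN ACL rows: direction,
priority, port-group match and remote-group address set.
Illustrative reimplementation for this page, not networking-ovn code."""

ACL_PRIORITY_ALLOW = 1002          # plugin-side constants from the page
ACL_PRIORITY_DROP = 1001
OVN_ACL_PRI_OFFSET = 1000          # added by ovn-northd when building logical flows


def ovn_name(prefix, *parts):
    """OVN names cannot contain '-', so pg-<uuid>[-<ipv>] becomes pg_<uuid>..."""
    return "-".join((prefix,) + parts).replace("-", "_")


def ovn_port_group_name(sg_id):
    return ovn_name("pg", sg_id)


def ovn_pg_addrset_name(sg_id, ip_version):
    return ovn_name("pg", sg_id, ip_version)


def acl_direction(rule_direction):
    """Neutron 'egress' leaves the VM, i.e. enters the logical switch (from-lport).
    Neutron 'ingress' goes to the VM, i.e. leaves the logical switch (to-lport)."""
    if rule_direction == "egress":
        return "from-lport", "inport"
    return "to-lport", "outport"


def sg_rule_to_acl(sg_id, rule):
    """rule: dict (assumed shape) with direction, ethertype and optional
    protocol, port_range_min/max, remote_ip_prefix, remote_group_id."""
    direction, port_field = acl_direction(rule["direction"])
    ipv = "ip4" if rule["ethertype"] == "IPv4" else "ip6"
    match = ["%s == @%s" % (port_field, ovn_port_group_name(sg_id)), ipv]
    # The remote side is the *other* end: source for ingress, destination for egress.
    remote_field = "%s.src" % ipv if rule["direction"] == "ingress" else "%s.dst" % ipv
    if rule.get("remote_ip_prefix"):
        match.append("%s == %s" % (remote_field, rule["remote_ip_prefix"]))
    elif rule.get("remote_group_id"):
        match.append("%s == $%s" % (remote_field,
                                    ovn_pg_addrset_name(rule["remote_group_id"], ipv)))
    proto = rule.get("protocol")
    if proto:
        match.append(proto)
        lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
        if lo and hi and proto in ("tcp", "udp"):
            if lo == hi:
                match.append("%s.dst == %d" % (proto, lo))
            else:
                match.append("%s.dst >= %d && %s.dst <= %d" % (proto, lo, proto, hi))
    return {
        "direction": direction,
        "priority": ACL_PRIORITY_ALLOW,
        "match": " && ".join(match),
        "action": "allow-related",
        # what you will see in ovn-sbctl lflow-list for this ACL
        "lflow_priority": ACL_PRIORITY_ALLOW + OVN_ACL_PRI_OFFSET,
    }


def default_drop_acls(pg_name="neutron_pg_drop"):
    """The catch-all drop rows attached to the neutron_pg_drop port group."""
    return [
        {"direction": "from-lport", "priority": ACL_PRIORITY_DROP,
         "match": "inport == @%s && ip" % pg_name, "action": "drop"},
        {"direction": "to-lport", "priority": ACL_PRIORITY_DROP,
         "match": "outport == @%s && ip" % pg_name, "action": "drop"},
    ]


if __name__ == "__main__":
    sg = "99ead3ac-2539-49d2-b8fa-f46116a22955"
    # Default "allow all egress" and "allow ingress from same group" rules.
    print(sg_rule_to_acl(sg, {"direction": "egress", "ethertype": "IPv4"}))
    print(sg_rule_to_acl(sg, {"direction": "ingress", "ethertype": "IPv4",
                              "remote_group_id": sg}))
```

Running it reproduces the two ACL lines shown in the "Rule direction" section above for that security group id, and the lflow_priority field explains the 2002 seen in the logical flows.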
    

    neutron_pg_drop

    When the plugin starts, in the pre_fork stage of the process, it first creates a port group named neutron_pg_drop whose ACL action is drop. A port is added to this port group when:

    • it is not a trusted port, i.e. device_owner is non-empty and does not start with network:
    • port_security is enabled

    In short, VM ports are placed in neutron_pg_drop, so when traffic to or from a VM matches no security group rule it hits the neutron_pg_drop rules and is dropped. This design, however, turns the single pg_drop into a performance problem, so we changed it: instead of storing everything in one port group we create one pg_drop per network.

    Security groups in the logical flows

    Taking the port b5ca6f69-eb6d-4496-8df0-e558e1552167 as the example (reg14=0x2, metadata=0x1), let's walk through the ingress logical flows.
    table 0 (ls_in_port_sec_l2), OVS table 8:

    build_lswitch_lflows_admission_control:
      drop frames with a multicast/broadcast source MAC:
      table=0 (ls_in_port_sec_l2  ), priority=100  , match=(eth.src[40]), action=(drop;)
      drop VLAN-tagged frames (unless VLAN passthrough is enabled):
      table=0 (ls_in_port_sec_l2  ), priority=100  , match=(vlan.present), action=(drop;)
    build_port_security_l2:
      allow frames whose eth.src is the port's MAC:
      table=0 (ls_in_port_sec_l2  ), priority=50   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == {fa:16:3e:e8:dd:6b}), action=(next;)
    

    table 1 (ls_in_port_sec_ip), OVS table 9:

    build_port_security_ip (port_security, allowed-address-pairs):
      allow DHCP and the allowed-address-pairs addresses, drop all other IP packets:
      table=1 (ls_in_port_sec_ip  ), priority=90   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(next;)
      table=1 (ls_in_port_sec_ip  ), priority=90   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip4.src == {192.168.111.175, 10.0.0.3}), action=(next;)
      table=1 (ls_in_port_sec_ip  ), priority=80   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && ip), action=(drop;)
    build_lswitch_input_port_sec_od:
      table=1 (ls_in_port_sec_ip  ), priority=0    , match=(1), action=(next;)
    

    table 2 (ls_in_port_sec_nd), OVS table 10:

    build_port_security_nd:
      ARP packets sent by the VM must match the allowed-address-pairs, otherwise they are dropped (prevents ARP spoofing):
      table=2 (ls_in_port_sec_nd  ), priority=90   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && eth.src == fa:16:3e:e8:dd:6b && arp.sha == fa:16:3e:e8:dd:6b && arp.spa == {192.168.111.175,10.0.0.3}), action=(next;)
      table=2 (ls_in_port_sec_nd  ), priority=80   , match=(inport == "b5ca6f69-eb6d-4496-8df0-e558e1552167" && (arp || nd)), action=(drop;)
    build_lswitch_input_port_sec_od:
      table=2 (ls_in_port_sec_nd  ), priority=0    , match=(1), action=(next;)
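To make the port-security checks of tables 0 to 2, and the allowed_address_pairs behaviour discussed earlier, concrete, here is an added Python model (not OVN code) that evaluates constructed frames from port b5ca6f69-eb6d-4496-8df0-e558e1552167 against the same matches as the logical flows above. The PORT_SEC table and the frame dictionary keys are assumptions of this example; the addresses come from the page.

```python
"""Evaluate ls_in_port_sec_l2 / ls_in_port_sec_ip / ls_in_port_sec_nd for
frames leaving a VM port. Constructed model of the logical flows shown on
this page, not OVN code."""

# Port addresses as OVN sees them: fixed IP plus allowed_address_pairs.
PORT_SEC = {
    "b5ca6f69-eb6d-4496-8df0-e558e1552167": {
        "mac": "fa:16:3e:e8:dd:6b",
        "ips": {"192.168.111.175", "10.0.0.3"},
    },
}

PORT = "b5ca6f69-eb6d-4496-8df0-e558e1552167"


def is_multicast(mac):
    """eth.src[40]: the I/G bit of the first MAC octet."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def port_sec_l2(port, frame):
    """table 0: drop multicast source MAC and VLAN-tagged frames (priority 100),
    allow only the port's own eth.src (priority 50); anything else has no
    matching flow and is dropped."""
    if is_multicast(frame["eth_src"]) or frame.get("vlan"):
        return "drop"
    if frame["eth_src"] == PORT_SEC[port]["mac"]:
        return "next"
    return "drop"


def port_sec_ip(port, frame):
    """table 1: DHCP discover (0.0.0.0 -> 255.255.255.255, udp 68 -> 67) or
    one of the port's addresses as ip4.src passes (priority 90); any other IP
    packet hits the priority-80 drop; non-IP traffic takes the priority-0 next."""
    if frame.get("ethertype") != "ip":
        return "next"
    if (frame["ip_src"] == "0.0.0.0" and frame["ip_dst"] == "255.255.255.255"
            and frame.get("udp_src") == 68 and frame.get("udp_dst") == 67):
        return "next"
    if frame["ip_src"] in PORT_SEC[port]["ips"]:
        return "next"
    return "drop"


def port_sec_nd(port, frame):
    """table 2: ARP sender MAC/IP must be the port's own MAC and one of its
    addresses (priority 90); other ARP from this port is dropped (priority 80)."""
    if frame.get("ethertype") != "arp":
        return "next"
    ok = (frame["arp_sha"] == PORT_SEC[port]["mac"]
          and frame["arp_spa"] in PORT_SEC[port]["ips"])
    return "next" if ok else "drop"


def ingress_port_sec(port, frame):
    """Run the three stages in pipeline order; the first 'drop' wins."""
    for stage in (port_sec_l2, port_sec_ip, port_sec_nd):
        if stage(port, frame) == "drop":
            return "drop@" + stage.__name__
    return "next"


if __name__ == "__main__":
    # Constructed frames: a legitimate packet, an IP-spoofed one, a spoofed ARP.
    base = {"eth_src": "fa:16:3e:e8:dd:6b", "ethertype": "ip",
            "ip_src": "192.168.111.175", "ip_dst": "192.168.111.1"}
    print(ingress_port_sec(PORT, base))
    print(ingress_port_sec(PORT, dict(base, ip_src="192.168.111.9")))
    print(ingress_port_sec(PORT, {"eth_src": "fa:16:3e:e8:dd:6b", "ethertype": "arp",
                                  "arp_sha": "fa:16:3e:e8:dd:6b",
                                  "arp_spa": "192.168.111.1"}))
```

Note the asymmetry the model preserves: a frame of some other ethertype (LLDP, for instance) is neither IP nor ARP/ND and therefore passes all three stages, while an ARP reply claiming the gateway's address is dropped even though the source MAC is legitimate.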
    

    table 3 (ls_in_pre_acl), OVS table 11:

    build_pre_acls:
      the subnet (router) interfaces skip the stateful ACLs; on ingress their reg14 values are 0x1 and 0x5 respectively:
      table=3 (ls_in_pre_acl      ), priority=110  , match=(ip && inport == "a7e8a001-4c92-4eb9-95ac-7696993ae9b2"), action=(next;)
      table=3 (ls_in_pre_acl      ), priority=110  , match=(ip && inport == "cabdccc3-8a9c-428f-a678-5fed80d72d17"), action=(next;)
      IPv6 neighbour discovery, router solicitation/advertisement, ICMPv4/ICMPv6 unreachable and TCP RST packets also skip the stateful ACLs:
      table=3 (ls_in_pre_acl      ), priority=110  , match=(nd || nd_rs || nd_ra || icmp4.type == 3 || icmp6.type == 1 || (tcp && tcp.flags == 4)), action=(next;)
      stateful ACL pre-processing: set reg0[0] = 1 (REGBIT_CONNTRACK_DEFRAG, marks the packet for IP fragment reassembly):
      table=3 (ls_in_pre_acl      ), priority=100  , match=(ip), action=(reg0[0] = 1; next;)
      table=3 (ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
    

    table 4 (ls_in_pre_lb), OVS table 12:

    build_pre_lb:
      table=4 (ls_in_pre_lb       ), priority=110  , match=(nd || nd_rs || nd_ra), action=(next;)
      table=4 (ls_in_pre_lb       ), priority=0    , match=(1), action=(next;)
    

    table 5 (ls_in_pre_stateful), OVS table 13:

    build_pre_stateful:
      packets marked with reg0[0] are sent through conntrack:
      table=5 (ls_in_pre_stateful ), priority=100  , match=(reg0[0] == 1), action=(ct_next;)
      table=5 (ls_in_pre_stateful ), priority=0    , match=(1), action=(next;)
    

    table 6 (ls_in_acl), OVS table 14:

    build_acls:
      highest-priority ACL: allow packets related to an existing tracked connection:
      table=6 (ls_in_acl          ), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;)
      highest-priority ACL: allow reply packets of an established connection:
      table=6 (ls_in_acl          ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
      highest-priority ACL: drop packets in an invalid state, and replies of connections marked blocked:
      table=6 (ls_in_acl          ), priority=65535, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
      table=6 (ls_in_acl          ), priority=65535, match=(nd), action=(next;)
      
      security group ACLs: allow packets whose inport is in the security group's port group; new connections get reg0[1] = 1 so that they are committed to conntrack:
      table=6 (ls_in_acl          ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip4)), action=(next;)
      table=6 (ls_in_acl          ), priority=2002 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip6)), action=(next;)
      table=6 (ls_in_acl          ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip4)), action=(reg0[1] = 1; next;)
      table=6 (ls_in_acl          ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (inport == @pg_fac16449_d03f_4880_b361_383b3c893ee0 && ip6)), action=(reg0[1] = 1; next;)
      security group ACLs: drop packets whose inport is in neutron_pg_drop; an established connection that no longer matches an allow rule is committed with ct_label.blocked = 1 and dropped:
      table=6 (ls_in_acl          ), priority=2001 , match=((!ct.est || (ct.est && ct_label.blocked == 1)) && (inport == @neutron_pg_drop && ip)), action=(/* drop */)
      table=6 (ls_in_acl          ), priority=2001 , match=(ct.est && ct_label.blocked == 0 && (inport == @neutron_pg_drop && ip)), action=(ct_commit(ct_label=1/1); /* drop */)
      
      default for ports not in neutron_pg_drop: new connections are committed and allowed:
      table=6 (ls_in_acl          ), priority=1    , match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), action=(reg0[1] = 1; next;)
      table=6 (ls_in_acl          ), priority=0    , match=(1), action=(next;)
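The ct-state handling in ls_in_acl is easiest to follow by driving a connection through it. The Python model below is an added example, not OVN or Neutron code: it encodes the priority 65535 / 2002 / 2001 / 1 matches listed above for a port that is both in the security group's port group and in neutron_pg_drop, and shows what happens when the allow rule is removed while a connection is established. The Conn class, the commit strings and connection_lifecycle are constructs of this example; the matches are the ones on the page.

```python
"""Simulate the ls_in_acl stage for port b5ca6f69-... (member of the
security group port group and of neutron_pg_drop). Shows how ct state and
ct_label.blocked decide a packet's fate and how removing an allow rule
kills an already established connection. Constructed model, not OVN code."""

PORT = "b5ca6f69-eb6d-4496-8df0-e558e1552167"
SG_ALLOW_PORTS = {PORT}    # members of @pg_fac16449_d03f_4880_b361_383b3c893ee0
PG_DROP_PORTS = {PORT}     # members of @neutron_pg_drop


class Conn:
    """Minimal conntrack entry: established flag plus the ct_label.blocked bit."""
    def __init__(self):
        self.est = False
        self.blocked = 0


def ls_in_acl(inport, pkt, conn, sg_allows):
    """pkt: dict of ct flags (new, est, rpl, rel, inv) as conntrack reports them
    for this packet. sg_allows: whether the SG allow ACL currently exists.
    Returns (verdict, commit) where commit is the reg0[1] / ct_commit effect."""
    new, est, rpl, rel, inv = (pkt.get(k, False) for k in ("new", "est", "rpl", "rel", "inv"))
    blocked = conn.blocked
    # priority 65535: invalid, or a reply on a connection marked blocked -> drop
    if inv or (est and rpl and blocked == 1):
        return "drop", None
    # priority 65535: related traffic / replies of an unblocked connection -> allow
    if not est and rel and not new and blocked == 0:
        return "next", None
    if est and not rel and not new and rpl and blocked == 0:
        return "next", None
    # priority 2002: the security-group allow rule, if it still exists
    if sg_allows and inport in SG_ALLOW_PORTS:
        if not new and est and not rpl and blocked == 0:
            return "next", None
        if (new and not est) or (not new and est and not rpl and blocked == 1):
            return "next", "commit(blocked=0)"      # reg0[1] = 1 -> ct_commit
    # priority 2001: neutron_pg_drop catch-all
    if inport in PG_DROP_PORTS:
        if not est or blocked == 1:
            return "drop", None
        return "drop", "commit(blocked=1)"          # ct_commit(ct_label=1/1)
    # priority 1: ports outside pg_drop still commit new flows and pass
    if not est or blocked == 1:
        return "next", "commit(blocked=0)"
    return "next", None                             # priority 0


def apply_commit(conn, commit):
    """What the later stateful stage does with the commit request."""
    if commit == "commit(blocked=0)":
        conn.est, conn.blocked = True, 0
    elif commit == "commit(blocked=1)":
        conn.blocked = 1


def connection_lifecycle(port, rule_removed_after=2, packets=5):
    """Send `packets` original-direction packets on one connection, removing
    the SG allow rule after `rule_removed_after` of them. Returns the verdicts."""
    conn, verdicts = Conn(), []
    for i in range(packets):
        sg_allows = i < rule_removed_after
        pkt = {"new": not conn.est, "est": conn.est}
        verdict, commit = ls_in_acl(port, pkt, conn, sg_allows)
        apply_commit(conn, commit)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    print("rule kept:   ", connection_lifecycle(PORT, rule_removed_after=5))
    print("rule removed:", connection_lifecycle(PORT, rule_removed_after=2))
```

With the rule kept every packet passes; once it is removed, the next original-direction packet falls through to the priority-2001 flow, which sets ct_label.blocked and drops it, and from then on both directions are dropped by the blocked checks. If the rule is re-added, the priority-2002 flow with ct_label.blocked == 1 re-commits the connection and clears the bit.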
    

    Security groups in the OVS flows

    The logical flows discussed above correspond to the following OpenFlow flows:

     table 8:
     drop frames with a multicast/broadcast source MAC:
     cookie=0x6f1dbc42, duration=966129.895s, table=8, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=100,metadata=0x1,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
     drop VLAN-tagged frames (unless VLAN passthrough is enabled):
     cookie=0x35965f1e, duration=966203.206s, table=8, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=100,metadata=0x1,vlan_tci=0x1000/0x1000 actions=drop (https://blog.csdn.net/u012124304/article/details/103211105)
     allow frames whose eth.src is this port's MAC:
     cookie=0xd2362303, duration=966463.937s, table=8, n_packets=93, n_bytes=16890, idle_age=4216, hard_age=65534, priority=50,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b actions=resubmit(,9)
     
    
     table 9:
     allow this port's DHCP packets and allowed-address-pairs, drop all other IP packets:
     cookie=0x6953fb29, duration=968411.177s, table=9, n_packets=0, n_bytes=0, priority=90,udp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=resubmit(,10)
     cookie=0x120781d1, duration=968411.185s, table=9, n_packets=49, n_bytes=15332, priority=90,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=192.168.111.175 actions=resubmit(,10)
     cookie=0x2ff58c89, duration=49.356s,     table=9, n_packets=0, n_bytes=0,      priority=90,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,nw_src=10.0.0.3 actions=resubmit(,10)                    
     cookie=0x1fab468e, duration=968411.188s, table=9, n_packets=0, n_bytes=0, priority=80,ip,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b actions=drop
     cookie=0xfbeb7eae, duration=968411.192s, table=9, n_packets=192, n_bytes=68946, priority=0,metadata=0x1 actions=resubmit(,10)              
    
     table 10:
     ARP packets sent by the VM must match the allowed-address-pairs, otherwise they are dropped (prevents ARP spoofing):
     cookie=0xbf374718, duration=968411.182s, table=10, n_packets=46, n_bytes=1932, priority=90,arp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,arp_spa=192.168.111.175,arp_sha=fa:16:3e:e8:dd:6b actions=resubmit(,11)
     cookie=0xed2936cb, duration=23433.135s, table=10, n_packets=0, n_bytes=0, priority=90,arp,reg14=0x2,metadata=0x1,dl_src=fa:16:3e:e8:dd:6b,arp_spa=10.0.0.3,arp_sha=fa:16:3e:e8:dd:6b actions=resubmit(,11)
     cookie=0xe858f8f3, duration=968411.185s, table=10, n_packets=0, n_bytes=0, priority=80,arp,reg14=0x2,metadata=0x1 actions=drop
     cookie=0x53f76439, duration=968411.188s, table=10, n_packets=195, n_bytes=82346, priority=0,metadata=0x1 actions=resubmit(,11)
    
     table 11:
     the two subnet interfaces have reg14=0x1 and reg14=0x5 on ingress; OVN skips the stateful ACLs for them:
     cookie=0x14018c1f, duration=1057442.112s, table=11, n_packets=167, n_bytes=95460, priority=110,ip,reg14=0x1,metadata=0x1 actions=resubmit(,12)
     cookie=0x3380f1d7, duration=948268.302s, table=11, n_packets=351, n_bytes=162148, priority=110,ip,reg14=0x5,metadata=0x1 actions=resubmit(,12)
     IPv6 neighbour discovery, router solicitation/advertisement, ICMPv4/ICMPv6 unreachable and TCP RST packets skip the stateful ACLs:
     cookie=0xab9fff1, duration=968411.193s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,12)
     cookie=0xab9fff1, duration=968411.188s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=134,icmp_code=0 actions=resubmit(,12)
     cookie=0xab9fff1, duration=968411.185s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=133,icmp_code=0 actions=resubmit(,12)
     cookie=0xab9fff1, duration=968411.183s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,12)
     cookie=0xab9fff1, duration=968411.191s, table=11, n_packets=0, n_bytes=0, priority=110,tcp6,metadata=0x1,tcp_flags=rst actions=resubmit(,12)
     cookie=0xab9fff1, duration=968411.188s, table=11, n_packets=0, n_bytes=0, priority=110,tcp,metadata=0x1,tcp_flags=rst actions=resubmit(,12)
     cookie=0xab9fff1, duration=968411.190s, table=11, n_packets=2, n_bytes=226, priority=110,icmp,metadata=0x1,icmp_type=3 actions=resubmit(,12)
     cookie=0xab9fff1, duration=968411.181s, table=11, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,icmp_type=1 actions=resubmit(,12)
     stateful ACL pre-processing: reg0[0] = 1 (REGBIT_CONNTRACK_DEFRAG, IP fragment reassembly), which lands in bit 96 of xxreg0:
     cookie=0x7d898487, duration=968411.187s, table=11, n_packets=49, n_bytes=15332, priority=100,ip,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,12)
     cookie=0x7d898487, duration=968411.182s, table=11, n_packets=0, n_bytes=0, priority=100,ipv6,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,12)
     cookie=0x293449e5, duration=968411.193s, table=11, n_packets=46, n_bytes=1932, priority=0,metadata=0x1 actions=resubmit(,12)
    
     table12:
     cookie=0xa4a37e36, duration=1034058.339s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=133,icmp_code=0 actions=resubmit(,13)
     cookie=0xa4a37e36, duration=1034058.336s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=134,icmp_code=0 actions=resubmit(,13)
     cookie=0xa4a37e36, duration=1034058.336s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,13)
     cookie=0xa4a37e36, duration=1034058.328s, table=12, n_packets=0, n_bytes=0, priority=110,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,13)
     cookie=0x8c6fe364, duration=1034058.337s, table=12, n_packets=247, n_bytes=85400, priority=0,metadata=0x1 actions=resubmit(,13)
    
     table 13:
     packets marked with reg0[0] are sent through conntrack, with reg13 as the zone:
     cookie=0x24a1efe4, duration=1034058.328s, table=13, n_packets=52, n_bytes=16328, priority=100,ip,reg0=0x1/0x1,metadata=0x1 actions=ct(table=14,zone=NXM_NX_REG13[0..15])
     cookie=0x2201969c, duration=1034058.334s, table=13, n_packets=195, n_bytes=69072, priority=0,metadata=0x1 actions=resubmit(,14)
    
     table 14:
     highest-priority ACL: allow packets related to an existing tracked connection:
     cookie=0xf82466f5, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=-new-est+rel-inv+trk,ct_label=0/0x1,metadata=0x1 actions=resubmit(,15)
     highest-priority ACL: allow reply packets of an established connection:
     cookie=0xea74928f, duration=1057442.122s, table=14, n_packets=4, n_bytes=392, priority=65535,ct_state=-new+est-rel+rpl-inv+trk,ct_label=0/0x1,metadata=0x1 actions=resubmit(,15)
     highest-priority ACL: drop packets in an invalid state, and replies of connections marked blocked:
     cookie=0xf5b4b6e8, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=+inv+trk,metadata=0x1 actions=drop
     cookie=0xf5b4b6e8, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=65535,ct_state=+est+rpl+trk,ct_label=0x1/0x1,metadata=0x1 actions=drop
     cookie=0xd4194ce2, duration=1057442.119s, table=14, n_packets=0, n_bytes=0, priority=65535,icmp6,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0 actions=resubmit(,15)
     cookie=0xd4194ce2, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=65535,icmp6,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0 actions=resubmit(,15)
     security group ACLs: allow packets from this port that match the rules:
     cookie=0x30990bd9, duration=1057442.121s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,ipv6,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
     cookie=0xd96dfb12, duration=1057442.119s, table=14, n_packets=49, n_bytes=16268, priority=2002,ct_state=+new-est+trk,ip,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
     cookie=0xd96dfb12, duration=1057442.119s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0x1/0x1,ip,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
     cookie=0x31749d4e, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0/0x1,ip,reg14=0x2,metadata=0x1 actions=resubmit(,15)
     cookie=0x30990bd9, duration=1057442.112s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0x1/0x1,ipv6,reg14=0x2,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
     cookie=0x296730c6, duration=1057442.107s, table=14, n_packets=0, n_bytes=0, priority=2002,ct_state=-new+est-rpl+trk,ct_label=0/0x1,ipv6,reg14=0x2,metadata=0x1 actions=resubmit(,15)
     default drop flows (the logical flows whose inport is neutron_pg_drop):
     cookie=0x3d47ccf1, duration=1057442.116s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,reg14=0x2,metadata=0x1 actions=drop
     cookie=0x3d47ccf1, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=+est+trk,ct_label=0x1/0x1,ip,reg14=0x2,metadata=0x1 actions=drop
     cookie=0x3d47ccf1, duration=1057442.118s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=-est+trk,ip,reg14=0x2,metadata=0x1 actions=drop
     cookie=0x3d47ccf1, duration=1057442.108s, table=14, n_packets=0, n_bytes=0, priority=2001,ct_state=-est+trk,ipv6,reg14=0x2,metadata=0x1 actions=drop
     
     cookie=0x1454342d, duration=1057442.124s, table=14, n_packets=0, n_bytes=0, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
     cookie=0x1454342d, duration=1057442.121s, table=14, n_packets=0, n_bytes=0, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
    
     cookie=0x16579627, duration=1057442.121s, table=14, n_packets=575, n_bytes=260428, priority=0,metadata=0x1 actions=resubmit(,15)
    

    This is my own analysis; corrections are welcome. Please credit the source if you repost. You are welcome to visit my home page.


        Article link: https://www.haomeiwen.com/subject/rgcsjrtx.html