On Thu, Jul 02, 2015 at 02:21:23PM -0700, Gurucharan Shetty wrote:
> On Thu, Jul 2, 2015 at 12:42 PM, Ben Pfaff <b...@nicira.com> wrote:
> > Here's a proposal for an OVN port security specification.  I tried to
> > specify it as carefully and completely as possible.  This is not
> > implemented yet, only specified.  Comments are welcome!
> >
> >        port_security: set of strings
> >               This column controls the addresses from which the host attached
> >               to the logical port ("the host") is allowed to send packets
> >               and to which it is allowed to receive packets.  If this column
> >               is empty, all addresses are permitted.
> >
> >               Each element in the set must contain one or more Ethernet
> >               addresses, optionally masked.  An element that contains only
> >               Ethernet addresses restricts the host to sending packets from
> >               and receiving packets to those addresses.  It also restricts the
> >               inner source MAC addresses that the host may send in ARP and
> >               IPv6 Neighbor Discovery packets.  It does not restrict the
> >               logical port to any particular L3 addresses.  The host is always
> >               allowed to receive packets to multicast and broadcast Ethernet
> >               addresses.
> >
> >               Each element in the set may additionally contain one or more
> >               IPv4 or IPv6 addresses (or both), with optional masks.  If a
> >               mask is given, it must be a CIDR mask.  In addition to the
> >               restrictions described for Ethernet addresses above, such an
> >               element restricts the IPv4 or IPv6 addresses from which the host
> >               may send and to which it may receive packets to the specified
> >               addresses.  A masked address, if the host part is zero,
> >               indicates that the host is allowed to use any addresses in the
> >               subnet; if the host part is nonzero, the mask simply indicates
> >               the size of the subnet.  In addition:
> >
> >               *      If no IPv4 address is given, the host is not allowed to
> >                      send or receive any IPv4 or ARP traffic.
> I don't understand what the above means. Does it mean that if IPv6 is
> specified and no IPv4 is specified the above rule holds true? (Because
> if only a MAC address is specified then all IP addresses are allowed)

Yes.

I guess it is not clear enough, so I'll rephrase it, thanks.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
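As an added illustration (not part of this thread and not OVN code), the following Python evaluator implements the port_security semantics exactly as quoted above, including the reading Ben confirms: an element that lists only IPv6 addresses permits no IPv4 or ARP traffic at all. Everything not fixed by the quoted text is an assumption of mine: each element is a whitespace-separated string of MAC tokens (a masked MAC is written `MAC/prefixlen`) followed by IP tokens; a packet is allowed when any element of the set permits it; and the packet "kind" labels (`ipv4`, `ipv6`, `arp`, `nd`, `other`) and the `permitted()` signature are invented for this example.

```python
"""Evaluator for the proposed OVN port_security column semantics.

Added example, not OVN code.  Assumed element syntax:
  "<mac>[/prefixlen] ... [<ipv4>[/cidr] ...] [<ipv6>[/cidr] ...]"
"""
import ipaddress
from dataclasses import dataclass, field

MAC_BITS = 48
MAC_ALL = (1 << MAC_BITS) - 1
MAC_GROUP_BIT = 1 << 40          # I/G bit of the first octet: multicast/broadcast


def parse_mac(token):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa:bb:cc:dd:ee:ff/24' into (value, mask)."""
    mac, _, bits = token.partition("/")
    value = int(mac.replace(":", ""), 16)
    prefix = int(bits) if bits else MAC_BITS
    mask = (MAC_ALL << (MAC_BITS - prefix)) & MAC_ALL
    return value & mask, mask


@dataclass
class Element:
    macs: list = field(default_factory=list)   # [(value, mask)]
    ipv4: list = field(default_factory=list)   # [IPv4Network]; a /32 means one address
    ipv6: list = field(default_factory=list)   # [IPv6Network]

    def mac_ok(self, mac):
        return any(mac & mask == value for value, mask in self.macs)

    def ip_ok(self, addr):
        nets = self.ipv4 if addr.version == 4 else self.ipv6
        return any(addr in net for net in nets)

    def has_l3(self):
        return bool(self.ipv4 or self.ipv6)


def parse_element(text):
    """Split one set element into its MAC and IP restrictions."""
    elem = Element()
    for token in text.split():
        try:
            iface = ipaddress.ip_interface(token)
        except ValueError:                      # not an IP token, so it is a MAC
            elem.macs.append(parse_mac(token))
            continue
        # Host part zero: any address in the subnet.  Host part nonzero: only
        # that one address; the mask merely records the subnet size.
        if iface.ip == iface.network.network_address:
            net = iface.network
        else:
            net = ipaddress.ip_network(str(iface.ip))
        (elem.ipv4 if net.version == 4 else elem.ipv6).append(net)
    return elem


def permitted(port_security, direction, mac, kind, ip=None, inner_src_mac=None):
    """Return True if the host may send or receive the described packet.

    direction:     "send" or "receive".
    mac:           Ethernet source (send) or destination (receive) address.
    kind:          "ipv4", "ipv6", "arp", "nd" or "other" (labels are assumed).
    ip:            source (send) or destination (receive) IP for ipv4/ipv6.
    inner_src_mac: sender hardware address inside ARP/ND (checked on send).
    """
    if not port_security:
        return True                             # empty column: everything allowed
    mac_v = parse_mac(mac)[0]
    if direction == "receive" and mac_v & MAC_GROUP_BIT:
        return True                             # multicast/broadcast always receivable
    addr = ipaddress.ip_address(ip) if ip is not None else None
    inner = parse_mac(inner_src_mac)[0] if inner_src_mac is not None else None
    for elem in (parse_element(s) for s in port_security):
        if not elem.mac_ok(mac_v):
            continue
        if kind in ("arp", "nd") and direction == "send":
            if inner is None or not elem.mac_ok(inner):
                continue                        # inner source MAC is restricted too
        if not elem.has_l3():
            return True                         # MAC-only element: no L3 restriction
        if kind == "arp" and not elem.ipv4:
            continue                            # no IPv4 address given: no ARP
        if kind in ("ipv4", "ipv6") and (addr is None or not elem.ip_ok(addr)):
            continue                            # IP must fall in an allowed set
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: one L2+L3 element, one MAC-only element.
    ps = ["00:00:00:00:00:01 10.0.0.5/24 fd00::/64", "00:00:00:00:00:02"]
    print(permitted(ps, "send", "00:00:00:00:00:01", "ipv4", ip="10.0.0.6"))  # False
    print(permitted(["00:00:00:00:00:01 fd00::/64"], "send", "00:00:00:00:00:01",
                    "arp", inner_src_mac="00:00:00:00:00:01"))                # False
```

The two printed cases are the ones the thread turns on: `10.0.0.5/24` has a nonzero host part, so only `10.0.0.5` itself is allowed and `10.0.0.6` is rejected; and an element carrying only an IPv6 prefix rejects ARP even though the MACs match, which is the behaviour Gurucharan asked about.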