Added ovs dev list to let others sanity check me. :-) The context is discussing how OpenStack will use ACLs in OVN_Northbound.
We don't have Neutron code for this yet, but we have the "Security Groups" section of this doc:

http://docs.openstack.org/developer/networking-ovn/design/data_model.html

On 07/20/2015 11:39 AM, Justin Pettit wrote:
>
>> On Jul 20, 2015, at 8:53 AM, Russell Bryant <rbry...@redhat.com> wrote:
>>
>>
>> Does that help? Or would you like me to come up with something a bit
>> more specific?
>
> That's very helpful. I think I can figure out what needs to be done
> based on that description. I had a question, though. It looks like
> you're planning to do a default "deny" and then poke holes for
> "allow". I was expecting more "allow-related", since that will allow
> return traffic back. Do you think all those "allow" flows will be
> replaced with "allow-related" or will you have a mixture of both
> "allow" and "allow-related"? Also, will you be using "reject"?

All "allow" should be "allow-related", based on my reading of how the existing Neutron code uses iptables. The security groups API only seems to expose the idea of default deny (drop) + rules for what to allow. There's no way to express that you want "reject" behavior, so I guess we wouldn't be using it at all for now.

> Feel free to move this to the mailing list if you think it warrants
> broader discussion at this point.

Done, just in case others have any additional input.

-- 
Russell Bryant

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
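The model discussed in the thread (default deny per port, then allow-related holes for each security-group rule, no reject) can be shown as a small translator from Neutron-style rules to OVN_Northbound ACL rows. This is an added example written for this page, not networking-ovn code (which did not exist at the time of the thread). The switch and port names, the ACL priorities 1001/1002, the mapping of Neutron "ingress" to OVN "to-lport" (match on outport) and "egress" to "from-lport" (match on inport), and the sample rules are all assumptions made for the demonstration; the match syntax (ip, ip4, ip6, tcp.dst, ip4.src == CIDR) and the action names allow-related and drop are those of the OVN ACL table and ovn-nbctl acl-add.

```python
"""Map Neutron-style security-group rules to OVN_Northbound ACLs.

Illustrative example, not networking-ovn code.  The priorities, the
switch/port names and the ingress->to-lport / egress->from-lport mapping
are assumptions made for this demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (switch, direction, priority, match, action), the arguments ovn-nbctl acl-add takes
Acl = Tuple[str, str, int, str, str]

# Assumed priorities: allow-related rules must outrank the default drop.
ALLOW_PRIORITY = 1002
DROP_PRIORITY = 1001


@dataclass
class SGRule:
    """One security-group rule in Neutron's vocabulary.

    Neutron exposes no 'deny' or 'reject' rule: every rule is an allow, and
    traffic matching no rule falls through to the default deny.
    """
    direction: str                       # "ingress" (to the VM) or "egress" (from the VM)
    ethertype: str = "IPv4"              # "IPv4" or "IPv6"
    protocol: Optional[str] = None       # "tcp", "udp", "icmp", or None for any IP
    port_min: Optional[int] = None       # destination port range (tcp/udp only)
    port_max: Optional[int] = None
    remote_prefix: Optional[str] = None  # remote CIDR, e.g. "10.0.0.0/24"


def rule_to_match(port: str, rule: SGRule) -> Tuple[str, str]:
    """Return (OVN direction, OVN match expression) for one Neutron rule."""
    if rule.direction == "ingress":
        ovn_dir, port_field, remote_field = "to-lport", "outport", "src"
    elif rule.direction == "egress":
        ovn_dir, port_field, remote_field = "from-lport", "inport", "dst"
    else:
        raise ValueError("unknown direction %r" % rule.direction)

    ipv = "ip4" if rule.ethertype == "IPv4" else "ip6"
    parts = ['%s == "%s"' % (port_field, port), ipv]
    if rule.remote_prefix:
        # Ingress rules constrain the remote source; egress rules the remote destination.
        parts.append("%s.%s == %s" % (ipv, remote_field, rule.remote_prefix))
    if rule.protocol:
        parts.append(rule.protocol)
        if rule.protocol in ("tcp", "udp") and rule.port_min is not None:
            hi = rule.port_max if rule.port_max is not None else rule.port_min
            if hi == rule.port_min:
                parts.append("%s.dst == %d" % (rule.protocol, rule.port_min))
            else:
                parts.append("%s.dst >= %d && %s.dst <= %d"
                             % (rule.protocol, rule.port_min, rule.protocol, hi))
    return ovn_dir, " && ".join(parts)


def sg_to_acls(switch: str, port: str, rules: List[SGRule]) -> List[Acl]:
    """Default deny in both directions, then one allow-related ACL per rule.

    allow-related rather than allow admits the reply traffic of an allowed
    connection without a matching rule in the other direction, which is what
    the iptables-based Neutron driver gets from conntrack.
    """
    acls: List[Acl] = [
        (switch, "to-lport", DROP_PRIORITY, 'outport == "%s" && ip' % port, "drop"),
        (switch, "from-lport", DROP_PRIORITY, 'inport == "%s" && ip' % port, "drop"),
    ]
    for rule in rules:
        ovn_dir, match = rule_to_match(port, rule)
        acls.append((switch, ovn_dir, ALLOW_PRIORITY, match, "allow-related"))
    return acls


def to_nbctl(acl: Acl) -> str:
    """Render one ACL as an ovn-nbctl acl-add command line."""
    switch, direction, priority, match, action = acl
    return "ovn-nbctl acl-add %s %s %d '%s' %s" % (switch, direction, priority, match, action)


# Constructed sample: roughly Neutron's default group plus SSH from one subnet and ping.
SAMPLE_RULES = [
    SGRule("egress", "IPv4"),                                  # all outbound IPv4
    SGRule("egress", "IPv6"),                                  # all outbound IPv6
    SGRule("ingress", "IPv4", "tcp", 22, 22, "10.0.0.0/24"),   # SSH from a management net
    SGRule("ingress", "IPv4", "icmp"),                         # ICMP from anywhere
]

if __name__ == "__main__":
    for acl in sg_to_acls("sw0", "sw0-port1", SAMPLE_RULES):
        print(to_nbctl(acl))
```

Running the module prints the six acl-add commands: two drops at priority 1001 that realise the default deny for the port, followed by four allow-related entries at 1002. No reject action is ever emitted, matching the observation in the thread that the security groups API has no way to ask for it.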