On Fri, Sep 04, 2015 at 06:04:20PM -0700, Justin Pettit wrote:
> Add support for the "allow-related" ACL action. This is dependent on
> the OVS conntrack functionality, which is not available on all platforms
> or kernel versions.
>
> Here is a sample policy that will allow all tenants in logical switch
> "ls0" to SSH to each other. Anyone can make an HTTP request to "lp0".
> All other IP traffic is dropped:
>
> ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
> ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
> ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
> && tcp.dst==80" allow-related
> ovn-nbctl acl-add ls0 to-lport 1 ip drop
>
> -=-=-=-=-=-=-=-=-=-
>
> NOTE: This is an RFC. I would like some feedback on the overall design
> and whether it works as expected. It has a number of dependencies on
> features not yet available in the master of OVS. As such, it is
> probably easiest to try this patch from the following repo:
>
> https://github.com/justinpettit/ovs/tree/ovn-acl
>
> Once the prerequisites make it to the main OVS repo, I'll send out a
> non-RFC version.
Thanks! This is pretty clean, and not very much code.

Is adding support for FTP a big project or a small one? (What about
other ALGs?)

In update_ct_zones() in binding.c, the bitmap_scan() call starts over
from 0 every time. It would not be too much work to start from the
previously allocated zone, and so that is probably worthwhile.

If ct_next is not the last action in a logical flow, will the actions
that follow it get executed? If not, then we should document that and
we should probably reject a set of actions where ct_next is followed by
other actions.

It would be nice to test the parsing of the new actions, in the "ovn --
action parsing" test in tests/ovn.at.

I have some other suggestions too that seemed to be best expressed as
patches that can be squashed in. I pushed them to:

[email protected]:blp/ovs-reviews.git acl-suggestions

The commits there are:
commit 68601484d3a00161a2c28c73254679fcd030cce6
Author: Ben Pfaff <[email protected]>
Date:   Sat Sep 5 18:27:30 2015 -0700

    ovn-sb: Improve documentation formatting and phrasing.

    Signed-off-by: Ben Pfaff <[email protected]>

commit 71644ce7656775ff39037d02526f1f04118dd2ba
Author: Ben Pfaff <[email protected]>
Date:   Sat Sep 5 18:19:20 2015 -0700

    ovn-northd: Add parentheses around ACL match.

    Otherwise an ACL that contains an && would yield a syntax error, and in
    general it's best not to tempt precedence rules.

    Signed-off-by: Ben Pfaff <[email protected]>

commit d618afd0356870c20df323371fea6f2a9647445c
Author: Ben Pfaff <[email protected]>
Date:   Sat Sep 5 18:09:00 2015 -0700

    physical: Revert stray change.

    The indentation was changed in "ovn: Add stateful ACL support." but
    I think it was a mistake.

    Signed-off-by: Ben Pfaff <[email protected]>

commit 8316edccf932d6560274f4cc9dc74139cb0936aa
Author: Ben Pfaff <[email protected]>
Date:   Sat Sep 5 18:08:20 2015 -0700

    ovn-controller: Pass conntrack zone info as explicit parameters.

    It's a lot easier to see what code actually depends on data when the data
    is passed as a parameter instead of as part of a large struct. This
    commit makes that change for conntrack zones.

    Signed-off-by: Ben Pfaff <[email protected]>
_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev
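The zone-allocation point raised in the review above (bitmap_scan() restarting from 0 on every call in update_ct_zones()), as an added example that is not part of this thread and not OVS code: a hypothetical next-fit bitmap allocator in C that keeps a resume hint, with the restart-from-zero scan beside it so the cost difference is measurable, plus the wrap-around and exhaustion cases a reviewer would want covered. The 16-bit zone space, the reserved zone 0, and every function name here are assumptions for the example; OVS's real bitmap_scan() has a different interface.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical next-fit conntrack zone allocator: an added example, not the
 * bitmap_scan()/update_ct_zones() code in OVS.  Zone ids are 16-bit; zone 0
 * is left unused here, so the usable zones are ZONE_MIN..ZONE_BITS-1. */
#define ZONE_BITS 65536
#define ZONE_MIN  1

struct zone_alloc {
    uint64_t bits[ZONE_BITS / 64];  /* bit set = zone in use */
    unsigned int next;              /* hint: where the next scan starts */
};

static bool zone_in_use(const struct zone_alloc *za, unsigned int z)
{
    return (za->bits[z / 64] >> (z % 64)) & 1;
}

static void zone_mark(struct zone_alloc *za, unsigned int z, bool in_use)
{
    uint64_t mask = (uint64_t) 1 << (z % 64);
    if (in_use) { za->bits[z / 64] |= mask; } else { za->bits[z / 64] &= ~mask; }
}

static unsigned int zone_succ(unsigned int z)
{
    return z + 1 < ZONE_BITS ? z + 1 : ZONE_MIN;  /* wrap, skipping zone 0 */
}

void zone_alloc_init(struct zone_alloc *za)
{
    memset(za, 0, sizeof *za);
    za->next = ZONE_MIN;
}

/* Scans for a free zone starting at 'start', wrapping around at most once.
 * Stores the number of bits examined in *steps (if non-NULL).  Returns the
 * zone, now marked in use, or -1 when every zone is taken. */
static int scan_from(struct zone_alloc *za, unsigned int start,
                     unsigned int *steps)
{
    unsigned int z = start, n = 0;
    do {
        n++;
        if (!zone_in_use(za, z)) {
            zone_mark(za, z, true);
            za->next = zone_succ(z);          /* remember where to resume */
            if (steps) { *steps = n; }
            return (int) z;
        }
        z = zone_succ(z);
    } while (z != start);
    if (steps) { *steps = n; }
    return -1;
}

/* The behaviour under review: every allocation restarts at the bottom, so the
 * k-th allocation re-examines the k-1 zones already in use. */
int zone_alloc_from_zero(struct zone_alloc *za, unsigned int *steps)
{
    return scan_from(za, ZONE_MIN, steps);
}

/* The suggested improvement: resume from the hint left by the last
 * allocation, so a run of allocations costs one bit test each. */
int zone_alloc_next_fit(struct zone_alloc *za, unsigned int *steps)
{
    return scan_from(za, za->next, steps);
}

void zone_free(struct zone_alloc *za, unsigned int z)
{
    if (z >= ZONE_MIN && z < ZONE_BITS) { zone_mark(za, z, false); }
}

/* Bits examined by one more allocation after 'n' zones are already in use,
 * with the from-zero scan (from_zero=true) or the next-fit scan. */
unsigned int steps_after(unsigned int n, bool from_zero)
{
    struct zone_alloc za;
    unsigned int steps = 0;
    zone_alloc_init(&za);
    for (unsigned int i = 0; i < n; i++) { zone_alloc_next_fit(&za, NULL); }
    if (from_zero) { zone_alloc_from_zero(&za, &steps); }
    else { zone_alloc_next_fit(&za, &steps); }
    return steps;
}

/* Wrap-around: with the hint past the only free zone, next-fit must wrap to
 * the start rather than report exhaustion.  Returns the zone it finds (5). */
static int wrap_run(unsigned int *steps)
{
    struct zone_alloc za;
    zone_alloc_init(&za);
    while (zone_alloc_next_fit(&za, NULL) != -1) { /* take every zone */ }
    zone_free(&za, 60000);
    zone_alloc_next_fit(&za, NULL);   /* re-takes 60000; hint is now 60001 */
    zone_free(&za, 5);                /* the only free zone is behind the hint */
    return zone_alloc_next_fit(&za, steps);
}
int wrap_demo_zone(void) { return wrap_run(NULL); }
unsigned int wrap_demo_steps(void) { unsigned int s = 0; wrap_run(&s); return s; }
```

With 1000 zones in use, the next allocation examines 1001 bits when it restarts from zero but a single bit with the hint. The wrap-around case is the one worth a test in any real implementation: after a zone behind the hint is freed, next-fit must loop back to ZONE_MIN and find it (here zone 5, after 5540 bit tests) instead of reporting the table full, and the do/while with a `z != start` guard is what guarantees the scan terminates once the whole space has been walked.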