On 11/04/2015 10:58 AM, Kyle Mestery wrote:
> Thanks for writing this up Russell! I found a super pedantic (possible)
> nit, but otherwise, this reads fine to me and was helpful in
> understanding how ACLs work. Thanks!
>
> Acked-by: Kyle Mestery <mest...@mestery.com>
Thanks for the review! I fixed the typo you pointed out and pushed this to master.

> On Wed, Nov 4, 2015 at 9:53 AM, Russell Bryant <rbry...@redhat.com> wrote:
>
>     Add a section that gives a quick introduction to applying ACLs. It
>     discusses how the ACLs are translated into OVN logical flows. It doesn't
>     get down to the OpenFlow level because that's not supported in
>     ovs-sandbox yet. Instead, it provides a reference to an OpenStack
>     related blog post that talks about how OVN ACLs are used there and gives
>     examples of the resulting OpenFlow flows.
>
>     In theory, once we have a userspace conntrack implementation available,
>     we'll be able to provide better support for it in ovs-sandbox.
>
>     Signed-off-by: Russell Bryant <rbry...@redhat.com>
>     ---
>      tutorial/OVN-Tutorial.md      | 84 +++++++++++++++++++++++++++++++++++++++++++
>      tutorial/automake.mk          |  4 ++-
>      tutorial/ovn/env6/add-acls.sh | 21 +++++++++++
>      tutorial/ovn/env6/setup.sh    | 46 ++++++++++++++++++++++++
>      4 files changed, 154 insertions(+), 1 deletion(-)
>      create mode 100755 tutorial/ovn/env6/add-acls.sh
>      create mode 100755 tutorial/ovn/env6/setup.sh
>
>     diff --git a/tutorial/OVN-Tutorial.md b/tutorial/OVN-Tutorial.md
>     index 4fc06eb..667b76b 100644
>     --- a/tutorial/OVN-Tutorial.md
>     +++ b/tutorial/OVN-Tutorial.md
> @@ -628,6 +628,87 @@ see it output to OpenFlow ports 5 and 6 only. > $ ovn/env5/packet2.sh > > > +6) Stateful ACLs > +---------------- > + > +ACLs provide a way to do distributed packet filtering for OVN > networks. One > +example use of ACLs is that OpenStack Neutron uses them to > implement security > +groups. ACLs are implemented using conntrack integration with OVS. > + > +Start with a simple logical switch with 2 logical ports. > + > +[View ovn/env6/setup.sh][env6setup]. > + > + $ ovn/env6/setup.sh > + > +A common use case would be the following policy applied for > `sw0-port1`: > + > +* Allow outbound IP traffic and associated return traffic.
>
> To my eyes, looks like an extra space after "traffic" above, but it's
> super pedantic, so only re-spin if you need to for some other reason. :)

There is indeed an extra space there. I removed it.

-- 
Russell Bryant

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
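Review bot: the new "Stateful ACLs" section tells the reader that "ACLs are implemented using conntrack integration with OVS" but, in the quoted part of the hunk, never says that ovs-sandbox cannot yet show the resulting OpenFlow flows; that caveat lives only in the commit message ("It doesn't get down to the OpenFlow level because that's not supported in ovs-sandbox yet"), which tutorial readers will not see. Suggest adding one sentence right after the conntrack line, e.g. "ovs-sandbox does not yet support conntrack, so this section stops at the OVN logical flows; see the referenced blog post for the OpenFlow-level result", so the reader knows up front why the later steps do not reach OpenFlow. Also, `[View ovn/env6/setup.sh][env6setup]` depends on a `[env6setup]:` reference-link definition that is not visible in the quoted portion of the hunk; please confirm it is added in the part not quoted here, otherwise the link renders as literal text. The trailing extra space after "return traffic." is the one Kyle already flagged.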