> For every port security defined for a logical port, add the following lflows
> in the "ls_in_port_sec" and "ls_out_port_sec" stages:
>   - A priority 90 flow to allow ipv4 traffic for known ip addresses
>     and (broadcast ip - for ingress, mainly for dhcp)
>   - A priority 80 flow to drop all ipv4 traffic.
>   - For ingress, a priority 90 flow to allow arp traffic for known
>     ip addresses and a priority 80 flow to drop all arp traffic
>   - A priority 90 flow to allow ipv6 traffic for all ipv6 addresses if
>     port security has ipv6 address(es) defined
>     (next patch will address ipv6)
>   - A priority 80 flow to drop all ipv6 traffic.
>   - A priority 50 flow to allow all traffic on that port with the matching
>     eth address
>
> E.g. if the port security is "00:00:00:00:00:01 10.0.0.2":
>
> priority=90, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
>     && arp && arp.sha == 00:00:00:00:00:01 && (arp.spa == 10.0.0.2)), action=(next;)
>
> priority=90, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
>     && ip4 && ((ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255) ||
>     ip4.src == 10.0.0.3)), action=(next;)
>
> priority=80, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
>     && (arp || ip4)), action=(drop;)
>
> priority=80, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
>     && ip6), action=(drop;)
>
> priority=50, match=(inport == "portname" && eth.src == 00:00:00:00:00:01),
>     action=(next;)
>
> Signed-off-by: Numan Siddique <nusiddiq at redhat.com>
Acked-By: Ryan Moats <rmo...@us.ibm.com>

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
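The layering in the quoted commit message is easy to misread: the priority 50 "allow everything from this MAC" flow never rescues IPv4 or ARP traffic, because the priority 80 drop flows sit above it and only the priority 90 allow flows punch holes in them. The following is an added example, not OVN's code (ovn-northd builds these flows in C), that reproduces the ls_in_port_sec flows for one "mac ip..." entry in Python and adds a small evaluator so the priority semantics can be checked against constructed packets. Assumptions not in the quoted text: the ARP/IPv4 flows are only emitted when the entry names IPv4 addresses, packets are plain dicts, and a lookup that matches no flow of this entry returns None (what the table does then is outside the quoted message).

```python
"""Port-security lflow layering from the quoted commit message, modelled in Python.

Added example, not OVN's own code: it reproduces the priorities and match
strings quoted above and adds an evaluator so the priority semantics can be
checked offline.  Assumptions (not in the quoted text): ARP/IPv4 flows are
only emitted when the entry carries IPv4 addresses; packets are plain dicts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Pkt = Dict[str, str]  # constructed packet summary, e.g. {"inport": .., "eth_src": .., "proto": "ip4", ..}


@dataclass
class Flow:
    priority: int
    match: str                   # the OVN match expression as it would appear in the lflow
    action: str
    pred: Callable[[Pkt], bool]  # Python equivalent of `match`, used by lookup()


def ingress_port_sec(port: str, mac: str, ip4s: List[str],
                     ip6s: Optional[List[str]] = None) -> List[Flow]:
    """ls_in_port_sec flows for one port-security entry, following the quoted scheme."""
    base = f'inport == "{port}" && eth.src == {mac}'
    on_port = lambda p: p.get("inport") == port and p.get("eth_src") == mac
    flows: List[Flow] = []

    if ip4s:  # assumption: restrict ARP/IPv4 only when the entry names IPv4 addresses
        spa = " || ".join(f"arp.spa == {ip}" for ip in ip4s)
        src = " || ".join(f"ip4.src == {ip}" for ip in ip4s)
        # priority 90: ARP only with the bound sender MAC and a known sender IP
        flows.append(Flow(90, f"{base} && arp && arp.sha == {mac} && ({spa})", "next;",
                          lambda p: on_port(p) and p.get("proto") == "arp"
                          and p.get("arp_sha") == mac and p.get("arp_spa") in ip4s))
        # priority 90: IPv4 from known addresses, plus the 0.0.0.0 -> 255.255.255.255 DHCP broadcast
        flows.append(Flow(90, f"{base} && ip4 && ((ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255)"
                              f" || {src})", "next;",
                          lambda p: on_port(p) and p.get("proto") == "ip4" and (
                              (p.get("ip4_src") == "0.0.0.0" and p.get("ip4_dst") == "255.255.255.255")
                              or p.get("ip4_src") in ip4s)))
        # priority 80: any other ARP or IPv4 from this MAC is dropped
        flows.append(Flow(80, f"{base} && (arp || ip4)", "drop;",
                          lambda p: on_port(p) and p.get("proto") in ("arp", "ip4")))

    if ip6s:  # quoted text: allow all IPv6 when IPv6 addresses are defined (detail left to next patch)
        flows.append(Flow(90, f"{base} && ip6", "next;",
                          lambda p: on_port(p) and p.get("proto") == "ip6"))
    # priority 80: drop all IPv6
    flows.append(Flow(80, f"{base} && ip6", "drop;",
                      lambda p: on_port(p) and p.get("proto") == "ip6"))
    # priority 50: every other ethertype from the bound MAC passes
    flows.append(Flow(50, base, "next;", on_port))
    return flows


def lookup(flows: List[Flow], pkt: Pkt) -> Optional[Flow]:
    """Highest-priority matching flow wins, as in an OVN logical flow table.
    None: no flow of this entry matched (the table default is outside the quoted text)."""
    hits = [f for f in flows if f.pred(pkt)]
    return max(hits, key=lambda f: f.priority) if hits else None


def verdict(flows: List[Flow], pkt: Pkt) -> Optional[str]:
    f = lookup(flows, pkt)
    return f.action if f else None


def demo() -> Dict[str, Optional[str]]:
    """Constructed packets against the quoted entry "00:00:00:00:00:01 10.0.0.2"."""
    port, mac = "portname", "00:00:00:00:00:01"
    flows = ingress_port_sec(port, mac, ["10.0.0.2"])
    base = {"inport": port, "eth_src": mac}
    cases = {
        "arp_ok":     {**base, "proto": "arp", "arp_sha": mac, "arp_spa": "10.0.0.2"},
        "arp_spoof":  {**base, "proto": "arp", "arp_sha": mac, "arp_spa": "10.0.0.3"},
        "ip4_ok":     {**base, "proto": "ip4", "ip4_src": "10.0.0.2", "ip4_dst": "10.0.0.9"},
        "ip4_spoof":  {**base, "proto": "ip4", "ip4_src": "10.0.0.3", "ip4_dst": "10.0.0.9"},
        "dhcp_bcast": {**base, "proto": "ip4", "ip4_src": "0.0.0.0", "ip4_dst": "255.255.255.255"},
        "ip6":        {**base, "proto": "ip6"},
        "other_eth":  {**base, "proto": "lldp"},
        "wrong_mac":  {"inport": port, "eth_src": "00:00:00:00:00:99", "proto": "ip4", "ip4_src": "10.0.0.2"},
    }
    return {name: verdict(flows, p) for name, p in cases.items()}


if __name__ == "__main__":
    for f in ingress_port_sec("portname", "00:00:00:00:00:01", ["10.0.0.2"]):
        print(f"priority={f.priority}, match=({f.match}), action=({f.action})")
    for name, action in demo().items():
        print(f"{name:11} -> {action}")
```

Running it prints the five flows from the quoted message and then the verdicts: a spoofed IPv4 source or ARP sender IP ends at the priority 80 drop even though the priority 50 flow would match it, while the 0.0.0.0 to 255.255.255.255 DHCP broadcast and a non-IP ethertype such as LLDP pass. A frame from a different source MAC matches none of this entry's flows; which flow handles it in the real table depends on the other entries on the switch.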