On Tue, Apr 5, 2016 at 12:17 AM, Ramu Ramamurthy <ramu.ramamur...@gmail.com> wrote:
> > @@ -89,10 +89,11 @@ enum ovn_stage {
> >      PIPELINE_STAGE(SWITCH, IN, PORT_SEC_L2, 0, "ls_in_port_sec_l2") \
> >      PIPELINE_STAGE(SWITCH, IN, PORT_SEC_IP, 1, "ls_in_port_sec_ip") \
> >      PIPELINE_STAGE(SWITCH, IN, PORT_SEC_ND, 2, "ls_in_port_sec_nd") \
> > -    PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 3, "ls_in_pre_acl") \
> > -    PIPELINE_STAGE(SWITCH, IN, ACL, 4, "ls_in_acl") \
> > -    PIPELINE_STAGE(SWITCH, IN, ARP_RSP, 5, "ls_in_arp_rsp") \
> > -    PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 6, "ls_in_l2_lkup") \
> > +    PIPELINE_STAGE(SWITCH, IN, DHCP, 3, "ls_in_dhcp") \
> > +    PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 4, "ls_in_pre_acl") \
> > +    PIPELINE_STAGE(SWITCH, IN, ACL, 5, "ls_in_acl") \
> > +    PIPELINE_STAGE(SWITCH, IN, ARP_RSP, 6, "ls_in_arp_rsp") \
> > +    PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 7, "ls_in_l2_lkup") \
> >                                                                 \
>
> Would it make sense to put DHCP after ACL instead of before - so, some control is
> provided on the handling of DHCP packets via acl rules. For instance,
> OpenStack programs these DHCP ACL rules currently allowing client->server
> communication - and the use case would be if I want to drop all client->server
> DHCP traffic for a rogue VM.
>
> table=2( ls_in_acl), priority= 2002, match=(inport ==
> "55c0912f-f7aa-4318-82f1-6118032839e3" && ip4 && (ip4.dst ==
> 255.255.255.255 || ip4.dst == 10.10.0.0/16) && udp && udp.src == 68 &&
> udp.dst == 67), action=(ct_commit; next;)

Since the DHCP traffic is handled by the ovn-controller, I thought there is no need for the ACL checks. I do not have any preference as such. I will test this out once.

Thanks
Numan

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
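Review bot: Inserting DHCP at stage 3, ahead of PRE_ACL (now 4) and ACL (now 5), means that if the new ls_in_dhcp stage answers DHCP requests itself (the reply above says this traffic is handled by ovn-controller), those packets never reach the ACL stage, so a from-lport rule like the priority-2002 match on udp.src == 68 && udp.dst == 67 quoted above can neither ct_commit nor drop them; the per-port "drop DHCP from a rogue VM" control raised in this thread therefore requires either placing the DHCP stage after ACL, or having ls_in_dhcp act only on packets the ACL stage has already passed. A secondary point: every later stage's numeric ID shifts by one (PRE_ACL 3 to 4, ACL 4 to 5, ARP_RSP 5 to 6, L2_LKUP 6 to 7), so any tests or tooling that key on the table number rather than the ls_in_* name will need updating in the same patch.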