On Thu, Apr 7, 2016 at 3:52 PM, Ryan Moats <rmo...@us.ibm.com> wrote:
> "dev" <dev-boun...@openvswitch.org> wrote on 04/07/2016 10:46:45 AM:
>
> > From: Russell Bryant <russ...@ovn.org>
> > To: dev@openvswitch.org
> > Date: 04/07/2016 10:47 AM
> > Subject: [ovs-dev] [PATCH v2 3/3] ovn: Add address_set() support for ACLs.
> > Sent by: "dev" <dev-boun...@openvswitch.org>
> >
> > This feature was originally proposed here:
> >
> > http://openvswitch.org/pipermail/dev/2016-March/067440.html
> >
> > A common use case for OVN ACLs involves needing to match a set of IP
> > addresses.
> >
> >     outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}
> >
> > This example match only has 3 addresses, but it could easily have
> > hundreds of addresses.  In some cases, the same large set of addresses
> > needs to be used in several ACLs.
> >
> > This patch adds a new Address_Set table to OVN_Northbound so that a set
> > of addresses can be specified once and then referred to by name in ACLs.
> > To recreate the above example, you would first create an address set:
> >
> >     $ ovn-nbctl create Address_Set name=set1 addresses=10.0.0.5,10.0.0.25,10.0.0.50
> >
> > Then you can refer to this address set by name in an ACL match:
> >
> >     outport == "lp1" && ip4.src == address_set(set1)
> >
> > Signed-off-by: Russell Bryant <russ...@ovn.org>
> > ---
>
> Yes, this works and yes, I like having the address set in both
> northbound and southbound.  I've got two nits in the comments though:
>

Thanks for the comments.  It appears my space bar was malfunctioning :-p.
I'll fix the typos in the next revision or before applying to master.

--
Russell Bryant
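
Added illustration, not part of the thread or of the patch: a small Python model of what the commit message describes, resolving `address_set(NAME)` in an ACL match to the inline set form. The `ADDRESS_SETS` dict, `expand_match` and `AddressSetError` are hypothetical names, the data is constructed from the message's example, and rejecting unknown, empty or malformed sets is this sketch's choice, not documented OVN behaviour.

```python
import ipaddress
import re

# Constructed stand-in for rows of the Address_Set table (name -> addresses).
ADDRESS_SETS = {"set1": ["10.0.0.5", "10.0.0.25", "10.0.0.50"]}

# Matches the address_set(NAME) reference syntax shown in the commit message.
_REF = re.compile(r"address_set\(\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\)")


class AddressSetError(ValueError):
    """Raised when a match refers to a set that cannot be expanded safely."""


def expand_match(match, address_sets):
    """Replace each address_set(NAME) with the inline {a, b, c} form."""

    def _expand(m):
        name = m.group(1)
        if name not in address_sets:
            # A typo in the set name must not yield a silently different ACL.
            raise AddressSetError(f"unknown address set: {name}")
        addrs = address_sets[name]
        if not addrs:
            raise AddressSetError(f"address set {name} is empty")
        for addr in addrs:
            try:
                # Accepts single IPs and CIDR prefixes; this sketch is IP-only.
                ipaddress.ip_network(addr, strict=False)
            except ValueError as exc:
                raise AddressSetError(f"bad address in {name}: {addr}") from exc
        return "{" + ", ".join(addrs) + "}"

    return _REF.sub(_expand, match)


if __name__ == "__main__":
    acl = 'outport == "lp1" && ip4.src == address_set(set1)'
    print(expand_match(acl, ADDRESS_SETS))
```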