Hi, I'm wondering if it would be possible to add any additional validation on the match column in the ACL table (and potentially other places in the future)?
For example, we had a silly bug in the ovn plugin where if someone created a security group rule and specified the protocol number as 6 instead of tcp, we forgot to convert the protocol number 6 to tcp and ended up pushing a rule that looked like this:

    to-lport 1002 (outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee" && ip4 && 6 && 6.dst == 22) allow-related

ovn-controller does expose this issue in the log:

    2016-05-20T03:25:18Z|00061|lflow|WARN|error parsing match "ct.new && (outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee" && ip4 && 6 && 6.dst == 22)": Syntax error at `&&' expecting relational operator.

Though it would be nice to be able to detect the issue as an error at the caller if possible. Currently it looks like one would need to be auditing the logs on all of their hypervisors to detect this bug, so it could go unnoticed for a while.

Aaron
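As an added illustration (example code, not OVN's or the plugin's own), here is the kind of caller-side pre-flight check the post asks for: it normalises a numeric protocol to its OVN field name before building the match, and it flags a bare number or a digit-led "field" such as 6.dst in an ACL match before the row is written, instead of leaving the failure to the ovn-controller log. The token grammar and the protocol-number mapping are simplifications assumed for this example.

```python
import re

# IANA protocol numbers -> OVN match-field names (assumed mapping for this example).
PROTO_NUM_TO_NAME = {"1": "icmp4", "6": "tcp", "17": "udp", "58": "icmp6", "132": "sctp"}

# Simplified tokenizer for OVN match expressions: quoted strings, operators,
# then identifiers/numbers (dots included so "tcp.dst" and "6.dst" are one token).
_TOKEN = re.compile(r'"[^"]*"|==|!=|<=|>=|&&|\|\||[()!<>]|[A-Za-z0-9_][A-Za-z0-9_.]*')
_RELATIONAL = {"==", "!=", "<", ">", "<=", ">="}


def normalize_protocol(proto):
    """Map a numeric protocol (e.g. 6) to its OVN name; names pass through unchanged."""
    proto = str(proto).lower()
    return PROTO_NUM_TO_NAME.get(proto, proto)


def build_port_match(outport, protocol, dst_port):
    """Build the L4 ACL match for a security-group rule, normalising the protocol first."""
    name = normalize_protocol(protocol)
    return 'outport == "%s" && ip4 && %s && %s.dst == %d' % (outport, name, name, dst_port)


def validate_match(match):
    """Return a list of problems in an ACL match string; an empty list means it looks sane."""
    errors = []
    tokens = _TOKEN.findall(match)
    if match.count("(") != match.count(")"):
        errors.append("unbalanced parentheses")
    for i, tok in enumerate(tokens):
        prev_tok = tokens[i - 1] if i > 0 else None
        next_tok = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok.isdigit() and prev_tok not in _RELATIONAL and next_tok not in _RELATIONAL:
            # A number standing alone as a predicate, e.g. "... && 6 && ..."
            hint = PROTO_NUM_TO_NAME.get(tok, "a protocol name")
            errors.append("bare number %s used as a predicate; did you mean %s?" % (tok, hint))
        elif tok[0].isdigit() and "." in tok:
            # A digit-led field such as "6.dst" is never a valid OVN field.
            num, field = tok.split(".", 1)
            hint = PROTO_NUM_TO_NAME.get(num, "<proto>")
            errors.append("'%s' is not a field; did you mean '%s.%s'?" % (tok, hint, field))
    return errors


if __name__ == "__main__":
    bad = 'outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee" && ip4 && 6 && 6.dst == 22'
    print(validate_match(bad))
    print(validate_match(build_port_match("c48a1ff1-a184-491a-9ffd-3db06ebd18ee", 6, 22)))
```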