On Thu, May 19, 2016 at 11:51 PM, Ben Pfaff <b...@ovn.org> wrote: > On Thu, May 19, 2016 at 08:42:15PM -0700, Aaron Rosen wrote: > > I'm wondering if it would be possible to add any additional validation on > > the match column in the ACL table (and potentially other places in the > > future)? > > > > For example, we had a silly bug in the ovn plugin where if someone > created > > a security group rule and specified the protocol number as 6 instead of > > tcp, we forgot to convert the protocol number 6 to tcp and ended up > > pushing a rule that looked like this: > > > > to-lport 1002 (outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee" && > ip4 > > && 6 && *6.dst *== 22) allow-related > > We could validate it in ovn-northd so that it doesn't get pushed down to > the southbound database, either just logging it at northd or adding some > kind of status or error column to the ACL table so that we could push > the problem back up. Is that the kind of thing you're looking for?
Validation in ovn-northd and reporting an error state in the ACL table sounds good to me. We can watch events in our plugin for when ACL rows get updated and check to see if the error column was set. We can at least log an error on the OpenStack side in that case. It would be asynchronous from the OpenStack API call, so we wouldn't be able to return an error in the API, though. -- Russell Bryant _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
