On Thu, Jun 23, 2016 at 1:05 AM, <bscha...@redhat.com> wrote:
> From: Russell Bryant <russ...@ovn.org>
>
> This feature was originally proposed here:
>
> http://openvswitch.org/pipermail/dev/2016-March/067440.html
>
> A common use case for OVN ACLs involves needing to match a set of IP
> addresses.
>
> outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}
>
> This example match only has 3 addresses, but it could easily have
> hundreds of addresses. In some cases, the same large set of addresses
> needs to be used in several ACLs.
>
> This patch adds a new Address_Set table to OVN_Northbound so that a set
> of addresses can be specified once and then referred to by name in ACLs.
> To recreate the above example, you would first create an address set:
>
> $ ovn-nbctl create Address_Set name=set1 addresses=10.0.0.5,10.0.0.25,10.0.0.50
>
> Then you can refer to this address set by name in an ACL match:
>
> outport == "lp1" && ip4.src == $set1
>
> Signed-off-by: Russell Bryant <russ...@ovn.org>
> Signed-off-by: Babu Shanmugam <bscha...@redhat.com>
> ---
>  ovn/controller/lflow.c    | 155 +++++++++++++++++++++++++++++++++++++++++++++-
>  ovn/northd/ovn-northd.c   |  42 +++++++++++++
>  ovn/ovn-nb.ovsschema      |  10 ++-
>  ovn/ovn-nb.xml            |  28 +++++++++
>  ovn/ovn-sb.ovsschema      |  12 +++-
>  ovn/ovn-sb.xml            |  19 ++++++
>  ovn/utilities/ovn-nbctl.c |   4 ++
>  ovn/utilities/ovn-sbctl.c |   4 ++
>  tests/ovn.at              |  10 +++
>  9 files changed, 280 insertions(+), 4 deletions(-)
>
> <snip>
> > diff --git a/tests/ovn.at b/tests/ovn.at > index 4f72107..59f9307 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at > @@ -649,6 +649,8 @@ done > ovn-nbctl acl-add lsw0 from-lport 1000 'eth.type == 0x1234' drop > ovn-nbctl acl-add lsw0 from-lport 1000 'eth.type == 0x1235 && inport == > "lp11"' drop > ovn-nbctl acl-add lsw0 to-lport 1000 'eth.type == 0x1236 && outport == > "lp33"' drop > +ovn-nbctl create Address_Set name=set1 > addresses=\"f0:00:00:00:00:11\",\"f0:00:00:00:00:21\",\"f0:00:00:00:00:31\" > +ovn-nbctl acl-add lsw0 to-lport 1000 'eth.type == 0x1237 && eth.src == > $set1 && outport == "lp33"' drop > > # Pre-populate the hypervisors' ARP tables so that we don't lose any > # packets for ARP resolution (native tunneling doesn't queue packets > @@ -779,9 +781,17 @@ for is in 1 2 3; do > > if test $d != $s && test $s != 11; then acl2=$d; else > acl2=; fi > if test $d != $s && test $d != 33; then acl3=$d; else > acl3=; fi > + if test $d == $s || (test $js == 1 && test $d == 33); then > + # Source of 11, 21, or 31 and dest of 33 should be > droped > nitpick: typo on 'should be "dropped"' > + # due to the 4th ACL that uses address_set(set1). > + acl4= > + else > + acl4=$d > + fi > test_packet $s f000000000$d f000000000$s 1234 #7, > acl1 > test_packet $s f000000000$d f000000000$s 1235 $acl2 #7, > acl2 > test_packet $s f000000000$d f000000000$s 1236 $acl3 #7, > acl3 > + test_packet $s f000000000$d f000000000$s 1237 $acl4 #7, > acl4 > > test_packet $s f000000000$d f00000000055 810000091234 > #4 > test_packet $s f000000000$d 0100000000$s $s$d > #5 > -- > 2.5.5 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev > _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
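Review bot: In the first tests/ovn.at hunk (@@ -649), the new Address_Set is populated with MAC addresses and matched via `eth.src == $set1`, while the commit message only describes address sets as holding IP addresses for `ip4.src` matches. Since this test is the only visible place that shows MAC sets are supported, please state in the commit message (and in the ovn-nb.xml documentation for the new table) which address kinds an Address_Set may contain and how a mixed-type set is treated, so that the behaviour the test relies on is documented rather than implied.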
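Review bot: In the second tests/ovn.at hunk (@@ -779), the added condition `if test $d == $s || (test $js == 1 && test $d == 33); then` uses `==`, which is not a POSIX `test` operator, and the parenthesised group forks a subshell; the surrounding lines use `!=`, so for portability and consistency write `if test $d = $s || { test $js = 1 && test $d = 33; }; then`. Also, beyond the "droped" typo already flagged in this thread, the comment refers to `address_set(set1)` while the ACL added in the first hunk uses the `$set1` syntax, so the comment should use the same spelling as the match it describes.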