On Tue, Jun 28, 2016 at 02:20:41PM +0530, bscha...@redhat.com wrote:
> From: Russell Bryant <russ...@ovn.org>
>
> This feature was originally proposed here:
>
> http://openvswitch.org/pipermail/dev/2016-March/067440.html
>
> A common use case for OVN ACLs involves needing to match a set of IP
> addresses.
>
> outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}
>
> This example match only has 3 addresses, but it could easily have
> hundreds of addresses. In some cases, the same large set of addresses
> needs to be used in several ACLs.
>
> This patch adds a new Address_Set table to OVN_Northbound so that a set
> of addresses can be specified once and then referred to by name in ACLs.
> To recreate the above example, you would first create an address set:
>
> $ ovn-nbctl create Address_Set name=set1
> addresses=10.0.0.5,10.0.0.25,10.0.0.50
>
> Then you can refer to this address set by name in an ACL match:
>
> outport == "lp1" && ip4.src == $set1
>
> Signed-off-by: Russell Bryant <russ...@ovn.org>
> Signed-off-by: Babu Shanmugam <bscha...@redhat.com>
> Co-authored-by: Flavio Fernandes <fla...@flaviof.com>
> Signed-off-by: Flavio Fernandes <fla...@flaviof.com>

Thanks for the patch!

There are a couple of obsolete references to address_set() syntax here,
including in the commit message.

I think that it would be a good idea to give an example in the
OVN_Northbound documentation.

The test will need a little bit of an update given that I changed the
error messages in patch 1.

Thanks,

Ben.
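
The `$set1` reference described in the quoted commit message, modelled as an added example (not code from the patch or from OVN): a small Python sketch that expands named address sets into the literal `{...}` form and refuses to expand an undefined, empty, or malformed set. The names `expand_match`, `parse_addresses`, `AddressSetError` and `SETS` are hypothetical, and the regex-based substitution is a simplification that does not parse the match language.

```python
import ipaddress
import re

# $name reference as written in the ACL match; the name grammar is assumed.
SET_REF = re.compile(r"\$([A-Za-z_]\w*)")

# Constructed sample mirroring the Address_Set row from the commit message.
SETS = {"set1": "10.0.0.5,10.0.0.25,10.0.0.50"}


class AddressSetError(ValueError):
    """Raised when a match cannot be expanded safely (hypothetical type)."""


def parse_addresses(csv):
    """Validate and de-duplicate a comma-separated address list."""
    seen, out = set(), []
    for item in (part.strip() for part in csv.split(",")):
        if not item:
            continue
        try:
            addr = ipaddress.ip_address(item)
        except ValueError as exc:
            raise AddressSetError(f"invalid address {item!r}") from exc
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def expand_match(match, address_sets):
    """Replace each $name in an ACL match with its literal {a, b, ...} set."""
    def repl(m):
        name = m.group(1)
        if name not in address_sets:
            # Fail closed: a typo in a set name must not yield a usable ACL.
            raise AddressSetError(f"undefined address set ${name}")
        addrs = parse_addresses(address_sets[name])
        if not addrs:
            # This sketch's policy choice, not documented OVN behaviour.
            raise AddressSetError(f"address set ${name} is empty")
        return "{" + ", ".join(str(a) for a in addrs) + "}"
    return SET_REF.sub(repl, match)


if __name__ == "__main__":
    print(expand_match('outport == "lp1" && ip4.src == $set1', SETS))
```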