On Sun, Jul 03, 2016 at 10:35:26AM -0500, Ryan Moats wrote:
> From: Russell Bryant <russ...@ovn.org>
>
> This feature was originally proposed here:
>
> http://openvswitch.org/pipermail/dev/2016-March/067440.html
>
> A common use case for OVN ACLs involves needing to match a set of IP
> addresses.
>
> outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}
>
> This example match only has 3 addresses, but it could easily have
> hundreds of addresses. In some cases, the same large set of addresses
> needs to be used in several ACLs.
>
> This patch adds a new Address_Set table to OVN_Northbound so that a set
> of addresses can be specified once and then referred to by name in ACLs.
> To recreate the above example, you would first create an address set:
>
> $ ovn-nbctl create Address_Set name=set1
> addresses="10.0.0.5","10.0.0.25","10.0.0.50"
>
> Then you can refer to this address set by name in an ACL match:
>
> outport == "lp1" && ip4.src == $set1
>
> Signed-off-by: Russell Bryant <russ...@ovn.org>
> Signed-off-by: Babu Shanmugam <bscha...@redhat.com>
> Co-authored-by: Flavio Fernandes <fla...@flaviof.com>
> Signed-off-by: Flavio Fernandes <fla...@flaviof.com>
Thanks. I applied this to master. I folded in the following tweaks. The most notable change is to the example, which originally didn't work. It was also a little long to show on a single line in the formatted version, so I changed it from Ethernet to IP addresses. --8<--------------------------cut here-------------------------->8-- diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index fdc1ec4..2469dc2 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -506,20 +506,21 @@ <table name="Address_Set" title="Address Sets"> <p> Each row in this table represents a named set of addresses. - An address set may contain MAC, IPv4, or IPv6 addresses and cidrs. - The address set will ultimately be used in ACLs, where a certain - type of field such as ip4.src or ip6.src will be compared with the - address set. So, a single address set must contain addresses of the + An address set may contain Ethernet, IPv4, or IPv6 addresses + with optional bitwise or CIDR masks. + Address set may ultimately be used in ACLs to compare against + fields such as <code>ip4.src</code> or <code>ip6.src</code>. + A single address set must contain addresses of the same type. As an example, the following would create an address set - with three MAC addresses: + with three IP addresses: </p> - <p> - ovn-nbctl create Address_Set name=set1 addresses="f0:00:00:00:00:11","f0:00:00:00:00:21","f0:00:00:00:00:31" - </p> + <pre> + ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3' + </pre> <p> - Address sets can be used in the <ref column="match" table="ACL"/> column + Address sets may be used in the <ref column="match" table="ACL"/> column of the <ref table="ACL"/> table. For syntax information, see the details of the expression language used for the <ref column="match" table="Logical_Flow" db="OVN_Southbound"/> column in the <ref 
@@ -528,15 +529,11 @@ </p> <column name="name"> - <p> - A name for the address set. This must be unique among all address sets. - </p> + A name for the address set. This must be unique among all address sets. </column> <column name="addresses"> - <p> - The set of addresses in string form. - </p> + The set of addresses in string form. </column> <group title="Common Columns">
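Review bot: in the first hunk (ovn-nb.xml @@ -506,20 +506,21 @@), the rewritten sentence "Address set may ultimately be used in ACLs to compare against fields such as ip4.src or ip6.src" drops its article; "An address set may ultimately be used" or "Address sets may ultimately be used" would match the later "Address sets may be used in the match column". The new <pre> example also quotes the whole set as one space-separated string ('10.0.0.1 10.0.0.2 10.0.0.3'), while the commit message above shows the individually quoted, comma-separated form ("10.0.0.5","10.0.0.25","10.0.0.50"); since the reply says the original example did not work, either the commit message's example should be brought in line with the documented form or the column text should say explicitly that addresses takes a single space-separated string, so readers do not copy the non-working form.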
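Review bot: in the second hunk (@@ -528,15 +529,11 @@), the name column keeps the sentence "This must be unique among all address sets", but nothing in this patch shows whether that uniqueness is enforced by the OVN_Northbound schema or is only a convention; if it is not enforced, two rows with the same name would make a $name reference in an ACL match ambiguous, so the docs should either say the schema enforces it or say what happens on a duplicate. The addresses column description ("The set of addresses in string form") is also now the only text at the column, and it says nothing about the accepted entry forms or the one-type-per-set rule stated in the table introduction; a one-line restatement there would help readers who jump straight to the column.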
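The Address_Set semantics the commit message and the documentation hunk describe (one named set, referenced as $name in an ACL match, all entries of a single address type, optional CIDR masks) as an added example that is not part of this thread or of OVN's own code: a small Python model that classifies each entry, rejects a set that mixes Ethernet and IP addresses, checks that the referenced set fits the field it is compared with, and expands a `$name` reference into the literal `{...}` form the match would otherwise spell out. The function names (`classify`, `validate_address_set`, `expand_match`) and the `FIELD_TYPES` table are this example's own, and the sample sets are constructed; in OVN the reference is resolved by ovn-northd when it compiles ACL matches into logical flows, not by a client script.

```python
"""Model of OVN Address_Set semantics (added example, not OVN code).

Assumptions: function names are hypothetical and the sample sets below are
constructed for the example.  Real OVN resolves $name inside ovn-northd
when it turns ACL matches into logical flows; this script only mirrors the
rules the documentation states.
"""
import ipaddress
import re

# Match fields that may be compared against an address set, and the address
# type each expects.  ip4.src / ip6.src appear in the thread; the others are
# the corresponding OVN logical-flow fields.
FIELD_TYPES = {
    "eth.src": "eth", "eth.dst": "eth",
    "ip4.src": "ip4", "ip4.dst": "ip4",
    "ip6.src": "ip6", "ip6.dst": "ip6",
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
# "field == $name": the reference form used in an ACL match.
REF_RE = re.compile(r"(?P<field>[a-z0-9.]+)\s*==\s*\$(?P<name>[A-Za-z_]\w*)")


def classify(entry: str) -> str:
    """Return 'eth', 'ip4' or 'ip6' for one address-set entry.

    Accepts bare addresses and CIDR or dotted netmasks (e.g. 10.0.0.0/24).
    Non-contiguous bitwise masks, which OVN's expression language also
    allows, are rejected by ipaddress and therefore raise ValueError here.
    """
    if MAC_RE.match(entry):
        return "eth"
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        raise ValueError(f"unrecognised address-set entry {entry!r}") from exc
    return "ip4" if net.version == 4 else "ip6"


def validate_address_set(name: str, entries: list[str]) -> str:
    """Enforce the documented rule that one set holds one address type."""
    if not entries:
        raise ValueError(f"address set ${name} is empty")
    kinds = {classify(e) for e in entries}
    if len(kinds) != 1:
        raise ValueError(f"address set ${name} mixes types {sorted(kinds)}")
    return kinds.pop()


def expand_match(match: str, address_sets: dict[str, list[str]]) -> str:
    """Rewrite 'field == $name' into 'field == {a, b, c}'.

    Also rejects a reference whose set type does not fit the field, e.g. an
    IPv6 field compared against a set of IPv4 addresses.
    """
    def replace(m: re.Match) -> str:
        field, name = m.group("field"), m.group("name")
        if name not in address_sets:
            raise KeyError(f"unknown address set ${name}")
        set_type = validate_address_set(name, address_sets[name])
        expected = FIELD_TYPES.get(field)
        if expected is not None and expected != set_type:
            raise ValueError(f"{field} compared against {set_type} set ${name}")
        return f"{field} == {{{', '.join(address_sets[name])}}}"

    return REF_RE.sub(replace, match)


if __name__ == "__main__":
    # Constructed sample: the set from the commit message plus an IPv6 one.
    sets = {
        "set1": ["10.0.0.5", "10.0.0.25", "10.0.0.50"],
        "v6hosts": ["fd00::1", "fd00:1::/64"],
    }
    print(expand_match('outport == "lp1" && ip4.src == $set1', sets))
    print(expand_match("ip6.dst == $v6hosts", sets))
    try:
        validate_address_set("bad", ["10.0.0.1", "f0:00:00:00:00:11"])
    except ValueError as err:
        print("rejected:", err)
```

Running the script expands the commit message's match back into `outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}`, and the last call shows the mixed Ethernet/IPv4 set being refused, which is the check a northbound client would want before creating a row that the documentation says must be homogeneous.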