ovn: the implementation of icmp4 reject actions.
ACLs support the "icmp-reject" actions. Adds a row with the icmp4-reject contents to the Logical_Flow table.
Signed-off-by: nickcooper-zhangtonghao <nickcooper-zhangtong...@opencloud.tech>
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 6712d21..78679b1 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -1625,11 +1625,42 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)
 acl->priority + OVN_ACL_PRI_OFFSET,
 acl->match, "drop;");
 } else if (!strcmp(acl->action, "reject")) {
- /* xxx Need to support "reject". */
- VLOG_INFO("reject is not a supported action");
+
+ /* ACLs support the "icmp-reject" actions.
+ * icmp-net-unreachable
+ * icmp-host-unreachable
+ * icmp-proto-unreachable
+ * icmp-port-unreachable
+ * icmp-net-prohibited
+ * icmp-host-prohibited
+ * icmp-admin-prohibited */
+
+ char reject_action[200];
+ uint8_t icmp_type = 3, icmp_code = 0;
+
+ if (!strcmp(acl->reject_action, "icmp-net-unreachable")) {
+ icmp_code = 0;
+ } else if (!strcmp(acl->reject_action, "icmp-host-unreachable")) {
+ icmp_code = 1;
+ } else if (!strcmp(acl->reject_action, "icmp-proto-unreachable")) {
+ icmp_code = 2;
+ } else if (!strcmp(acl->reject_action, "icmp-port-unreachable")) {
+ icmp_code = 3;
+ } else if (!strcmp(acl->reject_action, "icmp-net-prohibited")) {
+ icmp_code = 9;
+ } else if (!strcmp(acl->reject_action, "icmp-host-prohibited")) {
+ icmp_code = 10;
+ } else if (!strcmp(acl->reject_action, "icmp-admin-prohibited")) {
+ icmp_code = 13;
+ }
+
+ sprintf(reject_action, "icmp4 { eth.src<->eth.dst; ip4.src<->ip4.dst;"
+ "icmp4.type = %d; icmp4.code = %d; outport = inport; inport = \"\";output;};",
+ icmp_type, icmp_code);
+
+
 ovn_lflow_add(lflows, od, stage,
 acl->priority + OVN_ACL_PRI_OFFSET,
- acl->match, "drop;");
+ acl->match, reject_action);
 }
 }
 }
thanks, nick
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
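Review bot: `acl->reject_action` goes straight into `strcmp()` in the new `reject` branch, so an unset column would be a NULL dereference in ovn-northd (whether the column can be empty is not visible here, since the schema change is not part of this patch), and any value outside the seven listed strings silently becomes code 0 because the chain has no final `else`. I would normalise the pointer once, log unrecognised values with a rate-limited warning and install `drop;` for them, as in the sketch below. The `sprintf` into `reject_action[200]` fits the current fixed format, but `snprintf` with `sizeof reject_action` keeps the write bounded if the action text ever grows. build_acls starts and ends outside the hunk.

```c
/* reject_action may be unset or hold a value this version does not know;
 * fall back to "drop;" rather than guessing an ICMP code. */
const char *ra = acl->reject_action ? acl->reject_action : "";
bool known = true;

if (!strcmp(ra, "icmp-net-unreachable")) {
    icmp_code = 0;
/* … unchanged: the other six comparisons, now against ra … */
} else {
    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
    VLOG_WARN_RL(&rl, "unknown reject_action \"%s\", dropping instead", ra);
    known = false;
}

snprintf(reject_action, sizeof reject_action,
         /* … unchanged: format string … */
         icmp_type, icmp_code);

ovn_lflow_add(lflows, od, stage,
              acl->priority + OVN_ACL_PRI_OFFSET,
              acl->match, known ? reject_action : "drop;");
```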