Hi, now that some reject functions have been implemented and tested, other functions (e.g. TCP RST) still need to be perfected.
ovn: the implementation of icmp4 reject actions. It support icmp4 reject (e.g. icmp-net-unreachable, icmp-host-prohibited, tcp-reset, icmp-admin-prohibited, icmp-port-unreachable, icmp-net-prohibited, icmp-host-unreachable, and icmp-proto-unreachable). The icmp-net-unreachable is default. The "TCP RST” function will be completed soon. Reject action support only "from-lport" direction. In general, considering performance requirements, it might make sense to support only “from-lport” direction. Signed-off-by: nickcooper-zhangtonghao <nickcooper-zhangtong...@opencloud.tech>
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 25916da..55cc1da 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -302,7 +302,7 @@ Logical switch commands:\n\
 ls-list print the names of all logical switches\n\
 \n\
 ACL commands:\n\
- acl-add SWITCH DIRECTION PRIORITY MATCH ACTION [log]\n\
+ acl-add SWITCH DIRECTION PRIORITY MATCH ACTION [REJECT-ACTION] [log]\n\
 add an ACL to SWITCH\n\
 acl-del SWITCH [DIRECTION [PRIORITY MATCH]]\n\
 remove ACLs from SWITCH\n\
@@ -1082,9 +1082,11 @@ nbctl_acl_list(struct ctl_context *ctx)
 for (i = 0; i < ls->n_acls; i++) {
 const struct nbrec_acl *acl = acls[i];
- ds_put_format(&ctx->output, "%10s %5"PRId64" (%s) %s%s\n",
+ ds_put_format(&ctx->output, "%10s %5"PRId64" (%s) %s %s %s\n",
 acl->direction, acl->priority,
- acl->match, acl->action, acl->log ? " log" : "");
+ acl->match, acl->action,
+ strcmp(acl->action, "reject") ? "" : acl->reject_action,
+ acl->log ? "log" : "");
 }
 free(acls);
@@ -1120,6 +1122,7 @@ nbctl_acl_add(struct ctl_context *ctx)
 {
 const struct nbrec_logical_switch *ls;
 const char *action = ctx->argv[5];
+ const char *reject_action = ctx->argv[6];
 ls = ls_by_name_or_uuid(ctx, ctx->argv[1], true);
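Review bot: The new format string `"%10s %5"PRId64" (%s) %s %s %s\n"` in nbctl_acl_list emits a separator before each optional field even when that field is the empty string, so a non-reject ACL without log now prints two trailing spaces, and a reject ACL without log prints one; the old form only added `" log"` when set, and any test that compares acl-list output byte-for-byte will notice. Keep the padding with the optional value instead, e.g. `ds_put_format(&ctx->output, "%10s %5"PRId64" (%s) %s", acl->direction, acl->priority, acl->match, acl->action);` then `if (!strcmp(acl->action, "reject")) { ds_put_format(&ctx->output, " %s", acl->reject_action); }` and finally `ds_put_format(&ctx->output, "%s\n", acl->log ? " log" : "");`. Separately, this hunk passes `acl->reject_action` to `%s` unconditionally for reject rows; if the schema change that adds the reject_action column (not in this diff) declares it optional, the IDL pointer can be NULL for rows created by older clients, so confirm the column is mandatory or guard it. The enclosing loop and function continue outside the hunk.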
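Review bot: `const char *reject_action = ctx->argv[6];` in nbctl_acl_add reads the optional sixth argument before anything has checked it was supplied; the command now accepts 5 or 6 arguments, so with `ctx->argc == 6` index 6 is one past the last argument, and whether that slot holds a NULL terminator or is out of bounds depends on how ctl_context builds argv, which is not visible here. The value is only consumed under `ctx->argc == 7` later in the function, so defer the read: `const char *reject_action = ctx->argc > 6 ? ctx->argv[6] : NULL;`. nbctl_acl_add continues past the end of this hunk.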
@@ -1133,6 +1136,35 @@ nbctl_acl_add(struct ctl_context *ctx)
 "\"drop\", and \"reject\"", action);
 return;
 }
+
+ /* Validate reject action. */
+ if (strcmp(action, "reject")) {
+ reject_action = "";
+ } else {
+ if (strcmp(direction, "from-lport"))
+ ctl_fatal("%s: reject action support only \"from-lport\" direction.",
+ direction);
+
+ if (ctx->argc == 6) {
+ reject_action = "icmp-net-unreachable";
+ } else if (ctx->argc == 7) {
+ if (strcmp(reject_action, "icmp-net-unreachable")
+ && strcmp(reject_action, "icmp-host-unreachable")
+ && strcmp(reject_action, "icmp-proto-unreachable")
+ && strcmp(reject_action, "icmp-port-unreachable")
+ && strcmp(reject_action, "icmp-net-prohibited")
+ && strcmp(reject_action, "icmp-host-prohibited")
+ && strcmp(reject_action, "icmp-admin-prohibited")
+ && strcmp(reject_action, "tcp-reset")) {
+ ctl_fatal("%s: reject action must be one of \"icmp-net-unreachable\", "
+ "\"icmp-host-unreachable\", \"icmp-proto-unreachable\", "
+ "\"icmp-port-unreachable\", \"icmp-net-prohibited\", "
+ "\"icmp-host-prohibited\", \"icmp-admin-prohibited\", "
+ "and \"tcp-reset\"", reject_action);
+ return;
+ }
+ }
+ }
 /* Create the acl. */
 struct nbrec_acl *acl = nbrec_acl_insert(ctx->txn);
@@ -1140,6 +1172,7 @@ nbctl_acl_add(struct ctl_context *ctx)
 nbrec_acl_set_direction(acl, direction);
 nbrec_acl_set_match(acl, ctx->argv[4]);
 nbrec_acl_set_action(acl, action);
+ nbrec_acl_set_reject_action(acl, reject_action);
 if (shash_find(&ctx->options, "--log") != NULL) {
 nbrec_acl_set_log(acl, true);
 }
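Review bot: The `if (strcmp(action, "reject")) { reject_action = ""; }` branch silently discards a sixth argument given with allow, allow-related or drop, so a typo such as `acl-add sw from-lport 100 "ip" drop icmp-host-unreachable` succeeds with the extra word ignored rather than being rejected like every other bad argument in this function; make it `if (ctx->argc == 7) { ctl_fatal("%s: a reject action is only valid with action \"reject\"", reject_action); }` before assigning the empty string. The direction check right below it is an unbraced `if` around `ctl_fatal`, which differs from the braced style used everywhere else in this hunk, and its message would read better as `"%s: reject action is supported only in the \"from-lport\" direction"`. Note also that the from-lport restriction is enforced only in this CLI path: rows with action reject and direction to-lport can still reach the northbound database through other IDL clients or the generic set/create commands, so if ovn-northd relies on the invariant it needs its own check or documentation, which I cannot verify from this diff. nbctl_acl_add begins before and continues after this hunk.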
@@ -2139,7 +2172,7 @@ static const struct ctl_command_syntax nbctl_commands[] = {
 { "ls-list", 0, 0, "", NULL, nbctl_ls_list, NULL, "", RO },
 /* acl commands. */
- { "acl-add", 5, 5, "SWITCH DIRECTION PRIORITY MATCH ACTION", NULL,
+ { "acl-add", 5, 6, "SWITCH DIRECTION PRIORITY MATCH ACTION [REJECT-ACTIONS]", NULL,
 nbctl_acl_add, NULL, "--log", RW },
 { "acl-del", 1, 4, "SWITCH [DIRECTION [PRIORITY MATCH]]", NULL,
 nbctl_acl_del, NULL, "", RW },
thanks, nick
_______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
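Review bot: The syntax string in the nbctl_commands entry spells the new placeholder `[REJECT-ACTIONS]` while the usage text changed earlier in this patch (the hunk at line 302) spells it `[REJECT-ACTION]`; the argument is a single value, so use the singular in both places and keep the two strings identical so `--help` and the per-command usage agree. The new line is also longer than the surrounding entries, so wrapping it as `{ "acl-add", 5, 6, "SWITCH DIRECTION PRIORITY MATCH ACTION [REJECT-ACTION]",` followed by `NULL, nbctl_acl_add, NULL, "--log", RW },` matches the file's existing 79-column layout.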