On Thu, Dec 19, 2024 at 9:23 AM Brendan Doyle via discuss < ovs-discuss@openvswitch.org> wrote:
> Hi,
>
> Though the docs say Address_Sets contain addresses, MACs, IP4, IP6, could
> they contain protocol port numbers too? It would also greatly help when
> constructing ACLs. For example, say I have:
>
> ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == 22)' allow-stateless
> ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == 80)' allow-stateless
>
> I could do this instead:
>
> ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == $allowed_ports)' allow-stateless
>

You could also do

ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && ((tcp.dst == 22 || tcp.dst == 80))' allow-stateless

> Then I just have one ACL, and as IPs/ports are added I just update the
> address set.
>

I don't think address_sets supports parsing port numbers. I'm not sure if it's worth adding this support, because you can express a range of port numbers as "tcp.dst > 22 && tcp.dst < 1000", for example, or you can use "||" to match on specific port numbers.

Numan

>
> Brendan.
>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>
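As an added example (not code from the thread or from OVN), a small shell helper that generates the port clause Numan describes: specific ports are joined with "||", and runs of consecutive ports are collapsed into a range comparison, so the single ACL can be regenerated whenever the allowed port list changes. The wrapper reuses the logical switch, port and address set names from Brendan's message as assumed names; the resulting command is printed, not executed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OVN itself.
# Builds the port clause of an OVN ACL match from a list of TCP destination
# ports: isolated ports become "tcp.dst == N", runs of consecutive ports
# become "(tcp.dst >= A && tcp.dst <= B)", and the terms are joined with "||".

# Append one term for the run [$2, $3] to the expression in $1.
append_term() {
    if [ "$2" = "$3" ]; then term="tcp.dst == $2"
    else term="(tcp.dst >= $2 && tcp.dst <= $3)"; fi
    if [ -n "$1" ]; then printf '%s || %s\n' "$1" "$term"
    else printf '%s\n' "$term"; fi
}

tcp_dst_match() {
    for p in "$@"; do
        # Reject anything that is not a valid TCP port number.
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    out=""; start=""; prev=""
    # Sort numerically and drop duplicates so runs are detected in one pass.
    for p in $(printf '%s\n' "$@" | sort -n -u); do
        if [ -z "$start" ]; then
            start=$p; prev=$p
        elif [ "$p" -eq $((prev + 1)) ]; then
            prev=$p                       # extend the current run
        else
            out=$(append_term "$out" "$start" "$prev")
            start=$p; prev=$p
        fi
    done
    if [ -n "$start" ]; then out=$(append_term "$out" "$start" "$prev"); fi
    printf '%s\n' "$out"
}

# The single ACL from the thread with the port clause generated above.
# ls_external_ugw, ln-ls_external_ugw, $private_allowed and $mn_mapping_ips
# are the names Brendan used; substitute your own.
ugw_acl_cmd() {
    ports=$(tcp_dst_match "$@") || return 1
    printf "ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == \"ln-ls_external_ugw\" && (ip4.dst == \$private_allowed && ip4.src == \$mn_mapping_ips) && (%s)' allow-stateless\n" "$ports"
}
```

Run `ugw_acl_cmd 22 80 443 8080 8081 8082` to see the generated command; pipe it to sh only after reviewing the output.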