On 19/12/2024 14:57, Numan Siddique wrote:


On Thu, Dec 19, 2024 at 9:23 AM Brendan Doyle via discuss <ovs-discuss@openvswitch.org> wrote:

    Hi,

    Though the docs say Address_Sets contain addresses (MACs, IP4, IP6),
    could they contain protocol port numbers too? It would also greatly help
    when constructing ACLs. For example, say I have:

    ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == 22)' allow-stateless
    ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == 80)' allow-stateless


    I could do this instead:

    ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == $allowed_ports)' allow-stateless



You could also do:

ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && ((tcp.dst == 22 || tcp.dst == 80))' allow-stateless

I know, but that means I have to modify the ACL each time. It would just be nicer if I could add to an Address Set like I can for IP addresses.


    Then I just have one ACL, and as IPs/ports are added I just update
    the address set.


I don't think address_sets support parsing port numbers.

I'm not sure if it's worth adding this support, because you can express a range of port numbers as "tcp.dst > 22 && tcp.dst < 1000", for example, or you can use "||" to match on specific port numbers.

OK.


Numan



    Brendan.

    _______________________________________________
    discuss mailing list
    disc...@openvswitch.org
    https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
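Added example, not code from the thread or from OVN itself: a small POSIX sh helper that generates the single-ACL form Numan suggests, turning a port list (single ports and inclusive LO-HI ranges) into a "||" / comparison clause and printing the corresponding ovn-nbctl line, so the ACL no longer has to be hand-edited per port. The switch name, the two address-set names and the port list are taken from the question or constructed here as assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): Address_Sets hold addresses, not ports,
# so the port list is expanded into the match expression instead.
# Switch name, address-set names and ports below are constructed assumptions.

# is_port N -> succeeds if N is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_port_match PORT|LO-HI ... -> prints e.g.
#   (tcp.dst == 22 || tcp.dst == 80 || (tcp.dst >= 8000 && tcp.dst <= 8100))
# Fails (exit 1, no output) on an empty list or any malformed/out-of-range entry,
# so a bad port list never reaches ovn-nbctl as a half-built match.
build_port_match() {
    [ $# -gt 0 ] || return 1
    clause=""
    for p in "$@"; do
        case "$p" in
            *-*)   # inclusive range LO-HI, expressed with relational operators
                lo=${p%%-*}; hi=${p#*-}
                is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ] || return 1
                term="(tcp.dst >= $lo && tcp.dst <= $hi)" ;;
            *)     # single port
                is_port "$p" || return 1
                term="tcp.dst == $p" ;;
        esac
        clause="${clause:+$clause || }$term"
    done
    printf '(%s)\n' "$clause"
}

# acl_add_cmd SWITCH PRIO PORT... -> prints one ovn-nbctl acl-add line that
# replaces the per-port ACLs from the original question (same address sets).
acl_add_cmd() {
    sw=$1; prio=$2; shift 2
    ports=$(build_port_match "$@") || return 1
    match="inport == \"ln-$sw\" && (ip4.dst == \$private_allowed && ip4.src == \$mn_mapping_ips) && $ports"
    printf "ovn-nbctl acl-add %s from-lport %s '%s' allow-stateless\n" "$sw" "$prio" "$match"
}

# Constructed sample: SSH, HTTP and an inclusive range of application ports.
acl_add_cmd ls_external_ugw 32700 22 80 8000-8100
```

The script only prints the command; pipe its output to sh (or wrap the call in eval) on a host with ovn-nbctl to apply it.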
    
<https://urldefense.com/v3/__https://mail.openvswitch.org/mailman/listinfo/ovs-discuss__;!!ACWV5N9M2RV99hQ!KLEBgSvqqbnWuNVwpvxKjH0ox7HefnpkLPfs_S8uoajS0Qqa8lviQ9Ueud5di-ojKZm4YUxVYCki-3TDd6rjk80$>
