On Thu, Dec 19, 2024 at 10:04 AM <brendan.do...@oracle.com> wrote:
>
> On 19/12/2024 14:57, Numan Siddique wrote:
>
> On Thu, Dec 19, 2024 at 9:23 AM Brendan Doyle via discuss <ovs-discuss@openvswitch.org> wrote:
>
>> Hi,
>>
>> Though the docs say Address_Sets contain address, MACs, IP4, IP6 could they contain protocol port numbers too, it would also greatly help when constructing ACLs, for example say I have:
>>
>> ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == 22)' allow-stateless
>> ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == 80)' allow-stateless
>>
>> I could do this instead:
>>
>> ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && (tcp.dst == $allowed_ports)' allow-stateless
>>
> You could also do
>
> ovn-nbctl acl-add ls_external_ugw from-lport 32700 'inport == "ln-ls_external_ugw" && (ip4.dst == $private_allowed && ip4.src == $mn_mapping_ips) && ((tcp.dst == 22 || tcp.dst == 80))' allow-stateless
>
> I know but that means I have to modify the ACL each time, just nicer if I could add to an Address Set like I can for IP addresses.
>
>> Then I just have one ACL, and as IPs/ports are added I just update the address set.
>>
>
> I don't think address_sets supports parsing port numbers.
>
> I'm not sure if it's worth adding this support. Because you can express a range of port numbers as "tcp.dst > 22 && tcp.dst < 1000" for example or you can use "||" to match on specific port numbers.
>
> OK.
>

I'm OK if having this feature makes the life of a CMS easier. Feel free to submit a patch if you're planning to.

Numan

>
> Numan
>
>>
>> Brendan.
>>
>> _______________________________________________
>> discuss mailing list
>> disc...@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>>