Hi,
The ACL section of the ovn-nb.5.html man page states:

    match: string
        ...
        ...
        ...
        Note that you can not create an ACL matching on a port with
        type=router or type=localnet.

Yet this is not what I see; it seems that ACLs work on localnet ports. I have:

    ls_vcn5185721_external_ugw
        port ls_vcn5185721_external_ugw-lr_vcn5185721
            type: router
            router-port: lr_vcn5185721-ls_vcn5185721_external_ugw
        port ln-ls_vcn5185721_external_ugw
            type: localnet
            addresses: ["unknown"]

And an ACL:

    to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (icmp4.type == 3 || icmp4.type == 11)) allow-related
    to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == 169.254.169.254 && tcp.dst == 80)) drop log(name=vcn-ugw-def-2,severity=info)
    to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && arp) allow-related
    to-lport 32766 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == $vcn5185721_allowed_underlay) && (tcp.dst == 53 || tcp.dst == 443 || tcp.dst == 8443 || udp.dst == 53 || tcp.dst == 123 || udp.dst == 123)) allow-related
    to-lport 0 (outport == "ln-ls_vcn5185721_external_ugw") drop log(name=vcn-ugw-def-4,severity=info)

And the ACL is working. Am I missing something, or is the man page incorrect?

Thanks
Brendan
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
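An added example, not part of the post above and not OVN project code: a small audit script that parses the logical switch port listing and the ACL list in the layout the post shows, and reports every ACL whose match names a port of type router or localnet, the case the ovn-nb(5) note says is unsupported. Whatever the answer to the question turns out to be, an inventory like this tells an operator which rules depend on that behaviour and therefore need regression testing after an OVN upgrade. The port listing and ACL lines are the post's own, embedded here as constructed input; the parser keys only on the "port" and "type:" lines and on the acl-list line shape "direction priority (match) action [log(...)]", which are assumptions about the output format rather than a general ovn-nbctl parser.

```python
import re

# Constructed input: the switch ports and ACLs quoted in the mailing-list post.
PORTS_TEXT = """\
ls_vcn5185721_external_ugw
    port ls_vcn5185721_external_ugw-lr_vcn5185721
        type: router
        router-port: lr_vcn5185721-ls_vcn5185721_external_ugw
    port ln-ls_vcn5185721_external_ugw
        type: localnet
        addresses: ["unknown"]
"""

ACLS_TEXT = """\
to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (icmp4.type == 3 || icmp4.type == 11)) allow-related
to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == 169.254.169.254 && tcp.dst == 80)) drop log(name=vcn-ugw-def-2,severity=info)
to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && arp) allow-related
to-lport 32766 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == $vcn5185721_allowed_underlay) && (tcp.dst == 53 || tcp.dst == 443 || tcp.dst == 8443 || udp.dst == 53 || tcp.dst == 123 || udp.dst == 123)) allow-related
to-lport 0 (outport == "ln-ls_vcn5185721_external_ugw") drop log(name=vcn-ugw-def-4,severity=info)
"""

# Assumed line shape of `ovn-nbctl acl-list`: direction, priority, (match), action, optional options.
ACL_RE = re.compile(
    r'^\s*(from-lport|to-lport)\s+(\d+)\s+\((.*)\)\s+'
    r'(allow-related|allow-stateless|allow|drop|reject|pass)(?:\s+(.*))?$'
)
# A port reference inside a match expression, e.g. outport == "ln-...".
PORT_REF_RE = re.compile(r'\b(inport|outport)\s*==\s*"([^"]+)"')

# Port types the ovn-nb(5) ACL "match" note says cannot be matched on.
UNSUPPORTED_TYPES = ("router", "localnet")


def parse_port_types(text):
    """Map logical switch port name -> type. Ports with no 'type:' line are
    ordinary VIF ports and get the empty-string type, as in the NB schema."""
    types = {}
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("port "):
            current = s.split(None, 1)[1]
            types[current] = ""
        elif s.startswith("type:") and current is not None:
            types[current] = s.split(":", 1)[1].strip()
    return types


def parse_acls(text):
    """Split each acl-list line into direction, priority, match, action and log flag."""
    acls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError("unrecognised ACL line: " + line)
        direction, prio, match, action, extra = m.groups()
        acls.append({
            "direction": direction,
            "priority": int(prio),
            "match": match,
            "action": action,
            "log": bool(extra and extra.startswith("log")),
        })
    return acls


def acls_on_unsupported_ports(acls, port_types):
    """Return (priority, field, port, type) for every ACL whose match names a
    port whose type the man page note says cannot be matched on."""
    findings = []
    for acl in acls:
        for field, port in PORT_REF_RE.findall(acl["match"]):
            ptype = port_types.get(port)
            if ptype in UNSUPPORTED_TYPES:
                findings.append((acl["priority"], field, port, ptype))
    return findings


if __name__ == "__main__":
    ports = parse_port_types(PORTS_TEXT)
    for prio, field, port, ptype in acls_on_unsupported_ports(parse_acls(ACLS_TEXT), ports):
        print(f"priority {prio}: {field} == {port} (type={ptype}) relies on matching a {ptype} port")
```

Running it against the post's configuration lists all five ACLs, since every one of them matches on outport == "ln-ls_vcn5185721_external_ugw", a localnet port. Replacing the two constructed strings with the live output of `ovn-nbctl show` and `ovn-nbctl acl-list <switch>` turns this into a quick pre-upgrade audit.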