For that matter I also have router ports like:

switch e6aa8e40-6191-4def-bbad-be0d5e144ec4 (ls_vcn1059080_external_igw)
    port ls_vcn1059080_external_igw-lr_vcn1059080_igw
        type: router
        router-port: lr_vcn1059080_igw-ls_vcn1059080_external_igw

With ACLs:
from-lport 32767 (inport == "ls_vcn1059080_external_igw-lr_vcn1059080_igw" && (icmp4.type == 3 || icmp4.type == 11 || arp)) allow-related
from-lport 32767 (inport == "ls_vcn1059080_external_igw-lr_vcn1059080_igw" && ip4.dst == $vcn1059080_allowed_underlay) allow-related
from-lport 32700 (inport == "ls_vcn1059080_external_igw-lr_vcn1059080_igw" && ip4.dst == 10.80.65.16/28) drop log(name=exa_vcn1059080_igw)
from-lport 32000 (inport == "ls_vcn1059080_external_igw-lr_vcn1059080_igw" && ip4.dst == $vcn1059080_igw_deny) drop log(name=vcn1059080_igw-ext_deny,severity=info)
from-lport  1002 (inport == "ls_vcn1059080_external_igw-lr_vcn1059080_igw" && ip4.src == $vcn1059080_igw) allow-related
from-lport     0 (inport == "ls_vcn1059080_external_igw-lr_vcn1059080_igw") drop log(name=vcn-ext_igw_drop,severity=info)

And these also work?

On 24/02/2025 11:39, Brendan Doyle via discuss wrote:
Hi,


The ACL section of the ovn-nb.5.html man page states:

match: string
...
...
...

               Note  that  you  can  not  create an ACL matching on a port with
               type=router or type=localnet.



Yet this is not what I see, it seems that ACLs work on localnet ports, I have:


ls_vcn5185721_external_ugw
     port ls_vcn5185721_external_ugw-lr_vcn5185721
         type: router
         router-port: lr_vcn5185721-ls_vcn5185721_external_ugw
     port ln-ls_vcn5185721_external_ugw
         type: localnet
         addresses: ["unknown"]


And an ACL:
   to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (icmp4.type == 3 || icmp4.type == 11)) allow-related
   to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == 169.254.169.254 && tcp.dst == 80)) drop log(name=vcn-ugw-def-2,severity=info)
   to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && arp) allow-related
   to-lport 32766 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == $vcn5185721_allowed_underlay) && (tcp.dst == 53 || tcp.dst == 443 || tcp.dst == 8443 || udp.dst == 53 || tcp.dst == 123 || udp.dst == 123)) allow-related
   to-lport     0 (outport == "ln-ls_vcn5185721_external_ugw") drop log(name=vcn-ugw-def-4,severity=info)


And the ACL is working, am I missing something, is the man page incorrect?


Thanks

Brendan


_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
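As an added example, not part of the thread and not code from the OVN project: a small Python audit that reads `ovn-nbctl show`-style port listings and `ovn-nbctl acl-list`-style ACL lines, and reports every ACL whose match names a logical switch port of type router or localnet (the case the man-page caveat covers), plus any ACL that references a port not present in the listing. This gives an operator a quick way to find the ACLs that need to be checked against observed behaviour rather than assumed to apply. The sample input is constructed from the port and ACL lines quoted above; the second switch UUID, the `vm-port-1` port and the `vm-port-typo` ACL are placeholders I added, not values from the thread.

```python
import re
from collections import namedtuple

# Constructed sample input modelled on the `ovn-nbctl show` output in the thread.
# The all-zero UUID and vm-port-1 are placeholders, not values from the thread.
SHOW_OUTPUT = """\
switch e6aa8e40-6191-4def-bbad-be0d5e144ec4 (ls_vcn1059080_external_igw)
    port ls_vcn1059080_external_igw-lr_vcn1059080_igw
        type: router
        router-port: lr_vcn1059080_igw-ls_vcn1059080_external_igw
switch 00000000-0000-0000-0000-000000000000 (ls_vcn5185721_external_ugw)
    port ls_vcn5185721_external_ugw-lr_vcn5185721
        type: router
        router-port: lr_vcn5185721-ls_vcn5185721_external_ugw
    port ln-ls_vcn5185721_external_ugw
        type: localnet
        addresses: ["unknown"]
    port vm-port-1
        addresses: ["0a:00:00:00:00:01 10.0.0.5"]
"""

# Constructed ACL lines in `ovn-nbctl acl-list` format; the last two are placeholders.
ACL_OUTPUT = """\
from-lport 32767 (inport == "ls_vcn1059080_external_igw-lr_vcn1059080_igw" && (icmp4.type == 3 || icmp4.type == 11 || arp)) allow-related
from-lport 32700 (inport == "ls_vcn1059080_external_igw-lr_vcn1059080_igw" && ip4.dst == 10.80.65.16/28) drop log(name=exa_vcn1059080_igw)
to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == 169.254.169.254 && tcp.dst == 80)) drop log(name=vcn-ugw-def-2,severity=info)
to-lport     0 (outport == "ln-ls_vcn5185721_external_ugw") drop log(name=vcn-ugw-def-4,severity=info)
to-lport  1000 (outport == "vm-port-1" && tcp.dst == 22) allow-related
from-lport  1000 (inport == "vm-port-typo" && udp.dst == 53) drop
"""

Acl = namedtuple("Acl", "direction priority match action log")

# direction, priority, (match), action, optional log(...) clause
ACL_LINE = re.compile(
    r'^\s*(from-lport|to-lport)\s+(\d+)\s+\((.*)\)\s+'
    r'(allow-related|allow-stateless|allow|drop|reject|pass)'
    r'(?:\s+log\(([^)]*)\))?\s*$'
)
# inport == "name" / outport == "name" inside a match expression
PORT_REF = re.compile(r'\b(inport|outport)\s*==\s*"([^"]+)"')


def parse_port_types(text):
    """Return {port_name: type} from `ovn-nbctl show`-style text.
    Ports with no explicit 'type:' line are ordinary VIF ports ('')."""
    types = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("port "):
            current = stripped.split(None, 1)[1]
            types[current] = ""
        elif stripped.startswith("type:") and current is not None:
            types[current] = stripped.split(":", 1)[1].strip()
    return types


def parse_acls(text):
    """Parse `ovn-nbctl acl-list` lines into Acl tuples; reject anything unrecognised."""
    acls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        direction, prio, match, action, log = m.groups()
        acls.append(Acl(direction, int(prio), match, action, log))
    return acls


def audit(acls, port_types, flagged=("router", "localnet")):
    """Return (acl, field, port, type) for each ACL whose match references a port
    whose type the ovn-nb man page says cannot be matched on."""
    findings = []
    for acl in acls:
        for field, port in PORT_REF.findall(acl.match):
            ptype = port_types.get(port)
            if ptype in flagged:
                findings.append((acl, field, port, ptype))
    return findings


def unknown_port_refs(acls, port_types):
    """Return (direction, priority, field, port) for ACLs naming a port absent from the NB listing,
    which usually means a typo that leaves the rule matching nothing."""
    return [(acl.direction, acl.priority, field, port)
            for acl in acls
            for field, port in PORT_REF.findall(acl.match)
            if port not in port_types]


if __name__ == "__main__":
    types = parse_port_types(SHOW_OUTPUT)
    acls = parse_acls(ACL_OUTPUT)
    for acl, field, port, ptype in audit(acls, types):
        print(f"{acl.direction} {acl.priority:5d} {acl.action}: {field} {port!r} is type {ptype}")
    for direction, prio, field, port in unknown_port_refs(acls, types):
        print(f"{direction} {prio:5d}: {field} {port!r} not found in NB listing")
```

Run it against real output by replacing the two constants with the text of `ovn-nbctl show` and `ovn-nbctl acl-list <switch>`; an ACL in the report is one whose effect should be confirmed from the logical flows (`ovn-sbctl lflow-list`) or from the `log(...)` entries rather than taken from the NB table alone.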