From patchwork Sat Sep 5 00:39:01 2015
X-Patchwork-Submitter: Justin Pettit
X-Patchwork-Id: 514780
From: Justin Pettit
To: dev@openvswitch.org
Date: Fri, 4 Sep 2015 17:39:01 -0700
Message-Id: <1441413542-92140-1-git-send-email-jpettit@nicira.com>
Subject: [ovs-dev] [PATCH 1/2] ovn-nb: Add direction and reduce max priority for ACLs.

Introduce a new "direction" column to the ACL table that accepts the
values "to-lport" and "from-lport". Also reserve the ACL priority 65535
for return traffic associated with the "allow-related" action.
Signed-off-by: Justin Pettit
Acked-by: Ben Pfaff
---
ovn/ovn-nb.ovsschema | 4 ++-
ovn/ovn-nb.xml | 66 +++++++++++++++++++++++++++++++++++--------------
2 files changed, 50 insertions(+), 20 deletions(-)
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index f17b649..20fdc79 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -54,7 +54,9 @@
"columns": {
"priority": {"type": {"key": {"type": "integer",
"minInteger": 1,
- "maxInteger": 65535}}},
+ "maxInteger": 65534}}},
+ "direction": {"type": {"key": {"type": "string",
+ "enum": ["set", ["from-lport", "to-lport"]]}}},
"match": {"type": "string"},
"action": {"type": {"key": {"type": "string",
"enum": ["set", ["allow", "allow-related", "drop", "reject"]]}}},
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index ade8164..4289631 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -211,22 +211,55 @@
- The ACL rule's priority. Rules with numerically higher priority take
- precedence over those with lower. If two ACL rules with the same
- priority both match, then the one actually applied to a packet is
- undefined.
+
+ The ACL rule's priority. Rules with numerically higher priority
+ take precedence over those with lower. If two ACL rules with
+ the same priority both match, then the one actually applied to a
+ packet is undefined.
+
+
+
+ Return traffic from an allow-related
flow is always
+ allowed and cannot be changed through an ACL.
+
+
+
+
+ Direction of the traffic to which this rule should apply:
+
+ -
+
from-lport
: Used to implement filters on traffic
+ arriving from a logical port. These rules are applied to the
+ logical switch's ingress pipeline.
+
+ -
+
to-lport
: Used to implement filters on traffic
+ forwarded to a logical port. These rules are applied to the
+ logical switch's egress pipeline.
+
+
- The packets that the ACL should match, in the same expression language
- used for the column in the OVN Southbound database's table. Match
- inport
and outport
against names of logical
- ports within to implement ingress and egress
- ACLs, respectively. In logical switches connected to logical routers,
- the special port name ROUTER
refers to the logical router
- port.
+
+ The packets that the ACL should match, in the same expression
+ language used for the column in the OVN Southbound database's
+ table. The
+ outport
logical port is only available in the
+ to-lport
direction.
+
+
+
+ By default all traffic is allowed. When writing a more
+ restrictive policy, it is important to remember to allow flows
+ such as ARP and IPv6 neighbor discovery packets.
+
+
+
+ In logical switches connected to logical routers, the special
+ port name ROUTER
refers to the logical router port.
+
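Review bot: the new priority paragraph says return traffic from an allow-related flow "is always allowed and cannot be changed through an ACL" but never states the mechanism the commit message describes, namely that priority 65535 is reserved for that return traffic; without it a reader cannot tell why the column's maximum is now 65534. Suggest adding to that paragraph a sentence such as "This return traffic is matched at priority 65535, which is reserved and cannot be used by ACL rules." Two smaller points in the same hunk: the `from-lport`/`to-lport` list describes which pipeline each direction uses but not which match fields are valid in each, while the match paragraph only says `outport` is limited to `to-lport`; stating explicitly that `inport` is usable in both directions would make the two sections consistent. And the "By default all traffic is allowed" note is the security-relevant caveat of this change, since a restrictive policy that forgets ARP and IPv6 neighbor discovery silently breaks connectivity; a concrete example of such an allow rule at a priority below the reserved one would prevent a common misconfiguration.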
@@ -249,14 +282,9 @@
reject
: Drop the packet, replying with a RST for TCP or
ICMP unreachable message for other IP-based protocols.
+ Not implemented--currently treated as drop
-
-
- Only allow
and drop
are implemented:
- allow-related
is currently treated as allow
,
- and reject
as drop
.
-
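Review bot: the deleted paragraph recorded two limitations, allow-related treated as allow and reject treated as drop, but the hunk only re-adds the reject caveat as "Not implemented--currently treated as drop". Unless the second patch in this series implements allow-related, the documentation now claims behaviour that does not exist (the new priority text in the previous hunk already asserts that return traffic "is always allowed"); either keep the allow-related caveat here or say in the commit message that it is dropped because 2/2 implements it. The new sentence is also missing its terminal period, and the double hyphen should follow the punctuation used by the surrounding action descriptions.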