From patchwork Sat Sep 5 00:39:01 2015
X-Patchwork-Submitter: Justin Pettit
X-Patchwork-Id: 514780
From: Justin Pettit
To: dev@openvswitch.org
Date: Fri, 4 Sep 2015 17:39:01 -0700
Message-Id: <1441413542-92140-1-git-send-email-jpettit@nicira.com>
Subject: [ovs-dev] [PATCH 1/2] ovn-nb: Add direction and reduce max priority for ACLs.

Introduce a new "direction" column to the ACL table that accepts the
values "to-lport" and "from-lport". Also reserve the ACL priority 65535
for return traffic associated with the "allow-related" action.

Signed-off-by: Justin Pettit
Acked-by: Ben Pfaff
---
 ovn/ovn-nb.ovsschema |  4 ++-
 ovn/ovn-nb.xml       | 66 +++++++++++++++++++++++++++++++++++--------------
 2 files changed, 50 insertions(+), 20 deletions(-)

diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index f17b649..20fdc79 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -54,7 +54,9 @@ "columns": { "priority": {"type": {"key": {"type": "integer", "minInteger": 1, - "maxInteger": 65535}}}, + "maxInteger": 65534}}}, + "direction": {"type": {"key": {"type": "string", + "enum": ["set", ["from-lport", "to-lport"]]}}}, "match": {"type": "string"}, "action": {"type": {"key": {"type": "string", "enum": ["set", ["allow", "allow-related", "drop", "reject"]]}}}, diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index ade8164..4289631 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -211,22 +211,55 @@

- The ACL rule's priority. Rules with numerically higher priority take - precedence over those with lower. If two ACL rules with the same - priority both match, then the one actually applied to a packet is - undefined. +

+ The ACL rule's priority. Rules with numerically higher priority + take precedence over those with lower. If two ACL rules with + the same priority both match, then the one actually applied to a + packet is undefined. +

+ +

+ Return traffic from an allow-related flow is always + allowed and cannot be changed through an ACL. +

+
+ + +

Direction of the traffic to which this rule should apply:

+
    +
  • + from-lport: Used to implement filters on traffic + arriving from a logical port. These rules are applied to the + logical switch's ingress pipeline. +
  • +
  • + to-lport: Used to implement filters on traffic + forwarded to a logical port. These rules are applied to the + logical switch's egress pipeline. +
  • +
- The packets that the ACL should match, in the same expression language - used for the column in the OVN Southbound database's table. Match - inport and outport against names of logical - ports within to implement ingress and egress - ACLs, respectively. In logical switches connected to logical routers, - the special port name ROUTER refers to the logical router - port. +

+ The packets that the ACL should match, in the same expression + language used for the column in the OVN Southbound database's + table. The + outport logical port is only available in the + to-lport direction. +

+ +

+ By default all traffic is allowed. When writing a more + restrictive policy, it is important to remember to allow flows + such as ARP and IPv6 neighbor discovery packets. +

+ +

+ In logical switches connected to logical routers, the special + port name ROUTER refers to the logical router port. +

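Review bot: the new note under the priority column ("Return traffic from an allow-related flow is always allowed and cannot be changed through an ACL") never says that this traffic is what priority 65535 is reserved for, so a reader of the rendered documentation cannot tell why the maximum priority dropped to 65534 in the schema hunk; add the reserved value here, as the commit message already does. The rewritten match paragraph also states only that outport is available in the to-lport direction, while the removed text covered both inport and outport; one clause saying whether inport may be matched in both directions would make the direction/match interaction complete.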
@@ -249,14 +282,9 @@
  • reject: Drop the packet, replying with a RST for TCP or ICMP unreachable message for other IP-based protocols. + Not implemented--currently treated as drop
  • - -

    - Only allow and drop are implemented: - allow-related is currently treated as allow, - and reject as drop. -
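Review bot: the removed paragraph documented two unimplemented actions (allow-related treated as allow, reject treated as drop), but the replacement keeps only the reject caveat ("Not implemented--currently treated as drop"). If allow-related is now implemented, as the new priority-column note about return traffic implies, the commit message should say so; otherwise the allow-related caveat should be retained. The added caveat line also lacks a terminating period.

Review bot: in the ovn-nb.ovsschema hunk, the new "direction" column is an enum key with no "min": 0, so it is mandatory for every ACL row, and the hunk provides no default; ACL rows created under the previous schema will have no direction at all. State in the commit message how pre-existing rows are expected to acquire a direction, or declare the column optional ("min": 0) with a documented default until every writer populates it.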