@@ -1,7 +1,7 @@
{
"name": "OVN_Northbound",
"version": "5.0.0",
- "cksum": "849073644 7576",
+ "cksum": "2026671360 7919",
"tables": {
"Logical_Switch": {
"columns": {
@@ -87,6 +87,10 @@
"match": {"type": "string"},
"action": {"type": {"key": {"type": "string",
"enum": ["set", ["allow", "allow-related", "drop", "reject"]]}}},
+ "reject_action": {"type": {"key": {"type": "string",
+ "enum": ["set", ["icmp-net-unreachable", "icmp-host-unreachable",
+ "icmp-proto-unreachable", "icmp-port-unreachable", "icmp-net-prohibited",
+ "icmp-host-prohibited", "icmp-admin-prohibited", "tcp-reset", ""]]}}},
"log": {"type": "boolean"},
"external_ids": {
"type": {"key": "string", "value": "string”,
@@ -681,13 +681,51 @@
</li>
<li>
- <code>reject</code>: Drop the packet, replying with a RST for TCP or
- ICMP unreachable message for other IP-based protocols.
- <code>Not implemented--currently treated as drop</code>
+ <code>reject</code>: Reject the packet, replying with a RST for TCP or
+ ICMP unreachable message for other IP-based protocols. Reject action support only <code>from-lport</code> direction.
</li>
</ul>
</column>
+ <column name="reject_action">
+ <p>The action to take when the reject ACL rule matches:</p>
+ <ul>
+ <li>
+ <code>icmp-net-unreachable</code>: ICMP network unreachable (default).
+ </li>
+
+ <li>
+ <code>icmp-host-unreachable</code>: ICMP host unreachable.
+ </li>
+
+ <li>
+ <code>icmp-proto-unreachable</code>: ICMP protocol unreachable.
+ </li>
+
+ <li>
+ <code>icmp-port-unreachable</code>: ICMP port unreachable.
+ </li>
+
+ <li>
+ <code>icmp-net-prohibited</code>: ICMP network prohibited.
+ </li>
+
+ <li>
+ <code>icmp-host-prohibited</code>: ICMP host prohibited.
+ </li>
+
+ <li>
+ <code>icmp-admin-prohibited</code>: ICMP administratively prohibited.
+ </li>
+
+ <li>
+ <code>tcp-reset</code>: TCP RST packet.
+ <code>Not implemented--currently treated as icmp-net-unreachable</code>
+ </li>
+
+ </ul>
+ </column>
+
<column name="log">
<p>
If set to <code>true</code>, packets that match the ACL will trigger a
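Review bot: the reject item still promises "a RST for TCP", while the new tcp-reset entry says "Not implemented--currently treated as icmp-net-unreachable", so the two descriptions contradict each other; state in the reject item that TCP resets are not sent yet. The added sentence in that item should read "The reject action is supported only in the from-lport direction" and should say what happens to a reject ACL configured for the other direction, since an operator relying on it for filtering needs to know whether traffic is dropped or passed. The "Not implemented" remark is prose and should not be wrapped in <code>, and the "" value that the schema accepts is not documented in this column.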
@@ -1251,10 +1251,6 @@
<li><code>icmp4.code = 1</code> (host unreachable)</li>
</ul>
- <p>
- Details TBD.
- </p>
-
<p><b>Prerequisite:</b> <code>ip4</code></p>
</dd>
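Review bot: the "Details TBD." paragraph is deleted without anything taking its place, so this action is still described only by its code list and the ip4 prerequisite. Replace the placeholder with a description of the behaviour (what is sent, to whom, and what happens to the original packet) rather than only removing it.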
ovn: the implementation of icmp4 reject actions.

Update the ovn manpage and ovn-nb.ovsschema for icmp4 reject actions.

Signed-off-by: nickcooper-zhangtonghao <nickcooper-zhangtonghao@opencloud.tech>

thanks,
nick