From patchwork Tue Oct 18 15:59:35 2022
X-Patchwork-Submitter: Adrian Moreno
X-Patchwork-Id: 1691615
From: Adrian Moreno
To: dev@openvswitch.org
Date: Tue, 18 Oct 2022 17:59:35 +0200
Message-Id: <20221018155936.1394396-2-amorenoz@redhat.com>
In-Reply-To: <20221018155936.1394396-1-amorenoz@redhat.com>
References: <20221018155936.1394396-1-amorenoz@redhat.com>
Subject: [ovs-dev] [RFC ovn 1/2] northd: add ACL Sampling

Introduce a new table called Sample where per-flow IPFIX configuration can be specified. Also, reference rows from such table from the ACL table to enable the configuration of ACL sampling. If enabled, northd will add a sample action to each ACL-related logical flow.

Signed-off-by: Adrian Moreno
--- northd/northd.c | 31 ++++++++++++++++++++++++++++++- ovn-nb.ovsschema | 23 ++++++++++++++++++++++- ovn-nb.xml | 31 +++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 2 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 61d474840..3e09e3a0f 100644 --- a/northd/northd.c 
+++ b/northd/northd.c @@ -6194,6 +6194,27 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl, ds_put_cstr(actions, "); "); } +static void +build_acl_sample(struct ds *actions, const struct nbrec_acl *acl) +{ + if (!acl->sample) { + return; + } + ds_put_format(actions, "sample(probability=%"PRId16"," + "collector_set=%d," + "obs_domain=%hd,", + (uint16_t) acl->sample->probability, + (uint32_t) acl->sample->collector_set_id, + (uint8_t) acl->sample->obs_domain_id); + + if (acl->sample->obs_point_id) { + ds_put_format(actions, "obs_point=%"PRId32");", + (uint32_t) *acl->sample->obs_point_id); + } else { + ds_put_cstr(actions, "obs_point=$cookie);"); + } +} + static void build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, enum ovn_stage stage, struct nbrec_acl *acl, @@ -6260,6 +6281,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, if (!strcmp(acl->action, "allow-stateless")) { ds_clear(actions); build_acl_log(actions, acl, meter_groups); + build_acl_sample(actions, acl); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, @@ -6275,6 +6297,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, if (!has_stateful) { ds_clear(actions); build_acl_log(actions, acl, meter_groups); + build_acl_sample(actions, acl); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, @@ -6304,6 +6327,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, REG_LABEL" = %"PRId64"; ", acl->label); } build_acl_log(actions, acl, meter_groups); + build_acl_sample(actions, acl); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, 
@@ -6329,6 +6353,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, REG_LABEL" = %"PRId64"; ", acl->label); } build_acl_log(actions, acl, meter_groups); + build_acl_sample(actions, acl); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, @@ -6349,7 +6374,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, */ bool log_related = smap_get_bool(&acl->options, "log-related", false); - if (acl->log && acl->label && log_related) { + if ((acl->log || acl->sample) && acl->label && log_related) { /* Related/reply flows need to be set on the opposite pipeline * from where the ACL itself is set. */ @@ -6365,6 +6390,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, use_ct_inv_match ? " && !ct.inv" : "", ct_blocked_match, acl->label); build_acl_log(actions, acl, meter_groups); + build_acl_sample(actions, acl); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, log_related_stage, UINT16_MAX - 2, @@ -6402,6 +6428,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, } else { ds_put_format(match, " && (%s)", acl->match); build_acl_log(actions, acl, meter_groups); + build_acl_sample(actions, acl); ds_put_cstr(actions, debug_implicit_drop_action()); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, @@ -6430,6 +6457,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, } else { ds_put_format(match, " && (%s)", acl->match); build_acl_log(actions, acl, meter_groups); + build_acl_sample(actions, acl); ds_put_cstr(actions, debug_implicit_drop_action()); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, 
@@ -6447,6 +6475,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, actions, &acl->header_, meter_groups); } else { build_acl_log(actions, acl, meter_groups); + build_acl_sample(actions, acl); ds_put_cstr(actions, debug_implicit_drop_action()); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index 174364c8b..6178b532e 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", "version": "6.3.0", - "cksum": "4042813038 31869", + "cksum": "3795038812 33116", "tables": { "NB_Global": { "columns": { @@ -30,6 +30,23 @@ "ipsec": {"type": "boolean"}}, "maxRows": 1, "isRoot": true}, + "Sample": { + "columns": { + "probability": {"type": {"key": {"type": "integer", + "minInteger": 0, + "maxInteger": 65535}}}, + "collector_set_id": {"type": {"key": {"type": "integer", + "minInteger": 0, + "maxInteger": 4294967295}}}, + "obs_domain_id": {"type": {"key": {"type": "integer", + "minInteger": 0, + "maxInteger": 255}}}, + "obs_point_id": {"type": {"key": {"type": "integer", + "minInteger": 0, + "maxInteger": 4294967295}, + "min": 0, "max":1}} + } + }, "Copp": { "columns": { "name": {"type": "string"}, @@ -267,6 +284,10 @@ "label": {"type": {"key": {"type": "integer", "minInteger": 0, "maxInteger": 4294967295}}}, + "sample": {"type": {"key": {"type": "uuid", + "refTable": "Sample", + "refType": "strong"}, + "min": 0, "max": 1}}, "options": { "type": {"key": "string", "value": "string", diff --git a/ovn-nb.xml b/ovn-nb.xml index 9581aef7c..e818fd8d1 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -387,6 +387,31 @@ + +

+ This table describes an IPFIX Sampling Point. Entries in other tables + might be associated with Sample entries to indicate how the sample + should be generated. + + For an example, see . +

+ + Sampling probability. It must be an integer number between 0 and 65535. + + + The 32-bit integer identifier of the set of of collectors to send + packets to. See Flow_Sample_Collector_Set Table in ovs-vswitchd's + database schema. + + + The 8 most significant bits of the Observation Domain ID that will be + added to evvery IPFIX sample. The 24 LSB will be the datapath key. + + + If set, it'll be use as Observation Point ID in every IPFIX sample. + Otherwise the Logical Flow's coockie will be used. + +

This table is used to define control plane protection policies, i.e., @@ -2191,6 +2216,12 @@ + +

+ The entry in the table to use for sampling. +

+ + This column provides general key/value settings. The supported

From patchwork Tue Oct 18 15:59:36 2022
X-Patchwork-Submitter: Adrian Moreno
X-Patchwork-Id: 1691616
From: Adrian Moreno
To: dev@openvswitch.org
Date: Tue, 18 Oct 2022 17:59:36 +0200
Message-Id: <20221018155936.1394396-3-amorenoz@redhat.com>
In-Reply-To: <20221018155936.1394396-1-amorenoz@redhat.com>
References: <20221018155936.1394396-1-amorenoz@redhat.com>
Subject: [ovs-dev] [RFC ovn 2/2] ovn-nbctl: add sample to acl-add

Signed-off-by: Adrian Moreno
--- utilities/ovn-nbctl.8.xml | 7 ++++++- utilities/ovn-nbctl.c | 20 +++++++++++++++++++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml index 5f9eb186b..2172c1429 100644 --- a/utilities/ovn-nbctl.8.xml +++ b/utilities/ovn-nbctl.8.xml @@ -399,7 +399,7 @@ must be either switch or port-group.

-
[--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--may-exist] [--apply-after-lb] acl-add entity direction priority match verdict
+
[--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--sample=sample] [--may-exist] [--apply-after-lb] acl-add entity direction priority match verdict

Adds the specified ACL to entity. direction @@ -424,6 +424,11 @@ names a meter configured by meter-add.

+

+ The --sample enables ACL sampling. A valid uuid of a + row of the table must be provided. +

+

The --apply-after-lb option sets apply-after-lb=true in the options column diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 811468dc6..5b8caca80 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2154,6 +2154,7 @@ nbctl_pre_acl_list(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_severity); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_meter); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_label); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); } @@ -2205,6 +2206,7 @@ nbctl_acl_add(struct ctl_context *ctx) const char *severity = shash_find_data(&ctx->options, "--severity"); const char *name = shash_find_data(&ctx->options, "--name"); const char *meter = shash_find_data(&ctx->options, "--meter"); + const char *sample = shash_find_data(&ctx->options, "--sample"); if (log || severity || name || meter) { nbrec_acl_set_log(acl, true); } @@ -2221,6 +2223,22 @@ nbctl_acl_add(struct ctl_context *ctx) if (meter) { nbrec_acl_set_meter(acl, meter); } + if (sample) { + const struct nbrec_sample *sample_elem = NULL; + struct uuid sample_uuid; + + if (uuid_from_string(&sample_uuid, sample)) { + sample_elem = nbrec_sample_get_for_uuid(ctx->idl, &sample_uuid); + if (!sample_elem) { + ctl_error(ctx, "sample record not found"); + return; + } + nbrec_acl_set_sample(acl, sample_elem); + } else { + ctl_error(ctx, "a valid uuid must be provided"); + return; + } + } /* Set the ACL label */ const char *label = shash_find_data(&ctx->options, "--label"); 
@@ -7319,7 +7337,7 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", nbctl_pre_acl, nbctl_acl_add, NULL, "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=," - "--apply-after-lb", RW }, + "--apply-after-lb,--sample", RW }, { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", nbctl_pre_acl, nbctl_acl_del, NULL, "--type=", RW }, { "acl-list", 1, 1, "{SWITCH | PORTGROUP}",
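
Review bot: In patch 1/2, build_acl_sample() in northd/northd.c prints unsigned values with signed conversions: the arguments are cast to uint16_t, uint32_t and uint8_t but formatted with PRId16, %d, %hd and PRId32. The schema added by the same patch allows collector_set_id and obs_point_id up to 4294967295, so on common platforms any value above INT32_MAX ends up as a negative number in the generated sample() action, and where PRId16 expands to "hd" a probability above 32767 does too. Use PRIu16, PRIu32 and PRIu8 so the specifiers match the casts and the schema ranges.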
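
Review bot: In patch 1/2, the consider_acl() hunk that changes the condition to "(acl->log || acl->sample) && acl->label && log_related" ties sampling of related/reply traffic to the log-related option and to a non-zero label. An ACL that has sample set but no label, or no log-related=true in its options, is sampled in one direction only, and the ovn-nb.xml text added by this patch does not mention that. Document the dependency in the description of the ACL sample column, or give sampling its own option instead of reusing log-related.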
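
Review bot: In patch 1/2, the last three consider_acl() hunks add build_acl_sample() only inside the else branches; the branches before them, which in the final hunk end with a call taking "actions, &acl->header_, meter_groups", are left untouched. If those are the reject paths built by build_reject_acl_rules(), ACLs with a reject verdict get no sample action, which does not match the commit message's "each ACL-related logical flow". Either add the sample action on those paths or state in the commit message and documentation that reject ACLs are not sampled.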
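
Review bot: In patch 1/2, the first ovn-nb.ovsschema hunk updates "cksum" but leaves "version": "6.3.0" unchanged, although the patch adds a table and a column. Bump the schema version together with the checksum so that clients and upgrade tooling can tell the two schemas apart.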
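
Review bot: In patch 1/2, the new "Sample" table in ovn-nb.ovsschema has no "isRoot": true, while NB_Global directly above it does, so Sample is a non-root table and OVSDB garbage-collects any Sample row that no ACL references when the transaction commits. Patch 2/2 expects the user to pass the UUID of an existing row to acl-add --sample, which cannot have been created in an earlier, separate transaction under this schema. Mark the table as root, or have ovn-nbctl create the Sample row and the ACL reference in the same transaction.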
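
Review bot: In patch 1/2, the ovn-nb.xml text for the Sample table contains typos ("of of collectors", "evvery", "it'll be use", "coockie") and never says how the 0 to 65535 probability value maps to a sampling rate. Fix the spelling and state what 0 and 65535 mean, since an operator who guesses wrong either samples nothing or samples every packet matched by the ACL.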
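
Review bot: In patch 2/2, the nbctl_acl_add() hunk in utilities/ovn-nbctl.c looks the row up with nbrec_sample_get_for_uuid(), but the only IDL registration this patch adds is nbrec_acl_col_sample in nbctl_pre_acl_list(); the command table shows acl-add running nbctl_pre_acl(), and no hunk registers the Sample table or the ACL sample column there. Unless that is done elsewhere, the lookup has nothing to search and every UUID ends in "sample record not found". Add the registration to the pre-run function that acl-add actually uses.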
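
Review bot: In patch 2/2, the nbctl_commands[] entry for acl-add registers the new option as "--sample" without a trailing "=", unlike "--name=", "--meter=" and "--label=" in the same string, so it is declared as an option without an argument while nbctl_acl_add() reads its value as a UUID and the man page hunk documents --sample=sample. Register it as "--sample=" so the documented form is accepted and the value reaches the handler.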