[ovs-dev] [ovs-discuss] [ACLv2 02/19] ofproto: Add ofproto_get_flow_stats functions.

Jesse Gross jesse at nicira.com
Fri Sep 4 22:26:11 UTC 2009

Ben Pfaff wrote:
> Jesse Gross <jesse at nicira.com> writes:
>> Ben Pfaff wrote:
>>> By the way, although this is something that I could find out for
>>> myself, what happens when a switch that has a configured
>>> controller goes into fail-open mode?  Do any configured ACLs go
>>> into effect at that point?  Would it make sense for them to do
>>> so?
>> Currently, if a bridge has a controller configured it will disable
>> ACL's, independent of the state of that controller.  It probably makes
>> sense to turn them on if fail open goes into effect.  It would give
>> administrators much finer grained control beyond just fail-open and
>> fail-secure.
>> I don't think that it would be too confusing to have ACL's suddenly
>> spring in to effect in this situation.
> I guess what I had in mind was that the controller would
> configure the ACLs to be similar to the access-control policy
> that the controller itself is enforcing, giving continuity over
> the access-control policy should the controller become
> inaccessible.
> I hope it wouldn't be confusing.

Sure, that makes sense.  As an aside, a couple people have been asking 
about pushing down ACL's in normal operation of the controller due to 
the additional power that they provide.

More information about the dev mailing list