[ovs-dev] [PATCH] vtep: add ACLs to VTEP schema

Bruce Davie bdavie at nicira.com
Tue Aug 25 20:03:05 UTC 2015


Two new tables are added to the VTEP schema, for ACL entries and
ACLs (which are groups of entries). The physical port table is modified
to allow ACLs to be associated with ports, and the logical router table
is modified to allow ACLs to be attached to logical router ports.

Signed-off-by: Bruce Davie <bdavie at vmware.com>
---
 vtep/vtep.ovsschema |  88 +++++++++++++++++++-
 vtep/vtep.xml       | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 315 insertions(+), 7 deletions(-)

diff --git a/vtep/vtep.ovsschema b/vtep/vtep.ovsschema
index 62ec278..1ace5ae 100644
--- a/vtep/vtep.ovsschema
+++ b/vtep/vtep.ovsschema
@@ -1,6 +1,6 @@
 {
   "name": "hardware_vtep",
-  "cksum": "58544667 7319",
+  "cksum": "233800989 10230",
   "tables": {
     "Global": {
       "columns": {
@@ -42,6 +42,11 @@
                            "minInteger": 0, "maxInteger": 4095},
                    "value": {"type": "uuid", "refTable": "Logical_Switch"},
                    "min": 0, "max": "unlimited"}},
+        "acl_bindings": {
+          "type": {"key": {"type": "integer",
+                           "minInteger": 0, "maxInteger": 4095},
+                   "value": {"type": "uuid", "refTable": "ACL"},
+                   "min": 0, "max": "unlimited"}},
         "vlan_stats": {
           "type": {"key": {"type": "integer",
                            "minInteger": 0, "maxInteger": 4095},
@@ -141,6 +146,11 @@
         "static_routes": {
           "type": {"key": {"type": "string"},
                    "value": {"type" : "string"},
+                   "min": 0, "max": "unlimited"}},
+        "acl_binding": {
+          "type": {"key": {"type": "string"},
+                   "value": {"type": "uuid",
+                             "refTable": "ACL"},
                    "min": 0, "max": "unlimited"}}},
       "isRoot": true,
       "indexes": [["name"]]},
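Review bot: The new Logical_Router column is named `acl_binding` while the Physical_Port column added earlier in this patch is `acl_bindings`; both are maps from a key to an ACL, so the names should agree (`acl_bindings` on both) before the 1.4.0 schema ships, because renaming a column afterwards is a breaking schema change for every controller that has adopted it. The key is a free-form string that the accompanying documentation says must name an interface already present in `switch_binding`, but nothing in the schema enforces that, so the HSC has to treat an unmatched key as a configuration error and report it. Unless Logical_Router already has a fault-status column outside this hunk, there appears to be nowhere to report it, whereas Physical_Port gets an `invalid_ACL_binding` key in `port_fault_status` in this same patch.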
@@ -174,6 +184,80 @@
           "mutable": false},
         "dst_ip": {"type": "string", "mutable": false}},
       "indexes": [["encapsulation_type", "dst_ip"]]},
+    "ACL_entry": {
+      "columns": {
+        "sequence": {"type": "integer"},
+        "source_mac": {
+          "type": {
+            "key": "string", "min": 0, "max": 1}},
+        "dest_mac": {
+          "type": {
+            "key": "string", "min": 0, "max": 1}},
+        "ethertype": {
+          "type": {
+            "key": "string", "min": 0, "max": 1}},
+        "source_ip": {
+          "type": {
+            "key": "string", "min": 0, "max": 1}},
+        "source_mask": {
+          "type": {
+            "key": "string", "min": 0, "max": 1}},
+        "dest_ip": {
+          "type": {
+            "key": "string", "min": 0, "max": 1}},
+        "dest_mask": {
+          "type": {
+            "key": "string", "min": 0, "max": 1}},
+        "protocol": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "source_port_min": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "source_port_max": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "dest_port_min": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "dest_port_max": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "tcp_flags": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "tcp_flags_mask": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "icmp_code": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "icmp_type": {
+          "type": {
+            "key": "integer", "min": 0, "max": 1}},
+        "direction": {
+          "type": {
+            "key": {"type": "string", "enum": ["set", ["ingress", "egress"]]}}},
+        "action": {
+          "type": {
+            "key": {"type": "string", "enum": ["set", ["permit", "deny"]]}}},
+        "acle_fault_status": {
+          "type": {
+            "key": "string", "min": 0, "max": "unlimited"},
+            "ephemeral": true}},
+       "isRoot": true},
+    "ACL": {
+      "columns": {
+        "acl_entries": {
+          "type": {"key": {"type": "uuid", "refTable": "ACL_entry"},
+                   "min": 1, "max": "unlimited"}},
+        "acl_name": {"type": "string"},
+        "acl_fault_status": {
+          "type": {
+            "key": "string", "min": 0, "max": "unlimited"},
+            "ephemeral": true}},
+      "indexes": [["acl_name"]],
+      "isRoot": true},
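Review bot: The integer match columns on ACL_entry (`protocol`, `source_port_min`/`_max`, `dest_port_min`/`_max`, `icmp_type`, `icmp_code`, `tcp_flags`, `tcp_flags_mask`) carry no `minInteger`/`maxInteger`, although the schema already uses those constraints for the VLAN keys above (`"minInteger": 0, "maxInteger": 4095`), so a controller can commit a port of 70000 or a protocol of -1 and only learn of it, if at all, through `acle_fault_status`; bounding them in the schema rejects such entries at transaction time. `sequence` is likewise unbounded and nothing stops two entries of the same ACL sharing a sequence value, which leaves the relative permit/deny order of those entries undefined, so either the documentation should state the tie-breaking rule or the schema should disallow it. The fence shows the bounded definitions for the protocol, port and ICMP columns; the right upper bound for `tcp_flags`/`tcp_flags_mask` depends on which bits the switch is expected to match (the 9 defined flag bits, or the 12-bit field OpenFlow exposes), so that choice is left to the author.
```json
"protocol": {
  "type": {
    "key": {"type": "integer", "minInteger": 0, "maxInteger": 255},
    "min": 0, "max": 1}},
"source_port_min": {
  "type": {
    "key": {"type": "integer", "minInteger": 0, "maxInteger": 65535},
    "min": 0, "max": 1}},
"source_port_max": {
  "type": {
    "key": {"type": "integer", "minInteger": 0, "maxInteger": 65535},
    "min": 0, "max": 1}},
"dest_port_min": {
  "type": {
    "key": {"type": "integer", "minInteger": 0, "maxInteger": 65535},
    "min": 0, "max": 1}},
"dest_port_max": {
  "type": {
    "key": {"type": "integer", "minInteger": 0, "maxInteger": 65535},
    "min": 0, "max": 1}},
// … unchanged: tcp_flags, tcp_flags_mask (bound to the flag width the switch supports) …
"icmp_code": {
  "type": {
    "key": {"type": "integer", "minInteger": 0, "maxInteger": 255},
    "min": 0, "max": 1}},
"icmp_type": {
  "type": {
    "key": {"type": "integer", "minInteger": 0, "maxInteger": 255},
    "min": 0, "max": 1}},
```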
     "Manager": {
       "columns": {
         "target": {"type": "string"},
@@ -193,4 +277,4 @@
           "ephemeral": true}},
       "indexes": [["target"]],
       "isRoot": false}},
-  "version": "1.3.0"}
+  "version": "1.4.0"}
diff --git a/vtep/vtep.xml b/vtep/vtep.xml
index ff8d0fe..a554dcf 100644
--- a/vtep/vtep.xml
+++ b/vtep/vtep.xml
@@ -367,7 +367,7 @@
       <group title="BFD Local Configuration">
         <p>
           The HSC writes the key-value pairs in the
-          <ref column="bfd_config_local"/> column to specifiy the local
+          <ref column="bfd_config_local"/> column to specify the local
           configurations to be used for BFD sessions on this tunnel.
         </p>
 
@@ -454,7 +454,7 @@
 
         <column name="bfd_params" key="cpath_down" type='{"type": "boolean"}'>
           Set to true to notify the remote endpoint that traffic should not be
-          forwarded to this system for some reason other than a connectivty
+          forwarded to this system for some reason other than a connectivity
           failure on the interface being monitored.  The typical underlying
           reason is ``concatenated path down,'' that is, that connectivity
           beyond the local system is down.  Defaults to false.
@@ -535,6 +535,19 @@
       paired logical switch.
     </column>
 
+    <column name="acl_bindings">
+      <p>
+        Attach Access Control Lists (ACLs) to the physical port. The
+        column consists of a map of VLAN tags to <ref table="ACL"/>s. If the value of
+        the VLAN tag in the map is 0, this means that the ACL is
+        associated with the entire physical port. Non-zero values mean
+        that the ACL is to be applied only on packets carrying that VLAN
+        tag value. Switches will not necessarily support matching on the
+        VLAN tag for all ACLs, and unsupported ACL bindings will cause
+        errors to be reported.
+      </p>
+    </column>
+
     <column name="vlan_stats">
       Statistics for VLANs bound to logical switches on the physical port.  An
       implementation that fully supports such statistics would populate this
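Review bot: The new `acl_bindings` paragraph says unsupported bindings "will cause errors to be reported" but does not say what the switch does with traffic on the port while the binding is in error, and that is the property an operator relies on: a binding that silently fails open leaves the port unfiltered. Suggest stating it explicitly, e.g. `Until a binding has been successfully instantiated, the switch must not forward traffic on the affected port or VLAN as though the ACL had been applied; it reports the condition through the invalid_ACL_binding key of port_fault_status.`, or, if fail-open is the intended behaviour, saying so, so the NVC can react. It would also help to state which ACL applies when both a VLAN-0 (whole-port) binding and a VLAN-specific binding match the same packet, since the map permits both at once.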
@@ -558,7 +571,7 @@
     <group title="Error Notification">
       <p>
         An entry in this column indicates to the NVC that the physical port has
-        encountered a fault. The switch must clear this column when the errror
+        encountered a fault. The switch must clear this column when the error
         has been cleared.
       </p>
       <column name="port_fault_status" key="invalid_vlan_map">
@@ -568,6 +581,12 @@
           because of a conflict with local configuration.
         </p>
       </column>
+      <column name="port_fault_status" key="invalid_ACL_binding">
+        <p>
+          Indicates that an error has occurred in associating an ACL
+          with a port.
+        </p>
+      </column>
       <column name="port_fault_status" key="unspecified_fault">
         <p>
           Indicates that an error has occurred on the port but that no
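Review bot: The new fault key `invalid_ACL_binding` mixes case where every other fault key in this file is lowercase (`invalid_vlan_map`, `unspecified_fault`, and the `invalid_acl_entry`/`invalid_acl` keys added further down in this patch); controllers will have to match the odd spelling forever once the schema is released, so `invalid_acl_binding` is preferable. Since `acl_bindings` is a map that can hold several VLAN-to-ACL pairs, the description should also say whether the value identifies the failing binding, e.g. `The value is the VLAN tag, as a decimal string, of the binding that could not be applied.`; otherwise the NVC cannot tell which entry of the map to correct.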
@@ -795,7 +814,7 @@
       in which case the physical locators will be IP addresses of
       service nodes. If the VTEP supports replication onto multiple
       tunnels, then this may be used to replicate directly onto
-      VTEP-hyperisor tunnels.
+      VTEP-hypervisor tunnels.
     </p>
 
     <column name="MAC">
@@ -851,6 +870,15 @@
       One or more static routes, mapping IP prefixes to next hop IP addresses.
     </column>
 
+    <column name="acl_binding">
+      Maps ACLs to logical router interfaces. The router interfaces
+      are indicated using IP address notation, and must be the same
+      interfaces created in the <ref column="switch_binding"/>
+      column. For example, an ACL could be associated with the logical
+      router interface with an address of 192.68.1.1 as defined in the
+      example above.
+    </column>
+
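Review bot: The example address `192.68.1.1` looks like a typo for the RFC 1918 address `192.168.1.1`; the `switch_binding` example it refers to is outside this hunk, so check that the two agree. The text also does not say what happens when the key names no interface in `switch_binding` — whether the binding is ignored or reported — and, unlike Physical_Port, no fault-status key for the logical router is added in this patch; a sentence such as `A key that does not correspond to an interface in switch_binding is a configuration error and must be reported by the switch.` would make the contract explicit.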
     <group title="Identification">
       <column name="name">
         Symbolic name for the logical router.
@@ -972,5 +1000,201 @@
     </column>
 
   </table>
-
+  <table name="ACL_entry">
+    <p>
+      Describes the individual entries that comprise an Access Control List.
+    </p>
+    <p>
+      Each entry in the table is a single rule to match on certain
+      header fields. While there are a large number of fields that can
+      be matched on, most hardware cannot match on arbitrary
+      combinations of fields. It is common to match on either L2
+      fields (described below in the L2 group of columns) or L3/L4 fields
+      (the L3/L4 group of columns) but not both. The hardware switch
+      controller may log an error if an ACL entry requires it to match
+      on an incompatible mixture of fields.
+    </p>
+    <column name="sequence">
+      <p>
+        The sequence number for the ACL entry for the purpose of
+        ordering entries in an ACL.
+      </p>
+    </column>
+    <group title="L2 fields">
+      <column name="source_mac">
+        <p>
+          Source MAC address, in the form
+          <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
+        </p>
+      </column>
+      <column name="dest_mac">
+        <p>
+          Destination MAC address, in the form
+          <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
+        </p>
+      </column>
+            <column name="ethertype">
+        <p>
+          Ethertype in hexadecimal, in the form
+          <var>0xAAA</var> 
+        </p>
+      </column>
+    </group>
+    <group title="L3/L4 fields">
+      <column name="source_ip">
+        <p>
+          Source IP address, in the form
+          <var>xx.xx.xx.xx</var> for IPv4 or appropriate
+          colon-separated hexadecimal notation for IPv6.
+        </p>
+      </column>
+      <column name="source_mask">
+        <p>
+          Mask that determines which bits of source_ip to match on, in the form
+          <var>xx.xx.xx.xx</var> for IPv4 or appropriate
+          colon-separated hexadecimal notation for IPv6.
+        </p>
+      </column>
+      <column name="dest_ip">
+        <p>
+          Destination IP address, in the form
+          <var>xx.xx.xx.xx</var> for IPv4 or appropriate
+          colon-separated hexadecimal notation for IPv6.
+        </p>
+      </column>
+      <column name="dest_mask">
+        <p>
+          Mask that determines which bits of dest_ip to match on, in the form
+          <var>xx.xx.xx.xx</var> for IPv4 or appropriate
+          colon-separated hexadecimal notation for IPv6.
+        </p>
+      </column>
+      <column name="protocol">
+        <p>
+          Protocol number in the IPv4 header, or value of the "next
+          header" field in the IPv6 header.
+        </p>
+      </column>
+      <column name="source_port_min">
+        <p>
+          Lower end of the range of source port values.
+        </p>
+      </column>
+      <column name="source_port_max">
+        <p>
+          Upper end of the range of source port values.
+        </p>
+      </column>
+      <column name="dest_port_min">
+        <p>
+          Lower end of the range of destination port values.
+        </p>
+      </column>
+      <column name="dest_port_max">
+        <p>
+          Upper end of the range of destination port values.
+        </p>
+      </column>
+      <column name="tcp_flags">
+        <p>
+          Integer representing the value of TCP flags to match.
+        </p>
+      </column>
+      <column name="tcp_flags_mask">
+        <p>
+          Integer representing the mask to apply when matching TCP flags.
+        </p>
+      </column>
+      <column name="icmp_type">
+        <p>
+          ICMP type to be matched.
+        </p>
+      </column>
+      <column name="icmp_code">
+        <p>
+          ICMP code to be matched.
+        </p>
+      </column>
+    </group>
+    <column name="direction">
+      <p>
+        Direction of traffic to match on the specified port, either
+        "ingress" (toward the logical switch or router) or "egress"
+        (leaving the logical switch or router). 
+      </p>
+    </column>
+    <column name="action">
+      <p>
+        Action to take for this rule, either "permit" or "deny".
+      </p>
+    </column>
+    <group title="Error Notification">
+      <p>
+        An entry in this column indicates to the NVC that the ACL
+        could not be configured as requested. The switch must clear this column when the error
+        has been cleared.
+      </p>
+      <column name="acle_fault_status" key="invalid_acl_entry">
+        <p>
+          Indicates that an ACL entry requested by
+          the controller could not be instantiated by the switch,
+          e.g. because it requires an unsupported combination of
+          fields to be matched.
+        </p>
+      </column>
+      <column name="acle_fault_status" key="unspecified_fault">
+        <p>
+          Indicates that an error has occurred in configuring the ACL
+          entry but no
+          more specific information is available.
+        </p>
+      </column>
+    </group>
+  </table>
+  <table name="ACL">
+    <p>
+      Access Control List table. Each ACL is constructed as a set of
+      entries from the <ref table="ACL_entry"/> table.
+    </p>
+    <column name="acl_entries">
+      <p>
+        A set of references to entries in the <ref table="ACL_entry"/> table.
+      </p>
+    </column>
+    <column name="acl_name">
+      <p>
+        A human readable name for the ACL, which may (for example) be displayed on
+        the switch CLI.
+      </p>
+    </column>
+    <group title="Error Notification">
+      <p>
+        An entry in this column indicates to the NVC that the ACL
+        could not be configured as requested. The switch must clear this column when the error
+        has been cleared.
+      </p>
+      <column name="acl_fault_status" key="invalid_acl">
+        <p>
+          Indicates that an ACL requested by
+          the controller could not be instantiated by the switch,
+          e.g., because it requires an unsupported combination of
+          fields to be matched.
+        </p>
+      </column>
+      <column name="acl_fault_status" key="resource_shortage">
+        <p>
+          Indicates that an ACL requested by
+          the controller could not be instantiated by the switch due
+          to a shortage of resources (e.g. TCAM space).
+        </p>
+      </column>
+      <column name="acl_fault_status" key="unspecified_fault">
+        <p>
+          Indicates that an error has occurred in configuring the ACL
+          but no
+          more specific information is available.
+        </p>
+      </column>
+    </group>
+  </table>
 </database>
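Review bot: The ACL_entry and ACL descriptions never state the evaluation semantics that decide what an ACL actually permits: whether entries are evaluated in ascending `sequence` order with the first match winning, how two entries with equal `sequence` are ordered, and what happens to a packet that matches no entry (implicit deny versus implicit permit). Without this, two HSC implementations can legitimately disagree on the effect of the same ACL, so the ACL table text should state it, e.g. `Entries are evaluated in ascending order of sequence and the first matching entry determines the action; a packet that matches no entry is dropped.` (adjusted to the intended default). A smaller point: the `ethertype` example `0xAAA` has three hex digits for a 16-bit field and should probably read `0xAAAA`, and the description could say whether the `0x` prefix is required, since the column is a free-form string.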
-- 
2.2.1



