[ovs-dev] [PATCH] vtep: add ACLs to VTEP schema

Bruce Davie bdavie at vmware.com
Thu Aug 27 00:14:38 UTC 2015

A couple of folks have pointed out that the way we attach ACLs to either physical ports or to <port, VLAN> pairs leaves some room for ambiguity. My proposal is that we discourage the use of both types of ACLs on the same physical port. We can’t enforce this (AFAIK) in the database itself, but we can recommend against it in the schema documentation. That is, to the current paragraph:

        Attach Access Control Lists (ACLs) to the physical port. The
        column consists of a map of VLAN tags to <ref table="ACL"/>s. If the value of
        the VLAN tag in the map is 0, this means that the ACL is
        associated with the entire physical port. Non-zero values mean
        that the ACL is to be applied only on packets carrying that VLAN
        tag value. Switches will not necessarily support matching on the
        VLAN tag for all ACLs, and unsupported ACL bindings will cause
        errors to be reported.

we would add a line something like:

“The binding of an ACL to a specific VLAN and the binding of an ACL to the entire physical port should not be combined on a single physical port. That is, a mix of zero and non-zero keys in the map is not recommended.”

I haven’t yet been able to figure out a realistic case where this would be an unreasonable restriction.

Also, there was a question as to how tagged and untagged packets arriving on a particular port would be handled when the ACL is attached to the entire port. That behavior would depend on how the switch port is configured independent from the ACL configuration. We have always assumed that some aspects of the switch’s configuration happen under operator control, without the network virtualization controller having any input.

Let me know if this raises any issues; if not, I’ll update the patch.


> On Aug 24, 2015, at 6:08 PM, bdavie at nicira.com wrote:
> Two new tables are added to the VTEP schema, for ACL entries and
> ACLs (which are groups of entries). The physical port table is modified
> to allow ACLs to be associated with ports, and the logical router table
> is modified to allow ACLs to be attached to logical router ports.
> Signed-off-by: Bruce Davie <bdavie at vmware.com>

More information about the dev mailing list