[ovs-dev] OpenStack ACL Rules for OVN
Russell Bryant
rbryant at redhat.com
Mon Jul 20 16:03:43 UTC 2015
Added ovs dev list to let others sanity check me. :-) The context is
discussing how OpenStack will use ACLs in OVN_Northbound.
We don't have Neutron code for this yet, but we have the "Security
Groups" section of this doc:
http://docs.openstack.org/developer/networking-ovn/design/data_model.html
On 07/20/2015 11:39 AM, Justin Pettit wrote:
>
>> On Jul 20, 2015, at 8:53 AM, Russell Bryant <rbryant at redhat.com> wrote:
>>
>> Does that help? Or would you like me to come up with something a bit
>> more specific?
>
> That's very helpful. I think I can figure out what needs to be done
> based on that description. I had a question, though. It looks like
> you're planning to do a default "deny" and then poke holes for
> "allow". I was expecting more "allow-related", since that will allow
> return traffic back. Do you think all those "allow" flows will be
> replaced with "allow-related" or will you have a mixture of both
> "allow" and "allow-related"? Also, will you be using "reject"?
All "allow" should be "allow-related", based on my reading of how the
existing Neutron code uses iptables.
The security groups API only seems to expose the idea of default deny
(drop) + rules for what to allow. There's no way to express that you
want "reject" behavior, so I guess we wouldn't be using it at all for now.
> Feel free to move this to the mailing list if you think it warrants
> broader discussion at this point.
Done, just in case others have any additional input.
--
Russell Bryant
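To make the policy discussed in this thread concrete, here is an added example (not code from this thread, from networking-ovn, or from OVS/OVN) that models how a Neutron security-group rule set could be turned into OVN_Northbound ACL rows: every per-port allow rule becomes "allow-related" so return traffic is admitted, a lower-priority "drop" per port supplies the default deny, and "reject" is never emitted because the security-groups API has no way to ask for it. The ACL columns (direction, priority, match, action) and the "to-lport"/"from-lport" directions are OVN's; the priority numbers, the logical port name, the SGRule shape and the rendering as ovn-nbctl acl-add commands are assumptions made for this example.

```python
"""Model of the 'default drop + allow-related' ACL scheme for security groups.

Example code only; the priorities, port names and rule shape are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

DROP_PRIORITY = 1000   # assumed: default-deny sits below every allow rule
ALLOW_PRIORITY = 1002  # assumed: allow-related rules win over the drop


@dataclass(frozen=True)
class SGRule:
    """One Neutron-style security-group rule (simplified)."""
    direction: str                  # "ingress" (to the VM) or "egress" (from it)
    protocol: Optional[str] = None  # "tcp", "udp", "icmp" or None for any
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None  # IPv4 CIDR of the remote side, if any


@dataclass(frozen=True)
class Acl:
    """One row of the OVN_Northbound ACL table."""
    direction: str  # "to-lport" or "from-lport"
    priority: int
    match: str
    action: str     # only "allow-related" or "drop" is ever produced here


def rule_to_acl(lport: str, rule: SGRule) -> Acl:
    """Translate one allow rule into an allow-related ACL bound to one port.

    Neutron ingress is traffic delivered to the VM, so it is keyed on outport
    and the remote address is the source; egress is the mirror image.
    """
    if rule.direction == "ingress":
        ovn_dir, port_field, remote_field = "to-lport", "outport", "ip4.src"
    elif rule.direction == "egress":
        ovn_dir, port_field, remote_field = "from-lport", "inport", "ip4.dst"
    else:
        raise ValueError("direction must be ingress or egress")

    parts = [f'{port_field} == "{lport}"', "ip4"]
    if rule.remote_cidr:
        parts.append(f"{remote_field} == {rule.remote_cidr}")
    if rule.protocol:
        parts.append(rule.protocol)
    if rule.protocol in ("tcp", "udp") and rule.port_min is not None:
        hi = rule.port_max if rule.port_max is not None else rule.port_min
        if hi == rule.port_min:
            parts.append(f"{rule.protocol}.dst == {rule.port_min}")
        else:
            parts.append(f"{rule.protocol}.dst >= {rule.port_min} && "
                         f"{rule.protocol}.dst <= {hi}")
    # "allow-related", never plain "allow": the reply direction must be let in.
    return Acl(ovn_dir, ALLOW_PRIORITY, " && ".join(parts), "allow-related")


def default_deny(lport: str) -> List[Acl]:
    """Default deny in both directions; security groups cannot express reject."""
    return [
        Acl("to-lport", DROP_PRIORITY, f'outport == "{lport}" && ip', "drop"),
        Acl("from-lport", DROP_PRIORITY, f'inport == "{lport}" && ip', "drop"),
    ]


def build_acls(lport: str, rules: List[SGRule]) -> List[Acl]:
    """Full ACL set for one port, highest priority first (evaluation order)."""
    acls = default_deny(lport) + [rule_to_acl(lport, r) for r in rules]
    return sorted(acls, key=lambda a: -a.priority)  # stable: keeps insertion order


def to_nbctl(acl: Acl, switch: str) -> str:
    """Render a row as an ovn-nbctl acl-add command for the given logical switch."""
    return (f"ovn-nbctl acl-add {switch} {acl.direction} {acl.priority} "
            f"'{acl.match}' {acl.action}")


if __name__ == "__main__":
    # Constructed sample: allow SSH in from one subnet, allow everything out.
    sample = [
        SGRule("ingress", "tcp", 22, 22, "10.0.0.0/24"),
        SGRule("egress"),
    ]
    for row in build_acls("lport1", sample):
        print(to_nbctl(row, "sw0"))
```

Running the module prints the four acl-add commands in evaluation order: the two allow-related rows, then the two drops. Checking that no generated row carries action "allow" or "reject" is a cheap regression test for the property Russell describes above.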