[ovs-dev] OpenStack ACL Rules for OVN

Russell Bryant rbryant at redhat.com
Mon Jul 20 16:03:43 UTC 2015


Added ovs dev list to let others sanity check me.  :-)  The context is
discussing how OpenStack will use ACLs in OVN_Northbound.

We don't have Neutron code for this yet, but we have the "Security
Groups" section of this doc:

http://docs.openstack.org/developer/networking-ovn/design/data_model.html

On 07/20/2015 11:39 AM, Justin Pettit wrote:
> 
>> On Jul 20, 2015, at 8:53 AM, Russell Bryant <rbryant at redhat.com> wrote:
>>
>>
>> Does that help?  Or would you like me to come up with something a bit
>> more specific?
> 
> That's very helpful. I think I can figure out what needs to be done
> based on that description. I had a question, though. It looks like
> you're planning to do a default "deny" and then poke holes for
> "allow". I was expecting more "allow-related", since that will allow
> return traffic back. Do you think all those "allow" flows will be
> replaced with "allow-related" or will you have a mixture of both
> "allow" and "allow-related"? Also, will you be using "reject"?

All "allow" should be "allow-related", based on my reading of how the
existing Neutron code uses iptables.

The security groups API only seems to expose the idea of default deny
(drop) + rules for what to allow. There's no way to express that you
want "reject" behavior, so I guess we wouldn't be using it at all for now.

> Feel free to move this to the mailing list if you think it warrants
> broader discussion at this point.

Done, just in case others have any additional input.

-- 
Russell Bryant
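To make the "default deny plus allow-related holes" scheme concrete, here is an added illustration (not code from this thread, from Neutron, or from OVN) that models how a logical port's security-group rules would be expressed as OVN_Northbound ACLs and printed as the matching ovn-nbctl commands. The priority numbers, the SGRule field names and the port/switch names are assumptions; the ACL directions (to-lport, from-lport), the actions (drop, allow-related) and the match syntax follow the OVN documentation. Note that, consistent with the discussion above, the only actions ever produced are drop and allow-related; there is no security-group input that would map to reject.

```python
"""Model the mapping from Neutron security-group rules to OVN_Northbound ACLs.

Added illustration for the thread; not Neutron or OVN code.  Priorities and
the SGRule field names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed priority scheme: each per-rule allow-related entry must outrank the
# port's default drop, so it sits one step above it.
ALLOW_PRIORITY = 1002
DROP_PRIORITY = 1001

# Neutron direction -> (OVN ACL direction, match field that selects the port).
# Neutron "ingress" is traffic delivered to the VM, which OVN sees as to-lport.
DIRECTION_MAP = {
    "ingress": ("to-lport", "outport"),
    "egress": ("from-lport", "inport"),
}


@dataclass(frozen=True)
class SGRule:
    """A simplified Neutron security-group rule (field names assumed)."""
    direction: str                   # "ingress" or "egress"
    ethertype: str = "IPv4"          # "IPv4" or "IPv6"
    protocol: Optional[str] = None   # "tcp", "udp", "icmp" or None for any
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None


@dataclass(frozen=True)
class ACL:
    """One OVN_Northbound ACL row: direction, priority, match, action."""
    direction: str
    priority: int
    match: str
    action: str


def rule_to_match(port: str, rule: SGRule) -> str:
    """Translate one security-group rule into an OVN match expression."""
    _, port_field = DIRECTION_MAP[rule.direction]
    ip = "ip4" if rule.ethertype == "IPv4" else "ip6"
    parts = [f'{port_field} == "{port}"', ip]
    if rule.remote_ip_prefix:
        # The remote prefix is the source for ingress, the destination for egress.
        side = "src" if rule.direction == "ingress" else "dst"
        parts.append(f"{ip}.{side} == {rule.remote_ip_prefix}")
    if rule.protocol == "icmp":
        parts.append("icmp4" if ip == "ip4" else "icmp6")
    elif rule.protocol in ("tcp", "udp"):
        parts.append(rule.protocol)
        if rule.port_min is not None:
            if rule.port_max is None or rule.port_max == rule.port_min:
                parts.append(f"{rule.protocol}.dst == {rule.port_min}")
            else:
                parts.append(f"{rule.protocol}.dst >= {rule.port_min} && "
                             f"{rule.protocol}.dst <= {rule.port_max}")
    return " && ".join(parts)


def build_acls(port: str, rules: List[SGRule]) -> List[ACL]:
    """Default deny in both directions, then one allow-related hole per rule."""
    acls = []
    for ovn_dir, port_field in DIRECTION_MAP.values():
        acls.append(ACL(ovn_dir, DROP_PRIORITY,
                        f'{port_field} == "{port}" && ip', "drop"))
    for rule in rules:
        ovn_dir, _ = DIRECTION_MAP[rule.direction]
        # allow-related (not plain allow) so that return traffic for the
        # permitted connection is admitted without a separate rule.
        acls.append(ACL(ovn_dir, ALLOW_PRIORITY,
                        rule_to_match(port, rule), "allow-related"))
    return acls


def to_nbctl(switch: str, acls: List[ACL]) -> List[str]:
    """Render ACL rows as ovn-nbctl acl-add commands (switch name assumed)."""
    return [f"ovn-nbctl acl-add {switch} {a.direction} {a.priority} "
            f"'{a.match}' {a.action}" for a in acls]


if __name__ == "__main__":
    # Constructed sample: allow inbound SSH from one subnet, allow all egress.
    sample = [
        SGRule("ingress", protocol="tcp", port_min=22,
               remote_ip_prefix="10.0.0.0/24"),
        SGRule("egress"),
    ]
    for cmd in to_nbctl("sw0", build_acls("vm1", sample)):
        print(cmd)
```

Running the block prints four commands: a to-lport and a from-lport drop at priority 1001 for the port, an allow-related to-lport entry at priority 1002 matching TCP port 22 from 10.0.0.0/24, and an allow-related from-lport entry admitting any IPv4 egress.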