[ovs-dev] [PATCH v2] ovn-tutorial: Add a section on ACLs.
Russell Bryant
rbryant at redhat.com
Wed Nov 4 16:04:08 UTC 2015
On 11/04/2015 10:58 AM, Kyle Mestery wrote:
> Thanks for writing this up Russell! I found a super pedantic (possible)
> nit, but otherwise, this reads fine to me and was helpful in
> understanding how ACLs work. Thanks!
>
> Acked-by: Kyle Mestery <mestery at mestery.com>
Thanks for the review! I fixed the typo you pointed out and pushed this
to master.
>
> On Wed, Nov 4, 2015 at 9:53 AM, Russell Bryant <rbryant at redhat.com> wrote:
>
> Add a section that gives a quick introduction to applying ACLs. It
> discusses how the ACLs are translated into OVN logical flows. It doesn't
> get down to the OpenFlow level because that's not supported in
> ovs-sandbox yet. Instead, it provides a reference to an OpenStack
> related blog post that talks about how OVN ACLs are used there and gives
> examples of the resulting OpenFlow flows.
>
> In theory, once we have a userspace conntrack implementation available,
> we'll be able to provide better support for it in ovs-sandbox.
>
> Signed-off-by: Russell Bryant <rbryant at redhat.com>
> ---
> tutorial/OVN-Tutorial.md | 84
> +++++++++++++++++++++++++++++++++++++++++++
> tutorial/automake.mk | 4 ++-
> tutorial/ovn/env6/add-acls.sh | 21 +++++++++++
> tutorial/ovn/env6/setup.sh | 46 ++++++++++++++++++++++++
> 4 files changed, 154 insertions(+), 1 deletion(-)
> create mode 100755 tutorial/ovn/env6/add-acls.sh
> create mode 100755 tutorial/ovn/env6/setup.sh
>
> diff --git a/tutorial/OVN-Tutorial.md b/tutorial/OVN-Tutorial.md
> index 4fc06eb..667b76b 100644
> --- a/tutorial/OVN-Tutorial.md
> +++ b/tutorial/OVN-Tutorial.md
> @@ -628,6 +628,87 @@ see it output to OpenFlow ports 5 and 6 only.
> $ ovn/env5/packet2.sh
>
>
> +6) Stateful ACLs
> +----------------
> +
> +ACLs provide a way to do distributed packet filtering for OVN
> networks. One
> +example use of ACLs is that OpenStack Neutron uses them to
> implement security
> +groups. ACLs are implemented using conntrack integration with OVS.
> +
> +Start with a simple logical switch with 2 logical ports.
> +
> +[View ovn/env6/setup.sh][env6setup].
> +
> + $ ovn/env6/setup.sh
> +
> +A common use case would be the following policy applied for
> `sw0-port1`:
> +
> +* Allow outbound IP traffic and associated return traffic.
>
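Review bot: the link reference [env6setup] used by "[View ovn/env6/setup.sh][env6setup]" needs a matching "[env6setup]: ..." definition in OVN-Tutorial.md, and that definition is not in the quoted part of the hunk; please confirm the rest of the 84-line addition defines it, otherwise the link renders as literal bracketed text. The opening paragraph also tells the reader that ACLs "are implemented using conntrack integration with OVS", while the commit message says ovs-sandbox cannot yet show this at the OpenFlow level, so a sentence up front stating that this section only inspects the resulting logical flows (and pointing to the blog post mentioned in the commit message for the OpenFlow side) would set expectations before the reader runs ovn/env6/setup.sh.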
>
> To my eyes, looks like an extra space after "traffic" above, but it's
> super pedantic, so only re-spin if you need to for some other reason. :)
There is indeed an extra space there. I removed it.
--
Russell Bryant