[ovs-dev] [PATCH v2] ovn-tutorial: Add a section on ACLs.

Russell Bryant rbryant at redhat.com
Wed Nov 4 16:04:08 UTC 2015


On 11/04/2015 10:58 AM, Kyle Mestery wrote:
> Thanks for writing this up Russell! I found a super pedantic (possible)
> nit, but otherwise, this reads fine to me and was helpful in
> understanding how ACLs work. Thanks!
> 
> Acked-by: Kyle Mestery <mestery at mestery.com>

Thanks for the review!  I fixed the typo you pointed out and pushed this
to master.

> 
> On Wed, Nov 4, 2015 at 9:53 AM, Russell Bryant <rbryant at redhat.com> wrote:
> 
>     Add a section that gives a quick introduction to applying ACLs.  It
>     discusses how the ACLs are translated into OVN logical flows. It doesn't
>     get down to the OpenFlow level because that's not supported in
>     ovs-sandbox yet.  Instead, it provides a reference to an OpenStack
>     related blog post that talks about how OVN ACLs are used there and gives
>     examples of the resulting OpenFlow flows.
> 
>     In theory, once we have a userspace conntrack implementation available,
>     we'll be able to provide better support for it in ovs-sandbox.
> 
>     Signed-off-by: Russell Bryant <rbryant at redhat.com>
>     ---
>      tutorial/OVN-Tutorial.md      | 84 +++++++++++++++++++++++++++++++++++++++++++
>      tutorial/automake.mk          |  4 ++-
>      tutorial/ovn/env6/add-acls.sh | 21 +++++++++++
>      tutorial/ovn/env6/setup.sh    | 46 ++++++++++++++++++++++++
>      4 files changed, 154 insertions(+), 1 deletion(-)
>      create mode 100755 tutorial/ovn/env6/add-acls.sh
>      create mode 100755 tutorial/ovn/env6/setup.sh
> 
>     diff --git a/tutorial/OVN-Tutorial.md b/tutorial/OVN-Tutorial.md
>     index 4fc06eb..667b76b 100644
>     --- a/tutorial/OVN-Tutorial.md
>     +++ b/tutorial/OVN-Tutorial.md
>     @@ -628,6 +628,87 @@ see it output to OpenFlow ports 5 and 6 only.
>          $ ovn/env5/packet2.sh
> 
> 
>     +6) Stateful ACLs
>     +----------------
>     +
>     +ACLs provide a way to do distributed packet filtering for OVN
>     networks.  One
>     +example use of ACLs is that OpenStack Neutron uses them to
>     implement security
>     +groups.  ACLs are implemented using conntrack integration with OVS.
>     +
>     +Start with a simple logical switch with 2 logical ports.
>     +
>     +[View ovn/env6/setup.sh][env6setup].
>     +
>     +    $ ovn/env6/setup.sh
>     +
>     +A common use case would be the following policy applied for
>     `sw0-port1`:
>     +
>     +* Allow outbound IP traffic  and associated return traffic.
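Review bot: The opening paragraph of the new "6) Stateful ACLs" section states that ACLs are implemented using conntrack integration with OVS and then goes straight to `$ ovn/env6/setup.sh`, without telling the reader that ovs-sandbox cannot show this at the OpenFlow level yet, which the commit message does say. Suggest adding one sentence before the setup step noting that in the sandbox only the logical flows can be inspected, so readers do not expect to observe connection tracking of the "associated return traffic" in the first policy bullet. The quoted hunk stops at that bullet, so this may already be covered further down in the section.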
> 
> 
> To my eyes, looks like an extra space after "traffic" above, but it's
> super pedantic, so only re-spin if you need to for some other reason. :)

There is indeed an extra space there.  I removed it.

-- 
Russell Bryant


