[ovs-dev] [PATCH] ovn: Add stateful ACL support.

Ben Pfaff blp at nicira.com
Fri Oct 16 00:21:06 UTC 2015


On Thu, Oct 15, 2015 at 10:32:51AM -0700, Justin Pettit wrote:
> Add support for the "allow-related" ACL action.  This is dependent on
> the OVS conntrack functionality, which is not available on all platforms
> or kernel versions.
> 
> Here is a sample policy that will allow all tenants in logical switch
> "ls0" to SSH to each other.  Anyone can make an HTTP request to "lp0".
> All other IP traffic is dropped:
> 
>   ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
>   ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
>   ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
>             && tcp.dst==80" allow-related
>   ovn-nbctl acl-add ls0 to-lport 1 ip drop
> 
> Note: Kernel conntrack support is checked into the mainline Linux
> kernel, but hasn't been backported to the main OVS repo yet.
> ---
> I've pushed this patch on a partial backport of conntrack here:
> 
>     https://github.com/justinpettit/ovs/tree/ovn-acl

Thanks!  This is going to be awesome.

This lacks a Signed-off-by.

ovn-northd.xml needs an update to explain all the new flows and
renumbered flow tables.

I get one "sparse" warning:

    ../ovn/lib/actions.c:151:13: warning: incorrect type in assignment (different base types)
    ../ovn/lib/actions.c:151:13:    expected unsigned short [unsigned] [usertype] alg
    ../ovn/lib/actions.c:151:13:    got restricted ovs_be16

In symtab_init() in ovn/controller/lflow.c, I think it would be a little
better to define ct.trk as a subfield, instead of a predicate, since
subfields are a little more general-purpose.

Acked-by: Ben Pfaff <blp at nicira.com>
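The sparse warning quoted above is about assigning a network-byte-order ovs_be16 to a host-order field. The following is an added example, not code from the OVN patch or the OVS tree, showing why that matters: names other than ovs_be16 are hypothetical, and the wire bytes are constructed.

```c
/* Added example, not from the OVN patch: the byte-order mix-up behind the
 * sparse warning quoted above. ovs_be16 holds network byte order; storing
 * it in a plain host-order field misreads the value on little-endian
 * hosts. Everything except the ovs_be16 name is hypothetical. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t ovs_be16;   /* network byte order, as in OVS headers */

/* Hypothetical conntrack action holding an ALG port in host byte order. */
struct ct_action {
    uint16_t alg;
};

/* Constructed wire sample: port 21 (FTP ALG) encoded big-endian. */
static const uint8_t wire_alg[2] = { 0x00, 0x15 };

/* Read a 16-bit field from the wire, still in network byte order. */
static ovs_be16 get_be16(const uint8_t *p)
{
    ovs_be16 v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Buggy: the kind of assignment sparse flags. On a little-endian host
 * the field ends up as 0x1500 (5376) instead of 21. */
static uint16_t alg_buggy(void)
{
    struct ct_action a;
    a.alg = get_be16(wire_alg);
    return a.alg;
}

/* Fixed: convert with ntohs(), which is correct on every architecture. */
static uint16_t alg_fixed(void)
{
    struct ct_action a;
    a.alg = ntohs(get_be16(wire_alg));
    return a.alg;
}

int main(void)
{
    printf("buggy=%u fixed=%u\n", alg_buggy(), alg_fixed());
    return 0;
}
```

On a little-endian machine the buggy path reports 5376 and the fixed path 21; on a big-endian machine both report 21, which is exactly why the bug is easy to miss without sparse's type checking.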
