[ovs-dev] [PATCH] ovn: Add stateful ACL support.
blp at nicira.com
Fri Oct 16 00:21:06 UTC 2015
On Thu, Oct 15, 2015 at 10:32:51AM -0700, Justin Pettit wrote:
> Add support for the "allow-related" ACL action. This is dependent on
> the OVS conntrack functionality, which is not available on all platforms
> or kernel versions.
> Here is a sample policy that will allow all tenants in logical switch
> "ls0" to SSH to each other. Anyone can make an HTTP request to "lp0".
> All other IP traffic is dropped:
> ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
> ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
> ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
> && tcp.dst==80" allow-related
> ovn-nbctl acl-add ls0 to-lport 1 ip drop
> Note: Kernel conntrack support is checked into the mainline Linux
> kernel, but hasn't been backported to the main OVS repo yet.
> I've pushed this patch on a partial backport of conntrack here:
Thanks! This is going to be awesome.
This lacks a Signed-off-by.
ovn-northd.xml needs an update to explain all the new flows and
renumbered flow tables.
I get one "sparse" warning:
../ovn/lib/actions.c:151:13: warning: incorrect type in assignment (different base types)
../ovn/lib/actions.c:151:13: expected unsigned short [unsigned] [usertype] alg
../ovn/lib/actions.c:151:13: got restricted ovs_be16
In symtab_init() in ovn/controller/lflow.c, I think it would be a little
better to define ct.trk as a subfield, instead of a predicate, since
subfields are a little more general-purpose.
Acked-by: Ben Pfaff <blp at nicira.com>
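The sample policy from the patch description, modelled as an added example (not code from the patch or from OVN) so the flows it admits and rejects can be checked offline. The Pkt class, the port names lp1/lp2 and the in-memory set standing in for the conntrack table are constructed assumptions; OVN's evaluation is simplified to highest-priority match per direction, default allow when no ACL matches, and allow-related admitting replies of committed connections.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """Constructed packet abstraction; ports are OVN logical port names."""
    inport: str
    outport: str
    proto: str          # "tcp", "udp", "icmp" count as ip; "arp" does not
    src_port: int = 0
    dst_port: int = 0

IP_PROTOS = {"tcp", "udp", "icmp"}

# (direction, priority, match, action): the four ovn-nbctl acl-add lines
ACLS = [
    ("from-lport", 100, lambda p: p.proto in IP_PROTOS, "allow-related"),
    ("to-lport", 100, lambda p: p.proto == "tcp" and p.dst_port == 22,
     "allow-related"),
    ("to-lport", 100, lambda p: p.outport == "lp0" and p.proto == "tcp"
     and p.dst_port == 80, "allow-related"),
    ("to-lport", 1, lambda p: p.proto in IP_PROTOS, "drop"),
]

class LogicalSwitch:
    """Evaluates ACLs at ingress (from-lport) and egress (to-lport)."""

    def __init__(self):
        self.established = set()   # assumed stand-in for the conntrack table

    def _stage(self, direction, pkt):
        hits = [a for a in ACLS if a[0] == direction and a[2](pkt)]
        if not hits:
            return "allow"          # no matching ACL: packet passes unchanged
        return max(hits, key=lambda a: a[1])[3]   # highest priority wins

    def forward(self, pkt):
        key = (pkt.inport, pkt.outport, pkt.proto, pkt.src_port, pkt.dst_port)
        reverse = (pkt.outport, pkt.inport, pkt.proto, pkt.dst_port, pkt.src_port)
        if reverse in self.established:
            return "allow"          # reply to a connection allow-related committed
        actions = [self._stage(d, pkt) for d in ("from-lport", "to-lport")]
        if "drop" in actions:
            return "drop"
        if "allow-related" in actions:
            self.established.add(key)   # only allow-related commits to conntrack
        return "allow"
```

Note that an unsolicited packet from port 22 is dropped by the priority-1 rule, while the same packet as a reply to an admitted SSH connection passes; that difference is what allow-related buys over plain allow.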