[ovs-dev] Example of Neutron security groups as OVN ACLs

Justin Pettit jpettit at nicira.com
Sat Sep 5 03:46:40 UTC 2015


> On Sep 4, 2015, at 8:34 PM, Russell Bryant <rbryant at redhat.com> wrote:
> 
> On 09/04/2015 05:09 PM, Russell Bryant wrote:
>> I've been working on Neutron security groups for OVN a bit this week and
>> have the first rough cut "working" (it does something, at least).  Right
>> now it only creates ACLs on neutron port creation.  I have to go back
>> and add cleanup, handle when ports or security groups get updated after
>> they are created, ...
>> 
>> Anyway, I definitely found myself getting confused with Neutron's SG
>> ingress vs. egress, OVN ACL direction inbound vs. outbound, and when to
>> use OVN inport and outport associated with each.  So, here's the
>> simplest example.  Let me know which part doesn't match what you'd
>> expect, because surely I've got something backwards.
> 
> I just saw the RFC patch for OVN ACLs and the related schema patch.
> Renaming inbound/outbound to to-lport/from-lport helps a lot.  The
> associated docs helped clarify for me, as well.  Thanks!

Glad to hear it.  The priorities and directions were the main thing that I'd noticed from a quick look earlier.  Have you tried the new branch with traffic?  I'm happy to still look at the flows you're generating.  Can you send them with the updated direction and priorities?  Let me know if there's anything else that I should add to the docs.

Thanks!

--Justin




