[ovs-dev] [PATCH v1 RFC] ovn: Support native dhcp using 'continuations'

Ramu Ramamurthy ramu.ramamurthy at gmail.com
Mon Apr 4 18:47:09 UTC 2016


> @@ -89,10 +89,11 @@ enum ovn_stage {
>      PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_L2,    0, "ls_in_port_sec_l2")     \
>      PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_IP,    1, "ls_in_port_sec_ip")     \
>      PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_ND,    2, "ls_in_port_sec_nd")     \
> -    PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,        3, "ls_in_pre_acl")      \
> -    PIPELINE_STAGE(SWITCH, IN,  ACL,            4, "ls_in_acl")          \
> -    PIPELINE_STAGE(SWITCH, IN,  ARP_RSP,        5, "ls_in_arp_rsp")      \
> -    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,        6, "ls_in_l2_lkup")      \
> +    PIPELINE_STAGE(SWITCH, IN,  DHCP,           3, "ls_in_dhcp")     \
> +    PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,        4, "ls_in_pre_acl")      \
> +    PIPELINE_STAGE(SWITCH, IN,  ACL,            5, "ls_in_acl")          \
> +    PIPELINE_STAGE(SWITCH, IN,  ARP_RSP,        6, "ls_in_arp_rsp")      \
> +    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,        7, "ls_in_l2_lkup")      \
>                                                                        \

Would it make sense to put DHCP after ACL instead of before, so that
ACL rules can provide some control over the handling of DHCP packets?
For instance, OpenStack currently programs DHCP ACL rules allowing
client->server communication, and the use case would be dropping
all client->server DHCP traffic from a rogue VM.

table=2(       ls_in_acl), priority= 2002, match=(inport ==
"55c0912f-f7aa-4318-82f1-6118032839e3" && ip4 && (ip4.dst ==
255.255.255.255 || ip4.dst == 10.10.0.0/16) && udp && udp.src == 68 &&
udp.dst == 67), action=(ct_commit; next;)


