[ovs-dev] [PATCH v1 RFC] ovn: Support native dhcp using 'continuations'
Ramu Ramamurthy
ramu.ramamurthy at gmail.com
Mon Apr 4 18:47:09 UTC 2016
> @@ -89,10 +89,11 @@ enum ovn_stage {
> PIPELINE_STAGE(SWITCH, IN, PORT_SEC_L2, 0, "ls_in_port_sec_l2") \
> PIPELINE_STAGE(SWITCH, IN, PORT_SEC_IP, 1, "ls_in_port_sec_ip") \
> PIPELINE_STAGE(SWITCH, IN, PORT_SEC_ND, 2, "ls_in_port_sec_nd") \
> - PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 3, "ls_in_pre_acl") \
> - PIPELINE_STAGE(SWITCH, IN, ACL, 4, "ls_in_acl") \
> - PIPELINE_STAGE(SWITCH, IN, ARP_RSP, 5, "ls_in_arp_rsp") \
> - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 6, "ls_in_l2_lkup") \
> + PIPELINE_STAGE(SWITCH, IN, DHCP, 3, "ls_in_dhcp") \
> + PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 4, "ls_in_pre_acl") \
> + PIPELINE_STAGE(SWITCH, IN, ACL, 5, "ls_in_acl") \
> + PIPELINE_STAGE(SWITCH, IN, ARP_RSP, 6, "ls_in_arp_rsp") \
> + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 7, "ls_in_l2_lkup") \
> \
Would it make sense to put DHCP after ACL instead of before it, so that
some control over the handling of DHCP packets is provided via ACL rules?
For instance, OpenStack currently programs DHCP ACL rules like the one
below, allowing client->server communication, and the use case would be
if I want to drop all client->server DHCP traffic for a rogue VM.
table=2( ls_in_acl), priority= 2002, match=(inport ==
"55c0912f-f7aa-4318-82f1-6118032839e3" && ip4 && (ip4.dst ==
255.255.255.255 || ip4.dst == 10.10.0.0/16) && udp && udp.src == 68 &&
udp.dst == 67), action=(ct_commit; next;)