[ovs-dev] [PATCH v1 RFC] ovn: Support native dhcp using 'continuations'

Numan Siddique nusiddiq at redhat.com
Tue Apr 5 11:52:47 UTC 2016


On Tue, Apr 5, 2016 at 12:17 AM, Ramu Ramamurthy <ramu.ramamurthy at gmail.com> wrote:

> > @@ -89,10 +89,11 @@ enum ovn_stage {
> >      PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_L2,    0,
> "ls_in_port_sec_l2")     \
> >      PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_IP,    1,
> "ls_in_port_sec_ip")     \
> >      PIPELINE_STAGE(SWITCH, IN,  PORT_SEC_ND,    2,
> "ls_in_port_sec_nd")     \
> > -    PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,        3, "ls_in_pre_acl")
>   \
> > -    PIPELINE_STAGE(SWITCH, IN,  ACL,            4, "ls_in_acl")
>   \
> > -    PIPELINE_STAGE(SWITCH, IN,  ARP_RSP,        5, "ls_in_arp_rsp")
>   \
> > -    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,        6, "ls_in_l2_lkup")
>   \
> > +    PIPELINE_STAGE(SWITCH, IN,  DHCP,           3, "ls_in_dhcp")     \
> > +    PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,        4, "ls_in_pre_acl")
>   \
> > +    PIPELINE_STAGE(SWITCH, IN,  ACL,            5, "ls_in_acl")
>   \
> > +    PIPELINE_STAGE(SWITCH, IN,  ARP_RSP,        6, "ls_in_arp_rsp")
>   \
> > +    PIPELINE_STAGE(SWITCH, IN,  L2_LKUP,        7, "ls_in_l2_lkup")
>   \
> >                                                                        \
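Review bot: inserting DHCP at stage 3, ahead of PRE_ACL (4) and ACL (5), means a client->server DHCP request is intercepted before any ACL flow can see it, so an ACL intended to drop DHCP from a particular inport will never match; either place the DHCP stage after ACL (before ARP_RSP) or state explicitly that ACLs do not apply to natively handled DHCP. The renumbering also shifts PRE_ACL, ACL, ARP_RSP and L2_LKUP by one table each, so any documentation that lists these ingress table numbers needs the matching update in the same patch.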
>
> Would it make sense to put DHCP after ACL instead of before, so that
> some control is provided on the handling of DHCP packets via ACL rules?
> For instance, OpenStack currently programs these DHCP ACL rules allowing
> client->server communication, and the use case would be if I want to
> drop all client->server DHCP traffic for a rogue VM.
>
> table=2(       ls_in_acl), priority= 2002, match=(inport ==
> "55c0912f-f7aa-4318-82f1-6118032839e3" && ip4 && (ip4.dst ==
> 255.255.255.255 || ip4.dst == 10.10.0.0/16) && udp && udp.src == 68 &&
> udp.dst == 67), action=(ct_commit; next;)
>

Since the DHCP traffic is handled by the ovn-controller, I thought there
was no need for the ACL checks. I do not have any preference as such.
I will test this out once.

Thanks
Numan
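A small model of the two stage orders discussed in this thread, added here as an example; it is not code from the OVS/OVN tree or from either poster. It takes the stage names from the PIPELINE_STAGE hunk and the client->server DHCP match, inport and subnet from the ls_in_acl rule quoted above. Flow matches are reduced to Python predicates, native DHCP handling is modelled as a terminal "dhcp_reply" action, the OpenStack allow rule is applied to all ports rather than one inport, and the operator's drop ACL (priority 2003) and the sample packets are constructed for this example. Running the same DHCP request through both orders shows why the placement matters: with DHCP at stage 3 the request is answered before the ACL stage can drop it.

```python
"""Toy model of an OVN logical-switch ingress pipeline.

Added example, not code from the OVS/OVN tree. Stage names follow the
PIPELINE_STAGE hunk; the DHCP match, inport and subnet come from the
ls_in_acl rule in the thread. Everything else (terminal "dhcp_reply"
action, drop ACL priority 2003, sample packets) is constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

Packet = Dict[str, object]

# Ingress stage order as numbered in the patch (3 = dhcp) ...
PATCH_ORDER = ["port_sec_l2", "port_sec_ip", "port_sec_nd",
               "dhcp", "pre_acl", "acl", "arp_rsp", "l2_lkup"]
# ... and with DHCP moved behind the ACL stage, as asked in the review.
ACL_FIRST_ORDER = ["port_sec_l2", "port_sec_ip", "port_sec_nd",
                   "pre_acl", "acl", "dhcp", "arp_rsp", "l2_lkup"]

# inport and subnet taken from the ls_in_acl rule quoted in the thread
ROGUE_PORT = "55c0912f-f7aa-4318-82f1-6118032839e3"
SUBNET = ipaddress.ip_network("10.10.0.0/16")
BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Flow:
    priority: int
    match: Callable[[Packet], bool]
    action: str          # "next", "drop", or a terminal action


def is_client_dhcp(p: Packet) -> bool:
    """ip4 && (ip4.dst == 255.255.255.255 || ip4.dst == 10.10.0.0/16)
    && udp && udp.src == 68 && udp.dst == 67 (the quoted ACL match)."""
    if not (p.get("ip4") and p.get("udp")):
        return False
    dst = ipaddress.ip_address(p["ip4.dst"])
    to_server = dst == BROADCAST or dst in SUBNET
    return to_server and p.get("udp.src") == 68 and p.get("udp.dst") == 67


def build_flows(drop_rogue_dhcp: bool) -> Dict[str, List[Flow]]:
    """Logical flows per stage. Every stage has a priority-0 'next'."""
    flows = {s: [Flow(0, lambda p: True, "next")] for s in PATCH_ORDER}
    # Native DHCP: a client request is answered by ovn-controller and
    # never continues down the pipeline (modelled as a terminal action).
    flows["dhcp"].append(Flow(100, is_client_dhcp, "dhcp_reply"))
    # OpenStack-style allow for client->server DHCP (priority 2002 in the
    # dump; the real action is "ct_commit; next", reduced to "next" here).
    flows["acl"].append(Flow(2002, is_client_dhcp, "next"))
    if drop_rogue_dhcp:
        # Operator's higher-priority drop for one rogue VM (priority assumed).
        flows["acl"].append(Flow(
            2003,
            lambda p: p.get("inport") == ROGUE_PORT and is_client_dhcp(p),
            "drop"))
    return flows


def run_pipeline(order: List[str], flows: Dict[str, List[Flow]],
                 p: Packet) -> str:
    """Walk the stages in order; the highest-priority matching flow wins.
    Returns '<stage>:<action>' for the first non-'next' action, or
    'l2_lkup:output' if the packet survives every stage."""
    for stage in order:
        best = max((f for f in flows[stage] if f.match(p)),
                   key=lambda f: f.priority)
        if best.action != "next":
            return f"{stage}:{best.action}"
    return "l2_lkup:output"


def dhcp_outcome(order: List[str], drop_rogue_dhcp: bool,
                 inport: str = ROGUE_PORT) -> str:
    """Outcome for a constructed DHCPDISCOVER-style packet from `inport`."""
    pkt: Packet = {"inport": inport, "ip4": True, "udp": True,
                   "ip4.dst": "255.255.255.255", "udp.src": 68, "udp.dst": 67}
    return run_pipeline(order, build_flows(drop_rogue_dhcp), pkt)


if __name__ == "__main__":
    for name, order in (("patch order", PATCH_ORDER),
                        ("dhcp after acl", ACL_FIRST_ORDER)):
        print(f"{name:15s} with drop ACL -> {dhcp_outcome(order, True)}")
```

The model ignores conntrack and lets the port-security stages pass everything, which is enough to show the ordering effect: in the patch order the rogue VM's request reaches the DHCP stage first and is answered regardless of the ACL, while with DHCP after ACL the priority-2003 drop wins and the request never reaches the DHCP handler.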
