[ovs-dev] [PATCH 3/3] ovn: Add address_set() support for ACLs.

Russell Bryant russell at ovn.org
Wed Apr 6 15:16:45 UTC 2016


On Tue, Apr 5, 2016 at 5:24 PM, Russell Bryant <russell at ovn.org> wrote:

> This feature was originally proposed here:
>
>   http://openvswitch.org/pipermail/dev/2016-March/067440.html
>
> A common use case for OVN ACLs involves needing to match a set of IP
> addresses.
>
>    outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}
>
> This example match only has 3 addresses, but it could easily have
> hundreds of addresses.  In some cases, the same large set of addresses
> needs to be used in several ACLs.
>
> This patch adds a new Address_Set table to OVN_Northbound so that a set
> of addresses can be specified once and then referred to by name in ACLs.
> To recreate the above example, you would first create an address set:
>
>   $ ovn-nbctl create Address_Set name=set1 addresses=10.0.0.5,10.0.0.25,10.0.0.50
>
> Then you can refer to this address set by name in an ACL match:
>
>   outport == "lp1" && ip4.src == address_set(set1)
>
> Signed-off-by: Russell Bryant <russell at ovn.org>


I have documentation updates for this patch that I forgot to commit before
sending these patches.  I'll include them in v2.

-- 
Russell Bryant
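
The name-to-set substitution described in the quoted commit message, as an added Python illustration; it is not code from the patch or from OVN. The helper names `expand_address_sets` and `parse_addresses_column` and the sample table are hypothetical, and raising an error on an undefined or empty set is a choice made in this sketch, not documented OVN behaviour.

```python
import ipaddress
import re

# Constructed sample data mirroring the commit message's example.
ADDRESS_SETS = {"set1": ["10.0.0.5", "10.0.0.25", "10.0.0.50"]}

# Matches address_set(NAME) references inside a match expression.
_REF = re.compile(r"address_set\(\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\)")


def parse_addresses_column(value):
    """Split the comma-separated addresses= value shown with ovn-nbctl."""
    return [a.strip() for a in value.split(",") if a.strip()]


def expand_address_sets(match, address_sets):
    """Replace each address_set(NAME) with the inline {a, b, c} set form.

    Hypothetical helper: it raises instead of emitting an empty or partial
    set, so a typo in a set name cannot silently change what an ACL matches.
    """
    def _sub(m):
        name = m.group(1)
        if name not in address_sets:
            raise KeyError(f"undefined address set: {name}")
        addrs = address_sets[name]
        if not addrs:
            raise ValueError(f"address set {name} is empty")
        # ip_address() rejects malformed entries such as "10.0.0.256".
        canon = [str(ipaddress.ip_address(a)) for a in addrs]
        return "{" + ", ".join(canon) + "}"

    return _REF.sub(_sub, match)


if __name__ == "__main__":
    acl = 'outport == "lp1" && ip4.src == address_set(set1)'
    print(expand_address_sets(acl, ADDRESS_SETS))
```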


