[ovs-dev] [PATCH 3/4] ovn-northd: Add l3 port security for IPv4 and ARP

Ryan Moats rmoats at us.ibm.com
Wed Feb 17 20:59:37 UTC 2016


> For every port security defined for a logical port, add the following lflows
> in the "ls_in_port_sec" and "ls_out_port_sec" stages:
>    - A priority 90 flow to allow ipv4 traffic for known ip addresses
>     and (broadcast ip - for ingress, mainly for dhcp)
>    - A priority 80 flow to drop all ipv4 traffic.
>    - For ingress, a priority 90 flow to allow arp traffic for known
>       ip addresses and priority 80 flow to drop all arp traffic
>    - A priority 90 flow to allow ipv6 traffic for all ipv6 addresses if
>      port security has ipv6 address(es) defined
>      (next patch will address ipv6)
>    - A priority 80 flow to drop all ipv6 traffic.
>    - A priority 50 flow to allow all traffic on that port with the matching
>      eth address
>
> Eg. if the port security is "00:00:00:00:00:01 10.0.0.2"
>
> priority=90, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
> && arp && arp.sha == 00:00:00:00:00:01 && (arp.spa == 10.0.0.2)), action=(next;)
>
> priority=90, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
> && ip4 && ((ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255) ||
> ip4.src == 10.0.0.3)), action=(next;)
>
> priority=80, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
> && (arp || ip4)), action=(drop;)
>
> priority=80, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
> && ip6), action=(drop;)
>
> priority=50, match=(inport == "portname" && eth.src == 00:00:00:00:00:01),
> action=(next;)
>
> Signed-off-by: Numan Siddique <nusiddiq at redhat.com>

Acked-By: Ryan Moats <rmoats at us.ibm.com>
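The ingress half of the flow set described in the quoted summary, written out as an added example that is not the ovn-northd code from the patch. It takes a port security string in the "<mac> <ip ...>" form the message uses, builds the priority 90/80/50 "ls_in_port_sec" match strings in the same shape as the quoted example (using the configured address throughout), and pairs each match with an equivalent Python predicate so that a few constructed packets can be run through the stage to see which flow wins. The port name "portname", the packet-as-dict representation, and the `evaluate` helper are assumptions for this example; it also assumes at least one IPv4 address is configured, as in the quoted example.

```python
"""Ingress port-security lflows as described in the patch summary (added example,
not ovn-northd's own code). Assumes port security is "<mac> [addr ...]" with at
least one IPv4 address, and models a packet as a plain dict."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Flow:
    priority: int
    match: str                      # OVN match expression, as in the quoted example
    action: str                     # "next;" or "drop;"
    pred: Callable[[Dict], bool]    # equivalent predicate over a packet dict


def parse_port_security(ps: str):
    """'<mac> [addr ...]' -> (mac, [ipv4 ...], [ipv6 ...])."""
    mac, *addrs = ps.split()
    v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
    return mac, v4, v6


def ingress_port_sec_flows(port: str, ps: str) -> List[Flow]:
    """Build the "ls_in_port_sec" flows for one logical port (ingress only)."""
    mac, v4, v6 = parse_port_security(ps)
    if not v4:
        raise ValueError("this example assumes at least one IPv4 address")
    base = f'inport == "{port}" && eth.src == {mac}'

    def from_port(p: Dict) -> bool:
        return p.get("inport") == port and p.get("eth_src") == mac

    flows: List[Flow] = []

    # priority 90: IPv4 from a configured address, or the 0.0.0.0 -> 255.255.255.255
    # broadcast a DHCP client sends before it has an address
    ip4_terms = ["(ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255)"]
    ip4_terms += [f"ip4.src == {a}" for a in v4]
    flows.append(Flow(90, f"{base} && ip4 && ({' || '.join(ip4_terms)})", "next;",
        lambda p: from_port(p) and p.get("proto") == "ip4" and (
            (p.get("ip_src") == "0.0.0.0" and p.get("ip_dst") == "255.255.255.255")
            or p.get("ip_src") in v4)))

    # priority 90: ARP only with the configured MAC as sender hardware address
    # and a configured sender protocol address (blocks ARP spoofing from the port)
    arp_terms = " || ".join(f"arp.spa == {a}" for a in v4)
    flows.append(Flow(90, f"{base} && arp && arp.sha == {mac} && ({arp_terms})", "next;",
        lambda p: from_port(p) and p.get("proto") == "arp"
            and p.get("arp_sha") == mac and p.get("arp_spa") in v4))

    # priority 80: any other IPv4 or ARP from this port is dropped
    flows.append(Flow(80, f"{base} && (arp || ip4)", "drop;",
        lambda p: from_port(p) and p.get("proto") in ("arp", "ip4")))

    # IPv6: allowed wholesale only when IPv6 addresses are configured (the next
    # patch refines this), otherwise dropped
    if v6:
        flows.append(Flow(90, f"{base} && ip6", "next;",
            lambda p: from_port(p) and p.get("proto") == "ip6"))
    flows.append(Flow(80, f"{base} && ip6", "drop;",
        lambda p: from_port(p) and p.get("proto") == "ip6"))

    # priority 50: everything else carrying the right source MAC continues
    flows.append(Flow(50, base, "next;", from_port))
    return flows


def evaluate(flows: List[Flow], pkt: Dict) -> Optional[str]:
    """Action of the highest-priority matching flow, or None if nothing matches."""
    hits = [f for f in flows if f.pred(pkt)]
    return max(hits, key=lambda f: f.priority).action if hits else None


if __name__ == "__main__":
    flows = ingress_port_sec_flows("portname", "00:00:00:00:00:01 10.0.0.2")
    for f in flows:
        print(f"priority={f.priority}, match=({f.match}), action=({f.action})")
    ok = {"inport": "portname", "eth_src": "00:00:00:00:00:01"}
    # constructed packets: legitimate source, spoofed source, DHCP discover
    for pkt in ({**ok, "proto": "ip4", "ip_src": "10.0.0.2", "ip_dst": "10.0.0.9"},
                {**ok, "proto": "ip4", "ip_src": "10.0.0.3", "ip_dst": "10.0.0.9"},
                {**ok, "proto": "ip4", "ip_src": "0.0.0.0", "ip_dst": "255.255.255.255"}):
        print(pkt["ip_src"], "->", evaluate(flows, pkt))
```

Running it prints the five flows in the same form as the quoted example, then shows the configured 10.0.0.2 source and the DHCP discover passing (next;) while a packet claiming 10.0.0.3 from the same MAC hits the priority 80 drop.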


