[ovs-dev] [PATCH v3 2/2] ovn: Add address_set() support for ACLs.

Flaviof flavio at flaviof.com
Thu Jun 23 19:05:43 UTC 2016


On Thu, Jun 23, 2016 at 1:05 AM, <bschanmu at redhat.com> wrote:

> From: Russell Bryant <russell at ovn.org>
>
> This feature was originally proposed here:
>
>   http://openvswitch.org/pipermail/dev/2016-March/067440.html
>
> A common use case for OVN ACLs involves needing to match a set of IP
> addresses.
>
>    outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}
>
> This example match only has 3 addresses, but it could easily have
> hundreds of addresses.  In some cases, the same large set of addresses
> needs to be used in several ACLs.
>
> This patch adds a new Address_Set table to OVN_Northbound so that a set
> of addresses can be specified once and then referred to by name in ACLs.
> To recreate the above example, you would first create an address set:
>
>   $ ovn-nbctl create Address_Set name=set1
> addresses=10.0.0.5,10.0.0.25,10.0.0.50
>
> Then you can refer to this address set by name in an ACL match:
>
>   outport == "lp1" && ip4.src == $set1
>
> Signed-off-by: Russell Bryant <russell at ovn.org>
> Signed-off-by: Babu Shanmugam <bschanmu at redhat.com>
> ---
>  ovn/controller/lflow.c    | 155
> +++++++++++++++++++++++++++++++++++++++++++++-
>  ovn/northd/ovn-northd.c   |  42 +++++++++++++
>  ovn/ovn-nb.ovsschema      |  10 ++-
>  ovn/ovn-nb.xml            |  28 +++++++++
>  ovn/ovn-sb.ovsschema      |  12 +++-
>  ovn/ovn-sb.xml            |  19 ++++++
>  ovn/utilities/ovn-nbctl.c |   4 ++
>  ovn/utilities/ovn-sbctl.c |   4 ++
>  tests/ovn.at              |  10 +++
>  9 files changed, 280 insertions(+), 4 deletions(-)
>
> <snip>

>
> diff --git a/tests/ovn.at b/tests/ovn.at
> index 4f72107..59f9307 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -649,6 +649,8 @@ done
>  ovn-nbctl acl-add lsw0 from-lport 1000 'eth.type == 0x1234' drop
>  ovn-nbctl acl-add lsw0 from-lport 1000 'eth.type == 0x1235 && inport ==
> "lp11"' drop
>  ovn-nbctl acl-add lsw0 to-lport 1000 'eth.type == 0x1236 && outport ==
> "lp33"' drop
> +ovn-nbctl create Address_Set name=set1
> addresses=\"f0:00:00:00:00:11\",\"f0:00:00:00:00:21\",\"f0:00:00:00:00:31\"
> +ovn-nbctl acl-add lsw0 to-lport 1000 'eth.type == 0x1237 && eth.src ==
> $set1 && outport == "lp33"' drop
>
>  # Pre-populate the hypervisors' ARP tables so that we don't lose any
>  # packets for ARP resolution (native tunneling doesn't queue packets
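Review bot: the new ACL at the end of this hunk only exercises an Address_Set of MAC addresses matched against `eth.src`, while the commit message's motivating example is a set of IPv4 addresses matched with `ip4.src`. Consider adding a second set of IP addresses with a matching `ip4.src == $set2` ACL so the test also covers the documented use case. It is also worth confirming that the `\"f0:00:00:00:00:11\",...` escaping survives the Autotest/m4 quoting applied to ovn.at; if it does not, the set would be created with literal backslashes rather than three separate strings and the new ACL would silently match nothing.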
> @@ -779,9 +781,17 @@ for is in 1 2 3; do
>
>                  if test $d != $s && test $s != 11; then acl2=$d; else
> acl2=; fi
>                  if test $d != $s && test $d != 33; then acl3=$d; else
> acl3=; fi
> +                if test $d == $s || (test $js == 1 && test $d == 33); then
> +                    # Source of 11, 21, or 31 and dest of 33 should be
> droped
>


nitpick: typo on 'should be "dropped"'



> +                    # due to the 4th ACL that uses address_set(set1).
> +                    acl4=
> +                else
> +                    acl4=$d
> +                fi
>                  test_packet $s f000000000$d f000000000$s 1234        #7,
> acl1
>                  test_packet $s f000000000$d f000000000$s 1235 $acl2  #7,
> acl2
>                  test_packet $s f000000000$d f000000000$s 1236 $acl3  #7,
> acl3
> +                test_packet $s f000000000$d f000000000$s 1237 $acl4  #7,
> acl4
>
>                  test_packet $s f000000000$d f00000000055 810000091234
>   #4
>                  test_packet $s f000000000$d 0100000000$s $s$d
>   #5
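Review bot: the new condition uses `test $d == $s` and `test $js == 1`, but `==` is not a POSIX `test` operator; the surrounding lines use `!=`, which is portable, so the added line should read `if test $d = $s || (test $js = 1 && test $d = 33); then` to keep the test running under shells other than bash. The comment beneath it also says the ACL "uses address_set(set1)", whereas the ACL added in the earlier hunk is written as `eth.src == $set1`; rewording the comment to the `$set1` form would avoid suggesting a function-style syntax that this patch does not use.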
> --
> 2.5.5
>
