[ovs-dev] [RFC] OVN northbound address sets

Salvatore Orlando salv.orlando at gmail.com
Tue Mar 22 19:26:59 UTC 2016


As I am doing some integration between OVN and Kubernetes, there is a
similar problem there where the introduction of this concept can be very
beneficial.

To provide some context a Kubernetes network policy [1] might have several
"from" clauses which might translate into a great number of IP addresses.
So far implementing this in OVN requires either a distinct ACL for every IP
address or continuously updating the same ACL, whose match expression
quickly becomes hardly manageable.

Having address sets will enable us to simply add or remove source IPs from
the ACL when Kubernetes Pods are created or destroyed.

Salvatore

[1]
https://docs.google.com/document/d/1qAm-_oSap-f1d6a-xRTj6xaH1sYQBfK36VyjB5XOZug/edit
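As an added example (not code from this thread, from OVN, or from any of the posters), the following Python model shows the Kubernetes use case above: one Address_Set per NetworkPolicy "from" clause, one ACL whose match names that set, and pod churn handled as member add/remove against the set rather than a rewrite of the ACL match. Two things are assumptions the thread leaves open: a set is referenced in a match as `$<name>`, and the set is driven through ovn-nbctl's generic db commands (`create`, `add`, `remove`) plus `acl-add`; the commands are only built as strings here, never executed. It also validates members, because the proposed `addresses` column is a free-form string set and the schema alone will not reject a malformed entry.

```python
"""Added example for the OVN address-set discussion; not project code.

Assumptions (not settled in the thread):
  * a match refers to an Address_Set as `$<name>`;
  * ovn-nbctl generic db commands (`create`, `add`, `remove`) and `acl-add`
    are used to drive the northbound database; commands are returned as
    strings and never run.
"""
import ipaddress
import re

# Assumed constraint: a set name must be a plain token so that `$name` can
# be tokenised inside a match expression without quoting.
SET_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def normalize_address(addr):
    """Accept an IPv4/IPv6 host address or a strict CIDR prefix.

    The proposed `addresses` column is a set of free-form strings, so the
    schema cannot reject junk; a truncated dotted quad such as '10.0.7'
    or a prefix with host bits set ('10.0.0.1/24') is refused here.
    """
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_network(addr))  # strict: host bits are an error
    except ValueError:
        raise ValueError(f"not an IP address or CIDR: {addr!r}") from None


def is_valid_address(addr):
    try:
        normalize_address(addr)
        return True
    except ValueError:
        return False


def legacy_match(port_expr, addrs):
    """The pre-Address_Set form from the thread: every member is inlined,
    so each pod create/delete means rewriting the whole ACL match."""
    members = ", ".join(sorted(normalize_address(a) for a in addrs))
    return f"{port_expr} && ip.src == {{{members}}}"


def set_match(port_expr, set_name):
    """Same policy against a named set; this string never changes."""
    if not SET_NAME_RE.match(set_name):
        raise ValueError(f"bad Address_Set name: {set_name!r}")
    return f"{port_expr} && ip.src == ${set_name}"


def create_policy(switch, set_name, port_expr, addrs, direction, priority=1001):
    """One-time setup: create the set, then a single ACL that references it."""
    members = " ".join(sorted(normalize_address(a) for a in addrs))
    return [
        f'ovn-nbctl create Address_Set name={set_name} addresses="{members}"',
        f"ovn-nbctl acl-add {switch} {direction} {priority} "
        f"'{set_match(port_expr, set_name)}' allow",
    ]


def reconcile(set_name, current, desired):
    """Pod churn: commands that move the set from `current` to `desired`.

    Only the Address_Set row is touched; the ACL referencing it is left
    alone. Output is sorted so repeated runs are deterministic.
    """
    cur = {normalize_address(a) for a in current}
    want = {normalize_address(a) for a in desired}
    cmds = [f"ovn-nbctl add Address_Set {set_name} addresses {a}"
            for a in sorted(want - cur)]
    cmds += [f"ovn-nbctl remove Address_Set {set_name} addresses {a}"
             for a in sorted(cur - want)]
    return cmds


if __name__ == "__main__":
    # Constructed sample: pod IPs selected by a policy's "from" clause.
    # A Kubernetes ingress rule filters traffic on its way to the pod, which
    # in OVN is a to-lport ACL matched on outport.
    pods = {"web-1": "10.0.0.1", "web-2": "10.0.0.3", "web-3": "10.0.0.7"}
    print("\n".join(create_policy("k8s-sw", "policy_web_ingress",
                                  'outport == "lport1"', pods.values(),
                                  "to-lport")))
    before = list(pods.values())
    pods.pop("web-2")            # pod deleted
    pods["web-4"] = "10.0.0.9"   # pod scheduled
    print("\n".join(reconcile("policy_web_ingress", before, pods.values())))
```

The contrast to keep in mind is the size of the write on each event: `legacy_match` grows with the number of pods and must be replaced wholesale on every change, while `reconcile` emits one `add` or `remove` per pod that actually came or went.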

On 11 March 2016 at 02:10, Ben Pfaff <blp at ovn.org> wrote:

> On Wed, Mar 09, 2016 at 04:12:07PM -0500, Russell Bryant wrote:
> >
> > One use case for OVN ACLs includes matching on a set of IP addresses.  A
> > simple example:
> >
> >     inport == "lport1" && ip.src == {10.0.0.1, 10.0.0.3, 10.0.0.7}
> >
> > This is only 3 addresses, but it could easily be hundreds of addresses.
> >
> > I'd like to add a new table to OVN_Northbound called something like
> > "Address_Set".
> >
> > +        "Address_Set": {
> > +            "columns": {
> > +                "name": {"type": "string"},
> > +                "addresses": {"type": {"key": "string",
> > +                                       "min": 0,
> > +                                       "max": "unlimited"}}},
> > +            "indexes": [["name"]],
> > +            "isRoot": false},
> >
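Review bot: with "isRoot": false and no reference-typed column anywhere pointing at Address_Set, ovsdb will garbage-collect every row of this table as soon as it is committed, because ACLs are meant to name a set by its "name" string inside the match rather than hold a row reference to it. Either make the table a root ("isRoot": true) or add a column on ACL of type {"key": {"type": "uuid", "refTable": "Address_Set"}} so rows stay reachable. Separately, "addresses" is a plain string set, so the schema accepts any text; whoever compiles the match (ovn-northd or the expression parser) will have to validate that each member is an IP address or prefix and decide how a malformed member is reported.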
> > I'd also like to be able to refer to an address set by name in an ACL
> > match.  I'm not sure about the syntax, but as an example:
>
> I support this.  It matches some sketchy plans I had when I started
> designing the OVN matching language.
>
> I support Ryan's suggestion to extend this to the southbound database.
