[ovs-dev] [RFC] OVN northbound address sets

Russell Bryant russell at ovn.org
Tue Mar 22 19:32:37 UTC 2016


Great, thanks for the feedback!

I'm working on the implementation of address sets for OVN now.  It's still
incomplete, but I'd like to post something by the end of the week.

https://github.com/russellb/ovs/commits/ovn-address-sets

-- 
Russell Bryant

On Tue, Mar 22, 2016 at 3:26 PM, Salvatore Orlando <salv.orlando at gmail.com>
wrote:

> As I am doing some integration between OVN and Kubernetes, there is a
> similar problem there where the introduction of this concept can be very
> beneficial.
>
> To provide some context a Kubernetes network policy [1] might have several
> "from" clauses which might translate into a great number of IP addresses.
> So far implementing this in OVN requires either a distinct ACL for every
> IP address or continuously updating the same ACL, whose match expression
> quickly becomes hardly manageable.
>
> Having address sets will enable us to simply add or remove source IPs from
> the ACL when kubernetes Pods are created or destroyed.
>
> Salvatore
>
> [1]
> https://docs.google.com/document/d/1qAm-_oSap-f1d6a-xRTj6xaH1sYQBfK36VyjB5XOZug/edit
>
> On 11 March 2016 at 02:10, Ben Pfaff <blp at ovn.org> wrote:
>
>> On Wed, Mar 09, 2016 at 04:12:07PM -0500, Russell Bryant wrote:
>> >
>> > One use case for OVN ACLs includes matching on a set of IP addresses.  A
>> > simple example:
>> >
>> >     inport == "lport1" && ip.src == {10.0.0.1, 10.0.0.3, 10.0.7}
>> >
>> > This is only 3 addresses, but it could easily be hundreds of addresses.
>> >
>> > I'd like to add a new table to OVN_Northbound called something like
>> > "Address_Set".
>> >
>> > +        "Address_Set": {
>> > +            "columns": {
>> > +                "name": {"type": "string"},
>> > +                "addresses": {"type": {"key": "string",
>> > +                                       "min": 0,
>> > +                                       "max": "unlimited"}}},
>> > +            "indexes": [["name"]],
>> > +            "isRoot": false},
>> >
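Review bot: with "isRoot": false and no column in any other northbound table referencing Address_Set, OVSDB garbage-collects every Address_Set row as soon as it is unreferenced, and the ACL match proposed just below refers to a set only by name inside a string, which is not a reference; either make the table a root table ("isRoot": true) or add a reference column from a root table so the rows persist. Separately, "addresses" is a set of free-form strings, so the schema accepts entries like the "10.0.7" in the example above; ovn-northd should validate each value when it expands the set and flag or skip bad ones rather than let a single entry break the generated match.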
>> > I'd also like to be able to refer to an address set by name in an ACL
>> > match.  I'm not sure about the syntax, but as an example:
>>
>> I support this.  It matches some sketchy plans I had when I started
>> designing the OVN matching language.
>>
>> I support Ryan's suggestion to extend this to the southbound database.
>> _______________________________________________
>> dev mailing list
>> dev at openvswitch.org
>> http://openvswitch.org/mailman/listinfo/dev
>>
>
>
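The ACL match Russell shows above, rendered from an address list by a helper added here as an example (not code from the thread or the OVN project). It rejects entries that are not IP addresses, since the proposed column stores free-form strings, and goes a little beyond the thread by deduplicating and sorting entries so a Pod coming or going changes only one element of the literal. The function names, the sample Pod addresses and the single-family/non-empty rule are assumptions of this example.

```python
"""Added example, not code from the thread or the OVN project: render the ACL
match shown above from an address list, rejecting malformed entries first."""
import ipaddress
from typing import Iterable, List

# Constructed sample: addresses a Kubernetes "from" clause might expand to.
POD_IPS = ["10.0.0.7", "10.0.0.1", "10.0.0.3"]


def invalid_entries(addresses: Iterable[str]) -> List[str]:
    """Return the entries that do not parse as an IPv4/IPv6 host address.

    The proposed "addresses" column is a set of free-form strings, so a typo
    such as "10.0.7" is accepted by OVSDB and only fails later, when the ACL
    match is parsed.  Checking here keeps one bad entry from invalidating a
    match that covers hundreds of Pods.
    """
    bad = []
    for entry in addresses:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            bad.append(entry)
    return bad


def acl_match(inport: str, addresses: Iterable[str], field: str = "ip.src") -> str:
    """Render: inport == "<inport>" && <field> == {a, b, c}

    Entries are deduplicated and sorted so that adding or removing one Pod
    changes only that element of the literal, which keeps the ACL row diffable.
    """
    addresses = list(addresses)
    bad = invalid_entries(addresses)
    if bad:
        raise ValueError(f"not IP addresses: {bad}")
    parsed = sorted({ipaddress.ip_address(a) for a in addresses},
                    key=lambda a: (a.version, a))
    if len({a.version for a in parsed}) != 1:
        # Assumption for this example: one match field carries one address
        # family, and an empty set (which would render as "{}") is refused.
        raise ValueError("address set must be non-empty and single-family")
    literal = ", ".join(str(a) for a in parsed)
    return f'inport == "{inport}" && {field} == {{{literal}}}'


if __name__ == "__main__":
    print(acl_match("lport1", POD_IPS))
```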
