[ovs-dev] ovn: is it possible to add validation on acl match

Aaron Rosen aaronorosen at gmail.com
Fri May 20 03:42:15 UTC 2016


Hi,

I'm wondering if it would be possible to add any additional validation on
the match column in the ACL table (and potentially other places in the
future)?

For example, we had a silly bug in the ovn plugin where if someone created
a security group rule and specified the protocol number as 6 instead of
tcp, we forgot to convert the protocol number 6 to tcp and ended up
pushing a rule that looked like this:

  to-lport  1002 (outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee" && ip4
&& 6 && 6.dst == 22) allow-related

ovn-controller does expose this issue in the log:

2016-05-20T03:25:18Z|00061|lflow|WARN|error parsing match "ct.new &&
(outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee" && ip4 && 6 && 6.dst ==
22)": Syntax error at `&&' expecting relational operator.

Though it would be nice to be able to detect the issue as an error at the
caller if possible. Currently it looks like one would need to be auditing
the logs on all of their hypervisors to detect this bug so it could go
unnoticed for a while.

Aaron
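An added example, not part of Aaron's post or of OVN itself: a small Python checker that would flag this match at the caller (a symbol such as `6` or `6.dst` can never be an OVN field or protocol name), plus a parser for the ovn-controller WARN line quoted above for anyone who still has to sweep hypervisor logs. The split-at-`&&`/`||` tokenizing and the `timestamp|seq|module|level|message` log layout are assumptions made here, not OVN's own grammar.

```python
"""Catch a malformed OVN ACL match before it is written to the NB table,
and parse the WARN line ovn-controller logs when one slips through.

Assumption (illustration only, not OVN code): a match is split at the
boolean operators && and ||, and each term is judged by the identifier
that precedes its relational operator."""
import re

# Assumed ovn-controller log layout: TIMESTAMP|SEQ|MODULE|LEVEL|message
LOG_RE = re.compile(
    r'^(?P<ts>[^|]+)\|(?P<seq>\d+)\|(?P<module>\w+)\|(?P<level>\w+)\|'
    r'error parsing match "(?P<match>.*)": (?P<reason>.*)$')
QUOTED = re.compile(r'"[^"]*"')                 # string literals in a match
IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*$')  # field / protocol symbol


def find_bad_terms(match):
    """Return the leading symbol of every term that cannot be an OVN field
    or protocol name, e.g. a bare protocol number such as 6 or 6.dst."""
    # Blank out string literals so quotes and operators inside them are ignored.
    scrubbed = QUOTED.sub('""', match)
    bad = []
    for term in re.split(r'&&|\|\|', scrubbed):
        term = term.strip().strip('()!').strip()
        if not term:
            continue
        # The symbol is whatever precedes the relational operator, if any.
        symbol = re.split(r'==|!=|<=|>=|<|>', term, maxsplit=1)[0].strip()
        if not IDENT.match(symbol):
            bad.append(symbol)
    return bad


def parse_match_error(line):
    """Parse one 'error parsing match' WARN line; None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Constructed sample, modelled on the match from the post.
    sample = ('ct.new && (outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee"'
              ' && ip4 && 6 && 6.dst == 22)')
    print("rejected symbols:", find_bad_terms(sample))   # ['6', '6.dst']
    log = ('2016-05-20T03:25:18Z|00061|lflow|WARN|error parsing match "'
           + sample + '": Syntax error at `&&\' expecting relational operator.')
    print(parse_match_error(log)["reason"])
```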
