[ovs-dev] ovn: is it possible to add validation on acl match

Ben Pfaff blp at ovn.org
Fri May 20 03:51:46 UTC 2016


On Thu, May 19, 2016 at 08:42:15PM -0700, Aaron Rosen wrote:
> I'm wondering if it would be possible to add any additional validation on
> the match column in the ACL table (and potentially other places in the
> future)?
> 
> For example, we had a silly bug in the ovn plugin where if someone created
> a security group rule and specified the protocol number as 6 instead of
> tcp,  we forgot to convert the protocol number 6 to tcp and ended up
> pushing a rule that looked like this:
> 
>   to-lport  1002 (outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee" && ip4
> && 6 && *6.dst *== 22) allow-related

We could validate it in ovn-northd so that it doesn't get pushed down to
the southbound database, either just logging it at northd or adding some
kind of status or error column to the ACL table so that we could push
the problem back up.  Is that the kind of thing you're looking for?



More information about the dev mailing list