[ovs-dev] ovn: is it possible to add validation on acl match
Ben Pfaff
blp at ovn.org
Fri May 20 03:51:46 UTC 2016
On Thu, May 19, 2016 at 08:42:15PM -0700, Aaron Rosen wrote:
> I'm wondering if it would be possible to add any additional validation on
> the match column in the ACL table (and potentially other places in the
> future)?
>
> For example, we had a silly bug in the ovn plugin where if someone created
> a security group rule and specified the protocol number as 6 instead of
> tcp, we forgot to convert the protocol number 6 to tcp and ended up
> pushing a rule that looked like this:
>
> to-lport 1002 (outport == "c48a1ff1-a184-491a-9ffd-3db06ebd18ee" && ip4
> && 6 && 6.dst == 22) allow-related
We could validate it in ovn-northd so that it doesn't get pushed down to
the southbound database, either just logging it at northd or adding some
kind of status or error column to the ACL table so that we could push
the problem back up. Is that the kind of thing you're looking for?
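Ben's suggestion is to validate the match before it ever reaches the southbound database. As an added example (not code from OVN, ovn-northd or the OpenStack ovn plugin), the Python below sketches the two layers of that defence for the exact string in Aaron's message: a hypothetical lexical checker, validate_match, that rejects a bare protocol number used as a predicate (hinting at the tcp spelling) and any field that is not in a whitelist of match symbols, and a plugin-side helper, sg_rule_to_acl_match, that normalises IANA protocol numbers to OVN predicate names and refuses to emit a match the checker rejects. KNOWN_SYMBOLS and PROTO_NUM_TO_NAME are partial tables assumed for the example; OVN's real match parser is written in C and this does not reimplement it.

```python
"""Added example, not OVN or networking-ovn code: a hypothetical lexical
checker for OVN ACL match strings, plus the plugin-side protocol-number
normalisation that would have kept "6 && 6.dst == 22" from being generated.
KNOWN_SYMBOLS is a deliberately partial subset of OVN's match symbols, and
IPv6 literals are out of scope for this sketch."""
import re

# IANA protocol numbers -> OVN protocol predicates (subset, assumed here).
PROTO_NUM_TO_NAME = {1: "icmp4", 6: "tcp", 17: "udp", 58: "icmp6", 132: "sctp"}

# Partial whitelist of OVN match symbols (fields and predicates), assumed here.
KNOWN_SYMBOLS = {
    "inport", "outport", "eth.src", "eth.dst", "eth.type",
    "ip", "ip4", "ip6", "ip4.src", "ip4.dst", "ip6.src", "ip6.dst", "ip.proto",
    "tcp", "udp", "sctp", "icmp4", "icmp6",
    "tcp.src", "tcp.dst", "udp.src", "udp.dst", "sctp.src", "sctp.dst",
    "icmp4.type", "icmp4.code", "icmp6.type", "icmp6.code",
}

REL_OPS = {"==", "!=", "<", "<=", ">", ">="}
VALUE_CTX = {"{", "}", ",", ".."}   # set and range punctuation around literals
TOKEN_RE = re.compile(r'\s+|"[^"]*"|[A-Za-z0-9_]+(?:[.:/][A-Za-z0-9_]+)*'
                      r'|==|!=|<=|>=|&&|\|\||\.\.|[<>!(){},]')
# Decimal or hex integer, dotted-quad with optional prefix length, or MAC.
LITERAL_RE = re.compile(r'^(0x[0-9a-fA-F]+|\d+|\d+(\.\d+){3}(/\d+)?'
                        r'|([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$')


def tokenize(match):
    """Split a match into tokens, raising ValueError on a stray character."""
    tokens, pos = [], 0
    while pos < len(match):
        m = TOKEN_RE.match(match, pos)
        if not m:
            raise ValueError("unexpected character %r at offset %d" % (match[pos], pos))
        if not m.group().isspace():
            tokens.append(m.group())
        pos = m.end()
    return tokens


def _proto_hint(tok):
    """If tok is an integer naming a known protocol, return the OVN predicate."""
    try:
        return PROTO_NUM_TO_NAME.get(int(tok, 16 if tok.lower().startswith("0x") else 10))
    except ValueError:
        return None


def validate_match(match):
    """Return a list of problems found in an ACL match; an empty list means it passed."""
    try:
        tokens = tokenize(match)
    except ValueError as exc:
        return [str(exc)]
    errors, depth = [], 0
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i > 0 else None
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                errors.append("unbalanced ')' at token %d" % i)
        elif LITERAL_RE.match(tok):
            # A literal is only meaningful as a comparison operand or set/range member.
            if not (prev in REL_OPS or nxt in REL_OPS or prev in VALUE_CTX or nxt in VALUE_CTX):
                hint = _proto_hint(tok)
                errors.append("bare literal %r used as a predicate%s"
                              % (tok, " (did you mean %r?)" % hint if hint else ""))
        elif tok[0].isalnum() or tok[0] == "_":
            if tok not in KNOWN_SYMBOLS:
                errors.append("unknown symbol %r" % tok)
    if depth > 0:
        errors.append("unbalanced '('")
    return errors


def sg_rule_to_acl_match(outport, protocol, port):
    """Plugin side: build a to-lport match, normalising numeric protocols first.

    Raises ValueError instead of returning a match that fails validate_match().
    """
    proto = str(protocol).lower()
    if proto.isdigit():
        proto = PROTO_NUM_TO_NAME.get(int(proto), proto)
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError("protocol %r does not carry a destination port" % protocol)
    match = 'outport == "%s" && ip4 && %s && %s.dst == %d' % (outport, proto, proto, port)
    problems = validate_match(match)
    if problems:
        raise ValueError("refusing to push %r: %s" % (match, "; ".join(problems)))
    return match
```

Run against the match quoted from Aaron's message, validate_match reports two problems, the bare literal 6 (with the hint tcp) and the unknown symbol 6.dst, while the corrected tcp spelling passes with an empty list. A northd-side check of this shape could feed the status or error column Ben mentions; the plugin-side helper shows the fix at the point where the protocol number was mishandled.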