[ovs-dev] [PATCH] ovn-nbctl: check for duplicated ACL adding.

Han Zhou zhouhan at gmail.com
Thu Jan 19 02:51:16 UTC 2017


Check for duplicate ACL additions and add the option --may-exist to
ovn-nbctl acl-add.

Signed-off-by: Han Zhou <zhouhan at gmail.com>
---
 ovn/utilities/ovn-nbctl.8.xml |  5 ++++-
 ovn/utilities/ovn-nbctl.c     | 14 +++++++++++++-
 tests/ovn-nbctl.at            |  4 ++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml
index 4911c6a..03d8be9 100644
--- a/ovn/utilities/ovn-nbctl.8.xml
+++ b/ovn/utilities/ovn-nbctl.8.xml
@@ -76,7 +76,7 @@
 
     <h1>Logical Switch ACL Commands</h1>
     <dl>
-      <dt>[<code>--log</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt>
+      <dt>[<code>--log</code>] [<code>--may-exist</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt>
       <dd>
         Adds the specified ACL to <var>switch</var>.
         <var>direction</var> must be either <code>from-lport</code> or
@@ -84,6 +84,9 @@
         <code>0</code> and <code>32767</code>, inclusive.  If
         <code>--log</code> is specified, packet logging is enabled for the
         ACL.  A full description of the fields are in <code>ovn-nb</code>(5).
+        If <code>--may-exist</code> is specified, adding a duplicated ACL
+        succeeds but the ACL is not really created. Without <code>--may-exist</code>,
+        adding a duplicated ACL results in error.
       </dd>
 
       <dt><code>acl-del</code> <var>switch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt>
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 4397daf..bca59fe 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -1314,6 +1314,18 @@ nbctl_acl_add(struct ctl_context *ctx)
         nbrec_acl_set_log(acl, true);
     }
 
+    /* Check if same acl already exists for the ls */
+    for (size_t i = 0; i < ls->n_acls; i++) {
+        if (!acl_cmp(&ls->acls[i], &acl)) {
+            bool may_exist = shash_find(&ctx->options, "--may-exist") != NULL;
+            if (!may_exist) {
+                ctl_fatal("Same ACL already existed on the ls %s.",
+                          ctx->argv[1]);
+            }
+            return;
+        }
+    }
+
     /* Insert the acl into the logical switch. */
     nbrec_logical_switch_verify_acls(ls);
     struct nbrec_acl **new_acls = xmalloc(sizeof *new_acls * (ls->n_acls + 1));
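Review bot: The duplicate check around the acl_cmp() call decides "same ACL" without comparing action or the log flag, so with --may-exist a request for one action returns success while an existing ACL with the same direction, priority and match but a different action (or logging) stays in place — if acl_cmp is the comparator that acl-list sorts with, those are exactly the fields it ignores. The caller is then told the policy it asked for is installed when the switch actually enforces a different one. A narrower acceptance would be `if (!may_exist || strcmp(ls->acls[i]->action, acl->action) || ls->acls[i]->log != acl->log) {` in front of the ctl_fatal(), with the message adjusted to say that a conflicting ACL exists; the test hunk in tests/ovn-nbctl.at only exercises an exact duplicate and should also cover a same-match, different-action case under --may-exist. The `acl` row inserted above the hunk is left in the transaction on the early return; presumably the server discards the unreferenced row because ACL is not a root table, but a comment such as `/* acl is unreferenced and will be garbage-collected by ovsdb-server. */` would make that intent explicit. nbctl_acl_add starts and ends outside the hunk.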
@@ -3244,7 +3256,7 @@ static const struct ctl_command_syntax nbctl_commands[] = {
 
     /* acl commands. */
     { "acl-add", 5, 5, "SWITCH DIRECTION PRIORITY MATCH ACTION", NULL,
-      nbctl_acl_add, NULL, "--log", RW },
+      nbctl_acl_add, NULL, "--log,--may-exist", RW },
     { "acl-del", 1, 4, "SWITCH [DIRECTION [PRIORITY MATCH]]", NULL,
       nbctl_acl_del, NULL, "", RW },
     { "acl-list", 1, 1, "SWITCH", NULL, nbctl_acl_list, NULL, "", RO },
diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 164c81a..81530d1 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -200,6 +200,10 @@ AT_CHECK([ovn-nbctl acl-add ls0 from-lport 400 tcp drop])
 AT_CHECK([ovn-nbctl acl-add ls0 to-lport 300 tcp drop])
 AT_CHECK([ovn-nbctl acl-add ls0 from-lport 200 ip drop])
 AT_CHECK([ovn-nbctl acl-add ls0 to-lport 100 ip drop])
+dnl Add duplicated ACL
+AT_CHECK([ovn-nbctl acl-add ls0 to-lport 100 ip drop], [1], [], [stderr])
+AT_CHECK([grep 'already existed' stderr], [0], [ignore])
+AT_CHECK([ovn-nbctl --may-exist acl-add ls0 to-lport 100 ip drop])
 
 AT_CHECK([ovn-nbctl acl-list ls0], [0], [dnl
 from-lport   600 (udp) drop log
-- 
2.1.0


