[ovs-dev] OVN address set behavior
Guru Shetty
guru at ovn.org
Thu Sep 7 17:55:09 UTC 2017
Hello All,

We create an ACL using address sets, e.g.:

    ovn-nbctl --id=@acl create acl priority=1001 direction=to-lport \
        "match=\"ip4.src == {\$set1, \$set2} && tcp && tcp.dst==80 && outport == \\\"foo2\\\"\"" \
        action=allow-related -- add logical_switch foo acls @acl

Now, if either $set1 or $set2 is empty, we will end up with an OpenFlow flow
that will allow all traffic to "tcp && tcp.dst == 80" for that outport.

This looks like undesirable behavior. Ideally, when an address set is
empty, we should simply skip that entry. Comments?
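
An audit for the condition described above, as an added example that is not part of the original post or of OVN itself: it flags allow ACLs whose match references an address set that currently has no addresses. The row dictionaries are constructed sample data; the assumption is that they hold the Address_Set and ACL columns with sets in OVSDB JSON notation (RFC 7047), and the function names are hypothetical.

```python
import re

# An address set reference inside an OVN match expression, e.g. $set1.
SET_REF = re.compile(r"\$([A-Za-z_.][A-Za-z0-9_.]*)")
ALLOW_ACTIONS = ("allow", "allow-related")


def ovsdb_set(value):
    """Decode an OVSDB JSON set: either a bare atom or ["set", [atoms]]."""
    if isinstance(value, list) and len(value) == 2 and value[0] == "set":
        return list(value[1])
    return [value]


def audit_acls(address_sets, acls):
    """Return one finding per allow ACL that references an empty address set."""
    sizes = {row["name"]: len(ovsdb_set(row["addresses"])) for row in address_sets}
    findings = []
    for acl in acls:
        if acl["action"] not in ALLOW_ACTIONS:
            continue  # the post's concern is an allow rule matching too much
        refs = sorted(set(SET_REF.findall(acl["match"])))
        empty = [name for name in refs if sizes.get(name) == 0]
        if empty:
            findings.append({"priority": acl["priority"],
                             "match": acl["match"],
                             "empty_sets": empty})
    return findings


# Constructed sample rows (assumption: shaped like Address_Set and ACL columns).
ADDRESS_SETS = [
    {"name": "set1", "addresses": ["set", ["10.0.0.4", "10.0.0.5"]]},
    {"name": "set2", "addresses": ["set", []]},   # empty set
    {"name": "set3", "addresses": "10.0.1.9"},    # single-element set
]
ACLS = [
    {"priority": 1001, "action": "allow-related",
     "match": 'ip4.src == {$set1, $set2} && tcp && tcp.dst==80 && outport == "foo2"'},
    {"priority": 1000, "action": "allow",
     "match": 'ip4.src == $set3 && outport == "foo2"'},
    {"priority": 900, "action": "drop", "match": "ip4.src == $set2"},
]

if __name__ == "__main__":
    for finding in audit_acls(ADDRESS_SETS, ACLS):
        print(finding["priority"], finding["empty_sets"], finding["match"])
```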