[ovs-dev] OVN address set behavior

Han Zhou zhouhan at gmail.com
Sun Sep 10 06:00:16 UTC 2017


I submitted a patch:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/338533.html

Please take a look.

Thanks,
Han

On Fri, Sep 8, 2017 at 7:42 PM, Han Zhou <zhouhan at gmail.com> wrote:

> Thanks Guru! I think this is a serious problem. I verified it is a problem
> even with a single address set that is empty. It would impact some basic
> use cases such as OpenStack Neutron security group. For example:
>
> sec-group A:
> rule1: ingress, remote group == sec-group B, ipv4, tcp 22 // allows access
> to TCP 22 only if the source is in sec-group B.
>
> sec-group B:
> whatever rules
>
> If there is no VM bound to sec-group B yet, the corresponding Address Set
> of sec-group B in OVN will be empty, so any source will be able to access
> VMs in sec-group A.
>
> I am working on a fix in ovn-controller, and hope to post a patch this
> weekend or early next week.
>
> Thanks,
> Han
>
> On Thu, Sep 7, 2017 at 10:55 AM, Guru Shetty <guru at ovn.org> wrote:
>
>> Hello All,
>>  We create an ACL using address sets, e.g.:
>>
>> ovn-nbctl --id=@acl create acl priority=1001 direction=to-lport
>> "match=\"ip4.src == {\$set1, \$set2} && tcp && tcp.dst==80 && outport ==
>> \\\"foo2\\\"\"" action=allow-related  -- add logical_switch foo acls @acl
>>
>> Now, if either $set1 or $set2 is empty, we will end up with an OpenFlow
>> flow that will allow all traffic to "tcp && tcp.dst == 80" for that outport.
>>
>> This looks like an undesirable behavior. Ideally, when an address set is
>> empty, we should simply skip that entry. Comments?
>> _______________________________________________
>> dev mailing list
>> dev at openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>
>
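As an added illustration of the failure discussed in this thread (editor's example, not OVN code and not the patch linked above), the following Python model evaluates the match `ip4.src == {$set_a, $set_b} && tcp && tcp.dst == N` against sample packets under two handlings of an empty address set. The "reported" policy assumes the source comparison is effectively dropped whenever a referenced set is empty, which reproduces the outcome both Guru and Han describe (the thread reports the symptom, not the mechanism, so this is an assumption). The "proposed" policy implements Guru's suggestion: skip empty entries inside the braces, and if nothing remains, `==` matches nothing and `!=` matches everything. The set names, the packet fields and the `empty_set_references` checker are all constructed for this example; in practice the match strings would come from `ovn-nbctl list acl`.

```python
"""Editor-added model of an OVN-style ACL match over address sets.

Illustration only: not OVN's expression parser and not the fix under
discussion.  Two policies for a set that expands to nothing:
  "reported" -- the source comparison vanishes (assumed model of the symptom)
  "proposed" -- empty entries are skipped; '== {}' is false, '!= {}' is true
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List

# Constructed address sets (hypothetical names).  set_b is empty, as the
# address set of a security group with no VM bound to it would be.
ADDRESS_SETS: Dict[str, FrozenSet[str]] = {
    "set_a": frozenset({"10.0.0.5", "10.0.0.6"}),
    "set_b": frozenset(),
}


@dataclass(frozen=True)
class Packet:
    """Just enough of a packet to evaluate the match."""
    src: str     # ip4.src
    proto: str   # "tcp", "udp", ...
    dport: int   # tcp.dst


def build_match(set_names: Iterable[str], address_sets: Dict[str, FrozenSet[str]],
                dport: int, relop: str = "==",
                empty_policy: str = "proposed") -> Callable[[Packet], bool]:
    """Predicate for 'ip4.src <relop> {$set...} && tcp && tcp.dst == dport'."""
    if relop not in ("==", "!="):
        raise ValueError("only == and != may be used with a value set")
    # Expand each $name; an unknown name is treated as an empty set.
    per_set = [address_sets.get(n, frozenset()) for n in set_names]
    allowed = frozenset().union(*per_set)

    def l4_ok(pkt: Packet) -> bool:
        return pkt.proto == "tcp" and pkt.dport == dport

    if empty_policy == "reported":
        if any(not s for s in per_set):
            # Assumed model of the symptom: the source term is gone, so any
            # source reaching tcp.dst == dport is allowed.
            return l4_ok
    elif empty_policy == "proposed":
        if not allowed:
            # Nothing left after skipping empty entries: '== {}' can never
            # hold, '!= {}' always holds.
            const = relop == "!="
            return lambda pkt: const and l4_ok(pkt)
    else:
        raise ValueError(f"unknown empty_policy {empty_policy!r}")

    def src_ok(pkt: Packet) -> bool:
        hit = pkt.src in allowed
        return hit if relop == "==" else not hit

    return lambda pkt: src_ok(pkt) and l4_ok(pkt)


def acl_allows(set_names: Iterable[str], pkt: Packet, empty_policy: str,
               relop: str = "==", dport: int = 22,
               address_sets: Dict[str, FrozenSet[str]] = ADDRESS_SETS) -> bool:
    """Evaluate one allow-related ACL against a packet."""
    return build_match(list(set_names), address_sets, dport, relop, empty_policy)(pkt)


# Practitioner check: which $set references in an ACL match string currently
# expand to nothing?  The identifier pattern is an approximation of OVN's.
SET_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)")


def empty_set_references(match: str,
                         address_sets: Dict[str, FrozenSet[str]]) -> List[str]:
    """Sorted names referenced in `match` that are empty or unknown."""
    return sorted({n for n in SET_REF.findall(match) if not address_sets.get(n)})


if __name__ == "__main__":
    stranger = Packet("192.0.2.7", "tcp", 22)
    member = Packet("10.0.0.5", "tcp", 22)
    for policy in ("reported", "proposed"):
        print(policy, "{$set_b} stranger ->", acl_allows(["set_b"], stranger, policy))
        print(policy, "{$set_a,$set_b} stranger ->",
              acl_allows(["set_a", "set_b"], stranger, policy))
        print(policy, "{$set_a,$set_b} member ->",
              acl_allows(["set_a", "set_b"], member, policy))
    print(empty_set_references(
        "ip4.src == {$set_a, $set_b} && tcp && tcp.dst == 80", ADDRESS_SETS))
```

Running the script shows the stranger reaching port 22 under the "reported" policy whenever any referenced set is empty, and being denied under the "proposed" policy while the member of set_a is still allowed. `empty_set_references` is the cheap audit to run over existing ACLs until a fixed ovn-controller is deployed: any match it flags is currently wide open on its remaining terms.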

