[ovs-dev] [PATCH 1/2] ovn: Support port groups in ACLs

Han Zhou zhouhan at gmail.com
Thu Mar 1 20:21:13 UTC 2018


On Thu, Mar 1, 2018 at 12:13 PM, Guru Shetty <guru at ovn.org> wrote:
>
>
>
> On 28 February 2018 at 19:37, Han Zhou <zhouhan at gmail.com> wrote:
>>
>> This patch enables using port group names in ACL match conditions.
>> Users can create a port group in northbound DB Port_Group table,
>> and then use the name of the port group in ACL match conditions
>> for "inport" or "outport". It can help reduce the number of ACLs
>> for CMS clients such as OpenStack Neutron, for the use cases
>> where a group of logical ports share same ACL rules except the
>> "inport"/"outport" part. Without this patch, the clients have to
>> create N (N = number of lports) ACLs, and this patch helps achieve
>> the same goal with only one ACL. E.g.:
>>
>> to-lport 1000 "outport == @port_group1 && ip4.src == {IP1, IP2, ...}"
allow-related
>>
>> There was a similar attempt by Zong Kai Li in 2016 [1]. This patch
>> takes a slightly different approach by using weak refs instead of
>> strings, which requires a new table instead of reusing the address
>> set table. This way it will also benefit for a follow up patch that
>> enables generating address sets automatically from port groups to
>> avoid a lot a trouble from client perspective [2].
>>
>> [1]
https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/077118.html
>> [2]
https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046260.html
>>
>> Reported-by: Daniel Alvarez Sanchez <dalvarez at redhat.com>
>> Reported-at:
https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html
>> Signed-off-by: Han Zhou <hzhou8 at ebay.com>
>
>
> Wouldn't it be more complete and useful if we add the acl to a port group
too? And then internally, you decide which switches you want to add the ACL
to.
>
> For e.g: ovn-nbctl --port-group add-acl port_group1 to-lport 1000
"outport == @port_group1 && ip4.src == {IP1, IP2, ...}" allow-related
>
> This way, the client does not have to keep track of all the logical
switches it needs to apply an ACL to. Thoughts?
>
Yes, this is a good idea. Since it is only about the ovn-nbctl tool
improvement, it can be a follow up patch.


More information about the dev mailing list