[ovs-dev] [PATCH v2 2/2] OVN: add acl reject support using icmp4 action
Ben Pfaff
blp at ovn.org
Fri Mar 9 22:29:24 UTC 2018
On Tue, Feb 20, 2018 at 06:39:44PM +0100, Lorenzo Bianconi wrote:
> Whenever the acl reject rule is hit, send back an ICMPv4 destination
> unreachable packet and do not handle the reject rule as a drop one.
> Treat TCP connections as DROP for the moment since the tcp_reset{} action
> has not been implemented yet.
>
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
Thanks! I applied this to master. I decided to simplify some of the
southbound flows slightly, so I folded in the following (note that icmp4
has an ip4 prerequisite so that part can be dropped):
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index d91f0324520e..396381049024 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -2904,16 +2904,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
*
* Not to do conntrack on ND and ICMP destination
* unreachable packets. */
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, "nd", "next;");
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, "(nd_rs || nd_ra)",
- "next;");
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
- "ip4 && icmp4.type == 3", "next;");
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, "nd", "next;");
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
- "(nd_rs || nd_ra)", "next;");
+ "nd || nd_rs || nd_ra || icmp4.type == 3", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
- "ip4 && icmp4.type == 3", "next;");
+ "nd || nd_rs || nd_ra || icmp4.type == 3", "next;");
/* Ingress and Egress Pre-ACL Table (Priority 100).
*
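Review bot: the ingress and egress flows added in this hunk carry the same literal match string, "nd || nd_rs || nd_ra || icmp4.type == 3", so the two copies can silently drift apart the next time one of them is touched; consider building the match once in a local (for example `const char *match = "nd || nd_rs || nd_ra || icmp4.type == 3";`) and passing it to both ovn_lflow_add() calls. While the comment is being touched, "Not to do conntrack on ND and ICMP destination unreachable packets." reads awkwardly and would be clearer as "Do not do conntrack on ND and ICMP destination-unreachable packets." It is also worth noting in that comment that these priority-110 flows sit ahead of the priority-100 Pre-ACL entries, so any ICMPv4 type 3 packet, whatever its code, bypasses conntrack entirely in both directions; that is the intended behaviour here, but the comment should say so explicitly since the match no longer spells out the ip4 prerequisite that icmp4 implies.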
I considered adding a NEWS item but decided to delay until we have a
more complete implementation that includes TCP (and IPv6?) support.
Thanks,
Ben.