[ovs-dev] [PATCH 2/2] ovn-nbctl: Support ACL commands on port groups.

Han Zhou zhouhan at gmail.com
Thu May 10 06:35:58 UTC 2018


On Wed, May 9, 2018 at 3:20 PM, Ben Pfaff <blp at ovn.org> wrote:
>
> On May 9, 2018 3:11:19 PM PDT, Han Zhou <zhouhan at gmail.com> wrote:
>>
>>
>>
>> On Wed, May 9, 2018 at 11:13 AM, Ben Pfaff <blp at ovn.org> wrote:
>> >
>> > On Sun, Apr 22, 2018 at 09:52:35AM -0700, Han Zhou wrote:
>> > > The new option --port-group is supported for ovn-nbctl ACL related
>> > > commands. User can now use ovn-nbctl to add/delete/list ACLs on port
>> > > groups. E.g.
>> > >
>> > > ovn-nbctl --port-group acl-add port_group1 to-lport 1000 \
>> > >     'outport == @port_group1 && ip4.src == $port_group1_ip4' \
>> > >      allow-related
>> > >
>> > > Signed-off-by: Han Zhou <hzhou8 at ebay.com>
>> >
>> > Thanks for working on making ovn-nbctl more useful here.
>> >
>> > The documentation is pretty inconsistent about whether it mentions
>> > --port-group.
>> >
>> > I think that in most cases the names of port groups and lswitches are
>> > going to be different.  As a user interface convenience, I suggest that
>> > there be *two* options: --port-group and --lswitch (or whatever).  If
>> > either one is given, then the command works with that kind of entity.
>> > If neither one is given, then the command works with whichever one
>> > actually exists with the given name, or exits with an error if both
>> > exist.
>> >
>> This is a good suggestion. Then would it be better to have just one
>> option, e.g. --acl-type (or just --type), and the value can be "port-group"
>> or "lswitch"? If the option is not provided, the command works with
>> whichever exists or errors out if both exist. What do you think?
>>
>> Thanks,
>> Han
>
>
> Sure, that's fine too.
Nice, I submitted v2: https://patchwork.ozlabs.org/patch/911290/
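The lookup rule the two of them settle on above (honour --type when it is given; otherwise act on whichever of logical switch or port group carries the name, and refuse when both do), written out as an added Python model. This is not ovn-nbctl code and not part of the patch: the in-memory NB tables are constructed for the demo, the option value names "lswitch"/"port-group", the action set, and the acl-list sort order are assumptions about how the v2 command behaves.

```python
"""Model of the ovn-nbctl ACL name-resolution rule discussed in the thread.

Added example, not code from OVN or from the patch under review. The
"northbound database" is a constructed in-memory stand-in; the --type
values, the action list and the acl-list ordering are assumptions.
"""
from dataclasses import dataclass, field

DIRECTIONS = ("from-lport", "to-lport")
ACTIONS = ("allow", "allow-related", "drop")   # assumed action set
MAX_PRIORITY = 32767                           # OVN ACL priority range 0..32767


class NoSuchEntity(LookupError):
    """Neither a logical switch nor a port group has the given name."""


class AmbiguousName(ValueError):
    """Both a logical switch and a port group have the given name."""


@dataclass(order=True)
class Acl:
    direction: str
    priority: int
    match: str
    action: str


@dataclass
class NorthboundDb:
    """Constructed stand-in for the NB tables that carry an 'acls' column."""
    logical_switches: dict = field(default_factory=dict)  # name -> [Acl]
    port_groups: dict = field(default_factory=dict)       # name -> [Acl]


def resolve(nb, name, type_=None):
    """Return (kind, acl_list) for NAME.

    With --type given, look only in that table. Without it, use whichever
    table has the name and refuse to guess when both do.
    """
    tables = {"lswitch": nb.logical_switches, "port-group": nb.port_groups}
    if type_ is not None:
        if type_ not in tables:
            raise ValueError(f"unknown --type {type_!r}")
        if name not in tables[type_]:
            raise NoSuchEntity(f"no {type_} named {name!r}")
        return type_, tables[type_][name]
    hits = [(kind, tbl[name]) for kind, tbl in tables.items() if name in tbl]
    if not hits:
        raise NoSuchEntity(f"no logical switch or port group named {name!r}")
    if len(hits) > 1:
        raise AmbiguousName(
            f"{name!r} is both a logical switch and a port group; pass --type")
    return hits[0]


def acl_add(nb, name, direction, priority, match, action, type_=None):
    """Model of `ovn-nbctl [--type=...] acl-add NAME DIR PRIO MATCH ACTION`."""
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    if not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"priority must be in 0..{MAX_PRIORITY}")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    kind, acls = resolve(nb, name, type_)   # ambiguity is rejected here
    acls.append(Acl(direction, priority, match, action))
    return kind


def acl_list(nb, name, type_=None):
    """Model of acl-list: ACLs of the resolved entity, ordered by direction,
    then descending priority, then match (assumed ordering)."""
    _, acls = resolve(nb, name, type_)
    return sorted(acls, key=lambda a: (a.direction, -a.priority, a.match))


def demo():
    """Populate a constructed NB with a name that exists in both tables."""
    nb = NorthboundDb(logical_switches={"sw0": [], "shared": []},
                      port_groups={"port_group1": [], "shared": []})
    # The example from the commit message, explicitly typed.
    acl_add(nb, "port_group1", "to-lport", 1000,
            "outport == @port_group1 && ip4.src == $port_group1_ip4",
            "allow-related", type_="port-group")
    # No --type needed when only one table has the name.
    acl_add(nb, "sw0", "from-lport", 900, "ip4", "drop")
    # A name present in both tables is an error unless --type is given.
    try:
        acl_add(nb, "shared", "to-lport", 10, "ip", "allow")
        raise RuntimeError("ambiguous name must be rejected")
    except AmbiguousName:
        pass
    acl_add(nb, "shared", "to-lport", 10, "ip", "allow", type_="lswitch")
    return nb


if __name__ == "__main__":
    db = demo()
    for acl in acl_list(db, "port_group1"):
        print(acl)
```

The point of the model is the ambiguity branch: an untyped name that matches both tables must fail closed rather than silently pick one, since an ACL landing on the wrong entity changes what traffic is allowed.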