[ovs-discuss] [ACL 3/3] vswitchd: Add ACL configuration to man page.

Jesse Gross jesse at nicira.com
Mon Aug 3 18:21:35 UTC 2009


Document the new ACL functionality in the ovs-vswitchd.conf man page.
---
 vswitchd/ovs-vswitchd.conf.5.in |  129 +++++++++++++++++++++++++++++++++++++++
 1 files changed, 129 insertions(+), 0 deletions(-)

diff --git a/vswitchd/ovs-vswitchd.conf.5.in b/vswitchd/ovs-vswitchd.conf.5.in
index 665d3d0..f03ea07 100644
--- a/vswitchd/ovs-vswitchd.conf.5.in
+++ b/vswitchd/ovs-vswitchd.conf.5.in
@@ -271,6 +271,135 @@ mirror.mybr.a.output.port=eth3
         
 .fi
 .RE
+.SS "Access Control Lists"
+Access control lists allow restrictions to be placed on the types of
+traffic that may flow through the switch.  These restrictions can be
+applied to ports or groups of ports on either switch ingress or egress.
+Note that ACL's are in effect only when remote management is not
+configured.  If a controller is in use, then it can be used to apply
+any necessary restrictions.
+
+.ST "Rules"
+Rules define an action to be taken when a particular flow is encountered.
+These rules can be aggregated into groups to form access control lists.
+A rule consists of a 6-tuple of the form
+\fIcommand protocol srcip/netmask dstip/netmask srcport dstport\fR.
+The components of a rule are:
+.
+.TP
+\fIcommand\fR
+The action to be taken when this flow is encountered.  The allowed
+values are \fBpermit\fR and \fBdeny\fR.  \fBpermit\fR causes the packet
+to be handled according to normal packet processing rules.  \fBdeny\fR
+drops the packet.
+.
+.TP
+\fIprotocol\fR
+The protocol of the flow.  Acceptable values are \fBarp\fR, \fBip\fR,
+\fB\icmp\fR, \fBtcp\fR, and \fBudp\fR.  If \fBarp\fR is specified,
+no other components of the rule can be set.  If \fBip\fR is
+specified, only \fIsrcip/netmask\fR and \fIdstip/netmask\fR may be set.
+.
+.TP
+\fIsrcip/netmask\fR
+The source IP address of the flow.  It also optionally allows a network
+to be specified using CIDR notation.  Not available when \fIprotocol\fR
+is \fBarp\fR.
+.
+.TP
+\fIdstip/netmask\fR
+The destination IP address of the flow.  Takes the same form as
+\fIsrcip/netmask\fR.
+.
+.TP
+\fIsrcport\fR
+The source port of the flow when \fIprotocol\fR is \fBtcp\fR or
+\fBudp\fR.  When \fIprotocol\fR is \fBicmp\fR, it specifies the ICMP
+type.  Not available when \fIprotocol\fR is \fBarp\fR or \fBip\fR.
+.
+.TP
+\fIdstport\fR
+The destination port of the flow when \fIprotocol\fR is \fBtcp\fR or
+\fBudp\fR.  When \fIprotocol\fR is \fBicmp\fR, it specifies the ICMP
+code.  Not available when \fIprotocol\fR is \fBarp\fR or \fBip\fR.
+.PP
+
+Any of the components with the exception of \fIcommand\fR may be omitted
+or take the value \fBany\fR.  If the value is omitted, that component
+is wildcarded and all following entries must be omitted.  If the value
+is \fBany\fR then the value is wildcarded but following entries may
+be specified.  If \fIprotocol\fR is \fBany\fR then all following
+entries must either be omitted or set to \fBany\fR.
+
+.ST "Rule Groups"
+Access controls lists can be configured as groups of rules that
+are matched against switch traffic.  These groups are ordered
+lists that are executed on a first match basis.
+
+A rule group is created by specifying rules as values for the key
+\fBacl.group.\fIname\fB.\fIorder\fR.  Each key defines a single rule
+in group \fIname\fR that is executed in \fIorder\fR from lowest to highest.
+In addition to the listed rules, each group ends with an implicit deny rule
+that drops all traffic not otherwise matched.
+
+The following rule group allows \fBTCP/IP\fR port \fB80\fR and \fBARP\fR
+traffic while dropping everything else:
+.PP
+.RS
+.nf
+
+acl.group.http.1=permit tcp any any any 80
+acl.group.http.2=permit arp
+acl.group.http.3=deny
+
+.RE
+.fi
+.ST "Ports"
+Before an ACL will filter any traffic, the rule group must be applied to
+one or more ports.  To apply an ACL to a port, set the key
+\fBacl.port.\fIport\fB.\fIdirection\fR to a rule group.  \fIport\fR is
+an interface that is attached to the bridge and \fIdirection\fR is
+either \fBin\fR or \fBout\fR, which respectively filter traffic either
+upon ingress or egress from the switch.  One \fBin\fR and one \fBout\fR
+rule may be defined for each port.
+
+The following applies the rule group from the previous section to
+\fBeth0\fR.  This could be used to filter traffic for an HTTP server
+attached to \fBeth0\fR.
+.PP
+.RS
+.nf
+
+acl.port.eth0.out=http
+
+.RE
+.fi
+.ST "Default Rules"
+Sometimes it is more convenient to specify rules that apply to groups
+of ports.  Default rules may be used to apply ACL's to all ports with
+names matching a given pattern.  These are called default rules
+because they will only be applied if no other rule is assigned
+to the port.  Default rules consist of an ordered set of directives
+that specify a glob to match against port names and rule groups to
+apply in the ingress and egress directions.  For a given port,
+default rules are applied on a first match basis.  A maximum of one
+ingress and one egress rule is applied to each port.  A default rule
+can be defined by setting the key
+\fBacl.default.\fIorder\fB.match\fR to a \fIglob\fR.  It is then
+possible to apply rule groups with the key
+\fBacl.default.\fIorder\fB.\fIdirection\fR.
+
+The following applies the rule group from the previous section to all
+ethernet devices:
+.PP
+.RS
+.nf
+
+acl.default.1.match=eth*
+acl.default.1.out=http
+
+.fi
+.RE
 .SS "Port Rate-Limiting"
 Traffic policing and shaping are configured on physical ports.  Policing
 defines a hard limit at which traffic that exceeds the specified rate is
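Review bot: the \fIprotocol\fR entry lists `\fB\icmp\fR`, which is a broken troff escape (`\i`) and will not render as `icmp`; it should read `\fBicmp\fR` to match the later references to \fBicmp\fR under \fIsrcport\fR and \fIdstport\fR. Two smaller points in the same hunk: the first two examples close with `.RE` before `.fi`, while the last one (and the surrounding file) uses `.fi` then `.RE`, so the nesting should be made consistent; and since the text states that each group "ends with an implicit deny rule that drops all traffic not otherwise matched", the explicit `acl.group.http.3=deny` in the example is redundant and either the line or the sentence should say so, otherwise readers may assume an explicit deny is required for the group to be closed.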
-- 
1.6.0.4