[ovs-discuss] [ACL 3/3] vswitchd: Add ACL configuration to man page.
Jesse Gross
jesse at nicira.com
Mon Aug 3 18:21:35 UTC 2009
Document the new ACL functionality in the ovs-vswitchd.conf man page.
---
vswitchd/ovs-vswitchd.conf.5.in | 129 +++++++++++++++++++++++++++++++++++++++
1 files changed, 129 insertions(+), 0 deletions(-)
diff --git a/vswitchd/ovs-vswitchd.conf.5.in b/vswitchd/ovs-vswitchd.conf.5.in
index 665d3d0..f03ea07 100644
--- a/vswitchd/ovs-vswitchd.conf.5.in
+++ b/vswitchd/ovs-vswitchd.conf.5.in
@@ -271,6 +271,135 @@ mirror.mybr.a.output.port=eth3
.fi
.RE
+.SS "Access Control Lists"
+Access control lists allow restrictions to be placed on the types of
+traffic that may flow through the switch. These restrictions can be
+applied to ports or groups of ports on either switch ingress or egress.
+Note that ACL's are in effect only when remote management is not
+configured. If a controller is in use, then it can be used to apply
+any necessary restrictions.
+
+.ST "Rules"
+Rules define an action to be taken when a particular flow is encountered.
+These rules can be aggregated into groups to form access control lists.
+A rule consists of a 6-tuple of the form
+\fIcommand protocol srcip/netmask dstip/netmask srcport dstport\fR.
+The components of a rule are:
+.
+.TP
+\fIcommand\fR
+The action to be taken when this flow is encountered. The allowed
+values are \fBpermit\fR and \fBdeny\fR. \fBpermit\fR causes the packet
+to be handled according to normal packet processing rules. \fBdeny\fR
+drops the packet.
+.
+.TP
+\fIprotocol\fR
+The protocol of the flow. Acceptable values are \fBarp\fR, \fBip\fR,
+\fB\icmp\fR, \fBtcp\fR, and \fBudp\fR. If \fBarp\fR is specified,
+no other components of the rule can be set. If \fBip\fR is
+specified, only \fIsrcip/netmask\fR and \fIdstip/netmask\fR may be set.
+.
+.TP
+\fIsrcip/netmask\fR
+The source IP address of the flow. It also optionally allows a network
+to be specified using CIDR notation. Not available when \fIprotocol\fR
+is \fBarp\fR.
+.
+.TP
+\fIdstip/netmask\fR
+The destination IP address of the flow. Takes the same form as
+\fIsrcip/netmask\fR.
+.
+.TP
+\fIsrcport\fR
+The source port of the flow when \fIprotocol\fR is \fBtcp\fR or
+\fBudp\fR. When \fIprotocol\fR is \fBicmp\fR, it specifies the ICMP
+type. Not available when \fIprotocol\fR is \fBarp\fR or \fBip\fR.
+.
+.TP
+\fIdstport\fR
+The destination port of the flow when \fIprotocol\fR is \fBtcp\fR or
+\fBudp\fR. When \fIprotocol\fR is \fBicmp\fR, it specifies the ICMP
+code. Not available when \fIprotocol\fR is \fBarp\fR or \fBip\fR.
+.PP
+
+Any of the components with the exception of \fIcommand\fR may be omitted
+or take the value \fBany\fR. If the value is omitted, that component
+is wildcarded and all following entries must be omitted. If the value
+is \fBany\fR then the value is wildcarded but following entries may
+be specified. If \fIprotocol\fR is \fBany\fR then all following
+entries must either be omitted or set to \fBany\fR.
+
+.ST "Rule Groups"
+Access controls lists can be configured as groups of rules that
+are matched against switch traffic. These groups are ordered
+lists that are executed on a first match basis.
+
+A rule group is created by specifying rules as values for the key
+\fBacl.group.\fIname\fB.\fIorder\fR. Each key defines a single rule
+in group \fIname\fR that is executed in \fIorder\fR from lowest to highest.
+In addition to the listed rules, each group ends with an implicit deny rule
+that drops all traffic not otherwise matched.
+
+The following rule group allows \fBTCP/IP\fR port \fB80\fR and \fBARP\fR
+traffic while dropping everything else:
+.PP
+.RS
+.nf
+
+acl.group.http.1=permit tcp any any any 80
+acl.group.http.2=permit arp
+acl.group.http.3=deny
+
+.RE
+.fi
+.ST "Ports"
+Before an ACL will filter any traffic, the rule group must be applied to
+one or more ports. To apply an ACL to a port, set the key
+\fBacl.port.\fIport\fB.\fIdirection\fR to a rule group. \fIport\fR is
+an interface that is attached to the bridge and \fIdirection\fR is
+either \fBin\fR or \fBout\fR, which respectively filter traffic either
+upon ingress or egress from the switch. One \fBin\fR and one \fBout\fR
+rule may be defined for each port.
+
+The following applies the rule group from the previous section to
+\fBeth0\fR. This could be used to filter traffic for an HTTP server
+attached to \fBeth0\fR.
+.PP
+.RS
+.nf
+
+acl.port.eth0.out=http
+
+.RE
+.fi
+.ST "Default Rules"
+Sometimes it is more convenient to specify rules that apply to groups
+of ports. Default rules may be used to apply ACL's to all ports with
+names matching a given pattern. These are called default rules
+because they will only be applied if no other rule is assigned
+to the port. Default rules consist of an ordered set of directives
+that specify a glob to match against port names and rule groups to
+apply in the ingress and egress directions. For a given port,
+default rules are applied on a first match basis. A maximum of one
+ingress and one egress rule is applied to each port. A default rule
+can be defined by setting the key
+\fBacl.default.\fIorder\fB.match\fR to a \fIglob\fR. It is then
+possible to apply rule groups with the key
+\fBacl.default.\fIorder\fB.\fIdirection\fR.
+
+The following applies the rule group from the previous section to all
+ethernet devices:
+.PP
+.RS
+.nf
+
+acl.default.1.match=eth*
+acl.default.1.out=http
+
+.fi
+.RE
.SS "Port Rate-Limiting"
Traffic policing and shaping are configured on physical ports. Policing
defines a hard limit at which traffic that exceeds the specified rate is
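Review bot: the protocol list has a stray backslash in `+\fB\icmp\fR, \fBtcp\fR, and \fBudp\fR.`; `\i` is not a troff escape, so groff will warn and `icmp` may not render like the neighbouring protocol names. It should read `\fBicmp\fR`. Three smaller points in the same hunk: the example blocks in "Rule Groups" and "Ports" close with `.RE` then `.fi`, while "Default Rules" closes with `.fi` then `.RE`; the macros should be closed in reverse order of opening (`.fi` then `.RE`) in all three. The text states that every group ends with an implicit deny, yet the example includes an explicit `acl.group.http.3=deny`, which readers may take to be required; either drop it or say it is shown only for clarity. And the sentence "ACL's are in effect only when remote management is not configured" deserves more emphasis than a trailing "Note that", since configuring a controller silently stops any ACL from filtering; spelling `ACL's` (twice) should also be `ACLs`.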
--
1.6.0.4