[ovs-discuss] TCP flags(SYN, ACK etc.) support in open vswitch ACL

Justin Pettit jpettit at nicira.com
Mon Feb 15 15:56:20 UTC 2010


On Feb 15, 2010, at 3:27 AM, devang.vyas at aol.in wrote:

> I can use ovs-ofctl to add a flow to deny or allow specific network traffic.
> Does it support TCP flags (SYN, ACK etc.)? Is there any way to define the direction (inbound/outbound) of this traffic?

Open vSwitch's flow matching capabilities are mostly based on what's defined by OpenFlow.  OpenFlow is based on flow-matching, and as such, does not support matching of TCP flags.  Also, there's no way to define matching based on direction.  Obviously, you can limit based on ingress port, but I suspect that's not sufficient for you.

Jesse has a branch that supports more advanced ACLs when the switch is disconnected from a controller.  It should be merged into our mainline branches before too long.  I don't remember the capabilities off the top of my head.  Jesse, I know it doesn't support inbound/outbound directly, but it does support egress port, correct?

--Justin





