[ovs-discuss] [ovs-dev] Query on ACLs

Justin Pettit jpettit at nicira.com
Thu Feb 18 02:04:27 UTC 2010


Your questions are likely answered in the various "ACL" threads in the "discuss" mailing list archive from this month:

	http://openvswitch.org/pipermail/discuss_openvswitch.org/2010-February/thread.html

If you have additional questions, feel free to ask, but please at least look at the "ovs-ofctl" man page first.

In the future, please don't cross-post.  These sorts of end-user questions are best sent to the discuss at openvswitch.org mailing list.

--Justin


On Feb 17, 2010, at 5:48 PM, Kaushik Kumar Ram wrote:

> Hello,
> 
> I heard that Open vSwitch has basic support for ACLs. Can someone clarify what sort of support is available and how ACLs can be installed? To be more precise, I would like to install an ACL with a rule of type "drop all traffic to TCP port XYZ".
> 
> I understand that so-called "negative flows" can be used to achieve the same, i.e. drop all traffic matching particular flow(s) (to TCP port XYZ in this example). This would also be more efficient since the packet would be dropped in the in-kernel fast-path itself. But then it is not possible to match against packet header fields outside the 10-tuple (like TCP flags, for example).
> 
> Any feedback would be appreciated.
> 
> Thanks.
> -Kaushik