[ovs-discuss] Ip grouping in openflow rule
Justin Pettit
jpettit at ovn.org
Tue Feb 21 00:29:34 UTC 2017
> On Feb 20, 2017, at 12:46 AM, Tugrul Erdogan <h.tugrul.erdogan at gmail.com> wrote:
>
> Hi all,
>
> I am working on CentOS 7 with OVS. I have simple flow rules as stated below:
>
> ovs-ofctl add-flow ovs-brext "ip, nw_dst=10.3.4.6, actions=drop"
> ovs-ofctl add-flow ovs-brext "ip, nw_dst=172.16.0.6, actions=drop"
>
> I want to group the destination IP addresses in a structure (like
> netfilter:ipset) so I can drop many of the IP addresses from
> different subnets with one flow rule. I have searched for this type of
> structure in the man pages of ovs-ctl and ovs-ofctl but I could not find one.
>
> I want to take your suggestions about IP grouping structure in flow rules.
As Ben mentioned, there's no such grouping mechanism using ovs-ofctl. Those tools are stateless, and OVS would normally expect that sort of state to be maintained by a controller. There is support for such groups in OVN (which acts as a controller), but that might be overkill for your application if you don't need full-blown network virtualization.
I have thought about how using just the southbound components of OVN could make a more convenient method of programming OVS. I should do a talk around that at some point, because I think the OVN logical flows are better in a lot of ways than straight OpenFlow.
--Justin
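An added example, not part of the original message and not code from the OVS project: since ovs-ofctl keeps no set state, the "group" can live in a plain text file that a small script renders into one drop flow per entry. The cookie value, the file layout and the function names are assumptions made for this sketch.

```shell
# Added example: keep the IP set in a file, render one drop flow per entry.
# BLOCK_COOKIE is an arbitrary tag chosen for this sketch, not an OVS default.
BLOCK_COOKIE=0xb10c

# render_drop_flows FILE
# Prints one flow per unique, valid IPv4 address or CIDR found in FILE.
# Blank lines and '#' comments are skipped. Any invalid entry is reported on
# stderr and makes the function return 1, so a bad list is never half-applied.
render_drop_flows() {
    awk -v cookie="$BLOCK_COOKIE" '
    function valid(e,    parts, n, o, i) {
        n = split(e, parts, "/")
        if (n > 2) return 0
        if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) return 0
        if (split(parts[1], o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
    $0 == "" { next }
    !valid($0) { printf "line %d: invalid entry: %s\n", NR, $0 | "cat 1>&2"; bad = 1; next }
    !seen[$0]++ { out = out sprintf("cookie=%s,ip,nw_dst=%s,actions=drop\n", cookie, $0) }
    END { if (bad) exit 1; printf "%s", out }
    ' "$1"
}

# sync_blocklist BRIDGE FILE
# Removes every flow tagged with BLOCK_COOKIE, then installs the current list.
# Flows without that cookie are left untouched.
sync_blocklist() {
    flows=$(render_drop_flows "$2") || return 1
    ovs-ofctl del-flows "$1" "cookie=$BLOCK_COOKIE/-1" || return 1
    [ -z "$flows" ] || printf '%s\n' "$flows" | ovs-ofctl add-flows "$1" -
}
```

Calling `sync_blocklist ovs-brext blocklist.txt` after each edit of the file keeps the bridge in step with it; between the `del-flows` and `add-flows` calls there is a short interval in which the listed addresses are not dropped.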