[ovs-discuss] Ip grouping in openflow rule

Justin Pettit jpettit at ovn.org
Tue Feb 21 00:29:34 UTC 2017


> On Feb 20, 2017, at 12:46 AM, Tugrul Erdogan <h.tugrul.erdogan at gmail.com> wrote:
> 
> Hi all,
> 
> I am working on CentOS 7 with OVS. I have simple flow rules as stated below:
> 
> ovs-ofctl add-flow  ovs-brext  "ip, nw_dst=10.3.4.6, actions=drop"
> ovs-ofctl add-flow  ovs-brext  "ip, nw_dst=172.16.0.6, actions=drop"
> 
> I want to group the destination IP addresses in a structure (like
> netfilter:ipset) so I can drop many of the IP addresses from
> different subnets with one flow rule. I have searched for this type of
> structure in the man pages of ovs-ctl and ovs-ofctl but I could not find it.
> 
> I want to take your suggestions about an IP grouping structure in flow rules.

As Ben mentioned, there's no such grouping mechanism using ovs-ofctl.  Those tools are stateless, and OVS would normally expect that sort of state to be maintained by a controller.  There is support for such groups in OVN (which acts as a controller), but that might be overkill for your application if you don't need full-blown network virtualization.

I have thought about how using just the southbound components of OVN could make a more convenient method of programming OVS.  I should do a talk around that at some point, because I think the OVN logical flows are better in a lot of ways than straight OpenFlow.

--Justin
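
The reply above says the group state belongs in a controller rather than in `ovs-ofctl`. As an added example (not from the thread or the OVS project), this Python script holds the address group itself and computes the `ovs-ofctl` commands that make the bridge match it; the cookie value, the priority and the sample `dump-flows` output are constructed assumptions, and the bridge name is the one from the question.

```python
import ipaddress
import re

BRIDGE = "ovs-brext"   # bridge name taken from the question
COOKIE = 0xB10C        # constructed value: tags every flow owned by this group
PRIORITY = 100         # assumed priority for the drop rules

def normalize(entries):
    """Validate IPv4 addresses/CIDRs and merge overlapping or adjacent ones."""
    nets = [ipaddress.IPv4Network(e.strip(), strict=False)
            for e in entries if e.strip()]
    return set(ipaddress.collapse_addresses(nets))

FLOW_RE = re.compile(r"cookie=(0x[0-9a-f]+),.*\bnw_dst=([0-9./]+)")

def installed(dump_flows_text):
    """Networks of the flows in dump-flows output that carry our cookie."""
    nets = set()
    for line in dump_flows_text.splitlines():
        m = FLOW_RE.search(line)
        if m and int(m.group(1), 16) == COOKIE:
            nets.add(ipaddress.IPv4Network(m.group(2)))
    return nets

def reconcile(desired_entries, dump_flows_text):
    """Commands that bring the bridge in line with the desired group."""
    want, have = normalize(desired_entries), installed(dump_flows_text)
    match = "cookie={c},priority={p},ip,nw_dst={n}"
    cmds = []
    for net in sorted(have - want):    # stale entries: exact-match delete
        m = match.format(c=f"{COOKIE:#x}/-1", p=PRIORITY, n=net)
        cmds.append(f'ovs-ofctl --strict del-flows {BRIDGE} "{m}"')
    for net in sorted(want - have):    # missing entries: add a drop rule
        m = match.format(c=f"{COOKIE:#x}", p=PRIORITY, n=net)
        cmds.append(f'ovs-ofctl add-flow {BRIDGE} "{m},actions=drop"')
    return cmds

# Constructed sample of `ovs-ofctl dump-flows ovs-brext` output.
SAMPLE_DUMP = """\
 cookie=0xb10c, duration=41.2s, table=0, n_packets=0, n_bytes=0, priority=100,ip,nw_dst=10.3.4.6 actions=drop
 cookie=0xb10c, duration=41.2s, table=0, n_packets=3, n_bytes=294, priority=100,ip,nw_dst=192.0.2.0/24 actions=drop
 cookie=0x0, duration=90.0s, table=0, n_packets=9, n_bytes=882, priority=0 actions=NORMAL
"""

if __name__ == "__main__":
    group = ["10.3.4.6", "172.16.0.6", "172.16.0.7"]
    print("\n".join(reconcile(group, SAMPLE_DUMP)))
```

Flows without the group's cookie are never touched, and adjacent addresses such as 172.16.0.6 and 172.16.0.7 are merged into one `/31` rule.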



