[ovs-discuss] [OVN] not-equal in ACL

Tony Liu tonyliu0592 at hotmail.com
Mon Aug 10 17:41:19 UTC 2020


Hi Numan,

Create a new thread here to follow up ACL questions.

> > > I think this is a big problem here. We should not use "!=" in
> > > logical flows, although OVN allows.
> >
> > Is this a generic recommendation or for certain cases?
> > Is it OK to add an ACL with "!=", like below?
> >
> > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005
> > 'ip4.dst == 192.168.0.0/16 && inport !=
> > "d93619c3-dab9-4f6d-8261-4211f6937fd1"' drop
> 
> 
> This is a generic recommendation. The above ACL would also result in
> many OF flows.
> 
> To handle cases like above, you can add a couple of ACLs like below with
> high priority flow to allow the desired inport and low priority ACL to
> drop all the traffic.
> 
>  ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1006 'ip4.dst == 192.168.0.0/16 && inport == "d93619c3-dab9-4f6d-8261-4211f6937fd1"' allow
>  ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005 'ip4.dst == 192.168.0.0/16' drop

In my case, two LS connect to one LR who has external access.
There are 3 ports on each LS.
* vm_port
* gw_port (connect to LR)
* svc_port (localport for DHCP and metadata)

What I want is to disable the connection between the two LS while allowing
external access for them.

Option #1, create one ACL for each VM on each LS.
========
acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport == "$vm_port"' drop
========
This works fine for me, but the ACL has to be per VM.

Option #2, create one ACL to exclude gw_port and svc_port.
========
acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport != "$gw_port" && inport != "$svc_port"' drop
========
As you mentioned, this is not recommended, because it will result in many
OF flows. I actually tried it, but I don't see any OF flows created for
that ACL. Is there any policy in ovn-controller to not translate such a
policy to OF flows?

Option #3, as you suggested, I tried 2 ACLs.
========
acl-add $ls from-lport 1006 'ip4.dst == 192.168.0.0/16 && (inport == "$gw_port" || inport == "$svc_port")' allow
acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16' drop
========
On the compute node, I see the "drop" OF flow only, not the "allow" flow.
Am I missing anything here?


Thanks!

Tony
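The following is an added example, not code from the thread or from the OVN project: a small POSIX shell helper that generates the two-ACL pattern from the quoted reply (a higher-priority allow for the named infrastructure ports, a lower-priority drop for everything else heading to the CIDR) without using "!=", for any number of excluded ports. The logical switch name, the port names and the 192.168.0.0/16 CIDR are placeholders taken from the thread; the helper only prints the ovn-nbctl commands, so it can be checked without a running northbound database.

```shell
#!/bin/sh
# Added example (not from the ovs-discuss thread): build the
# "allow named inports, drop the rest" ACL pair for an OVN logical switch.
set -e

# inport_any_of PORT...  ->  (inport == "a" || inport == "b")
# A positive disjunction replaces a chain of "inport != ..." terms.
inport_any_of() {
    if [ $# -eq 0 ]; then
        echo "inport_any_of: need at least one port" >&2
        return 1
    fi
    m=""
    for p in "$@"; do
        if [ -z "$m" ]; then
            m="inport == \"$p\""
        else
            m="$m || inport == \"$p\""
        fi
    done
    printf '(%s)\n' "$m"
}

# acl_cmd LS DIRECTION PRIORITY MATCH VERDICT  ->  one ovn-nbctl acl-add line,
# with the match single-quoted so it survives the shell when piped to sh.
acl_cmd() {
    printf "ovn-nbctl acl-add %s %s %s '%s' %s\n" "$1" "$2" "$3" "$4" "$5"
}

# isolation_acls LS CIDR PORT...  ->  two ovn-nbctl commands:
#   priority 1006: allow traffic to CIDR from the listed inports
#   priority 1005: drop all other traffic to CIDR
# Priorities mirror the thread; the allow must be strictly higher than the drop.
isolation_acls() {
    ls=$1
    cidr=$2
    shift 2
    allow_match="ip4.dst == $cidr && $(inport_any_of "$@")"
    drop_match="ip4.dst == $cidr"
    acl_cmd "$ls" from-lport 1006 "$allow_match" allow
    acl_cmd "$ls" from-lport 1005 "$drop_match" drop
}

# Only generate commands when invoked with arguments (LS CIDR PORT...);
# sourcing or running the file bare just defines the functions.
if [ $# -ge 3 ]; then
    isolation_acls "$@"
fi
```

To apply the ACLs, pipe the output to a shell on a node with access to the northbound database, for example `isolation_acls ls1 192.168.0.0/16 "$gw_port" "$svc_port" | sh`, then confirm with `ovn-nbctl acl-list ls1` and look at the resulting logical flows with `ovn-sbctl lflow-list ls1`. Port names in the match must be exactly the Logical_Switch_Port names, which is why the helper quotes each one.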
