[ovs-discuss] [OVN] not-equal in ACL

Tony Liu tonyliu0592 at hotmail.com
Thu Aug 13 19:14:04 UTC 2020


> -----Original Message-----
> From: discuss <ovs-discuss-bounces at openvswitch.org> On Behalf Of Tony
> Liu
> Sent: Monday, August 10, 2020 10:41 AM
> To: Numan Siddique <numans at ovn.org>
> Cc: ovs-discuss at openvswitch.org
> Subject: [ovs-discuss] [OVN] not-equal in ACL
> 
> Hi Numan,
> 
> Creating a new thread here to follow up on the ACL questions.
> 
> > > > I think this is a big problem here. We should not use "!=" in
> > > > logical flows, although OVN allows it.
> > >
> > > Is this a generic recommendation or for certain cases?
> > > Is it OK to add an ACL with "!=", like below?
> > >
> > > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005 \
> > >   'ip4.dst == 192.168.0.0/16 && inport != "d93619c3-dab9-4f6d-8261-4211f6937fd1"' drop
> >
> >
> > This is a generic recommendation. The above ACL would also result in
> > many OF flows.
> >
> > To handle cases like the above, you can add a couple of ACLs like below,
> > with a high-priority flow to allow the desired inport and a low-priority
> > ACL to drop all the traffic.
> >
> >  ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1006 \
> >    'ip4.dst == 192.168.0.0/16 && inport == "d93619c3-dab9-4f6d-8261-4211f6937fd1"' allow
> >  ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005 \
> >    'ip4.dst == 192.168.0.0/16' drop
> 
> In my case, two LS connect to one LR that has external access.
> There are 3 ports on each LS.
> * vm_port
> * gw_port (connect to LR)
> * svc_port (localport for DHCP and metadata)
> 
> What I want is to disable the connection between the two LS while allowing
> external access for them.
> 
> Option #1, create one ACL for each VM on each LS.
> ========
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport == "$vm_port"' drop
> ========
> This works fine for me, but the ACL has to be per VM.
> 
> Option #2, create one ACL to exclude gw_port and svc_port.
> ========
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport != "$gw_port" && inport != "svc_port"' drop
> ========
> As you mentioned, this is not recommended, because it will result in many
> OF flows. I actually tried it, but I don't see any OF flows created for
> that ACL. Is there any policy in ovn-controller to not translate such a
> policy to OF flows?
> 
> Option #3, as you suggested, I tried 2 ACLs.
> ========
> acl-add $ls from-lport 1006 'ip4.dst == 192.168.0.0/16 && (inport == "$gw_port" || inport == "svc_port")' allow
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16' drop
> ========
> On compute node, I see the "drop" OF flow only, not the "allow" flow.
> Am I missing anything here?

Hi Numan,

This works! The '$' was missing from "svc_port"!

Thanks for the advice!

Tony
> 
> 
> Thanks!
> 
> Tony
> 
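The root cause in this thread is that the allow ACL referenced a port name that does not exist on the logical switch (the literal string svc_port instead of the expanded "$svc_port"), so ovn-controller produced no OF flow for it and only the drop rule took effect. The script below is an added example, not from the thread or from OVN, that checks every inport operand in an ACL match against the switch's port list before the ACL is added; the port names and the lsp-list output are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example: refuse to add an OVN ACL whose match names an inport that
# is not a logical switch port. Catches the missing-'$' bug from the thread,
# where the unresolved name silently yields no OpenFlow rule.

# Placeholder port names for the logical switch (assumed values).
gw_port="ls1-gw"
svc_port="ls1-svc"

# Constructed sample standing in for `ovn-nbctl lsp-list ls1` output,
# which prints one "<uuid> (<name>)" line per port.
ls_ports_sample='0f1e2d3c-0000-4000-8000-000000000001 (ls1-gw)
0f1e2d3c-0000-4000-8000-000000000002 (ls1-svc)
0f1e2d3c-0000-4000-8000-000000000003 (ls1-vm1)'

# check_inports MATCH PORTLIST: print each inport name in MATCH that is not
# in PORTLIST; return 0 if all resolve, 1 otherwise.
check_inports() {
    local match="$1" ports="$2" name rc=0
    while read -r name; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$ports" | grep -Fq "($name)"; then
            printf 'unresolved inport: %s\n' "$name"
            rc=1
        fi
    done <<EOF
$(printf '%s\n' "$match" | grep -oE 'inport *[!=]= *"[^"]*"' | sed -E 's/.*"([^"]*)"/\1/')
EOF
    return $rc
}

# Correct match: both shell variables expand before ovn-nbctl sees the string.
good_match="ip4.dst == 192.168.0.0/16 && (inport == \"$gw_port\" || inport == \"$svc_port\")"
# The bug from the thread: '$' missing, so the literal name svc_port is matched.
bad_match="ip4.dst == 192.168.0.0/16 && (inport == \"$gw_port\" || inport == \"svc_port\")"

if check_inports "$good_match" "$ls_ports_sample"; then
    # Print instead of executing so the example runs without an OVN database.
    echo "ovn-nbctl acl-add ls1 from-lport 1006 '$good_match' allow"
    echo "ovn-nbctl acl-add ls1 from-lport 1005 'ip4.dst == 192.168.0.0/16' drop"
fi
check_inports "$bad_match" "$ls_ports_sample" || echo "refusing to add ACL with unresolved inport"
```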

