[ovs-discuss] [OVN] not-equal in ACL
Tony Liu
tonyliu0592 at hotmail.com
Thu Aug 13 19:14:04 UTC 2020
> -----Original Message-----
> From: discuss <ovs-discuss-bounces at openvswitch.org> On Behalf Of Tony
> Liu
> Sent: Monday, August 10, 2020 10:41 AM
> To: Numan Siddique <numans at ovn.org>
> Cc: ovs-discuss at openvswitch.org
> Subject: [ovs-discuss] [OVN] not-equal in ACL
>
> Hi Numan,
>
> Create a new thread here to follow up ACL questions.
>
> > > > I think this is a big problem here. We should not use "!=" in
> > > > logical flows, although OVN allows.
> > >
> > > Is this a generic recommendation or for certain cases?
> > > Is it OK to add an ACL with "!=", like below?
> > >
> > > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005 \
> > >   'ip4.dst == 192.168.0.0/16 && inport != "d93619c3-dab9-4f6d-8261-4211f6937fd1"' drop
> >
> >
> > This is a generic recommendation. The above ACL would also result in
> > many OF flows.
> >
> > To handle cases like the above, you can add a couple of ACLs like below,
> > with a high-priority ACL to allow the desired inport and a low-priority
> > ACL to drop all the traffic.
> >
> > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1006 \
> >   'ip4.dst == 192.168.0.0/16 && inport == "d93619c3-dab9-4f6d-8261-4211f6937fd1"' allow
> > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005 \
> >   'ip4.dst == 192.168.0.0/16' drop
>
> In my case, two LS connect to one LR that has external access.
> There are 3 ports on each LS.
> * vm_port
> * gw_port (connects to the LR)
> * svc_port (localport for DHCP and metadata)
>
> What I want is to disable the connection between the two LS while
> allowing external access for them.
>
> Option #1, create one ACL for each VM on each LS.
> ========
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport == "$vm_port"' drop
> ========
> This works fine for me, but the ACL has to be per VM.
>
> Option #2, create one ACL to exclude gw_port and svc_port.
> ========
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport != "$gw_port" && inport != "svc_port"' drop
> ========
> As you mentioned, this is not recommended, because it will result in many
> OF flows. I actually tried it, but I don't see any OF flows created for
> that ACL. Is there any policy in ovn-controller not to translate such a
> policy to OF flows?
>
> Option #3, as you suggested, I tried 2 ACLs.
> ========
> acl-add $ls from-lport 1006 'ip4.dst == 192.168.0.0/16 && (inport == "$gw_port" || inport == "svc_port")' allow
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16' drop
> ========
> On compute node, I see the "drop" OF flow only, not the "allow" flow.
> Am I missing anything here?
Hi Numan,
This works! The '$' was missing from "svc_port"!
Thanks for the advice!
Tony
>
>
> Thanks!
>
> Tony
>
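Added illustration for the thread above (this is example code written for this page, not code from the thread and not OVN's implementation): a small Python model of why a `!=` term in an ACL fans out into many OpenFlow flows and why the allow/drop pair suggested by Numan stays small. It assumes a 16-bit port-key field, that `!=` is expanded into one ternary (value/mask) match per bit of the field, that traffic hitting no ACL is allowed, and constructed port keys 5 and 9 for gw_port and svc_port; the ip4.dst term is left out because it is identical in both options and does not change the comparison.

```python
from itertools import product

# Constructed example values (not from the thread): logical port keys.
GW_KEY = 5
SVC_KEY = 9
WIDTH = 16  # assumed width of the port-key field, for illustration only


def not_equal_terms(field, value, width):
    """Expand `field != value` into ternary matches, one per bit.

    A flow matching "bit i of field differs from bit i of value" with every
    other bit wildcarded catches every packet whose field is not equal to
    value; the union over all bits is exactly `!=`.
    """
    return [{field: ((~value) & (1 << bit), 1 << bit)} for bit in range(width)]


def intersect(a, b):
    """AND two ternary matches; return None if they contradict each other."""
    merged = dict(a)
    for field, (val, mask) in b.items():
        if field not in merged:
            merged[field] = (val, mask)
            continue
        val0, mask0 = merged[field]
        common = mask0 & mask
        if (val0 & common) != (val & common):
            return None  # the same bit would have to be both 0 and 1
        merged[field] = (val0 | val, mask0 | mask)
    return merged


def conjoin(*term_lists):
    """AND of several disjunctions: the cross product of their flows,
    minus contradictory combinations, with duplicates removed."""
    seen, out = set(), []
    for combo in product(*term_lists):
        m = {}
        for term in combo:
            m = intersect(m, term)
            if m is None:
                break
        if m is None:
            continue
        key = tuple(sorted(m.items()))
        if key not in seen:
            seen.add(key)
            out.append(m)
    return out


def option2_flows(gw=GW_KEY, svc=SVC_KEY, width=WIDTH):
    """One ACL with two != terms: a drop flow per surviving match."""
    matches = conjoin(not_equal_terms("inport", gw, width),
                      not_equal_terms("inport", svc, width))
    return [(1005, m, "drop") for m in matches]


def option3_flows(gw=GW_KEY, svc=SVC_KEY, width=WIDTH):
    """Two exact-match allows at priority 1006, one catch-all drop at 1005."""
    full = (1 << width) - 1
    return [
        (1006, {"inport": (gw, full)}, "allow"),
        (1006, {"inport": (svc, full)}, "allow"),
        (1005, {}, "drop"),
    ]


def lookup(flows, packet):
    """Highest-priority matching flow wins, like an OpenFlow table.
    Assumed default when no ACL matches: traffic is allowed."""
    best = None
    for prio, match, action in flows:
        if all((packet[f] & mask) == val for f, (val, mask) in match.items()):
            if best is None or prio > best[0]:
                best = (prio, action)
    return best[1] if best else "allow"


if __name__ == "__main__":
    print("option 2 (two != terms):", len(option2_flows()), "flows")
    print("option 3 (allow pair + drop):", len(option3_flows()), "flows")
    for key in (GW_KEY, SVC_KEY, 7):
        print(key, lookup(option2_flows(), {"inport": key}),
              lookup(option3_flows(), {"inport": key}))
```

Both flow sets make the same decision for every port key, but the single `!=`-based ACL needs well over a hundred flows for a 16-bit field (and the count grows with the field width and with each additional `!=` term), while the allow/drop pair needs three regardless of width.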