[ovs-git] [openvswitch/ovs] 78aab8: ovn: Add stateful ACL support.

GitHub noreply at github.com
Fri Oct 16 07:24:31 UTC 2015


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 78aab811be52cecb6dea3dc937bb9bc4e558e422
      https://github.com/openvswitch/ovs/commit/78aab811be52cecb6dea3dc937bb9bc4e558e422
  Author: Justin Pettit <jpettit at nicira.com>
  Date:   2015-10-16 (Fri, 16 Oct 2015)

  Changed paths:
    M ovn/TODO
    M ovn/controller/binding.c
    M ovn/controller/binding.h
    M ovn/controller/lflow.c
    M ovn/controller/lflow.h
    M ovn/controller/ovn-controller.8.xml
    M ovn/controller/ovn-controller.c
    M ovn/controller/ovn-controller.h
    M ovn/controller/physical.c
    M ovn/controller/physical.h
    M ovn/lib/actions.c
    M ovn/lib/actions.h
    M ovn/northd/ovn-northd.8.xml
    M ovn/northd/ovn-northd.c
    M ovn/ovn-architecture.7.xml
    M ovn/ovn-sb.xml
    M tests/ovn.at
    M tests/test-ovn.c

  Log Message:
  -----------
  ovn: Add stateful ACL support.

Add support for the "allow-related" ACL action.  This is dependent on
the OVS conntrack functionality, which is not available on all platforms
or kernel versions.

Here is a sample policy that will allow all tenants in logical switch
"ls0" to SSH to each other.  Anyone can make an HTTP request to "lp0".
All other IP traffic is dropped:

  ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
  ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
  ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
      && tcp.dst==80" allow-related
  ovn-nbctl acl-add ls0 to-lport 1 ip drop

Note: Kernel conntrack support is checked into the mainline Linux
kernel, but hasn't been backported to the main OVS repo yet.

Signed-off-by: Justin Pettit <jpettit at nicira.com>
Acked-by: Ben Pfaff <blp at nicira.com>
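As an added illustration (not part of the commit or the OVS tree), a small Python model of how the sample policy above is evaluated: ACLs in each direction are tried in descending priority, and a connection admitted by an "allow-related" ACL is committed to a stand-in conntrack table so its reply direction passes. The logical ports lp1/lp2 and the port numbers are constructed, and the model simplifies OVN's real pipeline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One IP packet on logical switch ls0 (constructed sample data)."""
    inport: str   # logical port the packet comes from
    outport: str  # logical port it is delivered to
    proto: str
    sport: int
    dport: int

# The four ACLs from the commit message, as (direction, priority, match, action).
ACLS = [
    ("from-lport", 100, lambda p: True, "allow-related"),                    # ip
    ("to-lport", 100, lambda p: p.proto == "tcp" and p.dport == 22, "allow-related"),
    ("to-lport", 100, lambda p: p.outport == "lp0" and p.proto == "tcp"
                                and p.dport == 80, "allow-related"),
    ("to-lport", 1, lambda p: True, "drop"),                                 # ip
]

def _stage(direction, p, acls):
    """Highest-priority matching ACL in this direction decides; default is allow."""
    for d, _prio, match, action in sorted(acls, key=lambda a: -a[1]):
        if d == direction and match(p):
            return action
    return "allow"

class Switch:
    """Tiny stand-in for ls0 plus its conntrack table (assumed model)."""
    def __init__(self, stateful=True):
        # stateful=False rewrites allow-related to plain allow, i.e. the same
        # policy on a platform without conntrack support.
        self.acls = ACLS if stateful else [
            (d, pr, m, "allow" if a == "allow-related" else a) for d, pr, m, a in ACLS]
        self.conntrack = set()  # committed connections, keyed by originator 5-tuple

    def deliver(self, p):
        # A reply to a committed connection is "related" traffic and passes
        # without re-evaluating the ACLs.
        if (p.outport, p.dport, p.inport, p.sport, p.proto) in self.conntrack:
            return "allow"
        verdicts = [_stage("from-lport", p, self.acls), _stage("to-lport", p, self.acls)]
        if "drop" in verdicts:
            return "drop"
        if "allow-related" in verdicts:  # commit so the reply direction is allowed
            self.conntrack.add((p.inport, p.sport, p.outport, p.dport, p.proto))
        return "allow"
```

Running the stateless variant shows why plain "allow" is not enough: the SSH request from lp1 is admitted, but the reply from lp2 hits the priority-1 drop in the to-lport stage.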