[ovs-git] [openvswitch/ovs] ea3825: ovn: Add address set support for ACLs.

GitHub noreply at github.com
Sun Jul 3 19:32:48 UTC 2016


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: ea382567e816ac3bdb6365fdec90438156cf51d1
      https://github.com/openvswitch/ovs/commit/ea382567e816ac3bdb6365fdec90438156cf51d1
  Author: Russell Bryant <russell at ovn.org>
  Date:   2016-07-03 (Sun, 03 Jul 2016)

  Changed paths:
    M ovn/controller/lflow.c
    M ovn/northd/ovn-northd.c
    M ovn/ovn-nb.ovsschema
    M ovn/ovn-nb.xml
    M ovn/ovn-sb.ovsschema
    M ovn/ovn-sb.xml
    M ovn/utilities/ovn-nbctl.c
    M ovn/utilities/ovn-sbctl.c
    M tests/ovn.at

  Log Message:
  -----------
  ovn: Add address set support for ACLs.

This feature was originally proposed here:

  http://openvswitch.org/pipermail/dev/2016-March/067440.html

A common use case for OVN ACLs involves needing to match a set of IP
addresses.

   outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}

This example match only has 3 addresses, but it could easily have
hundreds of addresses.  In some cases, the same large set of addresses
needs to be used in several ACLs.

This patch adds a new Address_Set table to OVN_Northbound so that a set
of addresses can be specified once and then referred to by name in ACLs.
To recreate the above example, you would first create an address set:

  $ ovn-nbctl create Address_Set name=set1 addresses="10.0.0.5","10.0.0.25","10.0.0.50"

Then you can refer to this address set by name in an ACL match:

  outport == "lp1" && ip4.src == $set1

Signed-off-by: Russell Bryant <russell at ovn.org>
Signed-off-by: Babu Shanmugam <bschanmu at redhat.com>
Co-authored-by: Flavio Fernandes <flavio at flaviof.com>
Signed-off-by: Flavio Fernandes <flavio at flaviof.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
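
The substitution described in the log message, as an added Python sketch that is not code from this commit or from OVN: it expands `$name` references in a match string into the brace form, leaves quoted strings such as port names untouched, and rejects names with no matching set. The table contents, the name syntax and the choice to raise on an unknown name are assumptions of this example.

```python
import re

# Constructed stand-in for rows of the Address_Set table (name -> addresses).
ADDRESS_SETS = {
    "set1": ["10.0.0.5", "10.0.0.25", "10.0.0.50"],
}

# Matches either a double-quoted string (kept as written) or a $name reference.
# The identifier syntax for set names is an assumption of this sketch.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\$([A-Za-z_][A-Za-z0-9_]*)')


def expand_match(match, address_sets):
    """Return `match` with each $name outside quotes replaced by {a, b, ...}."""
    def substitute(m):
        name = m.group(1)
        if name is None:
            # A quoted string such as "lp1": never expanded, even if it has '$'.
            return m.group(0)
        if name not in address_sets:
            # Assumption: fail loudly so a typo in a set name cannot silently
            # change which packets the ACL matches.
            raise KeyError("undefined address set: $" + name)
        return "{" + ", ".join(address_sets[name]) + "}"
    return _TOKEN.sub(substitute, match)


def expand_acls(matches, address_sets):
    """Expand several ACL matches that share the same named sets."""
    return [expand_match(m, address_sets) for m in matches]


if __name__ == "__main__":
    acls = [
        'outport == "lp1" && ip4.src == $set1',
        'inport == "lp2" && ip4.dst == $set1',
    ]
    for line in expand_acls(acls, ADDRESS_SETS):
        print(line)
```

Because both ACLs refer to the set by name, changing the addresses in one place changes what both expand to.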



