[ovs-git] [openvswitch/ovs] ea3825: ovn: Add address set support for ACLs.
GitHub
noreply at github.com
Sun Jul 3 19:32:48 UTC 2016
Branch: refs/heads/master
Home: https://github.com/openvswitch/ovs
Commit: ea382567e816ac3bdb6365fdec90438156cf51d1
https://github.com/openvswitch/ovs/commit/ea382567e816ac3bdb6365fdec90438156cf51d1
Author: Russell Bryant <russell at ovn.org>
Date: 2016-07-03 (Sun, 03 Jul 2016)
Changed paths:
M ovn/controller/lflow.c
M ovn/northd/ovn-northd.c
M ovn/ovn-nb.ovsschema
M ovn/ovn-nb.xml
M ovn/ovn-sb.ovsschema
M ovn/ovn-sb.xml
M ovn/utilities/ovn-nbctl.c
M ovn/utilities/ovn-sbctl.c
M tests/ovn.at
Log Message:
-----------
ovn: Add address set support for ACLs.

This feature was originally proposed here:

    http://openvswitch.org/pipermail/dev/2016-March/067440.html

A common use case for OVN ACLs involves needing to match a set of IP
addresses.

    outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50}

This example match only has 3 addresses, but it could easily have
hundreds of addresses. In some cases, the same large set of addresses
needs to be used in several ACLs.

This patch adds a new Address_Set table to OVN_Northbound so that a set
of addresses can be specified once and then referred to by name in ACLs.
To recreate the above example, you would first create an address set:

    $ ovn-nbctl create Address_Set name=set1 addresses="10.0.0.5","10.0.0.25","10.0.0.50"

Then you can refer to this address set by name in an ACL match:

    outport == "lp1" && ip4.src == $set1
Signed-off-by: Russell Bryant <russell at ovn.org>
Signed-off-by: Babu Shanmugam <bschanmu at redhat.com>
Co-authored-by: Flavio Fernandes <flavio at flaviof.com>
Signed-off-by: Flavio Fernandes <flavio at flaviof.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
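
Added example, not part of the commit or of OVN's own code: a Python sketch of what the named reference means, expanding $set1 in a match back to the inline form shown in the log message and failing on a reference to a set that does not exist. The helper names, the set-name character rule and the IP-only validation are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample data: the set from the commit message's example.
ADDRESS_SETS = {"set1": ["10.0.0.5", "10.0.0.25", "10.0.0.50"]}

# A double-quoted string (left untouched) or a $name reference.
# The allowed characters in a set name are an assumption of this sketch.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\$([A-Za-z_][A-Za-z0-9_]*)')


def referenced_sets(match):
    """Return the address set names an ACL match refers to."""
    return {m.group(1) for m in _TOKEN.finditer(match) if m.group(1)}


def expand_match(match, address_sets):
    """Rewrite each $name in `match` as the inline {a, b, c} form."""
    def substitute(m):
        name = m.group(1)
        if name is None:          # quoted string such as "lp1": keep as is
            return m.group(0)
        if name not in address_sets:
            raise LookupError("undefined address set: $" + name)
        addrs = address_sets[name]
        for addr in addrs:        # reject anything that is not an IP address
            ipaddress.ip_address(addr)
        return "{" + ", ".join(addrs) + "}"
    return _TOKEN.sub(substitute, match)


if __name__ == "__main__":
    acl = 'outport == "lp1" && ip4.src == $set1'
    print(sorted(referenced_sets(acl)))
    print(expand_match(acl, ADDRESS_SETS))
```

Running referenced_sets over every ACL match before changing a set shows which rules the change will affect, since one set can back several ACLs.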