On Thu, Oct 15, 2015 at 10:32:51AM -0700, Justin Pettit wrote:
> Add support for the "allow-related" ACL action. This is dependent on
> the OVS conntrack functionality, which is not available on all platforms
> or kernel versions.
>
> Here is a sample policy that will allow all tenants in logical switch
> "ls0" to SSH to each other. Anyone can make an HTTP request to "lp0".
> All other IP traffic is dropped:
>
> ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
> ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
> ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
> && tcp.dst==80" allow-related
> ovn-nbctl acl-add ls0 to-lport 1 ip drop
>
> Note: Kernel conntrack support is checked into the mainline Linux
> kernel, but hasn't been backported to the main OVS repo yet.
> ---
> I've pushed this patch on a partial backport of conntrack here:
>
> https://github.com/justinpettit/ovs/tree/ovn-acl
Thanks! This is going to be awesome.

This lacks a Signed-off-by.

ovn-northd.xml needs an update to explain all the new flows and
renumbered flow tables.

I get one "sparse" warning:

../ovn/lib/actions.c:151:13: warning: incorrect type in assignment (different base types)
../ovn/lib/actions.c:151:13:    expected unsigned short [unsigned] [usertype] alg
../ovn/lib/actions.c:151:13:    got restricted ovs_be16

In symtab_init() in ovn/controller/lflow.c, I think it would be a little
better to define ct.trk as a subfield, instead of a predicate, since
subfields are a little more general-purpose.

Acked-by: Ben Pfaff <[email protected]>
_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev
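The sample ls0 policy in the patch description is easier to reason about with a small model of how the two ACL stages and conntrack interact. The following is an added illustration, not code from Open vSwitch or OVN: it assumes a simplified pipeline (a conntrack lookup in which flows with a seen reply bypass the ACLs, then highest-priority-wins matching per direction, with a default allow when no ACL matches), Linux-style conntrack semantics where an original-direction packet stays "new" until a reply is seen, and only the match syntax used in the four ovn-nbctl lines. Port names, IPs and port numbers in demo() are constructed. It shows why the SSH reply is allowed only because the from-lport "ip allow-related" rule committed the connection, and is dropped by the priority-1 "ip drop" rule when no such state exists.

```python
"""Simplified model of OVN's "allow-related" ACL action (added example,
not OVS/OVN code). Assumptions: conntrack lookup first, then ACLs with
highest priority winning, default allow when nothing matches, and an
original-direction flow is "new" until its reply has been seen."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    inport: str
    outport: str
    src: str      # sender IP
    dst: str      # receiver IP
    proto: str    # "tcp" or "udp"; every Packet in this model is IP
    sport: int
    dport: int


@dataclass
class Acl:
    direction: str   # "from-lport" or "to-lport"
    priority: int
    match: str       # subset of the OVN match language, '&&'-joined terms
    action: str      # "allow", "allow-related" or "drop"


def _term_matches(term: str, pkt: Packet) -> bool:
    """Evaluate one term such as 'ip', 'tcp.dst==22' or 'outport == "lp0"'."""
    term = term.strip()
    if "==" in term:
        lhs, rhs = (s.strip() for s in term.split("==", 1))
        rhs = rhs.strip('"')
        if lhs in ("tcp.dst", "udp.dst"):
            # an L4 field match implies the L4 protocol, as in OVN
            return pkt.proto == lhs.split(".")[0] and pkt.dport == int(rhs)
        if lhs in ("inport", "outport"):
            return getattr(pkt, lhs) == rhs
        raise ValueError(f"unsupported field in match: {lhs}")
    if term == "ip":
        return True
    if term in ("tcp", "udp"):
        return pkt.proto == term
    raise ValueError(f"unsupported match term: {term}")


def acl_matches(acl: Acl, pkt: Packet) -> bool:
    return all(_term_matches(t, pkt) for t in acl.match.split("&&"))


@dataclass
class Conntrack:
    """Flows committed by allow-related; value is 'reply seen' flag."""
    table: dict = field(default_factory=dict)

    @staticmethod
    def _fwd(pkt):
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    @staticmethod
    def _rev(pkt):
        return (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)

    def commit(self, pkt):
        self.table.setdefault(self._fwd(pkt), False)

    def state(self, pkt) -> str:
        """'est' for a tracked flow with a reply seen, otherwise 'new'."""
        if self._rev(pkt) in self.table:
            self.table[self._rev(pkt)] = True   # this packet is the reply
            return "est"
        return "est" if self.table.get(self._fwd(pkt)) else "new"


def stage(direction: str, acls, pkt: Packet, ct: Conntrack) -> str:
    """One ACL stage (from-lport or to-lport); returns 'allow' or 'drop'."""
    if ct.state(pkt) == "est":
        return "allow"          # established traffic bypasses the ACL list
    hits = [a for a in acls if a.direction == direction and acl_matches(a, pkt)]
    if not hits:
        return "allow"          # assumed default when no ACL matches
    best = max(hits, key=lambda a: a.priority)
    if best.action == "allow-related":
        ct.commit(pkt)          # remember the flow so its reply is accepted
        return "allow"
    return "allow" if best.action == "allow" else "drop"


def forward(acls, pkt: Packet, ct: Conntrack) -> str:
    """Run the ingress (from-lport) then egress (to-lport) ACL stage."""
    for direction in ("from-lport", "to-lport"):
        if stage(direction, acls, pkt, ct) == "drop":
            return f"drop@{direction}"
    return "allow"


# The four ovn-nbctl acl-add lines for ls0 from the patch description.
LS0_ACLS = [
    Acl("from-lport", 100, "ip", "allow-related"),
    Acl("to-lport", 100, "tcp.dst==22", "allow-related"),
    Acl("to-lport", 100, 'outport == "lp0" && tcp.dst==80', "allow-related"),
    Acl("to-lport", 1, "ip", "drop"),
]


def demo() -> dict:
    """Constructed traffic on ls0: SSH lp1->lp0 and its reply, HTTP to lp0/lp1."""
    ct = Conntrack()
    ssh = Packet("lp1", "lp0", "10.0.0.1", "10.0.0.2", "tcp", 40000, 22)
    ssh_reply = Packet("lp0", "lp1", "10.0.0.2", "10.0.0.1", "tcp", 22, 40000)
    http_lp0 = Packet("lp1", "lp0", "10.0.0.1", "10.0.0.2", "tcp", 40001, 80)
    http_lp1 = Packet("lp0", "lp1", "10.0.0.2", "10.0.0.1", "tcp", 40002, 80)
    return {
        "ssh": forward(LS0_ACLS, ssh, ct),
        "ssh_reply": forward(LS0_ACLS, ssh_reply, ct),
        "http_to_lp0": forward(LS0_ACLS, http_lp0, ct),
        "http_to_lp1": forward(LS0_ACLS, http_lp1, ct),
        # same reply with no conntrack state: only the stateless rules apply
        "ssh_reply_no_state": forward(LS0_ACLS, ssh_reply, Conntrack()),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Running it prints allow for the SSH request, its reply and HTTP to lp0, and drop@to-lport for HTTP to lp1; the last line shows the same SSH reply dropped at the to-lport stage once the committed state is gone, which is the behaviour a plain "allow" (without conntrack) would give.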