Your questions are likely answered in the various "ACL" threads in the
"discuss" mailing list archive from this month:
http://openvswitch.org/pipermail/discuss_openvswitch.org/2010-February/thread.html
If you have additional questions, feel free to ask, but please at least look at
the "ovs-ofctl" man page first.
In the future, please don't cross-post. These sorts of end-user questions are
best sent to the [email protected] mailing list.
--Justin
On Feb 17, 2010, at 5:48 PM, Kaushik Kumar Ram wrote:
> Hello,
>
> I heard that Open vSwitch has basic support for ACLs. Can someone clarify
> what sort of support is available and how ACLs can be installed? To be more
> precise, I would like to install an ACL with a rule of type "drop all traffic
> to TCP port XYZ".
>
> I understand that so-called "negative flows" can be used to achieve the same,
> i.e. drop all traffic matching particular flow(s) (to TCP port XYZ in this
> example). This would also be more efficient since the packet would be dropped
> in the in-kernel fast-path itself. But then it is not possible to match
> against packet header fields outside the 10-tuple (like TCP flags for
> example).
>
> Any feedback would be appreciated.
>
> Thanks.
> -Kaushik