Thanks Guru! I think this is a serious problem. I verified it is a problem even with a single address set that is empty. It would impact some basic use cases such as OpenStack Neutron security groups. For example:

sec-group A:
    rule1: ingress, remote group == sec-group B, ipv4, tcp 22 // allows access to TCP 22 only if the source is in sec-group B.
sec-group B:
    whatever rules

If there is no VM bound to sec-group B yet, the corresponding Address Set of sec-group B in OVN will be empty, so any source will be able to access VMs in sec-group A.

I am working on a fix in ovn-controller and hope to post a patch this weekend or early next week.

Thanks,
Han

On Thu, Sep 7, 2017 at 10:55 AM, Guru Shetty <[email protected]> wrote:
> Hello All,
> We create an ACL using address sets, for e.g:
>
> ovn-nbctl --id=@acl create acl priority=1001 direction=to-lport
> "match=\"ip4.src == {\$set1, \$set2} && tcp && tcp.dst==80 && outport ==
> \\\"foo2\\\"\"" action=allow-related -- add logical_switch foo acls @acl
>
> Now, if either $set1 or $set2 is empty, we will end up with an openflow flow
> that will allow all traffic to "tcp && tcp.dst == 80" for that outport.
>
> This looks like an undesirable behavior. Ideally, when an address set is
> empty, we should simply skip that entry. Comments?
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
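The failure mode described in this thread, modelled as an added example (this is not OVN's or ovn-controller's code, and the address-set contents, set names `as_sec_group_B` and `as_trusted`, and packet values are constructed for illustration). The "buggy" semantics below reproduce what the thread reports: an empty set referenced in `ip4.src == {...}` leaves the source term unconstrained, so the ACL matches any source. The "fixed" semantics treat the term as the union of the referenced sets' members, so an empty union matches nothing. The `empty_referenced_sets` check is the audit a practitioner can run over their ACL match strings to find rules that currently reference an empty set.

```python
import re
from ipaddress import ip_address

# Constructed address sets (assumption, not from the thread). "as_sec_group_B"
# models Neutron security group B before any VM is bound to it.
ADDRESS_SETS = {
    "as_sec_group_B": [],
    "as_trusted": ["10.0.0.5", "10.0.0.6"],
}

# OVN match syntax references an address set as $name.
SET_REF = re.compile(r"\$(\w+)")


def referenced_sets(match):
    """Return the address-set names referenced as $name in an ACL match string."""
    return SET_REF.findall(match)


def empty_referenced_sets(match, address_sets):
    """Audit check: names the match references whose address set is currently empty."""
    return [n for n in referenced_sets(match) if not address_sets.get(n)]


def src_matches(src, names, address_sets, semantics):
    """Evaluate the term 'ip4.src == {$n1, $n2, ...}' against one source address.

    semantics="buggy": any empty set makes the whole term match every source,
                       which is the behaviour reported in the thread.
    semantics="fixed": the term is the union of all members; an empty union
                       matches nothing, so the ACL cannot widen silently.
    """
    if semantics == "buggy" and any(not address_sets.get(n) for n in names):
        return True
    members = {ip_address(a) for n in names for a in address_sets.get(n, [])}
    return ip_address(src) in members


def acl_allows(pkt, match, address_sets, semantics="fixed"):
    """Model an allow ACL of the form 'ip4.src == {...} && tcp && tcp.dst == N'.

    pkt is a dict with "src", "proto" and "dport"; the port is read from the match.
    """
    dport = int(re.search(r"tcp\.dst\s*==\s*(\d+)", match).group(1))
    return (
        pkt["proto"] == "tcp"
        and pkt["dport"] == dport
        and src_matches(pkt["src"], referenced_sets(match), address_sets, semantics)
    )


# The Neutron example from the thread: SSH into sec-group A only from sec-group B.
SSH_FROM_B = "ip4.src == {$as_sec_group_B} && tcp && tcp.dst == 22"
# Guru's two-set example, with one of the two sets empty.
WEB_FROM_TWO = "ip4.src == {$as_trusted, $as_sec_group_B} && tcp && tcp.dst == 80"


def demo():
    """A source outside every set trying SSH: allowed under buggy, denied under fixed."""
    stranger = {"src": "198.51.100.7", "proto": "tcp", "dport": 22}
    return {
        "buggy": acl_allows(stranger, SSH_FROM_B, ADDRESS_SETS, "buggy"),
        "fixed": acl_allows(stranger, SSH_FROM_B, ADDRESS_SETS, "fixed"),
    }


if __name__ == "__main__":
    print("stranger SSH allowed:", demo())
    print("empty sets referenced by WEB_FROM_TWO:",
          empty_referenced_sets(WEB_FROM_TWO, ADDRESS_SETS))
```

Under the fixed semantics a rule whose only remote group is empty admits nothing, which is what a security-group operator expects: an empty group should shrink the allowed source set, never expand it to everything.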
