I submitted a patch: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/338533.html
Please take a look.

Thanks,
Han

On Fri, Sep 8, 2017 at 7:42 PM, Han Zhou <[email protected]> wrote:
> Thanks Guru! I think this is a serious problem. I verified it is a problem
> even with a single address set that is empty. It would impact some basic
> use cases such as OpenStack Neutron security group. For example:
>
> sec-group A:
> rule1: ingress, remote group == sec-group B, ipv4, tcp 22 // allows access
> to TCP 22 only if the source is in sec-group B.
>
> sec-group B:
> whatever rules
>
> If there is no VM bound to sec-group B yet, the corresponding Address Set
> of sec-group B in OVN will be empty, so any source will be able to access VMs
> in sec-group A.
>
> I am working on a fix in ovn-controller, hopefully post a patch this
> weekend or early next week.
>
> Thanks,
> Han
>
> On Thu, Sep 7, 2017 at 10:55 AM, Guru Shetty <[email protected]> wrote:
>
>> Hello All,
>> We create an ACL using address sets, for e.g:
>>
>> ovn-nbctl --id=@acl create acl priority=1001 direction=to-lport
>> "match=\"ip4.src == {\$set1, \$set2} && tcp && tcp.dst==80 && outport ==
>> \\\"foo2\\\"\"" action=allow-related -- add logical_switch foo acls @acl
>>
>> Now, if either $set1 or $set2 is empty, we will end up with an openflow
>> flow that will allow all traffic to "tcp && tcp.dst == 80" for that outport.
>>
>> This looks like an undesirable behavior. Ideally, when an address set is
>> empty, we should simply skip that entry. Comments?
>> _______________________________________________
>> dev mailing list
>> [email protected]
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
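The thread above describes an ACL such as `ip4.src == {$set1, $set2} && tcp && tcp.dst==80` widening to "allow all sources on TCP 80" whenever one of the referenced address sets is empty. Until a northd/ovn-controller that handles this is deployed, an operator can at least audit the northbound database for ACLs that reference an empty address set. The script below is an added example written for this page, not code from the OVS/OVN project or from either poster; it works on constructed sample data shaped like `ovn-nbctl list Address_Set` / `ovn-nbctl list ACL` output (the `ADDRESS_SETS` and `ACLS` values are made up), and it treats a referenced set that does not exist at all as empty, which is a conservative assumption of the audit rather than documented OVN behaviour.

```python
import re

# An address-set reference in an OVN match expression is written "$name",
# e.g. "ip4.src == {$set1, $set2}". Set names use letters, digits, '_' and '.'.
ADDRESS_SET_REF = re.compile(r"\$([A-Za-z0-9_.]+)")

# Constructed sample data (not real ovn-nbctl output): set name -> members.
ADDRESS_SETS = {
    "set1": ["10.0.0.5", "10.0.0.6"],
    "set2": [],                 # e.g. a Neutron security group with no VMs bound yet
    "set3": ["10.0.1.0/24"],
}

# Constructed sample ACLs; the first one mirrors the ACL from the thread.
ACLS = [
    {"priority": 1001, "direction": "to-lport", "action": "allow-related",
     "match": 'ip4.src == {$set1, $set2} && tcp && tcp.dst == 80 && outport == "foo2"'},
    {"priority": 1001, "direction": "to-lport", "action": "allow-related",
     "match": 'ip4.src == {$set1, $set3} && tcp && tcp.dst == 22'},
    {"priority": 900, "direction": "to-lport", "action": "drop",
     "match": 'ip4.src == $set2'},
    {"priority": 1000, "direction": "from-lport", "action": "allow",
     "match": 'ip4.dst == $missing_set'},
]


def referenced_sets(match):
    """Return the address-set names referenced by a match expression, in order."""
    return ADDRESS_SET_REF.findall(match)


def find_risky_acls(acls, address_sets):
    """Flag every ACL whose match references an empty (or undefined) address set.

    An empty set only widens access when the ACL's action is allow/allow-related:
    with the behaviour reported in the thread the set constraint disappears and the
    remaining match (e.g. "tcp && tcp.dst == 80") admits any source. Empty sets in
    drop/reject ACLs are still reported, but marked informational.
    """
    findings = []
    for acl in acls:
        for name in referenced_sets(acl["match"]):
            # Assumption: a set that is not defined at all is treated like an empty one.
            if address_sets.get(name, []):
                continue
            findings.append({
                "priority": acl["priority"],
                "direction": acl["direction"],
                "action": acl["action"],
                "set": name,
                "severity": "widening" if acl["action"].startswith("allow") else "informational",
                "match": acl["match"],
            })
    return findings


if __name__ == "__main__":
    for f in find_risky_acls(ACLS, ADDRESS_SETS):
        print(f"[{f['severity']}] priority={f['priority']} {f['direction']} "
              f"action={f['action']} references empty set ${f['set']}: {f['match']}")
```

In a real deployment the two dictionaries would be filled from `ovn-nbctl list Address_Set` and `ovn-nbctl list ACL` (or the northbound OVSDB directly), and any "widening" finding on an allow rule is an ACL that currently grants more than its match suggests.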
