On Fri, Jan 13, 2023 at 10:52 AM Dumitru Ceara <[email protected]> wrote:
> Otherwise it's hard to tell which ones are applied before and which ones > are applied after load balancing. > > Signed-off-by: Dumitru Ceara <[email protected]> > --- > tests/ovn-nbctl.at | 9 +++++++++ > utilities/ovn-nbctl.c | 7 +++++++ > 2 files changed, 16 insertions(+) > > diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at > index 8885ac9fcc..2fffe18500 100644 > --- a/tests/ovn-nbctl.at > +++ b/tests/ovn-nbctl.at > @@ -223,6 +223,9 @@ ovn_nbctl_test_acl() { > AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop]) > AT_CHECK([ovn-nbctl $2 --label=1234 acl-add $1 from-lport 70 icmp > allow-related]) > AT_CHECK([ovn-nbctl $2 --label=1235 acl-add $1 to-lport 70 icmp > allow-related]) > + AT_CHECK([ovn-nbctl $2 --apply-after-lb acl-add $1 from-lport 500 tcp > allow]) > + AT_CHECK([ovn-nbctl $2 --apply-after-lb acl-add $1 from-lport 300 tcp > drop]) > + AT_CHECK([ovn-nbctl $2 --apply-after-lb acl-add $1 from-lport 300 udp > allow]) > > dnl Add duplicated ACL > AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop], [1], [], > [stderr]) > @@ -247,6 +250,9 @@ from-lport 600 (udp) drop log() > from-lport 400 (tcp) drop > from-lport 200 (ip) drop > from-lport 70 (icmp) allow-related label=1234 > +from-lport 500 (tcp) allow [[after-lb]] > +from-lport 300 (tcp) drop [[after-lb]] > +from-lport 300 (udp) allow [[after-lb]] > to-lport 500 (udp) drop log(name=test,severity=info) > to-lport 300 (tcp) drop > to-lport 100 (ip) drop > @@ -260,6 +266,9 @@ from-lport 600 (udp) drop log() > from-lport 400 (tcp) drop > from-lport 200 (ip) drop > from-lport 70 (icmp) allow-related label=1234 > +from-lport 500 (tcp) allow [[after-lb]] > +from-lport 300 (tcp) drop [[after-lb]] > +from-lport 300 (udp) allow [[after-lb]] > ]) > > dnl Delete all ACLs. > diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c > index 9d4fb8c757..ae4d6c4036 100644 > --- a/utilities/ovn-nbctl.c > +++ b/utilities/ovn-nbctl.c 
> @@ -2091,9 +2091,13 @@ acl_cmp(const void *acl1_, const void *acl2_) > > int dir1 = dir_encode(acl1->direction); > int dir2 = dir_encode(acl2->direction); > + bool after_lb1 = smap_get_bool(&acl1->options, "apply-after-lb", > false); > + bool after_lb2 = smap_get_bool(&acl2->options, "apply-after-lb", > false); > > if (dir1 != dir2) { > return dir1 < dir2 ? -1 : 1; > + } else if (after_lb1 != after_lb2) { > + return after_lb2 ? -1 : 1; > } else if (acl1->priority != acl2->priority) { > return acl1->priority > acl2->priority ? -1 : 1; > } else { > @@ -2192,6 +2196,9 @@ nbctl_acl_list(struct ctl_context *ctx) > if (acl->label) { > ds_put_format(&ctx->output, " label=%"PRId64, acl->label); > } > + if (smap_get_bool(&acl->options, "apply-after-lb", false)) { > + ds_put_cstr(&ctx->output, " [after-lb]"); > + } > ds_put_cstr(&ctx->output, "\n"); > } > > -- > 2.31.1 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > Looks good to me, thanks. Acked-by: Ales Musil <[email protected]> -- Ales Musil Senior Software Engineer - OVN Core Red Hat EMEA <https://www.redhat.com> [email protected] IM: amusil <https://red.ht/sig> _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
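Review bot: In the tests/ovn-nbctl.at hunks, all three added acl-add calls use from-lport, so the expected acl-list output never shows an [after-lb] entry inside the to-lport group. If --apply-after-lb is accepted for to-lport ACLs, add one such case so the ordering in that group is pinned down as well. If it is not accepted, a negative test that checks the rejection would make that explicit.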
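Review bot: In the acl_cmp() hunk of utilities/ovn-nbctl.c, the new `after_lb1 != after_lb2` branch means two ACLs with the same direction, priority and match no longer compare equal when only one of them has apply-after-lb set. If any caller relies on acl_cmp() returning 0 to detect duplicates (the test file has a "dnl Add duplicated ACL" case that expects acl-add to fail), such a pair is now treated as distinct; please confirm that this is intended and add a test for it. Separately, `return after_lb2 ? -1 : 1;` tests the second operand while the neighbouring branches are written in terms of the first (`dir1 < dir2`, `acl1->priority > acl2->priority`); `return after_lb1 ? 1 : -1;` with a one-line comment stating that after-lb ACLs sort last within a direction would be easier to read.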
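Review bot: The nbctl_acl_list() hunk appends " [after-lb]" to acl-list output, but the diffstat lists only tests/ovn-nbctl.at and utilities/ovn-nbctl.c, so neither the marker nor the new sort order is documented. Anything that parses acl-list output line by line will see an extra trailing token, and a reader who assumes entries are ordered by priority alone within a direction will now find `from-lport 500 (tcp) allow` listed below `from-lport 70 (icmp) allow-related`. Please describe the marker and the ordering in the ovn-nbctl manual page as part of this patch.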
