On Wed, Feb 14, 2018 at 3:08 PM, Ben Pfaff <b...@ovn.org> wrote:
>
> On Wed, Feb 14, 2018 at 02:25:56PM -0800, Han Zhou wrote:
> > On Wed, Feb 14, 2018 at 1:40 PM, Ben Pfaff <b...@ovn.org> wrote:
> > >
> > > On Wed, Feb 14, 2018 at 12:34:19PM -0800, Han Zhou wrote:
> > > > I remember there was a patch for ACL group in OVN, so that instead of
> > > > R*P rows we will have only R + P rows, but didn't see it went through.
> > >
> > > I don't remember that. Any chance you could point me to it?
> >
> > Yes, I found it:
> >
> > https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/077118.html
> > https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/321165.html
> >
> > And I made a mistake in my previous text. It is about port group, which is
> > what we need here, rather than ACL group.
>
> I guess what I'd like to see is an example of the problem that we're
> trying to solve here: what does a typical ACL row for a security group
> look like, and what parts of the row differ between its instance for one
> port and another port?
An ACL for a Neutron SG rule: ingress tcp dport=22, is something like:

to-lport 1000 "outport==\"<neutron port uuid>\" && ip4 && tcp && tcp.dst==22" allow-related

All ports bound to the same SG will have an ACL like this, and the only difference between one port and another is the <neutron port uuid> part.
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
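A constructed illustration of the R*P versus R+P point discussed above, added here and not code from the thread, from OVN or from Neutron: it builds the per-port ACL rows Han describes for a few placeholder ports and SG rules, strips the port clause to show that only the port UUID differs between rows, and builds the equivalent rows with the `@<group>` match syntax OVN port groups use. The port UUIDs, group name and rule set are made up, and the row tuple layout is a simplification of the real ACL table.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class SgRule:
    direction: str  # "ingress" (to-lport, matches outport) or "egress" (from-lport, matches inport)
    proto: str      # "tcp" or "udp"
    dport: int

def l4_match(rule):
    """Protocol/port part of the match; identical for every port bound to the SG."""
    return f"ip4 && {rule.proto} && {rule.proto}.dst=={rule.dport}"

def acl_row(port_clause, rule):
    """Simplified ACL row: (direction, priority, match, action)."""
    direction = "to-lport" if rule.direction == "ingress" else "from-lport"
    field = "outport" if rule.direction == "ingress" else "inport"
    return (direction, 1000, f"{field} == {port_clause} && {l4_match(rule)}", "allow-related")

def per_port_acls(port_uuids, rules):
    """Scheme described in the thread: one ACL per (port, rule) -> R*P rows."""
    return [acl_row(f'"{uuid}"', rule) for uuid in port_uuids for rule in rules]

def port_group_acls(group_name, rules):
    """Port-group scheme: one ACL per rule matching the group (@name) -> R rows;
    the P port memberships live once in the group rather than once per rule."""
    return [acl_row(f"@{group_name}", rule) for rule in rules]

PORT_CLAUSE = re.compile(r'^(inport|outport) == ("[^"]*"|@\S+) && ')

def distinct_after_stripping_port(acls):
    """Matches with the port clause removed: what actually differs between rows."""
    return {PORT_CLAUSE.sub("", match) for _, _, match, _ in acls}

def row_counts(port_uuids, rules, group_name="sg_example"):
    """(per-port ACL rows, port-group ACL rows, port-group membership entries)."""
    return (len(per_port_acls(port_uuids, rules)),
            len(port_group_acls(group_name, rules)),
            len(port_uuids))

# Constructed sample input: placeholder Neutron port UUIDs and two SG rules.
SAMPLE_PORTS = ["11111111-0000-0000-0000-000000000001",
                "11111111-0000-0000-0000-000000000002",
                "11111111-0000-0000-0000-000000000003"]
SAMPLE_RULES = [SgRule("ingress", "tcp", 22), SgRule("ingress", "tcp", 443)]

if __name__ == "__main__":
    for row in per_port_acls(SAMPLE_PORTS, SAMPLE_RULES):
        print(row)
    print("distinct matches once the port clause is removed:",
          distinct_after_stripping_port(per_port_acls(SAMPLE_PORTS, SAMPLE_RULES)))
    print("rows (per-port ACLs, port-group ACLs, group members):",
          row_counts(SAMPLE_PORTS, SAMPLE_RULES))
```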