On Wed, Feb 14, 2018 at 3:08 PM, Ben Pfaff <b...@ovn.org> wrote:
> On Wed, Feb 14, 2018 at 02:25:56PM -0800, Han Zhou wrote:
> > On Wed, Feb 14, 2018 at 1:40 PM, Ben Pfaff <b...@ovn.org> wrote:
> > >
> > > On Wed, Feb 14, 2018 at 12:34:19PM -0800, Han Zhou wrote:
> > > > I remember there was a patch for ACL group in OVN, so that instead
> > R*P
> > > > rows we will have only R + P rows, but didn't see it went through.
> > >
> > > I don't remember that. Any chance you could point me to it?
> > Yes, I found it:
> > https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/077118.html
> > https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/321165.html
> > And I made a mistake in my previous text. It is about port group, which
> > what we need here, rather than ACL group.
> I guess what I'd like to see is an example of the problem that we're
> trying to solve here: what does a typical ACL row for a security group
> look like, and what parts of the row differ between its instance for one
> port and another port?
An ACL for a Neutron SG rule: ingress tcp dport=22, is something like:
to-lport 1000 "outport==\"<neutron port uuid>\" && ip4 && tcp &&
All ports bound to the same SG will have an ACL like this, and the only
difference between one port and another is the <neutron port uuid> part.
discuss mailing list