OK, let me paste some examples, but feel free to ask for any further
details.

1 Logical Switch with 5 ports and 8 ACLs per port:


# ovn-nbctl show
switch c1fac5d4-b682-4078-9282-61cfa6383893
(neutron-d35e99a5-d9e9-4bc5-9ad4-08e0941f1820) (aka test_net)
    port 8a8be79b-7a24-4a19-b952-c68d839e0164 (aka port2)
        addresses: ["fa:16:3e:eb:c1:fe 10.1.0.12"]
    port 181e3f51-9d16-43fe-a96c-195bf93f2cad
        type: localport
        addresses: ["fa:16:3e:46:bd:58 10.1.0.2"]
    port 340ca12f-8a4c-4441-87f6-885fb81f8964 (aka port5)
        addresses: ["fa:16:3e:60:a7:2e 10.1.0.11"]
    port 8883e188-ed97-4f66-954f-b61a7784bf58 (aka port1)
        addresses: ["fa:16:3e:7a:e1:90 10.1.0.4"]
    port 1031f2d3-b1ea-473b-b033-92c15c4df005 (aka port4)
        addresses: ["fa:16:3e:2a:fa:4a 10.1.0.15"]
    port a75b6392-bb94-435a-abff-42edcb12fcf2 (aka port3)
        addresses: ["fa:16:3e:fa:c4:0d 10.1.0.10"]


* Logical Switch:

_uuid               : c1fac5d4-b682-4078-9282-61cfa6383893
acls                : [02070cc2-4910-407e-b396-81e603e1aa41,
02bdeb85-3030-43cf-9516-6608c3c490c0, 0952ab80-31b1-4fd1-975f-97ae6a9737a4,
0b47a395-bcb8-4d4d-abb5-92b245d34584, 1b2e5465-9ede-443d-b8ad-a6650d34d122,
224767cc-1d9b-4a92-a28f-31371c49f2b5, 2756e656-fd67-4298-8f36-37cdad8cd77b,
31f28d63-7b8f-4857-9b44-01efab624065, 3378f438-e3b0-4237-97f4-7e13c75b0853,
397b0944-ede3-4bc1-9f8b-7132fe398bbc, 3f4d056f-938c-4798-aa03-4dd1b6692ffe,
41fc3152-865b-4970-a2ba-75ce223a5b1b, 469e59ce-3d29-4534-9be4-23a77030f276,
4963ff86-b4f6-4481-9718-69ab6f98e823, 4b473d3a-d2cf-4bf6-b821-9f9a2513199e,
64078115-ca20-4e24-984f-cec39e0f952d, 6d3a4e24-396f-456a-864c-fa66babccf29,
76dc882e-b57c-4f07-bf79-38b29404bcea, 78d22025-4a8e-4693-ad3d-2e6139405114,
79474822-bde6-4764-bbe9-44eed8aa81ff, 80e48478-5b79-4ede-886b-02ba5966fa74,
84368ef1-25f4-4d28-a42c-a63d224b6b8d, 966778a8-08e9-4d94-8338-3b362b1aefc7,
a1838363-c906-41db-b7de-02aee4f02c67, a5dc65f7-22a4-4aa9-9c47-0994afa1e65b,
aa604f5c-d082-4a72-a1af-0963fdd57b13, aeccba8e-a81a-4596-84e2-72a5faeaadc2,
b001199a-3b81-41db-b013-2a28b471f5d8, b10116b8-ee5d-42a5-9ab6-748eca0ff594,
b14cbff7-47b3-4c9d-9f94-bfa435227c17, b4544d68-5bed-4b69-8bb7-254300a72c70,
c553fd14-cb47-4646-b7f2-2a47041ca68c, caa570c9-e8d8-44a9-b3b1-d5a044f54a9e,
e4f88595-7130-4c21-a6d8-b7130272c797, e7ddfd73-2c41-4fc5-a6c6-87cb24d710b1,
f0493516-e561-41cd-b748-df992aff3308, f2ecd261-c860-4dee-ab78-86547a72591e,
f37aeecf-da41-4964-b913-6b83e92a5716, f92f1023-56ec-457d-82cb-5547b27c8403,
fa8dd4e0-8bdc-4d63-84de-ebe952f95cfd]
dns_records         : []
external_ids        : {"neutron:network_name"=test_net,
"neutron:qos_policy_id"=null, "neutron:revision_number"="4"}
load_balancer       : []
name                : "neutron-d35e99a5-d9e9-4bc5-9ad4-08e0941f1820"
other_config        : {}
ports               : [003491b0-38cb-4aa9-a2b1-922020dee8dd,
14abb895-8696-41a0-9f4a-e02c8a488310, 2d23f0a0-38e7-4942-988b-c9a1345e3f82,
33c5d2a0-2ae9-496c-972f-1fccb37eac9d, a8693978-52f9-4876-a928-2b2232195122,
f2924201-8163-4ea6-a55f-89e663ecda6d]


* ACLs for port1:

_uuid               : fa8dd4e0-8bdc-4d63-84de-ebe952f95cfd
action              : allow
direction           : from-lport
external_ids        :
{"neutron:lport"="8883e188-ed97-4f66-954f-b61a7784bf58"}
log                 : false
match               : "inport == \"8883e188-ed97-4f66-954f-b61a7784bf58\"
&& ip4 && ip4.dst == {255.255.255.255, 10.1.0.0/16} && udp && udp.src == 68
&& udp.dst == 67"
name                : []
priority            : 1002
severity            : []


_uuid               : 79474822-bde6-4764-bbe9-44eed8aa81ff
action              : allow-related
direction           : from-lport
external_ids        :
{"neutron:lport"="8883e188-ed97-4f66-954f-b61a7784bf58",
"neutron:security_group_rule_id"="2603769a-c388-41f7-af13-bbd80991db63"}
log                 : false
match               : "inport == \"8883e188-ed97-4f66-954f-b61a7784bf58\"
&& ip4"
name                : []
priority            : 1002
severity            : []


_uuid               : 397b0944-ede3-4bc1-9f8b-7132fe398bbc
action              : allow-related
direction           : to-lport
external_ids        :
{"neutron:lport"="8883e188-ed97-4f66-954f-b61a7784bf58",
"neutron:security_group_rule_id"="953242fd-bc6d-4100-bff0-c6d4e1879e28"}
log                 : false
match               : "outport == \"8883e188-ed97-4f66-954f-b61a7784bf58\"
&& ip4 && ip4.src == 0.0.0.0/0 && icmp4"
name                : []
priority            : 1002
severity            : []


_uuid               : 4963ff86-b4f6-4481-9718-69ab6f98e823
action              : allow-related
direction           : from-lport
external_ids        :
{"neutron:lport"="8883e188-ed97-4f66-954f-b61a7784bf58",
"neutron:security_group_rule_id"="e4a6d2ae-4946-42e3-934d-a67856226902"}
log                 : false
match               : "inport == \"8883e188-ed97-4f66-954f-b61a7784bf58\"
&& ip4 && ip4.dst == 0.0.0.0/0 && tcp"
name                : []
priority            : 1002
severity            : []


_uuid               : caa570c9-e8d8-44a9-b3b1-d5a044f54a9e
action              : allow-related
direction           : from-lport
external_ids        :
{"neutron:lport"="8883e188-ed97-4f66-954f-b61a7784bf58",
"neutron:security_group_rule_id"="105df449-d073-4389-a895-f2b01ef9d0b3"}
log                 : false
match               : "inport == \"8883e188-ed97-4f66-954f-b61a7784bf58\"
&& ip6"
name                : []
priority            : 1002
severity            : []


_uuid               : 84368ef1-25f4-4d28-a42c-a63d224b6b8d
action              : drop
direction           : to-lport
external_ids        :
{"neutron:lport"="8883e188-ed97-4f66-954f-b61a7784bf58"}
log                 : false
match               : "outport == \"8883e188-ed97-4f66-954f-b61a7784bf58\"
&& ip"
name                : []
priority            : 1001
severity            : []


_uuid               : 0b47a395-bcb8-4d4d-abb5-92b245d34584
action              : drop
direction           : from-lport
external_ids        :
{"neutron:lport"="8883e188-ed97-4f66-954f-b61a7784bf58"}
log                 : false
match               : "inport == \"8883e188-ed97-4f66-954f-b61a7784bf58\"
&& ip"
name                : []
priority            : 1001
severity            : []


_uuid               : a5dc65f7-22a4-4aa9-9c47-0994afa1e65b
action              : allow-related
direction           : to-lport
external_ids        :
{"neutron:lport"="8883e188-ed97-4f66-954f-b61a7784bf58",
"neutron:security_group_rule_id"="415a68ae-51bb-452b-b497-686fe39a80de"}
log                 : false
match               : "outport == \"8883e188-ed97-4f66-954f-b61a7784bf58\"
&& ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
name                : []
priority            : 1002
severity            : []


The remaining ports have the same ACLs; for example, for port 2 the SSH rule
looks exactly the same:

_uuid               : 64078115-ca20-4e24-984f-cec39e0f952d
action              : allow-related
direction           : to-lport
external_ids        :
{"neutron:lport"="8a8be79b-7a24-4a19-b952-c68d839e0164",
"neutron:security_group_rule_id"="415a68ae-51bb-452b-b497-686fe39a80de"}
log                 : false
match               : "outport == \"8a8be79b-7a24-4a19-b952-c68d839e0164\"
&& ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
name                : []
priority            : 1002
severity            : []


If we had the Port_Set, we could simply write the match part as
"outport == $security_group1 && ip4 && ip4.src == 0.0.0.0/0 && tcp &&
tcp.dst == 22"
and reduce the number of ACLs to one per security group rule instead of one
per security group rule per port, as it is right now. As you can see, we
reference the relevant security group rule in the CMS through the
neutron:security_group_rule_id key in the external_ids column, so all ACLs
that correspond to the same SG rule would collapse to just one.

* Logical_Switch_Port:

port1:

_uuid               : 33c5d2a0-2ae9-496c-972f-1fccb37eac9d
addresses           : ["fa:16:3e:7a:e1:90 10.1.0.4"]
dhcpv4_options      : b1d9c34a-cec4-4e6b-8b6e-582d19602adc
dhcpv6_options      : []
dynamic_addresses   : []
enabled             : true
external_ids        : {"neutron:cidrs"="10.1.0.4/16",
"neutron:device_id"="", "neutron:device_owner"="",
"neutron:network_name"="neutron-d35e99a5-d9e9-4bc5-9ad4-08e0941f1820",
"neutron:port_name"="port1", "neutron:project_id"="0c9babdf9b154b1e8d4b87bece2ea11d",
"neutron:revision_number"="4",
"neutron:security_group_ids"="f9cb62fb-cbfd-4259-a711-b35315fdc169"}
name                : "8883e188-ed97-4f66-954f-b61a7784bf58"
options             : {requested-chassis=""}
parent_name         : []
port_security       : ["fa:16:3e:7a:e1:90 10.1.0.4"]
tag                 : []
tag_request         : []
type                : ""
up                  : false


* Address_Set:

_uuid               : b546bb07-04c7-4c93-a5e7-3d0c9f9e5c06
addresses           : ["10.1.0.10", "10.1.0.11", "10.1.0.12", "10.1.0.15",
"10.1.0.4"]
external_ids        :
{"neutron:security_group_id"="f9cb62fb-cbfd-4259-a711-b35315fdc169"}
name                : "as_ip4_f9cb62fb_cbfd_4259_a711_b35315fdc169"




On Thu, Feb 15, 2018 at 12:08 AM, Ben Pfaff <b...@ovn.org> wrote:

> On Wed, Feb 14, 2018 at 02:25:56PM -0800, Han Zhou wrote:
> > On Wed, Feb 14, 2018 at 1:40 PM, Ben Pfaff <b...@ovn.org> wrote:
> > >
> > > On Wed, Feb 14, 2018 at 12:34:19PM -0800, Han Zhou wrote:
> > > > I remember there was a patch for ACL group in OVN, so that instead of
> > R*P
> > > > rows we will have only R + P rows, but didn't see it went through.
> > >
> > > I don't remember that.  Any chance you could point me to it?
> >
> > Yes, I found it:
> >
> > https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/077118.html
> > https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/321165.html
> >
> > And I made a mistake in my previous text. It is about port group, which
> is
> > what we need here, rather than ACL group.
>
> I guess what I'd like to see is an example of the problem that we're
> trying to solve here: what does a typical ACL row for a security group
> look like, and what parts of the row differ between its instance for one
> port and another port?
>