Hi Numan,

Creating a new thread here to follow up on the ACL questions.

> > > I think this is a big problem here. We should not use "!=" in
> > > logical flows, although OVN allows.
> >
> > Is this a generic recommendation or for certain cases?
> > Is it OK to add an ACL with "!=", like below?
> >
> > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005
> > 'ip4.dst == 192.168.0.0/16 && inport != "d93619c3-dab9-4f6d-8261-4211f6937fd1"' drop
>
> This is a generic recommendation. The above ACL would also result in
> many OF flows.
>
> To handle cases like above, you can add a couple of ACLs like below with
> a high priority flow to allow the desired inport and a low priority ACL to
> drop all the traffic.
>
> ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1006
> 'ip4.dst == 192.168.0.0/16 && inport == "d93619c3-dab9-4f6d-8261-4211f6937fd1"' allow
> ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005
> 'ip4.dst == 192.168.0.0/16' drop

In my case, two LS connect to one LR which has external access. There are
3 ports on each LS:

* vm_port
* gw_port (connects to the LR)
* svc_port (localport for DHCP and metadata)

What I want is to disable the connection between the two LS while allowing
external access for both of them.

Option #1, create one ACL for each VM on each LS.
========
acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport == "$vm_port"' drop
========
This works fine for me, but the ACL has to be per VM.

Option #2, create one ACL to exclude gw_port and svc_port.
========
acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport != "$gw_port" && inport != "svc_port"' drop
========
As you mentioned, this is not recommended, because it will result in many
OF flows. I actually tried it, but I don't see any OF flows created for
that ACL. Is there any policy in ovn-controller to not translate such a
policy to OF flows?

Option #3, as you suggested, I tried 2 ACLs.
========
acl-add $ls from-lport 1006 'ip4.dst == 192.168.0.0/16 && (inport == "$gw_port" || inport == "svc_port")' allow
acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16' drop
========
On the compute node, I see the "drop" OF flow only, not the "allow" flow.
Am I missing anything here?

Thanks!
Tony
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
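The following is an added example, not code from this thread or from OVN, to make the "!= results in many OF flows" point concrete. OpenFlow only has positive bit-masked matches, so a translator that has to express `field != v` over an n-bit field rewrites it as "at least one bit of field differs from v": a disjunction of n single-bit matches, one flow each, and ANDing two such disjunctions (Option #2) cross-multiplies them. The model below assumes the port key sits in a 32-bit register (`FIELD_WIDTH`) and uses the constructed port keys 1 and 2 for gw_port and svc_port; OVN's real expr/lflow code simplifies further, so the exact counts are illustrative, not OVN's. `acl_commands` is a hypothetical helper that emits the allow-then-drop pattern Numan recommended.

```python
"""Model of why `inport != ...` in an OVN ACL fans out into many OpenFlow flows.

Constructed illustration for the ovs-discuss thread above; not OVN code.
"""
from itertools import product

# Assumption: the logical port key is matched in a 32-bit register.
FIELD_WIDTH = 32


def ne_to_terms(value, width=FIELD_WIDTH):
    """`field != value` as a disjunction: one single-bit match {bit: wanted} per bit."""
    return [{bit: 1 - ((value >> bit) & 1)} for bit in range(width)]


def and_of_disjunctions(clauses):
    """Distribute AND over OR: each choice of one term per clause is a candidate
    flow. Combinations that pin a bit to both 0 and 1 are contradictions and are
    dropped; identical flows are emitted once."""
    flows, seen = [], set()
    for combo in product(*clauses):
        merged, consistent = {}, True
        for term in combo:
            for bit, wanted in term.items():
                if merged.setdefault(bit, wanted) != wanted:
                    consistent = False
                    break
            if not consistent:
                break
        if consistent:
            key = tuple(sorted(merged.items()))
            if key not in seen:
                seen.add(key)
                flows.append(merged)
    return flows


def flows_for_exclusion_acl(excluded_keys, width=FIELD_WIDTH):
    """Option #2 shape: a single drop ACL with `inport != k1 && inport != k2 ...`."""
    return and_of_disjunctions([ne_to_terms(k, width) for k in excluded_keys])


def flows_for_allow_then_drop(excluded_keys):
    """Numan's recommendation / Option #3 shape: one positive allow per exempt
    port at the higher priority, then a single catch-all drop."""
    return [("allow", {"inport": k}) for k in excluded_keys] + [("drop", {})]


def acl_commands(ls, subnet, exempt_ports, allow_prio=1006, drop_prio=1005):
    """Hypothetical helper: ovn-nbctl commands for the allow-then-drop pattern.
    `ls`, `subnet` and `exempt_ports` are whatever the caller's deployment uses."""
    cmds = []
    for port in exempt_ports:
        cmds.append(
            f"ovn-nbctl acl-add {ls} from-lport {allow_prio} "
            f"'ip4.dst == {subnet} && inport == \"{port}\"' allow")
    cmds.append(
        f"ovn-nbctl acl-add {ls} from-lport {drop_prio} 'ip4.dst == {subnet}' drop")
    return cmds


if __name__ == "__main__":
    gw, svc = 1, 2  # constructed port keys standing in for gw_port and svc_port
    print("one  != :", len(flows_for_exclusion_acl([gw])), "flows")
    print("two  != :", len(flows_for_exclusion_acl([gw, svc])), "flows")
    print("allow+drop:", len(flows_for_allow_then_drop([gw, svc])), "flows")
    for cmd in acl_commands("ls0", "192.168.0.0/16", ["gw_port", "svc_port"]):
        print(cmd)
```

Run stand-alone it shows a single `!=` costing one flow per register bit, two `!=` terms costing several hundred flows after contradictions and duplicates are removed, and the positive allow-then-drop form costing three, which is why the recommended pattern lists the exempt ports with `==` at the higher priority instead of negating them.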