Hi,
The ACL section of the ovn-nb.5.html man page states:
match: string
...
...
...
Note that you can not create an ACL matching on a port with
type=router or type=localnet.
Yet this is not what I see; it seems that ACLs work on localnet ports. I have:
ls_vcn5185721_external_ugw
    port ls_vcn5185721_external_ugw-lr_vcn5185721
        type: router
        router-port: lr_vcn5185721-ls_vcn5185721_external_ugw
    port ln-ls_vcn5185721_external_ugw
        type: localnet
        addresses: ["unknown"]
And an ACL:
to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (icmp4.type == 3 || icmp4.type == 11)) allow-related
to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == 169.254.169.254 && tcp.dst == 80)) drop log(name=vcn-ugw-def-2,severity=info)
to-lport 32767 (outport == "ln-ls_vcn5185721_external_ugw" && arp) allow-related
to-lport 32766 (outport == "ln-ls_vcn5185721_external_ugw" && (ip4.dst == $vcn5185721_allowed_underlay) && (tcp.dst == 53 || tcp.dst == 443 || tcp.dst == 8443 || udp.dst == 53 || tcp.dst == 123 || udp.dst == 123)) allow-related
to-lport 0 (outport == "ln-ls_vcn5185721_external_ugw") drop log(name=vcn-ugw-def-4,severity=info)
And the ACL is working. Am I missing something, or is the man page incorrect?
Thanks
Brendan
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
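The following is an added example, not code from the post or from OVN itself: a small Python model of how the northbound ACL table above is evaluated, so that the effect of the five to-lport rules on a given packet can be checked offline. Among the ACLs of one direction the highest priority that matches wins, and a packet matching none of them passes (modelled as "allow"); where two ACLs of the same priority both match, OVN does not define which one applies, and the toy simply keeps list order. Only the match syntax the post uses is supported (`==` against a number, a quoted string, an IPv4 literal or a `$address_set`, bare predicates such as `arp`, `&&`, `||`, `!` and parentheses). Packets are plain dicts of the fields the ACLs inspect, and the contents of `$vcn5185721_allowed_underlay` are assumed (`10.0.0.0/8`) because the post does not show them. It does not model conntrack state behind `allow-related`, and it says nothing about whether ovn-northd actually programs these flows for a localnet port, which is what the post is asking.

```python
"""Toy evaluator for OVN northbound ACL precedence (added example, not OVN code)."""
import ipaddress
import re
from collections import namedtuple

Acl = namedtuple("Acl", "direction priority match action log_name", defaults=("",))  # higher priority wins
TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||==|!|"[^"]*"|\$[\w.]+|[\w.]+)')

def tokenize(match):
    """Split an OVN match expression into tokens; raises on syntax this toy does not support."""
    match, pos, out = match.strip(), 0, []
    while pos < len(match):
        m = TOKEN_RE.match(match, pos)
        if not m:
            raise ValueError(f"unsupported syntax near {match[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out

class Matcher:
    """expr := conj ('||' conj)*; conj := unary ('&&' unary)*; unary := '!' unary | '(' expr ')' | field ['==' lit]"""
    def __init__(self, tokens, pkt, address_sets):
        self.t, self.i, self.pkt, self.sets = tokens, 0, pkt, address_sets

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None

    def take(self):
        self.i += 1
        return self.t[self.i - 1]  # IndexError on a truncated expression

    def expr(self):
        v = self.conj()
        while self.peek() == "||":
            self.take()
            v = self.conj() or v  # right side is always consumed, no short-circuit
        return v

    def conj(self):
        v = self.unary()
        while self.peek() == "&&":
            self.take()
            v = self.unary() and v
        return v

    def unary(self):
        tok = self.take()
        if tok == "!":
            return not self.unary()
        if tok == "(":
            v = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return v
        if self.peek() == "==":
            self.take()
            return self.compare(tok, self.take())
        return bool(self.pkt.get(tok))  # bare predicate such as `arp`

    def compare(self, field, literal):
        have = self.pkt.get(field)
        if have is None:  # field absent, e.g. tcp.dst on an ICMP packet
            return False
        if literal.startswith("$"):  # address set: member of any listed CIDR
            nets = self.sets.get(literal[1:], ())
            return any(ipaddress.ip_address(have) in ipaddress.ip_network(n) for n in nets)
        if literal.startswith('"'):
            return have == literal[1:-1]
        return have == int(literal) if literal.isdigit() else str(have) == literal

def decide(acls, direction, pkt, address_sets):
    """Return (action, log_name, priority) of the winning ACL, or ("allow", "", None) if none matches."""
    for acl in sorted((a for a in acls if a.direction == direction), key=lambda a: -a.priority):
        m = Matcher(tokenize(acl.match), pkt, address_sets)
        hit = m.expr()
        if m.peek() is not None:
            raise ValueError(f"trailing tokens in {acl.match!r}")
        if hit:
            return acl.action, acl.log_name, acl.priority
    return "allow", "", None

LN = "ln-ls_vcn5185721_external_ugw"
OUT = f'outport == "{LN}"'
ACLS = [  # the post's to-lport ACLs, transcribed
    Acl("to-lport", 32767, f"{OUT} && (icmp4.type == 3 || icmp4.type == 11)", "allow-related"),
    Acl("to-lport", 32767, f"{OUT} && (ip4.dst == 169.254.169.254 && tcp.dst == 80)", "drop", "vcn-ugw-def-2"),
    Acl("to-lport", 32767, f"{OUT} && arp", "allow-related"),
    Acl("to-lport", 32766, f"{OUT} && (ip4.dst == $vcn5185721_allowed_underlay) && (tcp.dst == 53 || tcp.dst == 443"
        " || tcp.dst == 8443 || udp.dst == 53 || tcp.dst == 123 || udp.dst == 123)", "allow-related"),
    Acl("to-lport", 0, OUT, "drop", "vcn-ugw-def-4"),
]
ADDRESS_SETS = {"vcn5185721_allowed_underlay": ["10.0.0.0/8"]}  # assumed contents; the post does not show them

def tcp4(dst, port, outport=LN):  # constructed IPv4/TCP packet carrying only the fields the ACLs inspect
    return {"ip4": True, "ip4.dst": dst, "tcp": True, "tcp.dst": port, "outport": outport}

def icmp4(icmp_type, dst="10.0.0.5", outport=LN):  # constructed IPv4/ICMP packet
    return {"ip4": True, "ip4.dst": dst, "icmp4": True, "icmp4.type": icmp_type, "outport": outport}
```

Calling `decide(ACLS, "to-lport", tcp4("169.254.169.254", 80), ADDRESS_SETS)` picks the 32767 metadata-service drop even though the packet would also be caught by the priority-0 drop, while `tcp4("10.0.0.5", 443)` is let through at 32766 and `tcp4("8.8.8.8", 443)` falls to the priority-0 rule; a packet whose `outport` is any other port matches nothing and passes, which is the default the table relies on.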