Re: [ovs-dev] [RFC] OVN northbound address sets

2016-03-22 Thread Russell Bryant
Great, thanks for the feedback! I'm working on the implementation of address sets for OVN now. It's still incomplete, but I'd like to post something by the end of the week. https://github.com/russellb/ovs/commits/ovn-address-sets -- Russell Bryant On Tue, Mar 22, 2016 at 3:26 PM, Salvatore

Re: [ovs-dev] [RFC] OVN northbound address sets

2016-03-22 Thread Salvatore Orlando
As I am doing some integration between OVN and Kubernetes, there is a similar problem there where the introduction of this concept can be very beneficial. To provide some context, a Kubernetes network policy [1] might have several "from" clauses which might translate into a great number of IP

Re: [ovs-dev] [RFC] OVN northbound address sets

2016-03-10 Thread Ben Pfaff
On Wed, Mar 09, 2016 at 04:12:07PM -0500, Russell Bryant wrote: > > One use case for OVN ACLs includes matching on a set of IP addresses. A > simple example: > > inport == "lport1" && ip.src == {10.0.0.1, 10.0.0.3, 10.0.7} > > This is only 3 addresses, but it could easily be hundreds of

Re: [ovs-dev] [RFC] OVN northbound address sets

2016-03-10 Thread Amitabha Biswas
It’s a great idea. From an OpenStack point of view, this will make NB ACL transaction sets O(1) instead of O(N) when combined with the delta ACL computation patch that is currently under review. I agree with Ryan’s SB extension. Since Address_Set will be a new table, the conditional_monitor

Re: [ovs-dev] [RFC] OVN northbound address sets

2016-03-10 Thread Russell Bryant
On Thu, Mar 10, 2016 at 1:45 AM, Han Zhou wrote: > This is a great idea!! Just like what ipset has helped for iptables. > Thanks for the feedback. Yes, ipset was what inspired the idea. :-) > And I agree with the "additional step" (as pointed out by Ryan) that we > should

Re: [ovs-dev] [RFC] OVN northbound address sets

2016-03-09 Thread Han Zhou
On Wed, Mar 9, 2016 at 1:32 PM, Ryan Moats <rmo...@us.ibm.com> wrote: > > > > "dev" <dev-boun...@openvswitch.org> wrote on 03/09/2016 03:12:07 PM: > > > From: Russell Bryant <russ...@ovn.org> > > To: ovs dev <dev@openvswitch.org> &

Re: [ovs-dev] [RFC] OVN northbound address sets

2016-03-09 Thread Ryan Moats
"dev" <dev-boun...@openvswitch.org> wrote on 03/09/2016 03:12:07 PM: > From: Russell Bryant <russ...@ovn.org> > To: ovs dev <dev@openvswitch.org> > Date: 03/09/2016 03:12 PM > Subject: [ovs-dev] [RFC] OVN northbound address sets > Sent by: "

[ovs-dev] [RFC] OVN northbound address sets

2016-03-09 Thread Russell Bryant
I'd like to propose a new feature for the OVN northbound database. If we reach some consensus, I will implement it. Overview: One use case for OVN ACLs includes matching on a set of IP addresses. A simple example: inport == "lport1" && ip.src == {10.0.0.1, 10.0.0.3, 10.0.7} This is only