A couple of folks have pointed out that the way we attach ACLs to either 
physical ports or to <port, VLAN> pairs leaves some room for ambiguity. My 
proposal is that we discourage the use of both types of ACLs on the same 
physical port. We can’t enforce this (AFAIK) in the database itself, but we can 
recommend against it in the schema documentation. That is, to the current 
paragraph:

      <p>
        Attach Access Control Lists (ACLs) to the physical port. The
        column consists of a map of VLAN tags to <ref table="ACL"/>s. If the
        value of the VLAN tag in the map is 0, this means that the ACL is
        associated with the entire physical port. Non-zero values mean
        that the ACL is to be applied only on packets carrying that VLAN
        tag value. Switches will not necessarily support matching on the
        VLAN tag for all ACLs, and unsupported ACL bindings will cause
        errors to be reported.
      </p>

we would add a line something like:

“The binding of an ACL to a specific VLAN and the binding of an ACL to the 
entire physical port should not be combined on a single physical port. That is, 
a mix of zero and non-zero keys in the map is not recommended.”

I haven’t yet been able to figure out a realistic case where this would be an 
unreasonable restriction.

Also, there was a question as to how tagged and untagged packets arriving on a 
particular port would be handled when the ACL is attached to the entire port. 
That behavior would depend on how the switch port is configured independent 
from the ACL configuration. We have always assumed that some aspects of the 
switch’s configuration happen under operator control, without the network 
virtualization controller having any input.

Let me know if this raises any issues; if not, I’ll update the patch.

Bruce

> On Aug 24, 2015, at 6:08 PM, bda...@nicira.com wrote:
> 
> Two new tables are added to the VTEP schema, for ACL entries and
> ACLs (which are groups of entries). The physical port table is modified
> to allow ACLs to be associated with ports, and the logical router table
> is modified to allow ACLs to be attached to logical router ports.
> 
> Signed-off-by: Bruce Davie <bda...@vmware.com>
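The mail notes that the "no mixing of zero and non-zero keys" rule cannot be enforced by the database itself, so an out-of-band lint is the practical check. The following is an added example, not code from the OVS/VTEP project or from the patch; it assumes a hypothetical Physical_Port column named `acls` holding an OVSDB map of VLAN tag to ACL row UUID in the JSON wire encoding `["map", [[key, ["uuid", id]], ...]]`, and it also flags keys outside the 12-bit VLAN range.

```python
"""Lint ACL-to-port bindings as described in the thread above.  Added example,
not part of the OVS/VTEP schema or the patch.  The "acls" column name and the
row layout are assumptions; the OVSDB JSON map encoding is the standard one."""

from typing import Dict, List

PORT_WIDE_TAG = 0      # per the schema text: key 0 binds the ACL to the whole port
MAX_VLAN_TAG = 4095    # 12-bit VLAN ID space


def parse_ovsdb_map(col) -> Dict[int, str]:
    """Turn an OVSDB JSON map value ["map", [[k, ["uuid", id]], ...]] into {k: id}."""
    if not (isinstance(col, list) and len(col) == 2 and col[0] == "map"):
        raise ValueError("expected an OVSDB map value")
    return {int(k): v[1] for k, v in col[1]}


def check_port_acl_bindings(port_name: str, acls: Dict[int, str]) -> List[str]:
    """Return findings for one port's ACL map; an empty list means it follows
    the recommended usage (either port-wide or per-VLAN bindings, not both)."""
    findings = []
    for t in (t for t in acls if not 0 <= t <= MAX_VLAN_TAG):
        findings.append(f"{port_name}: VLAN key {t} outside 0..{MAX_VLAN_TAG}")
    per_vlan = sorted(t for t in acls if t != PORT_WIDE_TAG and 0 <= t <= MAX_VLAN_TAG)
    if PORT_WIDE_TAG in acls and per_vlan:
        findings.append(
            f"{port_name}: port-wide ACL {acls[PORT_WIDE_TAG]} mixed with per-VLAN "
            f"ACLs on VLAN(s) {per_vlan}; the schema text recommends against mixing")
    return findings


def lint_physical_ports(rows: List[dict]) -> List[str]:
    """Lint a list of Physical_Port rows already decoded from OVSDB JSON."""
    out = []
    for row in rows:
        out.extend(check_port_acl_bindings(row["name"], parse_ovsdb_map(row["acls"])))
    return out


# Constructed sample rows, not real VTEP data.
SAMPLE_ROWS = [
    {"name": "eth0", "acls": ["map", [[0, ["uuid", "acl-a"]]]]},                            # port-wide only
    {"name": "eth1", "acls": ["map", [[10, ["uuid", "acl-b"]], [20, ["uuid", "acl-c"]]]]},  # per-VLAN only
    {"name": "eth2", "acls": ["map", [[0, ["uuid", "acl-a"]], [10, ["uuid", "acl-b"]]]]},   # mixed: flagged
]

if __name__ == "__main__":
    for line in lint_physical_ports(SAMPLE_ROWS):
        print(line)
```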
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev