On Fri, Jan 29, 2016 at 09:28:54PM +0530, Numan Siddique wrote:
> For every port security defined for a logical port, add the following lflows
> in the "ls_in_port_sec" and "ls_out_port_sec" stages
>    - A priority 90 flow to allow ipv4 traffic for known ip addresses
>      and (broadcast ip - for ingress, mainly for dhcp)
>    - A priority 80 flow to drop all ipv4 traffic.
>    - For ingress, a priority 90 flow to allow arp traffic for known
>       ip addresses and priority 80 flow to drop all arp traffic
>    - A priority 90 flow to allow ipv6 traffic for all ipv6 addresses if
>      port security has ipv6 address(es) defined
>      (next patch will address ipv6)
>    - A priority 80 flow to drop all ipv6 traffic.
>    - A priority 50 flow to allow all traffic on that port with the matching
>      eth address
> 
> Eg. if the port security is "00:00:00:00:00:01 10.0.0.2"
> 
> priority=90, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
> && arp && arp.sha == 00:00:00:00:00:01 && (arp.spa == 10.0.0.2)), 
> action=(next;)
> 
> priority=90, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
> && ip4 && ((ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255) ||
> ip4.src == 10.0.0.3)), action=(next;)
> 
> priority=80, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
> && (arp || ip4)), action=(drop;)
> 
> priority=80, match=(inport == "portname" && eth.src == 00:00:00:00:00:01
> && ip6), action=(drop;)
> 
> priority=50, match=(inport == "portname" && eth.src == 00:00:00:00:00:01),
> action=(next;)
> 
> Signed-off-by: Numan Siddique <nusid...@redhat.com>

Please update ovn-northd.8.xml to describe the new flows.

Thanks for writing a test.  I know that they're difficult to write.  (I
intend to work on this at some point.)
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
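The flow list quoted above is a small algorithm: for each port-security entry "MAC [IP ...]" the northd stage emits allow flows at priority 90 for the configured addresses (plus the 0.0.0.0 -> 255.255.255.255 DHCP case on ingress), catch-all drops at priority 80 for ARP/IPv4 and IPv6, and a priority 50 flow that lets the remaining traffic with the right MAC through. The Python model below is an added illustration, not code from this patch or from ovn-northd: it builds the ls_in_port_sec flows exactly as the commit message lists them for one entry and pairs each flow with a predicate so the resulting table can be exercised offline with the highest-priority-wins rule of the OVN pipeline. The packet dictionaries and their field names (`proto`, `arp.spa`, `ip4.src`, ...) are constructed for the example; the drop flows are emitted unconditionally because the listing shows them that way (the quoted example has an ip6 drop with no IPv6 address configured), so a MAC-only entry in this model passes only non-IP traffic, which is my reading and not something the patch states. The egress stage is not modelled.

```python
from collections import namedtuple
import ipaddress

# One logical flow: priority, the OVN match text as northd would emit it,
# the action, and a Python predicate over a constructed packet dict so the
# table can be evaluated offline.  (Added example; not ovn-northd code.)
Flow = namedtuple("Flow", "priority match action pred")


def parse_port_security(entry):
    """Split a port_security string such as "00:00:00:00:00:01 10.0.0.2 fd00::2"
    into (mac, ipv4 addresses, ipv6 addresses).  Plain addresses only."""
    mac, *addrs = entry.split()
    v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
    return mac, v4, v6


def ingress_port_sec_flows(port, entry):
    """Build the ls_in_port_sec flows for one port-security entry, in the
    order the commit message's example lists them."""
    mac, v4, v6 = parse_port_security(entry)
    base = 'inport == "%s" && eth.src == %s' % (port, mac)

    def on_port(p):
        return p.get("inport") == port and p.get("eth.src") == mac

    flows = []
    if v4:
        # Priority 90: ARP only from the bound MAC with a configured sender IP.
        spa = " || ".join("arp.spa == %s" % a for a in v4)
        flows.append(Flow(90, "%s && arp && arp.sha == %s && (%s)" % (base, mac, spa),
                          "next;",
                          lambda p: on_port(p) and p.get("proto") == "arp"
                          and p.get("arp.sha") == mac and p.get("arp.spa") in v4))
        # Priority 90: IPv4 from a configured source, or the DHCP discover case.
        src = " || ".join("ip4.src == %s" % a for a in v4)
        flows.append(Flow(90, "%s && ip4 && ((ip4.src == 0.0.0.0 && "
                              "ip4.dst == 255.255.255.255) || %s)" % (base, src),
                          "next;",
                          lambda p: on_port(p) and p.get("proto") == "ip4"
                          and ((p.get("ip4.src") == "0.0.0.0"
                                and p.get("ip4.dst") == "255.255.255.255")
                               or p.get("ip4.src") in v4)))
    # Priority 80: any other ARP or IPv4 from this MAC is a spoof attempt; drop.
    flows.append(Flow(80, "%s && (arp || ip4)" % base, "drop;",
                      lambda p: on_port(p) and p.get("proto") in ("arp", "ip4")))
    if v6:
        # Priority 90: the listing allows all IPv6 once any IPv6 address is set.
        flows.append(Flow(90, "%s && ip6" % base, "next;",
                          lambda p: on_port(p) and p.get("proto") == "ip6"))
    # Priority 80: drop IPv6 otherwise.
    flows.append(Flow(80, "%s && ip6" % base, "drop;",
                      lambda p: on_port(p) and p.get("proto") == "ip6"))
    # Priority 50: everything else with the bound MAC (non-IP protocols) continues.
    flows.append(Flow(50, base, "next;", on_port))
    return flows


def lookup(flows, packet):
    """Highest-priority matching flow wins; None means no flow of this
    port's set matched (e.g. a frame with a different eth.src)."""
    for f in sorted(flows, key=lambda f: -f.priority):
        if f.pred(packet):
            return f.action
    return None


if __name__ == "__main__":
    for f in ingress_port_sec_flows("portname", "00:00:00:00:00:01 10.0.0.2"):
        print("priority=%d, match=(%s), action=(%s)" % (f.priority, f.match, f.action))
```

Running the module prints the five ingress flows for the "00:00:00:00:00:01 10.0.0.2" case; the `lookup` helper is what makes the table worth having, since it shows that an ARP reply or IPv4 packet with the right MAC but an unconfigured source address falls through the priority 90 allows to the priority 80 drop, while a DHCP discover from 0.0.0.0 and a non-IP frame (say, LLDP) from the bound MAC both continue.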