> @@ -89,10 +89,11 @@ enum ovn_stage {
> PIPELINE_STAGE(SWITCH, IN, PORT_SEC_L2, 0, "ls_in_port_sec_l2") \
> PIPELINE_STAGE(SWITCH, IN, PORT_SEC_IP, 1, "ls_in_port_sec_ip") \
> PIPELINE_STAGE(SWITCH, IN, PORT_SEC_ND, 2, "ls_in_port_sec_nd") \
> - PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 3, "ls_in_pre_acl") \
> - PIPELINE_STAGE(SWITCH, IN, ACL, 4, "ls_in_acl") \
> - PIPELINE_STAGE(SWITCH, IN, ARP_RSP, 5, "ls_in_arp_rsp") \
> - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 6, "ls_in_l2_lkup") \
> + PIPELINE_STAGE(SWITCH, IN, DHCP, 3, "ls_in_dhcp") \
> + PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 4, "ls_in_pre_acl") \
> + PIPELINE_STAGE(SWITCH, IN, ACL, 5, "ls_in_acl") \
> + PIPELINE_STAGE(SWITCH, IN, ARP_RSP, 6, "ls_in_arp_rsp") \
> + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 7, "ls_in_l2_lkup") \
> \
Would it make sense to put DHCP after ACL instead of before it, so that some control over the handling of DHCP packets is provided via ACL rules? For instance, OpenStack currently programs DHCP ACL rules like the one below allowing client->server communication, and the use case would be wanting to drop all client->server DHCP traffic from a rogue VM. table=2( ls_in_acl), priority= 2002, match=(inport == "55c0912f-f7aa-4318-82f1-6118032839e3" && ip4 && (ip4.dst == 255.255.255.255 || ip4.dst == 10.10.0.0/16) && udp && udp.src == 68 && udp.dst == 67), action=(ct_commit; next;)
_______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev