Hi Han,
On 4/14/22 22:55, Han Zhou wrote:
> On Wed, Apr 6, 2022 at 7:33 AM Dumitru Ceara <[email protected]> wrote:
>>
>> This option changes how logical switch ACL related flows are generated
>> such that the following behavior is ensured:
>>
>> a. If a logical switch has no ACL applied to it (either directly or
>> indirectly via a port group) then traffic is always allowed in the
>> ls_in_acl, ls_in_acl_after_lb, ls_out_acl stages.
>>
>> b. If a logical switch has ACLs applied (directly or indirectly) and
>> NB_Global.options:default_acl_drop is set to 'false', then traffic that
>> doesn't match any ACL in the ls_in_acl, ls_in_acl_after_lb, ls_out_acl
>> stages is allowed to advance to the next step in the processing
>> pipeline.
>>
>> c. If a logical switch has *any* ACL applied (directly or indirectly)
>> and NB_Global.options:default_acl_drop is set to 'true', then a default
>> lowest-priority rule is added to the ls_in_acl, ls_in_acl_after_lb,
>> ls_out_acl stages to drop traffic that is not matched by any ACLs.
>>
>> The goal of the feature is to simplify the configuration of the ACLs and
>> port groups for CMSs that require a default-deny firewall
>> implementation. One such example is with OpenStack security groups
>> which, when enabled, implicitly drop all not explicitly allowed traffic.
>>
>> Until now the CMS had to add all logical ports corresponding to VMs in a
>> network to a single, huge, default-drop-port-group and apply a single
>> drop ACL to the port group.
>>
>> With this new feature, the CMS can enable 'default_acl_drop', and punch
>> holes for traffic that needs to be allowed. The resulting NB and SB
>> configuration is also reduced in size.
>>
>> Reported-by: Daniel Alvarez Sanchez <[email protected]>
>> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1947807
>> Signed-off-by: Dumitru Ceara <[email protected]>
>> ---
>> NOTE:
>> I'm sending this patch as RFC because I'd like to discuss alternatives
>> for the default behavior when the knob is enabled and logical switches
>> don't have any ACLs set.
>>
>> Also, it would be interesting to see if this feature, or something
>> similar would also be beneficial for other CMSs, e.g., ovn-kubernetes
>> (CC-ing Tim Rozet).
>
> Thanks Dumitru. This feature looks good. For ovn-kubernetes, I wonder whether
> it may not be helpful because network policies are applied on endpoints, and
> there is no way for a network policy to be mapped to a logical switch in
> ovn-k8s because there are no mappings between applications/services and
> logical switches (which are node-level objects), so the ACLs would all have
> the inport/outport matches, and the default deny/allow has to be applied at
> each LSP level. Tim may correct me if I am wrong. Regardless, it is a
> useful feature for OpenStack and probably other CMSs.
Thanks for looking at this RFC. Indeed, the main user is OpenStack.
>
> I have two comments, please see below.
>
>> ---
>> NEWS | 2 +
>> northd/northd.c | 31 +++++--
>> ovn-nb.xml | 8 ++
>> tests/ovn-northd.at | 218 ++++++++++++++++++++++++++++++++++++++++++++
>> 4 files changed, 253 insertions(+), 6 deletions(-)
>>
>> diff --git a/NEWS b/NEWS
>> index 3e8358723d..377d3f8cea 100644
>> --- a/NEWS
>> +++ b/NEWS
>> @@ -4,6 +4,8 @@ Post v22.03.0
>> different OVN Interconnection availability zones.
>> - Replaced the usage of masked ct_label by ct_mark in most cases to
> work
>> better with hardware-offloading.
>> + - Add global option (NB_Global.options:default_acl_drop) to enable
>> + implicit drop behavior on logical switches with ACLs applied.
>>
>> OVN v22.03.0 - 11 Mar 2022
>> --------------------------
>> diff --git a/northd/northd.c b/northd/northd.c
>> index 8dae72180d..77a2f49724 100644
>> --- a/northd/northd.c
>> +++ b/northd/northd.c
>> @@ -73,6 +73,12 @@ static struct eth_addr svc_monitor_mac_ea;
>> * Otherwise, it will avoid using it. The default is true. */
>> static bool use_ct_inv_match = true;
>>
>> +/* If this option is 'true' northd will implicitly add a lowest-priority
>> + * drop rule in the ACL stage of logical switches that have at least one
>> + * ACL.
>> + */
>> +static bool default_acl_drop;
>> +
>> #define MAX_OVN_TAGS 4096
>>
>> /* Pipeline stages. */
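Review bot: the comment on `default_acl_drop` should state the option's default, as the `use_ct_inv_match` comment just above does ("The default is true."); here the variable relies on static zero-initialization to mean false, so adding "The default is false." and naming the `NB_Global.options:default_acl_drop` key it mirrors would make that explicit to the next reader.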
>> @@ -6588,6 +6594,7 @@ static void
>> build_acls(struct ovn_datapath *od, struct hmap *lflows,
>> const struct hmap *port_groups, const struct shash
> *meter_groups)
>> {
>> + const char *default_acl_action = default_acl_drop ? "drop;" :
> "next;";
>> bool has_stateful = od->has_stateful_acl || od->has_lb_vip;
>> struct ds match = DS_EMPTY_INITIALIZER;
>> struct ds actions = DS_EMPTY_INITIALIZER;
>> @@ -6599,15 +6606,26 @@ build_acls(struct ovn_datapath *od, struct hmap
> *lflows,
>> *
>> * A related rule at priority 1 is added below if there
>> * are any stateful ACLs in this datapath. */
>> - if (!od->has_acls && !od->has_lb_vip) {
>> - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "1",
> "next;");
>> - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "1",
> "next;");
>> + if (!od->has_acls) {
>> + if (!od->has_lb_vip) {
>> + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "1",
>> + "next;");
>> + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "1",
>> + "next;");
>> + } else {
>> + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, "1", "next;");
>> + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, "1", "next;");
>> + }
>> + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, 0, "1",
> "next;");
>> } else {
>> - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;");
>> - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;");
>> + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1",
>> + default_acl_action);
>> + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1",
>> + default_acl_action);
>> + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, 0, "1",
>> + default_acl_action);
>
> Should the packet be dropped if we just don't add the lflow with "next"? It
> may save some flows but I agree that it doesn't make big differences.
>
I think I prefer it more when drops are explicit. It makes debugging
easier in my opinion.
>> }
>>
>> - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, 0, "1", "next;");
>>
>> if (has_stateful) {
>
> It seems the patch didn't take care of the stateful scenario? If
> has_stateful, there are priority 1 flows to forward the packets.
>
Good point, I missed those. I'll take care of the stateful scenario too
in the v1 patch. I'll also add a test.
> Thanks,
> Han
>
Thanks,
Dumitru
>> /* Ingress and Egress ACL Table (Priority 1).
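Review bot: the priority-0 `default_acl_action` flows added in the `else` branch are shadowed for IP traffic whenever `has_stateful` is true, because the priority-1 flows emitted under `if (has_stateful)` (the ones Han points to) still end in `next;`; with `default_acl_drop=true` only non-IP traffic would actually reach the drop. Those priority-1 flows should take `default_acl_action` as their final action instead of `next;` when `od->has_acls`. Smaller point: `S_SWITCH_IN_ACL_AFTER_LB` is now added at priority 0 in both branches with only the action differing, so the removed unconditional call could stay with an action of `od->has_acls ? default_acl_action : "next;"`, which also keeps the no-ACL branch shorter.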
>> @@ -15190,6 +15208,7 @@ ovnnb_db_run(struct northd_input *input_data,
>> "controller_event", false);
>> check_lsp_is_up = !smap_get_bool(&nb->options,
>> "ignore_lsp_down", true);
>> + default_acl_drop = smap_get_bool(&nb->options, "default_acl_drop",
> false);
>>
>> build_datapaths(input_data, ovnsb_txn, &data->datapaths,
> &data->lr_list);
>> build_lbs(input_data, &data->datapaths, &data->lbs);
>> diff --git a/ovn-nb.xml b/ovn-nb.xml
>> index 4d7a23c527..47347819f1 100644
>> --- a/ovn-nb.xml
>> +++ b/ovn-nb.xml
>> @@ -255,6 +255,14 @@
>> </p>
>> </column>
>>
>> + <column name="options" key="default_acl_drop">
>> + <p>
>> + If set to <code>true</code>., <code>ovn-northd</code> will
>> + generate a logical flow to drop all traffic in the ACL stages.
>> + By default this option is set to <code>false</code>.
>> + </p>
>> + </column>
>> +
>> <group title="Options for configuring interconnection route
> advertisement">
>> <p>
>> These options control how routes are advertised between OVN
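Review bot: the new paragraph overstates the behaviour: it says `ovn-northd` will "drop all traffic in the ACL stages", while the code only adds a lowest-priority drop on logical switches that have at least one ACL, and that drop only catches traffic no ACL matched; the option doc should say both, since a reader would otherwise expect switches without ACLs to go dark when the knob is turned on. There is also a stray `.` after `<code>true</code>` in "If set to <code>true</code>.,".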
>> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
>> index 317f024f64..3699f5bd23 100644
>> --- a/tests/ovn-northd.at
>> +++ b/tests/ovn-northd.at
>> @@ -6480,3 +6480,221 @@ AT_CHECK([grep -e "ls_in_stateful" lsflows | sed
> 's/table=../table=??/' | sort],
>>
>> AT_CLEANUP
>> ])
>> +
>> +OVN_FOR_EACH_NORTHD([
>> +AT_SETUP([LS default ACL drop])
>> +AT_KEYWORDS([acl])
>> +
>> +ovn_start
>> +
>> +check ovn-nbctl ls-add ls
>> +
>> +AS_BOX([No ACL, default_acl_drop not set])
>> +check ovn-nbctl --wait=sb sync
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_out_acl_hint ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([No ACL, default_acl_drop false])
>> +check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_out_acl_hint ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([No ACL, default_acl_drop true])
>> +check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_out_acl_hint ), priority=65535, match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([from-lport ACL])
>> +check ovn-nbctl acl-del ls
>> +check ovn-nbctl acl-add ls from-lport 1 "ip" allow
>> +
>> +AS_BOX([from-lport ACL, default_acl_drop not set])
>> +check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([from-lport ACL, default_acl_drop false])
>> +check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([from-lport ACL, default_acl_drop true])
>> +check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_in_acl ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([from-lport --apply-after-lb ACL])
>> +check ovn-nbctl acl-del ls
>> +check ovn-nbctl --apply-after-lb acl-add ls from-lport 1 "ip" allow
>> +
>> +AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop not set])
>> +check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop false])
>> +check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop true])
>> +check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([to-lport ACL])
>> +check ovn-nbctl acl-del ls
>> +check ovn-nbctl acl-add ls to-lport 1 "ip" allow
>> +
>> +AS_BOX([to-lport ACL, default_acl_drop not set])
>> +check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_acl ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([to-lport ACL, default_acl_drop false])
>> +check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_acl ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AS_BOX([to-lport ACL, default_acl_drop true])
>> +check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true
>> +AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed
> 's/table=../table=??/' | sort], [0], [dnl
>> + table=??(ls_in_acl ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_in_acl_after_lb ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_in_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl ), priority=0 , match=(1),
> action=(drop;)
>> + table=??(ls_out_acl ), priority=1001 , match=(ip),
> action=(next;)
>> + table=??(ls_out_acl ), priority=34000, match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> + table=??(ls_out_acl_hint ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=0 , match=(1),
> action=(next;)
>> + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
> $svc_monitor_mac), action=(next;)
>> +])
>> +
>> +AT_CLEANUP
>> +])
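Review bot: every case in the new test uses a stateless `allow` ACL, so the `has_stateful` branch of `build_acls()` is never exercised; add at least one `allow-related` case and check that an IP packet matched by no ACL gets `drop;` rather than the priority-1 stateful flow's `next;`. Two more gaps worth a case each: a switch with a load-balancer VIP and no ACLs (the new `has_lb_vip` branch that emits `ls_in_acl`/`ls_out_acl` at priority 1), and an ACL applied indirectly via a port group, which the commit message lists as covered.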
>> --
>> 2.27.0
>>
>
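As an added illustration of the three behaviours described in the commit message and of the stateful shadowing Han points out (constructed example code, not part of the patch or of OVN): the stateful match is simplified to `ip`, and the +1000 priority offset for ACL flows is taken from the test output above.

```python
"""Constructed model of the ACL-stage default flows generated by the patch's
build_acls() (illustration only, not OVN code). A stage is a list of
(priority, match, action); like OVN's logical pipeline, evaluation picks
the highest-priority flow whose match holds."""

ACL_PRI_OFFSET = 1000  # logical-flow priority = ACL priority + 1000 (see tests)


def always(pkt):
    return True


def is_ip(pkt):
    return pkt.get("ip", False)


def build_acl_defaults(has_acls, has_lb_vip, has_stateful, default_acl_drop):
    """Mirror of the branch logic in the patch; the has_stateful block stands
    for the existing priority-1 flows Han mentions (match simplified to ip)."""
    default_action = "drop;" if default_acl_drop else "next;"
    stages = {"ls_in_acl": [], "ls_in_acl_after_lb": [], "ls_out_acl": []}
    if not has_acls:
        # Behaviour (a): no ACLs, traffic is always allowed.
        prio = 1 if has_lb_vip else 65535
        stages["ls_in_acl"].append((prio, always, "next;"))
        stages["ls_out_acl"].append((prio, always, "next;"))
        stages["ls_in_acl_after_lb"].append((0, always, "next;"))
    else:
        # Behaviours (b)/(c): lowest-priority flow is next; or drop;.
        for stage in stages:
            stages[stage].append((0, always, default_action))
    if has_stateful:
        # Existing flows that commit new IP connections and forward them;
        # they sit above the priority-0 default and therefore shadow the drop.
        for stage in ("ls_in_acl", "ls_out_acl"):
            stages[stage].append((1, is_ip, "reg0[1] = 1; next;"))
    return stages


def add_acl(stages, stage, priority, match, action):
    """Add one ACL as its logical flow (priority offset applied)."""
    stages[stage].append((priority + ACL_PRI_OFFSET, match, action))


def evaluate(flows, pkt):
    """Return the action of the highest-priority matching flow."""
    for _prio, match, action in sorted(flows, key=lambda f: f[0], reverse=True):
        if match(pkt):
            return action
    return "drop;"  # table miss; not reachable here, every stage has a match=1 flow


def verdicts(stages, pkt):
    return {stage: evaluate(flows, pkt) for stage, flows in stages.items()}


SSH = {"ip": True, "tcp_dst": 22}   # constructed sample packets
HTTP = {"ip": True, "tcp_dst": 80}
ARP = {"ip": False}


def stateless_example(default_acl_drop):
    """from-lport priority-1 allow on 'ip', as in the patch's test case."""
    stages = build_acl_defaults(True, False, False, default_acl_drop)
    add_acl(stages, "ls_in_acl", 1, is_ip, "next;")
    return {name: verdicts(stages, pkt) for name, pkt in (("ssh", SSH), ("arp", ARP))}


def stateful_example(default_acl_drop):
    """from-lport allow-related on tcp.dst == 22: the priority-1 stateful
    flow still forwards other IP traffic even with default_acl_drop=true."""
    stages = build_acl_defaults(True, False, True, default_acl_drop)
    add_acl(stages, "ls_in_acl", 1, lambda p: p.get("tcp_dst") == 22, "reg0[1] = 1; next;")
    return {name: verdicts(stages, pkt) for name, pkt in (("ssh", SSH), ("http", HTTP), ("arp", ARP))}
```

Running `stateful_example(True)` shows the gap Han raised: HTTP is not dropped in `ls_in_acl`, only ARP is.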
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev