On Mon, Aug 10, 2020 at 11:11 PM Tony Liu <tonyliu0...@hotmail.com> wrote: > > Hi Numan, > > Create a new thread here to follow up ACL questions. > > > > > I think this is a big problem here. We should not use "!=" in > > > > logical flows, although OVN allows. > > > > > > Is this a generic recommendation or for certain cases? > > > Is it OK to add an ACL with "!=", like below? > > > > > > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005 > > > 'ip4.dst == 192.168.0.0/16 && inport != > > > "d93619c3-dab9-4f6d-8261-4211f6937fd1"' drop > > > > > > This is a generic recommendation. The above ACL would also result in > > many OF flows. > > > > To handle cases like above, you can add a couple of ACLs like below with > > high priority flow to allow the desired inport and low priority ACL to > > drop all the traffic. > > > > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport > > 1006 'ip4.dst == 192.168.0.0/16 && inport == "d93619c3-dab9-4f6d-8261- > > 4211f6937fd1"' allow ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324- > > e780d9dfdc0d from-lport > > 1005 'ip4.dst == 192.168.0.0/16"' drop > > In my case, two LS connect to one LR who has external access. > There are 3 ports on each LS. > * vm_port > * gw_port (connect to LR) > * svc_port (localport for DHCP and metadata) > > What I want is to disable the connection between two LS while allow > external access for them. > > Option #1, create one ACL for each VM on each LS. > ======== > acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport == > "$vm_port"' drop > ======== > This works fine for me, but the ACL has to be per VM. > > Option #2, create one ACL to exclude gw_port and svc_port. > ======== > acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport != > "$gw_port" && inport != "svc_port"' drop > ======== > As you mentioned, this is not recommended, cause it will result many > OF flows. I actually tried, but I don't see any OF flows created for > that ACL. Is there any policy in ovn-controller to not translate such > policy to OF flow? > > Option #3, as you suggested, I tried 2 ACLs. > ======== > acl-add $ls from-lport 1006 'ip4.dst == 192.168.0.0/16 && (inport == > "$gw_port" || inport == "svc_port")' allow > acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16' drop > ======== > On compute node, I see the "drop" OF flow only, not the "allow" flow. > Am I missing anything here? >
If there is a logical flow like - "inport == port1 && .....", ovnm-controller which binds this logical port converts like logical flow to OF rule. Other ovn-controller ignore this logical flow. I think that's what happening in your case. I think there are many ways to solve your case. 1. Have separate logical router for each logical switch and connect these logical routers to your provider network logical switch. 2. Add ACLs on the egress pipeline. I'd suggest this rather than on the ingress pipeline. If your first LS1 cidr is 192.168.0.0/24 and the 2nd LS2 cidr is 172.168.0.0/24 then on add the below ACL on LS1 ovn-nbctl pg-add pg1 <LS1 lpor> ovn-nbctl acl-add pg1 to-lport 1002 "ip4.src == 172.168.0.0/24 && outport == @pg1" drop ovn-nbctl acl-add pg1 to-lport 1001 "ip && outport == @pg1" allow ovn-nbctl pg-add pg2 <LS2 lports> ovn-nbctl acl-add pg2 to-lport 1002 "ip4.src == 192.168.0.0/24 && outport == @pg2" drop ovn-nbctl acl-add pg2 to-lport 1001 "ip && outport == @pg2" allow Please note that I haven't tested these ACLs. Thanks Numan > > Thanks! > > Tony > > _______________________________________________ > discuss mailing list > disc...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss > _______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
