> -----Original Message-----
> From: discuss <ovs-discuss-boun...@openvswitch.org> On Behalf Of Tony Liu
> Sent: Monday, August 10, 2020 10:41 AM
> To: Numan Siddique <num...@ovn.org>
> Cc: ovs-discuss@openvswitch.org
> Subject: [ovs-discuss] [OVN] not-equal in ACL
>
> Hi Numan,
>
> Create a new thread here to follow up ACL questions.
>
> > > > I think this is a big problem here. We should not use "!=" in
> > > > logical flows, although OVN allows.
> > >
> > > Is this a generic recommendation or for certain cases?
> > > Is it OK to add an ACL with "!=", like below?
> > >
> > > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport != "d93619c3-dab9-4f6d-8261-4211f6937fd1"' drop
> >
> > This is a generic recommendation. The above ACL would also result in
> > many OF flows.
> >
> > To handle cases like above, you can add a couple of ACLs like below, with a
> > high priority flow to allow the desired inport and a low priority ACL to
> > drop all the traffic.
> >
> > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1006 'ip4.dst == 192.168.0.0/16 && inport == "d93619c3-dab9-4f6d-8261-4211f6937fd1"' allow
> > ovn-nbctl acl-add 12b1681c-b3e7-4ec9-b324-e780d9dfdc0d from-lport 1005 'ip4.dst == 192.168.0.0/16' drop
>
> In my case, two LS connect to one LR which has external access.
> There are 3 ports on each LS:
> * vm_port
> * gw_port (connects to LR)
> * svc_port (localport for DHCP and metadata)
>
> What I want is to disable the connection between the two LS while allowing
> external access for them.
>
> Option #1, create one ACL for each VM on each LS.
> ========
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport == "$vm_port"' drop
> ========
> This works fine for me, but the ACL has to be per VM.
>
> Option #2, create one ACL to exclude gw_port and svc_port.
> ========
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16 && inport != "$gw_port" && inport != "svc_port"' drop
> ========
> As you mentioned, this is not recommended, because it will result in many
> OF flows. I actually tried, but I don't see any OF flows created for
> that ACL. Is there any policy in ovn-controller to not translate such a
> policy to OF flows?
>
> Option #3, as you suggested, I tried 2 ACLs.
> ========
> acl-add $ls from-lport 1006 'ip4.dst == 192.168.0.0/16 && (inport == "$gw_port" || inport == "svc_port")' allow
> acl-add $ls from-lport 1005 'ip4.dst == 192.168.0.0/16' drop
> ========
> On the compute node, I see the "drop" OF flow only, not the "allow" flow.
> Am I missing anything here?
Hi Numan,

This works! The '$' was missing from "svc_port"!

Thanks for the advice!

Tony

> Thanks!
> Tony
>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
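As an added illustration (not part of the thread or of OVN's own code), the following Python model of from-lport ACL evaluation checks that the two-ACL form (Option #3) gives the same verdicts as the "!=" form (Option #2), and shows what the missing '$' does: the allow ACL then matches a literal port named "svc_port", so traffic from the real service port falls through to the drop ACL. Port names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable
import ipaddress

@dataclass(frozen=True)
class Acl:
    priority: int
    match: Callable[[str, str], bool]  # (inport, ip4.dst) -> matched?
    action: str                        # "allow" or "drop"

def verdict(acls, inport, ip4_dst):
    """OVN ACL semantics: the highest-priority matching ACL decides;
    a packet that matches no ACL is allowed."""
    hits = [a for a in acls if a.match(inport, ip4_dst)]
    return max(hits, key=lambda a: a.priority).action if hits else "allow"

def in_subnet(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# Constructed port names standing in for the thread's $gw_port / $svc_port / $vm_port.
GW_PORT, SVC_PORT, VM_PORT = "ls1-gw", "ls1-svc", "ls1-vm-a"
SUBNET = "192.168.0.0/16"

# Option #2: one ACL built on "!=" (correct policy, but expands to many OF flows).
option2 = [
    Acl(1005, lambda p, d: in_subnet(d, SUBNET) and p != GW_PORT and p != SVC_PORT, "drop"),
]

# Option #3: higher-priority allow for the excluded ports, lower-priority drop for the rest.
option3 = [
    Acl(1006, lambda p, d: in_subnet(d, SUBNET) and p in (GW_PORT, SVC_PORT), "allow"),
    Acl(1005, lambda p, d: in_subnet(d, SUBNET), "drop"),
]

# The thread's bug: without the '$', the allow ACL matches the literal name "svc_port",
# so the real service port (DHCP/metadata) falls through to the drop ACL.
option3_typo = [
    Acl(1006, lambda p, d: in_subnet(d, SUBNET) and p in (GW_PORT, "svc_port"), "allow"),
    Acl(1005, lambda p, d: in_subnet(d, SUBNET), "drop"),
]

def same_policy(a, b, ports, dsts):
    """True when both ACL sets give the same verdict for every (inport, dst) pair."""
    return all(verdict(a, p, d) == verdict(b, p, d) for p in ports for d in dsts)

PORTS = (VM_PORT, GW_PORT, SVC_PORT)
DSTS = ("192.168.1.10", "10.0.0.5")  # a blocked-range destination and an external one
```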