author | Han Zhou <zhouhan@gmail.com> | 2017-01-18 18:51:16 -0800 |
---|---|---|
committer | Ben Pfaff <blp@ovn.org> | 2017-01-31 14:39:03 -0800 |
commit | fa3cc9b9f9f361a458549beb671f3a10e6508872 (patch) | |
tree | 41dd895f0df0dd73980a7f6bff65e960c6f19ff4 | |
parent | 0c3e38159958cee51d5583737fa070721d0ea3df (diff) | |
ovn-nbctl: check for duplicated ACL adding.
Check for duplicated ACL adding and add option --may-exist for
ovn-nbctl acl-add.
Signed-off-by: Han Zhou <zhouhan@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
-rw-r--r-- | ovn/utilities/ovn-nbctl.8.xml | 5 | ||||
-rw-r--r-- | ovn/utilities/ovn-nbctl.c | 14 | ||||
-rw-r--r-- | tests/ovn-nbctl.at | 4 |
3 files changed, 21 insertions, 2 deletions
diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml index d81e99fab..19134881b 100644 --- a/ovn/utilities/ovn-nbctl.8.xml +++ b/ovn/utilities/ovn-nbctl.8.xml @@ -76,7 +76,7 @@ <h1>Logical Switch ACL Commands</h1> <dl> - <dt>[<code>--log</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt> + <dt>[<code>--log</code>] [<code>--may-exist</code>] <code>acl-add</code> <var>switch</var> <var>direction</var> <var>priority</var> <var>match</var> <var>action</var></dt> <dd> Adds the specified ACL to <var>switch</var>. <var>direction</var> must be either <code>from-lport</code> or @@ -84,6 +84,9 @@ <code>0</code> and <code>32767</code>, inclusive. If <code>--log</code> is specified, packet logging is enabled for the ACL. A full description of the fields are in <code>ovn-nb</code>(5). + If <code>--may-exist</code> is specified, adding a duplicated ACL + succeeds but the ACL is not really created. Without <code>--may-exist</code>, + adding a duplicated ACL results in error. </dd> <dt><code>acl-del</code> <var>switch</var> [<var>direction</var> [<var>priority</var> <var>match</var>]]</dt> diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c index 3dac4340f..900b08877 100644 --- a/ovn/utilities/ovn-nbctl.c +++ b/ovn/utilities/ovn-nbctl.c @@ -1320,6 +1320,18 @@ nbctl_acl_add(struct ctl_context *ctx) nbrec_acl_set_log(acl, true); } + /* Check if same acl already exists for the ls */ + for (size_t i = 0; i < ls->n_acls; i++) { + if (!acl_cmp(&ls->acls[i], &acl)) { + bool may_exist = shash_find(&ctx->options, "--may-exist") != NULL; + if (!may_exist) { + ctl_fatal("Same ACL already existed on the ls %s.", + ctx->argv[1]); + } + return; + } + } + /* Insert the acl into the logical switch. */ nbrec_logical_switch_verify_acls(ls); struct nbrec_acl **new_acls = xmalloc(sizeof *new_acls * (ls->n_acls + 1)); 
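Review bot: On the `--may-exist` path the added loop reaches `return;` after `acl` has already been populated above the check (the context line `nbrec_acl_set_log(acl, true);` shows the row exists by then), so the new row appears to stay in the transaction unreferenced; calling `nbrec_acl_delete(acl);` before `return;` would discard it explicitly. Separately, what counts as "same" is decided by `acl_cmp`, which is defined outside this hunk: if it compares only direction, priority and match, then `--may-exist` reports success even when the existing ACL has a different action or log setting, and the operator is left with a rule other than the one requested. A comment on the loop such as `/* Duplicate means acl_cmp() equality; confirm whether action and log are compared. */`, or an explicit comparison of the action before returning, would make that contract visible. The body of nbctl_acl_add starts and ends outside the hunk, so the point where `acl` is inserted is inferred rather than seen.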
@@ -3289,7 +3301,7 @@ static const struct ctl_command_syntax nbctl_commands[] = { /* acl commands. */ { "acl-add", 5, 5, "SWITCH DIRECTION PRIORITY MATCH ACTION", NULL, - nbctl_acl_add, NULL, "--log", RW }, + nbctl_acl_add, NULL, "--log,--may-exist", RW }, { "acl-del", 1, 4, "SWITCH [DIRECTION [PRIORITY MATCH]]", NULL, nbctl_acl_del, NULL, "", RW }, { "acl-list", 1, 1, "SWITCH", NULL, nbctl_acl_list, NULL, "", RO }, diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index cec516f6f..9f0a2779b 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -200,6 +200,10 @@ AT_CHECK([ovn-nbctl acl-add ls0 from-lport 400 tcp drop]) AT_CHECK([ovn-nbctl acl-add ls0 to-lport 300 tcp drop]) AT_CHECK([ovn-nbctl acl-add ls0 from-lport 200 ip drop]) AT_CHECK([ovn-nbctl acl-add ls0 to-lport 100 ip drop]) +dnl Add duplicated ACL +AT_CHECK([ovn-nbctl acl-add ls0 to-lport 100 ip drop], [1], [], [stderr]) +AT_CHECK([grep 'already existed' stderr], [0], [ignore]) +AT_CHECK([ovn-nbctl --may-exist acl-add ls0 to-lport 100 ip drop]) AT_CHECK([ovn-nbctl acl-list ls0], [0], [dnl from-lport 600 (udp) drop log |
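Review bot: The added checks in tests/ovn-nbctl.at only repeat the exact ACL `to-lport 100 ip drop`, so nothing pins what happens when direction, priority and match repeat but the action or `--log` differs. A case such as `AT_CHECK([ovn-nbctl --may-exist acl-add ls0 to-lport 100 ip allow], ...)` with the expected status set to whichever behaviour is intended, followed by an `acl-list` check, would show whether `--may-exist` can silently leave the old action in place. The values in that example are constructed for illustration.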