authorRussell Bryant <russell@ovn.org>2016-07-03 10:35:26 -0500
committerBen Pfaff <blp@ovn.org>2016-07-03 12:32:31 -0700
commitea382567e816ac3bdb6365fdec90438156cf51d1 (patch)
tree194bb92065cdb60374eacd55df3df0f0855a8efb /tests
parentf94705d729459d808fd139c8f95d5f1f8d8becc6 (diff)
ovn: Add address set support for ACLs.
This feature was originally proposed here: http://openvswitch.org/pipermail/dev/2016-March/067440.html A common use case for OVN ACLs involves needing to match a set of IP addresses. outport == "lp1" && ip4.src == {10.0.0.5, 10.0.0.25, 10.0.0.50} This example match only has 3 addresses, but it could easily have hundreds of addresses. In some cases, the same large set of addresses needs to be used in several ACLs. This patch adds a new Address_Set table to OVN_Northbound so that a set of addresses can be specified once and then referred to by name in ACLs. To recreate the above example, you would first create an address set: $ ovn-nbctl create Address_Set name=set1 addresses="10.0.0.5","10.0.0.25","10.0.0.50" Then you can refer to this address set by name in an ACL match: outport == "lp1" && ip4.src == $set1 Signed-off-by: Russell Bryant <russell@ovn.org> Signed-off-by: Babu Shanmugam <bschanmu@redhat.com> Co-authored-by: Flavio Fernandes <flavio@flaviof.com> Signed-off-by: Flavio Fernandes <flavio@flaviof.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'tests')
-rw-r--r--tests/ovn.at19
1 files changed, 19 insertions, 0 deletions
diff --git a/tests/ovn.at b/tests/ovn.at
index decc90dd2..4424b861f 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -264,6 +264,9 @@ ip4.src == ::1 => 128-bit constant is not compatible with 32-bit field ip4.src.
1 == eth.type == 2 => Range expressions must have the form `x < field < y' or `x > field > y', with each `<' optionally replaced by `<=' or `>' by `>=').
eth.dst[40] x => Extra tokens at end of input.
+
+ip4.src == {1.2.3.4, $set1, $unknownset} => Syntax error at `$unknownset' expecting address set name.
+eth.src == {$set3, badmac, 00:00:00:00:00:01} => Syntax error at `badmac' expecting constant.
]])
sed 's/ =>.*//' test-cases.txt > input.txt
sed 's/.* => //' test-cases.txt > expout
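Review bot: The two new cases only exercise an undefined address set inside a brace list; the bare form the commit message relies on, `ip4.src == $unknownset`, is not covered, and neither is a defined set used bare (`ip4.src == $set1`). Adding those two lines to the table would pin the message for the most common form; the expected text for the unknown-set case presumably matches the existing `expecting address set name` error, but confirm against the parser before copying it. The test-cases list this hunk extends starts before the hunk.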
@@ -487,6 +490,12 @@ dl_src=00:00:00:00:00:01
dl_src=00:00:00:00:00:02
dl_src=00:00:00:00:00:03
])
+AT_CHECK([expr_to_flow 'eth.src == {00:00:00:00:00:01, $set3, ba:be:be:ef:de:ad, $set3}'], [0], [dnl
+dl_src=00:00:00:00:00:01
+dl_src=00:00:00:00:00:02
+dl_src=00:00:00:00:00:03
+dl_src=ba:be:be:ef:de:ad
+])
AT_CLEANUP
AT_SETUP([ovn -- action parsing])
@@ -688,6 +697,8 @@ done
ovn-nbctl acl-add lsw0 from-lport 1000 'eth.type == 0x1234' drop
ovn-nbctl acl-add lsw0 from-lport 1000 'eth.type == 0x1235 && inport == "lp11"' drop
ovn-nbctl acl-add lsw0 to-lport 1000 'eth.type == 0x1236 && outport == "lp33"' drop
+ovn-nbctl create Address_Set name=set1 addresses=\"f0:00:00:00:00:11\",\"f0:00:00:00:00:21\",\"f0:00:00:00:00:31\"
+ovn-nbctl acl-add lsw0 to-lport 1000 'eth.type == 0x1237 && eth.src == $set1 && outport == "lp33"' drop
# Pre-populate the hypervisors' ARP tables so that we don't lose any
# packets for ARP resolution (native tunneling doesn't queue packets
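Review bot: The `ovn-nbctl create Address_Set` line relies on `\"` producing literal double quotes around each MAC, and the ACL on the next line depends on single quotes so `$set1` reaches ovn-nbctl unexpanded; neither is explained, so a later edit that "cleans up" either quoting style would silently change what the test sets up. Suggest a comment above the create line: `# Address_Set values need literal double quotes; keep the ACL match single-quoted so the shell does not expand $set1.` The test body this sits in starts and ends outside the hunk.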
@@ -818,9 +829,17 @@ for is in 1 2 3; do
if test $d != $s && test $s != 11; then acl2=$d; else acl2=; fi
if test $d != $s && test $d != 33; then acl3=$d; else acl3=; fi
+ if test $d == $s || (test $js == 1 && test $d == 33); then
+ # Source of 11, 21, or 31 and dest of 33 should be dropped
+ # due to the 4th ACL that uses address_set(set1).
+ acl4=
+ else
+ acl4=$d
+ fi
test_packet $s f000000000$d f000000000$s 1234 #7, acl1
test_packet $s f000000000$d f000000000$s 1235 $acl2 #7, acl2
test_packet $s f000000000$d f000000000$s 1236 $acl3 #7, acl3
+ test_packet $s f000000000$d f000000000$s 1237 $acl4 #7, acl4
test_packet $s f000000000$d f00000000055 810000091234 #4
test_packet $s f000000000$d 0100000000$s $s$d #5
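Review bot: The new `if test $d == $s || (test $js == 1 && test $d == 33); then` uses `==`, which POSIX `test` does not define (only `=`); the two context lines just above use `!=`, so this line alone would break the case under a strict `/bin/sh` such as dash, where `test` typically reports an unexpected operator. Suggest `if test $d = $s || { test $js = 1 && test $d = 33; }; then`, which also drops the per-iteration subshell. The comment on the following lines refers to `address_set(set1)`, but the ACL added earlier in this commit uses the `$set1` syntax; `# due to the 4th ACL that matches eth.src == $set1.` would describe the actual rule. `$js` comes from an enclosing loop that starts outside the hunk, presumably `for js in 1 2 3`, so the 11/21/31 sources the comment names are the `js = 1` lports, matching the three MACs placed in set1.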