This column controls the addresses from which the host attached to the
logical port (``the host'') is allowed to send packets and to which it
is allowed to receive packets. If this column is empty, all addresses
are permitted.
Each element in the set must begin with one Ethernet address.
This restricts the host to sending packets from and receiving
packets to the Ethernet addresses defined in this column. It also
restricts the inner source MAC addresses that the host may send in
ARP and IPv6 Neighbor Discovery packets. The host is always allowed
to receive packets to multicast and broadcast Ethernet addresses.
Each element in the set may additionally contain one or more IPv4 or
IPv6 addresses (or both), with optional masks. If a mask is given, it
must be a CIDR mask. In addition to the restrictions described for
Ethernet addresses above, such an element restricts the IPv4 or IPv6
addresses from which the host may send and to which it may receive
packets to the specified addresses. A masked address, if the host part
is zero, indicates that the host is allowed to use any address in the
subnet; if the host part is nonzero, the mask simply indicates the size
of the subnet. In addition:
-
If any IPv4 address is given, the host is also allowed to receive
packets to the IPv4 local broadcast address 255.255.255.255 and to
IPv4 multicast addresses (224.0.0.0/4). If an IPv4 address with a
mask is given, the host is also allowed to receive packets to the
broadcast address in that specified subnet.
If any IPv4 address is given, the host is additionally restricted
to sending ARP packets with the specified source IPv4 address.
(RARP is not restricted.)
-
If any IPv6 address is given, the host is also allowed to receive
packets to IPv6 multicast addresses (ff00::/8).
If any IPv6 address is given, the host is additionally restricted
to sending IPv6 Neighbor Discovery Solicitation or Advertisement
packets with the specified source address or, for solicitations,
the unspecified address.
If an element includes an IPv4 address, but no IPv6 addresses, then
IPv6 traffic is not allowed. If an element includes an IPv6 address,
but no IPv4 address, then IPv4 and ARP traffic is not allowed.
This column uses the same lexical syntax as the column in the OVN Southbound
database's table. Multiple
addresses within an element may be space or comma separated.
This column is provided as a convenience to cloud management systems,
but all of the features that it implements can be implemented as ACLs
using the table.
Examples:
80:fa:5b:06:72:b7
-
The host may send traffic from and receive traffic to the specified
MAC address, and may receive traffic to Ethernet multicast and
broadcast addresses, but not otherwise. The host may not send ARP or
IPv6 Neighbor Discovery packets with inner source Ethernet addresses
other than the one specified.
80:fa:5b:06:72:b7 192.168.1.10/24
-
This adds further restrictions to the first example. The host may
send IPv4 packets from or receive IPv4 packets to only 192.168.1.10,
except that it may also receive IPv4 packets to 192.168.1.255 (based
on the subnet mask), 255.255.255.255, and any address in 224.0.0.0/4.
The host may not send ARPs with a source Ethernet address other than
80:fa:5b:06:72:b7 or source IPv4 address other than 192.168.1.10.
The host may not send or receive any IPv6 (including IPv6 Neighbor
Discovery) traffic.
"80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
-
The host may send traffic from and receive traffic to the
specified MAC addresses, and may receive traffic to Ethernet
multicast and broadcast addresses, but not otherwise. With MAC
80:fa:5b:12:42:ba, the host may send traffic from and receive
traffic to any L3 address.
With MAC 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
receive IPv4 packets to only 192.168.1.10, except that it may also
receive IPv4 packets to 192.168.1.255 (based on the subnet mask),
255.255.255.255, and any address in 224.0.0.0/4. The host may not
send or receive any IPv6 (including IPv6 Neighbor Discovery) traffic.
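The rules above and the three worked examples, as an executable model (an added example written for this page, not OVN's own code or the logic ovn-northd installs). It parses elements in the column's syntax and decides whether a given packet may be sent from or received by the host. The Packet class, its field names and the proto labels are this example's own; points where the model goes beyond what the text states (non-IP ethertypes, received ARP, Ethernet multicast skipping the L3 check) are marked as assumptions in the comments.

```python
"""Model of the OVN Logical_Switch_Port port_security column rules.

Added example, not OVN code. Assumptions beyond the column text are
marked "assumption" in the comments.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def parse_element(element: str):
    """Split one element ("MAC [ADDR[/LEN] ...]", space or comma separated)
    into (mac, [ip_interface, ...]). A nonzero host part under a mask is kept."""
    tokens = [t for t in re.split(r"[\s,]+", element.strip()) if t]
    if not tokens or not MAC_RE.match(tokens[0].lower()):
        raise ValueError(f"element must begin with an Ethernet address: {element!r}")
    return tokens[0].lower(), [ipaddress.ip_interface(t) for t in tokens[1:]]


def _host_addr_ok(addr, ifaces) -> bool:
    """Addresses the host may use itself: zero host part => whole subnet,
    nonzero host part => exactly that address (the mask only gives the subnet size)."""
    for iface in ifaces:
        if iface.version != addr.version:
            continue
        if iface.ip == iface.network.network_address and addr in iface.network:
            return True
        if addr == iface.ip:
            return True
    return False


def _recv_addr_ok(addr, ifaces) -> bool:
    """Destinations the host may receive to: its own addresses plus the
    broadcast/multicast ranges listed for whichever family is present."""
    if _host_addr_ok(addr, ifaces):
        return True
    v4 = [i for i in ifaces if i.version == 4]
    v6 = [i for i in ifaces if i.version == 6]
    if addr.version == 4 and v4:
        if addr == ipaddress.IPv4Address("255.255.255.255") or addr.is_multicast:
            return True  # 255.255.255.255 and 224.0.0.0/4
        # Subnet broadcast, only for addresses that were given with a mask.
        return any(addr == i.network.broadcast_address for i in v4 if i.network.prefixlen < 32)
    if addr.version == 6 and v6:
        return addr.is_multicast  # ff00::/8
    return False


@dataclass
class Packet:
    direction: str                 # "send" (from the host) or "recv" (to the host)
    eth: str                       # host-side MAC: eth.src when sending, eth.dst when receiving
    proto: str = "other"           # "ip4", "ip6", "arp", "nd_ns", "nd_na" or "other" (e.g. LLDP)
    ip: Optional[str] = None       # host-side L3 address: source when sending (arp.spa for ARP,
                                   # ip6.src for ND), destination when receiving
    inner_eth: Optional[str] = None  # arp.sha / ND source link-layer address when sending


def _element_allows(pkt: Packet, mac: str, ifaces) -> bool:
    v4 = any(i.version == 4 for i in ifaces)
    v6 = any(i.version == 6 for i in ifaces)
    family = {"ip4": 4, "arp": 4, "ip6": 6, "nd_ns": 6, "nd_na": 6}.get(pkt.proto)
    if family is None:
        return True  # assumption: other ethertypes get only the Ethernet check
    if ifaces and ((family == 4 and not v4) or (family == 6 and not v6)):
        return False  # an element listing only one family forbids the other (and ARP with IPv6-only)
    if pkt.direction == "recv":
        if pkt.proto == "arp":
            return True  # assumption: no L3 check on ARP received to the host's own MAC
        return not ifaces or _recv_addr_ok(ipaddress.ip_address(pkt.ip), ifaces)
    if pkt.proto in ("arp", "nd_ns", "nd_na") and pkt.inner_eth is not None \
            and pkt.inner_eth.lower() != mac:
        return False  # inner source MAC of ARP/ND must be the element's MAC
    if not ifaces:
        return True  # MAC-only element: any L3 address
    src = ipaddress.ip_address(pkt.ip)
    if pkt.proto == "nd_ns" and src == ipaddress.IPv6Address("::"):
        return True  # solicitations may use the unspecified address
    return _host_addr_ok(src, ifaces)


def allowed(pkt: Packet, port_security: List[str]) -> bool:
    """Whether the host may send or receive PKT under PORT_SECURITY, the list of
    column elements. An empty column permits everything; a packet passes if any
    element whose MAC matches the host-side MAC permits it."""
    if not port_security:
        return True
    eth = pkt.eth.lower()
    if pkt.direction == "recv" and int(eth[:2], 16) & 1:
        return True  # Ethernet multicast/broadcast destination; assumption: no further L3 check
    elements = [parse_element(e) for e in port_security]
    return any(mac == eth and _element_allows(pkt, mac, ifaces) for mac, ifaces in elements)


if __name__ == "__main__":
    ps = ["80:fa:5b:06:72:b7 192.168.1.10/24"]  # the page's second example
    print(allowed(Packet("send", "80:fa:5b:06:72:b7", "ip4", "192.168.1.10"), ps))   # True
    print(allowed(Packet("send", "80:fa:5b:06:72:b7", "ip4", "192.168.1.11"), ps))   # False
    print(allowed(Packet("recv", "80:fa:5b:06:72:b7", "ip4", "192.168.1.255"), ps))  # True
    print(allowed(Packet("send", "80:fa:5b:06:72:b7", "ip6", "2001:db8::1"), ps))    # False
```

Note the difference the host part makes: "192.168.1.10/24" pins the host to one address but still admits 192.168.1.255 on receive, while "192.168.1.0/24" would let it use any address in the subnet. The model only decides admissibility; it does not reproduce the priorities or stages of the logical flows ovn-northd generates from this column.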