* These must be listed in the order that the stages will be executed. */
#define INGRESS_STAGES \
INGRESS_STAGE(PORT_SEC, port_sec) \
+ INGRESS_STAGE(ACL, acl) \
INGRESS_STAGE(L2_LKUP, l2_lkup)
enum ingress_stage {
ds_destroy(&match);
}
- /* Ingress table 1: Destination lookup, broadcast and multicast handling
+ /* Ingress table 1: ACLs (any priority). */
+ HMAP_FOR_EACH (od, key_node, datapaths) {
+ for (size_t i = 0; i < od->nb->n_acls; i++) {
+ const struct nbrec_acl *acl = od->nb->acls[i];
+ const char *action;
+
+ if (strcmp(acl->direction, "from-lport")) {
+ continue;
+ }
+
+ action = (!strcmp(acl->action, "allow") ||
+ !strcmp(acl->action, "allow-related"))
+ ? "next;" : "drop;";
+ ovn_lflow_add(&lflows, od, P_IN, S_IN_ACL, acl->priority,
+ acl->match, action);
+ }
+ }
+ HMAP_FOR_EACH (od, key_node, datapaths) {
+ ovn_lflow_add(&lflows, od, P_IN, S_IN_ACL, 0, "1", "next;");
+ }
+
+ /* Ingress table 2: Destination lookup, broadcast and multicast handling
* (priority 100). */
HMAP_FOR_EACH (op, key_node, ports) {
if (lport_is_enabled(op->nb)) {
"outport = \""MC_FLOOD"\"; output;");
}
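Review bot: The `allow-related` action is still lowered to `next;` exactly like `allow` — the ternary at the `action =` assignment in the from-lport loop, and the identical one in the to-lport loop of the later hunk — yet the ovn-nb.xml hunk removes the paragraph saying `allow-related` is currently treated as `allow` and adds text saying return traffic from an `allow-related` flow is always allowed and cannot be changed through an ACL. Nothing in the visible hunks adds connection-tracking flows, so a policy author reading the new documentation would expect stateful return-traffic handling that these logical flows do not appear to provide. Until such flows exist, keep the caveat in the docs, e.g. in the `allow-related` list item: `<code>Not implemented--currently treated as allow</code>`, matching the note the commit adds for `reject`. The enclosing function begins before and continues past this hunk.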
- /* Ingress table 1: Destination lookup, unicast handling (priority 50), */
+ /* Ingress table 2: Destination lookup, unicast handling (priority 50), */
HMAP_FOR_EACH (op, key_node, ports) {
for (size_t i = 0; i < op->nb->n_macs; i++) {
struct eth_addr mac;
}
}
- /* Ingress table 1: Destination lookup for unknown MACs (priority 0). */
+ /* Ingress table 2: Destination lookup for unknown MACs (priority 0). */
HMAP_FOR_EACH (od, key_node, datapaths) {
if (od->has_unknown) {
ovn_lflow_add(&lflows, od, P_IN, S_IN_L2_LKUP, 0, "1",
const struct nbrec_acl *acl = od->nb->acls[i];
const char *action;
+ if (strcmp(acl->direction, "to-lport")) {
+ continue;
+ }
+
action = (!strcmp(acl->action, "allow") ||
!strcmp(acl->action, "allow-related"))
? "next;" : "drop;";
"columns": {
"priority": {"type": {"key": {"type": "integer",
"minInteger": 1,
- "maxInteger": 65535}}},
+ "maxInteger": 65534}}},
+ "direction": {"type": {"key": {"type": "string",
+ "enum": ["set", ["from-lport", "to-lport"]]}}},
"match": {"type": "string"},
"action": {"type": {"key": {"type": "string",
"enum": ["set", ["allow", "allow-related", "drop", "reject"]]}}},
</p>
<column name="priority">
- The ACL rule's priority. Rules with numerically higher priority take
- precedence over those with lower. If two ACL rules with the same
- priority both match, then the one actually applied to a packet is
- undefined.
+ <p>
+ The ACL rule's priority. Rules with numerically higher priority
+ take precedence over those with lower. If two ACL rules with
+ the same priority both match, then the one actually applied to a
+ packet is undefined.
+ </p>
+
+ <p>
+ Return traffic from an <code>allow-related</code> flow is always
+ allowed and cannot be changed through an ACL.
+ </p>
+ </column>
+
+ <column name="direction">
+ <p>Direction of the traffic to which this rule should apply:</p>
+ <ul>
+ <li>
+ <code>from-lport</code>: Used to implement filters on traffic
+ arriving from a logical port. These rules are applied to the
+ logical switch's ingress pipeline.
+ </li>
+ <li>
+ <code>to-lport</code>: Used to implement filters on traffic
+ forwarded to a logical port. These rules are applied to the
+ logical switch's egress pipeline.
+ </li>
+ </ul>
</column>
<column name="match">
- The packets that the ACL should match, in the same expression language
- used for the <ref column="match" table="Logical_Flow"
- db="OVN_Southbound"/> column in the OVN Southbound database's <ref
- table="Logical_Flow" db="OVN_Southbound"/> table. Match
- <code>inport</code> and <code>outport</code> against names of logical
- ports within <ref column="lswitch"/> to implement ingress and egress
- ACLs, respectively. In logical switches connected to logical routers,
- the special port name <code>ROUTER</code> refers to the logical router
- port.
+ <p>
+ The packets that the ACL should match, in the same expression
+ language used for the <ref column="match" table="Logical_Flow"
+ db="OVN_Southbound"/> column in the OVN Southbound database's
+ <ref table="Logical_Flow" db="OVN_Southbound"/> table. The
+ <code>outport</code> logical port is only available in the
+ <code>to-lport</code> direction (the <code>inport</code> is
+ available in both directions).
+ </p>
+
+ <p>
+ By default all traffic is allowed. When writing a more
+ restrictive policy, it is important to remember to allow flows
+ such as ARP and IPv6 neighbor discovery packets.
+ </p>
+
+ <p>
+ In logical switches connected to logical routers, the special
+ port name <code>ROUTER</code> refers to the logical router port.
+ </p>
</column>
<column name="action">
<li>
<code>reject</code>: Drop the packet, replying with a RST for TCP or
ICMP unreachable message for other IP-based protocols.
+ <code>Not implemented--currently treated as drop</code>
</li>
</ul>
-
- <p>
- Only <code>allow</code> and <code>drop</code> are implemented:
- <code>allow-related</code> is currently treated as <code>allow</code>,
- and <code>reject</code> as <code>drop</code>.
- </p>
</column>
<column name="log">