mir/openvswitch
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-10-25 15:07:05 +00:00
Code Issues Releases Wiki Activity
Files
dc55e9465511dee6c12dbf0edb4ce2d9af57cb15
openvswitch/ovn/controller/binding.h
Justin Pettit 78aab811be ovn: Add stateful ACL support. 
Add support for the "allow-related" ACL action.  This is dependent on
the OVS conntrack functionality, which is not available on all platforms
or kernel versions.

Here is a sample policy that will allow all tenants in logical switch
"ls0" to SSH to each other.  Anyone can make an HTTP request to "lp0".
All other IP traffic is dropped:

  ovn-nbctl acl-add ls0 from-lport 100 ip allow-related
  ovn-nbctl acl-add ls0 to-lport 100 tcp.dst==22 allow-related
  ovn-nbctl acl-add ls0 to-lport 100 "outport == \"lp0\" \
            && tcp.dst==80" allow-related
  ovn-nbctl acl-add ls0 to-lport 1 ip drop

Note: Kernel conntrack support is checked into the mainline Linux
kernel, but hasn't been backported to the main OVS repo yet.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-10-16 00:23:45 -07:00

34 lines
1.1 KiB
C
Raw Blame History

/* Copyright (c) 2015 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef OVN_BINDING_H
#define OVN_BINDING_H 1
#include <stdbool.h>
struct controller_ctx;
struct ovsdb_idl;
struct ovsrec_bridge;
struct simap;
void binding_register_ovs_idl(struct ovsdb_idl *);
void binding_run(struct controller_ctx *, const struct ovsrec_bridge *br_int,
const char *chassis_id, struct simap *ct_zones,
unsigned long *ct_zone_bitmap);
bool binding_cleanup(struct controller_ctx *, const char *chassis_id);
#endif /* ovn/binding.h */
Reference in New Issue View Git Blame Copy Permalink