Fast Datapath Product / FDP-1462

[ovn-nbctl] Enhance acl-list <LS> to also display ACLs applied through port groups.

    • Type: Story
    • Resolution: Done-Errata
    • Priority: Normal
    • ovn25.09

      Given a logical switch ls with ports that are members of a port group pg1 and pg1 has ACLs assigned, 

      When the system administrator runs ovn-nbctl --all acl-list ls, 

      Then all ACLs applied directly and indirectly (via PGs) are listed, and inherited ones are annotated with [pg-name].

    • ovn25.09-25.09.0-alpha.209.el9fdp
    • rhel-9
    • OVN FDP Sprint 5

      This is essentially the same feature request as the old, auto-closed, https://issues.redhat.com/browse/FD-1048:

      When OVN ACLs are applied to a port group they are essentially applied to every logical switch that contains ports that are part of the port group.

      However, when displaying ACLs applied on a logical switch, ovn-nbctl only returns ACLs explicitly applied on the logical switch. This makes troubleshooting more complicated.

      Steps to Reproduce:

      $ ovn-nbctl ls-add ls
      $ ovn-nbctl lsp-add ls lsp1
      $ ovn-nbctl pg-add pg1 lsp1
      $ ovn-nbctl acl-add pg1 to-lport 2 udp allow
      $ ovn-nbctl acl-add ls to-lport 1 ip drop
      

      Actual results:

      $ ovn-nbctl acl-list ls
      to-lport 1 (ip) drop
      $ ovn-nbctl acl-list pg1
      to-lport 2 (udp) allow
      

      Expected results:

      $ ovn-nbctl --all acl-list ls
      to-lport 2 (udp) allow
      to-lport 1 (ip) drop
      

      Additionally, users could be informed that some ACLs are applied through a port group by enhancing the output with the name of the port group the ACL was "inherited" from. E.g.:
      Expected results:

      $ ovn-nbctl --all acl-list ls
      to-lport 2 (udp) allow   [pg1]
      to-lport 1 (ip) drop
      
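      The lookup the request describes, as an added example that is not part of the issue or of OVN's own code: it resolves the ACLs in effect on a switch from a constructed snapshot of the Logical_Switch, Port_Group and ACL tables (the dict layout and the function names are assumptions here), and it also shows that a port group whose ports live on a different switch is not pulled in.

```python
"""Resolve the ACLs effectively applied to an OVN logical switch.

Added illustration, not OVN's code: it reproduces the `--all acl-list`
behaviour requested above over a constructed snapshot of the northbound
Logical_Switch, Port_Group and ACL tables (the dict layout is an assumption).
"""

# Constructed snapshot mirroring the reproducer, plus a second switch and port
# group (ls2/pg2) to show that unrelated port groups are not pulled in.
SWITCHES = {
    "ls":  {"ports": ["lsp1"], "acls": ["a1"]},
    "ls2": {"ports": ["lsp2"], "acls": []},
}
PORT_GROUPS = {
    "pg1": {"ports": ["lsp1"], "acls": ["a2"]},
    "pg2": {"ports": ["lsp2"], "acls": ["a3"]},
}
ACLS = {  # uuid -> (direction, priority, match, action)
    "a1": ("to-lport", 1, "ip", "drop"),
    "a2": ("to-lport", 2, "udp", "allow"),
    "a3": ("from-lport", 100, "tcp", "allow"),
}


def port_groups_for_switch(switch, switches=SWITCHES, port_groups=PORT_GROUPS):
    """Port groups containing at least one port of the switch: every ACL on
    those groups is enforced on this switch as well."""
    ports = set(switches[switch]["ports"])
    return [pg for pg, row in port_groups.items() if ports & set(row["ports"])]


def format_acl(acl, inherited_from=None):
    direction, priority, match, action = acl
    line = f"{direction} {priority} ({match}) {action}"
    # Annotate ACLs that reach the switch through a port group with [pg-name].
    return f"{line}   [{inherited_from}]" if inherited_from else line


def acl_list(switch, all_acls=False, switches=SWITCHES,
             port_groups=PORT_GROUPS, acls=ACLS):
    """Equivalent of `ovn-nbctl acl-list <LS>`; all_acls=True mimics `--all`."""
    rows = [(acls[u], None) for u in switches[switch]["acls"]]
    if all_acls:
        for pg in port_groups_for_switch(switch, switches, port_groups):
            rows.extend((acls[u], pg) for u in port_groups[pg]["acls"])
    # Same ordering as acl-list output: direction, descending priority, match.
    rows.sort(key=lambda r: (r[0][0], -r[0][1], r[0][2]))
    return [format_acl(acl, pg) for acl, pg in rows]


if __name__ == "__main__":
    for line in acl_list("ls", all_acls=True):
        print(line)
```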

rh-ee-moloings Mairtin Lynch
dceara@redhat.com Dumitru Ceara
Ehsan Elahi