Ordered ACL output actions #3476

Merged
merged 8 commits into from Mar 16, 2020
49 changes: 47 additions & 2 deletions docs/configuration.rst
Expand Up @@ -903,6 +903,9 @@ and actions. Matches are key/values based on the `ryu RESTFul API.
<https://ryu.readthedocs.io/en/latest/app/ofctl_rest.html#reference-description-of-match-and-actions>`_
Actions is a dictionary of actions to apply upon match.

.. note:: When setting allow to true, the packet will be submitted to the
next table AFTER having the output actions applied to it.

.. list-table:: : acls: <acl name>: - rule: actions: {}
:widths: 30 15 15 40
:header-rows: 1
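Review bot: the new note on `allow: true` states the order (output actions first, then the next table) but not its consequence; add that any field changes made by the output action (set_fields, vlan_vid) are therefore what the subsequent tables match on, since that is the point a reader writing an ACL needs. Also, `AFTER` in capitals reads as shouting in rendered RST; use ``*after*`` for emphasis.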
Expand Down Expand Up @@ -933,12 +936,21 @@ Actions is a dictionary of actions to apply upon match.
- None
- Copy the packet, before any modifications, to the specified port (NOTE: ACL mirroring is done in input direction only)
* - output
- dictionary
- dictionary or list
- None
- Used to output a packet directly. Details below.
- Used to apply more specific output actions for an ACL

The output action contains a dictionary with the following elements:

.. note:: When using the dictionary format, Faucet will
build the actions in the following order: pop_vlans, vlan_vids, swap_vid,
vlan_vids, set_fields, port, ports and then failover.
The ACL dictionary format also restricts using port & ports, vlan_vid & vlan_vids
at the same time.

.. note:: When using the list format, the output actions will be applied in the
user defined order.

.. list-table:: : acls: <acl name>: - rule: actions: output: {}
:widths: 30 15 15 40
:header-rows: 1
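Review bot: the dictionary-order note lists `vlan_vids` twice ("pop_vlans, vlan_vids, swap_vid, vlan_vids, set_fields, port, ports and then failover"); the first occurrence is presumably `vlan_vid`, which is also the key the restriction sentence that follows pairs with `vlan_vids`. The order also omits `tunnel`, which this PR adds to the output table below; state where it falls in the sequence, or say explicitly that it cannot be combined with the other output keys if that is the case.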
Expand Down Expand Up @@ -979,6 +991,10 @@ The output action contains a dictionary with the following elements:
- dictionary
- None
- Output with a failover port (see below).
* - Tunnel
- dictionary
- None
- Generic port output to any port in the stack

Failover is an experimental option, but can be configured as follows:

Expand All @@ -999,6 +1015,35 @@ Failover is an experimental option, but can be configured as follows:
- None
- The list of ports the packet can be output through.

A tunnel ACL will encapsulate a packet before sending it through the stack topology

.. note:: Currently tunnel ACLs only support VLAN encapsulation.

.. list-table:: : acls: <acl name>: - rule: actions: output: tunnel: {}
:widths: 30 15 15 40
:header-rows: 1

* - Attribute
- Type
- Default
- Description
* - type
- str
- 'vlan'
- The encapsulation type for the packet. Default is to encapsulate using QinQ.
* - tunnel_id
- int/str
- VID that is greater than the largest configured VID
- The ID for the encapsulation type
* - dp
- int/str
- None
- The name or dp_id of the dp where the output port belongs
* - port
- int/str
- None
- The name or port number of the interface on the remote DP to output the packet

.. _gauge-configuration:

Gauge configuration
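Review bot: the sentence "A tunnel ACL will encapsulate a packet before sending it through the stack topology" lacks a full stop. In the attribute table, `type` defaults to `'vlan'` and the note above says only VLAN encapsulation is supported, so list the accepted values (currently just `vlan`) rather than only the default. Since `tunnel_id` defaults to a VID above the largest configured VID, evidently to avoid colliding with a real VLAN, document what happens when a user supplies a `tunnel_id` that is already a configured VID (rejected at config load, or silently sharing that VLAN's tag); a user reading only the table will assume any int is safe.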
14 changes: 7 additions & 7 deletions docs/tutorials/acls.rst
Expand Up @@ -266,14 +266,14 @@ There is also the 'output' action which can be used to achieve the same thing.
actions:
allow: False
output:
port: 4
- port: 4
- rule:
dl_type: 0x86dd
ip_proto: 58
actions:
allow: False
output:
port: 4
- port: 4


The output action also allows us to change the packet by setting fields
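Review bot: the examples switch from `port: 4` to the list item `- port: 4` without the surrounding tutorial text explaining the change. Add a sentence here noting that `output` accepts either a dictionary or a list, as the configuration.rst change in this PR documents, and that the list form is used in the tutorial because its actions are applied in the order written; otherwise readers with existing dictionary-style ACLs will assume their configs are now invalid.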
Expand Down Expand Up @@ -302,7 +302,7 @@ Let's create a new ACL for host2's port that will change the MAC source address.
actions:
allow: True
output:
set_fields:
- set_fields:
- eth_src: "00:00:00:00:00:02"
...

Expand Down Expand Up @@ -356,16 +356,16 @@ To do this we will use both the 'port' & 'vlan_vid' output fields.
actions:
allow: False
output:
vlan_vid: 3
port: 4
- vlan_vid: 3
- port: 4
- rule:
dl_type: 0x86dd
ip_proto: 58
actions:
allow: False
output:
vlan_vid: 3
port: 4
- vlan_vid: 3
- port: 4


Again reload Faucet, start a tcpdump on host4, and ping from host1 to host3.
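Review bot: this is the example where ordering actually matters, and the tutorial text above ("To do this we will use both the 'port' & 'vlan_vid' output fields") should say so: because the list form is applied in the user-defined order, `- vlan_vid: 3` must come before `- port: 4` so the VLAN tag is pushed before the packet is output, which is the reason this PR introduces ordered actions. Placing `port` first would output the packet before the tag is pushed, so one sentence pointing this out will prevent the most likely copy-paste mistake.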