ovn: support applying ACLs to port groups

Although port groups can be used in match conditions of ACLs, it is
still inconvenient for clients to figure out the lswitches that each
ACL should be applied to.

This patch supports applying ACLs to port groups directly instead of
applying to each related lswitch individually. It provides convenience
for clients such as k8s and OpenStack Neutron.

Requested-by: Guru Shetty <>
Requested-by: Daniel Alvarez Sanchez <>
Signed-off-by: Han Zhou <>
Signed-off-by: Ben Pfaff <>
hzhou8 authored and blp committed May 9, 2018
1 parent 138df3e commit 1beb60afd25a64f1779903b22b37ed3d9956d47c
Showing with 526 additions and 156 deletions.
  1. +2 −1 NEWS
  2. +275 −147 ovn/northd/ovn-northd.c
  3. +7 −2 ovn/ovn-nb.ovsschema
  4. +13 −6 ovn/ovn-nb.xml
  5. +229 −0 tests/
@@ -22,7 +22,8 @@ Post-v2.9.0
and reply with a RST for TCP or ICMPv4/ICMPv6 unreachable message for
other IPv4/IPv6-based protocols whenever a reject ACL rule is hit.
* ACL match conditions can now match on Port_Groups as well as address
sets that are automatically generated by Port_Groups.
sets that are automatically generated by Port_Groups. ACLs can be
applied directly to Port_Groups as well.
* New 'check-dpdk' Makefile target to run a new system testsuite.
See Testing topic for the details.
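Review bot: The added NEWS sentence "ACLs can be applied directly to Port_Groups as well." does not say how an ACL is attached to a Port_Group, or how ACLs applied this way combine with ACLs already applied to a logical switch. Since the commit also touches ovn/ovn-nb.ovsschema and ovn/ovn-nb.xml, consider having the entry name the schema addition or point to the ovn-nb documentation, so that operators upgrading from v2.9.0 know where the new attachment point is described and can check that their existing per-switch ACLs still give the policy they expect.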
