Merge pull request #3476 from mab68/orderedacl1
Ordered ACL output actions
gizmoguy authored Mar 16, 2020
2 parents e71a4a6 + 6781b29 commit f13396a
Showing 12 changed files with 3,940 additions and 536 deletions.
49 changes: 47 additions & 2 deletions docs/configuration.rst
Expand Up @@ -903,6 +903,9 @@ and actions. Matches are key/values based on the `ryu RESTFul API.
<https://ryu.readthedocs.io/en/latest/app/ofctl_rest.html#reference-description-of-match-and-actions>`_
Actions is a dictionary of actions to apply upon match.

.. note:: When setting allow to true, the packet will be submitted to the
next table AFTER having the output actions applied to it.

.. list-table:: : acls: <acl name>: - rule: actions: {}
:widths: 30 15 15 40
:header-rows: 1
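Review bot: the new `.. note::` should say that it is the modified packet which reaches the next table, not only that the output actions run first: with `allow: true` combined with header-changing output actions (set_fields, vlan_vids, swap_vid, pop_vlans from the table below), later tables would match and forward on the rewritten headers, and that is what a reader choosing between `allow: true` and `allow: false` needs to know. Suggest: "When allow is true, the packet is submitted to the next table after the output actions have been applied, so any header changes they make are visible to later tables." RST emphasis (``*after*``) also reads better than the capitalised AFTER.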
Expand Down Expand Up @@ -933,12 +936,21 @@ Actions is a dictionary of actions to apply upon match.
- None
- Copy the packet, before any modifications, to the specified port (NOTE: ACL mirroring is done in input direction only)
* - output
- dictionary
- dictionary or list
- None
- Used to output a packet directly. Details below.
- Used to apply more specific output actions for an ACL

The output action contains a dictionary with the following elements:

.. note:: When using the dictionary format, Faucet will
build the actions in the following order: pop_vlans, vlan_vids, swap_vid,
vlan_vids, set_fields, port, ports and then failover.
The ACL dictionary format also restricts using port & ports, vlan_vid & vlan_vids
at the same time.

.. note:: When using the list format, the output actions will be applied in the
user defined order.

.. list-table:: : acls: <acl name>: - rule: actions: output: {}
:widths: 30 15 15 40
:header-rows: 1
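Review bot: the dictionary-order note lists `vlan_vids` twice ("pop_vlans, vlan_vids, swap_vid, vlan_vids, set_fields, ..."); one of them is presumably `vlan_vid`, matching the "vlan_vid & vlan_vids" restriction two lines later, so fix the sequence. In the same hunk, the replacement description "Used to apply more specific output actions for an ACL" dropped the "Details below." pointer the old text had, and since the list format applies actions "in the user defined order", the second note should warn that order is now semantically significant: a `port`/`ports` entry placed before `set_fields` or `vlan_vids` outputs the packet before those modifications are applied. Finally, state whether combining `port` & `ports` (or `vlan_vid` & `vlan_vids`) is rejected at config load, so operators know it is a hard error rather than undefined behaviour.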
Expand Down Expand Up @@ -979,6 +991,10 @@ The output action contains a dictionary with the following elements:
- dictionary
- None
- Output with a failover port (see below).
* - Tunnel
- dictionary
- None
- Generic port output to any port in the stack

Failover is an experimental option, but can be configured as follows:

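Review bot: the new attribute is spelled `Tunnel`, but the configuration key is lowercase (the sub-table further down is titled `... output: tunnel: {}`) and every other attribute in this table is lowercase, so change it to `tunnel`. The description "Generic port output to any port in the stack" should also carry a "(see below)" pointer like the `failover` row directly above it, since the tunnel sub-table follows.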
Expand All @@ -999,6 +1015,35 @@ Failover is an experimental option, but can be configured as follows:
- None
- The list of ports the packet can be output through.

A tunnel ACL will encapsulate a packet before sending it through the stack topology

.. note:: Currently tunnel ACLs only support VLAN encapsulation.

.. list-table:: : acls: <acl name>: - rule: actions: output: tunnel: {}
:widths: 30 15 15 40
:header-rows: 1

* - Attribute
- Type
- Default
- Description
* - type
- str
- 'vlan'
- The encapsulation type for the packet. Default is to encapsulate using QinQ.
* - tunnel_id
- int/str
- VID that is greater than the largest configured VID
- The ID for the encapsulation type
* - dp
- int/str
- None
- The name or dp_id of the dp where the output port belongs
* - port
- int/str
- None
- The name or port number of the interface on the remote DP to output the packet

.. _gauge-configuration:

Gauge configuration
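Review bot: the `type` row is inconsistent with itself: the default is 'vlan' but the description says "Default is to encapsulate using QinQ"; say plainly that 'vlan' means a QinQ outer tag (if that is the intent) and that it is currently the only accepted value, in line with the note "Currently tunnel ACLs only support VLAN encapsulation". The `tunnel_id` default "VID that is greater than the largest configured VID" should also state what happens on collision: if an operator later adds a VLAN with that VID, or sets `tunnel_id` to an existing VLAN's VID, tunnelled traffic and that VLAN's traffic would share a tag, so document whether Faucet rejects such a configuration. Minor: the sentence "A tunnel ACL will encapsulate a packet before sending it through the stack topology" is missing its full stop.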
14 changes: 7 additions & 7 deletions docs/tutorials/acls.rst
Expand Up @@ -266,14 +266,14 @@ There is also the 'output' action which can be used to achieve the same thing.
actions:
allow: False
output:
port: 4
- port: 4
- rule:
dl_type: 0x86dd
ip_proto: 58
actions:
allow: False
output:
port: 4
- port: 4
The output action also allows us to change the packet by setting fields
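Review bot: the examples switch from `output: port: 4` to the list form `output: - port: 4` without the surrounding text saying so; since docs/configuration.rst in this same commit keeps the dictionary form valid ("dictionary or list"), add a sentence noting that the tutorial now uses the list form and that the single-key dictionary form shown previously still works, otherwise readers with existing configs may conclude the old syntax has been removed.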
Expand Down Expand Up @@ -302,7 +302,7 @@ Let's create a new ACL for host2's port that will change the MAC source address.
actions:
allow: True
output:
set_fields:
- set_fields:
- eth_src: "00:00:00:00:00:02"
...
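Review bot: with `set_fields` now a list entry (`- set_fields:`) whose value is itself a list (`- eth_src: "00:00:00:00:00:02"`), the inner item must be indented further than the outer `-` so YAML parses it as the value of `set_fields` rather than as a second entry of `output`; the rendered diff does not show indentation, so it is worth confirming the nesting in the source.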
Expand Down Expand Up @@ -356,16 +356,16 @@ To do this we will use both the 'port' & 'vlan_vid' output fields.
actions:
allow: False
output:
vlan_vid: 3
port: 4
- vlan_vid: 3
- port: 4
- rule:
dl_type: 0x86dd
ip_proto: 58
actions:
allow: False
output:
vlan_vid: 3
port: 4
- vlan_vid: 3
- port: 4
Again reload Faucet, start a tcpdump on host4, and ping from host1 to host3.
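Review bot: now that `vlan_vid: 3` and `port: 4` are separate list entries, their order determines behaviour: per the new configuration.rst note the list form applies actions in the user-defined order, so `- vlan_vid: 3` before `- port: 4` pushes the tag and then outputs, whereas the reverse order would output the packet to port 4 untagged. The tutorial text ("use both the 'port' & 'vlan_vid' output fields") should call this out, since the tcpdump on host4 in the next sentence is exactly how a mis-ordered rule would show up. Both rules in this hunk have the right order.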