
On Fri, Apr 5, 2019 at 9:56 AM Miguel Duarte de Mora Barroso <mdbarroso@redhat.com> wrote:

Mind sharing the created ACLs? (which I'm quite positive will be the default ones, but I just have to be sure). Can be done via "ovn-nbctl list acl". With that I can check the ACLs assigned to the default group, and assure they are correct.
The question is: previous networks (in the sense of already existing before the port security feature had been introduced in 4.3) seem to have inherited the "Enabled" option, and this prevents communication between VMs on the same OVN network. Is this expected? Otherwise other people in 4.2 using OVN will have the same problem migrating to 4.3.

If I create now in 4.3.2 a new OVN based network, if I select "Create an external provider", I get as default "ovirt-provider-ovn" as External Provider and "Enabled" as Network Port Security. Is this expected? Is it expected that a new OVN network with default values (Enabled port security) is made so that by default 2 VMs don't communicate if I don't set a special security group rule (that at this moment requires the REST API)?

As far as ACLs currently in place are concerned, here they are for my current environment.

[root@ovmgr1 ~]# ovn-nbctl list acl
_uuid               : 239f0fa4-a66e-4cce-8df2-05630f11e052
action              : drop
direction           : to-lport
external_ids        : {description="drop all ingress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log                 : false
match               : "outport == @DropAll && ip"
meter               : []
name                : ""
priority            : 1000
severity            : alert

_uuid               : 141aa336-0549-47d0-b09f-c2cb0dd78dd2
action              : allow-related
direction           : from-lport
external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "inport == @Default && ip4"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : ac7d5a16-a596-43dc-88ec-e9d47512e7ce
action              : drop
direction           : from-lport
external_ids        : {description="drop all egress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log                 : false
match               : "inport == @DropAll && ip"
meter               : []
name                : ""
priority            : 1000
severity            : alert

_uuid               : ef7f32f2-8b78-433f-a831-0e801c9d8b3e
action              : allow-related
direction           : to-lport
external_ids        : {ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : 70c7114b-1be6-49c1-9bbd-966c52751e79
action              : allow-related
direction           : from-lport
external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv6", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "inport == @Default && ip6"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : 264111cf-4f66-4b4c-b3c9-693bbca53a70
action              : allow-related
direction           : to-lport
external_ids        : {ovirt_ethertype="IPv6", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "outport == @Default && ip6 && ip6.src == $pg_ip6_Default"
meter               : []
name                : ""
priority            : 1001
severity            : alert
[root@ovmgr1 ~]#

Gianluca
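Since the thread turns on whether the ACLs attached to the Default port group really let its members reach each other, here is an added Python example (not part of the original thread, and not ovirt-provider-ovn code) that parses `ovn-nbctl list acl` output and summarizes the allow/drop rules per port group. Its sample input is the four IPv4 records from the listing above, re-wrapped one field per line as ovn-nbctl prints them. The check at the end assumes each VM port belongs to both the Default and DropAll port groups; that is my assumption, since `list acl` output does not show port membership (the Port_Group table does).

```python
import re

# Sample input: the four IPv4-related records from the ovn-nbctl listing
# in the post above, one field per line (the two IPv6 records are omitted).
SAMPLE_ACLS = """\
_uuid               : 239f0fa4-a66e-4cce-8df2-05630f11e052
action              : drop
direction           : to-lport
external_ids        : {description="drop all ingress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log                 : false
match               : "outport == @DropAll && ip"
meter               : []
name                : ""
priority            : 1000
severity            : alert

_uuid               : 141aa336-0549-47d0-b09f-c2cb0dd78dd2
action              : allow-related
direction           : from-lport
external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "inport == @Default && ip4"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : ac7d5a16-a596-43dc-88ec-e9d47512e7ce
action              : drop
direction           : from-lport
external_ids        : {description="drop all egress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log                 : false
match               : "inport == @DropAll && ip"
meter               : []
name                : ""
priority            : 1000
severity            : alert

_uuid               : ef7f32f2-8b78-433f-a831-0e801c9d8b3e
action              : allow-related
direction           : to-lport
external_ids        : {ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"
meter               : []
name                : ""
priority            : 1001
severity            : alert
"""

_EXT_ID_RE = re.compile(r'(\w+)="([^"]*)"')            # key="value" pairs inside external_ids
_GROUP_RE = re.compile(r'(?:inport|outport) == @(\w+)')  # port group the match applies to
_SRC_SET_RE = re.compile(r'ip[46]\.src == \$(\w+)')      # address set the sources are limited to

def parse_acls(text):
    """Turn `ovn-nbctl list acl` output into one dict per ACL record."""
    acls = []
    for block in re.split(r'\n\s*\n', text.strip()):      # records are separated by blank lines
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(':')           # first ':' separates column from value
            rec[key.strip()] = value.strip()
        rec['match'] = rec['match'].strip('"')
        rec['external_ids'] = dict(_EXT_ID_RE.findall(rec['external_ids']))
        rec['priority'] = int(rec['priority'])
        acls.append(rec)
    return acls

def rules_by_group(acls):
    """Group the ACLs by the port group named in their match (@Default, @DropAll, ...)."""
    groups = {}
    for acl in acls:
        group = _GROUP_RE.search(acl['match'])
        src = _SRC_SET_RE.search(acl['match'])
        groups.setdefault(group.group(1) if group else None, []).append({
            'direction': acl['direction'],
            'action': acl['action'],
            'priority': acl['priority'],
            'src_set': src.group(1) if src else None,
        })
    return groups

def intra_group_traffic_allowed(acls, group, drop_group='DropAll'):
    """True if members of `group` can exchange IP traffic: allow rules in both directions
    that outrank the drops on `drop_group`, with the ingress allow accepting the group's
    own address set ($pg_ip4_<group>/$pg_ip6_<group>). Assumes (my assumption) that every
    port is a member of both groups."""
    groups = rules_by_group(acls)
    drop_prio = max((r['priority'] for r in groups.get(drop_group, []) if r['action'] == 'drop'), default=-1)
    rules = [r for r in groups.get(group, []) if r['action'].startswith('allow') and r['priority'] > drop_prio]
    egress_ok = any(r['direction'] == 'from-lport' for r in rules)
    ingress_ok = any(r['direction'] == 'to-lport' and r['src_set'] in (f'pg_ip4_{group}', f'pg_ip6_{group}') for r in rules)
    return egress_ok and ingress_ok

if __name__ == '__main__':
    for name, rules in rules_by_group(parse_acls(SAMPLE_ACLS)).items():
        print(f"@{name}:", [(r['direction'], r['action'], r['priority'], r['src_set']) for r in rules])
    print('Default members can reach each other:', intra_group_traffic_allowed(parse_acls(SAMPLE_ACLS), 'Default'))
```

On the listing above this reports that the Default group's allow-related rules (priority 1001) outrank the DropAll drops (priority 1000) in both directions and that ingress is limited to the `$pg_ip4_Default` address set, so the ACL side is consistent with members of Default talking to each other. Pipe real `ovn-nbctl list acl` output into `parse_acls` to run the same summary against a live northbound database; whether a given VM port is actually in the Default group still has to be checked separately.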