On Fri, Apr 5, 2019 at 9:56 AM Miguel Duarte de Mora Barroso <
mdbarroso(a)redhat.com> wrote:
> Mind sharing the created ACLs? (which I'm quite positive will be the
> default ones, but I just have to be sure). Can be done via "ovn-nbctl
> list acl". With that I can check the ACLs assigned to the default
> group, and assure they are correct.
The question is: previous networks (in the sense of already existing before
the port security feature had been introduced in 4.3) seem to have inherited the
"Enabled" option, and this prevents communication between VMs on the same
OVN network.
Is this expected?
Otherwise other people in 4.2 using OVN will have the same problem
migrating to 4.3.
If I now create, in 4.3.2, a new OVN-based network and select "Create on an
external provider", I get as default "ovirt-provider-ovn" as External
Provider and "Enabled" as Network Port Security. Is this expected?
Is it expected that a new OVN network with default values (Enabled port
security) is made so that by default 2 VMs don't communicate if I don't set
a special security group rule (which at this moment requires the REST API)?
As far as ACLs currently in place are concerned, here they are for my
current environment.
[root@ovmgr1 ~]# ovn-nbctl list acl
_uuid : 239f0fa4-a66e-4cce-8df2-05630f11e052
action : drop
direction : to-lport
external_ids : {description="drop all ingress ip traffic",
ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log : false
match : "outport == @DropAll && ip"
meter : []
name : ""
priority : 1000
severity : alert
_uuid : 141aa336-0549-47d0-b09f-c2cb0dd78dd2
action : allow-related
direction : from-lport
external_ids : {description="automatically added allow all egress ip
traffic", ovirt_ethertype="IPv4",
ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log : false
match : "inport == @Default && ip4"
meter : []
name : ""
priority : 1001
severity : alert
_uuid : ac7d5a16-a596-43dc-88ec-e9d47512e7ce
action : drop
direction : from-lport
external_ids : {description="drop all egress ip traffic",
ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log : false
match : "inport == @DropAll && ip"
meter : []
name : ""
priority : 1000
severity : alert
_uuid : ef7f32f2-8b78-433f-a831-0e801c9d8b3e
action : allow-related
direction : to-lport
external_ids : {ovirt_ethertype="IPv4",
ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616",
ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log : false
match : "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"
meter : []
name : ""
priority : 1001
severity : alert
_uuid : 70c7114b-1be6-49c1-9bbd-966c52751e79
action : allow-related
direction : from-lport
external_ids : {description="automatically added allow all egress ip
traffic", ovirt_ethertype="IPv6",
ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log : false
match : "inport == @Default && ip6"
meter : []
name : ""
priority : 1001
severity : alert
_uuid : 264111cf-4f66-4b4c-b3c9-693bbca53a70
action : allow-related
direction : to-lport
external_ids : {ovirt_ethertype="IPv6",
ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616",
ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log : false
match : "outport == @Default && ip6 && ip6.src == $pg_ip6_Default"
meter : []
name : ""
priority : 1001
severity : alert
[root@ovmgr1 ~]#
Gianluca
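To make it easier to reason about which of the six ACLs above wins for a given packet, here is an added example (not part of the thread, and not ovirt-provider-ovn's own code): a small evaluator for the subset of OVN match syntax those ACLs use, applying OVN's rule that the highest-priority matching ACL in each stage decides, and that a packet with no matching ACL is allowed. The port names, addresses and port-group memberships are constructed, and it is an assumption that the address sets $pg_ip4_Default / $pg_ip6_Default contain the addresses of the ports in the Default group (which is what ovirt_remote_group_id pointing at the same group id suggests).

```python
"""Simulate OVN's evaluation of the ACLs listed in the ovn-nbctl output.

Added example, not code from the thread or from ovirt-provider-ovn. It
supports only the match terms that appear in those six ACLs.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    addr: str
    family: str            # "ip4" or "ip6"
    groups: set = field(default_factory=set)   # OVN port-group names


# (priority, direction, action, match) copied from the six ACL records above.
ACLS = [
    (1000, "to-lport",   "drop",          "outport == @DropAll && ip"),
    (1001, "from-lport", "allow-related", "inport == @Default && ip4"),
    (1000, "from-lport", "drop",          "inport == @DropAll && ip"),
    (1001, "to-lport",   "allow-related",
     "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"),
    (1001, "from-lport", "allow-related", "inport == @Default && ip6"),
    (1001, "to-lport",   "allow-related",
     "outport == @Default && ip6 && ip6.src == $pg_ip6_Default"),
]

# Constructed topology: two VMs with port security plus the default security
# group, one VM with port security but no group, and a port outside every group.
PORTS = {
    "vm1": Port("vm1", "10.0.0.11", "ip4", {"Default", "DropAll"}),
    "vm2": Port("vm2", "10.0.0.12", "ip4", {"Default", "DropAll"}),
    "vm3": Port("vm3", "10.0.0.13", "ip4", {"DropAll"}),
    "ext": Port("ext", "192.0.2.50", "ip4", set()),
}


def address_set(ports, name):
    """Assumption: $pg_<family>_<group> holds the addresses of that group's ports."""
    _, family, group = name.split("_", 2)
    return {p.addr for p in ports.values()
            if group in p.groups and p.family == family}


def term_matches(term, port, src, ports):
    """Evaluate one '&&'-separated term against the port being checked."""
    term = term.strip()
    if term == "ip":
        return True                      # any IP packet
    if term in ("ip4", "ip6"):
        return src.family == term        # packet ethertype
    m = re.fullmatch(r"(inport|outport) == @(\w+)", term)
    if m:
        return m.group(2) in port.groups
    m = re.fullmatch(r"(ip4|ip6)\.src == \$(\w+)", term)
    if m:
        return src.family == m.group(1) and src.addr in address_set(ports, m.group(2))
    raise ValueError(f"unsupported match term: {term!r}")


def stage_verdict(acls, direction, port, src, ports):
    """Highest-priority matching ACL wins; no match means OVN's default allow."""
    hits = [(prio, action) for prio, d, action, match in acls
            if d == direction
            and all(term_matches(t, port, src, ports) for t in match.split("&&"))]
    if not hits:
        return "allow"
    top = max(prio for prio, _ in hits)
    actions = {action for prio, action in hits if prio == top}
    if len(actions) > 1:
        return "undefined"   # OVN leaves equal-priority conflicts undefined
    return actions.pop()


def delivered(acls, ports, src_name, dst_name):
    """Return (delivered?, from-lport verdict at source, to-lport verdict at dest)."""
    src, dst = ports[src_name], ports[dst_name]
    egress = stage_verdict(acls, "from-lport", src, src, ports)
    ingress = stage_verdict(acls, "to-lport", dst, src, ports)
    ok = egress in ("allow", "allow-related") and ingress in ("allow", "allow-related")
    return ok, egress, ingress


if __name__ == "__main__":
    for s, d in [("vm1", "vm2"), ("ext", "vm2"), ("vm3", "vm2"), ("vm1", "vm3")]:
        print(s, "->", d, delivered(ACLS, PORTS, s, d))
```

With the constructed membership, traffic between vm1 and vm2 passes both stages because the priority-1001 allow-related ACLs on @Default outrank the priority-1000 drops on @DropAll, while a port that is in @DropAll but not in @Default, or a source whose address is not in the group's address set, hits only the drop. Whether a given oVirt port actually ends up in both groups is exactly what the thread is asking; "ovn-nbctl list port_group" shows the real membership.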