Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enable_router_port_acl usage #264

Open
TVKain opened this issue Nov 14, 2024 · 0 comments
Open

enable_router_port_acl usage #264

TVKain opened this issue Nov 14, 2024 · 0 comments

Comments

@TVKain
Copy link

TVKain commented Nov 14, 2024

The commit 48397c0 added the enable_router_port_acl option for lsp which has a dgw port peer.

My goal is to set up a stateful Firewall for N-S traffic

I set up a simple topology to test it out
PUBLIC---S1-(S1-R1)-------------(R1-S1)-R1 -------- S2 ---- VM1

R1: dgw port 26.7.2.18, SNAT
S1: localnet -> VLAN 1000, 26.7.2.0/24
S2: localnet -> VLAN 3001, 192.168.31.0/24,
VM1: internal 192.168.31.200, floating 26.7.2.81
PUBLIC: 26.7.2.201

The behaviors that I want are

  1. VM1 is able to initiate ICMP echo to PUBLIC and receive the reply
  2. PUBLIC attemps to initiate ICMP echo to VM1 Floating IP will be blocked
ovn-nbctl pg-add pg_dgw
ovn-nbctl pg-set-ports pg_dgw S1-R1
ovn-nbctl acl-add pg_dgw to-lport 1002 "outport == @pg_dgw && ip4" allow-related
ovn-nbctl acl-add pg_dgw from-lport 1001 "inport == @pg_dgw && ip4" drop
ovn-nbctl lsp-set-options S1-R1 router-port=R1-S1 enable_router_port_acl=true

Actual result:
VM1 was able to initiate IMCP echo to PUBLIC, but the return traffic didn't pass through
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@TVKain