
Commit 1b15f8e

advertised network isolation: functions doc
Signed-off-by: Patryk Diak <[email protected]>
1 parent 250d7fe commit 1b15f8e

1 file changed

+14
-0
lines changed

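--- a/go-controller/pkg/ovn/udn_isolation.go
+++ b/go-controller/pkg/ovn/udn_isolation.go
@@ -244,12 +244,14 @@ const advertisedNetworkIsolationACLID = "advertised-network-isolation"
 const advertisedNetworkSubnetsAddressSet = "advertised-network-subnets"
 const advertisedNetworkSubnetsCtrl = "advertised-network-subnets-controller"
 
+// GetAdvertisedNetworkSubnetsAddressSetDBIDs returns the DB IDs for the advertised network subnets addressset
 func GetAdvertisedNetworkSubnetsAddressSetDBIDs() *libovsdbops.DbObjectIDs {
 return libovsdbops.NewDbObjectIDs(libovsdbops.AddressSetAdvertisedNetwork, advertisedNetworkSubnetsCtrl, map[libovsdbops.ExternalIDKey]string{
 libovsdbops.ObjectNameKey: advertisedNetworkSubnetsAddressSet,
 })
 }
 
+// GetAdvertisedNetworkSubnetsDropACLdbIDs returns the DB IDs for the advertised network subnets drop ACL
 func GetAdvertisedNetworkSubnetsDropACLdbIDs() *libovsdbops.DbObjectIDs {
 return libovsdbops.NewDbObjectIDs(libovsdbops.ACLAdvertisedNetwork, advertisedNetworkIsolationACLID,
 map[libovsdbops.ExternalIDKey]string{
@@ -258,6 +260,7 @@ func GetAdvertisedNetworkSubnetsDropACLdbIDs() *libovsdbops.DbObjectIDs {
 })
 }
 
+// GetAdvertisedNetworkSubnetsPassACLdbIDs returns the DB IDs for the advertised network subnets pass ACL
 func GetAdvertisedNetworkSubnetsPassACLdbIDs(networkName string, networkID int) *libovsdbops.DbObjectIDs {
 return libovsdbops.NewDbObjectIDs(libovsdbops.ACLAdvertisedNetwork, advertisedNetworkIsolationACLID,
 map[libovsdbops.ExternalIDKey]string{
@@ -266,6 +269,10 @@ func GetAdvertisedNetworkSubnetsPassACLdbIDs(networkName string, networkID int)
 })
 }
 
+// BuildAdvertisedNetworkSubnetsDropACL builds the advertised network subnets drop ACL:
+// action match priority
+// ------ --------------------------------------------------------------------------- --------
+// drop "(ip[4|6].src == $<ALL_ADV_SUBNETS> && ip[4|6].dst == $<ALL_ADV_SUBNETS>)" 1050
 func BuildAdvertisedNetworkSubnetsDropACL(advertisedNetworkSubnetsAddressSet addressset.AddressSet) *nbdb.ACL {
 var dropMatches []string
 v4AddrSet, v6AddrSet := advertisedNetworkSubnetsAddressSet.GetASHashNames()
@@ -287,6 +294,12 @@ func BuildAdvertisedNetworkSubnetsDropACL(advertisedNetworkSubnetsAddressSet add
 return dropACL
 }
 
+// addAdvertisedNetworkIsolation adds advertised network isolation rules to the given node.
+// It adds the following ACLs to the node switch:
+// action match priority
+// ------ --------------------------------------------------------------------------- --------
+// pass "(ip[4|6].src == <UDN_SUBNET> && ip[4|6].dst == <UDN_SUBNET>)" 1100
+// drop "(ip[4|6].src == $<ALL_ADV_SUBNETS> && ip[4|6].dst == $<ALL_ADV_SUBNETS>)" 1050
 func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string) error {
 var passMatches, cidrs []string
 var ops []ovsdb.Operation
@@ -348,6 +361,7 @@ func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string)
 return nil
 }
 
+// deleteAdvertisedNetworkIsolation deletes advertised network isolation rules from the given node switch
 func (bnc *BaseNetworkController) deleteAdvertisedNetworkIsolation(nodeName string) error {
 addrSet, err := bnc.addressSetFactory.GetAddressSet(GetAdvertisedNetworkSubnetsAddressSetDBIDs())
 if err != nil {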
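Review bot: The new comment on addAdvertisedNetworkIsolation lists the pass (1100) and drop (1050) priorities but leaves the isolation invariant implicit: the pass ACL must stay at a strictly higher priority than the drop ACL, since the drop presumably matches the network's own subnet too once it is part of the advertised-subnets address set. I would add after the table `// The pass ACL must keep a higher priority than the drop ACL: it exempts the network's own intra-subnet traffic before the drop over all advertised subnets applies.` The same tables (here and on BuildAdvertisedNetworkSubnetsDropACL) would also benefit from stating that `$<ALL_ADV_SUBNETS>` is the address-set hash name returned by GetASHashNames while `<UDN_SUBNET>` is a literal CIDR from cidrs, so a reader does not mistake the two placeholders for the same kind of operand. Minor style: the one-line comments on GetAdvertisedNetworkSubnetsAddressSetDBIDs and deleteAdvertisedNetworkIsolation end without a period, unlike the other new doc comments. The bodies of addAdvertisedNetworkIsolation and deleteAdvertisedNetworkIsolation continue outside the hunks.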
