Bug 1885670

Summary: [RFE] Improving Northbound Database Port-Group Table's functional behavior
Product: Red Hat Enterprise Linux Fast Datapath
Component: OVN
Reporter: Anil Vishnoi <avishnoi>
Assignee: OVN Team <ovnteam>
QA Contact: Jianlin Shi <jishi>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: RHEL 8.0
CC: ctrautma, dceara, i.maximets, mmichels, nusiddiq, trozet
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Last Closed: 2024-02-14 21:11:25 UTC
Type: Bug

Description Anil Vishnoi 2020-10-06 16:48:46 UTC
Description of problem:
Currently Port-Group is used in multiple contexts:
(1) as a match criterion for ACLs
(2) applying ACLs to a set of logical switches (not to specific ports of the logical-switches).

This creates a bit of confusion about its functional behavior, specifically for scenario (2) above, where the port group is used to determine the logical-switch where the ACL needs to be specified. Please see the BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1885668) for more details about it.

Had a good discussion over IRC on this with Dumitru, Ilya and Numan in this regard. Just want to share a few thoughts on improving this functional behavior based on the discussion to see if that makes sense.

If we make the following enhancements in OVN NB DB, it might make things more intuitive and simple:
(1) Remove support for inport=@portgroup match from the ACL match.
(2) Port-Group will only be used to apply ACLs to the specific ports. So if an ACL is associated with a port-group, northd can generate logical-flows that contain the inport match.
(3) Define Logical-Switch-Groups, to apply ACLs at the logical-switch level.

Given that inport won't be allowed in ACLs, users need to explicitly define whether they want to apply an ACL to a specific port/set-of-ports or apply it at the logical-switch level.

Thoughts?

Comment 1 OVN Bot 2024-02-14 21:11:23 UTC
This issue is being closed as an automatic process due to the issue's age. If you wish to re-open this issue, please do so in Jira (https://issues.redhat.com) in the 'FDP' project. Please be sure to set the component to the latest OVN version where this issue is known to occur. If this is a feature request or improvement, please set the component to 'OVN'.