Bug 1919941 - [ovn-nbctl] Enhance acl-list <LS> to also display ACLs applied through port groups.
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: OVN
Version: FDP 20.H
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: ---
Assignee: OVN Team
QA Contact: Jianlin Shi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-25 12:22 UTC by Dumitru Ceara
Modified: 2023-07-13 07:25 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FD-1048 0 None None None 2021-11-19 14:51:38 UTC

Description Dumitru Ceara 2021-01-25 12:22:38 UTC
Description of problem:

When OVN ACLs are applied to a port group they are essentially applied to every logical switch that contains ports that are part of the port group.

However, when displaying ACLs applied on a logical switch, ovn-nbctl only returns ACLs explicitly applied on the logical switch. This makes troubleshooting more complicated.

Version-Release number of selected component (if applicable):
Any.

How reproducible:
Every time.

Steps to Reproduce:
$ ovn-nbctl ls-add ls
$ ovn-nbctl lsp-add ls lsp1
$ ovn-nbctl pg-add pg1 lsp1
$ ovn-nbctl acl-add pg1 to-lport 2 udp allow
$ ovn-nbctl acl-add ls to-lport 1 ip drop

Actual results:
$ ovn-nbctl acl-list ls
  to-lport     1 (ip) drop
$ ovn-nbctl acl-list pg1
  to-lport     2 (udp) allow

Expected results:
$ ovn-nbctl --all acl-list ls
  to-lport     2 (udp) allow
  to-lport     1 (ip) drop
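
The merge this report asks for, as an added example that is not part of the original report and is not ovn-nbctl code: it lists a switch's own ACLs together with those inherited from any port group sharing a port with it, so a policy review does not miss the inherited rules. The `NB` dictionary, the helper names, and the second switch `ls2`/`lsp2` are constructed for illustration; the other rows mirror the reproducer above.

```python
# Constructed in-memory model of the reproducer on this page; real data lives
# in the OVN Northbound tables Logical_Switch, Port_Group and ACL.
NB = {
    "switches": {
        "ls": {"ports": {"lsp1"},
               "acls": [("to-lport", 1, "ip", "drop")]},
        # Hypothetical second switch with no port in any port group.
        "ls2": {"ports": {"lsp2"}, "acls": []},
    },
    "port_groups": {
        "pg1": {"ports": {"lsp1"},
                "acls": [("to-lport", 2, "udp", "allow")]},
    },
}


def effective_acls(nb, ls_name):
    """Return (source, direction, priority, match, action) tuples for every
    ACL that affects the switch: its own plus those of any port group that
    shares at least one port with it."""
    ls = nb["switches"][ls_name]
    rows = [(ls_name, *acl) for acl in ls["acls"]]
    for pg_name, pg in sorted(nb["port_groups"].items()):
        if pg["ports"] & ls["ports"]:  # group has a port on this switch
            rows += [(pg_name, *acl) for acl in pg["acls"]]
    # from-lport before to-lport, then highest priority first, matching the
    # order shown under "Expected results".
    return sorted(rows, key=lambda r: (r[1], -r[2], r[3]))


def render(rows):
    """Format rows like the acl-list output above, with the source appended."""
    return [f"{d:>10} {p:5} ({m}) {a}  [{src}]" for src, d, p, m, a in rows]


if __name__ == "__main__":
    print("\n".join(render(effective_acls(NB, "ls"))))
```

The bracketed source column is an addition beyond the expected output above; it shows whether a rule came from the switch or from a port group.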
