port group:
_uuid : 5a98ec19-a151-4f20-a12d-26fbd4bf5014
action : drop
direction : from-lport
external_ids : {}
label : 0
log : false
match : "ip && inport == @ovn_pg_1"
meter : []
name : []
options : {}
priority : 2000
severity : []
If the LSP interface of the VM exists in both the logical switch and the port group, the ACLs can only take effect at one level, logical switch or PG.
Is it correct that this kind of security policy affects each other when the actual effective scope is inconsistent? Or how can I configure it so that the two types of ACLs do not affect each other?
Hi, I'm not sure if I understand the question correctly. But from the info provided, it's correct that both ACLs might be evaluated for the same VM.
Although it belongs to the same VM, this VM is in the PG and in the subnet, so there are two ACLs: one is configured on the PG and the other on the subnet. I expect both ACLs to take effect; in different directions, different ACLs take effect, not just whichever one has the higher priority. Is there any way?
Q1: VM1-->PG-x->Subnet-->VM2
If the ACL of the PG is reject and its rule priority is low, but the ACL rule of the subnet is allow and its rule priority is high, the final action should be the reject of the ACL on the PG instead of the one with the highest priority.
Q2: VM1<-x-PG<--Subnet<--VM2
If the ACL of the subnet is reject and its rule priority is low, but the ACL rule of the PG is allow and its rule priority is high, the final action should be the reject of the ACL on the PG instead of the one with the highest priority.
ovn acl :
logical_switch :
_uuid : 12b25a3d-b32c-4f37-a89d-7c1b7cf81772
action : allow-related
direction : to-lport
external_ids : {acl_group=ACL-1}
label : 0
log : false
match : "ip4.src == 0.0.0.0/0 && tcp && 8080 <= tcp.dst <= 8080"
meter : []
name : ACL-1-in-3
options : {}
priority : 1497
severity : []
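To make the maintainer's point concrete (both ACLs are evaluated for the same VM), here is an added Python model of how OVN evaluates ACLs; it is not OVN code and not part of this issue. It assumes one logical switch with constructed ports vm1, vm2 and vm3, vm1 being the only member of ovn_pg_1, and replaces OVN's match language with Python predicates.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Acl:
    direction: str                # "from-lport" or "to-lport"
    priority: int                 # 0..32767, higher wins within a direction
    match: str                    # OVN match text, kept for reporting only
    action: str                   # allow, allow-related, drop, reject
    pred: Callable[[dict], bool]  # constructed Python stand-in for the OVN match

# Constructed topology (assumption): one logical switch holding vm1, vm2, vm3;
# vm1 is the only member of port group ovn_pg_1.
SWITCH_PORTS = {"vm1", "vm2", "vm3"}
PG_MEMBERS = {"ovn_pg_1": {"vm1"}}

# The two ACLs quoted in the issue, with their matches rewritten as predicates.
SWITCH_ACLS = [Acl("to-lport", 1497, "ip4.src == 0.0.0.0/0 && tcp && 8080 <= tcp.dst <= 8080",
                   "allow-related", lambda p: p["ip4"] and p["proto"] == "tcp" and p["tcp_dst"] == 8080)]
PG_ACLS = {"ovn_pg_1": [Acl("from-lport", 2000, "ip && inport == @ovn_pg_1", "drop",
                            lambda p: p["ip4"] and p["inport"] in PG_MEMBERS["ovn_pg_1"])]}

# Constructed packet: vm1 (in ovn_pg_1) sending TCP/8080 to vm2 on the same switch.
PKT_VM1_TO_VM2 = {"inport": "vm1", "outport": "vm2", "ip4": True, "proto": "tcp", "tcp_dst": 8080}

def effective_acls() -> list:
    """What OVN installs on the switch: its own ACLs plus the ACLs of every port
    group that has at least one member on the switch (a PG ACL whose match does
    not name the group would therefore hit every port of the switch)."""
    acls = list(SWITCH_ACLS)
    for pg, members in PG_MEMBERS.items():
        if members & SWITCH_PORTS:
            acls.extend(PG_ACLS.get(pg, []))
    return acls

def stage_verdict(direction: str, pkt: dict, acls: Optional[list] = None) -> tuple:
    """One ACL stage: the highest-priority matching ACL wins regardless of where it
    was attached; no match means allow. Equal-priority overlaps are undefined in OVN."""
    hits = [a for a in (acls if acls is not None else effective_acls())
            if a.direction == direction and a.pred(pkt)]
    if not hits:
        return ("allow", "<default: no ACL matched>")
    best = max(hits, key=lambda a: a.priority)
    return (best.action, best.match)

def forward(pkt: dict) -> list:
    """Trace a packet: from-lport stage at the ingress port, then the to-lport stage."""
    trace = [("from-lport",) + stage_verdict("from-lport", pkt)]
    if trace[0][1] in ("drop", "reject"):
        return trace  # dropped before the switch's to-lport ACL is ever consulted
    trace.append(("to-lport",) + stage_verdict("to-lport", pkt))
    return trace
```

Running `forward(PKT_VM1_TO_VM2)` shows the PG drop deciding in from-lport before the subnet's to-lport allow is reached, while two ACLs in the same direction are decided purely by priority, whichever object they are attached to.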