Describes the individual entries that comprise an Access Control
List.
Each entry in the table is a single rule to match on certain
header fields. While there are a large number of fields that can
be matched on, most hardware cannot match on arbitrary
combinations of fields. It is common to match on either L2 fields
(described below in the L2 group of columns) or L3/L4 fields (the
L3/L4 group of columns) but not both. The hardware switch
controller may log an error if an ACL entry requires it to match
on an incompatible mixture of fields.
Summary:
sequence integer
L2 fields:
source_mac optional string
dest_mac optional string
ethertype optional string
L3/L4 fields:
source_ip optional string
source_mask optional string
dest_ip optional string
dest_mask optional string
protocol optional integer
source_port_min optional integer
source_port_max optional integer
dest_port_min optional integer
dest_port_max optional integer
tcp_flags optional integer
tcp_flags_mask optional integer
icmp_type optional integer
icmp_code optional integer
direction string, either egress or ingress
action string, either deny or permit
Error Notification:
acle_fault_status : invalid_acl_entry
none
acle_fault_status : unspecified_fault
none
Details:
sequence: integer
The sequence number for the ACL entry for the purpose of
ordering entries in an ACL. Lower numbered entries are
matched before higher numbered entries.
L2 fields:
source_mac: optional string
Source MAC address, in the form xx:xx:xx:xx:xx:xx
dest_mac: optional string
Destination MAC address, in the form xx:xx:xx:xx:xx:xx
ethertype: optional string
Ethertype in hexadecimal, in the form 0xAAAA
L3/L4 fields:
source_ip: optional string
Source IP address, in the form xx.xx.xx.xx for IPv4 or
appropriate colon-separated hexadecimal notation for IPv6.
source_mask: optional string
Mask that determines which bits of source_ip to match on,
in the form xx.xx.xx.xx for IPv4 or appropriate colon-
separated hexadecimal notation for IPv6.
dest_ip: optional string
Destination IP address, in the form xx.xx.xx.xx for IPv4
or appropriate colon-separated hexadecimal notation for
IPv6.
dest_mask: optional string
Mask that determines which bits of dest_ip to match on, in
the form xx.xx.xx.xx for IPv4 or appropriate colon-
separated hexadecimal notation for IPv6.
protocol: optional integer
Protocol number in the IPv4 header, or value of the "next
header" field in the IPv6 header.
source_port_min: optional integer
Lower end of the range of source port values. The value
specified is included in the range.
source_port_max: optional integer
Upper end of the range of source port values. The value
specified is included in the range.
dest_port_min: optional integer
Lower end of the range of destination port values. The
value specified is included in the range.
dest_port_max: optional integer
Upper end of the range of destination port values. The
value specified is included in the range.
tcp_flags: optional integer
Integer representing the value of TCP flags to match. For
example, the SYN flag is the second least significant bit
in the TCP flags. Hence a value of 2 would indicate that
the "SYN" flag should be set (assuming an appropriate
mask).
tcp_flags_mask: optional integer
Integer representing the mask to apply when matching TCP
flags. For example, a value of 2 would imply that the
"SYN" flag should be matched and all other flags ignored.
icmp_type: optional integer
ICMP type to be matched.
icmp_code: optional integer
ICMP code to be matched.
direction: string, either egress or ingress
Direction of traffic to match on the specified port,
either "ingress" (toward the logical switch or router) or
"egress" (leaving the logical switch or router).
action: string, either deny or permit
Action to take for this rule, either "permit" or "deny".
Error Notification:
An entry in this column indicates to the NVC that the ACL could
not be configured as requested. The switch must clear this column
when the error has been cleared.
acle_fault_status : invalid_acl_entry: none
Indicates that an ACL entry requested by the controller
could not be instantiated by the switch, e.g. because it
requires an unsupported combination of fields to be
matched.
acle_fault_status : unspecified_fault: none
Indicates that an error has occurred in configuring the
ACL entry but no more specific information is available.
