Each row in this table represents one ACL rule for a logical switch or a
port group that points to it through its acls column.

The action column for the highest-priority matching row in this table
determines a packet's treatment. If no row matches, packets are allowed by
default. (Default-deny treatment is possible: add a rule with priority 0,
1 as match, and drop as action. There is no deny action; the only
blocking actions are drop and reject.)
Summary:
  priority        integer, in range 0 to 32,767
  direction       string, either from-lport or to-lport
  match           string
  action          string, one of allow-related, allow, drop, or reject
  Logging:
    log           boolean
    name          optional string, at most 63 characters long
    severity      optional string, one of alert, debug, info, notice, or
                  warning
    meter         optional string
  Common Columns:
    external_ids  map of string-string pairs
Details:
  priority: integer, in range 0 to 32,767
    The ACL rule's priority. Rules with numerically higher priority take
    precedence over those with lower. If two ACL rules with the same
    priority both match, then the one actually applied to a packet is
    undefined.

    Return traffic from an allow-related flow is always allowed and cannot
    be changed through an ACL.
  direction: string, either from-lport or to-lport
    Direction of the traffic to which this rule should apply:

    • from-lport: Used to implement filters on traffic arriving from a
      logical port. These rules are applied to the logical switch's
      ingress pipeline.

    • to-lport: Used to implement filters on traffic forwarded to a
      logical port. These rules are applied to the logical switch's
      egress pipeline.
  match: string
    The packets that the ACL should match, in the same expression language
    used for the match column in the OVN Southbound database's
    Logical_Flow table. The outport logical port is only available in the
    to-lport direction (the inport is available in both directions), so a
    from-lport rule that tests outport never matches.

    By default all traffic is allowed. When writing a more restrictive
    policy, it is important to remember to allow flows such as ARP and
    IPv6 neighbor discovery packets in each direction the policy
    restricts; a default-deny rule otherwise breaks address resolution.

    Note that you cannot create an ACL matching on a port with type=router
    or type=localnet.
  action: string, one of allow-related, allow, drop, or reject
    The action to take when the ACL rule matches:

    • allow: Forward the packet.

    • allow-related: Forward the packet and related traffic (e.g. inbound
      replies to an outbound connection).

    • drop: Silently drop the packet.

    • reject: Drop the packet, replying with a RST for TCP or an
      ICMPv4/ICMPv6 unreachable message for other IPv4/IPv6-based
      protocols.
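How the priority, direction, match and action columns combine in practice, as an added example that is not part of the OVN documentation or code base: a small Python model that applies a rule set to packets the way the text above describes (highest-priority matching row wins, a tie is flagged as undefined, no match means allow, outport is invisible to from-lport rules, and return traffic of an allow-related flow is admitted before any ACL is consulted). The match syntax accepted by parse() is a constructed subset of OVN's expression language, and the policy, port names and packets are constructed for the example.

```python
"""Added example, not OVN code: a model of how rows of the ACL table are
applied (highest-priority match wins, no match means allow, allow-related
admits return traffic). Match syntax below is a constructed subset of OVN's."""
import re
from dataclasses import dataclass

# Subset of Logical_Flow match syntax: ( ), &&, ||, field == v, field != v, flags, and 1.
TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|"[^"]*"|[A-Za-z0-9_.:]+)')

def parse(text):
    toks = TOKEN.findall(text)
    if TOKEN.sub("", text).strip():  # anything the tokenizer could not consume
        raise ValueError(f"bad match expression: {text!r}")
    peek = lambda: toks[0] if toks else None
    def factor():
        tok = toks.pop(0)
        if tok == "(":
            node = expr()
            toks.pop(0)  # the closing ")"
            return node
        if peek() in ("==", "!="):
            return (toks.pop(0), tok, toks.pop(0).strip('"'))
        return ("flag", tok)
    def term():  # term := factor (&& factor)*
        node = factor()
        while peek() == "&&":
            toks.pop(0)
            node = ("and", node, factor())
        return node
    def expr():  # expr := term (|| term)*
        node = term()
        while peek() == "||":
            toks.pop(0)
            node = ("or", node, term())
        return node
    node = expr()
    if toks:
        raise ValueError(f"trailing tokens {toks!r}")
    return node

def matches(node, pkt):
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "flag":
        return node[1] == "1" or bool(pkt.get(node[1]))
    present = node[1] in pkt  # absent field: == and != both false, like an OVN prerequisite
    equal = present and str(pkt[node[1]]) == node[2]
    return equal if kind == "==" else present and not equal

@dataclass
class Acl:
    priority: int   # 0..32767, numerically higher wins
    direction: str  # from-lport (ingress pipeline) or to-lport (egress pipeline)
    match: str
    action: str     # allow | allow-related | drop | reject

class Switch:
    def __init__(self, acls):
        self.acls, self.related = acls, set()  # related: connections admitted by allow-related

def winning_rules(sw, pkt, direction):
    """Matching rules at the top priority; more than one means the outcome is undefined."""
    visible = dict(pkt)
    if direction == "from-lport":
        visible.pop("outport", None)  # outport is only available in the to-lport direction
    hits = [a for a in sw.acls if a.direction == direction and matches(parse(a.match), visible)]
    top = max((a.priority for a in hits), default=None)
    return [a for a in hits if a.priority == top]

def decide(sw, pkt, direction):
    """Action applied to pkt in the given pipeline; raises on an undefined tie."""
    conn = tuple(pkt.get(k) for k in ("ip4.src", "ip4.dst", "tcp.src", "tcp.dst"))
    if (conn[1], conn[0], conn[3], conn[2]) in sw.related:
        return "allow"  # return traffic of an allow-related flow cannot be changed by an ACL
    winners = winning_rules(sw, pkt, direction)
    if not winners:
        return "allow"  # no row matches: allowed by default
    if len(winners) > 1:
        raise ValueError(f"{len(winners)} rules tie at priority {winners[0].priority}")
    if winners[0].action == "allow-related":
        sw.related.add(conn)
    return winners[0].action

def demo_policy():
    """Constructed default-deny policy for a switch whose logical port vm1 serves SSH."""
    return Switch([
        Acl(0, "from-lport", "1", "drop"), Acl(0, "to-lport", "1", "drop"),  # default deny
        Acl(100, "from-lport", "arp || nd", "allow"), Acl(100, "to-lport", "arp || nd", "allow"),
        Acl(500, "to-lport", 'outport == "vm1" && ip4', "reject"),
        Acl(1000, "to-lport", 'outport == "vm1" && ip4 && tcp.dst == 22', "allow-related"),
    ])

# Constructed packets: SSH SYN from vm2 to vm1 and its reply.
SSH_SYN = {"inport": "vm2", "outport": "vm1", "ip4": True, "tcp": True, "ip4.src": "10.0.0.2",
           "ip4.dst": "10.0.0.1", "tcp.src": "40000", "tcp.dst": "22"}
SSH_REPLY = {"inport": "vm1", "outport": "vm2", "ip4": True, "tcp": True, "ip4.src": "10.0.0.1",
             "ip4.dst": "10.0.0.2", "tcp.src": "22", "tcp.dst": "40000"}
```

Running decide(demo_policy(), SSH_SYN, "to-lport") returns allow-related, after which the reply leaving vm1 is allowed even though the from-lport pipeline only contains the default-deny and ARP/ND rows; on a fresh Switch the same reply is dropped, which is the failure mode of writing allow instead of allow-related for the inbound rule. Two rows at the same priority both matching make winning_rules() return both, which is the undefined case the priority column warns about.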
  Logging:
    These columns control whether and how OVN logs packets that match an
    ACL.

  log: boolean
    If set to true, packets that match the ACL will trigger a log message
    on the transport node or nodes that perform ACL processing. Logging
    may be combined with any action.

    If set to false, the remaining columns in this group have no
    significance.

  name: optional string, at most 63 characters long
    This name, if it is provided, is included in log records. It provides
    the administrator and the cloud management system a way to associate
    a log record with a particular ACL.
  severity: optional string, one of alert, debug, info, notice, or warning
    The severity of the log messages generated for the ACL. The severity
    levels match those of syslog, in decreasing level of severity: alert,
    warning, notice, info, or debug. When the column is empty, the default
    is info.
  meter: optional string
    The name of a meter to rate-limit log messages for the ACL. The string
    must match the name column of a row in the Meter table. By default,
    log messages are not rate-limited.
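A check of the logging columns against the constraints stated above, as an added example that is not part of the OVN documentation or code base: check_acl() validates a row (priority range, direction and action enumerations, the 63-character name limit, the severity enumeration, the meter reference into the Meter table, and columns that are set while log is false) and nbctl_command() renders the equivalent ovn-nbctl acl-add invocation. The --log, --severity, --meter, --name and --type=port-group options are assumed from ovn-nbctl's command line; the row, switch name and meter name are constructed.

```python
"""Added example, not OVN code: validate an ACL row against the column
constraints of the ACL table and render the matching ovn-nbctl command
(its --log/--severity/--meter/--name/--type options are assumed here)."""
import shlex

DIRECTIONS = ("from-lport", "to-lport")
ACTIONS = ("allow-related", "allow", "drop", "reject")
SEVERITIES = ("alert", "warning", "notice", "info", "debug")  # syslog order, decreasing

def check_acl(row, meter_names):
    """Return the problems found in an ACL row (empty list means valid).
    meter_names is the set of name values present in the Meter table."""
    problems = []
    prio = row.get("priority")
    if not isinstance(prio, int) or not 0 <= prio <= 32767:
        problems.append(f"priority {prio!r} outside 0..32767")
    if row.get("direction") not in DIRECTIONS:
        problems.append(f"direction must be one of {DIRECTIONS}")
    if row.get("action") not in ACTIONS:  # e.g. "deny" is not an action
        problems.append(f"action {row.get('action')!r} must be one of {ACTIONS}")
    if not row.get("match"):
        problems.append("match must be a non-empty expression (1 matches everything)")
    if row.get("log"):
        name, sev, meter = row.get("name"), row.get("severity"), row.get("meter")
        if name is not None and len(name) > 63:
            problems.append(f"name is {len(name)} characters, limit is 63")
        if sev is not None and sev not in SEVERITIES:  # "error"/"crit" are not accepted
            problems.append(f"severity {sev!r} must be one of {SEVERITIES}")
        if meter is not None and meter not in meter_names:
            problems.append(f"meter {meter!r} does not name a row in the Meter table")
    else:
        for col in ("name", "severity", "meter"):
            if row.get(col) is not None:  # OVN ignores these silently; surface the mismatch
                problems.append(f"{col} has no effect while log is false")
    return problems

def nbctl_command(entity, row, port_group=False):
    """Render an equivalent ovn-nbctl acl-add for a row that passed check_acl()."""
    parts = ["ovn-nbctl"]
    if port_group:
        parts.append("--type=port-group")
    if row.get("log"):
        parts.append("--log")
        for col in ("severity", "meter", "name"):
            if row.get(col) is not None:
                parts.append(f"--{col}={shlex.quote(str(row[col]))}")
    parts += ["acl-add", shlex.quote(entity), row["direction"], str(row["priority"]),
              shlex.quote(row["match"]), row["action"]]
    return " ".join(parts)

# Constructed row: log accepted SSH connections to vm1 at notice, rate-limited by a meter.
SSH_LOGGED = {
    "priority": 1000, "direction": "to-lport",
    "match": 'outport == "vm1" && ip4 && tcp.dst == 22', "action": "allow-related",
    "log": True, "name": "ssh-in", "severity": "notice", "meter": "acl-log-meter",
}
```

check_acl(SSH_LOGGED, {"acl-log-meter"}) returns an empty list, and nbctl_command("sw0", SSH_LOGGED) renders the acl-add with the match single-quoted for the shell. The Meter row the meter column names has to exist already, and a severity value such as error, which is valid for syslog but absent from the enumeration above, is reported rather than passed through.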
  Common Columns:

  external_ids: map of string-string pairs
    See External IDs at the beginning of this document.