Audit ACLs
OVN ACLs are ordered by priority, and a higher-priority rule that already matches all traffic makes a lower-priority rule unreachable. Northwatch's ACL audit finds these shadowed and conflicting rules so you can spot dead security policy.
The audit is part of the debug capability, on by default.
Run the audit
curl -s http://localhost:8080/api/v1/debug/acl-auditThe result enumerates ACLs with their priority, direction, match and action, and flags rules that can never match because a higher-priority rule shadows them.
Browse the raw ACL state
To inspect ACLs, port groups and address sets directly:
curl -s http://localhost:8080/api/v1/nb/acls
curl -s http://localhost:8080/api/v1/nb/port-groups
curl -s http://localhost:8080/api/v1/nb/address-setsWith OpenStack enrichment on, a port group maps to a security group and an address set maps to a security-group remote reference, so the audit reads in terms of your tenant's security groups. See Enrich with OpenStack.
Search for a specific rule
To find every ACL whose match references an IP or address set, use Omnisearch:
curl -s 'http://localhost:8080/api/v1/search?q=10.0.0.0/24'