Implementing logical network security on a hardware switch

US2019141011A1 · US · A1

Patent metadata

Publication number: US-2019141011-A1
Application number: US-201916240654-A
Country: US
Kind code: A1 (pre-grant publication of a patent application)
Filing date: Jan 4, 2019
Priority date: Jun 29, 2016
Publication date: May 9, 2019
Grant date: not listed on this page


Abstract

Official abstract text for this publication.

Some embodiments provide a method for applying a security policy defined for a logical network to an MHFE that integrates physical workloads (e.g., physical machines connected to the MHFE) with the logical network. The method applies the security policy to the MHFE by generating a set of ACL rules based on the security policy's definition and configuring the MHFE to apply the ACL rules on the network traffic that is forwarded to and/or from the physical machines. In order to configure an MHFE to implement the different LFEs of a logical network, some embodiments propagate an open source database stored on the MHFE, using an open source protocol. Some embodiments propagate a particular table of the database such that each record of the table creates an association between a port of an LFE stored in a logical forwarding table and one or more ACL rules stored in an ACL table.

Claims

Claims 1-20 are canceled; claims 21-40 are reproduced below.

21. A method for configuring a managed hardware forwarding element (MHFE) to implement a security policy associated with a logical switch of a logical network, the method comprising: receiving a security policy comprising at least one security rule for a physical machine connected to a physical port of the MHFE; and populating (i) a physical port table stored on the MHFE with physical port data that maps the physical port of the MHFE to the logical switch of the logical network, (ii) an access control list (ACL) table stored on the MHFE with ACL rules data generated based on the at least one security rule, and (iii) a linking table stored on the MHFE with linking data that links the set of ACL rules in the ACL table to the physical port data in the physical port table, wherein the MHFE uses the physical port table, access control list table, and linking table to apply the at least one security rule to logical network traffic processed by the MHFE.

22. The method of claim 21, wherein a particular security rule comprises a field that specifies that the rule is applied for a logical switch to which the physical machine is logically connected.

23. The method of claim 22, wherein the logical switch comprises a logical port to which the physical machine is logically connected and the logical port maps to a particular physical port of the MHFE.

24. The method of claim 21, wherein a set of the security rules comprise firewall rules that are applied to logical network traffic in a distributed manner by a logical firewall that comprises a plurality of firewall instances instantiated on a plurality of host computers on which data compute nodes attached to the logical network execute.

25. The method of claim 21, wherein a particular security rule comprises a security group as one of a source address and a destination address, the security group comprising a plurality of data compute nodes attached to the logical network that share a common property.

26. The method of claim 21, wherein populating the physical port table, ACL table, and linking table comprises distributing the physical port data, ACL rules data, and linking data to the MHFE using an open source protocol that is recognizable and used by the MHFE.

27. The method of claim 21, wherein the MHFE determines security rules to apply to a logical network packet received from the physical machine by (i) mapping the physical port at which the packet is received to the logical switch and to an entry of the linking table using the physical port table and (ii) using the linking table entry to identify a set of one or more ACL table entries storing rules data for rules to apply to the packet.

28. The method of claim 27, wherein the MHFE applies the security rules to the packet by using the rules data stored in the identified set of ACL table entries.

29. The method of claim 21, wherein a particular entry in the ACL rules table specifies at least one of a source layer 2 address and a destination layer 2 address for packets to which the particular entry applies.

30. The method of claim 21, wherein each entry in the ACL rules table specifies (i) a set of conditions of packets to which the entry applies and (ii) an action for the MHFE to take on packets to which the entry applies.

31. A non-transitory machine-readable medium storing a program which when executed by at least one processing unit configures a managed hardware forwarding element (MHFE) to implement a security policy associated with a logical switch of a logical network, the program comprising sets of instructions for: receiving a security policy comprising at least one security rule for a physical machine connected to a physical port of the MHFE; and populating (i) a physical port table stored on the MHFE with physical port data that maps the physical port of the MHFE to the logical switch of the logical network, (ii) an access control list (ACL) table stored on the MHFE with ACL rules data generated based on the at least one security rule, and (iii) a linking table stored on the MHFE with linking data that links the set of ACL rules in the ACL table to the physical port data in the physical port table, wherein the MHFE uses the physical port table, access control list table, and linking table to apply the at least one security rule to logical network traffic processed by the MHFE.

32. The non-transitory machine-readable medium of claim 31, wherein a particular security rule comprises a field that specifies that the rule is applied for a logical switch to which the physical machine is logically connected.

33. The non-transitory machine-readable medium of claim 32, wherein the logical switch comprises a logical port to which the physical machine is logically connected and the logical port maps to a particular physical port of the MHFE.

34. The non-transitory machine-readable medium of claim 31, wherein a set of the security rules comprise firewall rules that are applied to logical network traffic in a distributed manner by a logical firewall that comprises a plurality of firewall instances instantiated on a plurality of host computers on which data compute nodes attached to the logical network execute.

35. The non-transitory machine-readable medium of claim 31, wherein a particular security rule comprises a security group as one of a source address and a destination address, the security group comprising a plurality of data compute nodes attached to the logical network that share a common property.

36. The non-transitory machine-readable medium of claim 31, wherein the set of instructions for populating the physical port table, ACL table, and linking table comprises a set of instructions for distributing the physical port data, ACL rules data, and linking data to the MHFE using an open source protocol that is recognizable and used by the MHFE.

37. The non-transitory machine-readable medium of claim 31, wherein the MHFE determines security rules to apply to a logical network packet received from the physical machine by (i) mapping the physical port at which the packet is received to the logical switch and to an entry of the linking table using the physical port table and (ii) using the linking table entry to identify a set of one or more ACL table entries storing rules data for rules to apply to the packet.

38. The non-transitory machine-readable medium of claim 37, wherein the MHFE applies the security rules to the packet by using the rules data stored in the identified set of ACL table entries.

39. The non-transitory machine-readable medium of claim 31, wherein a particular entry in the ACL rules table specifies at least one of a source layer 2 address and a destination layer 2 address for packets to which the particular entry applies.

40. The non-transitory machine-readable medium of claim 31, wherein each entry in the ACL rules table specifies (i) a set of conditions of packets to which the entry applies and (ii) an action for the MHFE to take on packets to which the entry applies.
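The three-table scheme of claims 21 and 27 to 30, as an added Python model; this is not code from the patent, from Nicira, or from any switch vendor. It assumes a first-match-wins ordering of linked ACL entries, a default-deny result when no entry matches, and a drop for packets arriving on a port not bound to any logical switch; the patent text states none of these. Security groups (claim 25) are expanded at compile time into one ACL entry per member pair. The page does not name the database or protocol used to push the tables, so they are plain dictionaries here. All MAC addresses, port names, switch names and group names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ANY = "any"  # wildcard address in a policy rule


@dataclass(frozen=True)
class SecurityRule:
    """One rule of the received security policy (claims 21, 22 and 25)."""
    logical_switch: str  # claim 22: the logical switch the rule is applied for
    src: str             # L2 address, ANY, or "sg:<name>" for a security group
    dst: str
    action: str          # "allow" or "drop"


@dataclass(frozen=True)
class AclEntry:
    """One ACL table row: L2 match conditions plus an action (claims 29 and 30)."""
    src_mac: Optional[str]  # None is a wildcard
    dst_mac: Optional[str]
    action: str


@dataclass
class MHFE:
    """The three tables claim 21 populates on the hardware switch."""
    physical_port_table: Dict[str, str] = field(default_factory=dict)  # port -> logical switch
    acl_table: Dict[int, AclEntry] = field(default_factory=dict)       # acl id -> entry
    linking_table: Dict[str, List[int]] = field(default_factory=dict)  # port -> ordered acl ids


def expand_address(addr: str, groups: Dict[str, Set[str]]) -> List[Optional[str]]:
    """Resolve a policy address to concrete L2 addresses. A security group
    (claim 25) is expanded to its members when the tables are generated."""
    if addr == ANY:
        return [None]
    if addr.startswith("sg:"):
        members = groups.get(addr[3:])
        if not members:
            raise ValueError(f"unknown or empty security group {addr!r}")
        return sorted(members)
    return [addr]


def compile_rules(policy: List[SecurityRule], logical_switch: str,
                  groups: Dict[str, Set[str]]) -> List[AclEntry]:
    """Generate ACL entries for the rules scoped to one logical switch (claim 22)."""
    entries: List[AclEntry] = []
    for rule in policy:
        if rule.logical_switch != logical_switch:
            continue
        for s in expand_address(rule.src, groups):
            for d in expand_address(rule.dst, groups):
                entries.append(AclEntry(s, d, rule.action))
    return entries


def configure_mhfe(mhfe: MHFE, port_bindings: Dict[str, str],
                   policy: List[SecurityRule], groups: Dict[str, Set[str]]) -> None:
    """Populate the physical port, ACL and linking tables (claim 21 (i)-(iii))."""
    for port, ls in port_bindings.items():
        mhfe.physical_port_table[port] = ls
        acl_ids: List[int] = []
        for entry in compile_rules(policy, ls, groups):
            acl_id = len(mhfe.acl_table)
            mhfe.acl_table[acl_id] = entry
            acl_ids.append(acl_id)
        mhfe.linking_table[port] = acl_ids


def apply_policy(mhfe: MHFE, in_port: str, src_mac: str, dst_mac: str) -> str:
    """Data-path lookup of claims 27 and 28: physical port -> logical switch and
    linking entry, then the linked ACL entries. The defaults are assumptions."""
    if in_port not in mhfe.physical_port_table:
        return "drop"  # assumption: a port not bound to the logical network fails closed
    for acl_id in mhfe.linking_table.get(in_port, []):
        e = mhfe.acl_table[acl_id]
        src_ok = e.src_mac is None or e.src_mac == src_mac
        dst_ok = e.dst_mac is None or e.dst_mac == dst_mac
        if src_ok and dst_ok:
            return e.action  # assumption: first matching entry wins
    return "drop"  # assumption: default deny when no entry matches


# Constructed sample data: a physical machine on eth1 attached to logical switch ls-app.
PM_MAC = "00:aa:bb:cc:dd:ee"
GROUPS: Dict[str, Set[str]] = {"web-tier": {"00:11:22:33:44:02", "00:11:22:33:44:01"}}
POLICY = [
    SecurityRule("ls-app", PM_MAC, "sg:web-tier", "allow"),
    SecurityRule("ls-app", PM_MAC, ANY, "drop"),
    SecurityRule("ls-other", ANY, ANY, "allow"),
]
PORT_BINDINGS = {"eth1": "ls-app", "eth2": "ls-other"}


def build_switch() -> MHFE:
    """Controller side: push the compiled policy into a fresh MHFE."""
    mhfe = MHFE()
    configure_mhfe(mhfe, PORT_BINDINGS, POLICY, GROUPS)
    return mhfe


if __name__ == "__main__":
    sw = build_switch()
    for port, src, dst in [("eth1", PM_MAC, "00:11:22:33:44:01"),
                           ("eth1", PM_MAC, "00:11:22:33:44:77"),
                           ("eth3", PM_MAC, "00:11:22:33:44:01")]:
        print(port, src, "->", dst, apply_policy(sw, port, src, dst))
```

Two checks worth running against a real deployment of this scheme: the expansion in compile_rules multiplies, so a rule between two groups of n and m members costs n*m ACL entries of switch TCAM, and because group membership is resolved when the tables are generated, a change to a security group is not enforced on the physical port until the ACL and linking tables are regenerated and pushed to the switch again.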

Assignees

Nicira Inc
Inventors

Classifications (CPC)

  • H04L63/0236 (primary) · Filtering by address, protocol, port number or service, e.g. IP-address or URL

  • For managing network security; network security policies in general (filtering policies: H04L63/0227)

  • Rule management

  • Access control lists [ACL]

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2019141011A1 cover?
Some embodiments provide a method for applying a security policy defined for a logical network to an MHFE that integrates physical workloads (e.g., physical machines connected to the MHFE) with the logical network. The method applies the security policy to the MHFE by generating a set of ACL rules based on the security policy's definition and configuring the MHFE to apply the ACL rules on the n…
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0236. Mapped technology area: Electricity (CPC section H).
When was this patent published?
Publication date May 9, 2019 (kind code A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).