@@ -435,6 +435,7 @@ ovn_start
# Add all of the vifs to a single logical switch lsw0.
# Turn on port security on all the vifs except vif[123]1.
# Make vif13, vif2[23], vif3[123] destinations for unknown MACs.
+# Add some ACLs for Ethertypes 1234, 1235, 1236.
ovn-nbctl lswitch-add lsw0
net_add n1
for i in 1 2 3; do
@@ -454,6 +455,14 @@ for i in 1 2 3; do
fi
done
done
+ovn-nbctl \
+ -- --id=@acl1 create acl priority=1000 action=drop \
+ match='"eth.type == 0x1234"' \
+ -- --id=@acl2 create acl priority=1000 action=drop \
+ match='"eth.type == 0x1235 && inport == \"lp11\""' \
+ -- --id=@acl3 create acl priority=1000 action=drop \
+ match='"eth.type == 0x1236 && outport == \"lp33\""' \
+ -- set Logical_Switch lsw0 acls=@acl1,@acl2,@acl3
# Pre-populate the hypervisors' ARP tables so that we don't lose any
# packets for ARP resolution (native tunneling doesn't queue packets
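Review bot: Every ACL created by the ovn-nbctl command in this hunk uses `action=drop` at the same `priority=1000`, so nothing in the test exercises an `allow` action or the ordering between overlapping ACLs of different priority; an implementation that inverted the priority comparison, or that dropped on any matching ACL regardless of action, would still pass. Consider adding a fourth ACL with `priority=2000 action=allow` whose match is a strict subset of one of the drops (for example the 0x1235 drop narrowed to a single destination MAC) and having the delivery loop expect that one destination to still receive the frame. That pins both that allow wins over a lower-priority drop and that the drop still applies outside the allowed subset. The ovn-nbctl invocation is complete within this hunk.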
@@ -508,31 +517,46 @@ test_packet() {
#
# 6. The lswitch delivers packets with an unknown destination to lports with
# "unknown" among their MAC addresses (and port security disabled).
+#
+# 7. The lswitch drops unicast packets that violate an ACL.
+#
+# 8. The lswitch drops multicast and broadcast packets that violate an ACL.
for is in 1 2 3; do
for js in 1 2 3; do
s=$is$js
bcast=
unknown=
+ bacl2=
+ bacl3=
for id in 1 2 3; do
for jd in 1 2 3; do
d=$id$jd
- impersonate=
- if test $d != $s; then
- unicast=$d
- bcast="$bcast $d"
- if test $js = 1; then
- impersonate=$d
- fi
- if test $jd = 1; then
- unknown="$unknown $d"
- fi
- else
- unicast=
- fi
+
+ if test $d != $s; then unicast=$d; else unicast=; fi
test_packet $s f000000000$d f000000000$s $s$d $unicast #1
+
+ if test $d != $s && test $js = 1; then
+ impersonate=$d
+ else
+ impersonate=
+ fi
test_packet $s f000000000$d f00000000055 55$d $impersonate #3
+
+ if test $d != $s && test $s != 11; then acl2=$d; else acl2=; fi
+ if test $d != $s && test $d != 33; then acl3=$d; else acl3=; fi
+ test_packet $s f000000000$d f000000000$s 1234 #7, acl1
+ test_packet $s f000000000$d f000000000$s 1235 $acl2 #7, acl2
+ test_packet $s f000000000$d f000000000$s 1236 $acl3 #7, acl3
+
test_packet $s f000000000$d f00000000055 810000091234 #4
test_packet $s f000000000$d 0100000000$s $s$d #5
+
+ if test $d != $s && test $jd = 1; then
+ unknown="$unknown $d"
+ fi
+ bcast="$bcast $unicast"
+ bacl2="$bacl2 $acl2"
+ bacl3="$bacl3 $acl3"
done
done
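Review bot: The VLAN-tagged check kept in this hunk, `test_packet $s f000000000$d f00000000055 810000091234 #4`, sends a frame whose encapsulated Ethertype is 0x1234, which the new acl1 (`eth.type == 0x1234`, unconditional drop) now matches as well. If `eth.type` on a tagged frame resolves to the inner type, as OpenFlow's dl_type does, the frame is dropped by the ACL whether or not VLAN admission still works, so test #4 can no longer detect a regression in VLAN dropping. Give the VLAN test an Ethertype the ACLs do not match, e.g. `test_packet $s f000000000$d f00000000055 810000091237 #4`, or choose ACL Ethertypes that are not reused elsewhere in this test. The enclosing `for is`/`for js` loops close in a later hunk.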
@@ -547,6 +571,13 @@ for is in 1 2 3; do
test_packet $s 010000000000 f00000000044 44ff $bcast_impersonate #3
test_packet $s f0000000ffff f000000000$s ${s}66 $unknown #6
+
+ test_packet $s ffffffffffff f000000000$s 1234 #8, acl1
+ test_packet $s ffffffffffff f000000000$s 1235 $bacl2 #8, acl2
+ test_packet $s ffffffffffff f000000000$s 1236 $bacl3 #8, acl3
+ test_packet $s 010000000000 f000000000$s 1234 #8, acl1
+ test_packet $s 010000000000 f000000000$s 1235 $bacl2 #8, acl2
+ test_packet $s 010000000000 f000000000$s 1236 $bacl3 #8, acl3
done
done
Signed-off-by: Ben Pfaff <blp@nicira.com> --- tests/ovn.at | 57 ++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 44 insertions(+), 13 deletions(-)