| Message ID | 1462410066-41547-3-git-send-email-joe@ovn.org |
|---|---|
| State | Deferred |
With some questions for clarification below,

Acked-by: Jarno Rajahalme <jarno@ovn.org>

> On May 4, 2016, at 6:01 PM, Joe Stringer <joe@ovn.org> wrote:
>
> A few of the earlier tests were written with all flows in a single flat
> table. While this is a possible way to write your flows to use
> connection tracking, it's easier to understand if the processing
> proceeds forward from one table to the next. Update these tests.
>
> Signed-off-by: Joe Stringer <joe@ovn.org>
> ---
> tests/system-traffic.at | 65 ++++++++++++++++++++++++++-----------------------
> 1 file changed, 35 insertions(+), 30 deletions(-)
>
> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index 49426eb36c2a..a5ec11775a7b 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -1155,27 +1155,29 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > > dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. > AT_DATA([flows1.txt], [dnl > -priority=1,action=drop > -priority=10,arp,action=normal > -priority=10,icmp,action=normal > -priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 > -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) > -priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 > -priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1 > +table=0,priority=1,action=drop > +table=0,priority=10,arp,action=normal > +table=0,priority=10,icmp,action=normal > +table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 > +table=0,priority=100,in_port=2,tcp,action=ct(table=1) > +table=1,priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 > +table=1,priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1

I don't think this makes a difference for the test, but should there be an explicit lower-priority drop rule in table 1, or are we relying on the used OpenFlow version to do it? Otherwise we can drop the priorities in table 1 as all the rules have the same priority. Same for the later cases too.

> ]) > > dnl Similar policy but without allowing all traffic from ns0->ns1.
> AT_DATA([flows2.txt], [dnl > -priority=1,action=drop > -priority=10,arp,action=normal > -priority=10,icmp,action=normal > -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0) > -priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 > -priority=100,in_port=1,tcp,ct_state=+trk+est,action=2 > -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) > -priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 > -priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 > -priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1 > +table=0,priority=1,action=drop > +table=0,priority=10,arp,action=normal > +table=0,priority=10,icmp,action=normal > + > +table=0,priority=100,in_port=1,tcp,action=ct(table=1) > +table=1,priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 > +table=1,priority=100,in_port=1,tcp,ct_state=+trk+est,action=2 > + > +table=0,priority=100,in_port=2,tcp,action=ct(table=1) > +table=1,priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 > +table=1,priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 > +table=1,priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1 > ]) > > AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt]) 
> @@ -1287,19 +1289,22 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > > dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1. > AT_DATA([flows.txt], [dnl > -priority=1,action=drop > -priority=10,arp,action=normal > -priority=10,icmp,action=normal > -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1) > -priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 > -priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2) > -priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2) > -priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 > -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2) > -priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 > -priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1) > -priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 > -priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 > +table=0,priority=1,action=drop > +table=0,priority=10,arp,action=normal > +table=0,priority=10,icmp,action=normal > + > +dnl Traffic from ns1 > +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1,alg=ftp)

I see you added helper setting here, but not in the previous test case. Does this change make a difference?

> +table=1,priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 > +table=1,priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,alg=ftp,zone=2) > +table=2,priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 > + > +dnl Traffic from ns2 > +table=0,priority=100,in_port=2,tcp,action=ct(table=1,alg=ftp,zone=2)

Same here.

> +table=1,priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 > +table=1,priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,alg=ftp,zone=1)

And here. I did not think that you could attach or remove a helper at this stage?

> +table=2,priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 > +table=2,priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 > ]) > > AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > -- > 2.1.4 >
On 5 May 2016 at 13:03, Jarno Rajahalme <jarno@ovn.org> wrote:
> With some questions for clarification below,
>
> Acked-by: Jarno Rajahalme <jarno@ovn.org>

Thanks for the review. I think I'll hold back this patch for another round, due to the feedback here and a bug that I'm fixing upstream.

>> On May 4, 2016, at 6:01 PM, Joe Stringer <joe@ovn.org> wrote:
>>
>> A few of the earlier tests were written with all flows in a single flat
>> table. While this is a possible way to write your flows to use
>> connection tracking, it's easier to understand if the processing
>> proceeds forward from one table to the next. Update these tests.
>>
>> Signed-off-by: Joe Stringer <joe@ovn.org>
>> ---
>> tests/system-traffic.at | 65 ++++++++++++++++++++++++++-----------------------
>> 1 file changed, 35 insertions(+), 30 deletions(-)
>>
>> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
>> index 49426eb36c2a..a5ec11775a7b 100644
>> --- a/tests/system-traffic.at
>> +++ b/tests/system-traffic.at
>> @@ -1155,27 +1155,29 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") >> >> dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. >> AT_DATA([flows1.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=10,icmp,action=normal >> -priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 >> -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) >> -priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 >> -priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1 >> +table=0,priority=1,action=drop >> +table=0,priority=10,arp,action=normal >> +table=0,priority=10,icmp,action=normal >> +table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 >> +table=0,priority=100,in_port=2,tcp,action=ct(table=1) >> +table=1,priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 >> +table=1,priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
>
> I don't think this makes a difference for the test, but should there be an explicit lower-priority drop rule in table 1, or are we relying on the used OpenFlow version to do it? Otherwise we can drop the priorities in table 1 as all the rules have the same priority. Same for the later cases too.

If you don't configure a flow for it, then it should be implicitly dropped. I think we should set fail-mode to secure for these tests as well, so there's guaranteed no default "normal" rule. Definitely the priorities can be omitted for those tables, I'll do that.

>> ]) >> >> dnl Similar policy but without allowing all traffic from ns0->ns1.
>> AT_DATA([flows2.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=10,icmp,action=normal >> -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0) >> -priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 >> -priority=100,in_port=1,tcp,ct_state=+trk+est,action=2 >> -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) >> -priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 >> -priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 >> -priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1 >> +table=0,priority=1,action=drop >> +table=0,priority=10,arp,action=normal >> +table=0,priority=10,icmp,action=normal >> + >> +table=0,priority=100,in_port=1,tcp,action=ct(table=1) >> +table=1,priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 >> +table=1,priority=100,in_port=1,tcp,ct_state=+trk+est,action=2 >> + >> +table=0,priority=100,in_port=2,tcp,action=ct(table=1) >> +table=1,priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 >> +table=1,priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 >> +table=1,priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1 >> ]) >> >> AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt]) 
>> @@ -1287,19 +1289,22 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") >> >> dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1. >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=10,icmp,action=normal >> -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1) >> -priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 >> -priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2) >> -priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2) >> -priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 >> -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2) >> -priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 >> -priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1) >> -priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 >> -priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 >> +table=0,priority=1,action=drop >> +table=0,priority=10,arp,action=normal >> +table=0,priority=10,icmp,action=normal >> + >> +dnl Traffic from ns1 >> +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1,alg=ftp)
>
> I see you added helper setting here, but not in the previous test case. Does this change make a difference?

It turns out that it does, this was a bit careless of me - and it points towards an upstream issue.

>> +table=1,priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 >> +table=1,priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,alg=ftp,zone=2) >> +table=2,priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 >> + >> +dnl Traffic from ns2 >> +table=0,priority=100,in_port=2,tcp,action=ct(table=1,alg=ftp,zone=2)
>
> Same here.
>
>> +table=1,priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 >> +table=1,priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,alg=ftp,zone=1)
>
> And here. I did not think that you could attach or remove a helper at this stage?

Right, you can't attach helpers to established connections.

>> +table=2,priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 >> +table=2,priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 >> ]) >> >> AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) >> -- >> 2.1.4 >> >
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 49426eb36c2a..a5ec11775a7b 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -1155,27 +1155,29 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. AT_DATA([flows1.txt], [dnl -priority=1,action=drop -priority=10,arp,action=normal -priority=10,icmp,action=normal -priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) -priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 -priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1 +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal +table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1 ]) dnl Similar policy but without allowing all traffic from ns0->ns1. AT_DATA([flows2.txt], [dnl -priority=1,action=drop -priority=10,arp,action=normal -priority=10,icmp,action=normal -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0) -priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 -priority=100,in_port=1,tcp,ct_state=+trk+est,action=2 -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) -priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 -priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 -priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1 +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal + +table=0,priority=100,in_port=1,tcp,action=ct(table=1) +table=1,priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 +table=1,priority=100,in_port=1,tcp,ct_state=+trk+est,action=2 + +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 +table=1,priority=100,in_port=2,tcp,ct_state=+trk+est,action=1 
+table=1,priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1 ]) AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt]) 
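Review bot: the refactored flows2.txt recirculates in_port=1 traffic with a bare `ct(table=1)` while the table 1 `+trk+new` rule commits with `alg=ftp`, whereas the dual-firewall hunk later in this patch performs the same first lookup as `ct(table=1,zone=1,alg=ftp)`; the two tests now disagree on where the FTP helper is named and the commit message does not say the difference is intentional, so use one form in both files or explain the difference in a `dnl` comment. Separately, table 1 in flows1.txt holds only the `+trk+est` and `+trk+rel` entries, so a `+trk+new` TCP packet from in_port=2 reaches table 1 with no matching flow and is left to the table-miss behaviour rather than to the policy written in the file; an explicit `table=1,priority=1,action=drop`, mirroring the table 0 catch-all, keeps the drop visible in the test and makes the `priority=100` on the remaining table 1 rules redundant. The unchanged context comment `Only allow nd, return traffic from ns1->ns0` also reads as a truncated word and is worth fixing while this block is being touched.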
@@ -1287,19 +1289,22 @@ ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1. AT_DATA([flows.txt], [dnl -priority=1,action=drop -priority=10,arp,action=normal -priority=10,icmp,action=normal -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1) -priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 -priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2) -priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2) -priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2) -priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 -priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1) -priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 -priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal + +dnl Traffic from ns1 +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1,alg=ftp) +table=1,priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 +table=1,priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,alg=ftp,zone=2) +table=2,priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 + +dnl Traffic from ns2 +table=0,priority=100,in_port=2,tcp,action=ct(table=1,alg=ftp,zone=2) +table=1,priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 +table=1,priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,alg=ftp,zone=1) 
+table=2,priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 +table=2,priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 ]) AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
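Review bot: `alg=ftp` on the two `+trk+est` rules (`ct(table=2,alg=ftp,zone=2)` in the ns1 direction and `ct(table=2,alg=ftp,zone=1)` in the ns2 direction) is attached to a lookup of a connection that was already committed by the table 1 `+trk+new` / `+trk+rel` rules, and the reply above confirms a helper cannot be attached to an established connection, so the keyword has no effect there and only suggests per-packet helper changes that do not happen; drop it from the `+trk+est` rules and keep it on the initial `ct(table=1,...)` lookups and the `ct(commit,...)` actions. Minor: the two table 0 rules spell the same action as `ct(table=1,zone=1,alg=ftp)` and `ct(table=1,alg=ftp,zone=2)`; one key order makes the two directions easier to compare. The removed `in_port=1,ct_zone=2,ct_state=+trk+new` commit rule has no replacement, which works because the zone 1 `+trk+new` rule now commits to both zones in one pass, but a `dnl` line saying so would spare the next reader the old-versus-new comparison.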
A few of the earlier tests were written with all flows in a single flat
table. While this is a possible way to write your flows to use
connection tracking, it's easier to understand if the processing
proceeds forward from one table to the next. Update these tests.

Signed-off-by: Joe Stringer <joe@ovn.org>
---
 tests/system-traffic.at | 65 ++++++++++++++++++++++++++-----------------------
 1 file changed, 35 insertions(+), 30 deletions(-)