From patchwork Wed Nov 4 07:02:40 2020
X-Patchwork-Submitter: Ben Pfaff
X-Patchwork-Id: 1393679
From: Ben Pfaff
To: dev@openvswitch.org
Date: Tue, 3 Nov 2020 23:02:40 -0800
Message-Id: <20201104070246.2847579-7-blp@ovn.org>
In-Reply-To: <20201104070246.2847579-1-blp@ovn.org>
References: <20201104070246.2847579-1-blp@ovn.org>
Cc: Ben Pfaff
Subject: [ovs-dev] [PATCH ovn 06/12] tests: Improve "reject ACL" test.

This makes it more debuggable.

Signed-off-by: Ben Pfaff
--- tests/ovn-northd.at | 67 +++++++++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 23 deletions(-) diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 9e7d8750f8fd..0bf20c1a7053 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -909,14 +909,14 @@ AT_CHECK([ ]) # Stateful FIP with ALLOWED_IPs -ovn-nbctl lr-nat-del DR snat 50.0.0.11 -ovn-nbctl lr-nat-del CR snat 50.0.0.11 +check ovn-nbctl lr-nat-del DR snat 50.0.0.11 +check ovn-nbctl lr-nat-del CR snat 50.0.0.11 -ovn-nbctl lr-nat-add DR dnat_and_snat 172.16.1.2 50.0.0.11 -ovn-nbctl lr-nat-add CR dnat_and_snat 172.16.1.2 50.0.0.11 +check ovn-nbctl lr-nat-add DR dnat_and_snat 172.16.1.2 50.0.0.11 +check ovn-nbctl lr-nat-add CR dnat_and_snat 172.16.1.2 50.0.0.11 -ovn-nbctl lr-nat-update-ext-ip DR dnat_and_snat 172.16.1.2 allowed_range -ovn-nbctl lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 allowed_range +check ovn-nbctl lr-nat-update-ext-ip DR dnat_and_snat 172.16.1.2 allowed_range +check ovn-nbctl lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 allowed_range ovn-nbctl show DR ovn-sbctl dump-flows DR 
@@ -1691,45 +1691,59 @@ AT_CLEANUP AT_SETUP([ovn-northd -- reject ACL]) ovn_start -ovn-nbctl ls-add sw0 -ovn-nbctl lsp-add sw0 sw0-p1 +check ovn-nbctl ls-add sw0 +check ovn-nbctl lsp-add sw0 sw0-p1 -ovn-nbctl ls-add sw1 -ovn-nbctl lsp-add sw1 sw1-p1 +check ovn-nbctl ls-add sw1 +check ovn-nbctl lsp-add sw1 sw1-p1 + +check ovn-nbctl pg-add pg0 sw0-p1 sw1-p1 +check ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4 && tcp && tcp.dst == 80" reject +check ovn-nbctl acl-add pg0 to-lport 1003 "outport == @pg0 && ip6 && udp" reject + +check ovn-nbctl --wait=hv sync -ovn-nbctl pg-add pg0 sw0-p1 sw1-p1 -ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4 && tcp && tcp.dst == 80" reject -ovn-nbctl acl-add pg0 to-lport 1003 "outport == @pg0 && ip6 && udp" reject +AS_BOX([1]) -ovn-nbctl --wait=hv sync +ovn-sbctl dump-flows sw0 > sw0flows +AT_CAPTURE_FILE([sw0flows]) +ovn-sbctl dump-flows sw1 > sw1flows +AT_CAPTURE_FILE([sw1flows]) -AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl +AT_CHECK([grep "ls_in_acl" sw0flows | grep pg0 | sort], [0], [dnl table=7 (ls_in_acl ), priority=2002 , dnl match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) ]) -AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl +AT_CHECK([grep "ls_in_acl" sw1flows | grep pg0 | sort], [0], [dnl table=7 (ls_in_acl ), priority=2002 , dnl match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) ]) -AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl +AT_CHECK([grep "ls_out_acl" sw0flows | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2003 , dnl match=(outport == @pg0 && ip6 && udp), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) -AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl +AT_CHECK([grep "ls_out_acl" sw1flows | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2003 , dnl match=(outport == @pg0 && ip6 && udp), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) -ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject +AS_BOX([2]) -AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl +ovn-nbctl --wait=sb acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject + +ovn-sbctl dump-flows sw0 > sw0flows2 +AT_CAPTURE_FILE([sw0flows2]) +ovn-sbctl dump-flows sw1 > sw1flows2 +AT_CAPTURE_FILE([sw1flows2]) + +AT_CHECK([grep "ls_out_acl" sw0flows2 | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2002 , dnl match=(outport == @pg0 && ip4 && udp), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) 
@@ -1738,7 +1752,7 @@ match=(outport == @pg0 && ip6 && udp), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) -AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl +AT_CHECK([grep "ls_out_acl" sw1flows2 | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2002 , dnl match=(outport == @pg0 && ip4 && udp), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) @@ -1747,9 +1761,16 @@ match=(outport == @pg0 && ip6 && udp), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) +AS_BOX([3]) + ovn-nbctl --wait=sb acl-add pg0 to-lport 1001 "outport == @pg0 && ip" allow-related -AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl +ovn-sbctl dump-flows sw0 > sw0flows3 +AT_CAPTURE_FILE([sw0flows3]) +ovn-sbctl dump-flows sw1 > sw1flows3 +AT_CAPTURE_FILE([sw1flows3]) + +AT_CHECK([grep "ls_out_acl" sw0flows3 | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2001 , dnl match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) table=5 (ls_out_acl ), priority=2001 , dnl @@ -1768,7 +1789,7 @@ match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) -AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl +AT_CHECK([grep "ls_out_acl" sw1flows3 | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2001 , dnl match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) table=5 (ls_out_acl ), priority=2001 , dnl
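Review bot: The first hunk (@@ -909, under "# Stateful FIP with ALLOWED_IPs") falls outside the test named in the subject line; the "reject ACL" test only starts at AT_SETUP([ovn-northd -- reject ACL]) in the @@ -1691 hunk. Either say in the commit message that the lr-nat-del, lr-nat-add and lr-nat-update-ext-ip calls in the NAT test also gain check, or move this hunk into its own patch so the history matches the subject.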
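Review bot: In the @@ -1691 hunk, the acl-add added under AS_BOX([2]) is the one new ovn-nbctl call left without check: `ovn-nbctl --wait=sb acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject`. Every other setup command in this hunk gains check, so a failure at this step would only show up indirectly as a flow mismatch in the AT_CHECK that follows; suggest prefixing it with check as well. The same line also gains --wait=sb, which the removed line did not have. That changes synchronization with the southbound database rather than debuggability, so it deserves a sentence in the commit message.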
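Review bot: AS_BOX([3]) in the @@ -1747 hunk, like AS_BOX([1]) and AS_BOX([2]) in the @@ -1691 hunk, labels the step with a bare number, which tells a reader of the test log little about what is being exercised. A short description of each step would serve the stated debuggability goal better, for example naming the ACL added at that point (here the allow-related ACL at priority 1001). The unchanged `ovn-nbctl --wait=sb acl-add pg0 to-lport 1001 ...` line directly below the box could also take check, for consistency with the commands converted elsewhere in the patch.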