From patchwork Mon Apr 25 11:17:23 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: =?utf-8?q?Adri=C3=A1n_Moreno?=
X-Patchwork-Id: 1621879
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
dkim=fail reason="signature verification failed" (1024-bit key;
unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
header.s=mimecast20190719 header.b=ELsxT+0N;
dkim-atps=neutral
Authentication-Results: ozlabs.org;
spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org
(client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;
envelope-from=ovs-dev-bounces@openvswitch.org; receiver=)
Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
SHA256)
(No client certificate requested)
by bilbo.ozlabs.org (Postfix) with ESMTPS id 4Kn2YN5rB0z9s0B
for ; Mon, 25 Apr 2022 21:17:44 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 5432160BDD;
Mon, 25 Apr 2022 11:17:42 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id qsofvJlLCLh8; Mon, 25 Apr 2022 11:17:39 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
by smtp3.osuosl.org (Postfix) with ESMTPS id 5B50A60D4E;
Mon, 25 Apr 2022 11:17:38 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
by lists.linuxfoundation.org (Postfix) with ESMTP id 8DD15C0084;
Mon, 25 Apr 2022 11:17:37 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
by lists.linuxfoundation.org (Postfix) with ESMTP id CB65BC002D
for ; Mon, 25 Apr 2022 11:17:35 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id AB0E2409D3
for ; Mon, 25 Apr 2022 11:17:35 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Authentication-Results: smtp4.osuosl.org (amavisd-new);
dkim=pass (1024-bit key) header.d=redhat.com
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 0cBR_UFgAU1i for ;
Mon, 25 Apr 2022 11:17:34 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.129.124])
by smtp4.osuosl.org (Postfix) with ESMTPS id 7335840991
for ; Mon, 25 Apr 2022 11:17:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1650885452;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=OEU4q6kkE4gKu39nSxri1lxqj0jo4EUGssHuzvzeYjk=;
b=ELsxT+0NxFweeCZUtGWn7w7mmDDNPXQr7SR5gbL3xBVTzqlsEmG0FjtX2ZFzP0XkdbwYhZ
l1wH98L0zrebbib+lqs88PA31FAm9IqVCtsVcCvfPizbtKQFgpFDHwgi2kiVQX6UXpPtDj
5z16UQ9oJ2oGlpDUhktWLRKceswTmHg=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
[66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
(version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
us-mta-563-rCcfSdJtPpqv8FiyVu7K_A-1; Mon, 25 Apr 2022 07:17:30 -0400
X-MC-Unique: rCcfSdJtPpqv8FiyVu7K_A-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com
[10.11.54.7])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5A1F0800882
for ; Mon, 25 Apr 2022 11:17:30 +0000 (UTC)
Received: from amorenoz.users.ipa.redhat.com (unknown [10.39.194.136])
by smtp.corp.redhat.com (Postfix) with ESMTP id 4721B145BA66;
Mon, 25 Apr 2022 11:17:29 +0000 (UTC)
From: Adrian Moreno
To: dev@openvswitch.org
Date: Mon, 25 Apr 2022 13:17:23 +0200
Message-Id: <20220425111724.2981776-3-amorenoz@redhat.com>
In-Reply-To: <20220425111724.2981776-1-amorenoz@redhat.com>
References: <20220425111724.2981776-1-amorenoz@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=amorenoz@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Cc: trozet@redhat.com, dceara@redhat.com
Subject: [ovs-dev] [RFC PATCH ovn 2/3] northd: add drop_debugging option
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev"
When enabled, a default action to explicitly drop all packets is added
to those stages that currently don't have a default action.
Signed-off-by: Adrian Moreno
---
northd/automake.mk | 2 +
northd/debug.c | 35 +++++++++++++
northd/debug.h | 35 +++++++++++++
northd/northd.c | 124 ++++++++++++++++++++++++++++++---------------
ovn-nb.xml | 8 +++
tests/ovn.at | 2 +-
6 files changed, 164 insertions(+), 42 deletions(-)
create mode 100644 northd/debug.c
create mode 100644 northd/debug.h
diff --git a/northd/automake.mk b/northd/automake.mk
index 4862ec7b7..7537c00b5 100644
--- a/northd/automake.mk
+++ b/northd/automake.mk
@@ -1,6 +1,8 @@
# ovn-northd
bin_PROGRAMS += northd/ovn-northd
northd_ovn_northd_SOURCES = \
+ northd/debug.c \
+ northd/debug.h \
northd/northd.c \
northd/northd.h \
northd/ovn-northd.c \
diff --git a/northd/debug.c b/northd/debug.c
new file mode 100644
index 000000000..5dc40e8ce
--- /dev/null
+++ b/northd/debug.c
@@ -0,0 +1,35 @@
+#include
+
+#include
+
+#include "debug.h"
+
+#include "smap.h"
+
+static struct debug_config config;
+
+void
+init_debug_config(const struct nbrec_nb_global *nb)
+{
+
+ const struct smap *options = &nb->options;
+ config.enabled = smap_get_bool(options, "debug_drop_mode", false);
+}
+
+bool
+debug_enabled(void)
+{
+ return config.enabled;
+}
+
+const char *
+debug_drop_action(void)
+{
+ return "drop;";
+}
+
+const char *
+debug_implicit_drop_action(void)
+{
+ return "/* drop */";
+}
diff --git a/northd/debug.h b/northd/debug.h
new file mode 100644
index 000000000..0e83b4ca2
--- /dev/null
+++ b/northd/debug.h
@@ -0,0 +1,35 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef NORTHD_DEBUG_H
+#define NORTHD_DEBUG_H 1
+
+#include
+#include
+
+#include "lib/ovn-nb-idl.h"
+
+struct debug_config {
+ bool enabled;
+};
+
+void init_debug_config(const struct nbrec_nb_global *nb);
+
+bool debug_enabled(void);
+
+const char *debug_drop_action(void);
+const char *debug_implicit_drop_action(void);
+const char *debug_reject_action(void);
+
+#endif /* NORTHD_DEBUG_H */
diff --git a/northd/northd.c b/northd/northd.c
index bcd36bbaa..56d16d719 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -17,6 +17,7 @@
#include
#include
+#include "debug.h"
#include "bitmap.h"
#include "dirs.h"
#include "ipam.h"
@@ -3739,7 +3740,7 @@ build_lb_vip_actions(struct ovn_lb_vip *lb_vip,
if (!n_active_backends) {
if (!lb_vip->empty_backend_rej) {
ds_clear(action);
- ds_put_cstr(action, "drop;");
+ ds_put_cstr(action, debug_drop_action());
skip_hash_fields = true;
} else {
reject = true;
@@ -4839,6 +4840,18 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct ovn_datapath *od,
io_port, ctrl_meter, stage_hint, where, hash);
}
+static void
+__ovn_lflow_add_default_drop(struct hmap *lflow_map,
+ struct ovn_datapath *od,
+ enum ovn_stage stage,
+ const char *where)
+{
+ if (OVS_UNLIKELY(debug_enabled())) {
+ ovn_lflow_add_at(lflow_map, od, stage, 0, "1", debug_drop_action(),
+ NULL, NULL, NULL, where );
+ }
+}
+
/* Adds a row with the specified contents to the Logical_Flow table. */
#define ovn_lflow_add_with_hint__(LFLOW_MAP, OD, STAGE, PRIORITY, MATCH, \
ACTIONS, IN_OUT_PORT, CTRL_METER, \
@@ -4851,6 +4864,10 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct ovn_datapath *od,
ovn_lflow_add_at(LFLOW_MAP, OD, STAGE, PRIORITY, MATCH, ACTIONS, \
NULL, NULL, STAGE_HINT, OVS_SOURCE_LOCATOR)
+#define ovn_lflow_add_default_drop(LFLOW_MAP, OD, STAGE) \
+ __ovn_lflow_add_default_drop(LFLOW_MAP, OD, STAGE, OVS_SOURCE_LOCATOR)
+
+
/* This macro is similar to ovn_lflow_add_with_hint, except that it requires
* the IN_OUT_PORT argument, which tells the lport name that appears in the
* MATCH, which helps ovn-controller to bypass lflows parsing when the lport is
@@ -5095,8 +5112,8 @@ build_port_security_nd(struct ovn_port *op, struct hmap *lflows,
ds_clear(&match);
ds_put_format(&match, "inport == %s && (arp || nd)", op->json_key);
ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND,
- 80, ds_cstr(&match), "drop;", op->key,
- stage_hint);
+ 80, ds_cstr(&match), debug_drop_action(),
+ op->key, stage_hint);
ds_destroy(&match);
}
@@ -5229,7 +5246,8 @@ build_port_security_ip(enum ovn_pipeline pipeline, struct ovn_port *op,
pipeline == P_IN ? "eth.src" : "eth.dst",
ps->ea_s);
ovn_lflow_add_with_lport_and_hint(lflows, op->od, stage, 80, match,
- "drop;", op->key, stage_hint);
+ debug_drop_action(), op->key,
+ stage_hint);
free(match);
}
@@ -5661,8 +5679,9 @@ build_lswitch_output_port_sec_op(struct ovn_port *op,
} else {
ovn_lflow_add_with_lport_and_hint(lflows, op->od,
S_SWITCH_OUT_PORT_SEC_L2, 150,
- ds_cstr(match), "drop;", op->key,
- &op->nbsp->header_);
+ ds_cstr(match),
+ debug_drop_action(),
+ op->key, &op->nbsp->header_);
}
if (op->nbsp->n_port_security) {
@@ -5682,6 +5701,9 @@ build_lswitch_output_port_sec_od(struct ovn_datapath *od,
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_IP, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_L2, 100, "eth.mcast",
"output;");
+
+ /* Default action for L2 security is to drop. */
+ ovn_lflow_add_default_drop(lflows, od, S_SWITCH_OUT_PORT_SEC_L2);
}
}
@@ -6426,7 +6448,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
} else {
ds_put_format(match, " && (%s)", acl->match);
build_acl_log(actions, acl, meter_groups);
- ds_put_cstr(actions, "/* drop */");
+ ds_put_cstr(actions, debug_implicit_drop_action());
ovn_lflow_add_with_hint(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(match), ds_cstr(actions),
@@ -6453,7 +6475,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
} else {
ds_put_format(match, " && (%s)", acl->match);
build_acl_log(actions, acl, meter_groups);
- ds_put_cstr(actions, "/* drop */");
+ ds_put_cstr(actions, debug_implicit_drop_action());
ovn_lflow_add_with_hint(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(match), ds_cstr(actions),
@@ -6470,7 +6492,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
actions, &acl->header_, meter_groups);
} else {
build_acl_log(actions, acl, meter_groups);
- ds_put_cstr(actions, "/* drop */");
+ ds_put_cstr(actions, debug_implicit_drop_action());
ovn_lflow_add_with_hint(lflows, od, stage,
acl->priority + OVN_ACL_PRI_OFFSET,
acl->match, ds_cstr(actions),
@@ -6678,9 +6700,9 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
ds_put_format(&match, "%s(ct.est && ct.rpl && ct_mark.blocked == 1)",
use_ct_inv_match ? "ct.inv || " : "");
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3,
- ds_cstr(&match), "drop;");
+ ds_cstr(&match), debug_drop_action());
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3,
- ds_cstr(&match), "drop;");
+ ds_cstr(&match), debug_drop_action());
/* Ingress and Egress ACL Table (Priority 65535 - 3).
*
@@ -7669,7 +7691,7 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op,
rp->lsp_addrs[k].ipv4_addrs[l].addr_s);
ovn_lflow_add_with_lport_and_hint(
lflows, op->od, S_SWITCH_IN_EXTERNAL_PORT, 100,
- ds_cstr(&match), "drop;", port->key,
+ ds_cstr(&match), debug_drop_action(), port->key,
&op->nbsp->header_);
}
for (size_t l = 0; l < rp->lsp_addrs[k].n_ipv6_addrs; l++) {
@@ -7685,7 +7707,7 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op,
rp->lsp_addrs[k].ipv6_addrs[l].addr_s);
ovn_lflow_add_with_lport_and_hint(
lflows, op->od, S_SWITCH_IN_EXTERNAL_PORT, 100,
- ds_cstr(&match), "drop;", port->key,
+ ds_cstr(&match), debug_drop_action(), port->key,
&op->nbsp->header_);
}
@@ -7700,7 +7722,8 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op,
ovn_lflow_add_with_lport_and_hint(lflows, op->od,
S_SWITCH_IN_EXTERNAL_PORT,
100, ds_cstr(&match),
- "drop;", port->key,
+ debug_drop_action(),
+ port->key,
&op->nbsp->header_);
}
}
@@ -7738,7 +7761,7 @@ build_lswitch_flows(const struct hmap *datapaths,
"outport = \""MC_UNKNOWN "\"; output;");
} else {
ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 50,
- "outport == \"none\"", "drop;");
+ "outport == \"none\"", debug_drop_action());
}
ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 0, "1",
"output;");
@@ -7779,16 +7802,19 @@ build_lswitch_lflows_admission_control(struct ovn_datapath *od,
if (!is_vlan_transparent(od)) {
/* Block logical VLANs. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100,
- "vlan.present", "drop;");
+ "vlan.present", debug_drop_action());
}
/* Broadcast/multicast source address is invalid. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]",
- "drop;");
+ debug_drop_action());
/* Port security flows have priority 50
* (see build_lswitch_input_port_sec()) and will continue
* to the next table if packet source is acceptable. */
+
+ /* Default action is to drop. */
+ ovn_lflow_add_default_drop(lflows, od, S_SWITCH_IN_PORT_SEC_L2);
}
}
@@ -8326,7 +8352,7 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
*/
if (!mcast_sw_info->flood_relay &&
!mcast_sw_info->flood_static) {
- ds_put_cstr(actions, "drop;");
+ ds_put_cstr(actions, debug_drop_action());
}
ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 80,
@@ -8892,7 +8918,7 @@ build_routing_policy_flow(struct hmap *lflows, struct ovn_datapath *od,
out_port->json_key);
} else if (!strcmp(rule->action, "drop")) {
- ds_put_cstr(&actions, "drop;");
+ ds_put_cstr(&actions, debug_drop_action());
} else if (!strcmp(rule->action, "allow")) {
uint32_t pkt_mark = ovn_smap_get_uint(&rule->options, "pkt_mark", 0);
if (pkt_mark) {
@@ -9658,7 +9684,7 @@ add_route(struct hmap *lflows, struct ovn_datapath *od,
struct ds common_actions = DS_EMPTY_INITIALIZER;
struct ds actions = DS_EMPTY_INITIALIZER;
if (is_discard_route) {
- ds_put_format(&actions, "drop;");
+ ds_put_cstr(&actions, debug_drop_action());
} else {
ds_put_format(&common_actions, REG_ECMP_GROUP_ID" = 0; %s = ",
is_ipv4 ? REG_NEXT_HOP_IPV4 : REG_NEXT_HOP_IPV6);
@@ -9689,6 +9715,10 @@ add_route(struct hmap *lflows, struct ovn_datapath *od,
priority + 1, ds_cstr(&match),
ds_cstr(&common_actions), stage_hint);
}
+
+ /* Default action for S_ROUTER_IN_IP_ROUTING is to drop. */
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_IP_ROUTING);
+
ds_destroy(&match);
ds_destroy(&common_actions);
ds_destroy(&actions);
@@ -10346,7 +10376,7 @@ build_lrouter_arp_flow(struct ovn_datapath *od, struct ovn_port *op,
ds_put_format(&match, " && %s", ds_cstr(extra_match));
}
if (drop) {
- ds_put_format(&actions, "drop;");
+ ds_put_cstr(&actions, debug_drop_action());
} else {
ds_put_format(&actions,
"eth.dst = eth.src; "
@@ -10402,7 +10432,7 @@ build_lrouter_nd_flow(struct ovn_datapath *od, struct ovn_port *op,
}
if (drop) {
- ds_put_format(&actions, "drop;");
+ ds_put_cstr(&actions, debug_drop_action());
ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_IP_INPUT, priority,
ds_cstr(&match), ds_cstr(&actions), hint);
} else {
@@ -10549,7 +10579,7 @@ build_lrouter_drop_own_dest(struct ovn_port *op, enum ovn_stage stage,
char *match = xasprintf("ip4.dst == {%s}", ds_cstr(&match_ips));
ovn_lflow_add_with_hint(lflows, op->od, stage, priority,
- match, "drop;",
+ match, debug_drop_action(),
&op->nbrp->header_);
free(match);
}
@@ -10575,7 +10605,7 @@ build_lrouter_drop_own_dest(struct ovn_port *op, enum ovn_stage stage,
char *match = xasprintf("ip6.dst == {%s}", ds_cstr(&match_ips));
ovn_lflow_add_with_hint(lflows, op->od, stage, priority,
- match, "drop;",
+ match, debug_drop_action(),
&op->nbrp->header_);
free(match);
}
@@ -10743,7 +10773,10 @@ build_adm_ctrl_flows_for_lrouter(
/* Logical VLANs not supported.
* Broadcast/multicast source address is invalid. */
ovn_lflow_add(lflows, od, S_ROUTER_IN_ADMISSION, 100,
- "vlan.present || eth.src[40]", "drop;");
+ "vlan.present || eth.src[40]", debug_drop_action());
+
+ /* Default action for L2 security is to drop. */
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_ADMISSION);
}
}
@@ -10939,6 +10972,8 @@ build_neigh_learning_flows_for_lrouter(
"nd_ns", "put_nd(inport, ip6.src, nd.sll); next;",
copp_meter_get(COPP_ND_NS, od->nbr->copp,
meter_groups));
+
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_LEARN_NEIGHBOR);
}
}
@@ -11281,7 +11316,7 @@ build_mcast_lookup_flows_for_lrouter(
* i.e., router solicitation and router advertisement.
*/
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10550,
- "nd_rs || nd_ra", "drop;");
+ "nd_rs || nd_ra", debug_drop_action());
if (!od->mcast_info.rtr.relay) {
return;
}
@@ -11328,13 +11363,13 @@ build_mcast_lookup_flows_for_lrouter(
ds_put_format(match, "eth.src == %s && igmp",
op->lrp_networks.ea_s);
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10550,
- ds_cstr(match), "drop;");
+ ds_cstr(match), debug_drop_action());
ds_clear(match);
ds_put_format(match, "eth.src == %s && (mldv1 || mldv2)",
op->lrp_networks.ea_s);
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10550,
- ds_cstr(match), "drop;");
+ ds_cstr(match), debug_drop_action());
}
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10460,
@@ -11358,7 +11393,7 @@ build_mcast_lookup_flows_for_lrouter(
"};");
} else {
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10450,
- "ip4.mcast || ip6.mcast", "drop;");
+ "ip4.mcast || ip6.mcast", debug_drop_action());
}
}
}
@@ -11416,11 +11451,13 @@ build_arp_resolve_flows_for_lrouter(
ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 500,
"ip4.mcast || ip6.mcast", "next;");
- ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip4",
+ ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 1, "ip4",
"get_arp(outport, " REG_NEXT_HOP_IPV4 "); next;");
- ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip6",
+ ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 1, "ip6",
"get_nd(outport, " REG_NEXT_HOP_IPV6 "); next;");
+
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_ARP_RESOLVE);
}
}
@@ -11546,9 +11583,9 @@ build_arp_resolve_flows_for_lrouter_port(
* in stage "lr_in_ip_input" but traffic that could have been unSNATed
* but didn't match any existing session might still end up here.
*
- * Priority 1.
+ * Priority 2.
*/
- build_lrouter_drop_own_dest(op, S_ROUTER_IN_ARP_RESOLVE, 1, true,
+ build_lrouter_drop_own_dest(op, S_ROUTER_IN_ARP_RESOLVE, 2, true,
lflows);
} else if (op->od->n_router_ports && !lsp_is_router(op->nbsp)
&& strcmp(op->nbsp->type, "virtual")) {
@@ -12112,6 +12149,8 @@ build_egress_delivery_flows_for_lrouter_port(
ds_put_format(match, "outport == %s", op->json_key);
ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_DELIVERY, 100,
ds_cstr(match), "output;");
+
+ ovn_lflow_add_default_drop(lflows, op->od, S_ROUTER_OUT_DELIVERY);
}
}
@@ -12141,7 +12180,7 @@ build_misc_local_traffic_drop_flows_for_lrouter(
"ip4.dst == 127.0.0.0/8 || "
"ip4.src == 0.0.0.0/8 || "
"ip4.dst == 0.0.0.0/8",
- "drop;");
+ debug_drop_action());
/* Drop ARP packets (priority 85). ARP request packets for router's own
* IPs are handled with priority-90 flows.
@@ -12149,7 +12188,7 @@ build_misc_local_traffic_drop_flows_for_lrouter(
* IPs are handled with priority-90 flows.
*/
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 85,
- "arp || nd", "drop;");
+ "arp || nd", debug_drop_action());
/* Allow IPv6 multicast traffic that's supposed to reach the
* router pipeline (e.g., router solicitations).
@@ -12159,21 +12198,22 @@ build_misc_local_traffic_drop_flows_for_lrouter(
/* Drop other reserved multicast. */
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 83,
- "ip6.mcast_rsvd", "drop;");
+ "ip6.mcast_rsvd", debug_drop_action());
/* Allow other multicast if relay enabled (priority 82). */
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 82,
"ip4.mcast || ip6.mcast",
- od->mcast_info.rtr.relay ? "next;" : "drop;");
+ (od->mcast_info.rtr.relay ? "next;" :
+ debug_drop_action()));
/* Drop Ethernet local broadcast. By definition this traffic should
* not be forwarded.*/
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 50,
- "eth.bcast", "drop;");
+ "eth.bcast", debug_drop_action());
/* TTL discard */
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 30,
- "ip4 && ip.ttl == {0, 1}", "drop;");
+ "ip4 && ip.ttl == {0, 1}", debug_drop_action());
/* Pass other traffic not already handled to the next table for
* routing. */
@@ -12435,7 +12475,7 @@ build_lrouter_ipv4_ip_input(struct ovn_port *op,
op_put_v4_networks(match, op, true);
ds_put_cstr(match, " && "REGBIT_EGRESS_LOOPBACK" == 0");
ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_IP_INPUT, 100,
- ds_cstr(match), "drop;",
+ ds_cstr(match), debug_drop_action(),
&op->nbrp->header_);
/* ICMP echo reply. These flows reply to ICMP echo requests
@@ -13463,7 +13503,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
struct ovn_port *op = ovn_port_find(ports, nat->logical_port);
if (op && op->nbsp && !strcmp(op->nbsp->type, "virtual")) {
ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_GW_REDIRECT,
- 80, ds_cstr(match), "drop;",
+ 80, ds_cstr(match), debug_drop_action(),
&nat->header_);
}
ds_put_format(match, " && is_chassis_resident(\"%s\")",
@@ -15322,6 +15362,8 @@ ovnnb_db_run(struct northd_input *input_data,
check_lsp_is_up = !smap_get_bool(&nb->options,
"ignore_lsp_down", true);
+ init_debug_config(nb);
+
build_datapaths(input_data, ovnsb_txn, &data->datapaths, &data->lr_list);
build_lbs(input_data, &data->datapaths, &data->lbs);
build_ports(input_data, ovnsb_txn, sbrec_chassis_by_name,
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 547f7f48a..76b6bab17 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -255,6 +255,14 @@
+
+
+ If set to true, ovn-northd
will add an explicit 'drop'
+ logical flow when possible instead of relying on the OVS implicitly
+ dropping packets that do not match any flow.
+
+
+
These options control how routes are advertised between OVN
diff --git a/tests/ovn.at b/tests/ovn.at
index d1b062fb3..3e22ecf4b 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -26102,7 +26102,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep "actions=controller" | grep
])
# The packet should've been dropped in the lr_in_arp_resolve stage.
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=23, n_packets=1,.* priority=1,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=23, n_packets=1,.* priority=2,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl
1
])