From patchwork Tue Oct 8 08:59:24 2024
X-Patchwork-Submitter: Lorenzo Bianconi
X-Patchwork-Id: 1994106
From: Lorenzo Bianconi
To: ovs-dev@openvswitch.org
Cc: npinaeva@redhat.com, dceara@redhat.com
Date: Tue, 8 Oct 2024 10:59:24 +0200
Message-ID: <2b94713da835e9886d69511321b46518c7262c2f.1728377302.git.lorenzo.bianconi@redhat.com>
Subject: [ovs-dev] [PATCH ovn] northd: Commit ct_label.obs_point_id for blocked connections.

Considering the following configuration:

$ovn-nbctl acl-list sw01
  from-lport   100 (inport == "sw01-port1" && udp.dst == 5201) allow-related [after-lb]
  from-lport    10 (inport == "sw01-port1" && udp) drop [after-lb]

$ovn-nbctl list acl
_uuid               : e440336a-84d3-4a6d-95a9-edd1db1c3631
action              : drop
direction           : from-lport
external_ids        : {}
label               : 0
log                 : false
match               : "inport == \"sw01-port1\" && udp"
meter               : []
name                : []
options             : {apply-after-lb="true"}
priority            : 10
sample_est          : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
sample_new          : 5cdad2ab-4390-4772-ac40-74aa2980c06e
severity            : []
tier                : 0

_uuid               : 85ef08d7-aacc-41d7-b808-6ab011edd753
action              : allow-related
direction           : from-lport
external_ids        : {}
label               : 0
log                 : false
match               : "inport == \"sw01-port1\" && udp.dst == 5201"
meter               : []
name                : []
options             : {apply-after-lb="true"}
priority            : 100
sample_est          : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
sample_new          : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
severity            : []
tier                : 0

If the priority-100 acl is removed, the udp traffic with destination
port 5201 will be dropped; however, ovn-controller will continue sampling
the existing connection with the observationPointID associated with the
removed acl. Fix the issue by updating the ct_label.obs_point_id for the
connection marked with ct_mark.blocked.

Fixes: d15b12da6fe6 ("northd: Add ACL Sampling.")
Reported-at: https://issues.redhat.com/browse/FDP-819
Signed-off-by: Lorenzo Bianconi
Signed-off-by: Lorenzo Bianconi
--- northd/northd.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/northd/northd.c b/northd/northd.c index 2c4703301..d5b9a54b2 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -7205,7 +7205,14 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For drop ACLs just sample all packets as "new" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, obs_stage); - ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); + if (acl->sample_est) { + ds_put_format(actions, + "ct_commit { ct_mark.blocked = 1; " + "ct_label.obs_point_id = %"PRIu32"; }; next;", + (uint32_t) acl->sample_est->metadata); + } else { + ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); + } ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), &acl->header_, lflow_ref);
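
Review bot: the else branch in consider_acl() (acl->sample_est unset) still emits only "ct_commit { ct_mark.blocked = 1; }; next;", so ct_label.obs_point_id is not written there and a connection committed earlier under an allow-related ACL would keep the ID it already had, which is the stale observation point the commit message sets out to fix. Consider writing ct_label.obs_point_id = 0 in that branch, so that a blocked connection never carries the ID of a removed ACL. The comment above the call still says drop ACLs sample all packets as "new" packets while the new code commits acl->sample_est->metadata, so it should be updated to say why the established-sample ID is stored for blocked connections. The diffstat lists only northd/northd.c, so a test covering the ACL-removal scenario from the commit message would be worth adding.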