From patchwork Tue Apr 28 11:06:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Numan Siddique X-Patchwork-Id: 1278395 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=ovn.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49BJk30Dlbz9sSG for ; Tue, 28 Apr 2020 21:06:34 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 7C71086E6A; Tue, 28 Apr 2020 11:06:32 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uxNCo1P5mPIG; Tue, 28 Apr 2020 11:06:28 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by whitealder.osuosl.org (Postfix) with ESMTP id 7719086E1D; Tue, 28 Apr 2020 11:06:28 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 6A953C0864; Tue, 28 Apr 2020 11:06:28 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id CA4FCC0172 for ; Tue, 28 Apr 2020 11:06:26 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id B37F0848ED for ; Tue, 28 Apr 2020 11:06:26 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zo4jckn0jkyZ for ; Tue, 28 Apr 2020 11:06:24 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by fraxinus.osuosl.org (Postfix) with ESMTPS id 3105E848AB for ; Tue, 28 Apr 2020 11:06:23 +0000 (UTC) X-Originating-IP: 115.99.208.6 Received: from nummac.local (unknown [115.99.208.6]) (Authenticated sender: numans@ovn.org) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 948A64000A; Tue, 28 Apr 2020 11:06:19 +0000 (UTC) From: numans@ovn.org To: dev@openvswitch.org Date: Tue, 28 Apr 2020 16:36:09 +0530 Message-Id: <20200428110609.3680194-1-numans@ovn.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn] Fix ACL reject action for UDP packets. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Numan Siddique The icmp packet generated by ovn-controller for reject ACL action for non TCP packets is not getting delivered to the sender of the original packet. This is because the icmp packets are skipped from out_pre_lb/out_pre_acl logical switch egress pipeline and this results in these icmp packets getting dropped in the ACL stage because of invalid ct flags. This patch fixes this issue by removing those logical flows. The IP checksum generated by ovn-controller is invalid. This patch fixes this issue as well. Signed-off-by: Numan Siddique Tested-by: Lorenzo Bianconi --- controller/pinctrl.c | 102 ++++++++++++++++++++++++++++--------------- northd/ovn-northd.c | 22 +++++----- tests/ovn.at | 46 +++++++++---------- tests/system-ovn.at | 95 ++++++++++++++++++++++++++++++++-------- 4 files changed, 177 insertions(+), 88 deletions(-) diff --git a/controller/pinctrl.c b/controller/pinctrl.c index 3230bb386..63796d88c 100644 --- a/controller/pinctrl.c +++ b/controller/pinctrl.c @@ -1453,7 +1453,7 @@ static void pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, struct dp_packet *pkt_in, const struct match *md, struct ofpbuf *userdata, - bool include_orig_ip_datagram) + bool set_icmp_code) { /* This action only works for IP packets, and the switch should only send * us IP packets this way, but check here just to be sure. */ @@ -1500,46 +1500,51 @@ pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, packet_set_ipv4(&packet, ip_flow->nw_src, ip_flow->nw_dst, ip_flow->nw_tos, 255); + uint8_t icmp_code = 1; + if (set_icmp_code && in_ip->ip_proto == IPPROTO_UDP) { + icmp_code = 3; + } + struct icmp_header *ih = dp_packet_put_zeros(&packet, sizeof *ih); dp_packet_set_l4(&packet, ih); - packet_set_icmp(&packet, ICMP4_DST_UNREACH, 1); - - if (include_orig_ip_datagram) { - /* RFC 1122: 3.2.2 MUST send at least the IP header and 8 bytes - * of header. MAY send more. - * RFC says return as much as we can without exceeding 576 - * bytes. - * So, lets return as much as we can. */ - - /* Calculate available room to include the original IP + data. */ - nh = dp_packet_l3(&packet); - uint16_t room = 576 - (sizeof *eh + ntohs(nh->ip_tot_len)); - if (in_ip_len > room) { - in_ip_len = room; - } - dp_packet_put(&packet, in_ip, in_ip_len); - - /* dp_packet_put may reallocate the buffer. Get the l3 and l4 - * header pointers again. */ - nh = dp_packet_l3(&packet); - ih = dp_packet_l4(&packet); - uint16_t ip_total_len = ntohs(nh->ip_tot_len) + in_ip_len; - nh->ip_tot_len = htons(ip_total_len); - ih->icmp_csum = 0; - ih->icmp_csum = csum(ih, sizeof *ih + in_ip_len); - nh->ip_csum = 0; - nh->ip_csum = csum(nh, sizeof *nh); - } + packet_set_icmp(&packet, ICMP4_DST_UNREACH, icmp_code); + + /* RFC 1122: 3.2.2 MUST send at least the IP header and 8 bytes + * of header. MAY send more. + * RFC says return as much as we can without exceeding 576 + * bytes. + * So, lets return as much as we can. */ + + /* Calculate available room to include the original IP + data. */ + nh = dp_packet_l3(&packet); + uint16_t room = 576 - (sizeof *eh + ntohs(nh->ip_tot_len)); + if (in_ip_len > room) { + in_ip_len = room; + } + dp_packet_put(&packet, in_ip, in_ip_len); + + /* dp_packet_put may reallocate the buffer. Get the l3 and l4 + * header pointers again. */ + nh = dp_packet_l3(&packet); + ih = dp_packet_l4(&packet); + uint16_t ip_total_len = ntohs(nh->ip_tot_len) + in_ip_len; + nh->ip_tot_len = htons(ip_total_len); + ih->icmp_csum = 0; + ih->icmp_csum = csum(ih, sizeof *ih + in_ip_len); + nh->ip_csum = 0; + nh->ip_csum = csum(nh, sizeof *nh); + } else { struct ip6_hdr *nh = dp_packet_put_zeros(&packet, sizeof *nh); struct icmp6_data_header *ih; uint32_t icmpv6_csum; + struct ip6_hdr *in_ip = dp_packet_l3(pkt_in); eh->eth_type = htons(ETH_TYPE_IPV6); dp_packet_set_l3(&packet, nh); nh->ip6_vfc = 0x60; nh->ip6_nxt = IPPROTO_ICMPV6; - nh->ip6_plen = htons(sizeof(*nh) + ICMP6_DATA_HEADER_LEN); + nh->ip6_plen = htons(ICMP6_DATA_HEADER_LEN); packet_set_ipv6(&packet, &ip_flow->ipv6_src, &ip_flow->ipv6_dst, ip_flow->nw_tos, ip_flow->ipv6_label, 255); @@ -1547,15 +1552,42 @@ pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, dp_packet_set_l4(&packet, ih); ih->icmp6_base.icmp6_type = ICMP6_DST_UNREACH; ih->icmp6_base.icmp6_code = 1; + + if (set_icmp_code && in_ip->ip6_nxt == IPPROTO_UDP) { + ih->icmp6_base.icmp6_code = ICMP6_DST_UNREACH_NOPORT; + } ih->icmp6_base.icmp6_cksum = 0; - uint8_t *data = dp_packet_put_zeros(&packet, sizeof *nh); - memcpy(data, dp_packet_l3(pkt_in), sizeof(*nh)); + nh = dp_packet_l3(&packet); + + /* RFC 4443: 3.1. + * + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Type | Code | Checksum | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Unused | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | As much of invoking packet | + * + as possible without the ICMPv6 packet + + * | exceeding the minimum IPv6 MTU [IPv6] | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + + uint16_t room = 1280 - (sizeof *eh + sizeof *nh + + ICMP6_DATA_HEADER_LEN); + uint16_t in_ip_len = (uint16_t) sizeof *in_ip + ntohs(in_ip->ip6_plen); + if (in_ip_len > room) { + in_ip_len = room; + } + + dp_packet_put(&packet, in_ip, in_ip_len); + nh->ip6_plen = htons(ICMP6_DATA_HEADER_LEN + in_ip_len); icmpv6_csum = packet_csum_pseudoheader6(dp_packet_l3(&packet)); ih->icmp6_base.icmp6_cksum = csum_finish( csum_continue(icmpv6_csum, ih, - sizeof(*nh) + ICMP6_DATA_HEADER_LEN)); + in_ip_len + ICMP6_DATA_HEADER_LEN)); } if (ip_flow->vlans[0].tci & htons(VLAN_CFI)) { @@ -2646,12 +2678,12 @@ process_packet_in(struct rconn *swconn, const struct ofp_header *msg) case ACTION_OPCODE_ICMP: pinctrl_handle_icmp(swconn, &headers, &packet, &pin.flow_metadata, - &userdata, false); + &userdata, true); break; case ACTION_OPCODE_ICMP4_ERROR: pinctrl_handle_icmp(swconn, &headers, &packet, &pin.flow_metadata, - &userdata, true); + &userdata, false); break; case ACTION_OPCODE_TCP_RESET: diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 63753ac61..eb459c8c4 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -4724,12 +4724,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows) * Not to do conntrack on ND and ICMP destination * unreachable packets. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, - "nd || nd_rs || nd_ra || icmp4.type == 3 || " - "icmp6.type == 1 || " + "nd || nd_rs || nd_ra || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, - "nd || nd_rs || nd_ra || icmp4.type == 3 || " - "icmp6.type == 1 || " + "nd || nd_rs || nd_ra || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); /* Ingress and Egress Pre-ACL Table (Priority 100). @@ -4841,12 +4839,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows, { /* Do not send ND packets to conntrack */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, - "nd || nd_rs || nd_ra || icmp4.type == 3 ||" - "icmp6.type == 1", + "nd || nd_rs || nd_ra", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, - "nd || nd_rs || nd_ra || icmp4.type == 3 ||" - "icmp6.type == 1", + "nd || nd_rs || nd_ra", "next;"); /* Do not send service monitor packets to conntrack. */ @@ -5025,9 +5021,10 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, ds_put_format(&actions, "%s ", extra_actions->string); } ds_put_format(&actions, "reg0 = 0; " - "eth.dst <-> eth.src; ip4.dst <-> ip4.src; " - "icmp4 { outport <-> inport; %s };", - ingress ? "output;" : "next(pipeline=ingress,table=0);"); + "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; " + "outport <-> inport; %s };", + ingress ? "next(pipeline=egress,table=5);" + : "next(pipeline=ingress,table=19);"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, ds_cstr(&match), ds_cstr(&actions), stage_hint); @@ -5044,7 +5041,8 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, ds_put_format(&actions, "reg0 = 0; icmp6 { " "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " "outport <-> inport; %s };", - ingress ? "output;" : "next(pipeline=ingress,table=0);"); + ingress ? "next(pipeline=egress,table=5);" + : "next(pipeline=ingress,table=19);"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, ds_cstr(&match), ds_cstr(&actions), stage_hint); diff --git a/tests/ovn.at b/tests/ovn.at index e6febd4c2..6467bdc42 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -11813,13 +11813,13 @@ test_ip_packet() { local ip_ttl=ff local packet=${eth_dst}${eth_src}08004500001400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst} - + local orig_pkt_in_reply=4500001400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst} local reply_icmp_ttl=ff local icmp_type_code_response=0301 local icmp_data=00000000 local reply_icmp_payload=${icmp_type_code_response}${exp_icmp_chksum}${icmp_data} - local reply=${eth_src}${eth_dst}08004500001c00004000${reply_icmp_ttl}01${exp_ip_chksum}${ipv4_dst}${ipv4_src}${reply_icmp_payload} - echo $reply >> vif$inport.expected + local reply=${eth_src}${eth_dst}08004500003000004000${reply_icmp_ttl}01${exp_ip_chksum}${ipv4_dst}${ipv4_src}${reply_icmp_payload} + echo $reply$orig_pkt_in_reply >> vif$inport.expected as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet } @@ -11836,7 +11836,7 @@ test_ipv6_packet() { local ip6_hdr=6000000000083aff${ipv6_src}${ipv6_dst} local packet=${eth_dst}${eth_src}86dd${ip6_hdr}0000000000000000 - local reply=${eth_src}${eth_dst}86dd6000000000303aff${ipv6_dst}${ipv6_src}0101${exp_icmp_chksum}00000000${ip6_hdr} + local reply=${eth_src}${eth_dst}86dd6000000000383aff${ipv6_dst}${ipv6_src}0101${exp_icmp_chksum}00000000${ip6_hdr}0000000000000000 echo $reply >> vif$inport.expected as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet @@ -11914,11 +11914,11 @@ ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p21\"" reject # Allow some time for ovn-northd and ovn-controller to catch up. ovn-nbctl --timeout=3 --wait=hv sync -test_ip_packet 11 1 000000000011 000000000021 $(ip_to_hex 192 168 1 11) $(ip_to_hex 192 168 1 21) 0000 7d8d fcfe -test_ip_packet 21 2 000000000021 000000000011 $(ip_to_hex 192 168 1 21) $(ip_to_hex 192 168 1 11) 0000 7d8d fcfe -test_ip_packet 31 3 000000000031 000000000012 $(ip_to_hex 192 168 1 31) $(ip_to_hex 192 168 1 12) 0000 7d82 fcfe +test_ip_packet 11 1 000000000011 000000000021 $(ip_to_hex 192 168 1 11) $(ip_to_hex 192 168 1 21) 0000 f85b f576 +test_ip_packet 21 2 000000000021 000000000011 $(ip_to_hex 192 168 1 21) $(ip_to_hex 192 168 1 11) 0000 f85b f576 +test_ip_packet 31 3 000000000031 000000000012 $(ip_to_hex 192 168 1 31) $(ip_to_hex 192 168 1 12) 0000 f850 f56b -test_ipv6_packet 11 1 000000000011 000000000021 fe80000000000000020001fffe000001 fe80000000000000020001fffe000002 6183 +test_ipv6_packet 11 1 000000000011 000000000021 fe80000000000000020001fffe000001 fe80000000000000020001fffe000002 617b test_tcp_syn_packet 11 1 000000000011 000000000021 $(ip_to_hex 192 168 1 11) $(ip_to_hex 192 168 1 21) 0000 8b40 3039 0000 b85f 70e4 test_tcp_syn_packet 21 2 000000000021 000000000011 $(ip_to_hex 192 168 1 21) $(ip_to_hex 192 168 1 11) 0000 8b40 3039 0000 b85f 70e4 @@ -12871,13 +12871,13 @@ test_ip_packet() { local ip_ttl=01 local packet=${eth_dst}${eth_src}08004500001400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst} - + local orig_pkt_in_reply=4500001400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst} local reply_icmp_ttl=fe local icmp_type_code_response=0b00 local icmp_data=00000000 local reply_icmp_payload=${icmp_type_code_response}${exp_icmp_chksum}${icmp_data} - local reply=${eth_src}${eth_dst}08004500001c00004000${reply_icmp_ttl}01${exp_ip_chksum}${ip_router}${ipv4_src}${reply_icmp_payload} - echo $reply >> vif$inport.expected + local reply=${eth_src}${eth_dst}08004500003000004000${reply_icmp_ttl}01${exp_ip_chksum}${ip_router}${ipv4_src}${reply_icmp_payload} + echo $reply$orig_pkt_in_reply >> vif$inport.expected as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet } @@ -12895,7 +12895,7 @@ test_ip6_packet() { local ip6_hdr=6000000000151101${ipv6_src}${ipv6_dst} local packet=${eth_dst}${eth_src}86dd${ip6_hdr}dbb8303900155bac6b646f65206676676e6d66720a - local reply=${eth_src}${eth_dst}86dd6000000000303afe${ipv6_router}${ipv6_src}0300${exp_icmp_chksum}00000000${ip6_hdr} + local reply=${eth_src}${eth_dst}86dd6000000000453afe${ipv6_router}${ipv6_src}0300${exp_icmp_chksum}00000000${ip6_hdr}dbb8303900155bac6b646f65206676676e6d66720a echo $reply >> vif$inport.expected as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet @@ -12937,8 +12937,8 @@ OVN_POPULATE_ARP # allow some time for ovn-northd and ovn-controller to catch up. ovn-nbctl --wait=hv sync -test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) $(ip_to_hex 192 168 2 1) $(ip_to_hex 192 168 1 254) 0000 7dae f4ff -test_ip6_packet 1 1 000000000001 00000000ff01 20010db8000100000000000000000011 20010db8000200000000000000000011 20010db8000100000000000000000001 d461 +test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) $(ip_to_hex 192 168 2 1) $(ip_to_hex 192 168 1 254) 0000 f87c ea96 +test_ip6_packet 1 1 000000000001 00000000ff01 20010db8000100000000000000000011 20010db8000200000000000000000011 20010db8000100000000000000000001 1c22 OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected]) OVN_CLEANUP([hv1], [hv2]) @@ -12967,12 +12967,12 @@ test_ip_packet() { local ip_ttl=ff local packet=${eth_dst}${eth_src}08004500001400004000${ip_ttl}${l4_proto}${ip_chksum}${ipv4_src}${ip_router} - + local orig_pkt_in_reply=4500001400004000${ip_ttl}${l4_proto}${ip_chksum}${ipv4_src}${ip_router} local reply_icmp_ttl=fe local icmp_data=00000000 local reply_icmp_payload=${exp_icmp_code}${exp_icmp_chksum}${icmp_data} - local reply=${eth_src}${eth_dst}08004500001c00004000${reply_icmp_ttl}01${exp_ip_chksum}${ip_router}${ipv4_src}${reply_icmp_payload} - echo $reply >> vif$inport.expected + local reply=${eth_src}${eth_dst}08004500003000004000${reply_icmp_ttl}01${exp_ip_chksum}${ip_router}${ipv4_src}${reply_icmp_payload} + echo $reply$orig_pkt_in_reply >> vif$inport.expected as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet } @@ -13038,7 +13038,9 @@ test_ip6_packet() { local ip6_hdr=60000000${ipv6_len}${ipv6_proto}ff${ipv6_src}${ipv6_dst} local packet=${eth_dst}${eth_src}86dd${ip6_hdr}${data} - local reply=${eth_src}${eth_dst}86dd6000000000303afe${ipv6_dst}${ipv6_src}${exp_icmp_code}${exp_icmp_chksum}00000000${ip6_hdr} + local reply_ip_len=`expr 48 + ${#data} / 2` + reply_ip_len=$(printf "%x" $reply_ip_len) + local reply=${eth_src}${eth_dst}86dd6000000000${reply_ip_len}3afe${ipv6_dst}${ipv6_src}${exp_icmp_code}${exp_icmp_chksum}00000000${ip6_hdr}${data} echo $reply >> vif$inport.expected as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet @@ -13080,13 +13082,13 @@ OVN_POPULATE_ARP # allow some time for ovn-northd and ovn-controller to catch up. ovn-nbctl --wait=hv sync -test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) $(ip_to_hex 192 168 1 254) 11 0000 7dae fcfc 0303 -test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) $(ip_to_hex 192 168 1 254) 84 0000 7dae fcfd 0302 -test_ip6_packet 1 1 000000000001 00000000ff01 20010db8000100000000000000000011 20010db8000100000000000000000001 11 0015 dbb8303900155bac6b646f65206676676e6d66720a 0104 d570 +test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) $(ip_to_hex 192 168 1 254) 11 0000 f87c f485 0303 +test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) $(ip_to_hex 192 168 1 254) 84 0000 f87c f413 0302 +test_ip6_packet 1 1 000000000001 00000000ff01 20010db8000100000000000000000011 20010db8000100000000000000000001 11 0015 dbb8303900155bac6b646f65206676676e6d66720a 0104 1d31 OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected]) test_tcp_syn_packet 2 2 000000000002 00000000ff02 $(ip_to_hex 192 168 2 1) $(ip_to_hex 192 168 2 254) 0000 8b40 3039 0000 b680 6e05 -test_ip6_packet 2 2 000000000002 00000000ff02 20010db8000200000000000000000011 20010db8000200000000000000000001 84 0004 01020304 0103 627e +test_ip6_packet 2 2 000000000002 00000000ff02 20010db8000200000000000000000011 20010db8000200000000000000000001 84 0004 01020304 0103 5e74 test_tcp6_packet 2 2 000000000002 00000000ff02 20010db8000200000000000000000011 20010db8000200000000000000000001 8b40 3039 0000 98cd OVN_CHECK_PACKETS([hv2/vif2-tx.pcap], [vif2.expected]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index fa3b83cb1..117f1e835 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -3697,7 +3697,7 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d AT_CLEANUP -AT_SETUP([ovn -- ACL reject - TCP reset]) +AT_SETUP([ovn -- ACL reject]) AT_SKIP_IF([test $HAVE_NC = no]) AT_KEYWORDS([lb]) @@ -3736,13 +3736,14 @@ ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop ovn-nbctl acl-add pg0_drop to-lport 1001 "outport == @pg0_drop && ip" drop ovn-nbctl pg-add pg0 sw0-p1-rej sw0-p2-rej -ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4" allow-related +ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip" allow-related ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && tcp && tcp.dst == 80" reject +ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && udp && udp.dst == 90" reject -ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 82" allow-related ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 82" allow-related ovn-nbctl --log acl-add pg0 to-lport 1004 "inport == @pg0 && ip && tcp && tcp.dst == 84" reject +ovn-nbctl --log acl-add pg0 to-lport 1004 "inport == @pg0 && ip && udp && udp.dst == 94" reject OVN_POPULATE_ARP ovn-nbctl --wait=hv sync @@ -3758,33 +3759,38 @@ ADD_VETH(sw0-p2-rej, sw0-p2-rej, br-int, "10.0.0.4/24", "50:54:00:00:00:04", \ NS_CHECK_EXEC([sw0-p1-rej], [ip a a aef0::3/64 dev sw0-p1-rej], [0]) NS_CHECK_EXEC([sw0-p2-rej], [ip a a aef0::4/64 dev sw0-p2-rej], [0]) -# Capture packets in sw0-p1-rej. -NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 2 -i sw0-p1-rej tcp port 80 > sw0-p1-rej-ip4.pcap &], [0]) sleep 1 -NS_CHECK_EXEC([sw0-p1-rej], [nc 10.0.0.4 80], [1], [], -[dnl -Ncat: Connection refused. -]) +# Capture packets in sw0-p1-rej. +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 4 -i sw0-p1-rej tcp > sw0-p1-rej-ip4.pcap &], [0]) + +sleep 1 OVS_WAIT_UNTIL([ - total=`cat sw0-p1-rej-ip4.pcap | wc -l` - echo "total = $total" - test "${total}" = "2" + ip netns exec sw0-p1-rej nc 10.0.0.4 80 2> r + res=$(cat r) + test "$res" = "Ncat: Connection refused." ]) # Now send traffic to port 84 -NS_CHECK_EXEC([sw0-p1-rej], [nc 10.0.0.4 84], [1], [], -[dnl -Ncat: Connection refused. +OVS_WAIT_UNTIL([ + ip netns exec sw0-p1-rej nc 10.0.0.4 84 2> r + res=$(cat r) + test "$res" = "Ncat: Connection refused." ]) -AT_CHECK([ +OVS_WAIT_UNTIL([ n_pkt=$(ovs-ofctl dump-flows br-int table=44 | grep -v n_packets=0 | \ grep controller | grep tp_dst=84 -c) test $n_pkt -eq 1 ]) +OVS_WAIT_UNTIL([ + total=`cat sw0-p1-rej-ip4.pcap | wc -l` + echo "total = $total" + test "${total}" = "4" +]) + # Without this sleep, test case fails intermittently. sleep 3 @@ -3792,17 +3798,68 @@ NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 2 -i sw0-p2-rej tcp port 80 > sw0-p2- sleep 1 -NS_CHECK_EXEC([sw0-p2-rej], [nc -6 aef0::3 80], [1], [], -[dnl -Ncat: Connection refused. +OVS_WAIT_UNTIL([ + ip netns exec sw0-p2-rej nc -6 aef0::3 80 2> r + res=$(cat r) + test "$res" = "Ncat: Connection refused." ]) + OVS_WAIT_UNTIL([ total=`cat sw0-p2-rej-ip6.pcap | wc -l` echo "total = $total" test "${total}" = "2" ]) +# Now test for IPv4 UDP. +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej udp port 90 > sw0-p1-rej-udp.pcap &], [0]) +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej icmp > sw0-p1-rej-icmp.pcap &], [0]) + +echo "foo" > foo +OVS_WAIT_UNTIL([ + ip netns exec sw0-p1-rej nc -u 10.0.0.4 90 < foo + c=$(cat sw0-p1-rej-icmp.pcap | grep \ +"10.0.0.4 > 10.0.0.3: ICMP 10.0.0.4 udp port dnsix unreachable" | uniq | wc -l) + test $c -eq 1 +]) + +rm -f *.pcap + +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej udp port 94 > sw0-p1-rej-udp.pcap &], [0]) +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej icmp > sw0-p1-rej-icmp.pcap &], [0]) + +OVS_WAIT_UNTIL([ + ip netns exec sw0-p1-rej nc -u 10.0.0.4 94 < foo + c=$(cat sw0-p1-rej-icmp.pcap | grep \ +"10.0.0.4 > 10.0.0.3: ICMP 10.0.0.4 udp port objcall unreachable" | uniq | wc -l) + test $c -eq 1 +]) + +# Now test for IPv6 UDP. +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej udp port 90 > sw0-p2-rej-ip6-udp.pcap &], [0]) +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej icmp6 > sw0-p2-rej-icmp6.pcap &], [0]) + +OVS_WAIT_UNTIL([ + ip netns exec sw0-p2-rej nc -u -6 aef0::3 90 < foo + c=$(cat sw0-p2-rej-icmp6.pcap | grep \ +"IP6 aef0::3 > aef0::4: ICMP6, destination unreachable, unreachable port, \ +aef0::3 udp port dnsix" | uniq | wc -l) + test $c -eq 1 +]) + +rm -f *.pcap + +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej udp port 94 > sw0-p2-rej-ip6-udp.pcap &], [0]) +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej icmp6 > sw0-p2-rej-icmp6.pcap &], [0]) + +OVS_WAIT_UNTIL([ + ip netns exec sw0-p2-rej nc -u -6 aef0::3 94 < foo + c=$(cat sw0-p2-rej-icmp6.pcap | grep \ +"IP6 aef0::3 > aef0::4: ICMP6, destination unreachable, unreachable port, \ +aef0::3 udp port objcall" | uniq | wc -l) + test $c -eq 1 +]) + OVS_APP_EXIT_AND_WAIT([ovn-controller]) as ovn-sb