From patchwork Mon Oct 19 07:26:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Numan Siddique X-Patchwork-Id: 1384015 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=ovn.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CF7cn2Gywz9sS8 for ; Mon, 19 Oct 2020 18:27:20 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id B6F9E87275; Mon, 19 Oct 2020 07:27:16 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qddnU9qmQitG; Mon, 19 Oct 2020 07:27:12 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by whitealder.osuosl.org (Postfix) with ESMTP id C43B987205; Mon, 19 Oct 2020 07:27:12 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id A9D98C0891; Mon, 19 Oct 2020 07:27:12 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 62401C0052 for ; Mon, 19 Oct 2020 07:27:11 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 5EC7D87205 for ; Mon, 19 Oct 2020 07:27:11 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kvc-mSMTsjzd for ; Mon, 19 Oct 2020 07:27:09 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay10.mail.gandi.net (relay10.mail.gandi.net [217.70.178.230]) by whitealder.osuosl.org (Postfix) with ESMTPS id 193C6870C6 for ; Mon, 19 Oct 2020 07:27:08 +0000 (UTC) Received: from nusiddiq.home.org.com (unknown [27.7.102.201]) (Authenticated sender: numans@ovn.org) by relay10.mail.gandi.net (Postfix) with ESMTPSA id 53C0B240005; Mon, 19 Oct 2020 07:27:03 +0000 (UTC) From: numans@ovn.org To: dev@openvswitch.org Date: Mon, 19 Oct 2020 12:56:51 +0530 Message-Id: <20201019072651.280025-1-numans@ovn.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201019072627.279917-1-numans@ovn.org> References: <20201019072627.279917-1-numans@ovn.org> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn v3 1/3] actions: Add a new OVN action - reject {}. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Numan Siddique This action is similar to tcp_reset and icmp4/icmp6 action. If the matching packet is an IPv4 of IPv6 TCP packet, it sends out TCP RST packet else it sends out ICMPv4 or ICMPv6 Destination unreachable packet. While transforming the original packet to the reject packet, this action implicitly swaps the eth source with eth destination and IP source with IP destination. A future patch will make use of this action for reject ACL. Signed-off-by: Numan Siddique Acked-by: Dumitru Ceara Acked-by: Mark Michelson --- controller/pinctrl.c | 64 +++++++++++++++++++++++-------- include/ovn/actions.h | 9 ++++- lib/actions.c | 22 +++++++++++ ovn-sb.xml | 16 ++++++++ tests/ovn.at | 12 ++++++ utilities/ovn-trace.c | 88 ++++++++++++++++++++++++++++++++----------- 6 files changed, 172 insertions(+), 39 deletions(-) diff --git a/controller/pinctrl.c b/controller/pinctrl.c index 0a7020533b..a9b7a263e6 100644 --- a/controller/pinctrl.c +++ b/controller/pinctrl.c @@ -1467,7 +1467,7 @@ static void pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, struct dp_packet *pkt_in, const struct match *md, struct ofpbuf *userdata, - bool set_icmp_code) + bool set_icmp_code, bool loopback) { /* This action only works for IP packets, and the switch should only send * us IP packets this way, but check here just to be sure. */ @@ -1488,8 +1488,8 @@ pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, packet.packet_type = htonl(PT_ETH); struct eth_header *eh = dp_packet_put_zeros(&packet, sizeof *eh); - eh->eth_dst = ip_flow->dl_dst; - eh->eth_src = ip_flow->dl_src; + eh->eth_dst = loopback ? ip_flow->dl_src : ip_flow->dl_dst; + eh->eth_src = loopback ? ip_flow->dl_dst : ip_flow->dl_src; if (get_dl_type(ip_flow) == htons(ETH_TYPE_IP)) { struct ip_header *in_ip = dp_packet_l3(pkt_in); @@ -1511,8 +1511,9 @@ pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, sizeof(struct icmp_header)); nh->ip_proto = IPPROTO_ICMP; nh->ip_frag_off = htons(IP_DF); - packet_set_ipv4(&packet, ip_flow->nw_src, ip_flow->nw_dst, - ip_flow->nw_tos, 255); + ovs_be32 nw_src = loopback ? ip_flow->nw_dst : ip_flow->nw_src; + ovs_be32 nw_dst = loopback ? ip_flow->nw_src : ip_flow->nw_dst; + packet_set_ipv4(&packet, nw_src, nw_dst, ip_flow->nw_tos, 255); uint8_t icmp_code = 1; if (set_icmp_code && in_ip->ip_proto == IPPROTO_UDP) { @@ -1559,8 +1560,12 @@ pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, nh->ip6_vfc = 0x60; nh->ip6_nxt = IPPROTO_ICMPV6; nh->ip6_plen = htons(ICMP6_DATA_HEADER_LEN); - packet_set_ipv6(&packet, &ip_flow->ipv6_src, &ip_flow->ipv6_dst, - ip_flow->nw_tos, ip_flow->ipv6_label, 255); + const struct in6_addr *ip6_src = + loopback ? &ip_flow->ipv6_dst : &ip_flow->ipv6_src; + const struct in6_addr *ip6_dst = + loopback ? &ip_flow->ipv6_src : &ip_flow->ipv6_dst; + packet_set_ipv6(&packet, ip6_src, ip6_dst, ip_flow->nw_tos, + ip_flow->ipv6_label, 255); ih = dp_packet_put_zeros(&packet, sizeof *ih); dp_packet_set_l4(&packet, ih); @@ -1617,7 +1622,8 @@ pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, static void pinctrl_handle_tcp_reset(struct rconn *swconn, const struct flow *ip_flow, struct dp_packet *pkt_in, - const struct match *md, struct ofpbuf *userdata) + const struct match *md, struct ofpbuf *userdata, + bool loopback) { /* This action only works for TCP segments, and the switch should only send * us TCP segments this way, but check here just to be sure. */ @@ -1632,14 +1638,23 @@ pinctrl_handle_tcp_reset(struct rconn *swconn, const struct flow *ip_flow, dp_packet_use_stub(&packet, packet_stub, sizeof packet_stub); packet.packet_type = htonl(PT_ETH); + + struct eth_addr eth_src = loopback ? ip_flow->dl_dst : ip_flow->dl_src; + struct eth_addr eth_dst = loopback ? ip_flow->dl_src : ip_flow->dl_dst; + if (get_dl_type(ip_flow) == htons(ETH_TYPE_IPV6)) { - pinctrl_compose_ipv6(&packet, ip_flow->dl_src, ip_flow->dl_dst, - (struct in6_addr *)&ip_flow->ipv6_src, - (struct in6_addr *)&ip_flow->ipv6_dst, + const struct in6_addr *ip6_src = + loopback ? &ip_flow->ipv6_dst : &ip_flow->ipv6_src; + const struct in6_addr *ip6_dst = + loopback ? &ip_flow->ipv6_src : &ip_flow->ipv6_dst; + pinctrl_compose_ipv6(&packet, eth_src, eth_dst, + (struct in6_addr *) ip6_src, + (struct in6_addr *) ip6_dst, IPPROTO_TCP, 63, TCP_HEADER_LEN); } else { - pinctrl_compose_ipv4(&packet, ip_flow->dl_src, ip_flow->dl_dst, - ip_flow->nw_src, ip_flow->nw_dst, + ovs_be32 nw_src = loopback ? ip_flow->nw_dst : ip_flow->nw_src; + ovs_be32 nw_dst = loopback ? ip_flow->nw_src : ip_flow->nw_dst; + pinctrl_compose_ipv4(&packet, eth_src, eth_dst, nw_src, nw_dst, IPPROTO_TCP, 63, TCP_HEADER_LEN); } @@ -1670,6 +1685,18 @@ pinctrl_handle_tcp_reset(struct rconn *swconn, const struct flow *ip_flow, dp_packet_uninit(&packet); } +static void +pinctrl_handle_reject(struct rconn *swconn, const struct flow *ip_flow, + struct dp_packet *pkt_in, + const struct match *md, struct ofpbuf *userdata) +{ + if (ip_flow->nw_proto == IPPROTO_TCP) { + pinctrl_handle_tcp_reset(swconn, ip_flow, pkt_in, md, userdata, true); + } else { + pinctrl_handle_icmp(swconn, ip_flow, pkt_in, md, userdata, true, true); + } +} + static bool is_dhcp_flags_broadcast(ovs_be16 flags) { @@ -2773,18 +2800,23 @@ process_packet_in(struct rconn *swconn, const struct ofp_header *msg) case ACTION_OPCODE_ICMP: pinctrl_handle_icmp(swconn, &headers, &packet, &pin.flow_metadata, - &userdata, true); + &userdata, true, false); break; case ACTION_OPCODE_ICMP4_ERROR: case ACTION_OPCODE_ICMP6_ERROR: pinctrl_handle_icmp(swconn, &headers, &packet, &pin.flow_metadata, - &userdata, false); + &userdata, false, false); break; case ACTION_OPCODE_TCP_RESET: pinctrl_handle_tcp_reset(swconn, &headers, &packet, &pin.flow_metadata, - &userdata); + &userdata, false); + break; + + case ACTION_OPCODE_REJECT: + pinctrl_handle_reject(swconn, &headers, &packet, &pin.flow_metadata, + &userdata); break; case ACTION_OPCODE_PUT_ICMP4_FRAG_MTU: diff --git a/include/ovn/actions.h b/include/ovn/actions.h index 636cb4bc1a..b4e5acabb9 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h @@ -95,7 +95,8 @@ struct ovn_extend_table; OVNACT(HANDLE_SVC_CHECK, ovnact_handle_svc_check) \ OVNACT(FWD_GROUP, ovnact_fwd_group) \ OVNACT(DHCP6_REPLY, ovnact_null) \ - OVNACT(ICMP6_ERROR, ovnact_nest) + OVNACT(ICMP6_ERROR, ovnact_nest) \ + OVNACT(REJECT, ovnact_nest) \ /* enum ovnact_type, with a member OVNACT_ for each action. */ enum OVS_PACKED_ENUM ovnact_type { @@ -605,6 +606,12 @@ enum action_opcode { /* MTU value (to put in the icmp6 header field - frag_mtu) follow the * action header. */ ACTION_OPCODE_PUT_ICMP6_FRAG_MTU, + + /* "reject { ...actions... }". + * + * The actions, in OpenFlow 1.3 format, follow the action_header. + */ + ACTION_OPCODE_REJECT, }; /* Header. */ diff --git a/lib/actions.c b/lib/actions.c index 5fe0a3897e..1e1bdeff24 100644 --- a/lib/actions.c +++ b/lib/actions.c @@ -1386,6 +1386,12 @@ parse_CLONE(struct action_context *ctx) parse_nested_action(ctx, OVNACT_CLONE, NULL, WR_DEFAULT); } +static void +parse_REJECT(struct action_context *ctx) +{ + parse_nested_action(ctx, OVNACT_REJECT, NULL, ctx->scope); +} + static void format_nested_action(const struct ovnact_nest *on, const char *name, struct ds *s) @@ -1479,6 +1485,12 @@ format_TRIGGER_EVENT(const struct ovnact_controller_event *event, ds_put_cstr(s, ");"); } +static void +format_REJECT(const struct ovnact_nest *nest, struct ds *s) +{ + format_nested_action(nest, "reject", s); +} + static void encode_nested_actions(const struct ovnact_nest *on, const struct ovnact_encode_params *ep, @@ -1560,6 +1572,14 @@ encode_TCP_RESET(const struct ovnact_nest *on, encode_nested_actions(on, ep, ACTION_OPCODE_TCP_RESET, ofpacts); } +static void +encode_REJECT(const struct ovnact_nest *on, + const struct ovnact_encode_params *ep, + struct ofpbuf *ofpacts) +{ + encode_nested_actions(on, ep, ACTION_OPCODE_REJECT, ofpacts); +} + static void encode_ND_NA(const struct ovnact_nest *on, const struct ovnact_encode_params *ep, @@ -3567,6 +3587,8 @@ parse_action(struct action_context *ctx) parse_fwd_group_action(ctx); } else if (lexer_match_id(ctx->lexer, "handle_dhcpv6_reply")) { ovnact_put_DHCP6_REPLY(ctx->ovnacts); + } else if (lexer_match_id(ctx->lexer, "reject")) { + parse_REJECT(ctx); } else { lexer_syntax_error(ctx->lexer, "expecting action"); } diff --git a/ovn-sb.xml b/ovn-sb.xml index 59888a1553..182ff0a8a2 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -2191,6 +2191,22 @@ tcp.flags = RST;

Prerequisite: tcp

+
reject { action; ... };
+
+

+ If the original packet is IPv4 or IPv6 TCP packet, it replaces it + with IPv4 or IPv6 TCP RST packet and executes the inner actions. + Otherwise it replaces it with an ICMPv4 or ICMPv6 packet and + executes the inner actions. +

+ +

+ The inner actions should not attempt to swap eth source with eth + destination and IP source with IP destination as this action + implicitly does that. +

+
+
trigger_event;

diff --git a/tests/ovn.at b/tests/ovn.at index 9420b1e618..ad741f4f7c 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -1593,6 +1593,18 @@ tcp_reset { }; encodes as controller(userdata=00.00.00.0b.00.00.00.00) has prereqs tcp +# reject +reject { eth.dst = ff:ff:ff:ff:ff:ff; output; }; output; + encodes as controller(userdata=00.00.00.16.00.00.00.00.00.19.00.10.80.00.06.06.ff.ff.ff.ff.ff.ff.00.00.ff.ff.00.10.00.00.23.20.00.0e.ff.f8.40.00.00.00),resubmit(,64) + +reject { eth.dst <-> eth.src; ip4.src <-> ip4.dst; output; }; + encodes as controller(userdata=00.00.00.16.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1b.00.00.00.00.04.06.00.30.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1b.00.00.00.00.02.06.00.30.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1c.00.00.00.00.04.06.00.30.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1c.00.00.00.00.02.06.00.30.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1b.00.00.00.00.10.04.00.20.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1b.00.00.00.00.0e.04.00.20.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1c.00.00.00.00.10.04.00.20.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1c.00.00.00.00.0e.04.00.20.00.00.00.00.00.00.ff.ff.00.10.00.00.23.20.00.0e.ff.f8.40.00.00.00) + has prereqs eth.type == 0x800 && eth.type == 0x800 + +reject { }; + formats as reject { drop; }; + encodes as controller(userdata=00.00.00.16.00.00.00.00) + # trigger_event trigger_event(event = "empty_lb_backends", vip = "10.0.0.1:80", protocol = "tcp", load_balancer = "12345678-abcd-9876-fedc-11119f8e7d6c"); encodes as controller(userdata=00.00.00.0f.00.00.00.00.00.00.00.00.00.01.00.0b.31.30.2e.30.2e.30.2e.31.3a.38.30.00.02.00.03.74.63.70.00.03.00.24.31.32.33.34.35.36.37.38.2d.61.62.63.64.2d.39.38.37.36.2d.66.65.64.63.2d.31.31.31.31.39.66.38.65.37.64.36.63) diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c index 0920ae1599..89b93774d7 100644 --- a/utilities/ovn-trace.c +++ b/utilities/ovn-trace.c @@ -1638,16 +1638,23 @@ execute_nd_ns(const struct ovnact_nest *on, const struct ovntrace_datapath *dp, static void execute_icmp4(const struct ovnact_nest *on, const struct ovntrace_datapath *dp, - const struct flow *uflow, uint8_t table_id, + const struct flow *uflow, uint8_t table_id, bool lookback, enum ovnact_pipeline pipeline, struct ovs_list *super) { struct flow icmp4_flow = *uflow; /* Update fields for ICMP. */ - icmp4_flow.dl_dst = uflow->dl_dst; - icmp4_flow.dl_src = uflow->dl_src; - icmp4_flow.nw_dst = uflow->nw_dst; - icmp4_flow.nw_src = uflow->nw_src; + if (lookback) { + icmp4_flow.dl_dst = uflow->dl_src; + icmp4_flow.dl_src = uflow->dl_dst; + icmp4_flow.nw_dst = uflow->nw_src; + icmp4_flow.nw_src = uflow->nw_dst; + } else { + icmp4_flow.dl_dst = uflow->dl_dst; + icmp4_flow.dl_src = uflow->dl_src; + icmp4_flow.nw_dst = uflow->nw_dst; + icmp4_flow.nw_src = uflow->nw_src; + } icmp4_flow.nw_proto = IPPROTO_ICMP; icmp4_flow.nw_ttl = 255; icmp4_flow.tp_src = htons(ICMP4_DST_UNREACH); /* icmp type */ @@ -1663,16 +1670,23 @@ execute_icmp4(const struct ovnact_nest *on, static void execute_icmp6(const struct ovnact_nest *on, const struct ovntrace_datapath *dp, - const struct flow *uflow, uint8_t table_id, + const struct flow *uflow, uint8_t table_id, bool loopback, enum ovnact_pipeline pipeline, struct ovs_list *super) { struct flow icmp6_flow = *uflow; /* Update fields for ICMPv6. */ - icmp6_flow.dl_dst = uflow->dl_dst; - icmp6_flow.dl_src = uflow->dl_src; - icmp6_flow.ipv6_dst = uflow->ipv6_dst; - icmp6_flow.ipv6_src = uflow->ipv6_src; + if (loopback) { + icmp6_flow.dl_dst = uflow->dl_src; + icmp6_flow.dl_src = uflow->dl_dst; + icmp6_flow.ipv6_dst = uflow->ipv6_src; + icmp6_flow.ipv6_src = uflow->ipv6_dst; + } else { + icmp6_flow.dl_dst = uflow->dl_dst; + icmp6_flow.dl_src = uflow->dl_src; + icmp6_flow.ipv6_dst = uflow->ipv6_dst; + icmp6_flow.ipv6_src = uflow->ipv6_src; + } icmp6_flow.nw_proto = IPPROTO_ICMPV6; icmp6_flow.nw_ttl = 255; icmp6_flow.tp_src = htons(ICMP6_DST_UNREACH); /* icmp type */ @@ -1689,15 +1703,23 @@ static void execute_tcp_reset(const struct ovnact_nest *on, const struct ovntrace_datapath *dp, const struct flow *uflow, uint8_t table_id, - enum ovnact_pipeline pipeline, struct ovs_list *super) + bool lookback, enum ovnact_pipeline pipeline, + struct ovs_list *super) { struct flow tcp_flow = *uflow; /* Update fields for TCP segment. */ - tcp_flow.dl_dst = uflow->dl_dst; - tcp_flow.dl_src = uflow->dl_src; - tcp_flow.nw_dst = uflow->nw_dst; - tcp_flow.nw_src = uflow->nw_src; + if (lookback) { + tcp_flow.dl_dst = uflow->dl_src; + tcp_flow.dl_src = uflow->dl_dst; + tcp_flow.nw_dst = uflow->nw_src; + tcp_flow.nw_src = uflow->nw_dst; + } else { + tcp_flow.dl_dst = uflow->dl_dst; + tcp_flow.dl_src = uflow->dl_src; + tcp_flow.nw_dst = uflow->nw_dst; + tcp_flow.nw_src = uflow->nw_src; + } tcp_flow.nw_proto = IPPROTO_TCP; tcp_flow.nw_ttl = 255; tcp_flow.tp_src = uflow->tp_src; @@ -1711,6 +1733,23 @@ execute_tcp_reset(const struct ovnact_nest *on, table_id, pipeline, &node->subs); } +static void +execute_reject(const struct ovnact_nest *on, + const struct ovntrace_datapath *dp, + const struct flow *uflow, uint8_t table_id, + enum ovnact_pipeline pipeline, struct ovs_list *super) +{ + if (uflow->nw_proto == IPPROTO_TCP) { + execute_tcp_reset(on, dp, uflow, table_id, true, pipeline, super); + } else { + if (get_dl_type(uflow) == htons(ETH_TYPE_IP)) { + execute_icmp4(on, dp, uflow, table_id, true, pipeline, super); + } else { + execute_icmp6(on, dp, uflow, table_id, true, pipeline, super); + } + } +} + static void execute_get_mac_bind(const struct ovnact_get_mac_bind *bind, const struct ovntrace_datapath *dp, @@ -2315,23 +2354,23 @@ trace_actions(const struct ovnact *ovnacts, size_t ovnacts_len, break; case OVNACT_ICMP4: - execute_icmp4(ovnact_get_ICMP4(a), dp, uflow, table_id, pipeline, - super); + execute_icmp4(ovnact_get_ICMP4(a), dp, uflow, table_id, false, + pipeline, super); break; case OVNACT_ICMP4_ERROR: execute_icmp4(ovnact_get_ICMP4_ERROR(a), dp, uflow, table_id, - pipeline, super); + false, pipeline, super); break; case OVNACT_ICMP6: - execute_icmp6(ovnact_get_ICMP6(a), dp, uflow, table_id, pipeline, - super); + execute_icmp6(ovnact_get_ICMP6(a), dp, uflow, table_id, false, + pipeline, super); break; case OVNACT_ICMP6_ERROR: execute_icmp6(ovnact_get_ICMP6_ERROR(a), dp, uflow, table_id, - pipeline, super); + false, pipeline, super); break; case OVNACT_IGMP: @@ -2340,13 +2379,18 @@ trace_actions(const struct ovnact *ovnacts, size_t ovnacts_len, case OVNACT_TCP_RESET: execute_tcp_reset(ovnact_get_TCP_RESET(a), dp, uflow, table_id, - pipeline, super); + false, pipeline, super); break; case OVNACT_OVNFIELD_LOAD: execute_ovnfield_load(ovnact_get_OVNFIELD_LOAD(a), super); break; + case OVNACT_REJECT: + execute_reject(ovnact_get_REJECT(a), dp, uflow, table_id, + pipeline, super); + break; + case OVNACT_TRIGGER_EVENT: break; From patchwork Mon Oct 19 07:27:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Numan Siddique X-Patchwork-Id: 1384016 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=ovn.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CF7d31tJ9z9sS8 for ; Mon, 19 Oct 2020 18:27:35 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id C5B77872B3; Mon, 19 Oct 2020 07:27:33 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xELUnV1VK+IR; Mon, 19 Oct 2020 07:27:27 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by whitealder.osuosl.org (Postfix) with ESMTP id D02BB87258; Mon, 19 Oct 2020 07:27:27 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id B86FCC0891; Mon, 19 Oct 2020 07:27:27 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id EBDD0C0052 for ; Mon, 19 Oct 2020 07:27:25 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id D976E87247 for ; Mon, 19 Oct 2020 07:27:25 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eUsl6qr0VkyP for ; Mon, 19 Oct 2020 07:27:17 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) by whitealder.osuosl.org (Postfix) with ESMTPS id B57A587254 for ; Mon, 19 Oct 2020 07:27:13 +0000 (UTC) X-Originating-IP: 27.7.102.201 Received: from nusiddiq.home.org.com (unknown [27.7.102.201]) (Authenticated sender: numans@ovn.org) by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id EECDDE000B; Mon, 19 Oct 2020 07:27:10 +0000 (UTC) From: numans@ovn.org To: dev@openvswitch.org Date: Mon, 19 Oct 2020 12:57:06 +0530 Message-Id: <20201019072706.280089-1-numans@ovn.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201019072627.279917-1-numans@ovn.org> References: <20201019072627.279917-1-numans@ovn.org> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn v3 2/3] ovn-northd: Optimize logical flow generation for reject ACLs. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Numan Siddique ovn-northd adds below lflows for a reject ACL with a match - M match = (ip4 && tcp && 'M') action = tcp_reject{} match = (ip6 && tcp && 'M') action = tcp_reject{} match = (ip4 && 'M') action = icmp4{} match = (ip6 && 'M') action = icmp6{} This approach has a couple of problems: - ovn-controller can reject the lflows if there are invalid matches. Eg. If match 'M' is - 'ip4 && udp'. - In a large scale deployment, this could result in lot of invalid logical flows and increase the size of the SB DB. This patch addresses this problem by using newly added reject OVN action. With this patch, there will be just one lflow for each reject ACL. Signed-off-by: Numan Siddique Acked-by: Dumitru Ceara --- northd/ovn-northd.c | 50 +---------- tests/ovn-northd.at | 214 +++++++------------------------------------- tests/system-ovn.at | 46 +++++++++- 3 files changed, 81 insertions(+), 229 deletions(-) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 366fdd95fe..5b76868dfb 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -5424,61 +5424,19 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS_MARK) : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); - /* TCP */ build_acl_log(&actions, acl); if (extra_match->length > 0) { ds_put_format(&match, "(%s) && ", extra_match->string); } - ds_put_format(&match, "ip4 && tcp && (%s)", acl->match); - ds_put_format(&actions, "reg0 = 0; " - "eth.dst <-> eth.src; ip4.dst <-> ip4.src; " - "tcp_reset { outport <-> inport; %s };", next_action); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET + 10, - ds_cstr(&match), ds_cstr(&actions), stage_hint); - ds_clear(&match); - ds_clear(&actions); - build_acl_log(&actions, acl); - if (extra_match->length > 0) { - ds_put_format(&match, "(%s) && ", extra_match->string); - } - ds_put_format(&match, "ip6 && tcp && (%s)", acl->match); - ds_put_format(&actions, "reg0 = 0; " - "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " - "tcp_reset { outport <-> inport; %s };", next_action); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET + 10, - ds_cstr(&match), ds_cstr(&actions), stage_hint); + ds_put_cstr(&match, acl->match); - /* IP traffic */ - ds_clear(&match); - ds_clear(&actions); - build_acl_log(&actions, acl); - if (extra_match->length > 0) { - ds_put_format(&match, "(%s) && ", extra_match->string); - } - ds_put_format(&match, "ip4 && (%s)", acl->match); if (extra_actions->length > 0) { ds_put_format(&actions, "%s ", extra_actions->string); } + ds_put_format(&actions, "reg0 = 0; " - "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; " - "outport <-> inport; %s };", next_action); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(&match), ds_cstr(&actions), stage_hint); - ds_clear(&match); - ds_clear(&actions); - build_acl_log(&actions, acl); - if (extra_match->length > 0) { - ds_put_format(&match, "(%s) && ", extra_match->string); - } - ds_put_format(&match, "ip6 && (%s)", acl->match); - if (extra_actions->length > 0) { - ds_put_format(&actions, "%s ", extra_actions->string); - } - ds_put_format(&actions, "reg0 = 0; icmp6 { " - "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " + "reject { " + "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " "outport <-> inport; %s };", next_action); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index d020d3921a..50457c291a 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -2047,232 +2047,86 @@ ovn-nbctl --wait=hv sync AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl table=7 (ls_in_acl ), priority=2002 , dnl -match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };) - table=7 (ls_in_acl ), priority=2002 , dnl -match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };) - table=7 (ls_in_acl ), priority=2012 , dnl -match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };) - table=7 (ls_in_acl ), priority=2012 , dnl -match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };) +match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) ]) AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl table=7 (ls_in_acl ), priority=2002 , dnl -match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };) - table=7 (ls_in_acl ), priority=2002 , dnl -match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };) - table=7 (ls_in_acl ), priority=2012 , dnl -match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };) - table=7 (ls_in_acl ), priority=2012 , dnl -match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };) +match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) ]) AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2003 , dnl -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2003 , dnl -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) +match=(outport == @pg0 && ip6 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2003 , dnl -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2003 , dnl -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) +match=(outport == @pg0 && ip6 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2002 , dnl -match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2002 , dnl -match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2003 , dnl -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) +match=(outport == @pg0 && ip4 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) table=5 (ls_out_acl ), priority=2003 , dnl -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) +match=(outport == @pg0 && ip6 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2002 , dnl -match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2002 , dnl -match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2003 , dnl -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) +match=(outport == @pg0 && ip4 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) table=5 (ls_out_acl ), priority=2003 , dnl -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) +match=(outport == @pg0 && ip6 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) ovn-nbctl --wait=sb acl-add pg0 to-lport 1001 "outport == @pg0 && ip" allow-related AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2001 , dnl -match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl -action=(reg0[[1]] = 1; next;) +match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) table=5 (ls_out_acl ), priority=2001 , dnl match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) table=5 (ls_out_acl ), priority=2002 , dnl -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) +match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), dnl +action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) table=5 (ls_out_acl ), priority=2002 , dnl -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2002 , dnl -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2002 , dnl -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2003 , dnl -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2003 , dnl -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) +match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) table=5 (ls_out_acl ), priority=2003 , dnl -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) +match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), dnl +action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) table=5 (ls_out_acl ), priority=2003 , dnl -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) +match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl table=5 (ls_out_acl ), priority=2001 , dnl -match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl -action=(reg0[[1]] = 1; next;) +match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) table=5 (ls_out_acl ), priority=2001 , dnl match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) table=5 (ls_out_acl ), priority=2002 , dnl -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) +match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), dnl +action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) table=5 (ls_out_acl ), priority=2002 , dnl -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2002 , dnl -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2002 , dnl -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2003 , dnl -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2003 , dnl -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) +match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) table=5 (ls_out_acl ), priority=2003 , dnl -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) +match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), dnl +action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) table=5 (ls_out_acl ), priority=2003 , dnl -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2012 , dnl -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) - table=5 (ls_out_acl ), priority=2013 , dnl -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) +match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl +action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };) ]) AT_CLEANUP diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 420610f89f..b8e6ea32a8 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -4473,9 +4473,6 @@ ovn-nbctl lsp-add sw0 sw0-p2-rej ovn-nbctl lsp-set-addresses sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4" ovn-nbctl lsp-set-port-security sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4" -#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p1\" && tcp && tcp.dst == 80" reject -#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p2\" && ip6 && tcp && tcp.dst == 80" reject - # Create port group and ACLs for sw0 ports. ovn-nbctl pg-add pg0_drop sw0-p1-rej sw0-p2-rej ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop @@ -4638,6 +4635,49 @@ aef0::3 udp port objcall" | uniq | wc -l) test $c -eq 1 ]) +# Delete all the ACLs of pg0 and add the ACL with a generic match with reject action. +ovn-nbctl pg-del pg0 +ovn-nbctl pg-add pg0 sw0-p1-rej sw0-p2-rej +ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && (tcp || udp)" reject + +OVS_WAIT_UNTIL([ + ip netns exec sw0-p1-rej nc 10.0.0.4 80 2> r + res=$(cat r) + echo "result = $res" + test "$res" = "Ncat: Connection refused." +]) + +OVS_WAIT_UNTIL([ + ip netns exec sw0-p2-rej nc -6 aef0::3 80 2> r + res=$(cat r) + test "$res" = "Ncat: Connection refused." +]) + +rm -f *.pcap + +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej icmp > sw0-p1-rej-icmp.pcap &], [0]) + +printf '.%.0s' {1..100} > foo +OVS_WAIT_UNTIL([ + ip netns exec sw0-p1-rej nc -u 10.0.0.4 90 < foo + c=$(cat sw0-p1-rej-icmp.pcap | grep \ +"10.0.0.4 > 10.0.0.3: ICMP 10.0.0.4 udp port dnsix unreachable" | uniq | wc -l) + test $c -eq 1 +]) + +rm -f *.pcap +# Now test for IPv6 UDP. +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej icmp6 > sw0-p2-rej-icmp6.pcap &], [0]) + +OVS_WAIT_UNTIL([ + ip netns exec sw0-p2-rej nc -u -6 aef0::3 90 < foo + c=$(cat sw0-p2-rej-icmp6.pcap | grep \ +"IP6 aef0::3 > aef0::4: ICMP6, destination unreachable, unreachable port, \ +aef0::3 udp port dnsix" | uniq | wc -l) + test $c -eq 1 +]) + + OVS_APP_EXIT_AND_WAIT([ovn-controller]) as ovn-sb From patchwork Mon Oct 19 07:27:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Numan Siddique X-Patchwork-Id: 1384017 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=hemlock.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=ovn.org Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CF7d35C56z9sT6 for ; Mon, 19 Oct 2020 18:27:35 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 0CD7687640; Mon, 19 Oct 2020 07:27:33 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OtULeK9HY0EI; Mon, 19 Oct 2020 07:27:31 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by hemlock.osuosl.org (Postfix) with ESMTP id 31F1187614; Mon, 19 Oct 2020 07:27:29 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id B8257C1ADC; Mon, 19 Oct 2020 07:27:28 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 362F9C0052 for ; Mon, 19 Oct 2020 07:27:26 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 335BD87247 for ; Mon, 19 Oct 2020 07:27:26 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JC0eq-mKX9nt for ; Mon, 19 Oct 2020 07:27:22 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) by whitealder.osuosl.org (Postfix) with ESMTPS id CA70187274 for ; Mon, 19 Oct 2020 07:27:21 +0000 (UTC) X-Originating-IP: 27.7.102.201 Received: from nusiddiq.home.org.com (unknown [27.7.102.201]) (Authenticated sender: numans@ovn.org) by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 3E0BF60013; Mon, 19 Oct 2020 07:27:16 +0000 (UTC) From: numans@ovn.org To: dev@openvswitch.org Date: Mon, 19 Oct 2020 12:57:12 +0530 Message-Id: <20201019072712.280142-1-numans@ovn.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20201019072627.279917-1-numans@ovn.org> References: <20201019072627.279917-1-numans@ovn.org> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn v3 3/3] ovn-trace: Handle IPv6 packets for tcp_reset action. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Numan Siddique tcp_reset action can be used for both IPv4 and IPv6 TCP packets, but ovn-trace was not handling IPv6. Reported-by: Dumitru Ceara Signed-off-by: Numan Siddique Acked-by: Dumitru Ceara --- utilities/ovn-trace.c | 57 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 52 insertions(+), 5 deletions(-) diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c index 89b93774d7..70d47fd1aa 100644 --- a/utilities/ovn-trace.c +++ b/utilities/ovn-trace.c @@ -1700,11 +1700,11 @@ execute_icmp6(const struct ovnact_nest *on, } static void -execute_tcp_reset(const struct ovnact_nest *on, - const struct ovntrace_datapath *dp, - const struct flow *uflow, uint8_t table_id, - bool lookback, enum ovnact_pipeline pipeline, - struct ovs_list *super) +execute_tcp4_reset(const struct ovnact_nest *on, + const struct ovntrace_datapath *dp, + const struct flow *uflow, uint8_t table_id, + bool lookback, enum ovnact_pipeline pipeline, + struct ovs_list *super) { struct flow tcp_flow = *uflow; @@ -1733,6 +1733,53 @@ execute_tcp_reset(const struct ovnact_nest *on, table_id, pipeline, &node->subs); } +static void +execute_tcp6_reset(const struct ovnact_nest *on, + const struct ovntrace_datapath *dp, + const struct flow *uflow, uint8_t table_id, + bool lookback, enum ovnact_pipeline pipeline, + struct ovs_list *super) +{ + struct flow tcp_flow = *uflow; + + /* Update fields for TCP segment. */ + if (lookback) { + tcp_flow.dl_dst = uflow->dl_src; + tcp_flow.dl_src = uflow->dl_dst; + tcp_flow.ipv6_dst = uflow->ipv6_src; + tcp_flow.ipv6_src = uflow->ipv6_dst; + } else { + tcp_flow.dl_dst = uflow->dl_dst; + tcp_flow.dl_src = uflow->dl_src; + tcp_flow.ipv6_dst = uflow->ipv6_dst; + tcp_flow.ipv6_src = uflow->ipv6_src; + } + tcp_flow.nw_proto = IPPROTO_TCP; + tcp_flow.nw_ttl = 255; + tcp_flow.tp_src = uflow->tp_src; + tcp_flow.tp_dst = uflow->tp_dst; + tcp_flow.tcp_flags = htons(TCP_RST); + + struct ovntrace_node *node = ovntrace_node_append( + super, OVNTRACE_NODE_TRANSFORMATION, "tcp_reset"); + + trace_actions(on->nested, on->nested_len, dp, &tcp_flow, + table_id, pipeline, &node->subs); +} + +static void +execute_tcp_reset(const struct ovnact_nest *on, + const struct ovntrace_datapath *dp, + const struct flow *uflow, uint8_t table_id, + bool lookback, enum ovnact_pipeline pipeline, + struct ovs_list *super) +{ + if (get_dl_type(uflow) == htons(ETH_TYPE_IP)) { + execute_tcp4_reset(on, dp, uflow, table_id, lookback, pipeline, super); + } else { + execute_tcp6_reset(on, dp, uflow, table_id, lookback, pipeline, super); + } +} static void execute_reject(const struct ovnact_nest *on, const struct ovntrace_datapath *dp,