From patchwork Thu Sep 8 14:06:44 2022
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1675647
From: Vladislav Odintsov
To: dev@openvswitch.org
Date: Thu, 8 Sep 2022 17:06:44 +0300
Message-Id: <20220908140644.2647859-1-odivlad@gmail.com>
X-Mailer: git-send-email 2.36.1
Cc: Vladislav Odintsov
Subject: [ovs-dev] [PATCH ovn v2] northd: drop traffic to disabled LSPs in ingress pipeline

Prior to this patch, traffic to LSPs which are disabled with
`ovn-nbctl lsp-set-enabled disabled` was dropped at the end of the
lswitch egress pipeline. This means that traffic is processed in vain:

- traffic which should be dropped first travels from one chassis to
  another (if source/dest LSPs reside on different nodes) and is dropped
  on the destination chassis;
- when such traffic reaches the destination chassis, if stateful
  services are enabled within the logical switch, the traffic is first
  sent to conntrack and is dropped after that.

So it is costly to drop traffic in such a manner, especially in case the
LSP is disabled to prevent a chassis and/or VM attack by any harmful
traffic.

This patch changes the "to-lport" drop behaviour. Now it is dropped in
the lswitch ingress pipeline to avoid sending traffic to a disabled LSP
from one chassis to another. Traffic doesn't reach conntrack in the
destination LSP's zone now as well.

Signed-off-by: Vladislav Odintsov
---
 northd/northd.c         |  18 ++--
 northd/ovn-northd.8.xml |  21 ++---
 tests/ovn-northd.at     | 184 +++++++++++++++++++++++++---------------
 3 files changed, 135 insertions(+), 88 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 4a40ec9b0..1eb190dc1 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -5475,9 +5475,8 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct hmap *lflows, ds_clear(match); ds_put_format(match, "outport == %s", op->json_key); ovn_lflow_add_with_lport_and_hint( - lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150, - ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;", - op->key, &op->nbsp->header_); + lflows, op->od, S_SWITCH_IN_L2_UNKNOWN, 50, ds_cstr(match), + "drop;", op->key, &op->nbsp->header_); return; } @@ -8466,6 +8465,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, * Ethernet address followed by zero or more IPv4 * or IPv6 addresses (or both). */ struct eth_addr mac; + bool lsp_enabled = lsp_is_enabled(op->nbsp); + char *action = lsp_enabled ? "outport = %s; output;" : "drop;"; if (ovs_scan(op->nbsp->addresses[i], ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) { ds_clear(match); @@ -8473,13 +8474,13 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, ETH_ADDR_ARGS(mac)); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, action, op->json_key); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); } else if (!strcmp(op->nbsp->addresses[i], "unknown")) { - if (lsp_is_enabled(op->nbsp)) { + if (lsp_enabled) { ovs_mutex_lock(&mcgroup_mutex); ovn_multicast_add(mcgroups, &mc_unknown, op); ovs_mutex_unlock(&mcgroup_mutex); @@ -8496,7 +8497,7 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, ETH_ADDR_ARGS(mac)); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, action, op->json_key); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), 
@@ -8544,7 +8545,7 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, } ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, action, op->json_key); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), @@ -8567,8 +8568,7 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, nat->logical_port); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", - op->json_key); + ds_put_format(actions, action, op->json_key); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index f4eceb0ec..dae961c87 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -1737,8 +1737,9 @@ output;
  • One priority-50 flow that matches each known Ethernet address against - eth.dst and outputs the packet to the single associated - output port. + eth.dst. Action of this flow outputs the packet to the + single associated output port if it is enabled. drop; + action is applied if LSP is disabled.

    @@ -1814,6 +1815,13 @@ output;

      +
    • +

      + Priority 50 flow with the match outport == P + is added for each disabled Logical Switch Port P. This + flow has action drop;. +

      +
    • If the logical switch has logical ports with 'unknown' addresses set, @@ -1822,7 +1830,7 @@ output;

      • - Priority 50 flow with the match outport == none then + Priority 50 flow with the match outport == "none" then outputs them to the MC_UNKNOWN multicast group, which ovn-northd populates with all enabled logical ports that accept unknown destination packets. As a small optimization, @@ -2011,13 +2019,6 @@ output; the out port security checks.
      • -
      • - For each disabled logical port, a priority 150 flow is added which - matches on all packets and applies the action - REGBIT_PORT_SEC_DROP" = 1; next;" so that the packets are - dropped in the next stage. -
      • -
      • A priority 0 logical flow is added which matches on all the packets and applies the action diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index d5136ac6d..da83bce7c 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -7425,16 +7425,22 @@ check ovn-nbctl --wait=sb ls-add sw0 ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + 
table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 "00:00:00:00:00:01" 
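Review bot: in the tests/ovn-northd.at hunk at @@ -7425, `sed 's/table=../table=??/'` only works because single-digit stage numbers are printed with a trailing space (`table=0 `) while two-digit ones are not (`table=27`), so the two dots happen to consume either form; a pattern that explicitly matches one or more digits plus optional padding would make the intent clear and survive a change in dump-flows alignment. The widened grep (`-e ls_in_l2_lkup -e ls_in_l2_unknown`) is what actually exercises this patch, so a one-line comment above the AT_CHECK saying that the l2_lkup/l2_unknown flows are now part of the disabled-port check would help the next person who touches this test.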
@@ -7444,16 +7450,24 @@ check ovn-nbctl --wait=sb lsp-add sw0 localnetport -- lsp-set-type localnetport ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup 
), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3 1000::3" 
@@ -7462,16 +7476,24 @@ check ovn-nbctl --wait=sb lsp-set-port-security sw0p2 "00:00:00:00:00:02 10.0.0. ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup 
), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) # Disable sw0p1 
@@ -7480,37 +7502,53 @@ check ovn-nbctl --wait=sb set logical_switch_port sw0p1 enabled=false ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(drop;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 ovn-sbctl dump-flows sw0 > 
sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(drop;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 
, match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl set logical_switch_port sw0p1 enabled=true 
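Review bot: the hunk at @@ -7480 verifies generated flows only; the commit message's claim that traffic to a disabled LSP no longer crosses chassis or enters conntrack is not covered by any packet-level test, and the diffstat shows only tests/ovn-northd.at changed. The flow-level expectations themselves are the right ones (with sw0p1 disabled: `eth.dst == 00:00:00:00:00:01` → `drop;` in ls_in_l2_lkup, `outport == "sw0p1"` → `drop;` in ls_in_l2_unknown, and no priority-150 `outport == "sw0p1"` flow left in ls_out_check_port_sec), but consider adding a datapath-level case that sends a unicast frame and a broadcast frame towards a disabled port and checks that neither is delivered, since broadcast traffic takes the `_MC_flood` path that these flows do not touch.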
@@ -7519,20 +7557,28 @@ check ovn-nbctl --wait=sb lsp-set-options localnetport qdisc_queue_id=10 ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + 
table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) AT_CLEANUP
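Review bot: in the northd.c hunk at @@ -5475 (build_lswitch_port_sec_op), removing the egress priority-150 `outport == P` flow leaves the new priority-50 drop in S_SWITCH_IN_L2_UNKNOWN as the only backstop, and that table is reached only by packets that fall through ls_in_l2_lkup with `next;` (the test output shows the priority-0 `outport = get_fdb(eth.dst); next;` flow). Ingress flows that set outport and run `output;` directly, such as the priority-70 `eth.mcast` flow to `_MC_flood` in the same test output, never pass through it, so the change is only safe if a disabled port is never a member of those multicast groups; the documentation hunk states this for MC_UNKNOWN but says nothing about the flood groups. Please spell that invariant out in the commit message or a code comment, and since this function still carries a port-security name while now installing an L2-lookup-stage flow, a short comment at the `S_SWITCH_IN_L2_UNKNOWN` call explaining why the drop lives there would help.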
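Review bot: in the northd.c hunk at @@ -8466, `char *action = lsp_enabled ? "outport = %s; output;" : "drop;";` should be `const char *`, since it points at string literals. Passing it through `ds_put_format(actions, action, op->json_key)` also turns the format into a non-literal, and in the disabled case the `op->json_key` argument is silently ignored by `"drop;"`; builds with format-string diagnostics enabled will flag this. A small helper that does `ds_put_format(actions, "outport = %s; output;", op->json_key)` when enabled and `ds_put_cstr(actions, "drop;")` otherwise keeps both formats literal and removes the repeated `action` substitution at the four call sites in this function.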
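Review bot: in the ovn-northd.8.xml hunk at @@ -1737, the new sentences read awkwardly ("Action of this flow outputs the packet ... drop; action is applied if LSP is disabled."); suggest: "The action of this flow outputs the packet to the single associated output port if that port is enabled; if the port is disabled, the action is drop;."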
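Review bot: in the ovn-northd.8.xml hunk at @@ -1814, the new bullet says what the priority-50 `outport == P` flow matches but not why it exists; since ls_in_l2_lkup already drops known-MAC traffic to a disabled port, this flow only catches packets whose outport was set by the priority-0 `outport = get_fdb(eth.dst); next;` flow (visible in the test output). Say so, e.g. "... so that packets whose output port was learned from the FDB are dropped before leaving the ingress pipeline."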
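Review bot: the `outport == none` to `outport == "none"` quoting fix in the ovn-northd.8.xml hunk at @@ -1822 is a documentation correction unrelated to the disabled-port change; either mention it in the commit message or move it to a separate patch so the history stays bisectable.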