From patchwork Thu Aug 1 09:53:10 2024
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1967572
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Thu, 1 Aug 2024 11:53:10 +0200
Message-ID: <20240801095319.467255-2-dceara@redhat.com>
In-Reply-To: <20240801095319.467255-1-dceara@redhat.com>
References: <20240801095319.467255-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 1/9] northd: Fix up logical flow documentation for QoS.

When the QoS stages were merged, the documentation wasn't updated properly. Also fix up some small style issues in the northd code itself.

Fixes: 5dd573757699 ("Merge QoS logical pipelines.")
Acked-by: Ales Musil
Acked-by: Numan Siddique
Signed-off-by: Dumitru Ceara
---
V5:
- Added acks from Ales and Numan
---
northd/northd.c | 11 +++-- northd/ovn-northd.8.xml | 92 +++++++++++++---------------------------- 2 files changed, 34 insertions(+), 69 deletions(-)
diff --git a/northd/northd.c b/northd/northd.c index a8a0b6f94c..fbfd5a7f35 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -7137,7 +7137,6 @@ build_qos(struct ovn_datapath *od, struct lflow_table *lflows, } } if (rate) { - stage = ingress ? S_SWITCH_IN_QOS : S_SWITCH_OUT_QOS; if (burst) { ds_put_format(&action, "set_meter(%"PRId64", %"PRId64"); ", @@ -7164,11 +7163,11 @@ build_qos(struct ovn_datapath *od, struct lflow_table *lflows, qos->value_action[j]); } } - ds_put_cstr(&action, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - qos->priority, - qos->match, ds_cstr(&action), - &qos->header_, lflow_ref); + ds_put_cstr(&action, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, + qos->priority, + qos->match, ds_cstr(&action), + &qos->header_, lflow_ref); } ds_destroy(&action); }
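Review bot: the first northd.c hunk deletes `stage = ingress ? S_SWITCH_IN_QOS : S_SWITCH_OUT_QOS;` from inside `if (rate)`, but `ovn_lflow_add_with_hint(lflows, od, stage, ...)` in the second hunk sits after the closing braces of the action loop, outside the rate branch, so it is reached for DSCP/packet-marking rules with no bandwidth as well; the assignment that now covers both paths is not in the shown context, so please confirm `stage` is set unconditionally earlier in build_qos() and that the removed line was only a redundant re-assignment. The second hunk is a whitespace-only re-indentation (the `-` and `+` lines are identical apart from indentation), which matches the "small style issues" wording in the commit message.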
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index b06b09ac5f..ba85e4bfd7 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -907,48 +907,21 @@ -

Ingress Table 10: from-lport QoS Marking

+

Ingress Table 10: from-lport QoS

Logical flows in this table closely reproduce those in the - QoS table with the action column set in - the OVN_Northbound database for the + QoS table with the action or + bandwidth column set in the + OVN_Northbound database for the from-lport direction.

  • - For every qos_rules entry in a logical switch with DSCP marking - enabled, a flow will be added at the priority mentioned in the - QoS table. -
  • - -
  • - For every qos_rules entry in a logical switch with packet marking - enabled, a flow will be added at the priority mentioned in the - QoS table. -
  • - -
  • - One priority-0 fallback flow that matches all packets and advances to - the next table. -
  • -
- -

Ingress Table 11: from-lport QoS Meter

- -

- Logical flows in this table closely reproduce those in the - QoS table with the bandwidth column set - in the OVN_Northbound database for the - from-lport direction. -

- -
    -
  • - For every qos_rules entry in a logical switch with metering - enabled, a flow will be added at the priority mentioned in the - QoS table. + For every qos_rules entry in a logical switch with DSCP marking, + packet marking or metering enabled a flow will be added at the priority + mentioned in the QoS table.
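Review bot: the merged bullet `For every qos_rules entry in a logical switch with DSCP marking, packet marking or metering enabled a flow will be added at the priority mentioned in the QoS table.` needs a comma after `enabled` (`... or metering enabled, a flow will be added ...`), since it is now the only description of what this table produces. This hunk also deletes the `One priority-0 fallback flow that matches all packets and advances to the next table.` bullet of the old QoS Marking section, and the trailing context does not show the remainder of the merged list; please confirm the merged from-lport QoS section still lists that priority-0 fallback flow exactly once. Finally, because this hunk removes the separate `Ingress Table 11: from-lport QoS Meter` section, every later ingress table number shifts down by one in the following hunks; any prose elsewhere in ovn-northd.8.xml that refers to a table by number rather than by name would now be stale and is worth a grep before merging.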
  • @@ -957,7 +930,7 @@
-

Ingress Table 12: Load balancing affinity check

+

Ingress Table 11: Load balancing affinity check

Load balancing affinity check table contains the following @@ -985,7 +958,7 @@ -

Ingress Table 13: LB

+

Ingress Table 12: LB

  • @@ -1065,7 +1038,7 @@
-

Ingress Table 14: Load balancing affinity learn

+

Ingress Table 13: Load balancing affinity learn

Load balancing affinity learn table contains the following @@ -1096,7 +1069,7 @@ -

Ingress Table 15: Pre-Hairpin

+

Ingress Table 14: Pre-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1114,7 +1087,7 @@
-

Ingress Table 16: Nat-Hairpin

+

Ingress Table 15: Nat-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1149,7 +1122,7 @@
-

Ingress Table 17: Hairpin

+

Ingress Table 16: Hairpin

  • @@ -1187,7 +1160,7 @@

-

Ingress table 18: from-lport ACL evaluation after LB

+

Ingress table 17: from-lport ACL evaluation after LB

Logical flows in this table closely reproduce those in the @@ -1272,7 +1245,7 @@ -

Ingress Table 19: from-lport ACL action after LB

+

Ingress Table 18: from-lport ACL action after LB

Logical flows in this table decide how to proceed based on the values of @@ -1312,7 +1285,7 @@ -

Ingress Table 20: Stateful

+

Ingress Table 19: Stateful

  • @@ -1335,7 +1308,7 @@
-

Ingress Table 21: ARP/ND responder

+

Ingress Table 20: ARP/ND responder

This table implements ARP/ND responder in a logical switch for known @@ -1670,7 +1643,7 @@ output; -

Ingress Table 22: DHCP option processing

+

Ingress Table 21: DHCP option processing

This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1731,7 +1704,7 @@ next; -

Ingress Table 23: DHCP responses

+

Ingress Table 22: DHCP responses

This table implements DHCP responder for the DHCP replies generated by @@ -1812,7 +1785,7 @@ output; -

Ingress Table 24 DNS Lookup

+

Ingress Table 23 DNS Lookup

This table looks up and resolves the DNS names to the corresponding @@ -1841,7 +1814,7 @@ reg0[4] = dns_lookup(); next; -

Ingress Table 25 DNS Responses

+

Ingress Table 24 DNS Responses

This table implements DNS responder for the DNS replies generated by @@ -1876,7 +1849,7 @@ output; -

Ingress table 26 External ports

+

Ingress table 25 External ports

Traffic from the external logical ports enter the ingress @@ -1919,7 +1892,7 @@ output; -

Ingress Table 27 Destination Lookup

+

Ingress Table 26 Destination Lookup

This table implements switching behavior. It contains these logical @@ -2117,7 +2090,7 @@ output; -

Ingress Table 28 Destination unknown

+

Ingress Table 27 Destination unknown

This table handles the packets whose destination was not found or @@ -2330,28 +2303,21 @@ output; This is similar to ingress table ACL action.

-

Egress Table 6: to-lport QoS Marking

- -

- This is similar to ingress table QoS marking except - they apply to to-lport QoS rules. -

- -

Egress Table 7: to-lport QoS Meter

+

Egress Table 6: to-lport QoS

- This is similar to ingress table QoS meter except + This is similar to ingress table QoS except they apply to to-lport QoS rules.

-

Egress Table 8: Stateful

+

Egress Table 7: Stateful

This is similar to ingress table Stateful except that there are no rules added for load balancing new connections.

-

Egress Table 9: Egress Port Security - check

+

Egress Table 8: Egress Port Security - check

This is similar to the port security logic in table @@ -2380,7 +2346,7 @@ output; -

Egress Table 10: Egress Port Security - Apply

+

Egress Table 9: Egress Port Security - Apply

This is similar to the ingress port security logic in ingress table

From patchwork Thu Aug 1 09:53:11 2024
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1967573
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Thu, 1 Aug 2024 11:53:11 +0200
Message-ID: <20240801095319.467255-3-dceara@redhat.com>
In-Reply-To: <20240801095319.467255-1-dceara@redhat.com>
References: <20240801095319.467255-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 2/9] northd: Commit from-lport ACL label (and state) when LBs are used.

Quoting the ACL label section in the ovn.nb.5 man page:

  Associates an identifier with the ACL. The same value will be written to corresponding connection tracker entry. The value should be a valid 32-bit unsigned integer. This value can help in debugging from connection tracker side. For example, through this "label" we can backtrack to the ACL rule which is causing a "leaked" connection. Connection tracker entries are created only for allowed connections so the label is valid only for allow and allow-related actions.

The above states that the ACL label must always be stored in the connection tracker entry label for allow-related ACLs (regardless of the direction of the ACL). However, since 74d82e296f80 ("northd: Support the option to apply from-lport ACLs after load balancer."), the connection is not re-committed in the ls_in_stateful stage (because it already was committed as part of the load balancer DNAT).

Moreover, by not re-committing the connection after LB we also risk not re-setting any potential ct_mark.blocked value the connection might have.

This patch addresses the issue by always committing packets matched by allow-related (or stateful in general) ACLs even if they were also committed as part of the load balancing stage.
There's potentially a slight overhead when doing this (an additional commit call into conntrack but _no_ recirculation). This is however acceptable as it is required for a correct packet processing pipeline implementation. Even without this fix, packets creating new connections that hit "--apply-after-lb" ACLs trigger a re-commit (for storing the label and ct_mark.blocked). A new test is added to ensure we don't break this functionality in the future. CC: Numan Siddique Fixes: 74d82e296f80 ("northd: Support the option to apply from-lport ACLs after load balancer.") Acked-by: Mark Michelson Acked-by: Numan Siddique Signed-off-by: Dumitru Ceara --- V4: - Addressed Mark's comment: - fixed up build_lb_affinity_ls_flows() comment - Added Mark's and Numan's acks. --- northd/northd.c | 14 ++---- tests/ovn-northd.at | 110 +++++++++++++++++++++++++++++++------------- tests/ovn.at | 4 +- 3 files changed, 84 insertions(+), 44 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index fbfd5a7f35..8b4ef1403a 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -7437,14 +7437,12 @@ build_lb_affinity_lr_flows(struct lflow_table *lflows, * table=ls_in_lb, priority=150 * match=(REGBIT_KNOWN_LB_SESSION == 1 && ct.new && ip4.dst == V * && REG_LB_AFF_BACKEND_IP4 == B1 && REG_LB_AFF_MATCH_PORT == BP1) - * action=(REGBIT_CONNTRACK_COMMIT = 0; - * REG_ORIG_DIP_IPV4 = V; REG_ORIG_TP_DPORT = VP; + * action=(REG_ORIG_DIP_IPV4 = V; REG_ORIG_TP_DPORT = VP; * ct_lb_mark(backends=B1:BP1);) * table=ls_in_lb, priority=150 * match=(REGBIT_KNOWN_LB_SESSION == 1 && ct.new && ip4.dst == V * && REG_LB_AFF_BACKEND_IP4 == B2 && REG_LB_AFF_MATCH_PORT == BP2) - * action=(REGBIT_CONNTRACK_COMMIT = 0; - * REG_ORIG_DIP_IPV4 = V; + * action=(REG_ORIG_DIP_IPV4 = V; * REG_ORIG_TP_DPORT = VP; * ct_lb_mark(backends=B1:BP2);) * 
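Review bot: in the @@ -7437 comment hunk, the second flow example still reads `ct_lb_mark(backends=B1:BP2);)` although its match is `REG_LB_AFF_BACKEND_IP4 == B2 && REG_LB_AFF_MATCH_PORT == BP2`; that looks like a pre-existing copy-paste slip that should say `B2:BP2`, and since this hunk already rewrites the adjacent `action=(...)` lines it is the natural place to fix it. Dropping `REGBIT_CONNTRACK_COMMIT = 0;` from both documented actions is consistent with the ds_put_format change in build_lb_affinity_ls_flows() below.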
@@ -7514,8 +7512,7 @@ build_lb_affinity_ls_flows(struct lflow_table *lflows, ipv6 ? REG_LB_L2_AFF_BACKEND_IP6 : REG_LB_AFF_BACKEND_IP4; /* Prepare common part of affinity LB and affinity learn action. */ - ds_put_format(&aff_action, REGBIT_CONNTRACK_COMMIT" = 0; %s = %s; ", - reg_vip, lb_vip->vip_str); + ds_put_format(&aff_action, "%s = %s; ", reg_vip, lb_vip->vip_str); ds_put_cstr(&aff_action_learn, "commit_lb_aff(vip = \""); if (lb_vip->port_str) { @@ -7655,11 +7652,6 @@ build_lb_rules(struct lflow_table *lflows, struct ovn_lb_datapaths *lb_dps, ds_clear(action); ds_clear(match); - /* Make sure that we clear the REGBIT_CONNTRACK_COMMIT flag. Otherwise - * the load balanced packet will be committed again in - * S_SWITCH_IN_STATEFUL. */ - ds_put_format(action, REGBIT_CONNTRACK_COMMIT" = 0; "); - /* New connections in Ingress table. */ const char *meter = NULL; bool reject = build_lb_vip_actions(lb, lb_vip, lb_vip_nb, action, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 199197f09d..27e8ec3388 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -1413,7 +1413,7 @@ check ovn-nbctl --wait=sb ls-lb-add sw0 lb1 AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) # disabled LSPs should not be a backend of Load Balancer 
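Review bot: the deleted comment in build_lb_rules() (`Make sure that we clear the REGBIT_CONNTRACK_COMMIT flag. Otherwise the load balanced packet will be committed again in S_SWITCH_IN_STATEFUL.`) was the only in-code record of why the bit used to be cleared; now that the second commit in ls_in_stateful is intentional (to store the ACL label and reset ct_mark.blocked, per the commit message), please replace it with a short comment saying that LB-matched packets deliberately keep REGBIT_CONNTRACK_COMMIT set, otherwise a later reader may reintroduce the clear as an "optimisation" and silently regress the label. The same applies to the one-line change in build_lb_affinity_ls_flows(). The @@ -1413 test hunk dropping `reg0[[1]] = 0;` from the ls_in_lb action is the expected counterpart of the code change.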
@@ -1422,7 +1422,7 @@ check ovn-nbctl lsp-set-enabled sw0-p1 disabled AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=20.0.0.3:80);) ]) wait_row_count Service_Monitor 1 @@ -1431,7 +1431,7 @@ check ovn-nbctl lsp-set-enabled sw0-p1 enabled AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) wait_row_count Service_Monitor 2 @@ -1442,7 +1442,7 @@ wait_row_count Service_Monitor 0 AT_CAPTURE_FILE([sbflows2]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows2 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Create the Load_Balancer_Health_Check again.]) 
@@ -1454,7 +1454,7 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows sw0 | grep backends | grep priority=120 > lflows.txt AT_CHECK([cat lflows.txt | ovn_strip_lflows], [0], [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Get the uuid of both the service_monitor]) @@ -1464,7 +1464,7 @@ sm_sw1_p1=$(fetch_column Service_Monitor _uuid logical_port=sw1-p1) AT_CAPTURE_FILE([sbflows3]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows 3 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw1-p1 to offline]) @@ -1475,7 +1475,7 @@ check ovn-nbctl --wait=sb sync AT_CAPTURE_FILE([sbflows4]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows4 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw0-p1 to offline]) 
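Review bot: in the @@ -1464 hunk the unchanged context line `ovn-sbctl dump-flows sw0 | tee sbflows 3 | grep 'priority=120.*backends'` has a stray space, so tee writes to files named `sbflows` and `3` while the preceding `AT_CAPTURE_FILE([sbflows3])` expects `sbflows3`; the flow check itself still works, but the capture file is empty on failure. This is pre-existing and outside the scope of this patch, so a separate one-character follow-up is appropriate.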
@@ -1504,7 +1504,7 @@ check ovn-nbctl --wait=sb sync AT_CAPTURE_FILE([sbflows7]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows7 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw1-p1 to error]) @@ -1515,7 +1515,7 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \ | grep priority=120 > lflows.txt AT_CHECK([cat lflows.txt | grep ls_in_lb | ovn_strip_lflows], [0], [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) ]) AS_BOX([Add one more vip to lb1]) @@ -1541,8 +1541,8 @@ AT_CAPTURE_FILE([sbflows9]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows9 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000);) ]) AS_BOX([Set the service monitor for sw1-p1 to online]) 
@@ -1555,8 +1555,8 @@ AT_CAPTURE_FILE([sbflows10]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows10 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) ]) AS_BOX([Associate lb1 to sw1]) @@ -1565,8 +1565,8 @@ AT_CAPTURE_FILE([sbflows11]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw1 | tee sbflows11 | grep backends | grep priority=120 | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) ]) AS_BOX([Now create lb2 same as lb1 but udp protocol.]) 
@@ -4602,8 +4602,8 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.4:8080);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.40:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl 
@@ -4805,6 +4805,51 @@ AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ovn -- ACL label commit - load balancers]) +ovn_start + +dnl One logical switch, two ports, one load balancer and ACLs with label set. +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 "00:00:00:00:00:01" \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 "00:00:00:00:00:02" \ + -- lb-add lb-test 42.42.42.42:4242 43.43.43.43:4343 udp \ + -- ls-lb-add ls lb-test + +check ovn-nbctl --wait=sb sync + +flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.42 && ip.ttl==64 && udp.dst == 4242" + +AS_BOX([from-lport allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; +]) + +AS_BOX([from-lport --apply-after-lb allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add ls from-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; +]) + +AS_BOX([to-lport allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; 
ct_label.label = reg3; }; +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV_PARALLELIZATION([ AT_SETUP([ovn -- ct.inv usage]) ovn_start @@ -7629,7 +7674,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl @@ -7684,7 +7729,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl @@ -7739,7 +7784,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl 
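Review bot: in the new `ovn -- ACL label commit - load balancers` test (hunk @@ -4805), the `dnl` comment before the to-lport case still reads "Check that the label is committed to conntrack in the ingress pipeline" while the check greps `ls_out_stateful`; it was copied from the two from-lport cases and should say "egress pipeline". While there, the three `AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_..._stateful -A 2 | grep commit], ...)` calls differ only in the stage name and the expected `ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; };` line, so a small shell function taking the stage name would keep the three cases from drifting apart. The remaining hunks on this line (@@ -7629, -7684, -7739) are expectation updates only.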
@@ -9063,13 +9108,13 @@ AT_CAPTURE_FILE([S1flows]) AT_CHECK([grep "ls_in_lb " S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(ct_lb_mark(backends=10.0.0.2:8080);) ]) AT_CHECK([grep "ls_in_lb " S1flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(ct_lb_mark(backends=10.0.0.2:8080);) ]) ovn-sbctl get datapath S0 _uuid > dp_uuids 
@@ -9199,9 +9244,9 @@ AT_CHECK([grep "ls_in_lb_aff_check" S0flows | ovn_strip_lflows], [0], [dnl ]) AT_CHECK([grep "ls_in_lb " S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) - table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) ]) AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) 
@@ -10286,14 +10331,17 @@ dnl It should not commit anything in the egress pipeline of S1 or in the dnl ingress pipeline of S2. flow="inport == \"vm1\" && eth.src == 00:de:ad:01:00:01 && eth.dst == 00:de:ad:fe:00:01 && ip4.src == 173.0.1.2 && ip4.dst == 30.0.0.1 && ip.ttl==64" -dnl Check that we only commit once for ACLs, in the egress ACL pipeline -dnl (in S2, towards vm2). The original problem this test is trying to -dnl cover was that ct_state wasn't cleared when traversing from s1 -> r1 -dnl which caused two additional commits to happen: +dnl Check that we only commit twice for ACLs: +dnl - in the ingress ACL pipeline (in s1, from vm1) +dnl - in the egress ACL pipeline (in S2, towards vm2) +dnl The original problem this test is trying to cover was that ct_state +dnl wasn't cleared when traversing from s1 -> r1 which caused two additional +dnl commits to happen: dnl - in the egress pipeline of S1, when sending the packet out on s1_r1 dnl - in the ingress pipeline of S2, when processing the packet on s2_r1 AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new s1 "$flow" | grep -e ls_in_stateful -e ls_out_stateful -A 2 | grep commit], [0], [dnl ct_commit { ct_mark.blocked = 0; }; + ct_commit { ct_mark.blocked = 0; }; ]) AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index b31afbfb37..cee361188a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
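Review bot: in hunk @@ -10286 the expectation now asserts two identical `ct_commit { ct_mark.blocked = 0; };` lines, but the pipeline `| grep -e ls_in_stateful -e ls_out_stateful -A 2 | grep commit` discards the stage names before comparing, so the test can no longer tell the intended pair (ingress of s1, egress of S2) from any other two commits, including the S1-egress/S2-ingress pair the comment describes as the original bug if it came back together with one of the intended commits going missing. Keep the stage identifier in the compared output (for example match on the `ls_in_stateful`/`ls_out_stateful` line as well, with a `sed` to strip the varying uuid and line-number parts, or run one trace check per datapath) so each expected commit is tied to its pipeline. Minor: the rewritten comment uses both `s1` and `S1` for the same switch; pick one spelling.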
@@ -25509,7 +25509,7 @@ OVS_WAIT_FOR_OUTPUT( ovn-sbctl dump-flows sw0 | grep ct_lb_mark | grep priority=120 | sed 's/table=..//'], 0, [dnl (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;) - (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) + (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) ]) AT_CAPTURE_FILE([sbflows2]) 
@@ -25708,7 +25708,7 @@ OVS_WAIT_FOR_OUTPUT( ovn-sbctl dump-flows sw0 | grep ct_lb_mark | grep priority=120 | sed 's/table=..//'], 0, [dnl (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6.dst == 2001::a && tcp.dst == 80), action=(xxreg1 = 2001::a; reg2[[0..15]] = 80; ct_lb_mark;) - (ls_in_lb ), priority=120 , match=(ct.new && ip6.dst == 2001::a && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=[[2001::3]]:80,[[2002::3]]:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) + (ls_in_lb ), priority=120 , match=(ct.new && ip6.dst == 2001::a && tcp.dst == 80), action=(ct_lb_mark(backends=[[2001::3]]:80,[[2002::3]]:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) ]) AT_CAPTURE_FILE([sbflows2])

From patchwork Thu Aug 1 09:53:12 2024
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Date: Thu, 1 Aug 2024 11:53:12 +0200
Message-ID: <20240801095319.467255-4-dceara@redhat.com>
In-Reply-To: <20240801095319.467255-1-dceara@redhat.com>
References: <20240801095319.467255-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 3/9] northd: Add Sampling_App table.
Cc: i.maximets@ovn.org

This will represent a unified place to store IPFIX observation domain ID
configurations for sampling applications (currently only drop sampling is
supported as application but following commits will add more).

Acked-by: Numan Siddique
Signed-off-by: Dumitru Ceara
---
V5:
- Addressed Ilya's and Numan's comments:
  - changed sampling_app 'name' column to 'type'
  - removed IPFIX reference from documentation
- Added Numan's ack (I removed the one from Mark because quite a few
  changes were introduced by the rename).
V4:
- Addressed Ales' comments:
  - fix up indentation
  - bump NB schema version
- Added Mark's ack.
---
 northd/automake.mk       |   2 +
 northd/en-lflow.c        |   5 ++
 northd/en-sampling-app.c | 117 +++++++++++++++++++++++++++++++++++++++
 northd/en-sampling-app.h |  51 +++++++++++++++++
 northd/inc-proc-northd.c |  10 +++-
 northd/northd.h          |   1 +
 ovn-nb.ovsschema         |  20 ++++++-
 ovn-nb.xml               |  16 ++++++
 tests/ovn-northd.at      |  17 ++++++
 9 files changed, 235 insertions(+), 4 deletions(-)
 create mode 100644 northd/en-sampling-app.c
 create mode 100644 northd/en-sampling-app.h

diff --git a/northd/automake.mk b/northd/automake.mk index d491973a8b..6566ad2999 100644 --- a/northd/automake.mk +++ b/northd/automake.mk
@@ -32,6 +32,8 @@ northd_ovn_northd_SOURCES = \ northd/en-lr-stateful.h \ northd/en-ls-stateful.c \ northd/en-ls-stateful.h \ + northd/en-sampling-app.c \ + northd/en-sampling-app.h \ northd/inc-proc-northd.c \ northd/inc-proc-northd.h \ northd/ipam.c \ diff --git a/northd/en-lflow.c b/northd/en-lflow.c index c4b927fb8c..eb91f2a651 100644 --- a/northd/en-lflow.c +++ b/northd/en-lflow.c @@ -25,6 +25,7 @@ #include "en-ls-stateful.h" #include "en-northd.h" #include "en-meters.h" +#include "en-sampling-app.h" #include "lflow-mgr.h" #include "lib/inc-proc-eng.h" @@ -86,6 +87,10 @@ lflow_get_input_data(struct engine_node *node, lflow_input->ovn_internal_version_changed = global_config->ovn_internal_version_changed; lflow_input->svc_monitor_mac = global_config->svc_monitor_mac; + + struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + lflow_input->sampling_apps = &sampling_app_data->apps; } void en_lflow_run(struct engine_node *node, void *data) diff --git a/northd/en-sampling-app.c b/northd/en-sampling-app.c new file mode 100644 index 0000000000..e6c816c404 --- /dev/null +++ b/northd/en-sampling-app.c 
@@ -0,0 +1,117 @@ +/* + * Copyright (c) 2024, Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include "openvswitch/vlog.h" + +#include "en-sampling-app.h" + +VLOG_DEFINE_THIS_MODULE(en_sampling_app); + +/* Static function declarations. */ +static void sampling_app_table_add(struct sampling_app_table *, + const struct nbrec_sampling_app *); +static uint8_t sampling_app_table_get_id(const struct sampling_app_table *, + enum sampling_app); +static void sampling_app_table_reset(struct sampling_app_table *); +static enum sampling_app sampling_app_get_by_type(const char *app_type); + +void * +en_sampling_app_init(struct engine_node *node OVS_UNUSED, + struct engine_arg *arg OVS_UNUSED) +{ + struct ed_type_sampling_app_data *data = xzalloc(sizeof *data); + sampling_app_table_reset(&data->apps); + return data; +} + +void +en_sampling_app_cleanup(void *data OVS_UNUSED) +{ +} + +void +en_sampling_app_run(struct engine_node *node, void *data_) +{ + const struct nbrec_sampling_app_table *nb_sampling_app_table = + EN_OVSDB_GET(engine_get_input("NB_sampling_app", node)); + struct ed_type_sampling_app_data *data = data_; + + sampling_app_table_reset(&data->apps); + + const struct nbrec_sampling_app *sa; + NBREC_SAMPLING_APP_TABLE_FOR_EACH (sa, nb_sampling_app_table) { + sampling_app_table_add(&data->apps, sa); + } + + engine_set_node_state(node, EN_UPDATED); +} + +uint8_t +sampling_app_get_id(const struct sampling_app_table *app_table, 
+ enum sampling_app app) +{ + return sampling_app_table_get_id(app_table, app); +} + +/* Static functions. */ +static void +sampling_app_table_add(struct sampling_app_table *table, + const struct nbrec_sampling_app *sa) +{ + enum sampling_app app = sampling_app_get_by_type(sa->type); + + if (app == SAMPLING_APP_MAX) { + static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); + VLOG_WARN_RL(&rl, "Unexpected Sampling_App type: %s", sa->type); + return; + } + table->app_ids[app] = sa->id; +} + +static uint8_t +sampling_app_table_get_id(const struct sampling_app_table *table, + enum sampling_app app) +{ + ovs_assert(app < SAMPLING_APP_MAX); + return table->app_ids[app]; +} + +static void +sampling_app_table_reset(struct sampling_app_table *table) +{ + for (size_t i = 0; i < SAMPLING_APP_MAX; i++) { + table->app_ids[i] = SAMPLING_APP_ID_NONE; + } +} + +static const char *app_types[] = { + [SAMPLING_APP_DROP_DEBUG] = "drop", + [SAMPLING_APP_ACL_NEW] = "acl-new", + [SAMPLING_APP_ACL_EST] = "acl-est", +}; + +static enum sampling_app +sampling_app_get_by_type(const char *app_type) +{ + for (size_t app = 0; app < ARRAY_SIZE(app_types); app++) { + if (!strcmp(app_type, app_types[app])) { + return app; + } + } + return SAMPLING_APP_MAX; +} diff --git a/northd/en-sampling-app.h b/northd/en-sampling-app.h new file mode 100644 index 0000000000..a5b5ae4222 --- /dev/null +++ b/northd/en-sampling-app.h 
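Review bot: in en-sampling-app.c, `static const char *app_types[]` is declared without an explicit size and filled with designated initializers indexed by `enum sampling_app`, while `sampling_app_get_by_type()` loops over `ARRAY_SIZE(app_types)` and calls `strcmp(app_type, app_types[app])` unconditionally; the next enum value added without a matching string (or any gap between designated indices) leaves a NULL slot that `strcmp` dereferences, and an entry added after the current last index silently changes `ARRAY_SIZE`. Declare the table as `static const char *app_types[SAMPLING_APP_MAX] = { ... }`, skip NULL entries in the loop (or add a build-time assertion that every slot is populated), and consider iterating to `SAMPLING_APP_MAX` so the bound is tied to the enum rather than to the initializer. Separately, `table->app_ids[app] = sa->id;` narrows the IDL integer to `uint8_t`; a one-line comment that the schema constrains `id` to 1..255 (minInteger/maxInteger in ovn-nb.ovsschema) would document why the truncation is safe.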
@@ -0,0 +1,51 @@ +/* + * Copyright (c) 2024, Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef EN_SAMPLING_APP_H +#define EN_SAMPLING_APP_H 1 + +/* OVS includes. */ +#include "openvswitch/shash.h" + +/* OVN includes. */ +#include "lib/inc-proc-eng.h" +#include "lib/ovn-nb-idl.h" + +/* Valid sample IDs are in the 1..255 interval. */ +#define SAMPLING_APP_ID_NONE 0 + +/* Supported sampling applications. */ +enum sampling_app { + SAMPLING_APP_DROP_DEBUG, + SAMPLING_APP_ACL_NEW, + SAMPLING_APP_ACL_EST, + SAMPLING_APP_MAX, +}; + +struct sampling_app_table { + uint8_t app_ids[SAMPLING_APP_MAX]; +}; + +struct ed_type_sampling_app_data { + struct sampling_app_table apps; +}; + +void *en_sampling_app_init(struct engine_node *, struct engine_arg *); +void en_sampling_app_cleanup(void *data); +void en_sampling_app_run(struct engine_node *, void *data); +uint8_t sampling_app_get_id(const struct sampling_app_table *, + enum sampling_app); + +#endif /* EN_SAMPLING_APP_H */ diff --git a/northd/inc-proc-northd.c b/northd/inc-proc-northd.c index 522236ad2a..5d89670c29 100644 --- a/northd/inc-proc-northd.c +++ b/northd/inc-proc-northd.c @@ -39,6 +39,7 @@ #include "en-lflow.h" #include "en-northd-output.h" #include "en-meters.h" +#include "en-sampling-app.h" #include "en-sync-sb.h" #include "en-sync-from-sb.h" #include "unixctl.h" 
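Review bot: en-sampling-app.h includes `openvswitch/shash.h` under the "OVS includes" comment, but nothing in the header (or in en-sampling-app.c) uses an shash; drop the include. The header does use `uint8_t` and `size_t`-free fixed-width types without including `<stdint.h>`, relying on `lib/ovn-nb-idl.h` to pull it in; an explicit `#include <stdint.h>` keeps the header self-contained. The "Valid sample IDs are in the 1..255 interval." comment is useful, since `SAMPLING_APP_ID_NONE` being 0 is what `init_debug_config()` later relies on to detect "no override".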
@@ -61,7 +62,8 @@ static unixctl_cb_func chassis_features_list; NB_NODE(meter, "meter") \ NB_NODE(bfd, "bfd") \ NB_NODE(static_mac_binding, "static_mac_binding") \ - NB_NODE(chassis_template_var, "chassis_template_var") + NB_NODE(chassis_template_var, "chassis_template_var") \ + NB_NODE(sampling_app, "sampling_app") enum nb_engine_node { #define NB_NODE(NAME, NAME_STR) NB_##NAME, @@ -138,6 +140,7 @@ enum sb_engine_node { * avoid sparse errors. */ static ENGINE_NODE_WITH_CLEAR_TRACK_DATA(northd, "northd"); static ENGINE_NODE(sync_from_sb, "sync_from_sb"); +static ENGINE_NODE(sampling_app, "sampling_app"); static ENGINE_NODE(lflow, "lflow"); static ENGINE_NODE(mac_binding_aging, "mac_binding_aging"); static ENGINE_NODE(mac_binding_aging_waker, "mac_binding_aging_waker"); @@ -170,6 +173,8 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, engine_add_input(&en_lb_data, &en_nb_logical_router, lb_data_logical_router_handler); + engine_add_input(&en_sampling_app, &en_nb_sampling_app, NULL); + engine_add_input(&en_global_config, &en_nb_nb_global, global_config_nb_global_handler); engine_add_input(&en_global_config, &en_sb_sb_global, @@ -251,6 +256,9 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, engine_add_input(&en_lflow, &en_sb_logical_dp_group, NULL); engine_add_input(&en_lflow, &en_global_config, node_global_config_handler); + + engine_add_input(&en_lflow, &en_sampling_app, NULL); + engine_add_input(&en_lflow, &en_northd, lflow_northd_handler); engine_add_input(&en_lflow, &en_port_group, lflow_port_group_handler); engine_add_input(&en_lflow, &en_lr_stateful, lflow_lr_stateful_handler); diff --git a/northd/northd.h b/northd/northd.h index d4a8d75abc..e50aa6731a 100644 --- a/northd/northd.h +++ b/northd/northd.h @@ -190,6 +190,7 @@ struct lflow_input { const struct hmap *svc_monitor_map; bool ovn_internal_version_changed; const char *svc_monitor_mac; + const struct sampling_app_table *sampling_apps; }; extern int parallelization_state; 
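Review bot: `engine_add_input(&en_lflow, &en_sampling_app, NULL);` in inc-proc-northd.c registers no change handler, so every Sampling_App update forces a full lflow recompute; that matches the new test's `check_engine_stats lflow recompute nocompute` expectation and is reasonable for a table that changes rarely, but please say so in a comment at the call site (or in the commit message) so it is not mistaken for an oversight when the lflow handlers are next reviewed. In northd.h the new `const struct sampling_app_table *sampling_apps;` member relies on the struct tag being declared implicitly at file scope; add a forward declaration `struct sampling_app_table;` near the other forward declarations (or include en-sampling-app.h) so northd.h stays self-contained.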
diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index e3c4aff9df..a6a377f20b 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.4.0", - "cksum": "1908497390 35615", + "version": "7.5.0", + "cksum": "1137408189 36223", "tables": { "NB_Global": { "columns": { @@ -691,6 +691,20 @@ "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}, "indexes": [["chassis"]], - "isRoot": true} + "isRoot": true}, + "Sampling_App": { + "columns": { + "type": {"type": {"key": {"type": "string", + "enum": ["set", ["drop", "acl-new", "acl-est"]]}}}, + "id": {"type": {"key": {"type": "integer", + "minInteger": 1, + "maxInteger": 255}}}, + "external_ids": { + "type": {"key": "string", "value": "string", + "min": 0, "max": "unlimited"}} + }, + "indexes": [["type"]], + "isRoot": true + } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 6376320d31..0cf2478cf3 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -5093,4 +5093,20 @@ or + + + The type of the application to be configured for sampling. Currently + supported options are: "drop", "acl-new", "acl-est". + + + The identifier to be encoded in the samples generated for this type of + application. This identifier is used as part of the sample's + observation domain ID. + + + + See External IDs at the beginning of this document. + + +
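Review bot: the schema hunk adds `"indexes": [["type"]]` to `Sampling_App`, so at most one row per application type can exist and a duplicate insert is rejected by ovsdb, and it bounds `id` with `"minInteger": 1, "maxInteger": 255`; neither constraint is mentioned in the new ovn-nb.xml text. Please state both in the column descriptions ("one record per type"; "valid values are 1 to 255"), since the code treats 0 as "unset" (`SAMPLING_APP_ID_NONE`) and users writing the row with `ovn-nbctl create` will otherwise only discover the limits from a transaction error. Also worth saying in the `id` description which other identifier the 8-bit value is combined with to form the observation domain ID, as "used as part of" leaves that open.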
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 27e8ec3388..66a651e68e 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -12479,6 +12479,23 @@ check_engine_stats lflow recompute nocompute AT_CLEANUP +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([Sampling_App incremental processing]) + +ovn_start + +check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats + +ovn-nbctl create Sampling_App type="acl-new" id="42" +check_row_count nb:Sampling_App 1 +check_engine_stats sampling_app recompute nocompute +check_engine_stats northd norecompute nocompute +check_engine_stats lflow recompute nocompute +CHECK_NO_CHANGE_AFTER_RECOMPUTE + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start
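Review bot: `ovn-nbctl create Sampling_App type="acl-new" id="42"` in the new `Sampling_App incremental processing` test is the only command in the test not wrapped in `check`, and it has no `--wait=sb`; the `check_row_count` and `check_engine_stats` lines that follow can therefore run before ovn-northd has processed the insert, making the test racy, and a failed create would go unnoticed until the stats check fails for an unrelated-looking reason. Suggest `check ovn-nbctl --wait=sb create Sampling_App type="acl-new" id="42"`, matching the `check ovn-nbctl --wait=sb ...` form used elsewhere in tests/ovn-northd.at. It would also be worth adding a second step that updates the row's `id` and checks that `sampling_app` and `lflow` recompute again while `northd` does not, since that is the incremental-processing behaviour the test title promises.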
From patchwork Thu Aug 1 09:53:13 2024
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Date: Thu, 1 Aug 2024 11:53:13 +0200
Message-ID: <20240801095319.467255-5-dceara@redhat.com>
In-Reply-To: <20240801095319.467255-1-dceara@redhat.com>
References: <20240801095319.467255-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 4/9] northd: Override NB_Global drop sampling id with Sampling_App config.
Cc: i.maximets@ovn.org

Acked-by: Mark Michelson
Acked-by: Ales Musil
Signed-off-by: Dumitru Ceara
---
V5:
- Added Ales' ack.
V4:
- Addressed Ales' comments:
  - deprecated old config knob
  - fixed unit test typo
- Added Mark's ack.
---
 NEWS                      |  3 +++
 northd/debug.c            | 12 +++++++-----
 northd/debug.h            |  3 ++-
 northd/en-global-config.c | 31 +++++++++++++++++++++++--------
 northd/inc-proc-northd.c  |  1 +
 ovn-nb.xml                |  5 +++++
 tests/ovn-northd.at       | 27 ++++++++++++++++++++++++++-
 7 files changed, 67 insertions(+), 15 deletions(-)

diff --git a/NEWS b/NEWS index 136f890f52..0c91e9608e 100644 --- a/NEWS +++ b/NEWS @@ -50,6 +50,9 @@ Post v24.03.0 - A new LSP option "disable_garp_rarp" has been added to prevent OVN from sending GARP or RARP announcements when a VIF is created on a bridged logical switch. + - The NB_Global.debug_drop_domain_id configured value is now overridden by + the ID associated with the Sampling_App record created for drop sampling + (Sampling_App.type configured as "drop"). OVN v24.03.0 - 01 Mar 2024 -------------------------- diff --git a/northd/debug.c b/northd/debug.c index 59da5d4f66..457993b7cf 100644 --- a/northd/debug.c +++ b/northd/debug.c
@@ -3,6 +3,7 @@ #include #include "debug.h" +#include "en-sampling-app.h" #include "openvswitch/dynamic-string.h" #include "openvswitch/vlog.h" @@ -26,16 +27,17 @@ debug_enabled(void) } void -init_debug_config(const struct nbrec_nb_global *nb) +init_debug_config(const struct nbrec_nb_global *nb, + uint8_t drop_domain_id_override) { - const struct smap *options = &nb->options; uint32_t collector_set_id = smap_get_uint(options, "debug_drop_collector_set", 0); - uint32_t observation_domain_id = smap_get_uint(options, - "debug_drop_domain_id", - 0); + uint32_t observation_domain_id = + drop_domain_id_override != SAMPLING_APP_ID_NONE + ? drop_domain_id_override + : smap_get_uint(options, "debug_drop_domain_id", 0); if (collector_set_id != config.collector_set_id || observation_domain_id != config.observation_domain_id || diff --git a/northd/debug.h b/northd/debug.h index c1a5e5aadb..a0b535253a 100644 --- a/northd/debug.h +++ b/northd/debug.h @@ -21,7 +21,8 @@ #include "lib/ovn-nb-idl.h" #include "openvswitch/dynamic-string.h" -void init_debug_config(const struct nbrec_nb_global *nb); +void init_debug_config(const struct nbrec_nb_global *nb, + uint8_t drop_domain_id_override); void destroy_debug_config(void); const char *debug_drop_action(void); diff --git a/northd/en-global-config.c b/northd/en-global-config.c index c5e65966b8..d7607aa074 100644 --- a/northd/en-global-config.c +++ b/northd/en-global-config.c @@ -24,6 +24,7 @@ /* OVN includes */ #include "debug.h" #include "en-global-config.h" +#include "en-sampling-app.h" #include "include/ovn/features.h" #include "ipam.h" #include "lib/ovn-nb-idl.h" 
@@ -42,8 +43,10 @@ static bool chassis_features_changed(const struct chassis_features *, static bool config_out_of_sync(const struct smap *config, const struct smap *saved_config, const char *key, bool must_be_present); -static bool check_nb_options_out_of_sync(const struct nbrec_nb_global *, - struct ed_type_global_config *); +static bool check_nb_options_out_of_sync( + const struct nbrec_nb_global *, + struct ed_type_global_config *, + const struct sampling_app_table *); static void update_sb_config_options_to_sbrec(struct ed_type_global_config *, const struct sbrec_sb_global *); @@ -72,6 +75,9 @@ en_global_config_run(struct engine_node *node , void *data) EN_OVSDB_GET(engine_get_input("SB_sb_global", node)); const struct sbrec_chassis_table *sbrec_chassis_table = EN_OVSDB_GET(engine_get_input("SB_chassis", node)); + const struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + const struct sampling_app_table *sampling_apps = &sampling_app_data->apps; struct ed_type_global_config *config_data = data; @@ -145,7 +151,8 @@ en_global_config_run(struct engine_node *node , void *data) build_chassis_features(sbrec_chassis_table, &config_data->features); } - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); const struct sbrec_sb_global *sb = sbrec_sb_global_table_first(sb_global_table); @@ -186,6 +193,9 @@ global_config_nb_global_handler(struct engine_node *node, void *data) EN_OVSDB_GET(engine_get_input("NB_nb_global", node)); const struct sbrec_sb_global_table *sb_global_table = EN_OVSDB_GET(engine_get_input("SB_sb_global", node)); + const struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + const struct sampling_app_table *sampling_apps = &sampling_app_data->apps; const struct nbrec_nb_global *nb = nbrec_nb_global_table_first(nb_global_table); 
@@ -248,7 +258,7 @@ global_config_nb_global_handler(struct engine_node *node, void *data) return false; } - if (check_nb_options_out_of_sync(nb, config_data)) { + if (check_nb_options_out_of_sync(nb, config_data, sampling_apps)) { config_data->tracked_data.nb_options_changed = true; } @@ -461,8 +471,10 @@ config_out_of_sync(const struct smap *config, const struct smap *saved_config, } static bool -check_nb_options_out_of_sync(const struct nbrec_nb_global *nb, - struct ed_type_global_config *config_data) +check_nb_options_out_of_sync( + const struct nbrec_nb_global *nb, + struct ed_type_global_config *config_data, + const struct sampling_app_table *sampling_apps) { if (config_out_of_sync(&nb->options, &config_data->nb_options, "mac_binding_removal_limit", false)) { @@ -496,13 +508,16 @@ check_nb_options_out_of_sync(const struct nbrec_nb_global *nb, if (config_out_of_sync(&nb->options, &config_data->nb_options, "debug_drop_domain_id", false)) { - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); + return true; } if (config_out_of_sync(&nb->options, &config_data->nb_options, "debug_drop_collector_set", false)) { - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); return true; } diff --git a/northd/inc-proc-northd.c b/northd/inc-proc-northd.c index 5d89670c29..95bedc5cd0 100644 --- a/northd/inc-proc-northd.c +++ b/northd/inc-proc-northd.c @@ -181,6 +181,7 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, global_config_sb_global_handler); engine_add_input(&en_global_config, &en_sb_chassis, global_config_sb_chassis_handler); + engine_add_input(&en_global_config, &en_sampling_app, NULL); engine_add_input(&en_northd, &en_nb_mirror, NULL); engine_add_input(&en_northd, &en_nb_static_mac_binding, NULL); diff --git a/ovn-nb.xml b/ovn-nb.xml index 0cf2478cf3..bc44f67642 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml 
@@ -351,6 +351,11 @@ The observation_point_id will be set to the first 32 bits of the logical flow's UUID.

+

+ Note: This key is deprecated in favor of the value configured in the + table for the drop + application. +

diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 66a651e68e..ebf02ef10a 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -12489,13 +12489,38 @@ check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats ovn-nbctl create Sampling_App type="acl-new" id="42" check_row_count nb:Sampling_App 1 check_engine_stats sampling_app recompute nocompute -check_engine_stats northd norecompute nocompute +check_engine_stats northd recompute nocompute check_engine_stats lflow recompute nocompute +check_engine_stats global_config recompute nocompute CHECK_NO_CHANGE_AFTER_RECOMPUTE AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([Sampling_App override debug_drop_domain_id]) + +ovn_start + +check ovn-nbctl -- set NB_Global . options:debug_drop_collector_set="123" \ + -- set NB_Global . options:debug_drop_domain_id="1" \ + -- ls-add ls +check ovn-nbctl --wait=sb sync + +AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflows], [0], [dnl + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(sample(probability=65535,collector_set=123,obs_domain=1,obs_point=$cookie); /* drop */) +]) + +ovn-nbctl --wait=sb create Sampling_App type="drop" id="42" +check_row_count nb:Sampling_App 1 + +AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflows], [0], [dnl + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(sample(probability=65535,collector_set=123,obs_domain=42,obs_point=$cookie); /* drop */) +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start
From patchwork Thu Aug 1 09:53:14 2024 X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1967578
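Review bot: in the northd/debug.c hunk the new ternary in init_debug_config() silently ignores NB_Global options:debug_drop_domain_id whenever a Sampling_App of type "drop" exists (drop_domain_id_override != SAMPLING_APP_ID_NONE); consider a rate-limited VLOG_WARN when the option is also set and differs from the override, so operators can tell which observation domain their drop samples will actually carry. The deprecation note in ovn-nb.xml documents the precedence, but nothing at runtime surfaces the conflict.

Review bot: the `return true;` added after init_debug_config() in the debug_drop_domain_id branch of check_nb_options_out_of_sync() changes control flow (previously the function fell through to the debug_drop_collector_set check) and the commit message does not mention it; one sentence saying it is deliberate, i.e. nb_options_changed should be flagged as soon as either key changes, would separate this fix from the Sampling_App plumbing the patch is about.

Review bot: `engine_add_input(&en_global_config, &en_sampling_app, NULL);` in the northd/inc-proc-northd.c hunk registers no change handler, so every Sampling_App change forces a full global_config recompute and, as the tests/ovn-northd.at hunk now expects (`check_engine_stats northd recompute nocompute` where it previously expected norecompute), a northd recompute as well. Acceptable for a rarely edited table, but a comment on the input line stating that trade-off, or a small handler that only re-runs init_debug_config() when the "drop" app ID changes, would keep the incremental path.

Review bot: the NEWS hunk says the NB_Global.debug_drop_domain_id value is "overridden" while the ovn-nb.xml hunk marks the key as deprecated; align the two so that readers of NEWS also learn the key is on its way out rather than merely lower in precedence.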
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Date: Thu, 1 Aug 2024 11:53:14 +0200
Message-ID: <20240801095319.467255-6-dceara@redhat.com>
In-Reply-To: <20240801095319.467255-1-dceara@redhat.com>
References: <20240801095319.467255-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 5/9] northd: Add ACL Sampling.
Cc: i.maximets@ovn.org
From: Adrian Moreno

Introduce a new table called Sample where per-flow IPFIX configuration can be specified. Also, reference rows from such table from the ACL table to enable the configuration of ACL sampling.

If enabled, northd will add a sample action to each ACL related logical flow. Packets that hit stateful ACLs are sampled in different ways depending on whether they are initiating a new session or are just forwarded on an existing (already allowed) session. Two new columns ("sample_new" and "sample_est") are added to the ACL table to allow for potentially different sampling rates for the two cases.

Note: If an ACL has both sampling enabled and a label associated with it then the label value overrides the observation point ID defined in the sample configuration. This is a side effect of the implementation (observation point IDs are stored in conntrack in the same part of the ct_label where ACL labels are also stored). The two features (sampling and ACL labels) serve, however, similar purposes so it's not expected that they're both enabled together.

When sampling is enabled on an ACL additional logical flows are created for that ACL (one for stateless ACLs and 3 for stateful ACLs) in the ACL action stage of the logical pipeline. These additional flows match on a combination of conntrack state values and observation point id values (either against a logical register or against the stored ct_label state) in order to determine whether the packets hitting the ACLs must be sampled or not. This comes with a slight increase in the number of logical flows and in the number of OpenFlow rules. The number of additional flows _does not_ depend on the original ACL match or action.

New --sample-new and --sample-est optional arguments are added to the 'ovn-nbctl acl-add' command to allow configuring these new types of sampling for ACLs.
An example workflow of configuring ACL samples is:

  # Create Sampling_App mappings for ACL traffic types:
  ovn-nbctl create Sampling_App name="acl-new-traffic-sampling" \
      id="42"
  ovn-nbctl create sampling_app name="acl-est-traffic-sampling" \
      id="43"

  # Create two sample collectors, one that samples all packets (c1)
  # and another one that samples with a probability of 10% (c2):
  c1=$(ovn-nbctl create Sample_Collector name=c1 \
          probability=65535 set_id=1)
  c2=$(ovn-nbctl create Sample_Collector name=c2 \
          probability=6553 set_id=2)

  # Create two sample configurations (for new and for established
  # traffic):
  s1=$(ovn-nbctl create sample collector="$c1 $c2" metadata=4301)
  s2=$(ovn-nbctl create sample collector="$c1 $c2" metadata=4302)

  # Create an ingress ACL to allow IP traffic:
  ovn-nbctl --sample-new=$s1 --sample-est=$s2 acl-add ls \
      from-lport 1 "ip" allow-related

The config above will generate IPFIX samples with:
- 8 MSB of observation domain id set to 42 (Sampling_App "acl-new-traffic-sampling" config) and observation point id set to 4301 (Sample s1) for packets that create a new connection
- 8 MSB of observation domain id set to 43 (Sampling_app "acl-est-traffic-sampling" config) and observation point id set to 4302 (Sample s2) for packets that are part of an already existing connection

Note: in general, all generated IPFIX sample observation domain IDs are built by ovn-controller in the following way: The 8 MSB taken from the sample action's obs_domain_id and the last 24 LSB taken from the Southbound logical datapath tunnel_key (datapath ID).

Reported-at: https://issues.redhat.com/browse/FDP-305
Signed-off-by: Adrian Moreno
Co-authored-by: Ales Musil
Signed-off-by: Ales Musil
Co-authored-by: Dumitru Ceara
Signed-off-by: Dumitru Ceara --- V5: - rebase - address Ilya's comment: - add documentation notes about behavior when mixing ACL labels with ACL sampling. V4: - added explicit sampling stages - reduced set_id max supported value - added support for tiered "pass" ACLs - improved system test + added tiered ACL system test - added Ales as co-author for most of the above - Addressed Mark's comment about better error messages in ovn-nbctl V3: - Addressed Ilya's comment: - Bumped NB schema version. V2: - Addressed Adrian's comments: - fixed up observation domain id comment in commit log. - store the obs_domain_id in the ct_label as an 8 bit value (add a test). - removed redundant check in build_acl_sample_label_action(). - added missing space after ternary ":" operator. - documented limitation for sampling ACLs with action "pass". - documented sample_new behavior for stateless ACLs. - Removed unused OVN_CT_SAMPLE_ID_SET_BIT and OVN_CT_SAMPLE_ID_SET. --- NEWS | 3 + controller/lflow.h | 12 +- lib/logical-fields.c | 4 + lib/ovn-util.h | 2 +- northd/northd.c | 458 +++++++++++++++++++++++-- northd/northd.h | 54 +-- northd/ovn-northd.8.xml | 133 +++++-- ovn-nb.ovsschema | 46 ++- ovn-nb.xml | 75 ++++ tests/atlocal.in | 6 + tests/ovn-controller.at | 168 ++++----- tests/ovn-macros.at | 14 +- tests/ovn-nbctl.at | 20 ++ tests/ovn-northd.at | 308 +++++++++++++++-- tests/ovn.at | 69 ++-- tests/system-common-macros.at | 11 + tests/system-ovn.at | 341 ++++++++++++++++++ utilities/containers/fedora/Dockerfile | 1 + utilities/containers/ubuntu/Dockerfile | 1 + utilities/ovn-nbctl.8.xml | 8 +- utilities/ovn-nbctl.c | 43 ++- 21 files changed, 1538 insertions(+), 239 deletions(-) diff --git a/NEWS b/NEWS index 0c91e9608e..676c49e3fa 100644 --- a/NEWS +++ b/NEWS 
@@ -53,6 +53,9 @@ Post v24.03.0 - The NB_Global.debug_drop_domain_id configured value is now overridden by the ID associated with the Sampling_App record created for drop sampling (Sampling_App.type configured as "drop"). + - Add support for ACL sampling through the new Sample_Collector and Sample + tables. Sampling is supported for both traffic that creates new + connections and for traffic that is part of an existing connection. OVN v24.03.0 - 01 Mar 2024 -------------------------- diff --git a/controller/lflow.h b/controller/lflow.h index c8a2a3f494..e95a016501 100644 --- a/controller/lflow.h +++ b/controller/lflow.h @@ -67,17 +67,17 @@ struct uuid; /* Start of LOG_PIPELINE_LEN tables. */ #define OFTABLE_LOG_INGRESS_PIPELINE 8 -#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 37 -#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 38 -#define OFTABLE_REMOTE_OUTPUT 39 -#define OFTABLE_LOCAL_OUTPUT 40 -#define OFTABLE_CHECK_LOOPBACK 41 +#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 40 +#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 41 +#define OFTABLE_REMOTE_OUTPUT 42 +#define OFTABLE_LOCAL_OUTPUT 43 +#define OFTABLE_CHECK_LOOPBACK 44 /* Start of the OUTPUT section of the pipeline. */ #define OFTABLE_OUTPUT_INIT OFTABLE_OUTPUT_LARGE_PKT_DETECT /* Start of LOG_PIPELINE_LEN tables. */ -#define OFTABLE_LOG_EGRESS_PIPELINE 42 +#define OFTABLE_LOG_EGRESS_PIPELINE 45 #define OFTABLE_SAVE_INPORT 64 #define OFTABLE_LOG_TO_PHY 65 #define OFTABLE_MAC_BINDING 66 diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 4acf8a677e..0c187e1c84 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c 
@@ -175,6 +175,10 @@ ovn_init_symtab(struct shash *symtab) WR_CT_COMMIT); expr_symtab_add_subfield_scoped(symtab, "ct_label.label", NULL, "ct_label[96..127]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_label.obs_point_id", NULL, + "ct_label[96..127]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_label.obs_unused", NULL, + "ct_label[0..95]", WR_CT_COMMIT); expr_symtab_add_field(symtab, "ct_state", MFF_CT_STATE, NULL, false); diff --git a/lib/ovn-util.h b/lib/ovn-util.h index ae971ce5ab..7b98b9b9a1 100644 --- a/lib/ovn-util.h +++ b/lib/ovn-util.h @@ -308,7 +308,7 @@ BUILD_ASSERT_DECL( #define SCTP_ABORT_CHUNK_FLAG_T (1 << 0) /* The number of tables for the ingress and egress pipelines. */ -#define LOG_PIPELINE_LEN 29 +#define LOG_PIPELINE_LEN 30 static inline uint32_t hash_add_in6_addr(uint32_t hash, const struct in6_addr *addr) diff --git a/northd/northd.c b/northd/northd.c index 8b4ef1403a..34cd1f7a82 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -50,6 +50,7 @@ #include "en-lr-nat.h" #include "en-lr-stateful.h" #include "en-ls-stateful.h" +#include "en-sampling-app.h" #include "lib/ovn-parallel-hmap.h" #include "ovn/actions.h" #include "ovn/features.h" @@ -184,8 +185,10 @@ static bool vxlan_mode; #define REG_ORIG_TP_DPORT_ROUTER "reg9[16..31]" -/* Register used for setting a label for ACLs in a Logical Switch. */ -#define REG_LABEL "reg3" +/* Registers used for pasing observability information for switches: + * domain and point ID. */ +#define REG_OBS_POINT_ID_NEW "reg3" +#define REG_OBS_POINT_ID_EST "reg9" /* Register used for temporarily store ECMP eth.src to avoid masked ct_label * access. It doesn't really occupy registers because the content of the 
@@ -209,13 +212,13 @@ static bool vxlan_mode; * | | REGBIT_{HAIRPIN/HAIRPIN_REPLY} | | | * | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} | | | * | | REGBIT_ACL_{LABEL/STATELESS} | X | | - * +----+----------------------------------------------+ X | | - * | R5 | UNUSED | X | LB_L2_AFF_BACKEND_IP6 | - * | R1 | ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL) | R | | - * +----+----------------------------------------------+ E | | + * +----+----------------------------------------------+ X | LB_L2_AFF_BACKEND_IP6 | + * | R1 | ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL) | R | (>= IN_LB_AFF_CHECK && | + * +----+----------------------------------------------+ E | <= IN_LB_AFF_LEARN) | * | R2 | ORIG_TP_DPORT (>= IN_PRE_STATEFUL) | G | | * +----+----------------------------------------------+ 0 | | - * | R3 | ACL LABEL | | | + * | R3 | OBS_POINT_ID_NEW | | | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | | | * +----+----------------------------------------------+---+-----------------------------------+ * | R4 | REG_LB_AFF_BACKEND_IP4 | | | * +----+----------------------------------------------+ X | | @@ -225,9 +228,11 @@ static bool vxlan_mode; * +----+----------------------------------------------+ G | | * | R7 | UNUSED | 1 | | * +----+----------------------------------------------+---+-----------------------------------+ - * | R8 | LB_AFF_MATCH_PORT | + * | | LB_AFF_MATCH_PORT | + * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | * +----+----------------------------------------------+ - * | R9 | UNUSED | + * | R9 | OBS_POINT_ID_EST | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | * +----+----------------------------------------------+ * * Logical Router pipeline: 
@@ -6482,6 +6487,350 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl, ds_put_cstr(actions, "); "); } +/* This builds an ACL specific sample action. + * If the ACL has a label configured the label itself is used as sample + * observation point ID. Otherwise the configured 'sample->metadata' + * is passed as observation point ID. */ +static void +build_acl_sample_action(struct ds *actions, const struct nbrec_acl *acl, + const struct nbrec_sample *sample, + uint8_t sample_domain_id) +{ + if (!sample || sample_domain_id == SAMPLING_APP_ID_NONE) { + return; + } + + uint32_t domain_id = 0; + uint32_t point_id = 0; + + if (acl->label) { + domain_id = 0; + point_id = acl->label; + } else if (sample) { + domain_id = sample_domain_id; + point_id = sample->metadata; + } + + for (size_t i = 0; i < sample->n_collectors; i++) { + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point=%"PRIu32");", + (uint16_t) sample->collectors[i]->probability, + (uint8_t) sample->collectors[i]->set_id, + domain_id, point_id); + } + ds_put_cstr(actions, " next;"); +} + +/* This builds an ACL logical flow specific action that stores the observation + * point IDs to be used for samples generated for traffic that hits the ACL. + * Two observation point IDs are stored in registers, the one for traffic + * that creates new connections and the one for traffic that's part of an + * existing connection. 
+ */ +static void +build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, + const struct nbrec_sample *sample_new, + const struct nbrec_sample *sample_est) +{ + if (!acl->label && !sample_new && !sample_est) { + return; + } + + uint32_t point_id_new = 0; + uint32_t point_id_est = 0; + + if (acl->label) { + point_id_new = acl->label; + point_id_est = acl->label; + } else { + if (sample_new) { + point_id_new = sample_new->metadata; + } + if (sample_est) { + point_id_est = sample_est->metadata; + } + } + + ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " + REG_OBS_POINT_ID_NEW " = %"PRIu32"; " + REG_OBS_POINT_ID_EST " = %"PRIu32"; ", + point_id_new, point_id_est); +} + +/* This builds an ACL logical flow specific match that selects traffic + * with an associated observation point ID register equal to that of the + * ACL label (if configured) or sample->metadata. + */ +static void +build_acl_sample_register_match(struct ds *match, const struct nbrec_acl *acl, + const struct nbrec_sample *sample) +{ + uint32_t point_id = 0; + + if (acl->label) { + point_id = acl->label; + } else if (sample) { + point_id = sample->metadata; + } + + ds_put_format(match, REG_OBS_POINT_ID_NEW " == %"PRIu32, point_id); +} + +/* This builds an ACL logical flow specific match that selects conntracked + * traffic whose associated ct_label.obs_point ID is equal to that of the + * ACL label (if configured) or sample->metadata. The match also ensures + * that the observation domain ID stored in the ct_label is also equal to + * 'sample_domain_id'. + */ +static void +build_acl_sample_label_match(struct ds *match, const struct nbrec_acl *acl, + const struct nbrec_sample *sample) +{ + uint32_t point_id = 0; + + if (acl->label) { + point_id = acl->label; + } else if (sample) { + point_id = sample->metadata; + } + + /* Match on the complete ct_label to avoid masked access to it in the + * datapath. 
Some NICs do not support HW offloading when masked-access + * of ct_label is used in the datapath. */ + ds_put_format(match, "ct_label.obs_point_id == %"PRIu32" && " + "ct_label.obs_unused == 0", point_id); +} + +/* This builds a logical flow that samples and forwards/drops traffic + * that hit a stateless ACL ("pass" or "allow-stateless") that has sampling + * enabled. + */ +static void +build_acl_sample_new_stateless_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_new) { + return; + } + + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && "); + build_acl_sample_register_match(match, acl, acl->sample_new); + + build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards/drops traffic + * that created a new conntrack entry and hit a stateful ACL that has sampling + * enabled. 
+ */ +static void +build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_new) { + return; + } + + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && ct.new && "); + build_acl_sample_register_match(match, acl, acl->sample_new); + + build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards traffic + * that is part of an existing connection (in the original direction) created + * by traffic allowed by a stateful ACL that has sampling enabled. + */ +static void +build_acl_sample_est_orig_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && ct.trk && " + "(ct.est || ct.rel) && " + "!ct.rpl && "); + build_acl_sample_label_match(match, acl, acl->sample_est); + + build_acl_sample_action(actions, acl, acl->sample_est, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1200, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards traffic + * that is part of an existing connection (in the reply direction) created + * by traffic allowed by a stateful ACL that has sampling enabled. + * + * NOTE: unlike for traffic in the original direction, this logical flow must + * be installed in the "opposite" pipeline. 
That is, for "from-lport" ACLs + * the conntrack entry is created in the ingress logical port zone and will be + * hit by reply traffic in the egress pipeline (before being sent out that + * logical port). + */ +static void +build_acl_sample_est_rpl_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage rpl_stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && ct.trk && " + "(ct.est || ct.rel) && " + "ct.rpl && "); + build_acl_sample_label_match(match, acl, acl->sample_est); + + build_acl_sample_action(actions, acl, acl->sample_est, sample_domain_id); + + ovn_lflow_add(lflows, od, rpl_stage, 1200, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds logical flows that sample and forward traffic + * that is part of an existing connection (both in the original and in the + * reply direction) created by traffic allowed by a stateful ACL that has + * sampling enabled. + */ +static void +build_acl_sample_est_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_est) { + return; + } + build_acl_sample_est_orig_stateful_flows(od, lflows, stage, match, actions, + acl, sample_domain_id, lflow_ref); + + /* Install flows in the "opposite" pipeline direction to handle reply + * traffic on established connections. */ + enum ovn_stage rpl_stage = (stage == S_SWITCH_OUT_ACL_SAMPLE + ? 
S_SWITCH_IN_ACL_SAMPLE + : S_SWITCH_OUT_ACL_SAMPLE); + build_acl_sample_est_rpl_stateful_flows(od, lflows, rpl_stage, + match, actions, + acl, sample_domain_id, lflow_ref); +} + +static void build_acl_reject_action(struct ds *actions, bool is_ingress); + +/* This builds all ACL sampling related logical flows: + * - for packets creating new connections + * - for packets that are part of an existing connection + */ +static void +build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, + const struct ovn_datapath *od, + struct lflow_table *lflows, + const struct nbrec_acl *acl, + struct ds *match, struct ds *actions, + const struct sampling_app_table *sampling_apps, + struct lflow_ref *lflow_ref) +{ + bool should_sample_established = + ls_stateful_rec->has_stateful_acl + && acl->sample_est + && !strcmp(acl->action, "allow-related"); + + bool stateful_match = + ls_stateful_rec->has_stateful_acl + && strcmp(acl->action, "allow-stateless"); + + /* Only sample if: + * - sampling is enabled for traffic creating new connections + * OR + * - sampling is enabled for traffic on established sessions and the + * switch has stateful ACLs. + */ + if (!acl->sample_new && !should_sample_established) { + return; + } + + bool ingress = !strcmp(acl->direction, "from-lport") ? 
true : false; + enum ovn_stage stage; + + if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { + stage = S_SWITCH_IN_ACL_AFTER_LB_SAMPLE; + } else if (ingress) { + stage = S_SWITCH_IN_ACL_SAMPLE; + } else { + stage = S_SWITCH_OUT_ACL_SAMPLE; + } + + uint8_t sample_new_domain_id = sampling_app_get_id(sampling_apps, + SAMPLING_APP_ACL_NEW); + uint8_t sample_est_domain_id = sampling_app_get_id(sampling_apps, + SAMPLING_APP_ACL_EST); + + if (!stateful_match) { + build_acl_sample_new_stateless_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, + lflow_ref); + } else { + build_acl_sample_new_stateful_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, + lflow_ref); + build_acl_sample_est_stateful_flows(od, lflows, stage, match, actions, + acl, sample_est_domain_id, + lflow_ref); + } +} + +/* This builds all default ACL sampling related logical flows. */ +static void +build_acl_sample_default_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + struct lflow_ref *lflow_ref) +{ + /* Rules at priority 1 is added below to pass the packet into next table + * if there isn't any match. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_SAMPLE, 0, "1", "next;", + lflow_ref); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_SAMPLE, 0, "1", "next;", + lflow_ref); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_SAMPLE, 0, "1", + "next;", lflow_ref); +} + static void consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, const struct nbrec_acl *acl, bool has_stateful, 
@@ -6529,6 +6878,10 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, if (!has_stateful || !strcmp(acl->action, "pass") || !strcmp(acl->action, "allow-stateless")) { + + /* For stateless ACLs just sample "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); ovn_lflow_add_with_hint(lflows, od, stage, priority, @@ -6563,10 +6916,10 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - if (acl->label) { - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); - } + + /* For stateful ACLs sample "new" and "established" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, + acl->sample_est); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6586,9 +6939,11 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, acl->match); if (acl->label) { ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); } + + /* For stateful ACLs sample "new" and "established" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, + acl->sample_est); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6606,6 +6961,9 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_put_format(match, " && (%s)", acl->match); ds_truncate(actions, log_verdict_len); + + /* For drop ACLs just sample all packets as "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), 
@@ -6626,6 +6984,9 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_put_format(match, " && (%s)", acl->match); ds_truncate(actions, log_verdict_len); + + /* For drop ACLs just sample all packets as "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6706,6 +7067,20 @@ ovn_update_ipv6_options(struct hmap *lr_ports) #define IPV6_CT_OMIT_MATCH "nd || nd_ra || nd_rs || mldv1 || mldv2" +static void +build_acl_reject_action(struct ds *actions, bool is_ingress) +{ + ds_put_format( + actions, "reg0 = 0; " + "reject { " + "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " + "outport <-> inport; next(pipeline=%s,table=%d); " + "};", + is_ingress ? "egress" : "ingress", + is_ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS) + : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); +} + static void build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, const struct ovn_datapath *od, @@ -6722,6 +7097,12 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, S_SWITCH_OUT_ACL_ACTION, }; + enum ovn_stage eval_stages[] = { + S_SWITCH_IN_ACL_EVAL, + S_SWITCH_IN_ACL_AFTER_LB_EVAL, + S_SWITCH_OUT_ACL_EVAL, + }; + ds_clear(actions); ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW " = 0; " REGBIT_ACL_VERDICT_DROP " = 0; " 
@@ -6752,14 +7133,7 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, bool ingress = ovn_stage_get_pipeline(stage) == P_IN; ds_truncate(actions, verdict_len); - ds_put_format( - actions, "reg0 = 0; " - "reject { " - "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " - "outport <-> inport; next(pipeline=%s,table=%d); };", - ingress ? "egress" : "ingress", - ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS) - : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); + build_acl_reject_action(actions, ingress); ovn_lflow_metered(lflows, od, stage, 1000, REGBIT_ACL_VERDICT_REJECT " == 1", ds_cstr(actions), @@ -6778,7 +7152,7 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, ds_put_format(&tier_actions, REG_ACL_TIER " = %"PRIuSIZE"; " "next(pipeline=%s,table=%d);", j + 1, ingress ? "ingress" : "egress", - ovn_stage_get_table(stage) - 1); + ovn_stage_get_table(eval_stages[i])); ovn_lflow_add(lflows, od, stage, 500, ds_cstr(match), ds_cstr(&tier_actions), lflow_ref); } @@ -6799,12 +7173,6 @@ build_acl_log_related_flows(const struct ovn_datapath *od, * the ACL, then we need to ensure that the related and reply * traffic is logged, so we install a slightly higher-priority * flow that matches the ACL, allows the traffic, and logs it. - * - * Note: Matching the ct_label.label may prevent OVS flow HW - * offloading to work for some NICs because masked-access of - * ct_label is not supported on those NICs due to HW - * limitations. In such case the user may choose to avoid using the - * "log-related" option. */ bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; bool log_related = smap_get_bool(&acl->options, "log-related", 
@@ -6863,6 +7231,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, struct lflow_table *lflows, const struct ls_port_group_table *ls_port_groups, const struct shash *meter_groups, + const struct sampling_app_table *sampling_apps, struct lflow_ref *lflow_ref) { const char *default_acl_action = default_acl_drop @@ -7043,6 +7412,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, REGBIT_ACL_VERDICT_ALLOW " = 1; next;", lflow_ref); + build_acl_sample_default_flows(od, lflows, lflow_ref); + /* Ingress or Egress ACL Table (Various priorities). */ for (size_t i = 0; i < od->nbs->n_acls; i++) { struct nbrec_acl *acl = od->nbs->acls[i]; @@ -7052,6 +7423,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, consider_acl(lflows, od, acl, has_stateful, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); + build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, + &match, &actions, sampling_apps, lflow_ref); } const struct ls_port_group *ls_pg = @@ -7068,6 +7441,9 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, consider_acl(lflows, od, acl, has_stateful, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); + build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, + &match, &actions, sampling_apps, + lflow_ref); } } } @@ -7727,8 +8103,11 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, * We always set ct_mark.blocked to 0 here as * any packet that makes it this far is part of a connection we * want to allow to continue. */ - ds_put_cstr(&actions, "ct_commit { ct_mark.blocked = 0; " - "ct_label.label = " REG_LABEL "; }; next;"); + ds_put_cstr(&actions, + "ct_commit { " + "ct_mark.blocked = 0; " + "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; " + "}; next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, REGBIT_CONNTRACK_COMMIT" == 1 && " REGBIT_ACL_LABEL" == 1", 
@@ -15776,6 +16155,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, const struct ovn_datapath *od, const struct ls_port_group_table *ls_pgs, const struct shash *meter_groups, + const struct sampling_app_table *sampling_apps, struct lflow_table *lflows) { build_ls_stateful_rec_pre_acls(ls_stateful_rec, od, ls_pgs, lflows, @@ -15785,7 +16165,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, build_acl_hints(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); build_acls(ls_stateful_rec, od, lflows, ls_pgs, meter_groups, - ls_stateful_rec->lflow_ref); + sampling_apps, ls_stateful_rec->lflow_ref); build_lb_hairpin(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); } @@ -15809,6 +16189,7 @@ struct lswitch_flow_build_info { struct ds actions; size_t thread_lflow_counter; const char *svc_monitor_mac; + const struct sampling_app_table *sampling_apps; }; /* Helper function to combine all lflow generation which is iterated by @@ -16100,6 +16481,7 @@ build_lflows_thread(void *arg) build_ls_stateful_flows(ls_stateful_rec, od, lsi->ls_port_groups, lsi->meter_groups, + lsi->sampling_apps, lsi->lflows); } } @@ -16173,7 +16555,8 @@ build_lswitch_and_lrouter_flows( const struct hmap *svc_monitor_map, const struct hmap *bfd_connections, const struct chassis_features *features, - const char *svc_monitor_mac) + const char *svc_monitor_mac, + const struct sampling_app_table *sampling_apps) { char *svc_check_match = xasprintf("eth.dst == %s", svc_monitor_mac); @@ -16207,6 +16590,7 @@ build_lswitch_and_lrouter_flows( lsiv[index].svc_check_match = svc_check_match; lsiv[index].thread_lflow_counter = 0; lsiv[index].svc_monitor_mac = svc_monitor_mac; + lsiv[index].sampling_apps = sampling_apps; ds_init(&lsiv[index].match); ds_init(&lsiv[index].actions); 
@@ -16247,6 +16631,7 @@ build_lswitch_and_lrouter_flows( .features = features, .svc_check_match = svc_check_match, .svc_monitor_mac = svc_monitor_mac, + .sampling_apps = sampling_apps, .match = DS_EMPTY_INITIALIZER, .actions = DS_EMPTY_INITIALIZER, }; @@ -16319,6 +16704,7 @@ build_lswitch_and_lrouter_flows( &od->nbs->header_.uuid)); build_ls_stateful_flows(ls_stateful_rec, od, lsi.ls_port_groups, lsi.meter_groups, + lsi.sampling_apps, lsi.lflows); } stopwatch_stop(LFLOWS_LS_STATEFUL_STOPWATCH_NAME, time_msec()); @@ -16408,7 +16794,8 @@ void build_lflows(struct ovsdb_idl_txn *ovnsb_txn, input_data->svc_monitor_map, input_data->bfd_connections, input_data->features, - input_data->svc_monitor_mac); + input_data->svc_monitor_mac, + input_data->sampling_apps); if (parallelization_state == STATE_INIT_HASH_SIZES) { parallelization_state = STATE_USE_PARALLELIZATION; @@ -16832,6 +17219,7 @@ lflow_handle_ls_stateful_changes(struct ovsdb_idl_txn *ovnsb_txn, build_ls_stateful_flows(ls_stateful_rec, od, lflow_input->ls_port_groups, lflow_input->meter_groups, + lflow_input->sampling_apps, lflows); /* Sync the new flows to SB. */ diff --git a/northd/northd.h b/northd/northd.h index e50aa6731a..b628911510 100644 --- a/northd/northd.h +++ b/northd/northd.h 
@@ -397,27 +397,30 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 6, "ls_in_pre_stateful") \ PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 7, "ls_in_acl_hint") \ PIPELINE_STAGE(SWITCH, IN, ACL_EVAL, 8, "ls_in_acl_eval") \ - PIPELINE_STAGE(SWITCH, IN, ACL_ACTION, 9, "ls_in_acl_action") \ - PIPELINE_STAGE(SWITCH, IN, QOS, 10, "ls_in_qos") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 11, "ls_in_lb_aff_check") \ - PIPELINE_STAGE(SWITCH, IN, LB, 12, "ls_in_lb") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 13, "ls_in_lb_aff_learn") \ - PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 14, "ls_in_pre_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 15, "ls_in_nat_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 16, "ls_in_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_EVAL, 17, \ - "ls_in_acl_after_lb_eval") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 18, \ + PIPELINE_STAGE(SWITCH, IN, ACL_SAMPLE, 9, "ls_in_acl_sample") \ + PIPELINE_STAGE(SWITCH, IN, ACL_ACTION, 10, "ls_in_acl_action") \ + PIPELINE_STAGE(SWITCH, IN, QOS, 11, "ls_in_qos") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 12, "ls_in_lb_aff_check") \ + PIPELINE_STAGE(SWITCH, IN, LB, 13, "ls_in_lb") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 14, "ls_in_lb_aff_learn") \ + PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 15, "ls_in_pre_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 16, "ls_in_nat_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 17, "ls_in_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_EVAL, 18, \ + "ls_in_acl_after_lb_eval") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_SAMPLE, 19, \ + "ls_in_acl_after_lb_sample") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 20, \ "ls_in_acl_after_lb_action") \ - PIPELINE_STAGE(SWITCH, IN, STATEFUL, 19, "ls_in_stateful") \ - PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 20, "ls_in_arp_rsp") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 21, "ls_in_dhcp_options") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 22, "ls_in_dhcp_response") \ - 
PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 23, "ls_in_dns_lookup") \ - PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 24, "ls_in_dns_response") \ - PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 25, "ls_in_external_port") \ - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 26, "ls_in_l2_lkup") \ - PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 27, "ls_in_l2_unknown") \ + PIPELINE_STAGE(SWITCH, IN, STATEFUL, 21, "ls_in_stateful") \ + PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 22, "ls_in_arp_rsp") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 23, "ls_in_dhcp_options") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 24, "ls_in_dhcp_response") \ + PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 25, "ls_in_dns_lookup") \ + PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 26, "ls_in_dns_response") \ + PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 27, "ls_in_external_port") \ + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 28, "ls_in_l2_lkup") \ + PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 29, "ls_in_l2_unknown") \ \ /* Logical switch egress stages. */ \ PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \ 
@@ -425,11 +428,12 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \ PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 3, "ls_out_acl_hint") \ PIPELINE_STAGE(SWITCH, OUT, ACL_EVAL, 4, "ls_out_acl_eval") \ - PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 5, "ls_out_acl_action") \ - PIPELINE_STAGE(SWITCH, OUT, QOS, 6, "ls_out_qos") \ - PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \ - PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 8, "ls_out_check_port_sec") \ - PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 9, "ls_out_apply_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_SAMPLE, 5, "ls_out_acl_sample") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 6, "ls_out_acl_action") \ + PIPELINE_STAGE(SWITCH, OUT, QOS, 7, "ls_out_qos") \ + PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 8, "ls_out_stateful") \ + PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 9, "ls_out_check_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 10, "ls_out_apply_port_sec") \ \ /* Logical router ingress stages. */ \ PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index ba85e4bfd7..3abd5f75bb 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -867,7 +867,47 @@ -

Ingress Table 9: from-lport ACL action

+

Ingress Table 9: from-lport ACL sampling

+ +

+ Logical flows in this table sample traffic matched by + from-lport ACLs with sampling enabled. +

+ +
    +
  • + If no ACLs have sampling enabled, then a priority 0 flow is installed + that matches everything and advances to the next table. +
  • + +
  • + For each ACL with sample_new configured a priority 1100 flow is + installed that matches on the saved observation_point_id value. + This flow generates a sample() action and then advances + the packet to the next table. +
  • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id value + for established traffic in the original direction. This flow + generates a sample() action and then advances + the packet to the next table. +
  • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id + value for established traffic in the reply direction. This flow + generates a sample() action and then advances + the packet to the next table. Note: this flow is installed in the + opposite pipeline (in the ingress pipeline for ACLs applied in the + egress direction and in the egress pipeline for ACLs applied in the + ingress direction). +
  • +
+ +

Ingress Table 10: from-lport ACL action

Logical flows in this table decide how to proceed based on the values of @@ -907,7 +947,7 @@ -

Ingress Table 10: from-lport QoS

+

Ingress Table 11: from-lport QoS

Logical flows in this table closely reproduce those in the @@ -930,7 +970,7 @@ -

Ingress Table 11: Load balancing affinity check

+

Ingress Table 12: Load balancing affinity check

Load balancing affinity check table contains the following @@ -958,7 +998,7 @@ -

Ingress Table 12: LB

+

Ingress Table 13: LB

  • @@ -1038,7 +1078,7 @@
-

Ingress Table 13: Load balancing affinity learn

+

Ingress Table 14: Load balancing affinity learn

Load balancing affinity learn table contains the following @@ -1069,7 +1109,7 @@ -

Ingress Table 14: Pre-Hairpin

+

Ingress Table 15: Pre-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1087,7 +1127,7 @@
-

Ingress Table 15: Nat-Hairpin

+

Ingress Table 16: Nat-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1122,7 +1162,7 @@
-

Ingress Table 16: Hairpin

+

Ingress Table 17: Hairpin

  • @@ -1160,7 +1200,7 @@

-

Ingress table 17: from-lport ACL evaluation after LB

+

Ingress table 18: from-lport ACL evaluation after LB

Logical flows in this table closely reproduce those in the @@ -1245,7 +1285,47 @@ -

Ingress Table 18: from-lport ACL action after LB

+

Ingress Table 19: from-lport ACL sampling after LB

+ +

+ Logical flows in this table sample traffic matched by + from-lport ACLs (evaluation after LB) with sampling enabled. +

+ +
    +
  • + If no ACLs have sampling enabled, then a priority 0 flow is installed + that matches everything and advances to the next table. +
  • + +
  • + For each ACL with sample_new configured a priority 1100 flow is + installed that matches on the saved observation_point_id value. + This flow generates a sample() action and then advances + the packet to the next table. +
  • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id value + for established traffic in the original direction. This flow + generates a sample() action and then advances + the packet to the next table. +
  • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id + value for established traffic in the reply direction. This flow + generates a sample() action and then advances + the packet to the next table. Note: this flow is installed in the + opposite pipeline (in the ingress pipeline for ACLs applied in the + egress direction and in the egress pipeline for ACLs applied in the + ingress direction). +
  • +
+ +

Ingress Table 20: from-lport ACL action after LB

Logical flows in this table decide how to proceed based on the values of @@ -1285,7 +1365,7 @@ -

Ingress Table 19: Stateful

+

Ingress Table 21: Stateful

  • @@ -1308,7 +1388,7 @@
-

Ingress Table 20: ARP/ND responder

+

Ingress Table 22: ARP/ND responder

This table implements ARP/ND responder in a logical switch for known @@ -1643,7 +1723,7 @@ output; -

Ingress Table 21: DHCP option processing

+

Ingress Table 23: DHCP option processing

This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1704,7 +1784,7 @@ next; -

Ingress Table 22: DHCP responses

+

Ingress Table 24: DHCP responses

This table implements DHCP responder for the DHCP replies generated by @@ -1785,7 +1865,7 @@ output; -

Ingress Table 23 DNS Lookup

+

Ingress Table 25 DNS Lookup

This table looks up and resolves the DNS names to the corresponding @@ -1814,7 +1894,7 @@ reg0[4] = dns_lookup(); next; -

Ingress Table 24 DNS Responses

+

Ingress Table 26 DNS Responses

This table implements DNS responder for the DNS replies generated by @@ -1849,7 +1929,7 @@ output; -

Ingress table 25 External ports

+

Ingress table 27 External ports

Traffic from the external logical ports enter the ingress @@ -1892,7 +1972,7 @@ output; -

Ingress Table 26 Destination Lookup

+

Ingress Table 28 Destination Lookup

This table implements switching behavior. It contains these logical @@ -2090,7 +2170,7 @@ output; -

Ingress Table 27 Destination unknown

+

Ingress Table 29 Destination unknown

This table handles the packets whose destination was not found or @@ -2298,26 +2378,31 @@ output; -

Egress Table 5: to-lport ACL action

+

Egress Table 5: to-lport ACL sampling

+

+ This is similar to ingress table ACL sampling. +

+ +

Egress Table 6: to-lport ACL action

This is similar to ingress table ACL action.

-

Egress Table 6: to-lport QoS

+

Egress Table 7: to-lport QoS

This is similar to ingress table QoS except they apply to to-lport QoS rules.

-

Egress Table 7: Stateful

+

Egress Table 8: Stateful

This is similar to ingress table Stateful except that there are no rules added for load balancing new connections.

-

Egress Table 8: Egress Port Security - check

+

Egress Table 9: Egress Port Security - check

This is similar to the port security logic in table @@ -2346,7 +2431,7 @@ output; -

Egress Table 9: Egress Port Security - Apply

+

Egress Table 10: Egress Port Security - Apply

This is similar to the ingress port security logic in ingress table diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index a6a377f20b..919103086d 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.5.0", - "cksum": "1137408189 36223", + "version": "7.6.0", + "cksum": "916377116 38300", "tables": { "NB_Global": { "columns": { @@ -30,6 +30,40 @@ "ipsec": {"type": "boolean"}}, "maxRows": 1, "isRoot": true}, + "Sample_Collector": { + "columns": { + "name": {"type": "string"}, + "probability": {"type": {"key": { + "type": "integer", + "minInteger": 0, + "maxInteger": 65535}}}, + "set_id": {"type": {"key": { + "type": "integer", + "minInteger": 1, + "maxInteger": 255}}}, + "external_ids": {"type": {"key": "string", "value": "string", + "min": 0, "max": "unlimited"}} + }, + "indexes": [["name"]], + "isRoot": true + }, + "Sample": { + "columns": { + "collectors": {"type": {"key": {"type": "uuid", + "refTable": "Sample_Collector", + "refType": "strong"}, + "min": 0, + "max": "unlimited"}}, + "metadata": {"type": {"key": {"type": "integer", + "minInteger": 1, + "maxInteger": 4294967295}, + "min": 1, "max":1}}, + "external_ids": {"type": {"key": "string", "value": "string", + "min": 0, "max": "unlimited"}} + }, + "indexes": [["metadata"]], + "isRoot": true + }, "Copp": { "columns": { "name": {"type": "string"}, @@ -275,6 +309,14 @@ "tier": {"type": {"key": {"type": "integer", "minInteger": 0, "maxInteger": 3}}}, + "sample_new": {"type": {"key": {"type": "uuid", + "refTable": "Sample", + "refType": "strong"}, + "min": 0, "max": 1}}, + "sample_est": {"type": {"key": {"type": "uuid", + "refTable": "Sample", + "refType": "strong"}, + "min": 0, "max": 1}}, "options": { "type": {"key": "string", "value": "string", diff --git a/ovn-nb.xml b/ovn-nb.xml index bc44f67642..e409f8b01d 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml 
@@ -511,6 +511,48 @@ + + + Sample collector name. + + + Sampling probability for this collector. It must be an integer number + between 0 and 65535. A value of 0 corresponds to no packets being + sampled while a value of 65535 corresponds to all packets being sampled. + + + The 8-bit integer identifier of the set of of collectors to send + packets to. See Flow_Sample_Collector_Set Table in ovs-vswitchd's + database schema. + + + See External IDs at the beginning of this document. + +
+ + +

+ This table describes a Sampling configuration. Entries in other tables + might be associated with Sample entries to indicate how the sample + should be generated. + + For an example, see . +

+ + A list of references to records to be + used when generating samples (e.g., IPFIX). A sample can be sent to + multiple collectors simultaneously. + + + Will be used as Observation Point ID in every sample. The Observation + Domain ID will be generated by ovn-northd and includes the logical + datapath key as the least significant 24 bits and the sampling + application type (e.g., drop debugging) as the 8 most significant bits. + + + See External IDs at the beginning of this document. + +

This table is used to define control plane protection policies, i.e., @@ -2342,6 +2384,12 @@ or created only for allowed connections so the label is valid only for allow and allow-related actions.

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_new or sample_est configuration. +

@@ -2551,6 +2599,33 @@ or + +

+ The entry in the table to use for sampling for + new sessions matched by this ACL. In case the ACL is stateless + this is used for sampling all traffic matched by the ACL. +

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_new configuration. +

+
+ + +

+ The entry in the table to use for sampling for + established/related sessions matched by this ACL. +

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_est configuration. +

+
+ This column provides general key/value settings. The supported diff --git a/tests/atlocal.in b/tests/atlocal.in index 32d1c374ea..29e1bb2982 100644 --- a/tests/atlocal.in +++ b/tests/atlocal.in @@ -196,6 +196,12 @@ find_command bfdd-beacon # Set HAVE_ARPING find_command arping +# Set HAVE_NFCAPD +find_command nfcapd + +# Set HAVE_NFDUMP +find_command nfdump + # Turn off proxies. unset http_proxy unset https_proxy diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 74bff9035a..50da0de19c 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -944,7 +944,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -965,9 +965,9 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i @@ -987,7 +987,7 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 10; then 
@@ -1013,12 +1013,12 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i * 2)) 
@@ -1121,7 +1121,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1142,9 +1142,9 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id flow + 3 tp_dst flows) = 4 extra flows 
@@ -1157,7 +1157,7 @@ priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=33 grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1184,9 +1184,9 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((14 - $i)) 
@@ -1209,7 +1209,7 @@ for i in $(seq 10); do grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1319,7 +1319,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1343,7 +1343,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows 
@@ -1356,7 +1356,7 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=conjunction,1/2) @@ -1385,7 +1385,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((21 - $i*2)) 
@@ -1411,9 +1411,9 @@ for i in $(seq 2 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i 
@@ -1437,8 +1437,8 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) elif test "$i" = 10; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) @@ -1478,7 +1478,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1504,8 +1504,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2)) 
@@ -1517,12 +1517,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=lo grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi done 
@@ -1578,7 +1578,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1604,8 +1604,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) elif test "$i" -lt 6; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2)) 
@@ -1620,12 +1620,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=lo grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi done 
@@ -1687,7 +1687,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1708,7 +1708,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows @@ -1721,7 +1721,7 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) 
@@ -1748,7 +1748,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((21 - $i*2)) @@ -1771,7 +1771,7 @@ for i in $(seq 10); do grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) 
@@ -1811,7 +1811,7 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1835,7 +1835,7 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1874,7 +1874,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1897,8 +1897,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1922,8 +1922,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) 
@@ -1953,8 +1953,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1999,7 +1999,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -2020,9 +2020,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i @@ -2043,7 +2043,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 5; then 
@@ -2084,7 +2084,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -2105,9 +2105,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i 
@@ -2127,7 +2127,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 5; then @@ -2167,7 +2167,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) ovn-nbctl create address_set name=as1 addresses=8.8.8.8 check ovn-nbctl acl-add ls1 to-lport 100 'outport == "ls1-lp1" && ip4.src == $as1' drop @@ -2939,7 +2939,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -2950,7 +2950,7 @@ check ovn-nbctl add address_set as1 addresses 10.0.0.0/24 check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) check ovn-nbctl add address_set as1 addresses 10.0.0.1 
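Review bot: the expected flow in the @@ -2950 hunk (and the same lines in the @@ -2960 hunk that follows) hard-codes `reg15=0x1,metadata=0x1` while the `dump-flows` filter on the same line uses `reg15=0x$port_key` and `$dp_key` is computed a few lines above; since these expectation lines are being rewritten anyway for the `$acl_sample` rename, switching them to `reg15=0x$port_key,metadata=0x$dp_key`, as every other expectation in this file already does, keeps the test from failing if tunnel key allocation order ever changes.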
@@ -2960,22 +2960,22 @@ check ovn-nbctl add address_set as1 addresses 10.0.0.4 check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) check ovn-appctl inc-engine/recompute AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) 
-priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) OVN_CLEANUP([hv1]) diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at index a7a59a9124..eca642a67a 100644 --- a/tests/ovn-macros.at +++ b/tests/ovn-macros.at @@ -1129,6 +1129,10 @@ ovn_strip_lflows() { sed 's/table=[[0-9]]\{1,2\}\s\?/table=??/g' | sort } +ovn_strip_collector_set() { + sed 's/collector_set=[[0-9]]*,\?/collector_set=??,/g' +} + OVS_END_SHELL_HELPERS m4_define([OVN_POPULATE_ARP], [AT_CHECK(ovn_populate_arp__, [0], [ignore])]) 
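Review bot: in the new `ovn_strip_collector_set` helper (ovn-macros.at, @@ -1129), the pattern `collector_set=[[0-9]]*,\?` makes both the digit run and the trailing comma optional, but the replacement always emits `collector_set=??,`; a `collector_set=` that closes an action list (no comma after it) therefore gains a stray comma, and a bare `collector_set=` with no digits is rewritten as well. Matching only the number and leaving the comma outside the substitution, e.g. `sed 's/collector_set=[[0-9]]\+/collector_set=??/g'`, normalizes the id without changing the shape of the surrounding action text.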
@@ -1189,11 +1193,11 @@ m4_define([OVN_CHECK_SCAPY_EDNS_CLIENT_SUBNET_SUPPORT], m4_define([OFTABLE_PHY_TO_LOG], [0]) m4_define([OFTABLE_LOG_INGRESS_PIPELINE], [8]) -m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [37]) -m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [38]) -m4_define([OFTABLE_REMOTE_OUTPUT], [39]) -m4_define([OFTABLE_LOCAL_OUTPUT], [40]) -m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [42]) +m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [40]) +m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [41]) +m4_define([OFTABLE_REMOTE_OUTPUT], [42]) +m4_define([OFTABLE_LOCAL_OUTPUT], [43]) +m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [45]) m4_define([OFTABLE_SAVE_INPORT], [64]) m4_define([OFTABLE_LOG_TO_PHY], [65]) m4_define([OFTABLE_MAC_BINDING], [66]) diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 797ee0b45e..a980b83abc 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -2803,6 +2803,26 @@ check_row_count nb:ACL 0 dnl --------------------------------------------------------------------- +OVN_NBCTL_TEST([acl_sampling], [ACL sampling operations], [ +check ovn-nbctl ls-add ls +sample1=$(ovn-nbctl create sample metadata=4301) +sample2=$(ovn-nbctl create sample metadata=4302) +check_row_count nb:Sample 2 + +check ovn-nbctl --sample-new=$sample1 acl-add ls from-lport 1 1 allow-related +check_column "$sample1" nb:ACL sample_new priority=1 + +check ovn-nbctl --sample-est=$sample2 acl-add ls from-lport 2 1 allow-related +check_column "" nb:ACL sample_new priority=2 +check_column "$sample2" nb:ACL sample_est priority=2 + +check ovn-nbctl --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 3 1 allow-related +check_column "$sample1" nb:ACL sample_new priority=3 +check_column "$sample2" nb:ACL sample_est priority=3 +]) + +dnl --------------------------------------------------------------------- + AT_SETUP([ovn-nbctl - daemon retry connection]) OVN_NBCTL_TEST_START daemon pid=$(cat ovsdb-server.pid) 
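Review bot: in the ovn-macros.at @@ -1189 hunk the `OFTABLE_*` values from `OFTABLE_OUTPUT_LARGE_PKT_DETECT` through `OFTABLE_LOG_EGRESS_PIPELINE` each move up by three, which means three new physical tables are inserted ahead of them, yet nothing in this hunk says which; any test or documentation that still hard-codes 37..42 instead of these macros will break without a clear signal, so the commit message should name the new tables, and the preserved gap (43 -> 45, mirroring the old 40 -> 42) should be called out as intentional so a reader does not take it for an off-by-one.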
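Review bot: the new `acl_sampling` test in ovn-nbctl.at (@@ -2803) checks only `sample_new` after the first `acl-add`, while the second `acl-add` checks both columns; adding `check_column "" nb:ACL sample_est priority=1` makes the first case symmetric and proves `--sample-new` does not also populate `sample_est`. The test also exercises only the success path of the two new options; one `acl-add` with a UUID that does not refer to a `Sample` row, expected to fail, would cover the validation the options presumably do.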
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index ebf02ef10a..d5fcde68fb 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -4609,7 +4609,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4633,7 +4633,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) } 
@@ -4676,7 +4676,7 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4697,7 +4697,7 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # LB with event=false and reject=false 
@@ -4726,23 +4726,23 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + 
table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # Add new ACL without label 
@@ -4753,27 +4753,27 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; 
reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # Delete new ACL with label 
@@ -4790,7 +4790,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl @@ -4800,7 +4800,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP ]) 
@@ -4828,7 +4828,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AS_BOX([from-lport --apply-after-lb allow-related ACL]) @@ -4836,7 +4836,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AS_BOX([to-lport allow-related ACL]) @@ -4844,7 +4844,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AT_CLEANUP 
@@ -7680,7 +7680,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) @@ -7735,7 +7735,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) 
@@ -7790,7 +7790,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP 
@@ -8069,15 +8069,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8094,15 +8097,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8119,15 +8125,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8154,11 +8163,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) 
@@ -8169,6 +8180,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8191,11 +8203,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) 
@@ -8206,6 +8220,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8228,11 +8243,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) 
@@ -8243,6 +8260,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8266,6 +8284,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) 
@@ -8284,6 +8303,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) @@ -8310,6 +8330,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) 
@@ -8340,10 +8361,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8354,6 +8377,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8377,10 +8401,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8391,6 +8417,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8414,10 +8441,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) @@ -8428,6 +8457,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8453,6 +8483,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) @@ -8469,6 +8500,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) 
@@ -8495,6 +8527,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) 
@@ -8524,10 +8557,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) 
@@ -8539,6 +8574,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8561,10 +8597,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) 
@@ -8576,6 +8614,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8598,10 +8637,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) 
@@ -8613,6 +8654,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8636,6 +8678,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) 
@@ -8652,6 +8695,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) @@ -8680,6 +8724,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) 
@@ -9925,8 +9970,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 @@ -9940,8 +9987,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 
@@ -9955,8 +10004,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) @@ -9968,8 +10019,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 
@@ -9982,8 +10035,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) AT_CLEANUP 
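Review bot: across these expected-output updates the three new stages (ls_in_acl_sample, ls_in_acl_after_lb_sample, ls_out_acl_sample) show up only as a priority-0 `match=(1), action=(next;)` default, so every packet now pays one extra table traversal per ACL direction even on switches where no ACL has sampling configured; that cost is acceptable but should be stated in the commit message. If ovn-northd.8.xml is not updated elsewhere in this series, the stage descriptions also need adding there: where the stage sits (the ovn.at hunks further down show *_acl_eval now resubmitting to *_acl_sample instead of *_acl_action), and that reg3 carries the new-connection observation point id and reg9 the established-connection one, since the ACL-eval flows in the new test set both registers unconditionally.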
@@ -12521,6 +12576,211 @@ AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflow AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL Sampling]) +AT_KEYWORDS([acl]) + +ovn_start + +collector1=$(ovn-nbctl create Sample_Collector name=test-collector1 probability=65535 set_id=1) +collector2=$(ovn-nbctl create Sample_Collector name=test-collector2 probability=65535 set_id=2) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +sample1=$(ovn-nbctl create Sample collector="$collector1 $collector2" metadata=4301) +sample2=$(ovn-nbctl create Sample collector="$collector1 $collector2" metadata=4302) +check_row_count nb:Sample 2 + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 00:00:00:00:00:01 \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 00:00:00:00:00:02 +check ovn-nbctl --wait=sb sync + +base_flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.2" +m4_define([TRACE_FILTER], [grep -e sample -e commit -e reg9 | grep -v _sample | sort]) + +AS_BOX([from-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + 
table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. 
+flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=2,obs_domain=43,obs_point=4302); +]) + +AS_BOX([from-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 0; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). 
+flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AS_BOX([from-lport-after-lb ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. 
+flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=2,obs_domain=43,obs_point=4302); +]) + +AS_BOX([from-lport-after-lb ACL sampling (new)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. 
+flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 0; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AS_BOX([to-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + 
table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=2,obs_domain=43,obs_point=4302); +]) + +AS_BOX([to-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg9 = 0; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start diff --git a/tests/ovn.at b/tests/ovn.at index cee361188a..0f401ab96a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -329,6 +329,8 @@ ct.trk = ct_state[5] ct_label = NXM_NX_CT_LABEL ct_label.ecmp_reply_eth = ct_label[32..79] ct_label.label = ct_label[96..127] +ct_label.obs_point_id = ct_label[96..127] +ct_label.obs_unused = ct_label[0..95] ct_mark = NXM_NX_CT_MARK ct_mark.blocked = ct_mark[0] ct_mark.ecmp_reply_port = ct_mark[16..31] @@ -1355,6 +1357,11 @@ ct_commit(ct_label=18446744073709551615); ct_commit(ct_label=18446744073709551616); Syntax error at `(' expecting `;'. +# Observation domain and point id. +ct_commit { ct_label.obs_point_id = reg2; }; + encodes as ct(commit,zone=NXM_NX_REG13[[0..15]],exec(move:NXM_NX_XXREG0[[32..63]]->NXM_NX_CT_LABEL[[96..127]])) + has prereqs ip + ct_mark = 12345 Field ct_mark is not modifiable. ct_mark.blocked = 1/1 
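Review bot: in the ovn.at field-table hunk, `ct_label.obs_point_id = ct_label[96..127]` is the exact bit range already published as `ct_label.label = ct_label[96..127]`, and `ct_label.obs_unused = ct_label[0..95]` overlaps `ct_label.ecmp_reply_eth = ct_label[32..79]`. Because the established-connection sampling flows match `ct_label.obs_point_id == <id> && ct_label.obs_unused == 0`, anything else that commits into ct_label.label (or into any of bits 0..95) in the same conntrack zone overwrites the observation point id or breaks the `obs_unused == 0` guard, and sampling of established traffic silently stops with no error anywhere. Either document the aliasing in the field definitions and have northd reject an ACL that uses both the label and `--sample-est`, or move obs_point_id to bits that are not already claimed; at minimum a comment next to the two new field definitions explaining why the overlap is intentional.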
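Review bot: the new `ACL Sampling` test only exercises `allow-related` ACLs and every case passes `--sample-new`; there is no case with `--sample-est` alone (which should commit the est point id while installing no priority-1100 flow) and none for drop or reject ACLs, so the reg3/reg9 handling on those paths is untested. Two smaller points in the same hunk: the two `ovn-nbctl create Sampling_App ...` lines are the only setup commands not wrapped in `check` (the Sample_Collector and Sample rows are at least covered by `check_row_count`), and "estasblished" is misspelled in three `dnl Trace estasblished connections.` comments. It would also help a reader if a `dnl` comment noted that each sample action is emitted twice because the Sample row references two collectors, and that `ovn_strip_collector_set` is what turns the two distinct collector_set values into `??` in the lflow-list checks (the ovn_trace output is where 1 and 2 remain visible).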
@@ -13405,7 +13412,7 @@ tpa=$(ip_to_hex 10 0 0 100) send_garp 1 000000000001 ffffffffffff $spa $tpa dnl traffic from localport should not be sent to localnet -AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl +AT_CHECK([tcpdump -vnne -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl 0 ],[ignore]) @@ -18565,7 +18572,7 @@ AT_CHECK([cat 2.packets], [0], [expout]) # There should be total of 9 flows present with conjunction action and 2 flows # with conj match. Eg. -# table=ls_out_acl_eval, priority=2001,conj_id=2,metadata=0x1 actions=resubmit(,ls_out_acl_action) +# table=ls_out_acl_eval, priority=2001,conj_id=2,metadata=0x1 actions=resubmit(,ls_out_acl_sample) # table=ls_out_acl_eval, priority=2001,conj_id=3,metadata=0x1 actions=drop # priority=2001,ip,metadata=0x1,nw_dst=10.0.0.6 actions=conjunction(2,2/2) # priority=2001,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(2,2/2) @@ -18856,7 +18863,7 @@ check ovn-nbctl --wait=hv sync # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) ovn-sbctl dump-flows > sbflows AT_CAPTURE_FILE([sbflows]) 
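Review bot: the `-vnne` addition to the tcpdump ARP filter check in the @@ -13405 hunk is unrelated to ACL sampling and is not explained anywhere in the visible diff; please split it into its own commit, or state in the commit message why it is needed for this series. The @@ -18856 hunk replaces the `acl_action` variable with `acl_sample`, and the @@ -18565 comment update matches the new `resubmit(,ls_out_acl_sample)` target; the later expected-output hunks follow suit, so just confirm no other `$acl_action` reference remains in that test after the rename.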
@@ -18924,11 +18931,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -18969,11 +18976,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -18987,8 +18994,8 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction() 
@@ -19027,11 +19034,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -19048,16 +19055,16 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() - table=$acl_eval, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + 
table=$acl_eval, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) OVN_CLEANUP([hv1]) @@ -22081,7 +22088,7 @@ check_virtual_offlows_present() { lr0_public_dp_key=$(printf "%x" $(fetch_column Port_Binding tunnel_key logical_port=lr0-public)) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=$acl_eval,ip | ofctl_strip_all | grep "priority=2000"], [0], [dnl - table=$acl_eval, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_out_acl_action)) + table=$acl_eval, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample)) ]) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=$ip_input | ofctl_strip_all | \ @@ -32529,7 +32536,7 @@ ovs-ofctl dump-flows br-int table=$acl_eval | grep "reg14=0x${rtr_port_key},meta # 42.42.42.42 coming from the router port. AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42"], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_in_acl_action)) + table=$acl_eval, priority=1001,ip,reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_in_acl_sample)) ]) OVN_CLEANUP([hv1]) 
@@ -34386,8 +34393,8 @@ check ovn-nbctl set nb_global . options:use_common_zone="true" check ovn-nbctl --wait=hv sync # Use constants so that if tables or registers change, this test can # be updated easily. -DNAT_TABLE=16 -SNAT_TABLE=45 +DNAT_TABLE=$(ovn-debug lflow-stage-to-oftable lr_in_dnat) +SNAT_TABLE=$(ovn-debug lflow-stage-to-oftable lr_out_snat) DNAT_ZONE_REG="NXM_NX_REG11[[0..15]]" SNAT_ZONE_REG="NXM_NX_REG12[[0..15]]" @@ -35528,7 +35535,7 @@ ovn-nbctl --wait=hv sync # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_in_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_in_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_in_acl_sample) dnl Ensure the ACL is not translated to OpenFlow. as hv1 
@@ -35543,14 +35550,14 @@ lsp2=0x$(fetch_column Port_Binding tunnel_key logical_port=lsp2) dnl Ensure the ACL is translated to OpenFlows expanding pg1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove a port from pg1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv pg-set-ports pg1 lsp2 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Change the Chassis_Template_Var mapping to use the address set. 
@@ -35559,14 +35566,14 @@ check ovn-nbctl --wait=hv set Chassis_Template_Var hv1 variables:CONDITION='ip4. dnl Ensure the ACL is translated to OpenFlows expanding as1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove an IP from AS1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv set address_set as1 addresses=\"1.1.1.1\" AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove the mapping and expect OpenFlows to be removed. diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index 691c271a3a..c595561734 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at 
@@ -237,6 +237,17 @@ m4_define([STRIP_MONITOR_CSUM], [grep "csum:" | sed 's/csum:.*/csum: /']) m4_define([FORMAT_CT], [[grep -F "dst=$1," | sed -e 's/port=[0-9]*/port=/g' -e 's/id=[0-9]*/id=/g' -e 's/state=[0-9_A-Z]*/state=/g' | sort | uniq]]) +# DAEMONIZE([command], [pidfile]) +# +# Run 'command' as a background process and record its pid to 'pidfile' to +# allow cleanup on exit. +# +m4_define([DAEMONIZE], + [$1 & echo $! > $2 + echo "kill \`cat $2\`" >> cleanup + ] +) + # NETNS_DAEMONIZE([namespace], [command], [pidfile]) # # Run 'command' as a background process within 'namespace' and record its pid diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 7770d58dc3..4b693e51f6 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at 
@@ -13050,3 +13050,344 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d /connection dropped.*/d"]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- ACL Sampling]) +AT_SKIP_IF([test $HAVE_TCPDUMP = no]) +AT_SKIP_IF([test $HAVE_NFCAPD = no]) +AT_SKIP_IF([test $HAVE_NFDUMP = no]) +AT_KEYWORDS([ACL]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +dnl Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +dnl Start ovn-controller +start_daemon ovn-controller + +dnl Logical network: +dnl 1 logical switch connetected to one logical router +dnl 6 UDP load balancers (ports 1000, 1010, 2000, 2010, 3000, 3010) +dnl 2 VIFs + +check ovn-nbctl \ + -- lr-add rtr \ + -- lrp-add rtr rtr-ls 00:00:00:00:01:00 42.42.42.1/24 \ + -- ls-add ls \ + -- lsp-add ls ls-rtr \ + -- lsp-set-addresses ls-rtr 00:00:00:00:01:00 \ + -- lsp-set-type ls-rtr router \ + -- lsp-set-options ls-rtr router-port=rtr-ls \ + -- lsp-add ls vm1 -- lsp-set-addresses vm1 00:00:00:00:00:01 \ + -- lsp-add ls vm2 -- lsp-set-addresses vm2 00:00:00:00:00:02 \ + -- lb-add lb1 43.43.43.43:1000 42.42.42.3:1000 udp \ + -- lb-add lb2 43.43.43.43:1010 42.42.42.3:1010 udp \ + -- lb-add lb3 43.43.43.43:2000 42.42.42.3:2000 udp \ + -- lb-add lb4 43.43.43.43:2010 42.42.42.3:2010 udp \ + -- lb-add lb5 43.43.43.43:3000 42.42.42.3:3000 udp \ + -- lb-add lb6 43.43.43.43:3010 42.42.42.3:3010 udp \ + -- ls-lb-add ls lb1 \ + -- ls-lb-add ls lb2 \ + -- ls-lb-add ls lb3 \ + -- ls-lb-add ls lb4 \ + -- ls-lb-add ls lb5 \ + -- ls-lb-add ls lb6 + +ADD_NAMESPACES(vm1) +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", 
"00:00:00:00:00:01", "42.42.42.1") + +ADD_NAMESPACES(vm2) +ADD_VETH(vm2, vm2, br-int, "42.42.42.3/24", "00:00:00:00:00:02", "42.42.42.1") + +collector1=$(ovn-nbctl create Sample_Collector name=test-collector1 probability=65535 set_id=1) +collector2=$(ovn-nbctl create Sample_Collector name=test-collector2 probability=65535 set_id=2) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +sample_in_1c_new=$(ovn-nbctl create Sample collector="$collector1" metadata=1001) +sample_in_1c_est=$(ovn-nbctl create Sample collector="$collector1" metadata=1002) +sample_in_2c_new=$(ovn-nbctl create Sample collector="$collector1 $collector2" metadata=1011) +sample_in_2c_est=$(ovn-nbctl create Sample collector="$collector1 $collector2" metadata=1012) + +sample_in_lb_1c_new=$(ovn-nbctl create Sample collector="$collector1" metadata=2001) +sample_in_lb_1c_est=$(ovn-nbctl create Sample collector="$collector1" metadata=2002) +sample_in_lb_2c_new=$(ovn-nbctl create Sample collector="$collector1 $collector2" metadata=2011) +sample_in_lb_2c_est=$(ovn-nbctl create Sample collector="$collector1 $collector2" metadata=2012) + +sample_out_1c_new=$(ovn-nbctl create Sample collector="$collector1" metadata=3001) +sample_out_1c_est=$(ovn-nbctl create Sample collector="$collector1" metadata=3002) +sample_out_2c_new=$(ovn-nbctl create Sample collector="$collector1 $collector2" metadata=3011) +sample_out_2c_est=$(ovn-nbctl create Sample collector="$collector1 $collector2" metadata=3012) +check_row_count nb:Sample 12 + +dnl Create ACLs that match the 3 types of traffic in all 3 possible stages: +dnl from-lport, from-lport-after-lb, to-lport. 
+check ovn-nbctl --sample-new=$sample_in_1c_new --sample-est=$sample_in_1c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + allow-related +check ovn-nbctl --sample-new=$sample_in_2c_new --sample-est=$sample_in_2c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1010" \ + allow-related + +check ovn-nbctl --apply-after-lb --sample-new=$sample_in_lb_1c_new \ + --sample-est=$sample_in_lb_1c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 2000" \ + allow-related +check ovn-nbctl --apply-after-lb --sample-new=$sample_in_lb_2c_new \ + --sample-est=$sample_in_lb_2c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 2010" \ + allow-related + +check ovn-nbctl --sample-new=$sample_out_1c_new \ + --sample-est=$sample_out_1c_est \ + acl-add ls to-lport 1 "outport == \"vm2\" && udp.dst == 3000" \ + allow-related +check ovn-nbctl --sample-new=$sample_out_2c_new \ + --sample-est=$sample_out_2c_est \ + acl-add ls to-lport 1 "outport == \"vm2\" && udp.dst == 3010" \ + allow-related + +dnl Wait for ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +dnl Start an IPFIX collector. +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err], [collector.pid]) + +dnl Wait for the collector to be up. +OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' collector.err]) + +dnl Configure the OVS flow sample collector. +ovs-vsctl --id=@br get Bridge br-int \ + -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \ + -- --id=@cs create Flow_Sample_Collector_Set id=1 bridge=@br ipfix=@ipfix + +dnl And wait for it to be up and running. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '1 ids']) + +dnl Start UDP echo server on vm2. 
+NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1000], [nc-vm2-1000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1010], [nc-vm2-1010.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 2000], [nc-vm2-2000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 2010], [nc-vm2-2010.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 3000], [nc-vm2-3000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 3010], [nc-vm2-3010.pid]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 1000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 1010]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport after-lb ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 2000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 2010]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 3000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 3010]) + +dnl Wait until OVS sampled all expected packets (4 data packets + 1 ICMP +dnl port unreachable error on each session). +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q 'sampled pkts=30']) + +dnl Check the IPFIX samples. +kill $(cat collector.pid) +OVS_WAIT_WHILE([kill -0 $(cat collector.pid) 2>/dev/null]) + +dnl Can't match on observation domain ID due to the followig fix not being +dnl available in any released version of nfdump: +dnl https://github.com/phaag/nfdump/issues/544 +dnl +dnl Only match on the point ID. 
+dnl +dnl Expect for each ACL: +dnl - one sample for new packets +dnl - four samples for established packets (3 data + one icmp error) +AT_CHECK([nfdump -r nfcapd.* -o json | grep observationPointID | awk '{$1=$1;print}' | sort], [0], [dnl +"observationPointID" : 1001, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1011, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 2001, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2011, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 3001, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3011, +"observationPointID" : 3012, +"observationPointID" : 3012, +"observationPointID" : 3012, +"observationPointID" : 3012, +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + +AT_CLEANUP +]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- Tiered ACL Sampling]) +AT_SKIP_IF([test $HAVE_TCPDUMP = no]) +AT_SKIP_IF([test $HAVE_NFCAPD = no]) +AT_SKIP_IF([test $HAVE_NFDUMP = no]) +AT_KEYWORDS([ACL]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +dnl Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . 
external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +dnl Start ovn-controller +start_daemon ovn-controller + +dnl Logical network: +dnl 1 logical switch +dnl 2 VIFs + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls vm1 -- lsp-set-addresses vm1 00:00:00:00:00:01 \ + -- lsp-add ls vm2 -- lsp-set-addresses vm2 00:00:00:00:00:02 +ADD_NAMESPACES(vm1) +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", "00:00:00:00:00:01", "42.42.42.1") + +ADD_NAMESPACES(vm2) +ADD_VETH(vm2, vm2, br-int, "42.42.42.3/24", "00:00:00:00:00:02", "42.42.42.1") + +collector1=$(ovn-nbctl create Sample_Collector name=test-collector1 probability=65535 set_id=1) +check_row_count nb:Sample_Collector 1 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +sample_1_new=$(ovn-nbctl create Sample collector="$collector1" metadata=1001) +sample_1_est=$(ovn-nbctl create Sample collector="$collector1" metadata=1002) +sample_2_new=$(ovn-nbctl create Sample collector="$collector1" metadata=2001) +sample_2_est=$(ovn-nbctl create Sample collector="$collector1" metadata=2002) +check_row_count nb:Sample 4 + +dnl Create two tiers of ACLs. +check ovn-nbctl --tier=0 --sample-new=$sample_1_new \ + --sample-est=$sample_1_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + pass + +check ovn-nbctl --tier=1 --sample-new=$sample_2_new \ + --sample-est=$sample_2_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + allow-related + +dnl Wait for ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +dnl Start an IPFIX collector. +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err], [collector.pid]) + +dnl Wait for the collector to be up. +OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' 
collector.err]) + +dnl Configure the OVS flow sample collector. +ovs-vsctl --id=@br get Bridge br-int \ + -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \ + -- --id=@cs create Flow_Sample_Collector_Set id=1 bridge=@br ipfix=@ipfix + +dnl And wait for it to be up and running. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '1 ids']) + +dnl Start UDP echo server on vm2. +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1000], [nc-vm2-1000.pid]) + +dnl Send traffic to the UDP server (hits both ACL tiers). +NS_CHECK_EXEC([vm1], [echo a | nc --send-only -u 42.42.42.3 1000]) + +dnl Wait until OVS sampled all expected packets: +dnl - first packet sampled by both tiers +dnl - reply packet sampled by last tier (established session) +dnl - related ICMP port unreachable error sampled by last tier (established session) +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q 'sampled pkts=4']) + +dnl Check the IPFIX samples. +kill $(cat collector.pid) +OVS_WAIT_WHILE([kill -0 $(cat collector.pid) 2>/dev/null]) + +dnl Can't match on observation domain ID due to the followig fix not being +dnl available in any released version of nfdump: +dnl https://github.com/phaag/nfdump/issues/544 +dnl +dnl Only match on the point ID. +AT_CHECK([nfdump -r nfcapd.* -o json | grep observationPointID | awk '{$1=$1;print}' | sort], [0], [dnl +"observationPointID" : 1001, +"observationPointID" : 2001, +"observationPointID" : 2002, +"observationPointID" : 2002, +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + +AT_CLEANUP +]) diff --git a/utilities/containers/fedora/Dockerfile b/utilities/containers/fedora/Dockerfile index 078180cff3..4dce1e32b4 100755 --- a/utilities/containers/fedora/Dockerfile 
+++ b/utilities/containers/fedora/Dockerfile @@ -27,6 +27,7 @@ RUN dnf -y update \ libcap-ng-devel \ libtool \ net-tools \ + nfdump \ ninja-build \ nmap-ncat \ numactl-devel \ diff --git a/utilities/containers/ubuntu/Dockerfile b/utilities/containers/ubuntu/Dockerfile index 7cf0751225..073afa8764 100755 --- a/utilities/containers/ubuntu/Dockerfile +++ b/utilities/containers/ubuntu/Dockerfile @@ -33,6 +33,7 @@ RUN apt update -y \ llvm-dev \ ncat \ net-tools \ + nfdump \ ninja-build \ python3-dev \ python3-pip \ diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml index e2657ca02c..e1e5b681e1 100644 --- a/utilities/ovn-nbctl.8.xml +++ b/utilities/ovn-nbctl.8.xml @@ -399,7 +399,7 @@ must be either switch or port-group.

-
[--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--may-exist] [--apply-after-lb] [--tier] acl-add entity direction priority match verdict
+
[--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--sample-new=sample] [--sample-est=sample] [--may-exist] [--apply-after-lb] [--tier] acl-add entity direction priority match verdict

Adds the specified ACL to entity. direction @@ -424,6 +424,12 @@ names a meter configured by meter-add.

+

+ The --sample-new (and optionally + --sample-est) enable ACL sampling. A valid uuid of a + row of the table must be provided. +

+

The --apply-after-lb option sets apply-after-lb=true in the options column diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 679d3f2d93..2bef6f84d0 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2318,6 +2318,11 @@ nbctl_pre_acl(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_match); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_tier); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_new); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_est); + + ovsdb_idl_add_table(ctx->idl, &nbrec_table_sample_collector); + ovsdb_idl_add_table(ctx->idl, &nbrec_table_sample); } static void @@ -2331,6 +2336,8 @@ nbctl_pre_acl_list(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_severity); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_meter); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_label); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_new); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_est); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); } @@ -2382,6 +2389,8 @@ nbctl_acl_add(struct ctl_context *ctx) const char *severity = shash_find_data(&ctx->options, "--severity"); const char *name = shash_find_data(&ctx->options, "--name"); const char *meter = shash_find_data(&ctx->options, "--meter"); + const char *sample_new = shash_find_data(&ctx->options, "--sample-new"); + const char *sample_est = shash_find_data(&ctx->options, "--sample-est"); if (log || severity || name || meter) { nbrec_acl_set_log(acl, true); } 
@@ -2398,6 +2407,38 @@ nbctl_acl_add(struct ctl_context *ctx) if (meter) { nbrec_acl_set_meter(acl, meter); } + if (sample_new) { + const struct nbrec_sample *sample_elem = NULL; + struct uuid sample_uuid; + + if (uuid_from_string(&sample_uuid, sample_new)) { + sample_elem = nbrec_sample_get_for_uuid(ctx->idl, &sample_uuid); + if (!sample_elem) { + ctl_error(ctx, "--sample-new record not found"); + return; + } + nbrec_acl_set_sample_new(acl, sample_elem); + } else { + ctl_error(ctx, "a valid --sample-new uuid must be provided"); + return; + } + } + if (sample_est) { + const struct nbrec_sample *sample_elem = NULL; + struct uuid sample_uuid; + + if (uuid_from_string(&sample_uuid, sample_est)) { + sample_elem = nbrec_sample_get_for_uuid(ctx->idl, &sample_uuid); + if (!sample_elem) { + ctl_error(ctx, "--sample-est record not found"); + return; + } + nbrec_acl_set_sample_est(acl, sample_elem); + } else { + ctl_error(ctx, "a valid --sample-est uuid must be provided"); + return; + } + } /* Set the ACL label */ const char *label = shash_find_data(&ctx->options, "--label"); 
@@ -7925,7 +7966,7 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", nbctl_pre_acl, nbctl_acl_add, NULL, "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=," - "--apply-after-lb,--tier=", RW }, + "--apply-after-lb,--tier=,--sample-new=,--sample-est=", RW }, { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", nbctl_pre_acl, nbctl_acl_del, NULL, "--type=,--tier=", RW }, { "acl-list", 1, 1, "{SWITCH | PORTGROUP}",
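Review bot: In tests/ovn.at, hunk @@ -34386 (the use_common_zone test), the context comment "Use constants so that if tables or registers change, this test can be updated easily." no longer describes DNAT_TABLE and SNAT_TABLE once they are resolved with `ovn-debug lflow-stage-to-oftable lr_in_dnat` / `lr_out_snat`; reword it to say that the table numbers are looked up from the stage names and only the zone registers (DNAT_ZONE_REG, SNAT_ZONE_REG) remain hand-maintained constants.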
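Review bot: In tests/system-common-macros.at, hunk @@ -237, DAEMONIZE appends `kill \`cat $2\`` to the cleanup script unconditionally, so when a test stops the daemon itself (both new system-ovn.at tests run `kill $(cat collector.pid)` before checking the samples) cleanup runs kill on a stale pid and prints an error; either silence it (`kill \`cat $2\` 2>/dev/null`) or state in the macro comment that callers must not kill the daemon themselves. The comment should also say that, unlike NETNS_DAEMONIZE, the command runs in the host namespace, since that is exactly why the IPFIX collector uses it.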
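Review bot: In tests/system-ovn.at, hunk @@ -13050 (ACL Sampling test), the three traffic-generation comments are inaccurate: each says "to the UDP LB1" although the six nc invocations target lb1..lb6 on ports 1000/1010, 2000/2010 and 3000/3010, and the last one says "hits the from-lport ACL" for ports 3000/3010, which are matched by the to-lport ACLs; correct them to name the LB and the stage actually exercised. In the same hunk, `ovn-nbctl create Sampling_App ...` (in both tests) and the `ovs-vsctl ... create IPFIX ...` command run without the `check` prefix used for every other command, so a failure there would only surface later as a wait timeout; the comments contain the typos "connetected" and "followig" (the latter repeated in the tiered test); and both tests AT_SKIP_IF on HAVE_TCPDUMP although nothing in either test body invokes tcpdump, so that skip can be dropped unless a macro they call depends on it.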
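Review bot: In utilities/ovn-nbctl.8.xml, hunk @@ -424, the new paragraph "The --sample-new (and optionally --sample-est) enable ACL sampling. A valid uuid of a row of the table must be provided." is missing the word "options", and as shown here it says "a row of the table" without naming the table, so the reader cannot tell that the UUID must refer to a Sample row; it also implies --sample-est is only valid together with --sample-new, whereas nbctl_acl_add in this patch handles each option independently. Suggest: "The --sample-new and --sample-est options enable ACL sampling for new and established traffic respectively. Each must be set to the UUID of a row in the Sample table."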
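Review bot: In utilities/ovn-nbctl.c, hunk @@ -2398 (nbctl_acl_add), the --sample-new and --sample-est blocks are identical except for the option name and the setter called; factor them into one helper (for example `static const struct nbrec_sample *acl_lookup_sample(struct ctl_context *ctx, const char *opt, const char *value)`) that parses the UUID, looks the row up with nbrec_sample_get_for_uuid and reports the error, so each call site becomes a lookup plus a single nbrec_acl_set_sample_*() call. While there, include the offending value in the error text ("--sample-new record %s not found", "%s is not a valid --sample-new uuid") so a user with several Sample rows can see which one was rejected.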
From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Thu, 1 Aug 2024 11:53:15 +0200 Message-ID: <20240801095319.467255-7-dceara@redhat.com> In-Reply-To: <20240801095319.467255-1-dceara@redhat.com> References: <20240801095319.467255-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v5 6/9] features: Make querying of OpenFlow features more versatile. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Up until now we were interested only in two OpenFlow features, meters and groups. The current system of querying worked, however it wasn't very versatile, and it would be hard to query more features, make the system more extensible instead. Acked-by: Dumitru Ceara Signed-off-by: Ales Musil --- V5: - Address Ilya's comment: - Rename OVS_DP_GROUP_SUPPORT to OVS_OF_GROUP_SUPPORT - Added Dumitru's ack --- include/ovn/features.h | 2 + lib/features.c | 269 +++++++++++++++++++++++++++++------------ 2 files changed, 196 insertions(+), 75 deletions(-) diff --git a/include/ovn/features.h b/include/ovn/features.h index d7bceb62c4..97669410af 100644 --- a/include/ovn/features.h +++ b/include/ovn/features.h @@ -38,6 +38,7 @@ enum ovs_feature_support_bits { OVS_DP_METER_SUPPORT_BIT, OVS_CT_TUPLE_FLUSH_BIT, OVS_DP_HASH_L4_SYM_BIT, + OVS_OF_GROUP_SUPPORT_BIT, }; enum ovs_feature_value { @@ -45,6 +46,7 @@ enum ovs_feature_value { OVS_DP_METER_SUPPORT = (1 << OVS_DP_METER_SUPPORT_BIT), OVS_CT_TUPLE_FLUSH_SUPPORT = (1 << OVS_CT_TUPLE_FLUSH_BIT), OVS_DP_HASH_L4_SYM_SUPPORT = (1 << OVS_DP_HASH_L4_SYM_BIT), + OVS_OF_GROUP_SUPPORT = (1 << OVS_OF_GROUP_SUPPORT_BIT), }; void ovs_feature_support_destroy(void); 
diff --git a/lib/features.c b/lib/features.c index 607e4bd313..d3591d6410 100644 --- a/lib/features.c +++ b/lib/features.c @@ -28,6 +28,7 @@ #include "openvswitch/ofp-msgs.h" #include "openvswitch/ofp-meter.h" #include "openvswitch/ofp-group.h" +#include "openvswitch/ofp-print.h" #include "openvswitch/ofp-util.h" #include "openvswitch/rconn.h" #include "ovn/features.h" @@ -47,6 +48,18 @@ struct ovs_feature { ovs_feature_parse_func *parse; }; +struct ovs_openflow_feature { + enum ovs_feature_value value; + const char *name; + bool queued; + ovs_be32 xid; + ovs_be32 barrier_xid; + void (*send_request)(struct ovs_openflow_feature *feature); + bool (*handle_response)(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh); + bool (*handle_barrier)(struct ovs_openflow_feature *feature); +}; + static bool bool_parser(const struct smap *ovs_capabilities, const char *cap_name) { 
@@ -83,24 +96,172 @@ static struct ovs_feature all_ovs_features[] = { /* A bitmap of OVS features that have been detected as 'supported'. */ static uint32_t supported_ovs_features; -/* Last set of received feature replies. */ -static struct ofputil_meter_features ovs_meter_features_reply; -static struct ofputil_group_features ovs_group_features_reply; /* Currently discovered set of features. */ static struct ofputil_meter_features ovs_meter_features; static struct ofputil_group_features ovs_group_features; -/* Number of features replies still expected to receive for the requests - * we sent already. */ -static uint32_t n_features_reply_expected; - -static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 5); +static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 10); /* ovs-vswitchd connection. */ static struct rconn *swconn; static uint32_t conn_seq_no; +static void +log_unexpected_reply(struct ovs_openflow_feature *feature, + const struct ofp_header *oh) +{ + if (VLOG_IS_WARN_ENABLED()) { + char *s = ofp_to_string(oh, ntohs(oh->length), NULL, NULL, 2); + VLOG_WARN_RL(&rl, "OVS Feature: %s, unexpected reply: %s", + feature->name, s); + free(s); + } +} + +static bool +default_barrier_response_handle(struct ovs_openflow_feature *feature) +{ + VLOG_WARN_RL(&rl, "OVS Feature: %s, didn't receive any reply", + feature->name); + return supported_ovs_features & feature->value; +} + +static void +meter_features_send_request(struct ovs_openflow_feature *feature) +{ + struct ofpbuf *msg = ofpraw_alloc(OFPRAW_OFPST13_METER_FEATURES_REQUEST, + rconn_get_version(swconn), 0); + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); +} + +static bool +meter_features_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_METER_FEATURES_STATS_REPLY) { + log_unexpected_reply(feature, oh); + return supported_ovs_features & feature->value; + } + + struct 
ofputil_meter_features features; + ofputil_decode_meter_features(oh, &features); + + if (memcmp(&ovs_meter_features, &features, sizeof features)) { + ovs_meter_features = features; + return ovs_meter_features.max_meters; + } + + return supported_ovs_features & feature->value; +} + +static void +group_features_send_request(struct ovs_openflow_feature *feature) +{ + struct ofpbuf *msg = + ofputil_encode_group_features_request(rconn_get_version(swconn)); + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); +} + +static bool +group_features_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_GROUP_FEATURES_STATS_REPLY) { + log_unexpected_reply(feature, oh); + return supported_ovs_features & feature->value; + } + + struct ofputil_group_features features; + ofputil_decode_group_features_reply(oh, &features); + + if (memcmp(&ovs_group_features, &features, sizeof features)) { + ovs_group_features = features; + return ovs_group_features.max_groups[OFPGT11_SELECT]; + } + + return supported_ovs_features & feature->value; +} + +static struct ovs_openflow_feature all_openflow_features[] = { + { + .value = OVS_DP_METER_SUPPORT, + .name = "meter_support", + .send_request = meter_features_send_request, + .handle_response = meter_features_handle_response, + .handle_barrier = default_barrier_response_handle, + }, + { + .value = OVS_OF_GROUP_SUPPORT, + .name = "group_support", + .send_request = group_features_send_request, + .handle_response = group_features_handle_response, + .handle_barrier = default_barrier_response_handle, + } +}; + +static bool +handle_feature_state_update(bool new_state, enum ovs_feature_value value, + const char *name) +{ + bool updated = false; + + bool old_state = supported_ovs_features & value; + if (new_state != old_state) { + updated = true; + if (new_state) { + supported_ovs_features |= value; + } else { + supported_ovs_features &= ~value; + 
} + VLOG_INFO_RL(&rl, "OVS Feature: %s, state: %s", name, + new_state ? "supported" : "not supported"); + } + + return updated; +} + +static bool +features_handle_rconn_msg(struct ofpbuf *msg) +{ + const struct ofp_header *oh = msg->data; + + enum ofptype type; + ofptype_decode(&type, oh); + + if (type == OFPTYPE_ECHO_REQUEST) { + rconn_send(swconn, ofputil_encode_echo_reply(oh), NULL); + return false; + } + + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + + bool new_state; + if (feature->queued && feature->xid == oh->xid) { + new_state = feature->handle_response(feature, type, oh); + } else if (feature->queued && feature->barrier_xid == oh->xid) { + new_state = feature->handle_barrier(feature); + } else { + continue; + } + + feature->queued = false; + return handle_feature_state_update(new_state, feature->value, + feature->name); + } + + if (VLOG_IS_DBG_ENABLED()) { + char *s = ofp_to_string(oh, ntohs(oh->length), NULL, NULL, 2); + VLOG_DBG_RL(&rl, "OpenFlow packet ignored: %s", s); + free(s); + } + + return false; +} + static bool ovs_feature_is_valid(enum ovs_feature_value feature) { @@ -109,6 +270,7 @@ ovs_feature_is_valid(enum ovs_feature_value feature) case OVS_DP_METER_SUPPORT: case OVS_CT_TUPLE_FLUSH_SUPPORT: case OVS_DP_HASH_L4_SYM_SUPPORT: + case OVS_OF_GROUP_SUPPORT: return true; default: return false; @@ -126,8 +288,6 @@ ovs_feature_is_supported(enum ovs_feature_value feature) static bool ovs_feature_get_openflow_cap(void) { - struct ofpbuf *msg; - rconn_run(swconn); if (!rconn_is_connected(swconn)) { rconn_run_wait(swconn); 
@@ -137,67 +297,33 @@ ovs_feature_get_openflow_cap(void) /* send new requests just after reconnect. */ if (conn_seq_no != rconn_get_connection_seqno(swconn)) { - n_features_reply_expected = 0; - - /* Dump OpenFlow switch meter capabilities. */ - msg = ofpraw_alloc(OFPRAW_OFPST13_METER_FEATURES_REQUEST, - rconn_get_version(swconn), 0); - rconn_send(swconn, msg, NULL); - n_features_reply_expected++; - /* Dump OpenFlow switch group capabilities. */ - msg = ofputil_encode_group_features_request(rconn_get_version(swconn)); - rconn_send(swconn, msg, NULL); - n_features_reply_expected++; + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + + feature->queued = true; + feature->send_request(feature); + + struct ofpbuf *msg = + ofputil_encode_barrier_request(rconn_get_version(swconn)); + feature->barrier_xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); + } } conn_seq_no = rconn_get_connection_seqno(swconn); bool ret = false; for (int i = 0; i < 50; i++) { - msg = rconn_recv(swconn); + struct ofpbuf *msg = rconn_recv(swconn); if (!msg) { break; } - const struct ofp_header *oh = msg->data; - enum ofptype type; - ofptype_decode(&type, oh); - - if (type == OFPTYPE_METER_FEATURES_STATS_REPLY) { - ofputil_decode_meter_features(oh, &ovs_meter_features_reply); - ovs_assert(n_features_reply_expected); - n_features_reply_expected--; - } else if (type == OFPTYPE_GROUP_FEATURES_STATS_REPLY) { - ofputil_decode_group_features_reply(oh, &ovs_group_features_reply); - ovs_assert(n_features_reply_expected); - n_features_reply_expected--; - } else if (type == OFPTYPE_ECHO_REQUEST) { - rconn_send(swconn, ofputil_encode_echo_reply(oh), NULL); - } + ret |= features_handle_rconn_msg(msg); ofpbuf_delete(msg); } rconn_run_wait(swconn); rconn_recv_wait(swconn); - /* If all feature replies were received, update the set of supported - * features. 
*/ - if (!n_features_reply_expected) { - if (memcmp(&ovs_meter_features, &ovs_meter_features_reply, - sizeof ovs_meter_features_reply)) { - ovs_meter_features = ovs_meter_features_reply; - if (ovs_meter_features.max_meters) { - supported_ovs_features |= OVS_DP_METER_SUPPORT; - } else { - supported_ovs_features &= ~OVS_DP_METER_SUPPORT; - } - ret = true; - } - if (memcmp(&ovs_group_features, &ovs_group_features_reply, - sizeof ovs_group_features_reply)) { - ovs_group_features = ovs_group_features_reply; - ret = true; - } - } - return ret; } @@ -214,7 +340,6 @@ ovs_feature_support_run(const struct smap *ovs_capabilities, const char *conn_target, int probe_interval) { static struct smap empty_caps = SMAP_INITIALIZER(&empty_caps); - bool updated = false; if (!ovs_capabilities) { ovs_capabilities = &empty_caps; @@ -225,24 +350,13 @@ ovs_feature_support_run(const struct smap *ovs_capabilities, } ovn_update_swconn_at(swconn, conn_target, probe_interval, "features"); - if (ovs_feature_get_openflow_cap()) { - updated = true; - } + bool updated = ovs_feature_get_openflow_cap(); for (size_t i = 0; i < ARRAY_SIZE(all_ovs_features); i++) { struct ovs_feature *feature = &all_ovs_features[i]; - bool old_state = supported_ovs_features & feature->value; - bool new_state = feature->parse(ovs_capabilities, feature->name); - if (new_state != old_state) { - updated = true; - if (new_state) { - supported_ovs_features |= feature->value; - } else { - supported_ovs_features &= ~feature->value; - } - VLOG_INFO_RL(&rl, "OVS Feature: %s, state: %s", feature->name, - new_state ? "supported" : "not supported"); - } + bool new_value = feature->parse(ovs_capabilities, feature->name); + updated |= handle_feature_state_update(new_value, feature->value, + feature->name); } return updated; } 
@@ -252,8 +366,13 @@ ovs_feature_set_discovered(void) { /* The supported feature set has been discovered if we're connected * to OVS and it replied to all our feature request messages. */ - return swconn && rconn_is_connected(swconn) && - n_features_reply_expected == 0; + bool replied_to_all = false; + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + replied_to_all |= !feature->queued; + } + + return swconn && rconn_is_connected(swconn) && replied_to_all; } /* Returns the number of meters the OVS datapath supports. */ From patchwork Thu Aug 1 09:53:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1967577 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=IbcbrN1l; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WZPT60cNkz1ybX for ; Thu, 1 Aug 2024 19:54:50 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 3850D80DC9; Thu, 1 Aug 2024 09:54:48 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost 
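Review bot: the `ovs_feature_set_discovered` hunk (@@ -252,8 +366,13 @@) does not implement what its name and the surrounding comment ("it replied to all our feature request messages") promise: `bool replied_to_all = false;` combined with `replied_to_all |= !feature->queued;` returns true as soon as any one feature has been answered, so with the meter reply in and the group reply still pending the caller is told discovery is complete and may generate flows against a stale group state. Initialise the flag to true and use `replied_to_all &= !feature->queued;`, or simply `if (feature->queued) { return false; }` inside the loop.

Review bot: in the large lib/features.c hunk (@@ -83,24 +96,172 @@), `default_barrier_response_handle` warns "didn't receive any reply" but then returns `supported_ovs_features & feature->value`, and `meter_features_handle_response` / `group_features_handle_response` do the same on an unexpected (e.g. error) reply, so a feature bit detected as supported on an earlier connection survives a reconnect to a vswitchd that no longer answers that request. If keeping the previous state is the intended behaviour, say so in a comment next to the `return`; otherwise return false there so an unanswered or rejected request is treated as "not supported". Same hunk: the rate-limit change from `VLOG_RATE_LIMIT_INIT(5, 5)` to `VLOG_RATE_LIMIT_INIT(5, 10)` is not mentioned in the commit message; either mention it or drop it from this patch.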
From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Thu, 1 Aug 2024 11:53:16 +0200 Message-ID: <20240801095319.467255-8-dceara@redhat.com> In-Reply-To: <20240801095319.467255-1-dceara@redhat.com> References: <20240801095319.467255-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v5 7/9] features: Add detection for sample with registers. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Add detection for sample action that allows to configure obs_domain_id and obs_point_id via registers. This feature is available only from OvS version 3.4. Signed-off-by: Ales Musil Acked-by: Dumitru Ceara --- V5: - Addressed Ilya's comments: - Fixed SB chassis reconciliation. - Rename OVS_DP_SAMPLE_REG_SUPPORT to OVS_SAMPLE_REG_SUPPORT --- controller/chassis.c | 15 +++++++ include/ovn/features.h | 3 ++ lib/features.c | 91 +++++++++++++++++++++++++++++++++++++++ northd/en-global-config.c | 10 +++++ northd/en-global-config.h | 1 + 5 files changed, 120 insertions(+) diff --git a/controller/chassis.c b/controller/chassis.c index 4942ba281d..42a2894dce 100644 --- a/controller/chassis.c +++ b/controller/chassis.c @@ -67,6 +67,8 @@ struct ovs_chassis_cfg { struct ds iface_types; /* Is this chassis an interconnection gateway. */ bool is_interconn; + /* Does OVS support sampling with ids taken from registers? */ + bool sample_with_regs; }; static void @@ -338,6 +340,8 @@ chassis_parse_ovs_config(const struct ovsrec_open_vswitch_table *ovs_table, &ovs_cfg->iface_types); ovs_cfg->is_interconn = get_is_interconn(&cfg->external_ids, chassis_id); + ovs_cfg->sample_with_regs = + ovs_feature_is_supported(OVS_SAMPLE_REG_SUPPORT); return true; } 
@@ -372,6 +376,8 @@ chassis_build_other_config(const struct ovs_chassis_cfg *ovs_cfg, smap_replace(config, OVN_FEATURE_LS_DPG_COLUMN, "true"); smap_replace(config, OVN_FEATURE_CT_COMMIT_NAT_V2, "true"); smap_replace(config, OVN_FEATURE_CT_COMMIT_TO_ZONE, "true"); + smap_replace(config, OVN_FEATURE_SAMPLE_WITH_REGISTERS, + ovs_cfg->sample_with_regs ? "true" : "false"); } /* @@ -523,6 +529,14 @@ chassis_other_config_changed(const struct ovs_chassis_cfg *ovs_cfg, return true; } + bool chassis_sample_with_regs = + smap_get_bool(&chassis_rec->other_config, + OVN_FEATURE_SAMPLE_WITH_REGISTERS, + false); + if (chassis_sample_with_regs != ovs_cfg->sample_with_regs) { + return true; + } + return false; } @@ -656,6 +670,7 @@ update_supported_sset(struct sset *supported) sset_add(supported, OVN_FEATURE_LS_DPG_COLUMN); sset_add(supported, OVN_FEATURE_CT_COMMIT_NAT_V2); sset_add(supported, OVN_FEATURE_CT_COMMIT_TO_ZONE); + sset_add(supported, OVN_FEATURE_SAMPLE_WITH_REGISTERS); } static void diff --git a/include/ovn/features.h b/include/ovn/features.h index 97669410af..4275f75269 100644 --- a/include/ovn/features.h +++ b/include/ovn/features.h @@ -29,6 +29,7 @@ #define OVN_FEATURE_LS_DPG_COLUMN "ls-dpg-column" #define OVN_FEATURE_CT_COMMIT_NAT_V2 "ct-commit-nat-v2" #define OVN_FEATURE_CT_COMMIT_TO_ZONE "ct-commit-to-zone" +#define OVN_FEATURE_SAMPLE_WITH_REGISTERS "ovn-sample-with-registers" /* OVS datapath supported features. Based on availability OVN might generate * different types of openflows. @@ -39,6 +40,7 @@ enum ovs_feature_support_bits { OVS_CT_TUPLE_FLUSH_BIT, OVS_DP_HASH_L4_SYM_BIT, OVS_OF_GROUP_SUPPORT_BIT, + OVS_SAMPLE_REG_SUPPORT_BIT, }; enum ovs_feature_value { 
@@ -47,6 +49,7 @@ enum ovs_feature_value { OVS_CT_TUPLE_FLUSH_SUPPORT = (1 << OVS_CT_TUPLE_FLUSH_BIT), OVS_DP_HASH_L4_SYM_SUPPORT = (1 << OVS_DP_HASH_L4_SYM_BIT), OVS_OF_GROUP_SUPPORT = (1 << OVS_OF_GROUP_SUPPORT_BIT), + OVS_SAMPLE_REG_SUPPORT = (1 << OVS_SAMPLE_REG_SUPPORT_BIT), }; void ovs_feature_support_destroy(void); diff --git a/lib/features.c b/lib/features.c index d3591d6410..ab0327d516 100644 --- a/lib/features.c +++ b/lib/features.c @@ -25,6 +25,8 @@ #include "openvswitch/vlog.h" #include "openvswitch/ofpbuf.h" #include "openvswitch/rconn.h" +#include "openvswitch/ofp-actions.h" +#include "openvswitch/ofp-bundle.h" #include "openvswitch/ofp-msgs.h" #include "openvswitch/ofp-meter.h" #include "openvswitch/ofp-group.h" 
@@ -185,6 +187,87 @@ group_features_handle_response(struct ovs_openflow_feature *feature, return supported_ovs_features & feature->value; } +static void +sample_with_reg_send_request(struct ovs_openflow_feature *feature) +{ + struct ofputil_bundle_ctrl_msg ctrl = { + .bundle_id = 0, + .flags = OFPBF_ORDERED | OFPBF_ATOMIC, + .type = OFPBCT_OPEN_REQUEST, + }; + rconn_send(swconn, + ofputil_encode_bundle_ctrl_request(OFP15_VERSION, &ctrl), NULL); + + uint8_t actions_stub[64]; + struct ofpbuf actions; + ofpbuf_use_stub(&actions, actions_stub, sizeof(actions_stub)); + + struct mf_subfield subfield = { + .field = mf_from_id(MFF_REG0), + .n_bits = 32, + .ofs = 0 + }; + + struct ofpact_sample *sample = ofpact_put_SAMPLE(&actions); + sample->probability = UINT16_MAX; + sample->collector_set_id = 0; + sample->obs_domain_src = subfield; + sample->obs_point_src = subfield; + sample->sampling_port = OFPP_NONE; + + struct ofputil_flow_mod fm = { + .priority = 0, + .table_id = 0, + .ofpacts = actions.data, + .ofpacts_len = actions.size, + .command = OFPFC_ADD, + .new_cookie = htonll(0), + .buffer_id = UINT32_MAX, + .out_port = OFPP_ANY, + .out_group = OFPG_ANY, + }; + + struct match match; + match_init_catchall(&match); + minimatch_init(&fm.match, &match); + + struct ofpbuf *fm_msg = ofputil_encode_flow_mod(&fm, OFPUTIL_P_OF15_OXM); + + struct ofputil_bundle_add_msg bam = { + .bundle_id = ctrl.bundle_id, + .flags = ctrl.flags, + .msg = fm_msg->data, + }; + struct ofpbuf *msg = ofputil_encode_bundle_add(OFP15_VERSION, &bam); + + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); + + ctrl.type = OFPBCT_DISCARD_REQUEST; + rconn_send(swconn, + ofputil_encode_bundle_ctrl_request(OFP15_VERSION, &ctrl), NULL); + + minimatch_destroy(&fm.match); + ofpbuf_delete(fm_msg); +} + +static bool +sample_with_reg_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_ERROR) { + 
log_unexpected_reply(feature, oh); + } + + return false; +} + +static bool +sample_with_reg_handle_barrier(struct ovs_openflow_feature *feature OVS_UNUSED) +{ + return true; +} + static struct ovs_openflow_feature all_openflow_features[] = { { .value = OVS_DP_METER_SUPPORT, @@ -199,6 +282,13 @@ static struct ovs_openflow_feature all_openflow_features[] = { .send_request = group_features_send_request, .handle_response = group_features_handle_response, .handle_barrier = default_barrier_response_handle, + }, + { + .value = OVS_SAMPLE_REG_SUPPORT, + .name = "sample_action_with_registers", + .send_request = sample_with_reg_send_request, + .handle_response = sample_with_reg_handle_response, + .handle_barrier = sample_with_reg_handle_barrier, } }; @@ -271,6 +361,7 @@ ovs_feature_is_valid(enum ovs_feature_value feature) case OVS_CT_TUPLE_FLUSH_SUPPORT: case OVS_DP_HASH_L4_SYM_SUPPORT: case OVS_OF_GROUP_SUPPORT: + case OVS_SAMPLE_REG_SUPPORT: return true; default: return false; diff --git a/northd/en-global-config.c b/northd/en-global-config.c index d7607aa074..0ce7f83083 100644 --- a/northd/en-global-config.c +++ b/northd/en-global-config.c @@ -381,6 +381,7 @@ northd_enable_all_features(struct ed_type_global_config *data) .ls_dpg_column = true, .ct_commit_nat_v2 = true, .ct_commit_to_zone = true, + .sample_with_reg = true, }; } @@ -442,6 +443,15 @@ build_chassis_features(const struct sbrec_chassis_table *sbrec_chassis_table, chassis_features->ct_commit_to_zone) { chassis_features->ct_commit_to_zone = false; } + + bool sample_with_reg = + smap_get_bool(&chassis->other_config, + OVN_FEATURE_SAMPLE_WITH_REGISTERS, + false); + if (!sample_with_reg && + chassis_features->sample_with_reg) { + chassis_features->sample_with_reg = false; + } } } diff --git a/northd/en-global-config.h b/northd/en-global-config.h index 8a1c35fc8f..0cf34482af 100644 --- a/northd/en-global-config.h +++ b/northd/en-global-config.h 
@@ -19,6 +19,7 @@ struct chassis_features { bool ls_dpg_column; bool ct_commit_nat_v2; bool ct_commit_to_zone; + bool sample_with_reg; }; struct global_config_tracked_data { From patchwork Thu Aug 1 09:53:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1967579 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=JX5aMyCn; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WZPTS4v7Fz1yYq for ; Thu, 1 Aug 2024 19:55:08 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id D649E40D3B; Thu, 1 Aug 2024 09:55:04 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id zJi-gX8TGH9E; Thu, 1 Aug 2024 09:55:01 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.9.56; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 72E7840C4B Authentication-Results: smtp4.osuosl.org; dkim=fail reason="signature verification failed" 
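Review bot: in the lib/features.c hunk that adds `sample_with_reg_send_request` (@@ -185,6 +187,87 @@), the detection is "supported unless an error comes back": `sample_with_reg_handle_response` returns false for every reply type and `sample_with_reg_handle_barrier` returns true, while `feature->xid` is only the xid of the bundle-add message, so an error reply to the OPEN or DISCARD request (which carry their own xids) is never matched and ends up in the "OpenFlow packet ignored" debug path. Please add a comment on the handlers explaining that an error to the bundle add is the only negative signal relied upon, so a future reader does not mistake the barrier handler's `return true` for a bug. Two smaller points in the same hunk: the bundle control and bundle add messages hard-code `OFP15_VERSION` while every other `send_request` uses `rconn_get_version(swconn)`, which deserves either a comment on why that is safe here or the negotiated version; and `actions` is set up with `ofpbuf_use_stub` but never released, so an `ofpbuf_uninit(&actions);` after `ofputil_encode_flow_mod` would avoid a leak if the sample action ever outgrows the 64-byte stub.

Review bot: the `all_openflow_features` entry hunk (@@ -199,6 +282,13 @@) adds the `sample_action_with_registers` feature without recording the dependency stated in the commit message ("available only from OvS version 3.4"); a one-line comment on that entry would make the version requirement discoverable from the code.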
From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Thu, 1 Aug 2024 11:53:17 +0200 Message-ID: <20240801095319.467255-9-dceara@redhat.com> In-Reply-To: <20240801095319.467255-1-dceara@redhat.com> References: <20240801095319.467255-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v5 8/9] actions: Add support for sample with register. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" 
From: Ales Musil

Allow sample to accept obs_point_id as a register instead of an integer literal value.

Acked-by: Dumitru Ceara
Signed-off-by: Ales Musil
---
V5:
- Added Dumitru's ack
---
 include/ovn/actions.h | 16 +++++++++-------
 lib/actions.c         | 12 ++++++++----
 tests/ovn.at          | 13 ++++++++++++-
 3 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/include/ovn/actions.h b/include/ovn/actions.h index 88cf4de79f..c8dd66ed83 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h @@ -498,13 +498,15 @@ struct ovnact_lookup_fdb { /* OVNACT_SAMPLE */ struct ovnact_sample { struct ovnact ovnact; - uint16_t probability; /* probability over UINT16_MAX. */ - uint8_t obs_domain_id; /* most significant byte of the observation domain id. The other 24 bits will come from the datapath's tunnel key. */ - uint32_t collector_set_id; /* colector_set_id. */ - uint32_t obs_point_id; /* observation point id. */ - bool use_cookie; /* use cookie as obs_point_id */ + uint16_t probability; /* probability over UINT16_MAX. */ + uint8_t obs_domain_id; /* most significant byte of the + observation domain id. The other + 24 bits will come from the + datapath's tunnel key. */ + uint32_t collector_set_id; /* colector_set_id. */ + struct expr_field obs_point_id_src; /* observation point id source reg */ + uint32_t obs_point_id; /* observation point id */ + bool use_cookie; /* use cookie as obs_point_id */ }; /* OVNACT_COMMIT_ECMP_NH. */ diff --git a/lib/actions.c b/lib/actions.c index 37676ef81b..586c64af36 100644 --- a/lib/actions.c +++ b/lib/actions.c
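Review bot: the rewritten `+ uint32_t collector_set_id; /* colector_set_id. */` line in the include/ovn/actions.h hunk carries over the "colector_set_id" misspelling from the line it replaces; since the line is being re-indented anyway, fix the spelling and make the comment describe the field instead of repeating its name. It would also help to state in the struct comment that the three observation point sources are mutually exclusive and consulted in the order use_cookie, then obs_point_id_src.symbol, then obs_point_id, because that is the order format_SAMPLE and encode_SAMPLE in lib/actions.c rely on.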
@@ -4523,10 +4523,13 @@ format_SAMPLE(const struct ovnact_sample *sample, struct ds *s) ds_put_format(s, ",collector_set=%"PRIu32, sample->collector_set_id); ds_put_format(s, ",obs_domain=%"PRIu8, sample->obs_domain_id); + ds_put_cstr(s, ",obs_point="); if (sample->use_cookie) { - ds_put_cstr(s, ",obs_point=$cookie"); + ds_put_cstr(s, "$cookie"); + } else if (sample->obs_point_id_src.symbol) { + expr_field_format(&sample->obs_point_id_src, s); } else { - ds_put_format(s, ",obs_point=%"PRIu32, sample->obs_point_id); + ds_put_format(s, "%"PRIu32, sample->obs_point_id); } ds_put_format(s, ");"); } @@ -4551,6 +4554,8 @@ encode_SAMPLE(const struct ovnact_sample *sample, if (sample->use_cookie) { os->obs_point_imm = ep->lflow_uuid.parts[0]; + } else if (sample->obs_point_id_src.symbol) { + os->obs_point_src = expr_resolve_field(&sample->obs_point_id_src); } else { os->obs_point_imm = sample->obs_point_id; } @@ -4584,8 +4589,7 @@ parse_sample_arg(struct action_context *ctx, struct ovnact_sample *sample) sample->obs_point_id = ntohll(ctx->lexer->token.value.integer); lexer_get(ctx->lexer); } else { - lexer_syntax_error(ctx->lexer, - "malformed sample observation_point_id"); + action_parse_field(ctx, 32, false, &sample->obs_point_id_src); } } else if (lexer_match_id(ctx->lexer, "obs_domain")) { if (!lexer_force_match(ctx->lexer, LEX_T_EQUALS)) { diff --git a/tests/ovn.at b/tests/ovn.at index 0f401ab96a..f1fc29503f 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
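Review bot: in the parse_sample_arg hunk the boolean result of `action_parse_field(ctx, 32, false, &sample->obs_point_id_src);` is discarded. If action_parse_field only records the error in the lexer, parsing continues consuming tokens after a malformed field; either return early when it yields false, or add a comment explaining why relying on the lexer error state is sufficient here. The new tests/ovn.at expectations ("expecting field name.", "Cannot use 128-bit field ...") show the message is surfaced, but they do not exercise what the parser does after a failed field parse.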
@@ -2333,11 +2333,19 @@ sample(probability=10); sample(probability=100,collector_set=999,obs_domain=0,obs_point=1000); encodes as drop +sample(probability=10, obs_point=reg3); + formats as sample(probability=10,collector_set=0,obs_domain=0,obs_point=reg3); + encodes as sample(probability=10,collector_set_id=0,obs_domain_id=11259375,obs_point_id=NXM_NX_XXREG0[[0..31]]) + +sample(probability=10, obs_point=ct_label.obs_point_id); + formats as sample(probability=10,collector_set=0,obs_domain=0,obs_point=ct_label.obs_point_id); + encodes as sample(probability=10,collector_set_id=0,obs_domain_id=11259375,obs_point_id=NXM_NX_CT_LABEL[[96..127]]) + sample(probability=0,collector_set=200,obs_domain=0,obs_point=1000); probability must be greater than zero sample(probability=0,collector_set=200,obs_domain=0,obs_point=foo); - Syntax error at `foo' malformed sample observation_point_id. + Syntax error at `foo' expecting field name. sample(probability=0,collector_set=200,obs_domain=300,obs_point=foo); Syntax error at `300' obs_domain must be 8-bit long. 
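Review bot: the tests/ovn.at hunk adds coverage for `obs_point=reg3` and `obs_point=ct_label.obs_point_id`, but nothing in the diffstat (include/ovn/actions.h, lib/actions.c, tests/ovn.at) updates the documentation of the `sample` action, which this patch extends to accept a 32-bit field for `obs_point`; the new form and its exact-width requirement should be documented in the same change, since the changed error text ("expecting field name.") is what users will now see for a bad literal.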
@@ -2345,6 +2353,9 @@ sample(probability=0,collector_set=200,obs_domain=300,obs_point=foo); sample(probability=10,foo=bar,obs_domain=0,obs_point=1000); Syntax error at `foo' unknown argument. +sample(probability=10, obs_point=ct_label); + Cannot use 128-bit field ct_label[[0..127]] where 32-bit field is required. + # mac_cache_use mac_cache_use; encodes as resubmit(,OFTABLE_MAC_CACHE_USE)
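Review bot: the negative test added in this hunk only covers a field that is too wide (`ct_label`, 128 bits). Since parse_sample_arg passes 32 to action_parse_field and the error text says a 32-bit field "is required", add a case with a narrower field (for example a 16-bit register subfield) so the width check is exercised in both directions.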
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Thu, 1 Aug 2024 11:53:18 +0200
Message-ID: <20240801095319.467255-10-dceara@redhat.com>
In-Reply-To: <20240801095319.467255-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 9/9] northd: Allow flow simplification for ACL sampling.

From: Ales Musil

Currently, OVN would generate up to 2 flows per sample, depending on the configuration. Add an optimization that can reduce the number of flows added into the ACL pipeline down to 3 per collector. This optimization can be achieved only when the sample action with registers is supported in OvS and the sample has only a single collector. A single collector per sample should be the case in most configurations, usually even the same collector for all samples, which greatly reduces the number of flows per ACL with sampling. If there are more collectors per sample or the OvS feature is not supported, the implementation will fall back to flows per sample.

Reported-at: https://issues.redhat.com/browse/FDP-709
Acked-by: Dumitru Ceara
Signed-off-by: Ales Musil
---
V5:
- Address Ilya's comments:
  - Explicitly set acl_observation_stage enum values.
- Added Dumitru's ack
---
 include/ovn/logical-fields.h |   2 +
 lib/logical-fields.c         |   8 +
 northd/northd.c              | 252 +++++++++++++++++++-------
 tests/ovn-northd.at          | 341 ++++++++++++++++++++++++++++++-----
 tests/ovn.at                 |   2 +
 tests/system-ovn.at          |  10 +-
 6 files changed, 506 insertions(+), 109 deletions(-)

diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index ce79b501cf..d6c4a9b6b3 100644
--- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -197,6 +197,8 @@ const struct ovn_field *ovn_field_from_name(const char *name); #define OVN_CT_NATTED_BIT 1 #define OVN_CT_LB_SKIP_SNAT_BIT 2 #define OVN_CT_LB_FORCE_SNAT_BIT 3 +#define OVN_CT_OBS_STAGE_1ST_BIT 4 +#define OVN_CT_OBS_STAGE_END_BIT 5 #define OVN_CT_BLOCKED 1 #define OVN_CT_NATTED 2 diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 0c187e1c84..134d2674fd 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -165,6 +165,14 @@ ovn_init_symtab(struct shash *symtab) OVN_CT_STR(OVN_CT_LB_FORCE_SNAT_BIT) "]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_stage", NULL, + "ct_mark[" + OVN_CT_STR(OVN_CT_OBS_STAGE_1ST_BIT) ".." + OVN_CT_STR(OVN_CT_OBS_STAGE_END_BIT) + "]", + WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_collector_id", NULL, + "ct_mark[16..23]", WR_CT_COMMIT); expr_symtab_add_field_scoped(symtab, "ct_label", MFF_CT_LABEL, NULL, false, WR_CT_COMMIT); diff --git a/northd/northd.c b/northd/northd.c index 34cd1f7a82..ee2205efb4 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -144,8 +144,20 @@ static bool vxlan_mode; #define REGBIT_ACL_VERDICT_ALLOW "reg8[16]" #define REGBIT_ACL_VERDICT_DROP "reg8[17]" #define REGBIT_ACL_VERDICT_REJECT "reg8[18]" +#define REGBIT_ACL_OBS_STAGE "reg8[19..20]" #define REG_ACL_TIER "reg8[30..31]" +enum acl_observation_stage { + ACL_OBS_FROM_LPORT = 0, + ACL_OBS_FROM_LPORT_AFTER_LB = 1, + ACL_OBS_TO_LPORT = 2, + ACL_OBS_STAGE_MAX +}; + +/* enum acl_observation_stage_t values must fit in the 2 bits of + * REGBIT_ACL_OBS_STAGE .*/ +BUILD_ASSERT_DECL(ACL_OBS_STAGE_MAX < (1 << 2)); + /* Indicate that this packet has been recirculated using egress * loopback. This allows certain checks to be bypassed, such as a * logical router dropping packets with source IP address equals 
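Review bot: in the lib/logical-fields.c hunk `ct_mark.obs_stage` is built from the new OVN_CT_OBS_STAGE_1ST_BIT/OVN_CT_OBS_STAGE_END_BIT macros, but `ct_mark.obs_collector_id` hard-codes "ct_mark[16..23]"; define the collector-id bit range in include/ovn/logical-fields.h next to the other OVN_CT_* bits and use OVN_CT_STR() for both, so the ct_mark layout lives in one place. The diffstat shows no documentation change, so the new ct_mark allocation (bits 4..5 and 16..23 are now taken) should also be recorded wherever the existing ct_mark fields are described.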
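Review bot: in the northd/northd.c @@ -144 hunk the comment above BUILD_ASSERT_DECL refers to `enum acl_observation_stage_t`, but the enum is declared as `acl_observation_stage` (no `_t`), and the comment ends with a stray space before the period (" .*/"); fix both. The assertion itself correctly ties ACL_OBS_STAGE_MAX to the two bits of REGBIT_ACL_OBS_STAGE ("reg8[19..20]"); a one-line note that the same value is persisted into the two-bit ct_mark.obs_stage field, so both widths must stay in sync, would make the constraint complete.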
@@ -189,6 +201,8 @@ static bool vxlan_mode; * domain and point ID. */ #define REG_OBS_POINT_ID_NEW "reg3" #define REG_OBS_POINT_ID_EST "reg9" +#define REG_OBS_COLLECTOR_ID_NEW "reg8[0..7]" +#define REG_OBS_COLLECTOR_ID_EST "reg8[8..15]" /* Register used for temporarily store ECMP eth.src to avoid masked ct_label * access. It doesn't really occupy registers because the content of the @@ -228,12 +242,13 @@ static bool vxlan_mode; * +----+----------------------------------------------+ G | | * | R7 | UNUSED | 1 | | * +----+----------------------------------------------+---+-----------------------------------+ - * | | LB_AFF_MATCH_PORT | - * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | - * +----+----------------------------------------------+ - * | R9 | OBS_POINT_ID_EST | - * | | (>= ACL_EVAL* && <= ACL_ACTION*) | - * +----+----------------------------------------------+ + * | R8 | LB_AFF_MATCH_PORT | X | REG_OBS_COLLECTOR_ID_NEW | + * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | R | REG_OBS_COLLECTOR_ID_EST | + * | | | E | (>= ACL_EVAL* && <= ACL_ACTION*) | + * +----+----------------------------------------------+ G +-----------------------------------+ + * | R9 | OBS_POINT_ID_EST | 4 | | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | | | + * +----+----------------------------------------------+---+-----------------------------------+ * * Logical Router pipeline: * +-----+---------------------------+---+-----------------+---+------------------------------------+ @@ -6532,7 +6547,8 @@ build_acl_sample_action(struct ds *actions, const struct nbrec_acl *acl, static void build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, const struct nbrec_sample *sample_new, - const struct nbrec_sample *sample_est) + const struct nbrec_sample *sample_est, + enum acl_observation_stage obs_stage) { if (!acl->label && !sample_new && !sample_est) { return; 
@@ -6540,6 +6556,8 @@ build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, uint32_t point_id_new = 0; uint32_t point_id_est = 0; + uint8_t collector_id_new = 0; + uint8_t collector_id_est = 0; if (acl->label) { point_id_new = acl->label; @@ -6547,16 +6565,27 @@ build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, } else { if (sample_new) { point_id_new = sample_new->metadata; + if (sample_new->n_collectors == 1) { + collector_id_new = sample_new->collectors[0]->set_id; + } } if (sample_est) { point_id_est = sample_est->metadata; + if (sample_est->n_collectors == 1) { + collector_id_est = sample_est->collectors[0]->set_id; + } } } ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " REG_OBS_POINT_ID_NEW " = %"PRIu32"; " - REG_OBS_POINT_ID_EST " = %"PRIu32"; ", - point_id_new, point_id_est); + REG_OBS_POINT_ID_EST " = %"PRIu32"; " + REG_OBS_COLLECTOR_ID_NEW " = %"PRIu8"; " + REG_OBS_COLLECTOR_ID_EST " = %"PRIu8"; " + REGBIT_ACL_OBS_STAGE " = %"PRIu8"; ", + point_id_new, point_id_est, + collector_id_new, collector_id_est, + (uint8_t) obs_stage); } /* This builds an ACL logical flow specific match that selects traffic 
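Review bot: in the build_acl_sample_label_action hunk collector_id_new and collector_id_est stay 0 whenever a sample has more than one collector, and the generic flows added later match on `REG_OBS_COLLECTOR_ID_NEW == set_id`. That makes 0 an implicit "no generic sampling" marker, which only holds if Sample_Collector.set_id can never be 0 in the northbound schema; please confirm that constraint or reserve 0 explicitly in a comment, otherwise a multi-collector ACL and a single-collector ACL whose collector has set_id 0 carry the same register value into the ACL_SAMPLE stage. The assignment `collector_id_new = sample_new->collectors[0]->set_id;` also narrows the schema integer to uint8_t silently; an explicit cast with a comment on the expected 0..255 range would make the intent clear.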
@@ -6604,46 +6633,16 @@ build_acl_sample_label_match(struct ds *match, const struct nbrec_acl *acl, } /* This builds a logical flow that samples and forwards/drops traffic - * that hit a stateless ACL ("pass" or "allow-stateless") that has sampling - * enabled. - */ -static void -build_acl_sample_new_stateless_flows(const struct ovn_datapath *od, - struct lflow_table *lflows, - enum ovn_stage stage, - struct ds *match, struct ds *actions, - const struct nbrec_acl *acl, - uint8_t sample_domain_id, - struct lflow_ref *lflow_ref) -{ - if (!acl->sample_new) { - return; - } - - ds_clear(actions); - ds_clear(match); - - ds_put_cstr(match, "ip && "); - build_acl_sample_register_match(match, acl, acl->sample_new); - - build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); - - ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), - ds_cstr(actions), lflow_ref); -} - -/* This builds a logical flow that samples and forwards/drops traffic - * that created a new conntrack entry and hit a stateful ACL that has sampling - * enabled. + * that hit a stateless/stateful ACL that has sampling enabled. */ static void -build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, - struct lflow_table *lflows, - enum ovn_stage stage, - struct ds *match, struct ds *actions, - const struct nbrec_acl *acl, - uint8_t sample_domain_id, - struct lflow_ref *lflow_ref) +build_acl_sample_new_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, bool stateful, + struct lflow_ref *lflow_ref) { if (!acl->sample_new) { return; 
@@ -6652,7 +6651,7 @@ build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, ds_clear(actions); ds_clear(match); - ds_put_cstr(match, "ip && ct.new && "); + ds_put_format(match, "ip %s&& ", stateful ? "&& ct.new " : ""); build_acl_sample_register_match(match, acl, acl->sample_new); build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); 
@@ -6753,6 +6752,101 @@ build_acl_sample_est_stateful_flows(const struct ovn_datapath *od, static void build_acl_reject_action(struct ds *actions, bool is_ingress); +/* This builds a generic logical flow that samples traffic + * that hit a stateless/stateful ACL that has sampling enabled with + * single collector and all chassis supporting the sample with match action. + */ +static void +build_acl_sample_generic_new_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + enum acl_observation_stage obs_stage, + struct ds *match, struct ds *actions, + const struct nbrec_sample_collector *coll, + uint8_t sample_domain_id, bool stateful, + struct lflow_ref *lflow_ref) +{ + ds_clear(match); + ds_clear(actions); + + ds_put_format(match, "ip %s&& "REG_OBS_COLLECTOR_ID_NEW" == %"PRIu8" && " + REGBIT_ACL_OBS_STAGE " == %"PRIu8, + stateful ? "&& ct.new " : "", + (uint8_t) coll->set_id, + (uint8_t) obs_stage); + + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point="REG_OBS_POINT_ID_NEW");" + " next;", + (uint16_t) coll->probability, + (uint8_t) coll->set_id, + sample_domain_id); + + ovn_lflow_add(lflows, od, stage, stateful ? 1000 : 900, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a generic logical flow that samples established traffic + * that hit a stateful ACL that has sampling enabled with + * single collector and all chassis supporting the sample with match action. 
+ */ +static void +build_acl_sample_generic_est_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + enum acl_observation_stage obs_stage, + struct ds *match, struct ds *actions, + const struct nbrec_sample_collector *coll, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(match); + ds_clear(actions); + + ds_put_cstr(match, "ip && ct.trk && (ct.est || ct.rel) && " + "ct_label.obs_unused == 0 && "); + + size_t match_len = match->length; + ds_put_format(match, "!ct.rpl && ct_mark.obs_collector_id == %"PRIu8" && " + "ct_mark.obs_stage == %"PRIu8, + (uint8_t) coll->set_id, + (uint8_t) obs_stage); + + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point=ct_label.obs_point_id);" + " next;", + (uint16_t) coll->probability, + (uint8_t) coll->set_id, + sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1000, ds_cstr(match), + ds_cstr(actions), lflow_ref); + + enum ovn_stage rpl_stage = (stage == S_SWITCH_OUT_ACL_SAMPLE + ? S_SWITCH_IN_ACL_SAMPLE + : S_SWITCH_OUT_ACL_SAMPLE); + + ds_truncate(match, match_len); + ds_put_format(match, "ct.rpl && ct_mark.obs_collector_id == %"PRIu8, + (uint8_t) coll->set_id); + + ovn_lflow_add(lflows, od, rpl_stage, 1000, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* Check if the smaple has only single collector and the sample action + * with registers is supported. */ +static bool +acl_use_generic_sample_flows(const struct nbrec_sample *sample, + const struct chassis_features *features) +{ + return sample && sample->n_collectors == 1 && features->sample_with_reg; +} + /* This builds all ACL sampling related logical flows: * - for packets creating new connections * - for packets that are part of an existing connection 
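Review bot: in build_acl_sample_generic_new_flows and build_acl_sample_generic_est_flows the format string pairs `"obs_domain=%"PRIu32","` with `sample_domain_id`, a uint8_t; it works through integer promotion, but the specifier should be PRIu8 to match the argument, as the collector fields in the same call already do with `(uint8_t) coll->set_id`. Three smaller points in this hunk: both function comments say "sample with match action" while the feature being gated is `features->sample_with_reg`; the comment on acl_use_generic_sample_flows has "smaple"; and the choice of priority 900 for stateless versus 1000 for stateful generic flows, both below the 1100 the removed per-ACL stateless flow used, deserves a comment spelling out the intended precedence. In the est variant, a short note on why the `ct.rpl` flow installed in rpl_stage matches only `ct_mark.obs_collector_id` and not `ct_mark.obs_stage` would also help the next reader.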
@@ -6764,6 +6858,7 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, const struct nbrec_acl *acl, struct ds *match, struct ds *actions, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_ref *lflow_ref) { bool should_sample_established = @@ -6787,13 +6882,17 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, bool ingress = !strcmp(acl->direction, "from-lport") ? true : false; enum ovn_stage stage; + enum acl_observation_stage obs_stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { stage = S_SWITCH_IN_ACL_AFTER_LB_SAMPLE; + obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB; } else if (ingress) { stage = S_SWITCH_IN_ACL_SAMPLE; + obs_stage = ACL_OBS_FROM_LPORT; } else { stage = S_SWITCH_OUT_ACL_SAMPLE; + obs_stage = ACL_OBS_TO_LPORT; } uint8_t sample_new_domain_id = sampling_app_get_id(sampling_apps, 
@@ -6801,14 +6900,28 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, uint8_t sample_est_domain_id = sampling_app_get_id(sampling_apps, SAMPLING_APP_ACL_EST); + if (acl_use_generic_sample_flows(acl->sample_new, features)) { + build_acl_sample_generic_new_flows(od, lflows, stage, obs_stage, + match, actions, + acl->sample_new->collectors[0], + sample_new_domain_id, + stateful_match, lflow_ref); + } else { + build_acl_sample_new_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, stateful_match, + lflow_ref); + } + if (!stateful_match) { - build_acl_sample_new_stateless_flows(od, lflows, stage, match, actions, - acl, sample_new_domain_id, - lflow_ref); + return; + } + + if (acl_use_generic_sample_flows(acl->sample_est, features)) { + build_acl_sample_generic_est_flows(od, lflows, stage, obs_stage, + match, actions, + acl->sample_est->collectors[0], + sample_est_domain_id, lflow_ref); } else { - build_acl_sample_new_stateful_flows(od, lflows, stage, match, actions, - acl, sample_new_domain_id, - lflow_ref); build_acl_sample_est_stateful_flows(od, lflows, stage, match, actions, acl, sample_est_domain_id, lflow_ref); @@ -6840,13 +6953,17 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, { bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; enum ovn_stage stage; + enum acl_observation_stage obs_stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { stage = S_SWITCH_IN_ACL_AFTER_LB_EVAL; + obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB; } else if (ingress) { stage = S_SWITCH_IN_ACL_EVAL; + obs_stage = ACL_OBS_FROM_LPORT; } else { stage = S_SWITCH_OUT_ACL_EVAL; + obs_stage = ACL_OBS_TO_LPORT; } const char *verdict; 
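Review bot: the stage-to-observation-stage mapping added to consider_acl in the @@ -6840 hunk duplicates the one added to build_acl_sample_flows in the @@ -6787 hunk (same apply-after-lb / ingress / egress conditions, same ACL_OBS_* results). Factor it into a small helper, for example `acl_observation_stage_get(const struct nbrec_acl *acl)` returning the enum, so the two call sites cannot drift, and let the helper own the "apply-after-lb" option lookup.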
@@ -6880,7 +6997,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, || !strcmp(acl->action, "allow-stateless")) { /* For stateless ACLs just sample "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); @@ -6919,7 +7037,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, - acl->sample_est); + acl->sample_est, obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6943,7 +7061,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, - acl->sample_est); + acl->sample_est, obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6963,7 +7081,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); /* For drop ACLs just sample all packets as "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), 
@@ -6986,7 +7105,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); /* For drop ACLs just sample all packets as "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -7232,6 +7352,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, const struct ls_port_group_table *ls_port_groups, const struct shash *meter_groups, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_ref *lflow_ref) { const char *default_acl_action = default_acl_drop @@ -7424,7 +7545,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, - &match, &actions, sampling_apps, lflow_ref); + &match, &actions, sampling_apps, + features, lflow_ref); } const struct ls_port_group *ls_pg = @@ -7443,7 +7565,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, &match, &actions, lflow_ref); build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, &match, &actions, sampling_apps, - lflow_ref); + features, lflow_ref); } } } @@ -8106,6 +8228,8 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, ds_put_cstr(&actions, "ct_commit { " "ct_mark.blocked = 0; " + "ct_mark.obs_stage = " REGBIT_ACL_OBS_STAGE "; " + "ct_mark.obs_collector_id = " REG_OBS_COLLECTOR_ID_EST "; " "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; " "}; next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, 
@@ -16156,6 +16280,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, const struct ls_port_group_table *ls_pgs, const struct shash *meter_groups, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_table *lflows) { build_ls_stateful_rec_pre_acls(ls_stateful_rec, od, ls_pgs, lflows, @@ -16165,7 +16290,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, build_acl_hints(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); build_acls(ls_stateful_rec, od, lflows, ls_pgs, meter_groups, - sampling_apps, ls_stateful_rec->lflow_ref); + sampling_apps, features, ls_stateful_rec->lflow_ref); build_lb_hairpin(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); } @@ -16482,6 +16607,7 @@ build_lflows_thread(void *arg) lsi->ls_port_groups, lsi->meter_groups, lsi->sampling_apps, + lsi->features, lsi->lflows); } } @@ -16705,6 +16831,7 @@ build_lswitch_and_lrouter_flows( build_ls_stateful_flows(ls_stateful_rec, od, lsi.ls_port_groups, lsi.meter_groups, lsi.sampling_apps, + lsi.features, lsi.lflows); } stopwatch_stop(LFLOWS_LS_STATEFUL_STOPWATCH_NAME, time_msec()); @@ -17220,6 +17347,7 @@ lflow_handle_ls_stateful_changes(struct ovsdb_idl_txn *ovnsb_txn, lflow_input->ls_port_groups, lflow_input->meter_groups, lflow_input->sampling_apps, + lflow_input->features, lflows); /* Sync the new flows to SB. */ diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index d5fcde68fb..7e519a7878 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -4609,7 +4609,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4633,7 +4633,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) } 
@@ -4676,7 +4676,7 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4697,7 +4697,7 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # LB with event=false and reject=false 
@@ -4726,23 +4726,23 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] 
= 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # Add new ACL without label 
@@ -4753,27 +4753,27 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), 
priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # Delete new ACL with label 
@@ -4790,7 +4790,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl @@ -4800,7 +4800,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP ]) 
@@ -4828,7 +4828,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([from-lport --apply-after-lb allow-related ACL]) @@ -4836,7 +4836,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([to-lport allow-related ACL]) @@ -4844,7 +4844,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AT_CLEANUP 
@@ -7680,7 +7680,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) @@ -7735,7 +7735,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) 
@@ -7790,7 +7790,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP 
@@ -12609,8 +12609,8 @@ AS_BOX([from-lport ACL sampling (new, est)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) 
@@ -12621,7 +12621,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); 
@@ -12639,8 +12639,8 @@ AS_BOX([from-lport ACL sampling (new)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) 
@@ -12649,7 +12649,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); 
@@ -12666,8 +12666,8 @@ AS_BOX([from-lport-after-lb ACL sampling (new, est)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) 
@@ -12678,7 +12678,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); 
@@ -12696,8 +12696,8 @@ AS_BOX([from-lport-after-lb ACL sampling (new)]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) 
@@ -12706,7 +12706,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=2,obs_domain=42,obs_point=4301); 
@@ -12725,8 +12725,8 @@ check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12735,7 +12735,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg9 = 4302; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); 
@@ -12755,8 +12755,8 @@ check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls to-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) ]) 
@@ -12764,7 +12764,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg9 = 0; sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); 
@@ -12781,6 +12781,263 @@ AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL Sampling - Generic sample]) +AT_KEYWORDS([acl]) + +ovn_start + +collector1=$(ovn-nbctl create Sample_Collector name=test-collector1 probability=65535 set_id=1) +check_row_count nb:Sample_Collector 1 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +sample1=$(ovn-nbctl create Sample collector="$collector1" metadata=4301) +sample2=$(ovn-nbctl create Sample collector="$collector1" metadata=4302) +check_row_count nb:Sample 2 + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 00:00:00:00:00:01 \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 00:00:00:00:00:02 +check ovn-nbctl --wait=sb sync + +base_flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.2" +m4_define([TRACE_FILTER], [grep -e sample -e commit -e reg9 -e 'reg8\[[0..7\]]' -e 'reg8\[[8..15\]]' | grep -v _sample | sort]) + +AS_BOX([ACL sampling without register support]) +check ovn-sbctl chassis-add gw1 geneve 127.0.0.1 \ + -- set chassis gw1 other_config:ovn-sample-with-registers="false" + +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; 
reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. 
+flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=43,obs_point=4302); +]) + +check ovn-sbctl set chassis gw1 other_config:ovn-sample-with-registers="true" + + +AS_BOX([from-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([from-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), 
action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; +]) + +AS_BOX([from-lport-after-lb ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 --sample-est=$sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk 
&& (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. 
+flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([from-lport-after-lb ACL sampling (new)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --apply-after-lb --sample-new=$sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. 
+flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; +]) + +AS_BOX([to-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 --sample-est=$sample2 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && 
ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=1,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([to-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +check ovn-nbctl --wait=sb --sample-new=$sample1 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), 
action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=1,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start diff --git a/tests/ovn.at b/tests/ovn.at index f1fc29503f..c8aedfddfc 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -336,6 +336,8 @@ ct_mark.blocked = ct_mark[0] ct_mark.ecmp_reply_port = ct_mark[16..31] ct_mark.force_snat = ct_mark[3] ct_mark.natted = ct_mark[1] +ct_mark.obs_collector_id = ct_mark[16..23] +ct_mark.obs_stage = ct_mark[4..5] ct_mark.skip_snat = ct_mark[2] ct_state = NXM_NX_CT_STATE ]]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 4b693e51f6..a05f1eb156 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at 
@@ -7724,7 +7724,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,mark=32,labels=0x4d3000000000000000000000000 icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone= ]) @@ -7851,7 +7851,7 @@ NS_CHECK_EXEC([sw0-p1], [ping -q -c 10 -i 0.3 -w 15 10.0.0.4 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.4) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d2[[0-9a-f]]*/labels=0x4d2000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d2000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d2000000000000000000000000 icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone= ]) 
@@ -7866,7 +7866,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,mark=32,labels=0x4d3000000000000000000000000 icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone= ]) @@ -8081,7 +8081,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.3) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d2[[0-9a-f]]*/labels=0x4d2000000000000000000000000/' | sort], [0], [dnl icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone= -icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d2000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d2000000000000000000000000 ]) # Add a higher priority ACL with different label. 
@@ -8097,7 +8097,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.3) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/' | sort], [0], [dnl icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone= -icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d3000000000000000000000000 ]) OVS_APP_EXIT_AND_WAIT([ovn-controller])
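Review bot: the dnl comment "Trace estasblished connections." in the tests/ovn-northd.at hunk misspells "established" and is repeated three times (in the from-lport, from-lport-after-lb and to-lport "(new, est)" cases); please change it to `dnl Trace established connections.` to match the spelling already used in the "(new)" cases. While there, the to-lport traces pass `--ct new --ct new` and `--ct est --ct est`, and the expected output shows two `ct_commit` actions (one carrying the obs fields and a bare `ct_commit { ct_mark.blocked = 0; };`); a one-line dnl comment stating that a to-lport ACL is reached through two conntrack passes (ingress and egress) would make the doubled option read as deliberate rather than as a copy-paste slip.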
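Review bot: in the tests/ovn.at hunk the new `ct_mark.obs_collector_id = ct_mark[16..23]` overlaps the existing `ct_mark.ecmp_reply_port = ct_mark[16..31]` shown as context two lines above. If the sharing is intentional because ecmp_reply_port is only committed on router datapaths and the sampling fields only by logical switch ACL flows, that invariant deserves a comment next to the symbol table, since a future change that commits both fields on the same datapath would silently clobber one of them. `ct_mark.obs_stage = ct_mark[4..5]` does not collide with any other field in the list, so only the collector id needs attention.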
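Review bot: the five tests/system-ovn.at hunks (@@ -7724, -7851, -7866, -8081 and -8097) hard-code `mark=32` and `mark=16` in the expected `dpctl/dump-conntrack` output while the same checks mask `zone=` and truncate `labels=` with sed. Given `ct_mark.obs_stage = ct_mark[4..5]` from the tests/ovn.at hunk, 16 decodes to obs_stage 1 and 32 to obs_stage 2 with every other mark bit clear; either add a short comment saying so, so that the next person who touches the ct_mark layout knows why these constants change, or normalise `mark=` the way `zone=` is normalised if the purpose of these checks is only the label value.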