From patchwork Tue Aug 6 09:44:43 2024
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1969400
From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Tue, 6 Aug 2024 11:44:43 +0200 Message-ID: <20240806094451.730622-2-dceara@redhat.com> In-Reply-To: <20240806094451.730622-1-dceara@redhat.com> References: <20240806094451.730622-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v6 1/9] northd: Fix up logical flow documentation for QoS. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" When the QoS stages were merged the documentation wasn't updated properly. Also fix up some small style issues in the northd code itself. Fixes: 5dd573757699 ("Merge QoS logical pipelines.") Acked-by: Numan Siddique Signed-off-by: Dumitru Ceara --- V6: - Removed Ales' ack. V5: - Added acks from Ales and Numan --- northd/northd.c | 11 +++-- northd/ovn-northd.8.xml | 92 +++++++++++++---------------------------- 2 files changed, 34 insertions(+), 69 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index a8a0b6f94c..fbfd5a7f35 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -7137,7 +7137,6 @@ build_qos(struct ovn_datapath *od, struct lflow_table *lflows, } } if (rate) { - stage = ingress ? S_SWITCH_IN_QOS : S_SWITCH_OUT_QOS; if (burst) { ds_put_format(&action, "set_meter(%"PRId64", %"PRId64"); ", @@ -7164,11 +7163,11 @@ build_qos(struct ovn_datapath *od, struct lflow_table *lflows, qos->value_action[j]); } } - ds_put_cstr(&action, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - qos->priority, - qos->match, ds_cstr(&action), - &qos->header_, lflow_ref); + ds_put_cstr(&action, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, + qos->priority, + qos->match, ds_cstr(&action), + &qos->header_, lflow_ref); } ds_destroy(&action); } 
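Review bot: with `stage = ingress ? S_SWITCH_IN_QOS : S_SWITCH_OUT_QOS;` removed from the `if (rate)` block in the first northd.c hunk, `stage` is still passed to `ovn_lflow_add_with_hint()` in the second hunk, and the context shown does not include where it is now assigned; please confirm it is set once, before the rate/marking handling, for the merged QoS stage. The commit message only says "small style issues", so a one-line mention that the per-rate reassignment became redundant when the pipelines were merged would help whoever reads the log later. The re-indentation of the `ds_put_cstr(&action, "next;");` / `ovn_lflow_add_with_hint(...)` block is otherwise a pure whitespace change.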
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index b06b09ac5f..ba85e4bfd7 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -907,48 +907,21 @@ -

Ingress Table 10: from-lport QoS Marking

+

Ingress Table 10: from-lport QoS

Logical flows in this table closely reproduce those in the - QoS table with the action column set in - the OVN_Northbound database for the + QoS table with the action or + bandwidth column set in the + OVN_Northbound database for the from-lport direction.

  • - For every qos_rules entry in a logical switch with DSCP marking - enabled, a flow will be added at the priority mentioned in the - QoS table. -
  • - -
  • - For every qos_rules entry in a logical switch with packet marking - enabled, a flow will be added at the priority mentioned in the - QoS table. -
  • - -
  • - One priority-0 fallback flow that matches all packets and advances to - the next table. -
  • -
- -

Ingress Table 11: from-lport QoS Meter

- -

- Logical flows in this table closely reproduce those in the - QoS table with the bandwidth column set - in the OVN_Northbound database for the - from-lport direction. -

- -
    -
  • - For every qos_rules entry in a logical switch with metering - enabled, a flow will be added at the priority mentioned in the - QoS table. + For every qos_rules entry in a logical switch with DSCP marking, + packet marking or metering enabled a flow will be added at the priority + mentioned in the QoS table.
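Review bot: a comma is missing in the merged bullet of the ovn-northd.8.xml hunk: "with DSCP marking, packet marking or metering enabled a flow will be added" should read "... or metering enabled, a flow will be added ...". The remaining xml hunks are the renumbering that follows from folding the QoS Meter table into the QoS table, and they look consistent (ingress tables 12..28 become 11..27, egress tables 8..10 become 7..9).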
  • @@ -957,7 +930,7 @@
-

Ingress Table 12: Load balancing affinity check

+

Ingress Table 11: Load balancing affinity check

Load balancing affinity check table contains the following @@ -985,7 +958,7 @@ -

Ingress Table 13: LB

+

Ingress Table 12: LB

  • @@ -1065,7 +1038,7 @@
-

Ingress Table 14: Load balancing affinity learn

+

Ingress Table 13: Load balancing affinity learn

Load balancing affinity learn table contains the following @@ -1096,7 +1069,7 @@ -

Ingress Table 15: Pre-Hairpin

+

Ingress Table 14: Pre-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1114,7 +1087,7 @@
-

Ingress Table 16: Nat-Hairpin

+

Ingress Table 15: Nat-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1149,7 +1122,7 @@
-

Ingress Table 17: Hairpin

+

Ingress Table 16: Hairpin

  • @@ -1187,7 +1160,7 @@

-

Ingress table 18: from-lport ACL evaluation after LB

+

Ingress table 17: from-lport ACL evaluation after LB

Logical flows in this table closely reproduce those in the @@ -1272,7 +1245,7 @@ -

Ingress Table 19: from-lport ACL action after LB

+

Ingress Table 18: from-lport ACL action after LB

Logical flows in this table decide how to proceed based on the values of @@ -1312,7 +1285,7 @@ -

Ingress Table 20: Stateful

+

Ingress Table 19: Stateful

  • @@ -1335,7 +1308,7 @@
-

Ingress Table 21: ARP/ND responder

+

Ingress Table 20: ARP/ND responder

This table implements ARP/ND responder in a logical switch for known @@ -1670,7 +1643,7 @@ output; -

Ingress Table 22: DHCP option processing

+

Ingress Table 21: DHCP option processing

This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1731,7 +1704,7 @@ next; -

Ingress Table 23: DHCP responses

+

Ingress Table 22: DHCP responses

This table implements DHCP responder for the DHCP replies generated by @@ -1812,7 +1785,7 @@ output; -

Ingress Table 24 DNS Lookup

+

Ingress Table 23 DNS Lookup

This table looks up and resolves the DNS names to the corresponding @@ -1841,7 +1814,7 @@ reg0[4] = dns_lookup(); next; -

Ingress Table 25 DNS Responses

+

Ingress Table 24 DNS Responses

This table implements DNS responder for the DNS replies generated by @@ -1876,7 +1849,7 @@ output; -

Ingress table 26 External ports

+

Ingress table 25 External ports

Traffic from the external logical ports enter the ingress @@ -1919,7 +1892,7 @@ output; -

Ingress Table 27 Destination Lookup

+

Ingress Table 26 Destination Lookup

This table implements switching behavior. It contains these logical @@ -2117,7 +2090,7 @@ output; -

Ingress Table 28 Destination unknown

+

Ingress Table 27 Destination unknown

This table handles the packets whose destination was not found or @@ -2330,28 +2303,21 @@ output; This is similar to ingress table ACL action.

-

Egress Table 6: to-lport QoS Marking

- -

- This is similar to ingress table QoS marking except - they apply to to-lport QoS rules. -

- -

Egress Table 7: to-lport QoS Meter

+

Egress Table 6: to-lport QoS

- This is similar to ingress table QoS meter except + This is similar to ingress table QoS except they apply to to-lport QoS rules.

-

Egress Table 8: Stateful

+

Egress Table 7: Stateful

This is similar to ingress table Stateful except that there are no rules added for load balancing new connections.

-

Egress Table 9: Egress Port Security - check

+

Egress Table 8: Egress Port Security - check

This is similar to the port security logic in table @@ -2380,7 +2346,7 @@ output; -

Egress Table 10: Egress Port Security - Apply

+

Egress Table 9: Egress Port Security - Apply

This is similar to the ingress port security logic in ingress table
From patchwork Tue Aug 6 09:44:44 2024
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1969401
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Date: Tue, 6 Aug 2024 11:44:44 +0200
Message-ID: <20240806094451.730622-3-dceara@redhat.com>
In-Reply-To: <20240806094451.730622-1-dceara@redhat.com>
References: <20240806094451.730622-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v6 2/9] northd: Commit from-lport ACL label (and state) when LBs are used.
Cc: i.maximets@ovn.org

Quoting the ACL label section in the ovn.nb.5 man page:

    Associates an identifier with the ACL. The same value will be written to corresponding connection tracker entry. The value should be a valid 32-bit unsigned integer. This value can help in debugging from connection tracker side. For example, through this "label" we can backtrack to the ACL rule which is causing a "leaked" connection. Connection tracker entries are created only for allowed connections so the label is valid only for allow and allow-related actions.

The above states that the ACL label must always be stored in the connection tracker entry label for allow-related ACLs (regardless of the direction of the ACL). However, since 74d82e296f80 ("northd: Support the option to apply from-lport ACLs after load balancer."), the connection is not re-committed in the ls_in_stateful stage (because it already was committed as part of the load balancer DNAT).

Moreover, by not re-committing the connection after LB we also risk not re-setting any potential ct_mark.blocked value the connection might have.

This patch addresses the issue by always committing packets matched by allow-related (or stateful in general) ACLs even if they were also committed as part of the load balancing stage.
There's potentially a slight overhead when doing this (an additional commit call into conntrack but _no_ recirculation). This is however acceptable as it is required for a correct packet processing pipeline implementation. Even without this fix, packets creating new connections that hit "--apply-after-lb" ACLs trigger a re-commit (for storing the label and ct_mark.blocked). A new test is added to ensure we don't break this functionality in the future. CC: Numan Siddique Fixes: 74d82e296f80 ("northd: Support the option to apply from-lport ACLs after load balancer.") Acked-by: Mark Michelson Acked-by: Numan Siddique Signed-off-by: Dumitru Ceara --- V4: - Addressed Mark's comment: - fixed up build_lb_affinity_ls_flows() comment - Added Mark's and Numan's acks. --- northd/northd.c | 14 ++---- tests/ovn-northd.at | 110 +++++++++++++++++++++++++++++++------------- tests/ovn.at | 4 +- 3 files changed, 84 insertions(+), 44 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index fbfd5a7f35..8b4ef1403a 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -7437,14 +7437,12 @@ build_lb_affinity_lr_flows(struct lflow_table *lflows, * table=ls_in_lb, priority=150 * match=(REGBIT_KNOWN_LB_SESSION == 1 && ct.new && ip4.dst == V * && REG_LB_AFF_BACKEND_IP4 == B1 && REG_LB_AFF_MATCH_PORT == BP1) - * action=(REGBIT_CONNTRACK_COMMIT = 0; - * REG_ORIG_DIP_IPV4 = V; REG_ORIG_TP_DPORT = VP; + * action=(REG_ORIG_DIP_IPV4 = V; REG_ORIG_TP_DPORT = VP; * ct_lb_mark(backends=B1:BP1);) * table=ls_in_lb, priority=150 * match=(REGBIT_KNOWN_LB_SESSION == 1 && ct.new && ip4.dst == V * && REG_LB_AFF_BACKEND_IP4 == B2 && REG_LB_AFF_MATCH_PORT == BP2) - * action=(REGBIT_CONNTRACK_COMMIT = 0; - * REG_ORIG_DIP_IPV4 = V; + * action=(REG_ORIG_DIP_IPV4 = V; * REG_ORIG_TP_DPORT = VP; * ct_lb_mark(backends=B1:BP2);) * 
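Review bot: while this comment block in build_lb_affinity_lr_flows() is being edited, its second example still documents `ct_lb_mark(backends=B1:BP2);` for the flow that matches `REG_LB_AFF_BACKEND_IP4 == B2 && REG_LB_AFF_MATCH_PORT == BP2`; that looks like a pre-existing typo for `B2:BP2` and is worth fixing in the same hunk so the documented action matches the match condition next to it.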
@@ -7514,8 +7512,7 @@ build_lb_affinity_ls_flows(struct lflow_table *lflows, ipv6 ? REG_LB_L2_AFF_BACKEND_IP6 : REG_LB_AFF_BACKEND_IP4; /* Prepare common part of affinity LB and affinity learn action. */ - ds_put_format(&aff_action, REGBIT_CONNTRACK_COMMIT" = 0; %s = %s; ", - reg_vip, lb_vip->vip_str); + ds_put_format(&aff_action, "%s = %s; ", reg_vip, lb_vip->vip_str); ds_put_cstr(&aff_action_learn, "commit_lb_aff(vip = \""); if (lb_vip->port_str) { @@ -7655,11 +7652,6 @@ build_lb_rules(struct lflow_table *lflows, struct ovn_lb_datapaths *lb_dps, ds_clear(action); ds_clear(match); - /* Make sure that we clear the REGBIT_CONNTRACK_COMMIT flag. Otherwise - * the load balanced packet will be committed again in - * S_SWITCH_IN_STATEFUL. */ - ds_put_format(action, REGBIT_CONNTRACK_COMMIT" = 0; "); - /* New connections in Ingress table. */ const char *meter = NULL; bool reject = build_lb_vip_actions(lb, lb_vip, lb_vip_nb, action, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 199197f09d..27e8ec3388 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -1413,7 +1413,7 @@ check ovn-nbctl --wait=sb ls-lb-add sw0 lb1 AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) # disabled LSPs should not be a backend of Load Balancer 
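Review bot: the build_lb_rules() hunk deletes the comment that explained why `REGBIT_CONNTRACK_COMMIT` was cleared ("Otherwise the load balanced packet will be committed again in S_SWITCH_IN_STATEFUL") without leaving a replacement, and the `aff_action` change in build_lb_affinity_ls_flows() has the same gap; since the second commit is now deliberate, add a short comment at both spots saying that load-balanced packets are intentionally re-committed in S_SWITCH_IN_STATEFUL so that `ct_label.label` and `ct_mark.blocked` are written for allow-related ACLs, otherwise the next reader will be tempted to put the flag back as an optimization. The test expectations that drop `reg0[[1]] = 0;` from the ls_in_lb actions are consistent with the code change.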
@@ -1422,7 +1422,7 @@ check ovn-nbctl lsp-set-enabled sw0-p1 disabled AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=20.0.0.3:80);) ]) wait_row_count Service_Monitor 1 @@ -1431,7 +1431,7 @@ check ovn-nbctl lsp-set-enabled sw0-p1 enabled AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) wait_row_count Service_Monitor 2 @@ -1442,7 +1442,7 @@ wait_row_count Service_Monitor 0 AT_CAPTURE_FILE([sbflows2]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows2 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Create the Load_Balancer_Health_Check again.]) 
@@ -1454,7 +1454,7 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows sw0 | grep backends | grep priority=120 > lflows.txt AT_CHECK([cat lflows.txt | ovn_strip_lflows], [0], [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Get the uuid of both the service_monitor]) @@ -1464,7 +1464,7 @@ sm_sw1_p1=$(fetch_column Service_Monitor _uuid logical_port=sw1-p1) AT_CAPTURE_FILE([sbflows3]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows 3 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw1-p1 to offline]) @@ -1475,7 +1475,7 @@ check ovn-nbctl --wait=sb sync AT_CAPTURE_FILE([sbflows4]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows4 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw0-p1 to offline]) 
@@ -1504,7 +1504,7 @@ check ovn-nbctl --wait=sb sync AT_CAPTURE_FILE([sbflows7]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows7 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw1-p1 to error]) @@ -1515,7 +1515,7 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \ | grep priority=120 > lflows.txt AT_CHECK([cat lflows.txt | grep ls_in_lb | ovn_strip_lflows], [0], [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) ]) AS_BOX([Add one more vip to lb1]) @@ -1541,8 +1541,8 @@ AT_CAPTURE_FILE([sbflows9]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows9 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000);) ]) AS_BOX([Set the service monitor for sw1-p1 to online]) 
@@ -1555,8 +1555,8 @@ AT_CAPTURE_FILE([sbflows10]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows10 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) ]) AS_BOX([Associate lb1 to sw1]) @@ -1565,8 +1565,8 @@ AT_CAPTURE_FILE([sbflows11]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw1 | tee sbflows11 | grep backends | grep priority=120 | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) ]) AS_BOX([Now create lb2 same as lb1 but udp protocol.]) 
@@ -4602,8 +4602,8 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.4:8080);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.40:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl 
@@ -4805,6 +4805,51 @@ AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ovn -- ACL label commit - load balancers]) +ovn_start + +dnl One logical switch, two ports, one load balancer and ACLs with label set. +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 "00:00:00:00:00:01" \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 "00:00:00:00:00:02" \ + -- lb-add lb-test 42.42.42.42:4242 43.43.43.43:4343 udp \ + -- ls-lb-add ls lb-test + +check ovn-nbctl --wait=sb sync + +flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.42 && ip.ttl==64 && udp.dst == 4242" + +AS_BOX([from-lport allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; +]) + +AS_BOX([from-lport --apply-after-lb allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add ls from-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; +]) + +AS_BOX([to-lport allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; 
ct_label.label = reg3; }; +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV_PARALLELIZATION([ AT_SETUP([ovn -- ct.inv usage]) ovn_start @@ -7629,7 +7674,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl @@ -7684,7 +7729,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl @@ -7739,7 +7784,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl 
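Review bot: the dnl comment before the to-lport case of the new "ACL label commit - load balancers" test is copy-pasted from the from-lport cases ("committed to conntrack in the ingress pipeline") while that check greps ls_out_stateful, i.e. the egress pipeline; fix the comment so it matches what is asserted. All three cases also only verify that the commit action reads the label from reg3 (`ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; };`), not that reg3 actually carries the configured label 1234 for load-balanced traffic, so a regression that leaves reg3 unset on the LB path would still pass; consider also matching the ACL stage line that loads the label into reg3 in each case.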
@@ -9063,13 +9108,13 @@ AT_CAPTURE_FILE([S1flows]) AT_CHECK([grep "ls_in_lb " S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(ct_lb_mark(backends=10.0.0.2:8080);) ]) AT_CHECK([grep "ls_in_lb " S1flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(ct_lb_mark(backends=10.0.0.2:8080);) ]) ovn-sbctl get datapath S0 _uuid > dp_uuids 
@@ -9199,9 +9244,9 @@ AT_CHECK([grep "ls_in_lb_aff_check" S0flows | ovn_strip_lflows], [0], [dnl ]) AT_CHECK([grep "ls_in_lb " S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) - table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) ]) AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) 
@@ -10286,14 +10331,17 @@ dnl It should not commit anything in the egress pipeline of S1 or in the dnl ingress pipeline of S2. flow="inport == \"vm1\" && eth.src == 00:de:ad:01:00:01 && eth.dst == 00:de:ad:fe:00:01 && ip4.src == 173.0.1.2 && ip4.dst == 30.0.0.1 && ip.ttl==64" -dnl Check that we only commit once for ACLs, in the egress ACL pipeline -dnl (in S2, towards vm2). The original problem this test is trying to -dnl cover was that ct_state wasn't cleared when traversing from s1 -> r1 -dnl which caused two additional commits to happen: +dnl Check that we only commit twice for ACLs: +dnl - in the ingress ACL pipeline (in s1, from vm1) +dnl - in the egress ACL pipeline (in S2, towards vm2) +dnl The original problem this test is trying to cover was that ct_state +dnl wasn't cleared when traversing from s1 -> r1 which caused two additional +dnl commits to happen: dnl - in the egress pipeline of S1, when sending the packet out on s1_r1 dnl - in the ingress pipeline of S2, when processing the packet on s2_r1 AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new s1 "$flow" | grep -e ls_in_stateful -e ls_out_stateful -A 2 | grep commit], [0], [dnl ct_commit { ct_mark.blocked = 0; }; + ct_commit { ct_mark.blocked = 0; }; ]) AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index b31afbfb37..cee361188a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
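Review bot: the updated expectation in the "commit twice" test cannot tell where the two commits happen: `grep -e ls_in_stateful -e ls_out_stateful -A 2 | grep commit` strips the stage lines, so the expected output is two identical `ct_commit { ct_mark.blocked = 0; };` lines and any two commits anywhere in the trace would satisfy it, not only the ingress-in-s1 and egress-in-S2 placement the rewritten dnl comment promises. Keep the stage markers in the expected output (for example drop the final `grep commit` and match the ls_in_stateful / ls_out_stateful lines together with their commit actions) so the test pins the pipelines and not just the count. The comment also spells the same switch as both "s1" and "S1"; pick one.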
@@ -25509,7 +25509,7 @@ OVS_WAIT_FOR_OUTPUT( ovn-sbctl dump-flows sw0 | grep ct_lb_mark | grep priority=120 | sed 's/table=..//'], 0, [dnl (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;) - (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) + (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) ]) AT_CAPTURE_FILE([sbflows2]) 
@@ -25708,7 +25708,7 @@ OVS_WAIT_FOR_OUTPUT( ovn-sbctl dump-flows sw0 | grep ct_lb_mark | grep priority=120 | sed 's/table=..//'], 0, [dnl (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6.dst == 2001::a && tcp.dst == 80), action=(xxreg1 = 2001::a; reg2[[0..15]] = 80; ct_lb_mark;) - (ls_in_lb ), priority=120 , match=(ct.new && ip6.dst == 2001::a && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=[[2001::3]]:80,[[2002::3]]:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) + (ls_in_lb ), priority=120 , match=(ct.new && ip6.dst == 2001::a && tcp.dst == 80), action=(ct_lb_mark(backends=[[2001::3]]:80,[[2002::3]]:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) ]) AT_CAPTURE_FILE([sbflows2])
From patchwork Tue Aug 6 09:44:45 2024 X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969402
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Tue, 6 Aug 2024 11:44:45 +0200
Message-ID: <20240806094451.730622-4-dceara@redhat.com>
In-Reply-To: <20240806094451.730622-1-dceara@redhat.com>
References: <20240806094451.730622-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v6 3/9] northd: Add Sampling_App table.

This will represent a unified place to store IPFIX observation domain ID configurations for sampling applications (currently only drop sampling is supported as an application but following commits will add more).

Acked-by: Numan Siddique
Signed-off-by: Dumitru Ceara
---
V5:
- Addressed Ilya's and Numan's comments:
  - changed sampling_app 'name' column to 'type'
  - removed IPFIX reference from documentation
- Added Numan's ack (I removed the one from Mark because quite a few changes were introduced by the rename).
V4:
- Addressed Ales' comments:
  - fix up indentation
  - bump NB schema version
- Added Mark's ack.
---
 northd/automake.mk       |   2 +
 northd/en-lflow.c        |   5 ++
 northd/en-sampling-app.c | 117 +++++++++++++++++++++++++++++++++++++++
 northd/en-sampling-app.h |  51 +++++++++++++++++
 northd/inc-proc-northd.c |  10 +++-
 northd/northd.h          |   1 +
 ovn-nb.ovsschema         |  20 ++++++-
 ovn-nb.xml               |  16 ++++++
 tests/ovn-northd.at      |  17 ++++++
 9 files changed, 235 insertions(+), 4 deletions(-)
 create mode 100644 northd/en-sampling-app.c
 create mode 100644 northd/en-sampling-app.h
diff --git a/northd/automake.mk b/northd/automake.mk index d491973a8b..6566ad2999 100644 --- a/northd/automake.mk +++ b/northd/automake.mk
@@ -32,6 +32,8 @@ northd_ovn_northd_SOURCES = \ northd/en-lr-stateful.h \ northd/en-ls-stateful.c \ northd/en-ls-stateful.h \ + northd/en-sampling-app.c \ + northd/en-sampling-app.h \ northd/inc-proc-northd.c \ northd/inc-proc-northd.h \ northd/ipam.c \ diff --git a/northd/en-lflow.c b/northd/en-lflow.c index c4b927fb8c..eb91f2a651 100644 --- a/northd/en-lflow.c +++ b/northd/en-lflow.c @@ -25,6 +25,7 @@ #include "en-ls-stateful.h" #include "en-northd.h" #include "en-meters.h" +#include "en-sampling-app.h" #include "lflow-mgr.h" #include "lib/inc-proc-eng.h" @@ -86,6 +87,10 @@ lflow_get_input_data(struct engine_node *node, lflow_input->ovn_internal_version_changed = global_config->ovn_internal_version_changed; lflow_input->svc_monitor_mac = global_config->svc_monitor_mac; + + struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + lflow_input->sampling_apps = &sampling_app_data->apps; } void en_lflow_run(struct engine_node *node, void *data) diff --git a/northd/en-sampling-app.c b/northd/en-sampling-app.c new file mode 100644 index 0000000000..e6c816c404 --- /dev/null +++ b/northd/en-sampling-app.c 
@@ -0,0 +1,117 @@ +/* + * Copyright (c) 2024, Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include "openvswitch/vlog.h" + +#include "en-sampling-app.h" + +VLOG_DEFINE_THIS_MODULE(en_sampling_app); + +/* Static function declarations. */ +static void sampling_app_table_add(struct sampling_app_table *, + const struct nbrec_sampling_app *); +static uint8_t sampling_app_table_get_id(const struct sampling_app_table *, + enum sampling_app); +static void sampling_app_table_reset(struct sampling_app_table *); +static enum sampling_app sampling_app_get_by_type(const char *app_type); + +void * +en_sampling_app_init(struct engine_node *node OVS_UNUSED, + struct engine_arg *arg OVS_UNUSED) +{ + struct ed_type_sampling_app_data *data = xzalloc(sizeof *data); + sampling_app_table_reset(&data->apps); + return data; +} + +void +en_sampling_app_cleanup(void *data OVS_UNUSED) +{ +} + +void +en_sampling_app_run(struct engine_node *node, void *data_) +{ + const struct nbrec_sampling_app_table *nb_sampling_app_table = + EN_OVSDB_GET(engine_get_input("NB_sampling_app", node)); + struct ed_type_sampling_app_data *data = data_; + + sampling_app_table_reset(&data->apps); + + const struct nbrec_sampling_app *sa; + NBREC_SAMPLING_APP_TABLE_FOR_EACH (sa, nb_sampling_app_table) { + sampling_app_table_add(&data->apps, sa); + } + + engine_set_node_state(node, EN_UPDATED); +} + +uint8_t +sampling_app_get_id(const struct sampling_app_table *app_table, 
+ enum sampling_app app) +{ + return sampling_app_table_get_id(app_table, app); +} + +/* Static functions. */ +static void +sampling_app_table_add(struct sampling_app_table *table, + const struct nbrec_sampling_app *sa) +{ + enum sampling_app app = sampling_app_get_by_type(sa->type); + + if (app == SAMPLING_APP_MAX) { + static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); + VLOG_WARN_RL(&rl, "Unexpected Sampling_App type: %s", sa->type); + return; + } + table->app_ids[app] = sa->id; +} + +static uint8_t +sampling_app_table_get_id(const struct sampling_app_table *table, + enum sampling_app app) +{ + ovs_assert(app < SAMPLING_APP_MAX); + return table->app_ids[app]; +} + +static void +sampling_app_table_reset(struct sampling_app_table *table) +{ + for (size_t i = 0; i < SAMPLING_APP_MAX; i++) { + table->app_ids[i] = SAMPLING_APP_ID_NONE; + } +} + +static const char *app_types[] = { + [SAMPLING_APP_DROP_DEBUG] = "drop", + [SAMPLING_APP_ACL_NEW] = "acl-new", + [SAMPLING_APP_ACL_EST] = "acl-est", +}; + +static enum sampling_app +sampling_app_get_by_type(const char *app_type) +{ + for (size_t app = 0; app < ARRAY_SIZE(app_types); app++) { + if (!strcmp(app_type, app_types[app])) { + return app; + } + } + return SAMPLING_APP_MAX; +} diff --git a/northd/en-sampling-app.h b/northd/en-sampling-app.h new file mode 100644 index 0000000000..a5b5ae4222 --- /dev/null +++ b/northd/en-sampling-app.h 
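Review bot: sampling_app_get_by_type() in en-sampling-app.c walks app_types[] with ARRAY_SIZE() and calls strcmp() on every slot, so adding a value to enum sampling_app without a matching designated initializer leaves a NULL slot and a NULL-pointer strcmp() at runtime; add `BUILD_ASSERT_DECL(ARRAY_SIZE(app_types) == SAMPLING_APP_MAX);` next to the array (or skip NULL entries in the loop). Two smaller points in the same file: sampling_app_table_add() stores `sa->id` (an int64_t from the IDL) into a uint8_t and relies solely on the schema's 1..255 constraint, so a cheap range check with the same rate-limited VLOG_WARN_RL would make the narrowing explicit; and en_sampling_app_run() always reports EN_UPDATED even when the rebuilt table is identical to the previous one, which forces the downstream recompute on every Sampling_App change (comparing the old and new app_ids[] and reporting EN_UNCHANGED when equal would avoid that).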
@@ -0,0 +1,51 @@ +/* + * Copyright (c) 2024, Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef EN_SAMPLING_APP_H +#define EN_SAMPLING_APP_H 1 + +/* OVS includes. */ +#include "openvswitch/shash.h" + +/* OVN includes. */ +#include "lib/inc-proc-eng.h" +#include "lib/ovn-nb-idl.h" + +/* Valid sample IDs are in the 1..255 interval. */ +#define SAMPLING_APP_ID_NONE 0 + +/* Supported sampling applications. */ +enum sampling_app { + SAMPLING_APP_DROP_DEBUG, + SAMPLING_APP_ACL_NEW, + SAMPLING_APP_ACL_EST, + SAMPLING_APP_MAX, +}; + +struct sampling_app_table { + uint8_t app_ids[SAMPLING_APP_MAX]; +}; + +struct ed_type_sampling_app_data { + struct sampling_app_table apps; +}; + +void *en_sampling_app_init(struct engine_node *, struct engine_arg *); +void en_sampling_app_cleanup(void *data); +void en_sampling_app_run(struct engine_node *, void *data); +uint8_t sampling_app_get_id(const struct sampling_app_table *, + enum sampling_app); + +#endif /* EN_SAMPLING_APP_H */ diff --git a/northd/inc-proc-northd.c b/northd/inc-proc-northd.c index 522236ad2a..5d89670c29 100644 --- a/northd/inc-proc-northd.c +++ b/northd/inc-proc-northd.c @@ -39,6 +39,7 @@ #include "en-lflow.h" #include "en-northd-output.h" #include "en-meters.h" +#include "en-sampling-app.h" #include "en-sync-sb.h" #include "en-sync-from-sb.h" #include "unixctl.h" 
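Review bot: en-sampling-app.h includes "openvswitch/shash.h" but nothing in the header uses an shash (the table is a fixed uint8_t array indexed by enum sampling_app); drop the include, or move it to the .c file if a later patch needs it there. The comment on SAMPLING_APP_ID_NONE gives the valid range as 1..255, which matches the schema constraint added in ovn-nb.ovsschema in this same patch; keeping a cross-reference between the two would help the next person who changes either.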
@@ -61,7 +62,8 @@ static unixctl_cb_func chassis_features_list; NB_NODE(meter, "meter") \ NB_NODE(bfd, "bfd") \ NB_NODE(static_mac_binding, "static_mac_binding") \ - NB_NODE(chassis_template_var, "chassis_template_var") + NB_NODE(chassis_template_var, "chassis_template_var") \ + NB_NODE(sampling_app, "sampling_app") enum nb_engine_node { #define NB_NODE(NAME, NAME_STR) NB_##NAME, @@ -138,6 +140,7 @@ enum sb_engine_node { * avoid sparse errors. */ static ENGINE_NODE_WITH_CLEAR_TRACK_DATA(northd, "northd"); static ENGINE_NODE(sync_from_sb, "sync_from_sb"); +static ENGINE_NODE(sampling_app, "sampling_app"); static ENGINE_NODE(lflow, "lflow"); static ENGINE_NODE(mac_binding_aging, "mac_binding_aging"); static ENGINE_NODE(mac_binding_aging_waker, "mac_binding_aging_waker"); @@ -170,6 +173,8 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, engine_add_input(&en_lb_data, &en_nb_logical_router, lb_data_logical_router_handler); + engine_add_input(&en_sampling_app, &en_nb_sampling_app, NULL); + engine_add_input(&en_global_config, &en_nb_nb_global, global_config_nb_global_handler); engine_add_input(&en_global_config, &en_sb_sb_global, @@ -251,6 +256,9 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, engine_add_input(&en_lflow, &en_sb_logical_dp_group, NULL); engine_add_input(&en_lflow, &en_global_config, node_global_config_handler); + + engine_add_input(&en_lflow, &en_sampling_app, NULL); + engine_add_input(&en_lflow, &en_northd, lflow_northd_handler); engine_add_input(&en_lflow, &en_port_group, lflow_port_group_handler); engine_add_input(&en_lflow, &en_lr_stateful, lflow_lr_stateful_handler); diff --git a/northd/northd.h b/northd/northd.h index d4a8d75abc..e50aa6731a 100644 --- a/northd/northd.h +++ b/northd/northd.h @@ -190,6 +190,7 @@ struct lflow_input { const struct hmap *svc_monitor_map; bool ovn_internal_version_changed; const char *svc_monitor_mac; + const struct sampling_app_table *sampling_apps; }; extern int parallelization_state; 
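Review bot: `engine_add_input(&en_lflow, &en_sampling_app, NULL);` in inc-proc-northd.c registers the new node without a change handler, so any edit to the Sampling_App table (including rows of the not-yet-consumed "acl-new" and "acl-est" types) triggers a full lflow recompute; the unit test in this patch confirms that with `check_engine_stats lflow recompute`. That is acceptable for a rarely edited configuration table, but it deserves a one-line comment at the engine_add_input() call and a mention in the commit message, and a handler that only invalidates the logical flows embedding the sample ID would be a natural follow-up once the consumers land.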
diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index e3c4aff9df..a6a377f20b 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.4.0", - "cksum": "1908497390 35615", + "version": "7.5.0", + "cksum": "1137408189 36223", "tables": { "NB_Global": { "columns": { @@ -691,6 +691,20 @@ "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}, "indexes": [["chassis"]], - "isRoot": true} + "isRoot": true}, + "Sampling_App": { + "columns": { + "type": {"type": {"key": {"type": "string", + "enum": ["set", ["drop", "acl-new", "acl-est"]]}}}, + "id": {"type": {"key": {"type": "integer", + "minInteger": 1, + "maxInteger": 255}}}, + "external_ids": { + "type": {"key": "string", "value": "string", + "min": 0, "max": "unlimited"}} + }, + "indexes": [["type"]], + "isRoot": true + } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 6376320d31..0cf2478cf3 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -5093,4 +5093,20 @@ or + + + The type of the application to be configured for sampling. Currently + supported options are: "drop", "acl-new", "acl-est". + + + The identifier to be encoded in the samples generated for this type of + application. This identifier is used as part of the sample's + observation domain ID. + + + + See External IDs at the beginning of this document. + + +
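Review bot: the Sampling_App.type enum in ovn-nb.ovsschema already accepts "acl-new" and "acl-est", and the ovn-nb.xml text calls all three values "currently supported", while the commit message says only drop sampling is supported so far; the documentation should state that the two ACL types are accepted but have no effect until their consumers are added, otherwise users will create rows that silently do nothing. The `id` constraint (minInteger 1, maxInteger 255) and the `"indexes": [["type"]]` uniqueness are the right guards for the uint8_t table in en-sampling-app.c, but nothing in the tests/ovn-northd.at addition exercises them; add a case showing that a second row with the same type, or an id of 0 or 256, is rejected. The ovn-nb.xml description also says the id is used "as part of the sample's observation domain ID" without saying how it is encoded; if the encoding is fixed by the consumer, point to it.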
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 27e8ec3388..66a651e68e 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -12479,6 +12479,23 @@ check_engine_stats lflow recompute nocompute AT_CLEANUP +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([Sampling_App incremental processing]) + +ovn_start + +check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats + +ovn-nbctl create Sampling_App type="acl-new" id="42" +check_row_count nb:Sampling_App 1 +check_engine_stats sampling_app recompute nocompute +check_engine_stats northd norecompute nocompute +check_engine_stats lflow recompute nocompute +CHECK_NO_CHANGE_AFTER_RECOMPUTE + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start
From patchwork Tue Aug 6 09:44:46 2024 X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969403
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Tue, 6 Aug 2024 11:44:46 +0200
Message-ID: <20240806094451.730622-5-dceara@redhat.com>
In-Reply-To: <20240806094451.730622-1-dceara@redhat.com>
References: <20240806094451.730622-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v6 4/9] northd: Override NB_Global drop sampling id with Sampling_App config.

Acked-by: Mark Michelson
Signed-off-by: Dumitru Ceara
---
V6:
- Removed Ales' ack.
V5:
- Added Ales' ack.
V4:
- Addressed Ales' comments:
  - deprecated old config knob
  - fixed unit test typo
- Added Mark's ack.
---
 NEWS                      |  3 +++
 northd/debug.c            | 12 +++++++-----
 northd/debug.h            |  3 ++-
 northd/en-global-config.c | 31 +++++++++++++++++++++++--------
 northd/inc-proc-northd.c  |  1 +
 ovn-nb.xml                |  5 +++++
 tests/ovn-northd.at       | 27 ++++++++++++++++++++++++++-
 7 files changed, 67 insertions(+), 15 deletions(-)
diff --git a/NEWS b/NEWS index 136f890f52..0c91e9608e 100644 --- a/NEWS +++ b/NEWS @@ -50,6 +50,9 @@ Post v24.03.0 - A new LSP option "disable_garp_rarp" has been added to prevent OVN from sending GARP or RARP announcements when a VIF is created on a bridged logical switch. + - The NB_Global.debug_drop_domain_id configured value is now overridden by + the ID associated with the Sampling_App record created for drop sampling + (Sampling_App.type configured as "drop"). OVN v24.03.0 - 01 Mar 2024 -------------------------- diff --git a/northd/debug.c b/northd/debug.c index 59da5d4f66..457993b7cf 100644 --- a/northd/debug.c +++ b/northd/debug.c
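Review bot: the NEWS entry describes the override but not the deprecation of NB_Global.options:debug_drop_domain_id that the V4 changelog mentions ("deprecated old config knob"); say explicitly that the old option is deprecated and which value wins when both are set, since that is what an operator reading the release notes before upgrading needs. The commit message body is also empty apart from the tags; one sentence on why the Sampling_App value should take precedence over the existing NB_Global option would help future readers of the history.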
@@ -3,6 +3,7 @@ #include #include "debug.h" +#include "en-sampling-app.h" #include "openvswitch/dynamic-string.h" #include "openvswitch/vlog.h" @@ -26,16 +27,17 @@ debug_enabled(void) } void -init_debug_config(const struct nbrec_nb_global *nb) +init_debug_config(const struct nbrec_nb_global *nb, + uint8_t drop_domain_id_override) { - const struct smap *options = &nb->options; uint32_t collector_set_id = smap_get_uint(options, "debug_drop_collector_set", 0); - uint32_t observation_domain_id = smap_get_uint(options, - "debug_drop_domain_id", - 0); + uint32_t observation_domain_id = + drop_domain_id_override != SAMPLING_APP_ID_NONE + ? drop_domain_id_override + : smap_get_uint(options, "debug_drop_domain_id", 0); if (collector_set_id != config.collector_set_id || observation_domain_id != config.observation_domain_id || diff --git a/northd/debug.h b/northd/debug.h index c1a5e5aadb..a0b535253a 100644 --- a/northd/debug.h +++ b/northd/debug.h @@ -21,7 +21,8 @@ #include "lib/ovn-nb-idl.h" #include "openvswitch/dynamic-string.h" -void init_debug_config(const struct nbrec_nb_global *nb); +void init_debug_config(const struct nbrec_nb_global *nb, + uint8_t drop_domain_id_override); void destroy_debug_config(void); const char *debug_drop_action(void); diff --git a/northd/en-global-config.c b/northd/en-global-config.c index c5e65966b8..d7607aa074 100644 --- a/northd/en-global-config.c +++ b/northd/en-global-config.c @@ -24,6 +24,7 @@ /* OVN includes */ #include "debug.h" #include "en-global-config.h" +#include "en-sampling-app.h" #include "include/ovn/features.h" #include "ipam.h" #include "lib/ovn-nb-idl.h" 
@@ -42,8 +43,10 @@ static bool chassis_features_changed(const struct chassis_features *, static bool config_out_of_sync(const struct smap *config, const struct smap *saved_config, const char *key, bool must_be_present); -static bool check_nb_options_out_of_sync(const struct nbrec_nb_global *, - struct ed_type_global_config *); +static bool check_nb_options_out_of_sync( + const struct nbrec_nb_global *, + struct ed_type_global_config *, + const struct sampling_app_table *); static void update_sb_config_options_to_sbrec(struct ed_type_global_config *, const struct sbrec_sb_global *); @@ -72,6 +75,9 @@ en_global_config_run(struct engine_node *node , void *data) EN_OVSDB_GET(engine_get_input("SB_sb_global", node)); const struct sbrec_chassis_table *sbrec_chassis_table = EN_OVSDB_GET(engine_get_input("SB_chassis", node)); + const struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + const struct sampling_app_table *sampling_apps = &sampling_app_data->apps; struct ed_type_global_config *config_data = data; @@ -145,7 +151,8 @@ en_global_config_run(struct engine_node *node , void *data) build_chassis_features(sbrec_chassis_table, &config_data->features); } - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); const struct sbrec_sb_global *sb = sbrec_sb_global_table_first(sb_global_table); @@ -186,6 +193,9 @@ global_config_nb_global_handler(struct engine_node *node, void *data) EN_OVSDB_GET(engine_get_input("NB_nb_global", node)); const struct sbrec_sb_global_table *sb_global_table = EN_OVSDB_GET(engine_get_input("SB_sb_global", node)); + const struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + const struct sampling_app_table *sampling_apps = &sampling_app_data->apps; const struct nbrec_nb_global *nb = nbrec_nb_global_table_first(nb_global_table); 
@@ -248,7 +258,7 @@ global_config_nb_global_handler(struct engine_node *node, void *data) return false; } - if (check_nb_options_out_of_sync(nb, config_data)) { + if (check_nb_options_out_of_sync(nb, config_data, sampling_apps)) { config_data->tracked_data.nb_options_changed = true; } @@ -461,8 +471,10 @@ config_out_of_sync(const struct smap *config, const struct smap *saved_config, } static bool -check_nb_options_out_of_sync(const struct nbrec_nb_global *nb, - struct ed_type_global_config *config_data) +check_nb_options_out_of_sync( + const struct nbrec_nb_global *nb, + struct ed_type_global_config *config_data, + const struct sampling_app_table *sampling_apps) { if (config_out_of_sync(&nb->options, &config_data->nb_options, "mac_binding_removal_limit", false)) { @@ -496,13 +508,16 @@ check_nb_options_out_of_sync(const struct nbrec_nb_global *nb, if (config_out_of_sync(&nb->options, &config_data->nb_options, "debug_drop_domain_id", false)) { - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); + return true; } if (config_out_of_sync(&nb->options, &config_data->nb_options, "debug_drop_collector_set", false)) { - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); return true; } diff --git a/northd/inc-proc-northd.c b/northd/inc-proc-northd.c index 5d89670c29..95bedc5cd0 100644 --- a/northd/inc-proc-northd.c +++ b/northd/inc-proc-northd.c @@ -181,6 +181,7 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, global_config_sb_global_handler); engine_add_input(&en_global_config, &en_sb_chassis, global_config_sb_chassis_handler); + engine_add_input(&en_global_config, &en_sampling_app, NULL); engine_add_input(&en_northd, &en_nb_mirror, NULL); engine_add_input(&en_northd, &en_nb_static_mac_binding, NULL); diff --git a/ovn-nb.xml b/ovn-nb.xml index 0cf2478cf3..bc44f67642 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml 
@@ -351,6 +351,11 @@ The observation_point_id will be set to the first 32 bits of the logical flow's UUID.

+

+ Note: This key is deprecated in favor of the value configured in the + table for the drop + application. +

diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 66a651e68e..ebf02ef10a 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -12489,13 +12489,38 @@ check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats ovn-nbctl create Sampling_App type="acl-new" id="42" check_row_count nb:Sampling_App 1 check_engine_stats sampling_app recompute nocompute -check_engine_stats northd norecompute nocompute +check_engine_stats northd recompute nocompute check_engine_stats lflow recompute nocompute +check_engine_stats global_config recompute nocompute CHECK_NO_CHANGE_AFTER_RECOMPUTE AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([Sampling_App override debug_drop_domain_id]) + +ovn_start + +check ovn-nbctl -- set NB_Global . options:debug_drop_collector_set="123" \ + -- set NB_Global . options:debug_drop_domain_id="1" \ + -- ls-add ls +check ovn-nbctl --wait=sb sync + +AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflows], [0], [dnl + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(sample(probability=65535,collector_set=123,obs_domain=1,obs_point=$cookie); /* drop */) +]) + +ovn-nbctl --wait=sb create Sampling_App type="drop" id="42" +check_row_count nb:Sampling_App 1 + +AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflows], [0], [dnl + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(sample(probability=65535,collector_set=123,obs_domain=42,obs_point=$cookie); /* drop */) +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start From patchwork Tue Aug 6 09:44:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969406 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 
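Review bot: the `+ return true;` added after the first `init_debug_config()` call in the `debug_drop_domain_id` branch of `check_nb_options_out_of_sync()` (northd/en-global-config.c, hunk `@@ -496,13 +508,16 @@`) is a behaviour change that neither the subject nor the V4-V6 changelog mentions: before this patch a change to `debug_drop_domain_id` alone re-initialised the debug config but fell through without reporting the NB options as changed, while the `debug_drop_collector_set` branch right below already had its `return true;`. If this is the bug fix it looks like, say so in the commit message or split it out, so the fix can be backported independently of the Sampling_App override.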
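Review bot: `engine_add_input(&en_global_config, &en_sampling_app, NULL);` (northd/inc-proc-northd.c) registers the new input with no change handler, so any Sampling_App row change forces a full recompute of `global_config`, and the test update in tests/ovn-northd.at from `check_engine_stats northd norecompute nocompute` to `check_engine_stats northd recompute nocompute` shows that the recompute cascades into the `northd` node as well. If Sampling_App records are expected to change at runtime, a handler that only re-runs `init_debug_config()` when the drop app id actually differs would avoid that cascade; if the cost is accepted because these records are set once at deployment, one sentence in the commit message stating that would help the next reader of the test.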
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Date: Tue, 6 Aug 2024 11:44:47 +0200
Message-ID: <20240806094451.730622-6-dceara@redhat.com>
In-Reply-To: <20240806094451.730622-1-dceara@redhat.com>
References: <20240806094451.730622-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v6 5/9] northd: Add ACL Sampling.
Cc: i.maximets@ovn.org
From: Adrian Moreno

Introduce a new table called Sample where per-flow IPFIX configuration can be specified. Also, reference rows from such table from the ACL table to enable the configuration of ACL sampling.

If enabled, northd will add a sample action to each ACL related logical flow. Packets that hit stateful ACLs are sampled in different ways depending on whether they are initiating a new session or are just forwarded on an existing (already allowed) session. Two new columns ("sample_new" and "sample_est") are added to the ACL table to allow for potentially different sampling rates for the two cases.

Note: If an ACL has both sampling enabled and a label associated with it then the label value overrides the observation point ID defined in the sample configuration. This is a side effect of the implementation (observation point IDs are stored in conntrack in the same part of the ct_label where ACL labels are also stored). The two features (sampling and ACL labels) serve, however, similar purposes so it's not expected that they're both enabled together.

When sampling is enabled on an ACL additional logical flows are created for that ACL (one for stateless ACLs and 3 for stateful ACLs) in the ACL action stage of the logical pipeline. These additional flows match on a combination of conntrack state values and observation point id values (either against a logical register or against the stored ct_label state) in order to determine whether the packets hitting the ACLs must be sampled or not. This comes with a slight increase in the number of logical flows and in the number of OpenFlow rules. The number of additional flows _does not_ depend on the original ACL match or action.

New --sample-new and --sample-est optional arguments are added to the 'ovn-nbctl acl-add' command to allow configuring these new types of sampling for ACLs.

An example workflow of configuring ACL samples is:

  # Create Sampling_App mappings for ACL traffic types:
  ovn-nbctl create Sampling_App name="acl-new-traffic-sampling" \
      id="42"
  ovn-nbctl create sampling_app name="acl-est-traffic-sampling" \
      id="43"

  # Create two sample collectors, one that samples all packets (c1)
  # and another one that samples with a probability of 10% (c2):
  c1=$(ovn-nbctl create Sample_Collector name=c1 \
      probability=65535 set_id=1)
  c2=$(ovn-nbctl create Sample_Collector name=c2 \
      probability=6553 set_id=2)

  # Create two sample configurations (for new and for established
  # traffic) and an ingress ACL to allow IP traffic:
  ovn-nbctl \
      -- --id=@s1 create sample collector="$c1 $c2" metadata=4301 \
      -- --id=@s2 create sample collector="$c1 $c2" metadata=4302 \
      -- --sample-new=@s1 --sample-est=@s2 acl-add ls \
         from-lport 1 "ip" allow-related

The config above will generate IPFIX samples with:
- 8 MSB of observation domain id set to 42 (Sampling_App "acl-new-traffic-sampling" config) and observation point id set to 4301 (Sample s1) for packets that create a new connection
- 8 MSB of observation domain id set to 43 (Sampling_App "acl-est-traffic-sampling" config) and observation point id set to 4302 (Sample s2) for packets that are part of an already existing connection

Note: in general, all generated IPFIX sample observation domain IDs are built by ovn-controller in the following way: the 8 MSB are taken from the sample action's obs_domain_id and the last 24 LSB are taken from the Southbound logical datapath tunnel_key (datapath ID).

Reported-at: https://issues.redhat.com/browse/FDP-305
Signed-off-by: Adrian Moreno
Co-authored-by: Ales Musil
Signed-off-by: Ales Musil
Co-authored-by: Dumitru Ceara
Signed-off-by: Dumitru Ceara
---
V6:
- Address Ilya's comments:
- make Sample non-root
- Add unique ID to Sample_Collector to be stored in the session conntrack information. Limit the max number of Sample_Collector records to 15 (4 bit).
- Remove the Sample.external_ids: with non-root it doesn't really make sense, there's always going to be a direct mapping from a single ACL object to the sample.
- Remove HAVE_TCPDUMP from system tests.
- Add fix and test for to-lport ACLs with sampling enabled hit on egress towards routers.
- Add test with different collectors (multiple probabilities) that share the same set_id.
- Fixed system test checking nfcapd output files (these can auto rotate).
V5:
- rebase
- address Ilya's comment:
  - add documentation notes about behavior when mixing ACL labels with ACL sampling.
V4:
- added explicit sampling stages
- reduced set_id max supported value
- added support for tiered "pass" ACLs
- improved system test + added tiered ACL system test
- added Ales as co-author for most of the above
- Addressed Mark's comment about better error messages in ovn-nbctl
V3:
- Addressed Ilya's comment:
  - Bumped NB schema version.
V2:
- Addressed Adrian's comments:
  - fixed up observation domain id comment in commit log.
  - store the obs_domain_id in the ct_label as an 8 bit value (add a test).
  - removed redundant check in build_acl_sample_label_action().
  - added missing space after ternary ":" operator.
  - documented limitation for sampling ACLs with action "pass".
  - documented sample_new behavior for stateless ACLs.
- Removed unused OVN_CT_SAMPLE_ID_SET_BIT and OVN_CT_SAMPLE_ID_SET.
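The two encodings the commit message above relies on, worked through as an added example (this is not code from the patch or from OVN): the IPFIX observation domain ID that ovn-controller emits (8 MSB from the sample action's obs_domain, which the Sampling_App id supplies, 24 LSB from the Southbound datapath tunnel_key) and the ct_label split the lib/logical-fields.c hunk introduces (obs_point_id in ct_label[96..127], obs_unused in ct_label[0..95]). A collector-side consumer needs exactly this decoding to map a received sample back to a datapath, a Sampling_App and a Sample row. The Sampling_App table contents (ids 42 and 43 from the workflow above), the sample values and every function and type name here are constructed for the example and are not OVN identifiers.

```c
/* Added example, not OVN code: obs_domain composition/decomposition and the
 * ct_label obs_point_id/obs_unused split, as described in the commit message
 * and the lib/logical-fields.c hunk. All names and values are constructed. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBS_DOMAIN_APP_SHIFT 24          /* 8 MSB: Sampling_App id.     */
#define OBS_DOMAIN_DP_MASK   0x00FFFFFFu /* 24 LSB: datapath tunnel_key. */

/* Compose the 32-bit observation domain ID. Returns false instead of
 * silently truncating a tunnel key that does not fit in 24 bits. */
bool
obs_domain_compose(uint8_t app_id, uint32_t tunnel_key, uint32_t *out)
{
    if (tunnel_key & ~OBS_DOMAIN_DP_MASK) {
        return false;
    }
    *out = ((uint32_t) app_id << OBS_DOMAIN_APP_SHIFT) | tunnel_key;
    return true;
}

uint8_t
obs_domain_app_id(uint32_t obs_domain)
{
    return (uint8_t) (obs_domain >> OBS_DOMAIN_APP_SHIFT);
}

uint32_t
obs_domain_tunnel_key(uint32_t obs_domain)
{
    return obs_domain & OBS_DOMAIN_DP_MASK;
}

/* 128-bit ct_label as two 64-bit halves; 'hi' holds bits 64..127. */
struct ct_label128 {
    uint64_t hi;
    uint64_t lo;
};

/* ct_label.obs_point_id is ct_label[96..127]: the top 32 bits of 'hi'. */
uint32_t
ct_label_obs_point_id(const struct ct_label128 *l)
{
    return (uint32_t) (l->hi >> 32);
}

/* The patch matches "ct_label.obs_unused == 0" rather than a masked
 * ct_label: true only when bits 0..95 (all of 'lo' and the low 32 bits
 * of 'hi') are clear. */
bool
ct_label_obs_unused_is_zero(const struct ct_label128 *l)
{
    return l->lo == 0 && (l->hi & 0xFFFFFFFFu) == 0;
}

/* Constructed Sampling_App table mirroring the commit message workflow. */
struct sampling_app_ex {
    uint8_t id;
    const char *name;
};

static const struct sampling_app_ex apps_ex[] = {
    { 42, "acl-new-traffic-sampling" },
    { 43, "acl-est-traffic-sampling" },
};

const char *
sampling_app_name(uint8_t id)
{
    for (size_t i = 0; i < sizeof apps_ex / sizeof apps_ex[0]; i++) {
        if (apps_ex[i].id == id) {
            return apps_ex[i].name;
        }
    }
    return NULL;
}

/* Decode one (constructed) IPFIX sample's domain/point pair into a line a
 * collector-side consumer can log. Returns the matched Sampling_App name,
 * or NULL when the 8 MSB map to no known app. */
const char *
describe_sample(uint32_t obs_domain, uint32_t obs_point, char *buf, size_t len)
{
    const char *app = sampling_app_name(obs_domain_app_id(obs_domain));

    snprintf(buf, len, "app=%s datapath=%" PRIu32 " point=%" PRIu32,
             app ? app : "unknown", obs_domain_tunnel_key(obs_domain),
             obs_point);
    return app;
}

int
main(void)
{
    uint32_t dom;
    char buf[96];

    /* Sample s1 (metadata 4301) hit by a new connection on the datapath
     * with tunnel_key 5: obs_domain = (42 << 24) | 5 = 0x2A000005. */
    if (obs_domain_compose(42, 5, &dom)) {
        describe_sample(dom, 4301, buf, sizeof buf);
        puts(buf);
    }
    return 0;
}
```

The check in `obs_domain_compose()` is the caveat worth keeping: only 24 bits of the datapath key survive the encoding, so a consumer that joins samples to Southbound Datapath_Binding rows must join on the masked value, and `ct_label_obs_unused_is_zero()` makes explicit that the unmasked match in the northd.c hunk requires every other ct_label bit in that zone to be clear.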
--- NEWS | 3 + controller/lflow.h | 12 +- lib/logical-fields.c | 4 + lib/ovn-util.h | 2 +- northd/northd.c | 463 ++++++++++++++++++++++-- northd/northd.h | 54 +-- northd/ovn-northd.8.xml | 133 +++++-- ovn-nb.ovsschema | 47 ++- ovn-nb.xml | 75 ++++ tests/atlocal.in | 6 + tests/ovn-controller.at | 168 ++++----- tests/ovn-macros.at | 14 +- tests/ovn-nbctl.at | 36 ++ tests/ovn-northd.at | 381 ++++++++++++++++++-- tests/ovn.at | 69 ++-- tests/system-common-macros.at | 11 + tests/system-ovn.at | 465 +++++++++++++++++++++++++ utilities/containers/fedora/Dockerfile | 1 + utilities/containers/ubuntu/Dockerfile | 1 + utilities/ovn-nbctl.8.xml | 8 +- utilities/ovn-nbctl.c | 35 +- 21 files changed, 1749 insertions(+), 239 deletions(-) diff --git a/NEWS b/NEWS index 0c91e9608e..676c49e3fa 100644 --- a/NEWS +++ b/NEWS @@ -53,6 +53,9 @@ Post v24.03.0 - The NB_Global.debug_drop_domain_id configured value is now overridden by the ID associated with the Sampling_App record created for drop sampling (Sampling_App.type configured as "drop"). + - Add support for ACL sampling through the new Sample_Collector and Sample + tables. Sampling is supported for both traffic that creates new + connections and for traffic that is part of an existing connection. OVN v24.03.0 - 01 Mar 2024 -------------------------- diff --git a/controller/lflow.h b/controller/lflow.h index c8a2a3f494..e95a016501 100644 --- a/controller/lflow.h +++ b/controller/lflow.h 
@@ -67,17 +67,17 @@ struct uuid; /* Start of LOG_PIPELINE_LEN tables. */ #define OFTABLE_LOG_INGRESS_PIPELINE 8 -#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 37 -#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 38 -#define OFTABLE_REMOTE_OUTPUT 39 -#define OFTABLE_LOCAL_OUTPUT 40 -#define OFTABLE_CHECK_LOOPBACK 41 +#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 40 +#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 41 +#define OFTABLE_REMOTE_OUTPUT 42 +#define OFTABLE_LOCAL_OUTPUT 43 +#define OFTABLE_CHECK_LOOPBACK 44 /* Start of the OUTPUT section of the pipeline. */ #define OFTABLE_OUTPUT_INIT OFTABLE_OUTPUT_LARGE_PKT_DETECT /* Start of LOG_PIPELINE_LEN tables. */ -#define OFTABLE_LOG_EGRESS_PIPELINE 42 +#define OFTABLE_LOG_EGRESS_PIPELINE 45 #define OFTABLE_SAVE_INPORT 64 #define OFTABLE_LOG_TO_PHY 65 #define OFTABLE_MAC_BINDING 66 diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 4acf8a677e..0c187e1c84 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -175,6 +175,10 @@ ovn_init_symtab(struct shash *symtab) WR_CT_COMMIT); expr_symtab_add_subfield_scoped(symtab, "ct_label.label", NULL, "ct_label[96..127]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_label.obs_point_id", NULL, + "ct_label[96..127]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_label.obs_unused", NULL, + "ct_label[0..95]", WR_CT_COMMIT); expr_symtab_add_field(symtab, "ct_state", MFF_CT_STATE, NULL, false); diff --git a/lib/ovn-util.h b/lib/ovn-util.h index ae971ce5ab..7b98b9b9a1 100644 --- a/lib/ovn-util.h +++ b/lib/ovn-util.h @@ -308,7 +308,7 @@ BUILD_ASSERT_DECL( #define SCTP_ABORT_CHUNK_FLAG_T (1 << 0) /* The number of tables for the ingress and egress pipelines. */ -#define LOG_PIPELINE_LEN 29 +#define LOG_PIPELINE_LEN 30 static inline uint32_t hash_add_in6_addr(uint32_t hash, const struct in6_addr *addr) diff --git a/northd/northd.c b/northd/northd.c index 8b4ef1403a..13f9faba31 100644 --- a/northd/northd.c +++ b/northd/northd.c 
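Review bot: the controller/lflow.h hunk moves every table from `OFTABLE_OUTPUT_LARGE_PKT_DETECT` onward up by 3 (37 to 40, ..., `OFTABLE_LOG_EGRESS_PIPELINE` 42 to 45) while the lib/ovn-util.h hunk grows `LOG_PIPELINE_LEN` by only 1 (29 to 30). With `OFTABLE_LOG_INGRESS_PIPELINE` at 8 the ingress stages now end at table 37, so OpenFlow tables 38 and 39 are left unallocated. If that is deliberate headroom for further stages, a one-line comment next to the defines saying so would stop someone from "fixing" the gap later; if not, the shift should match the pipeline growth.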
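Review bot: in lib/logical-fields.c the new `ct_label.obs_point_id` subfield is declared over `ct_label[96..127]`, exactly the range already exposed as `ct_label.label` two lines above, which is the aliasing that makes an ACL label override the observation point ID as the commit message explains. A comment beside the two `expr_symtab_add_subfield_scoped()` calls stating that the overlap is intentional would save the next reader a detour. Note also that `ct_label.obs_unused` covers all of `ct_label[0..95]`, so the `ct_label.obs_unused == 0` match in the northd.c hunk requires every other ct_label bit in the zone to be clear; that constraint deserves to be documented where the subfield is defined.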
@@ -50,6 +50,7 @@ #include "en-lr-nat.h" #include "en-lr-stateful.h" #include "en-ls-stateful.h" +#include "en-sampling-app.h" #include "lib/ovn-parallel-hmap.h" #include "ovn/actions.h" #include "ovn/features.h" @@ -184,8 +185,10 @@ static bool vxlan_mode; #define REG_ORIG_TP_DPORT_ROUTER "reg9[16..31]" -/* Register used for setting a label for ACLs in a Logical Switch. */ -#define REG_LABEL "reg3" +/* Registers used for pasing observability information for switches: + * domain and point ID. */ +#define REG_OBS_POINT_ID_NEW "reg3" +#define REG_OBS_POINT_ID_EST "reg9" /* Register used for temporarily store ECMP eth.src to avoid masked ct_label * access. It doesn't really occupy registers because the content of the @@ -209,13 +212,13 @@ static bool vxlan_mode; * | | REGBIT_{HAIRPIN/HAIRPIN_REPLY} | | | * | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} | | | * | | REGBIT_ACL_{LABEL/STATELESS} | X | | - * +----+----------------------------------------------+ X | | - * | R5 | UNUSED | X | LB_L2_AFF_BACKEND_IP6 | - * | R1 | ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL) | R | | - * +----+----------------------------------------------+ E | | + * +----+----------------------------------------------+ X | LB_L2_AFF_BACKEND_IP6 | + * | R1 | ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL) | R | (>= IN_LB_AFF_CHECK && | + * +----+----------------------------------------------+ E | <= IN_LB_AFF_LEARN) | * | R2 | ORIG_TP_DPORT (>= IN_PRE_STATEFUL) | G | | * +----+----------------------------------------------+ 0 | | - * | R3 | ACL LABEL | | | + * | R3 | OBS_POINT_ID_NEW | | | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | | | * +----+----------------------------------------------+---+-----------------------------------+ * | R4 | REG_LB_AFF_BACKEND_IP4 | | | * +----+----------------------------------------------+ X | | 
@@ -225,9 +228,11 @@ static bool vxlan_mode; * +----+----------------------------------------------+ G | | * | R7 | UNUSED | 1 | | * +----+----------------------------------------------+---+-----------------------------------+ - * | R8 | LB_AFF_MATCH_PORT | + * | | LB_AFF_MATCH_PORT | + * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | * +----+----------------------------------------------+ - * | R9 | UNUSED | + * | R9 | OBS_POINT_ID_EST | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | * +----+----------------------------------------------+ * * Logical Router pipeline: 
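Review bot: two nits in the register-map comment. "pasing observability information" should read "passing observability information". In the R8 row the register name is lost: `| R8 | LB_AFF_MATCH_PORT |` becomes `| | LB_AFF_MATCH_PORT |` while the R9 row below keeps its `R9` label, so this looks accidental and should be restored. Removing the stray `| R5 | UNUSED |` row that sat between R0 and R1 is a welcome fix, but it is unrelated to sampling and could be mentioned in the commit message.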
@@ -6482,6 +6487,355 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl, ds_put_cstr(actions, "); "); } +/* This builds an ACL specific sample action. + * If the ACL has a label configured the label itself is used as sample + * observation point ID. Otherwise the configured 'sample->metadata' + * is passed as observation point ID. */ +static void +build_acl_sample_action(struct ds *actions, const struct nbrec_acl *acl, + const struct nbrec_sample *sample, + uint8_t sample_domain_id) +{ + if (!sample || sample_domain_id == SAMPLING_APP_ID_NONE) { + return; + } + + uint32_t domain_id = 0; + uint32_t point_id = 0; + + if (acl->label) { + domain_id = 0; + point_id = acl->label; + } else if (sample) { + domain_id = sample_domain_id; + point_id = sample->metadata; + } + + for (size_t i = 0; i < sample->n_collectors; i++) { + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point=%"PRIu32");", + (uint16_t) sample->collectors[i]->probability, + (uint8_t) sample->collectors[i]->set_id, + domain_id, point_id); + } + ds_put_cstr(actions, " next;"); +} + +/* This builds an ACL logical flow specific action that stores the observation + * point IDs to be used for samples generated for traffic that hits the ACL. + * Two observation point IDs are stored in registers, the one for traffic + * that creates new connections and the one for traffic that's part of an + * existing connection. 
+ */ +static void +build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, + const struct nbrec_sample *sample_new, + const struct nbrec_sample *sample_est) +{ + if (!acl->label && !sample_new && !sample_est) { + return; + } + + uint32_t point_id_new = 0; + uint32_t point_id_est = 0; + + if (acl->label) { + point_id_new = acl->label; + point_id_est = acl->label; + } else { + if (sample_new) { + point_id_new = sample_new->metadata; + } + if (sample_est) { + point_id_est = sample_est->metadata; + } + } + + ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " + REG_OBS_POINT_ID_NEW " = %"PRIu32"; " + REG_OBS_POINT_ID_EST " = %"PRIu32"; ", + point_id_new, point_id_est); +} + +/* This builds an ACL logical flow specific match that selects traffic + * with an associated observation point ID register equal to that of the + * ACL label (if configured) or sample->metadata. + */ +static void +build_acl_sample_register_match(struct ds *match, const struct nbrec_acl *acl, + const struct nbrec_sample *sample) +{ + uint32_t point_id = 0; + + if (acl->label) { + point_id = acl->label; + } else if (sample) { + point_id = sample->metadata; + } + + ds_put_format(match, REG_OBS_POINT_ID_NEW " == %"PRIu32, point_id); +} + +/* This builds an ACL logical flow specific match that selects conntracked + * traffic whose associated ct_label.obs_point ID is equal to that of the + * ACL label (if configured) or sample->metadata. The match also ensures + * that the observation domain ID stored in the ct_label is also equal to + * 'sample_domain_id'. + */ +static void +build_acl_sample_label_match(struct ds *match, const struct nbrec_acl *acl, + const struct nbrec_sample *sample) +{ + uint32_t point_id = 0; + + if (acl->label) { + point_id = acl->label; + } else if (sample) { + point_id = sample->metadata; + } + + /* Match on the complete ct_label to avoid masked access to it in the + * datapath. 
Some NICs do not support HW offloading when masked-access + * of ct_label is used in the datapath. */ + ds_put_format(match, "ct_label.obs_point_id == %"PRIu32" && " + "ct_label.obs_unused == 0", point_id); +} + +/* This builds a logical flow that samples and forwards/drops traffic + * that hit a stateless ACL ("pass" or "allow-stateless") that has sampling + * enabled. + */ +static void +build_acl_sample_new_stateless_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_new) { + return; + } + + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && "); + build_acl_sample_register_match(match, acl, acl->sample_new); + + build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards/drops traffic + * that created a new conntrack entry and hit a stateful ACL that has sampling + * enabled. + */ +static void +build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_new) { + return; + } + + ds_clear(actions); + ds_clear(match); + + /* Match on new connections. However, for to-lport ACLs, due to + * skip_port_from_conntrack() conntrack state might be cleared, so + * take that into account too. */ + ds_put_format(match, "ip && %s && ", + stage != S_SWITCH_OUT_ACL_SAMPLE + ? 
"ct.new" : "(ct.new || !ct.trk)"); + build_acl_sample_register_match(match, acl, acl->sample_new); + + build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards traffic + * that is part of an existing connection (in the original direction) created + * by traffic allowed by a stateful ACL that has sampling enabled. + */ +static void +build_acl_sample_est_orig_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && ct.trk && " + "(ct.est || ct.rel) && " + "!ct.rpl && "); + build_acl_sample_label_match(match, acl, acl->sample_est); + + build_acl_sample_action(actions, acl, acl->sample_est, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1200, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards traffic + * that is part of an existing connection (in the reply direction) created + * by traffic allowed by a stateful ACL that has sampling enabled. + * + * NOTE: unlike for traffic in the original direction, this logical flow must + * be installed in the "opposite" pipeline. That is, for "from-lport" ACLs + * the conntrack entry is created in the ingress logical port zone and will be + * hit by reply traffic in the egress pipeline (before being sent out that + * logical port). 
+ */ +static void +build_acl_sample_est_rpl_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage rpl_stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && ct.trk && " + "(ct.est || ct.rel) && " + "ct.rpl && "); + build_acl_sample_label_match(match, acl, acl->sample_est); + + build_acl_sample_action(actions, acl, acl->sample_est, sample_domain_id); + + ovn_lflow_add(lflows, od, rpl_stage, 1200, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds logical flows that sample and forward traffic + * that is part of an existing connection (both in the original and in the + * reply direction) created by traffic allowed by a stateful ACL that has + * sampling enabled. + */ +static void +build_acl_sample_est_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_est) { + return; + } + build_acl_sample_est_orig_stateful_flows(od, lflows, stage, match, actions, + acl, sample_domain_id, lflow_ref); + + /* Install flows in the "opposite" pipeline direction to handle reply + * traffic on established connections. */ + enum ovn_stage rpl_stage = (stage == S_SWITCH_OUT_ACL_SAMPLE + ? 
S_SWITCH_IN_ACL_SAMPLE + : S_SWITCH_OUT_ACL_SAMPLE); + build_acl_sample_est_rpl_stateful_flows(od, lflows, rpl_stage, + match, actions, + acl, sample_domain_id, lflow_ref); +} + +static void build_acl_reject_action(struct ds *actions, bool is_ingress); + +/* This builds all ACL sampling related logical flows: + * - for packets creating new connections + * - for packets that are part of an existing connection + */ +static void +build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, + const struct ovn_datapath *od, + struct lflow_table *lflows, + const struct nbrec_acl *acl, + struct ds *match, struct ds *actions, + const struct sampling_app_table *sampling_apps, + struct lflow_ref *lflow_ref) +{ + bool should_sample_established = + ls_stateful_rec->has_stateful_acl + && acl->sample_est + && !strcmp(acl->action, "allow-related"); + + bool stateful_match = + ls_stateful_rec->has_stateful_acl + && strcmp(acl->action, "allow-stateless"); + + /* Only sample if: + * - sampling is enabled for traffic creating new connections + * OR + * - sampling is enabled for traffic on established sessions and the + * switch has stateful ACLs. + */ + if (!acl->sample_new && !should_sample_established) { + return; + } + + bool ingress = !strcmp(acl->direction, "from-lport") ? 
true : false; + enum ovn_stage stage; + + if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { + stage = S_SWITCH_IN_ACL_AFTER_LB_SAMPLE; + } else if (ingress) { + stage = S_SWITCH_IN_ACL_SAMPLE; + } else { + stage = S_SWITCH_OUT_ACL_SAMPLE; + } + + uint8_t sample_new_domain_id = sampling_app_get_id(sampling_apps, + SAMPLING_APP_ACL_NEW); + uint8_t sample_est_domain_id = sampling_app_get_id(sampling_apps, + SAMPLING_APP_ACL_EST); + + if (!stateful_match) { + build_acl_sample_new_stateless_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, + lflow_ref); + } else { + build_acl_sample_new_stateful_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, + lflow_ref); + build_acl_sample_est_stateful_flows(od, lflows, stage, match, actions, + acl, sample_est_domain_id, + lflow_ref); + } +} + +/* This builds all default ACL sampling related logical flows. */ +static void +build_acl_sample_default_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + struct lflow_ref *lflow_ref) +{ + /* Rules at priority 1 is added below to pass the packet into next table + * if there isn't any match. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_SAMPLE, 0, "1", "next;", + lflow_ref); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_SAMPLE, 0, "1", "next;", + lflow_ref); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_SAMPLE, 0, "1", + "next;", lflow_ref); +} + static void consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, const struct nbrec_acl *acl, bool has_stateful, 
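Review bot: build_acl_sample_flows and consider_acl disagree on how a "pass" ACL is treated. consider_acl puts "pass" in its stateless branch (`!has_stateful || !strcmp(acl->action, "pass") || !strcmp(acl->action, "allow-stateless")`, loading sample_new only), but `stateful_match` here excludes only "allow-stateless", so on a switch with stateful ACLs a "pass" ACL goes through build_acl_sample_new_stateful_flows and its ct.new-based match (`"ct.new" : "(ct.new || !ct.trk)"`) rather than the stateless variant; tracked packets that are not ct.new then load the register but never hit a sampling flow. Make the two conditions identical (a shared helper would stop them drifting) and decide explicitly whether a "pass" ACL, whose verdict is taken by a later tier, should load the observation point register at all: if the deciding ACL has no sampling, the pass ACL's id is still in the register and the sample is attributed to the wrong rule. Minor: the comment in build_acl_sample_default_flows says "Rules at priority 1" while the three flows are added at priority 0.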
@@ -6529,6 +6883,10 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, if (!has_stateful || !strcmp(acl->action, "pass") || !strcmp(acl->action, "allow-stateless")) { + + /* For stateless ACLs just sample "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); ovn_lflow_add_with_hint(lflows, od, stage, priority, @@ -6563,10 +6921,10 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - if (acl->label) { - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); - } + + /* For stateful ACLs sample "new" and "established" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, + acl->sample_est); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6586,9 +6944,11 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, acl->match); if (acl->label) { ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); } + + /* For stateful ACLs sample "new" and "established" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, + acl->sample_est); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6606,6 +6966,9 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_put_format(match, " && (%s)", acl->match); ds_truncate(actions, log_verdict_len); + + /* For drop ACLs just sample all packets as "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), 
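Review bot: in the `@@ -6586` hunk the conntrack commit is still gated on `if (acl->label)`, but `build_acl_sample_label_action(actions, acl, acl->sample_new, acl->sample_est)` now also loads the sample_est observation point id on that path. With sample_est set and no label, REGBIT_CONNTRACK_COMMIT stays 0, so the ls_in_stateful flow (`REGBIT_CONNTRACK_COMMIT == 1 && REGBIT_ACL_LABEL == 1`) never writes ct_label.obs_point_id for the connections this flow covers, and the sample_est flows, which match on the saved label, silently miss them. Since this commit exists precisely so an already committed connection picks up a changed label, gate it on `acl->label || acl->sample_est` (or have build_acl_sample_label_action set the commit bit whenever it stores something), and add a test that enables sample_est on an ACL while a connection is already established.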
@@ -6626,6 +6989,9 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_put_format(match, " && (%s)", acl->match); ds_truncate(actions, log_verdict_len); + + /* For drop ACLs just sample all packets as "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6706,6 +7072,20 @@ ovn_update_ipv6_options(struct hmap *lr_ports) #define IPV6_CT_OMIT_MATCH "nd || nd_ra || nd_rs || mldv1 || mldv2" +static void +build_acl_reject_action(struct ds *actions, bool is_ingress) +{ + ds_put_format( + actions, "reg0 = 0; " + "reject { " + "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " + "outport <-> inport; next(pipeline=%s,table=%d); " + "};", + is_ingress ? "egress" : "ingress", + is_ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS) + : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); +} + static void build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, const struct ovn_datapath *od, @@ -6722,6 +7102,12 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, S_SWITCH_OUT_ACL_ACTION, }; + enum ovn_stage eval_stages[] = { + S_SWITCH_IN_ACL_EVAL, + S_SWITCH_IN_ACL_AFTER_LB_EVAL, + S_SWITCH_OUT_ACL_EVAL, + }; + ds_clear(actions); ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW " = 0; " REGBIT_ACL_VERDICT_DROP " = 0; " 
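Review bot: the two drop hunks (`@@ -6606` and `@@ -6626`, the latter committing `ct_mark.blocked = 1`, i.e. an existing connection) load the sample_new observation point id under the comment "sample all packets as new", but build_acl_sample_flows sends drop ACLs on a stateful switch through build_acl_sample_new_stateful_flows, whose match is ct.new-based, so the packets blocked by the second hunk are labelled in the register but never reach a sampling flow. Either give drop/reject ACLs a sampling flow that matches the register without ct state, or correct the comment and the ovn-nb.xml sample_new text to say only new connections are sampled for drops. Separately, the new `eval_stages[]` in build_acl_action_lflows is indexed in lockstep with the existing action-stage array (`... S_SWITCH_OUT_ACL_ACTION, };`); a comment or a single array of {eval, action} pairs would keep the two orderings from drifting apart.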
@@ -6752,14 +7138,7 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, bool ingress = ovn_stage_get_pipeline(stage) == P_IN; ds_truncate(actions, verdict_len); - ds_put_format( - actions, "reg0 = 0; " - "reject { " - "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " - "outport <-> inport; next(pipeline=%s,table=%d); };", - ingress ? "egress" : "ingress", - ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS) - : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); + build_acl_reject_action(actions, ingress); ovn_lflow_metered(lflows, od, stage, 1000, REGBIT_ACL_VERDICT_REJECT " == 1", ds_cstr(actions), @@ -6778,7 +7157,7 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, ds_put_format(&tier_actions, REG_ACL_TIER " = %"PRIuSIZE"; " "next(pipeline=%s,table=%d);", j + 1, ingress ? "ingress" : "egress", - ovn_stage_get_table(stage) - 1); + ovn_stage_get_table(eval_stages[i])); ovn_lflow_add(lflows, od, stage, 500, ds_cstr(match), ds_cstr(&tier_actions), lflow_ref); } @@ -6799,12 +7178,6 @@ build_acl_log_related_flows(const struct ovn_datapath *od, * the ACL, then we need to ensure that the related and reply * traffic is logged, so we install a slightly higher-priority * flow that matches the ACL, allows the traffic, and logs it. - * - * Note: Matching the ct_label.label may prevent OVS flow HW - * offloading to work for some NICs because masked-access of - * ct_label is not supported on those NICs due to HW - * limitations. In such case the user may choose to avoid using the - * "log-related" option. */ bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; bool log_related = smap_get_bool(&acl->options, "log-related", 
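Review bot: the `@@ -6799` hunk deletes the note that masked ct_label matches can defeat hardware offload on some NICs, without a replacement. Renaming the field to obs_point_id does not change that limitation, and this patch widens its reach: the sample_est flows built through build_acl_sample_label_match match ct_label too. Keep the note (updated for ct_label.obs_point_id) and put the same caveat on the sample_est column in ovn-nb.xml, which is where an operator decides to enable it. The `eval_stages[i]` change in `@@ -6778` is required now that a sample table sits between eval and action; a one-line comment saying why `ovn_stage_get_table(stage) - 1` stopped being correct would save the next reader a trip through the stage list.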
@@ -6863,6 +7236,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, struct lflow_table *lflows, const struct ls_port_group_table *ls_port_groups, const struct shash *meter_groups, + const struct sampling_app_table *sampling_apps, struct lflow_ref *lflow_ref) { const char *default_acl_action = default_acl_drop @@ -7043,6 +7417,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, REGBIT_ACL_VERDICT_ALLOW " = 1; next;", lflow_ref); + build_acl_sample_default_flows(od, lflows, lflow_ref); + /* Ingress or Egress ACL Table (Various priorities). */ for (size_t i = 0; i < od->nbs->n_acls; i++) { struct nbrec_acl *acl = od->nbs->acls[i]; @@ -7052,6 +7428,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, consider_acl(lflows, od, acl, has_stateful, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); + build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, + &match, &actions, sampling_apps, lflow_ref); } const struct ls_port_group *ls_pg = @@ -7068,6 +7446,9 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, consider_acl(lflows, od, acl, has_stateful, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); + build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, + &match, &actions, sampling_apps, + lflow_ref); } } } @@ -7727,8 +8108,11 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, * We always set ct_mark.blocked to 0 here as * any packet that makes it this far is part of a connection we * want to allow to continue. */ - ds_put_cstr(&actions, "ct_commit { ct_mark.blocked = 0; " - "ct_label.label = " REG_LABEL "; }; next;"); + ds_put_cstr(&actions, + "ct_commit { " + "ct_mark.blocked = 0; " + "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; " + "}; next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, REGBIT_CONNTRACK_COMMIT" == 1 && " REGBIT_ACL_LABEL" == 1", 
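Review bot: the `@@ -7727` hunk replaces `ct_label.label = REG_LABEL` with `ct_label.obs_point_id = REG_OBS_POINT_ID_EST`, so the ACL label column is no longer committed under its own field name and, per the new ovn-nb.xml note, "the label value overrides the observation point ID" when both are set. That is a user-visible change in the conntrack label layout and in what anyone inspecting ct_label sees; it needs a NEWS entry and a sentence in the ACL label documentation, and please state whether obs_point_id occupies the same bits as label did, since conntrack entries committed before an upgrade keep the old layout until this flow recommits them. Also, `build_acl_sample_default_flows(od, lflows, lflow_ref)` is called unconditionally in build_acls, while the ovn-northd.8.xml text added in this patch says the priority 0 flow is installed "If no ACLs have sampling enabled"; the docs should say the flow is always present.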
@@ -15776,6 +16160,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, const struct ovn_datapath *od, const struct ls_port_group_table *ls_pgs, const struct shash *meter_groups, + const struct sampling_app_table *sampling_apps, struct lflow_table *lflows) { build_ls_stateful_rec_pre_acls(ls_stateful_rec, od, ls_pgs, lflows, @@ -15785,7 +16170,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, build_acl_hints(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); build_acls(ls_stateful_rec, od, lflows, ls_pgs, meter_groups, - ls_stateful_rec->lflow_ref); + sampling_apps, ls_stateful_rec->lflow_ref); build_lb_hairpin(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); } @@ -15809,6 +16194,7 @@ struct lswitch_flow_build_info { struct ds actions; size_t thread_lflow_counter; const char *svc_monitor_mac; + const struct sampling_app_table *sampling_apps; }; /* Helper function to combine all lflow generation which is iterated by @@ -16100,6 +16486,7 @@ build_lflows_thread(void *arg) build_ls_stateful_flows(ls_stateful_rec, od, lsi->ls_port_groups, lsi->meter_groups, + lsi->sampling_apps, lsi->lflows); } } @@ -16173,7 +16560,8 @@ build_lswitch_and_lrouter_flows( const struct hmap *svc_monitor_map, const struct hmap *bfd_connections, const struct chassis_features *features, - const char *svc_monitor_mac) + const char *svc_monitor_mac, + const struct sampling_app_table *sampling_apps) { char *svc_check_match = xasprintf("eth.dst == %s", svc_monitor_mac); @@ -16207,6 +16595,7 @@ build_lswitch_and_lrouter_flows( lsiv[index].svc_check_match = svc_check_match; lsiv[index].thread_lflow_counter = 0; lsiv[index].svc_monitor_mac = svc_monitor_mac; + lsiv[index].sampling_apps = sampling_apps; ds_init(&lsiv[index].match); ds_init(&lsiv[index].actions); 
@@ -16247,6 +16636,7 @@ build_lswitch_and_lrouter_flows( .features = features, .svc_check_match = svc_check_match, .svc_monitor_mac = svc_monitor_mac, + .sampling_apps = sampling_apps, .match = DS_EMPTY_INITIALIZER, .actions = DS_EMPTY_INITIALIZER, }; @@ -16319,6 +16709,7 @@ build_lswitch_and_lrouter_flows( &od->nbs->header_.uuid)); build_ls_stateful_flows(ls_stateful_rec, od, lsi.ls_port_groups, lsi.meter_groups, + lsi.sampling_apps, lsi.lflows); } stopwatch_stop(LFLOWS_LS_STATEFUL_STOPWATCH_NAME, time_msec()); @@ -16408,7 +16799,8 @@ void build_lflows(struct ovsdb_idl_txn *ovnsb_txn, input_data->svc_monitor_map, input_data->bfd_connections, input_data->features, - input_data->svc_monitor_mac); + input_data->svc_monitor_mac, + input_data->sampling_apps); if (parallelization_state == STATE_INIT_HASH_SIZES) { parallelization_state = STATE_USE_PARALLELIZATION; @@ -16832,6 +17224,7 @@ lflow_handle_ls_stateful_changes(struct ovsdb_idl_txn *ovnsb_txn, build_ls_stateful_flows(ls_stateful_rec, od, lflow_input->ls_port_groups, lflow_input->meter_groups, + lflow_input->sampling_apps, lflows); /* Sync the new flows to SB. */ diff --git a/northd/northd.h b/northd/northd.h index e50aa6731a..b628911510 100644 --- a/northd/northd.h +++ b/northd/northd.h 
@@ -397,27 +397,30 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 6, "ls_in_pre_stateful") \ PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 7, "ls_in_acl_hint") \ PIPELINE_STAGE(SWITCH, IN, ACL_EVAL, 8, "ls_in_acl_eval") \ - PIPELINE_STAGE(SWITCH, IN, ACL_ACTION, 9, "ls_in_acl_action") \ - PIPELINE_STAGE(SWITCH, IN, QOS, 10, "ls_in_qos") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 11, "ls_in_lb_aff_check") \ - PIPELINE_STAGE(SWITCH, IN, LB, 12, "ls_in_lb") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 13, "ls_in_lb_aff_learn") \ - PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 14, "ls_in_pre_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 15, "ls_in_nat_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 16, "ls_in_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_EVAL, 17, \ - "ls_in_acl_after_lb_eval") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 18, \ + PIPELINE_STAGE(SWITCH, IN, ACL_SAMPLE, 9, "ls_in_acl_sample") \ + PIPELINE_STAGE(SWITCH, IN, ACL_ACTION, 10, "ls_in_acl_action") \ + PIPELINE_STAGE(SWITCH, IN, QOS, 11, "ls_in_qos") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 12, "ls_in_lb_aff_check") \ + PIPELINE_STAGE(SWITCH, IN, LB, 13, "ls_in_lb") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 14, "ls_in_lb_aff_learn") \ + PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 15, "ls_in_pre_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 16, "ls_in_nat_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 17, "ls_in_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_EVAL, 18, \ + "ls_in_acl_after_lb_eval") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_SAMPLE, 19, \ + "ls_in_acl_after_lb_sample") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 20, \ "ls_in_acl_after_lb_action") \ - PIPELINE_STAGE(SWITCH, IN, STATEFUL, 19, "ls_in_stateful") \ - PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 20, "ls_in_arp_rsp") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 21, "ls_in_dhcp_options") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 22, "ls_in_dhcp_response") \ - 
PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 23, "ls_in_dns_lookup") \ - PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 24, "ls_in_dns_response") \ - PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 25, "ls_in_external_port") \ - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 26, "ls_in_l2_lkup") \ - PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 27, "ls_in_l2_unknown") \ + PIPELINE_STAGE(SWITCH, IN, STATEFUL, 21, "ls_in_stateful") \ + PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 22, "ls_in_arp_rsp") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 23, "ls_in_dhcp_options") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 24, "ls_in_dhcp_response") \ + PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 25, "ls_in_dns_lookup") \ + PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 26, "ls_in_dns_response") \ + PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 27, "ls_in_external_port") \ + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 28, "ls_in_l2_lkup") \ + PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 29, "ls_in_l2_unknown") \ \ /* Logical switch egress stages. */ \ PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \ 
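Review bot: inserting ACL_SAMPLE and ACL_AFTER_LB_SAMPLE shifts every later stage number and, because build_acls always installs the priority 0 "next;" flows, every packet on every logical switch now traverses up to three extra OpenFlow tables even when no ACL has sample_new or sample_est set. That cost lands on all deployments and belongs in the commit message; if it matters, consider whether the sampling flows could live in the ACL_ACTION tables at a higher priority than the verdict flows instead of adding tables. The renumbering itself is consistent with the ovn-northd.8.xml updates (ingress 9..29, egress 5..10) and with the ovn-debug lflow-stage-to-oftable lookups in the tests.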
@@ -425,11 +428,12 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \ PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 3, "ls_out_acl_hint") \ PIPELINE_STAGE(SWITCH, OUT, ACL_EVAL, 4, "ls_out_acl_eval") \ - PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 5, "ls_out_acl_action") \ - PIPELINE_STAGE(SWITCH, OUT, QOS, 6, "ls_out_qos") \ - PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \ - PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 8, "ls_out_check_port_sec") \ - PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 9, "ls_out_apply_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_SAMPLE, 5, "ls_out_acl_sample") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 6, "ls_out_acl_action") \ + PIPELINE_STAGE(SWITCH, OUT, QOS, 7, "ls_out_qos") \ + PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 8, "ls_out_stateful") \ + PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 9, "ls_out_check_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 10, "ls_out_apply_port_sec") \ \ /* Logical router ingress stages. */ \ PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index ba85e4bfd7..3abd5f75bb 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -867,7 +867,47 @@ -

Ingress Table 9: from-lport ACL action

+

Ingress Table 9: from-lport ACL sampling

+ +

+ Logical flows in this table sample traffic matched by + from-lport ACLs with sampling enabled. +

+ +
    +
  • + If no ACLs have sampling enabled, then a priority 0 flow is installed + that matches everything and advances to the next table. +
  • + +
  • + For each ACL with sample_new configured a priority 1100 flow is + installed that matches on the saved observation_point_id value. + This flow generates a sample() action and then advances + the packet to the next table. +
  • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id value + for established traffic in the original direction. This flow + generates a sample() action and then advances + the packet to the next table. +
  • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id + value for established traffic in the reply direction. This flow + generates a sample() action and then advances + the packet to the next table. Note: this flow is installed in the + opposite pipeline (in the ingress pipeline for ACLs applied in the + egress direction and in the egress pipeline for ACLs applied in the + ingress direction). +
  • +
+ +

Ingress Table 10: from-lport ACL action

Logical flows in this table decide how to proceed based on the values of @@ -907,7 +947,7 @@ -

Ingress Table 10: from-lport QoS

+

Ingress Table 11: from-lport QoS

Logical flows in this table closely reproduce those in the @@ -930,7 +970,7 @@ -

Ingress Table 11: Load balancing affinity check

+

Ingress Table 12: Load balancing affinity check

Load balancing affinity check table contains the following @@ -958,7 +998,7 @@ -

Ingress Table 12: LB

+

Ingress Table 13: LB

  • @@ -1038,7 +1078,7 @@
-

Ingress Table 13: Load balancing affinity learn

+

Ingress Table 14: Load balancing affinity learn

Load balancing affinity learn table contains the following @@ -1069,7 +1109,7 @@ -

Ingress Table 14: Pre-Hairpin

+

Ingress Table 15: Pre-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1087,7 +1127,7 @@
-

Ingress Table 15: Nat-Hairpin

+

Ingress Table 16: Nat-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1122,7 +1162,7 @@
-

Ingress Table 16: Hairpin

+

Ingress Table 17: Hairpin

  • @@ -1160,7 +1200,7 @@

-

Ingress table 17: from-lport ACL evaluation after LB

+

Ingress table 18: from-lport ACL evaluation after LB

Logical flows in this table closely reproduce those in the @@ -1245,7 +1285,47 @@ -

Ingress Table 18: from-lport ACL action after LB

+

Ingress Table 19: from-lport ACL sampling after LB

+ +

+ Logical flows in this table sample traffic matched by + from-lport ACLs (evaluation after LB) with sampling enabled. +

+ +
    +
  • + If no ACLs have sampling enabled, then a priority 0 flow is installed + that matches everything and advances to the next table. +
  • + +
  • + For each ACL with sample_new configured a priority 1100 flow is + installed that matches on the saved observation_point_id value. + This flow generates a sample() action and then advances + the packet to the next table. +
  • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id value + for established traffic in the original direction. This flow + generates a sample() action and then advances + the packet to the next table. +
  • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id + value for established traffic in the reply direction. This flow + generates a sample() action and then advances + the packet to the next table. Note: this flow is installed in the + opposite pipeline (in the ingress pipeline for ACLs applied in the + egress direction and in the egress pipeline for ACLs applied in the + ingress direction). +
  • +
+ +

Ingress Table 20: from-lport ACL action after LB

Logical flows in this table decide how to proceed based on the values of @@ -1285,7 +1365,7 @@ -

Ingress Table 19: Stateful

+

Ingress Table 21: Stateful

  • @@ -1308,7 +1388,7 @@
-

Ingress Table 20: ARP/ND responder

+

Ingress Table 22: ARP/ND responder

This table implements ARP/ND responder in a logical switch for known @@ -1643,7 +1723,7 @@ output; -

Ingress Table 21: DHCP option processing

+

Ingress Table 23: DHCP option processing

This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1704,7 +1784,7 @@ next; -

Ingress Table 22: DHCP responses

+

Ingress Table 24: DHCP responses

This table implements DHCP responder for the DHCP replies generated by @@ -1785,7 +1865,7 @@ output; -

Ingress Table 23 DNS Lookup

+

Ingress Table 25 DNS Lookup

This table looks up and resolves the DNS names to the corresponding @@ -1814,7 +1894,7 @@ reg0[4] = dns_lookup(); next; -

Ingress Table 24 DNS Responses

+

Ingress Table 26 DNS Responses

This table implements DNS responder for the DNS replies generated by @@ -1849,7 +1929,7 @@ output; -

Ingress table 25 External ports

+

Ingress table 27 External ports

Traffic from the external logical ports enter the ingress @@ -1892,7 +1972,7 @@ output; -

Ingress Table 26 Destination Lookup

+

Ingress Table 28 Destination Lookup

This table implements switching behavior. It contains these logical @@ -2090,7 +2170,7 @@ output; -

Ingress Table 27 Destination unknown

+

Ingress Table 29 Destination unknown

This table handles the packets whose destination was not found or @@ -2298,26 +2378,31 @@ output; -

Egress Table 5: to-lport ACL action

+

Egress Table 5: to-lport ACL sampling

+

+ This is similar to ingress table ACL sampling. +

+ +

Egress Table 6: to-lport ACL action

This is similar to ingress table ACL action.

-

Egress Table 6: to-lport QoS

+

Egress Table 7: to-lport QoS

This is similar to ingress table QoS except they apply to to-lport QoS rules.

-

Egress Table 7: Stateful

+

Egress Table 8: Stateful

This is similar to ingress table Stateful except that there are no rules added for load balancing new connections.

-

Egress Table 8: Egress Port Security - check

+

Egress Table 9: Egress Port Security - check

This is similar to the port security logic in table @@ -2346,7 +2431,7 @@ output; -

Egress Table 9: Egress Port Security - Apply

+

Egress Table 10: Egress Port Security - Apply

This is similar to the ingress port security logic in ingress table diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index a6a377f20b..65cdfd1446 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.5.0", - "cksum": "1137408189 36223", + "version": "7.6.0", + "cksum": "3043867667 38283", "tables": { "NB_Global": { "columns": { @@ -30,6 +30,41 @@ "ipsec": {"type": "boolean"}}, "maxRows": 1, "isRoot": true}, + "Sample_Collector": { + "columns": { + "id": {"type": {"key": { + "type": "integer", + "minInteger": 1, + "maxInteger": 15}}}, + "name": {"type": "string"}, + "probability": {"type": {"key": { + "type": "integer", + "minInteger": 0, + "maxInteger": 65535}}}, + "set_id": {"type": {"key": { + "type": "integer", + "minInteger": 1, + "maxInteger": 4294967295}}}, + "external_ids": {"type": {"key": "string", "value": "string", + "min": 0, "max": "unlimited"}} + }, + "indexes": [["id"]], + "isRoot": true + }, + "Sample": { + "columns": { + "collectors": {"type": {"key": {"type": "uuid", + "refTable": "Sample_Collector", + "refType": "strong"}, + "min": 0, + "max": "unlimited"}}, + "metadata": {"type": {"key": {"type": "integer", + "minInteger": 1, + "maxInteger": 4294967295}, + "min": 1, "max":1}} + }, + "indexes": [["metadata"]] + }, "Copp": { "columns": { "name": {"type": "string"}, @@ -275,6 +310,14 @@ "tier": {"type": {"key": {"type": "integer", "minInteger": 0, "maxInteger": 3}}}, + "sample_new": {"type": {"key": {"type": "uuid", + "refTable": "Sample", + "refType": "strong"}, + "min": 0, "max": 1}}, + "sample_est": {"type": {"key": {"type": "uuid", + "refTable": "Sample", + "refType": "strong"}, + "min": 0, "max": 1}}, "options": { "type": {"key": "string", "value": "string", diff --git a/ovn-nb.xml b/ovn-nb.xml index bc44f67642..df6cf4c441 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml 
@@ -511,6 +511,48 @@ + + + Sample collector unique id used for differentiating collectors that use + the same set_id with different probability + values. The supported value range for IDs is 1-15. + + Name of the sample collector. + + Sampling probability for this collector. It must be an integer number + between 0 and 65535. A value of 0 corresponds to no packets being + sampled while a value of 65535 corresponds to all packets being sampled. + + + The 8-bit integer identifier of the set of of collectors to send + packets to. See Flow_Sample_Collector_Set Table in ovs-vswitchd's + database schema. + + + See External IDs at the beginning of this document. + +
+ + +

+ This table describes a Sampling configuration. Entries in other tables + might be associated with Sample entries to indicate how the sample + should be generated. + + For an example, see . +

+ + A list of references to records to be + used when generating samples (e.g., IPFIX). A sample can be sent to + multiple collectors simultaneously. + + + Will be used as Observation Point ID in every sample. The Observation + Domain ID will be generated by ovn-northd and includes the logical + datapath key as the least significant 24 bits and the sampling + application type (e.g., drop debugging) as the 8 most significant bits. + +
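Review bot: the Sample_Collector `set_id` text says "The 8-bit integer identifier of the set of of collectors", but the schema allows 1..4294967295 and the OVS Flow_Sample_Collector_Set id it refers to is a 32-bit value; fix the width and the doubled "of". The `id` column says the range is 1-15 without saying why; since the Sample text defines the Observation Domain ID as a 24-bit datapath key plus an 8-bit application type, state where the collector id ends up, because anyone correlating IPFIX records needs to know how domain, point and collector ids map back to a datapath and an ACL. Finally, `Sample` carries a unique index on `metadata`, so two ACLs cannot report the same observation point id to different collector sets; if that is intended, say so in the column text.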

This table is used to define control plane protection policies, i.e., @@ -2342,6 +2384,12 @@ or created only for allowed connections so the label is valid only for allow and allow-related actions.

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_new or sample_est configuration. +

@@ -2551,6 +2599,33 @@ or + +

+ The entry in the table to use for sampling for + new sessions matched by this ACL. In case the ACL is stateless + this is used for sampling all traffic matched by the ACL. +

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_new configuration. +

+
+ + +

+ The entry in the table to use for sampling for + established/related sessions matched by this ACL. +

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_est configuration. +

+
+ This column provides general key/value settings. The supported diff --git a/tests/atlocal.in b/tests/atlocal.in index 32d1c374ea..29e1bb2982 100644 --- a/tests/atlocal.in +++ b/tests/atlocal.in @@ -196,6 +196,12 @@ find_command bfdd-beacon # Set HAVE_ARPING find_command arping +# Set HAVE_NFCAPD +find_command nfcapd + +# Set HAVE_NFDUMP +find_command nfdump + # Turn off proxies. unset http_proxy unset https_proxy diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 74bff9035a..50da0de19c 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -944,7 +944,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -965,9 +965,9 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i @@ -987,7 +987,7 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 10; then 
@@ -1013,12 +1013,12 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i * 2)) 
@@ -1121,7 +1121,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1142,9 +1142,9 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id flow + 3 tp_dst flows) = 4 extra flows 
@@ -1157,7 +1157,7 @@ priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=33 grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1184,9 +1184,9 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((14 - $i)) 
@@ -1209,7 +1209,7 @@ for i in $(seq 10); do grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1319,7 +1319,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1343,7 +1343,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows 
@@ -1356,7 +1356,7 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=conjunction,1/2) @@ -1385,7 +1385,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((21 - $i*2)) 
@@ -1411,9 +1411,9 @@ for i in $(seq 2 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i 
@@ -1437,8 +1437,8 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) elif test "$i" = 10; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) @@ -1478,7 +1478,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1504,8 +1504,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2)) 
@@ -1517,12 +1517,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=lo grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi done 
@@ -1578,7 +1578,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1604,8 +1604,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) elif test "$i" -lt 6; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2)) 
@@ -1620,12 +1620,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=lo grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi done 
@@ -1687,7 +1687,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1708,7 +1708,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows @@ -1721,7 +1721,7 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) 
@@ -1748,7 +1748,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((21 - $i*2)) @@ -1771,7 +1771,7 @@ for i in $(seq 10); do grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) 
@@ -1811,7 +1811,7 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1835,7 +1835,7 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1874,7 +1874,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1897,8 +1897,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1922,8 +1922,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) 
@@ -1953,8 +1953,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1999,7 +1999,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -2020,9 +2020,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i @@ -2043,7 +2043,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 5; then 
@@ -2084,7 +2084,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -2105,9 +2105,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i 
@@ -2127,7 +2127,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 5; then @@ -2167,7 +2167,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) ovn-nbctl create address_set name=as1 addresses=8.8.8.8 check ovn-nbctl acl-add ls1 to-lport 100 'outport == "ls1-lp1" && ip4.src == $as1' drop @@ -2939,7 +2939,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -2950,7 +2950,7 @@ check ovn-nbctl add address_set as1 addresses 10.0.0.0/24 check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) check ovn-nbctl add address_set as1 addresses 10.0.0.1 
@@ -2960,22 +2960,22 @@ check ovn-nbctl add address_set as1 addresses 10.0.0.4 check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) check ovn-appctl inc-engine/recompute AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) 
-priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) OVN_CLEANUP([hv1]) diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at index a7a59a9124..eca642a67a 100644 --- a/tests/ovn-macros.at +++ b/tests/ovn-macros.at @@ -1129,6 +1129,10 @@ ovn_strip_lflows() { sed 's/table=[[0-9]]\{1,2\}\s\?/table=??/g' | sort } +ovn_strip_collector_set() { + sed 's/collector_set=[[0-9]]*,\?/collector_set=??,/g' +} + OVS_END_SHELL_HELPERS m4_define([OVN_POPULATE_ARP], [AT_CHECK(ovn_populate_arp__, [0], [ignore])]) 
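Review bot: in `ovn_strip_collector_set()`, the pattern `collector_set=[[0-9]]*,\?` makes the trailing comma optional on the match side, but the replacement `collector_set=??,` always emits one, so a `collector_set=N` that is the last key in a `sample(...)` action (or is followed by `)`) would gain a spurious comma and the normalised output would no longer match the expected text. Either drop the `\?` so only the comma-terminated form is rewritten, or capture the delimiter and echo it back, e.g. `sed 's/collector_set=[[0-9]]*\([[,)]]\)/collector_set=??\1/g'`. The `*` quantifier also lets `collector_set=,` (no digits) through silently; `[[0-9]]\{1,\}` would make a missing id visible instead of masking it.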
@@ -1189,11 +1193,11 @@ m4_define([OVN_CHECK_SCAPY_EDNS_CLIENT_SUBNET_SUPPORT], m4_define([OFTABLE_PHY_TO_LOG], [0]) m4_define([OFTABLE_LOG_INGRESS_PIPELINE], [8]) -m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [37]) -m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [38]) -m4_define([OFTABLE_REMOTE_OUTPUT], [39]) -m4_define([OFTABLE_LOCAL_OUTPUT], [40]) -m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [42]) +m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [40]) +m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [41]) +m4_define([OFTABLE_REMOTE_OUTPUT], [42]) +m4_define([OFTABLE_LOCAL_OUTPUT], [43]) +m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [45]) m4_define([OFTABLE_SAVE_INPORT], [64]) m4_define([OFTABLE_LOG_TO_PHY], [65]) m4_define([OFTABLE_MAC_BINDING], [66]) diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 797ee0b45e..2efa13b938 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at 
@@ -2803,6 +2803,42 @@ check_row_count nb:ACL 0 dnl --------------------------------------------------------------------- +OVN_NBCTL_TEST([acl_sampling], [ACL sampling operations], [ +check ovn-nbctl ls-add ls +ovn-nbctl \ + --id=@sample1 create Sample metadata=4301 -- \ + --sample-new=@sample1 acl-add ls from-lport 1 1 allow-related +sample1=$(fetch_column nb:Sample _uuid metadata=4301) +check_column "$sample1" nb:ACL sample_new priority=1 + +ovn-nbctl \ + --id=@sample2 create Sample metadata=4302 -- \ + --sample-est=@sample2 acl-add ls from-lport 2 1 allow-related +sample2=$(fetch_column nb:Sample _uuid metadata=4302) +check_column "$sample2" nb:ACL sample_est priority=2 + +ovn-nbctl \ + --id=@sample3 create Sample metadata=4303 -- \ + --id=@sample4 create Sample metadata=4304 -- \ + --sample-new=@sample3 --sample-est=@sample4 acl-add ls from-lport 3 1 allow-related +sample3=$(fetch_column nb:Sample _uuid metadata=4303) +sample4=$(fetch_column nb:Sample _uuid metadata=4304) +check_column "$sample3" nb:ACL sample_new priority=3 +check_column "$sample4" nb:ACL sample_est priority=3 + +dnl Check invalid sample_new and sample_est values. +AT_CHECK([ovn-nbctl --sample-new=foo acl-add ls from-lport 4 1 allow-related], [1], [], [dnl +ovn-nbctl: invalid --sample-new: "foo" is not a valid UUID +]) + +AT_CHECK([ovn-nbctl --sample-est=bar acl-add ls from-lport 4 1 allow-related], [1], [], [dnl +ovn-nbctl: invalid --sample-est: "bar" is not a valid UUID +]) + +]) + +dnl --------------------------------------------------------------------- + AT_SETUP([ovn-nbctl - daemon retry connection]) OVN_NBCTL_TEST_START daemon pid=$(cat ovsdb-server.pid) diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index ebf02ef10a..6cc372b8a4 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -4609,7 +4609,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4633,7 +4633,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) } 
@@ -4676,7 +4676,7 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4697,7 +4697,7 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # LB with event=false and reject=false 
@@ -4726,23 +4726,23 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + 
table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # Add new ACL without label 
@@ -4753,27 +4753,27 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; 
reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # Delete new ACL with label 
@@ -4790,7 +4790,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl @@ -4800,7 +4800,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP ]) 
@@ -4828,7 +4828,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AS_BOX([from-lport --apply-after-lb allow-related ACL]) @@ -4836,7 +4836,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AS_BOX([to-lport allow-related ACL]) @@ -4844,7 +4844,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AT_CLEANUP 
@@ -7680,7 +7680,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) @@ -7735,7 +7735,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) 
@@ -7790,7 +7790,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP 
@@ -8069,15 +8069,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8094,15 +8097,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8119,15 +8125,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8154,11 +8163,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) 
@@ -8169,6 +8180,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8191,11 +8203,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) 
@@ -8206,6 +8220,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8228,11 +8243,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) 
@@ -8243,6 +8260,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8266,6 +8284,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) 
@@ -8284,6 +8303,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) @@ -8310,6 +8330,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) 
@@ -8340,10 +8361,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8354,6 +8377,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8377,10 +8401,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8391,6 +8417,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8414,10 +8441,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) @@ -8428,6 +8457,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8453,6 +8483,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) @@ -8469,6 +8500,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) 
@@ -8495,6 +8527,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) 
@@ -8524,10 +8557,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) 
@@ -8539,6 +8574,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8561,10 +8597,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) 
@@ -8576,6 +8614,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) 
@@ -8598,10 +8637,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) 
@@ -8613,6 +8654,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8636,6 +8678,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) 
@@ -8652,6 +8695,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) @@ -8680,6 +8724,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) 
@@ -9925,8 +9970,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 @@ -9940,8 +9987,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 
@@ -9955,8 +10004,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) @@ -9968,8 +10019,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 
@@ -9982,8 +10035,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) AT_CLEANUP 
@@ -12521,6 +12576,284 @@ AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflow AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL Sampling]) +AT_KEYWORDS([acl]) + +ovn_start + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=65535 set_id=200) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 00:00:00:00:00:01 \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 00:00:00:00:00:02 +check ovn-nbctl --wait=sb sync + +base_flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.2" +m4_define([TRACE_FILTER], [grep -e sample -e commit -e reg9 | grep -v _sample | sort]) + +AS_BOX([from-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1100 , 
match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. 
+flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); +]) + +AS_BOX([from-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). 
+flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AS_BOX([from-lport-after-lb ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ + --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); +]) + +AS_BOX([from-lport-after-lb ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) 
+ table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AS_BOX([to-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), 
action=(next;) + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. 
+flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); +]) + +AS_BOX([to-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). 
+flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AT_CLEANUP +]) + +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL Sampling - same collector set id, multiple probabilities]) +AT_KEYWORDS([acl]) + +ovn_start + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=10000 set_id=100) +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=20000 set_id=100) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 00:00:00:00:00:01 \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 00:00:00:00:00:02 + +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector2" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4303 -- \ + --id=@sample2 create Sample collector="$collector2" metadata=4304 -- \ + --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4305 -- \ + --id=@sample2 create Sample collector="$collector2" metadata=4306 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1" allow-related + +check_row_count nb:ACL 3 +check_row_count nb:Sample 6 +check ovn-nbctl --wait=sb sync + +AT_CHECK([ovn-sbctl lflow-list | grep probability | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4303), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4303); 
next;) + table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304); next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306); next;) + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4305), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4305); next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306); next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304); next;) +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with 
match]) ovn_start diff --git a/tests/ovn.at b/tests/ovn.at index cee361188a..0f401ab96a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -329,6 +329,8 @@ ct.trk = ct_state[5] ct_label = NXM_NX_CT_LABEL ct_label.ecmp_reply_eth = ct_label[32..79] ct_label.label = ct_label[96..127] +ct_label.obs_point_id = ct_label[96..127] +ct_label.obs_unused = ct_label[0..95] ct_mark = NXM_NX_CT_MARK ct_mark.blocked = ct_mark[0] ct_mark.ecmp_reply_port = ct_mark[16..31] @@ -1355,6 +1357,11 @@ ct_commit(ct_label=18446744073709551615); ct_commit(ct_label=18446744073709551616); Syntax error at `(' expecting `;'. +# Observation domain and point id. +ct_commit { ct_label.obs_point_id = reg2; }; + encodes as ct(commit,zone=NXM_NX_REG13[[0..15]],exec(move:NXM_NX_XXREG0[[32..63]]->NXM_NX_CT_LABEL[[96..127]])) + has prereqs ip + ct_mark = 12345 Field ct_mark is not modifiable. ct_mark.blocked = 1/1 @@ -13405,7 +13412,7 @@ tpa=$(ip_to_hex 10 0 0 100) send_garp 1 000000000001 ffffffffffff $spa $tpa dnl traffic from localport should not be sent to localnet -AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl +AT_CHECK([tcpdump -vnne -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl 0 ],[ignore]) @@ -18565,7 +18572,7 @@ AT_CHECK([cat 2.packets], [0], [expout]) # There should be total of 9 flows present with conjunction action and 2 flows # with conj match. Eg. -# table=ls_out_acl_eval, priority=2001,conj_id=2,metadata=0x1 actions=resubmit(,ls_out_acl_action) +# table=ls_out_acl_eval, priority=2001,conj_id=2,metadata=0x1 actions=resubmit(,ls_out_acl_sample) # table=ls_out_acl_eval, priority=2001,conj_id=3,metadata=0x1 actions=drop # priority=2001,ip,metadata=0x1,nw_dst=10.0.0.6 actions=conjunction(2,2/2) # priority=2001,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(2,2/2) 
@@ -18856,7 +18863,7 @@ check ovn-nbctl --wait=hv sync # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) ovn-sbctl dump-flows > sbflows AT_CAPTURE_FILE([sbflows]) @@ -18924,11 +18931,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -18969,11 +18976,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -18987,8 +18994,8 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction() 
@@ -19027,11 +19034,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -19048,16 +19055,16 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() - table=$acl_eval, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + 
table=$acl_eval, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) OVN_CLEANUP([hv1]) @@ -22081,7 +22088,7 @@ check_virtual_offlows_present() { lr0_public_dp_key=$(printf "%x" $(fetch_column Port_Binding tunnel_key logical_port=lr0-public)) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=$acl_eval,ip | ofctl_strip_all | grep "priority=2000"], [0], [dnl - table=$acl_eval, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_out_acl_action)) + table=$acl_eval, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample)) ]) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=$ip_input | ofctl_strip_all | \ @@ -32529,7 +32536,7 @@ ovs-ofctl dump-flows br-int table=$acl_eval | grep "reg14=0x${rtr_port_key},meta # 42.42.42.42 coming from the router port. AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42"], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_in_acl_action)) + table=$acl_eval, priority=1001,ip,reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_in_acl_sample)) ]) OVN_CLEANUP([hv1]) 
@@ -34386,8 +34393,8 @@ check ovn-nbctl set nb_global . options:use_common_zone="true" check ovn-nbctl --wait=hv sync # Use constants so that if tables or registers change, this test can # be updated easily. -DNAT_TABLE=16 -SNAT_TABLE=45 +DNAT_TABLE=$(ovn-debug lflow-stage-to-oftable lr_in_dnat) +SNAT_TABLE=$(ovn-debug lflow-stage-to-oftable lr_out_snat) DNAT_ZONE_REG="NXM_NX_REG11[[0..15]]" SNAT_ZONE_REG="NXM_NX_REG12[[0..15]]" @@ -35528,7 +35535,7 @@ ovn-nbctl --wait=hv sync # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_in_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_in_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_in_acl_sample) dnl Ensure the ACL is not translated to OpenFlow. as hv1 
@@ -35543,14 +35550,14 @@ lsp2=0x$(fetch_column Port_Binding tunnel_key logical_port=lsp2) dnl Ensure the ACL is translated to OpenFlows expanding pg1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove a port from pg1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv pg-set-ports pg1 lsp2 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Change the Chassis_Template_Var mapping to use the address set. 
@@ -35559,14 +35566,14 @@ check ovn-nbctl --wait=hv set Chassis_Template_Var hv1 variables:CONDITION='ip4. dnl Ensure the ACL is translated to OpenFlows expanding as1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove an IP from AS1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv set address_set as1 addresses=\"1.1.1.1\" AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove the mapping and expect OpenFlows to be removed. diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index 691c271a3a..c595561734 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at 
@@ -237,6 +237,17 @@ m4_define([STRIP_MONITOR_CSUM], [grep "csum:" | sed 's/csum:.*/csum: /']) m4_define([FORMAT_CT], [[grep -F "dst=$1," | sed -e 's/port=[0-9]*/port=/g' -e 's/id=[0-9]*/id=/g' -e 's/state=[0-9_A-Z]*/state=/g' | sort | uniq]]) +# DAEMONIZE([command], [pidfile]) +# +# Run 'command' as a background process and record its pid to 'pidfile' to +# allow cleanup on exit. +# +m4_define([DAEMONIZE], + [$1 & echo $! > $2 + echo "kill \`cat $2\`" >> cleanup + ] +) + # NETNS_DAEMONIZE([namespace], [command], [pidfile]) # # Run 'command' as a background process within 'namespace' and record its pid diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 7770d58dc3..ef9652f02a 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at 
@@ -13050,3 +13050,468 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d /connection dropped.*/d"]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- ACL Sampling]) +AT_SKIP_IF([test $HAVE_NFCAPD = no]) +AT_SKIP_IF([test $HAVE_NFDUMP = no]) +AT_KEYWORDS([ACL]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +dnl Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +dnl Start ovn-controller +start_daemon ovn-controller + +dnl Logical network: +dnl 1 logical switch connetected to one logical router +dnl 6 UDP load balancers (ports 1000, 1010, 2000, 2010, 3000, 3010) +dnl 2 VIFs + +check ovn-nbctl \ + -- lr-add rtr \ + -- lrp-add rtr rtr-ls 00:00:00:00:01:00 42.42.42.1/24 \ + -- ls-add ls \ + -- lsp-add ls ls-rtr \ + -- lsp-set-addresses ls-rtr 00:00:00:00:01:00 \ + -- lsp-set-type ls-rtr router \ + -- lsp-set-options ls-rtr router-port=rtr-ls \ + -- lsp-add ls vm1 -- lsp-set-addresses vm1 00:00:00:00:00:01 \ + -- lsp-add ls vm2 -- lsp-set-addresses vm2 00:00:00:00:00:02 \ + -- lb-add lb1 43.43.43.43:1000 42.42.42.3:1000 udp \ + -- lb-add lb2 43.43.43.43:1010 42.42.42.3:1010 udp \ + -- lb-add lb3 43.43.43.43:2000 42.42.42.3:2000 udp \ + -- lb-add lb4 43.43.43.43:2010 42.42.42.3:2010 udp \ + -- lb-add lb5 43.43.43.43:3000 42.42.42.3:3000 udp \ + -- lb-add lb6 43.43.43.43:3010 42.42.42.3:3010 udp \ + -- ls-lb-add ls lb1 \ + -- ls-lb-add ls lb2 \ + -- ls-lb-add ls lb3 \ + -- ls-lb-add ls lb4 \ + -- ls-lb-add ls lb5 \ + -- ls-lb-add ls lb6 + +ADD_NAMESPACES(vm1) +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", "00:00:00:00:00:01", "42.42.42.1") + 
+ADD_NAMESPACES(vm2) +ADD_VETH(vm2, vm2, br-int, "42.42.42.3/24", "00:00:00:00:00:02", "42.42.42.1") + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=65535 set_id=200) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +dnl Create ACLs that match the 3 types of traffic in all 3 possible stages: +dnl from-lport, from-lport-after-lb, to-lport. +ovn-nbctl \ + -- --id=@sample_in_1c_new create Sample collector="$collector1" metadata=1001 \ + -- --id=@sample_in_1c_est create Sample collector="$collector1" metadata=1002 \ + -- --sample-new=@sample_in_1c_new --sample-est=@sample_in_1c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + allow-related +ovn-nbctl \ + -- --id=@sample_in_2c_new create Sample collector="$collector1 $collector2" metadata=1011 \ + -- --id=@sample_in_2c_est create Sample collector="$collector1 $collector2" metadata=1012 \ + -- --sample-new=@sample_in_2c_new --sample-est=@sample_in_2c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1010" \ + allow-related + +ovn-nbctl \ + -- --id=@sample_in_lb_1c_new create Sample collector="$collector1" metadata=2001 \ + -- --id=@sample_in_lb_1c_est create Sample collector="$collector1" metadata=2002 \ + -- --apply-after-lb --sample-new=@sample_in_lb_1c_new \ + --sample-est=@sample_in_lb_1c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 2000" \ + allow-related +ovn-nbctl \ + -- --id=@sample_in_lb_2c_new create Sample collector="$collector1 $collector2" metadata=2011 \ + -- --id=@sample_in_lb_2c_est create Sample collector="$collector1 $collector2" metadata=2012 \ + -- --apply-after-lb --sample-new=@sample_in_lb_2c_new --sample-est=@sample_in_lb_2c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 
2010" \ + allow-related + +ovn-nbctl \ + -- --id=@sample_out_1c_new create Sample collector="$collector1" metadata=3001 \ + -- --id=@sample_out_1c_est create Sample collector="$collector1" metadata=3002 \ + -- --sample-new=@sample_out_1c_new --sample-est=@sample_out_1c_est \ + acl-add ls to-lport 1 "outport == \"vm2\" && udp.dst == 3000" \ + allow-related +ovn-nbctl \ + -- --id=@sample_out_2c_new create Sample collector="$collector1 $collector2" metadata=3011 \ + -- --id=@sample_out_2c_est create Sample collector="$collector1 $collector2" metadata=3012 \ + -- --sample-new=@sample_out_2c_new --sample-est=@sample_out_2c_est \ + acl-add ls to-lport 1 "outport == \"vm2\" && udp.dst == 3010" \ + allow-related + +check_row_count nb:ACL 6 +check_row_count nb:Sample 12 + +dnl Wait for ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +dnl Start an IPFIX collector. +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err], [collector.pid]) + +dnl Wait for the collector to be up. +OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' collector.err]) + +dnl Configure the OVS flow sample collector. +ovs-vsctl --id=@br get Bridge br-int \ + -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \ + -- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br ipfix=@ipfix + +dnl And wait for it to be up and running. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '1 ids']) + +dnl Start UDP echo server on vm2. 
+NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1000], [nc-vm2-1000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1010], [nc-vm2-1010.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 2000], [nc-vm2-2000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 2010], [nc-vm2-2010.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 3000], [nc-vm2-3000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 3010], [nc-vm2-3010.pid]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 1000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 1010]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport after-lb ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 2000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 2010]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 3000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 3010]) + +dnl Wait until OVS sampled all expected packets (4 data packets + 1 ICMP +dnl port unreachable error on each session). +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q 'sampled pkts=30']) + +dnl Check the IPFIX samples. +kill $(cat collector.pid) +OVS_WAIT_WHILE([kill -0 $(cat collector.pid) 2>/dev/null]) + +dnl Can't match on observation domain ID due to the followig fix not being +dnl available in any released version of nfdump: +dnl https://github.com/phaag/nfdump/issues/544 +dnl +dnl Only match on the point ID. 
+dnl +dnl Expect for each ACL: +dnl - one sample for new packets +dnl - four samples for established packets (3 data + one icmp error) +AT_CHECK([for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observationPointID | awk '{$1=$1;print}' | sort], [0], [dnl +"observationPointID" : 1001, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1011, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 2001, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2011, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 3001, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3011, +"observationPointID" : 3012, +"observationPointID" : 3012, +"observationPointID" : 3012, +"observationPointID" : 3012, +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + +AT_CLEANUP +]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- Tiered ACL Sampling]) +AT_SKIP_IF([test $HAVE_NFCAPD = no]) +AT_SKIP_IF([test $HAVE_NFDUMP = no]) +AT_KEYWORDS([ACL]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +dnl Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . 
external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +dnl Start ovn-controller +start_daemon ovn-controller + +dnl Logical network: +dnl 1 logical switch +dnl 2 VIFs + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls vm1 -- lsp-set-addresses vm1 00:00:00:00:00:01 \ + -- lsp-add ls vm2 -- lsp-set-addresses vm2 00:00:00:00:00:02 +ADD_NAMESPACES(vm1) +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", "00:00:00:00:00:01", "42.42.42.1") + +ADD_NAMESPACES(vm2) +ADD_VETH(vm2, vm2, br-int, "42.42.42.3/24", "00:00:00:00:00:02", "42.42.42.1") + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +check_row_count nb:Sample_Collector 1 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +dnl Create two tiers of ACLs. +ovn-nbctl \ + -- --id=@sample_1_new create Sample collector="$collector1" metadata=1001 \ + -- --id=@sample_1_est create Sample collector="$collector1" metadata=1002 \ + -- --tier=0 --sample-new=@sample_1_new --sample-est=@sample_1_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + pass + +ovn-nbctl \ + -- --id=@sample_2_new create Sample collector="$collector1" metadata=2001 \ + -- --id=@sample_2_est create Sample collector="$collector1" metadata=2002 \ + -- --tier=1 --sample-new=@sample_2_new --sample-est=@sample_2_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + allow-related + +check_row_count nb:ACL 2 +check_row_count nb:Sample 4 + +dnl Wait for ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +dnl Start an IPFIX collector. +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err], [collector.pid]) + +dnl Wait for the collector to be up. +OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' 
collector.err]) + +dnl Configure the OVS flow sample collector. +ovs-vsctl --id=@br get Bridge br-int \ + -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \ + -- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br ipfix=@ipfix + +dnl And wait for it to be up and running. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '1 ids']) + +dnl Start UDP echo server on vm2. +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1000], [nc-vm2-1000.pid]) + +dnl Send traffic to the UDP server (hits both ACL tiers). +NS_CHECK_EXEC([vm1], [echo a | nc --send-only -u 42.42.42.3 1000]) + +dnl Wait until OVS sampled all expected packets: +dnl - first packet sampled by both tiers +dnl - reply packet sampled by last tier (established session) +dnl - related ICMP port unreachable error sampled by last tier (established session) +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q 'sampled pkts=4']) + +dnl Check the IPFIX samples. +kill $(cat collector.pid) +OVS_WAIT_WHILE([kill -0 $(cat collector.pid) 2>/dev/null]) + +dnl Can't match on observation domain ID due to the followig fix not being +dnl available in any released version of nfdump: +dnl https://github.com/phaag/nfdump/issues/544 +dnl +dnl Only match on the point ID. 
+AT_CHECK([for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observationPointID | awk '{$1=$1;print}' | sort], [0], [dnl +"observationPointID" : 1001, +"observationPointID" : 2001, +"observationPointID" : 2002, +"observationPointID" : 2002, +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + +AT_CLEANUP +]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- ACL Sampling - Stateful ACL - to-lport router port]) +AT_SKIP_IF([test $HAVE_NFCAPD = no]) +AT_SKIP_IF([test $HAVE_NFDUMP = no]) +AT_KEYWORDS([ACL]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +dnl Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . 
external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +dnl Start ovn-controller +start_daemon ovn-controller + +dnl Logical network: +dnl 1 router +dnl 1 logical switch +dnl 1 VIF + +check ovn-nbctl \ + -- lr-add lr \ + -- lrp-add lr lrp1 00:00:00:00:01:00 42.42.42.1/24 \ + -- ls-add ls \ + -- lsp-add ls vm1 \ + -- lsp-set-addresses vm1 00:00:00:00:00:01 \ + -- lsp-add ls ls-lr \ + -- lsp-set-type ls-lr router \ + -- lsp-set-options ls-lr router-port=lrp1 \ + -- lsp-set-addresses ls-lr router +check ovn-nbctl --wait=sb sync + +ADD_NAMESPACES(vm1) +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", "00:00:00:00:00:01", "42.42.42.1") + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=65535 set_id=200) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +check_row_count nb:Sampling_App 1 + +dnl Create three ACLs: +dnl - one from-lport, stateful, allowing all traffic +dnl - one to-lport, dropping all traffic to 1.1.1.1 (single collector) +dnl - one to-lport, dropping all traffic to 1.1.1.2 (two collectors) +ovn-nbctl \ + -- --id=@sample1 create Sample collector="$collector1" metadata=1001 \ + -- --id=@sample2 create Sample collector="$collector1" metadata=1002 \ + -- --id=@sample3 create Sample collector="$collector1 $collector2" metadata=1003 \ + -- --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related \ + -- --sample-new=@sample2 acl-add ls to-lport 1 "ip4.dst == 1.1.1.1" drop \ + -- --sample-new=@sample3 acl-add ls to-lport 1 "ip4.dst == 1.1.1.2" drop + +check_row_count nb:ACL 3 +check_row_count nb:Sample 3 + +dnl Wait for ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +dnl Start an IPFIX collector. +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err], [collector.pid]) + +dnl Wait for the collector to be up. 
+OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' collector.err]) + +dnl Configure the OVS flow sample collector. +ovs-vsctl --id=@br get Bridge br-int \ + -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \ + -- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br ipfix=@ipfix + +dnl And wait for it to be up and running. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '1 ids']) + +NS_CHECK_EXEC([vm1], [ping -c 1 1.1.1.1], [1], [ignore], [ignore]) +NS_CHECK_EXEC([vm1], [ping -c 1 1.1.1.2], [1], [ignore], [ignore]) + +dnl Wait until OVS sampled the two ICMP packet on two ACLs. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q 'sampled pkts=4']) + +dnl Check the IPFIX samples. +kill $(cat collector.pid) +OVS_WAIT_WHILE([kill -0 $(cat collector.pid) 2>/dev/null]) + +dnl Can't match on observation domain ID due to the followig fix not being +dnl available in any released version of nfdump: +dnl https://github.com/phaag/nfdump/issues/544 +dnl +dnl Only match on the point ID. +AT_CHECK([for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observationPointID | awk '{$1=$1;print}' | sort], [0], [dnl +"observationPointID" : 1001, +"observationPointID" : 1001, +"observationPointID" : 1002, +"observationPointID" : 1003, +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + +AT_CLEANUP +]) diff --git a/utilities/containers/fedora/Dockerfile b/utilities/containers/fedora/Dockerfile index 078180cff3..4dce1e32b4 100755 --- a/utilities/containers/fedora/Dockerfile +++ b/utilities/containers/fedora/Dockerfile @@ -27,6 +27,7 @@ RUN dnf -y update \ libcap-ng-devel \ libtool \ net-tools \ + nfdump \ ninja-build \ nmap-ncat \ numactl-devel \ 
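Review bot: several commands in the new system test run unchecked while the rest of the test wraps its ovn-nbctl calls in check: the "ovn-nbctl create Sampling_App type="acl-new" id="42"" line, the multi-command "ovn-nbctl \ -- --id=@sample1 create Sample ..." invocation that creates the three Sample rows and ACLs, the "ovs-vsctl --id=@br get Bridge br-int ..." IPFIX setup, and "kill $(cat collector.pid)". A failure in any of these would only surface later as a less obvious check_row_count mismatch or an OVS_WAIT_UNTIL timeout, so prefix them with check. Two typos in the dnl comments: "the two ICMP packet" should read "packets" and "followig" should read "following". The comment above OVS_WAIT_UNTIL([... grep -q 'sampled pkts=4']) talks about two packets on two ACLs while the expected count is 4; spelling out that each ping is sampled once by the from-lport allow-related ACL (point 1001) and once by the matching to-lport drop ACL (1002 or 1003) would make both the count and the four expected observationPointID lines easier to follow.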
diff --git a/utilities/containers/ubuntu/Dockerfile b/utilities/containers/ubuntu/Dockerfile index 7cf0751225..073afa8764 100755 --- a/utilities/containers/ubuntu/Dockerfile +++ b/utilities/containers/ubuntu/Dockerfile @@ -33,6 +33,7 @@ RUN apt update -y \ llvm-dev \ ncat \ net-tools \ + nfdump \ ninja-build \ python3-dev \ python3-pip \ diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml index e2657ca02c..e1e5b681e1 100644 --- a/utilities/ovn-nbctl.8.xml +++ b/utilities/ovn-nbctl.8.xml @@ -399,7 +399,7 @@ must be either switch or port-group.

-
[--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--may-exist] [--apply-after-lb] [--tier] acl-add entity direction priority match verdict
+
[--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--sample-new=sample] [--sample-est=sample] [--may-exist] [--apply-after-lb] [--tier] acl-add entity direction priority match verdict

Adds the specified ACL to entity. direction @@ -424,6 +424,12 @@ names a meter configured by meter-add.

+

+ The --sample-new (and optionally + --sample-est) enable ACL sampling. A valid uuid of a + row of the table must be provided. +

+

The --apply-after-lb option sets apply-after-lb=true in the options column diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 679d3f2d93..d45be75c78 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2318,6 +2318,11 @@ nbctl_pre_acl(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_match); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_tier); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_new); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_est); + + ovsdb_idl_add_table(ctx->idl, &nbrec_table_sample_collector); + ovsdb_idl_add_table(ctx->idl, &nbrec_table_sample); } static void @@ -2331,6 +2336,8 @@ nbctl_pre_acl_list(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_severity); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_meter); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_label); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_new); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_est); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); } @@ -2382,6 +2389,8 @@ nbctl_acl_add(struct ctl_context *ctx) const char *severity = shash_find_data(&ctx->options, "--severity"); const char *name = shash_find_data(&ctx->options, "--name"); const char *meter = shash_find_data(&ctx->options, "--meter"); + const char *sample_new = shash_find_data(&ctx->options, "--sample-new"); + const char *sample_est = shash_find_data(&ctx->options, "--sample-est"); if (log || severity || name || meter) { nbrec_acl_set_log(acl, true); } 
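Review bot: the man page sentence "The --sample-new (and optionally --sample-est) enable ACL sampling" is missing the word "option" and has a number-agreement error; suggest "The --sample-new option (and optionally --sample-est) enables sampling for this ACL". It would also help to state what distinguishes the two options (the names suggest packets of new versus established connections, but the text does not say) so that users know when to supply --sample-est. In the same region, nbctl_pre_acl now registers both the Sample_Collector and Sample tables in addition to the two new columns; a brief comment saying that these are needed so the uuid passed to --sample-new/--sample-est can be validated by ctl_set_column would make the dependency clear.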
@@ -2399,6 +2408,30 @@ nbctl_acl_add(struct ctl_context *ctx) nbrec_acl_set_meter(acl, meter); } + if (sample_new) { + char *sample_setting = xasprintf("sample_new=%s", sample_new); + error = ctl_set_column("ACL", &acl->header_, sample_setting, + ctx->symtab); + free(sample_setting); + if (error) { + ctl_error(ctx, "invalid --sample-new: %s", error); + free(error); + return; + } + } + + if (sample_est) { + char *sample_setting = xasprintf("sample_est=%s", sample_est); + error = ctl_set_column("ACL", &acl->header_, sample_setting, + ctx->symtab); + free(sample_setting); + if (error) { + ctl_error(ctx, "invalid --sample-est: %s", error); + free(error); + return; + } + } + /* Set the ACL label */ const char *label = shash_find_data(&ctx->options, "--label"); if (label) { 
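Review bot: the "if (sample_new)" and "if (sample_est)" blocks in nbctl_acl_add are identical apart from the column name and the option name; a small static helper taking the column name, the option name and the value (or a loop over a two-entry table) would halve the code and keep the error message format in one place. Separately, the man page describes --sample-est as an optional addition to --sample-new, but this code accepts --sample-est on its own without complaint; either reject that combination here with ctl_error, or adjust the documentation to say that --sample-est may be used alone.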
@@ -7925,7 +7958,7 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", nbctl_pre_acl, nbctl_acl_add, NULL, "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=," - "--apply-after-lb,--tier=", RW }, + "--apply-after-lb,--tier=,--sample-new=,--sample-est=", RW }, { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", nbctl_pre_acl, nbctl_acl_del, NULL, "--type=,--tier=", RW }, { "acl-list", 1, 1, "{SWITCH | PORTGROUP}", From patchwork Tue Aug 6 09:44:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969405 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Mb/cyYIR; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.137; helo=smtp4.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WdT3D6RDBz1ydt for ; Tue, 6 Aug 2024 19:46:32 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 676AA40359; Tue, 6 Aug 2024 09:46:31 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id 1gTw8Y9YC5LL; Tue, 6 
From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Tue, 6 Aug 2024 11:44:48 +0200 Message-ID: <20240806094451.730622-7-dceara@redhat.com> In-Reply-To: <20240806094451.730622-1-dceara@redhat.com> References: <20240806094451.730622-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v6 6/9] features: Make querying of OpenFlow features more versatile. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Up until now we were interested only in two OpenFlow features, meters and groups. The current system of querying worked, however it wasn't very versatile, and it would be hard to query more features, make the system more extensible instead. Signed-off-by: Ales Musil --- V6: - Removed Dumitru's ack. V5: - Address Ilya's comment: - Rename OVS_DP_GROUP_SUPPORT to OVS_OF_GROUP_SUPPORT - Added Dumitru's ack --- include/ovn/features.h | 2 + lib/features.c | 269 +++++++++++++++++++++++++++++------------ 2 files changed, 196 insertions(+), 75 deletions(-) diff --git a/include/ovn/features.h b/include/ovn/features.h index d7bceb62c4..97669410af 100644 --- a/include/ovn/features.h +++ b/include/ovn/features.h @@ -38,6 +38,7 @@ enum ovs_feature_support_bits { OVS_DP_METER_SUPPORT_BIT, OVS_CT_TUPLE_FLUSH_BIT, OVS_DP_HASH_L4_SYM_BIT, + OVS_OF_GROUP_SUPPORT_BIT, }; enum ovs_feature_value { @@ -45,6 +46,7 @@ enum ovs_feature_value { OVS_DP_METER_SUPPORT = (1 << OVS_DP_METER_SUPPORT_BIT), OVS_CT_TUPLE_FLUSH_SUPPORT = (1 << OVS_CT_TUPLE_FLUSH_BIT), OVS_DP_HASH_L4_SYM_SUPPORT = (1 << OVS_DP_HASH_L4_SYM_BIT), + OVS_OF_GROUP_SUPPORT = (1 << OVS_OF_GROUP_SUPPORT_BIT), }; void ovs_feature_support_destroy(void); 
diff --git a/lib/features.c b/lib/features.c index 607e4bd313..d3591d6410 100644 --- a/lib/features.c +++ b/lib/features.c @@ -28,6 +28,7 @@ #include "openvswitch/ofp-msgs.h" #include "openvswitch/ofp-meter.h" #include "openvswitch/ofp-group.h" +#include "openvswitch/ofp-print.h" #include "openvswitch/ofp-util.h" #include "openvswitch/rconn.h" #include "ovn/features.h" @@ -47,6 +48,18 @@ struct ovs_feature { ovs_feature_parse_func *parse; }; +struct ovs_openflow_feature { + enum ovs_feature_value value; + const char *name; + bool queued; + ovs_be32 xid; + ovs_be32 barrier_xid; + void (*send_request)(struct ovs_openflow_feature *feature); + bool (*handle_response)(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh); + bool (*handle_barrier)(struct ovs_openflow_feature *feature); +}; + static bool bool_parser(const struct smap *ovs_capabilities, const char *cap_name) { 
@@ -83,24 +96,172 @@ static struct ovs_feature all_ovs_features[] = { /* A bitmap of OVS features that have been detected as 'supported'. */ static uint32_t supported_ovs_features; -/* Last set of received feature replies. */ -static struct ofputil_meter_features ovs_meter_features_reply; -static struct ofputil_group_features ovs_group_features_reply; /* Currently discovered set of features. */ static struct ofputil_meter_features ovs_meter_features; static struct ofputil_group_features ovs_group_features; -/* Number of features replies still expected to receive for the requests - * we sent already. */ -static uint32_t n_features_reply_expected; - -static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 5); +static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 10); /* ovs-vswitchd connection. */ static struct rconn *swconn; static uint32_t conn_seq_no; +static void +log_unexpected_reply(struct ovs_openflow_feature *feature, + const struct ofp_header *oh) +{ + if (VLOG_IS_WARN_ENABLED()) { + char *s = ofp_to_string(oh, ntohs(oh->length), NULL, NULL, 2); + VLOG_WARN_RL(&rl, "OVS Feature: %s, unexpected reply: %s", + feature->name, s); + free(s); + } +} + +static bool +default_barrier_response_handle(struct ovs_openflow_feature *feature) +{ + VLOG_WARN_RL(&rl, "OVS Feature: %s, didn't receive any reply", + feature->name); + return supported_ovs_features & feature->value; +} + +static void +meter_features_send_request(struct ovs_openflow_feature *feature) +{ + struct ofpbuf *msg = ofpraw_alloc(OFPRAW_OFPST13_METER_FEATURES_REQUEST, + rconn_get_version(swconn), 0); + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); +} + +static bool +meter_features_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_METER_FEATURES_STATS_REPLY) { + log_unexpected_reply(feature, oh); + return supported_ovs_features & feature->value; + } + + struct 
ofputil_meter_features features; + ofputil_decode_meter_features(oh, &features); + + if (memcmp(&ovs_meter_features, &features, sizeof features)) { + ovs_meter_features = features; + return ovs_meter_features.max_meters; + } + + return supported_ovs_features & feature->value; +} + +static void +group_features_send_request(struct ovs_openflow_feature *feature) +{ + struct ofpbuf *msg = + ofputil_encode_group_features_request(rconn_get_version(swconn)); + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); +} + +static bool +group_features_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_GROUP_FEATURES_STATS_REPLY) { + log_unexpected_reply(feature, oh); + return supported_ovs_features & feature->value; + } + + struct ofputil_group_features features; + ofputil_decode_group_features_reply(oh, &features); + + if (memcmp(&ovs_group_features, &features, sizeof features)) { + ovs_group_features = features; + return ovs_group_features.max_groups[OFPGT11_SELECT]; + } + + return supported_ovs_features & feature->value; +} + +static struct ovs_openflow_feature all_openflow_features[] = { + { + .value = OVS_DP_METER_SUPPORT, + .name = "meter_support", + .send_request = meter_features_send_request, + .handle_response = meter_features_handle_response, + .handle_barrier = default_barrier_response_handle, + }, + { + .value = OVS_OF_GROUP_SUPPORT, + .name = "group_support", + .send_request = group_features_send_request, + .handle_response = group_features_handle_response, + .handle_barrier = default_barrier_response_handle, + } +}; + +static bool +handle_feature_state_update(bool new_state, enum ovs_feature_value value, + const char *name) +{ + bool updated = false; + + bool old_state = supported_ovs_features & value; + if (new_state != old_state) { + updated = true; + if (new_state) { + supported_ovs_features |= value; + } else { + supported_ovs_features &= ~value; + 
} + VLOG_INFO_RL(&rl, "OVS Feature: %s, state: %s", name, + new_state ? "supported" : "not supported"); + } + + return updated; +} + +static bool +features_handle_rconn_msg(struct ofpbuf *msg) +{ + const struct ofp_header *oh = msg->data; + + enum ofptype type; + ofptype_decode(&type, oh); + + if (type == OFPTYPE_ECHO_REQUEST) { + rconn_send(swconn, ofputil_encode_echo_reply(oh), NULL); + return false; + } + + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + + bool new_state; + if (feature->queued && feature->xid == oh->xid) { + new_state = feature->handle_response(feature, type, oh); + } else if (feature->queued && feature->barrier_xid == oh->xid) { + new_state = feature->handle_barrier(feature); + } else { + continue; + } + + feature->queued = false; + return handle_feature_state_update(new_state, feature->value, + feature->name); + } + + if (VLOG_IS_DBG_ENABLED()) { + char *s = ofp_to_string(oh, ntohs(oh->length), NULL, NULL, 2); + VLOG_DBG_RL(&rl, "OpenFlow packet ignored: %s", s); + free(s); + } + + return false; +} + static bool ovs_feature_is_valid(enum ovs_feature_value feature) { @@ -109,6 +270,7 @@ ovs_feature_is_valid(enum ovs_feature_value feature) case OVS_DP_METER_SUPPORT: case OVS_CT_TUPLE_FLUSH_SUPPORT: case OVS_DP_HASH_L4_SYM_SUPPORT: + case OVS_OF_GROUP_SUPPORT: return true; default: return false; @@ -126,8 +288,6 @@ ovs_feature_is_supported(enum ovs_feature_value feature) static bool ovs_feature_get_openflow_cap(void) { - struct ofpbuf *msg; - rconn_run(swconn); if (!rconn_is_connected(swconn)) { rconn_run_wait(swconn); 
@@ -137,67 +297,33 @@ ovs_feature_get_openflow_cap(void) /* send new requests just after reconnect. */ if (conn_seq_no != rconn_get_connection_seqno(swconn)) { - n_features_reply_expected = 0; - - /* Dump OpenFlow switch meter capabilities. */ - msg = ofpraw_alloc(OFPRAW_OFPST13_METER_FEATURES_REQUEST, - rconn_get_version(swconn), 0); - rconn_send(swconn, msg, NULL); - n_features_reply_expected++; - /* Dump OpenFlow switch group capabilities. */ - msg = ofputil_encode_group_features_request(rconn_get_version(swconn)); - rconn_send(swconn, msg, NULL); - n_features_reply_expected++; + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + + feature->queued = true; + feature->send_request(feature); + + struct ofpbuf *msg = + ofputil_encode_barrier_request(rconn_get_version(swconn)); + feature->barrier_xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); + } } conn_seq_no = rconn_get_connection_seqno(swconn); bool ret = false; for (int i = 0; i < 50; i++) { - msg = rconn_recv(swconn); + struct ofpbuf *msg = rconn_recv(swconn); if (!msg) { break; } - const struct ofp_header *oh = msg->data; - enum ofptype type; - ofptype_decode(&type, oh); - - if (type == OFPTYPE_METER_FEATURES_STATS_REPLY) { - ofputil_decode_meter_features(oh, &ovs_meter_features_reply); - ovs_assert(n_features_reply_expected); - n_features_reply_expected--; - } else if (type == OFPTYPE_GROUP_FEATURES_STATS_REPLY) { - ofputil_decode_group_features_reply(oh, &ovs_group_features_reply); - ovs_assert(n_features_reply_expected); - n_features_reply_expected--; - } else if (type == OFPTYPE_ECHO_REQUEST) { - rconn_send(swconn, ofputil_encode_echo_reply(oh), NULL); - } + ret |= features_handle_rconn_msg(msg); ofpbuf_delete(msg); } rconn_run_wait(swconn); rconn_recv_wait(swconn); - /* If all feature replies were received, update the set of supported - * features. 
*/ - if (!n_features_reply_expected) { - if (memcmp(&ovs_meter_features, &ovs_meter_features_reply, - sizeof ovs_meter_features_reply)) { - ovs_meter_features = ovs_meter_features_reply; - if (ovs_meter_features.max_meters) { - supported_ovs_features |= OVS_DP_METER_SUPPORT; - } else { - supported_ovs_features &= ~OVS_DP_METER_SUPPORT; - } - ret = true; - } - if (memcmp(&ovs_group_features, &ovs_group_features_reply, - sizeof ovs_group_features_reply)) { - ovs_group_features = ovs_group_features_reply; - ret = true; - } - } - return ret; } @@ -214,7 +340,6 @@ ovs_feature_support_run(const struct smap *ovs_capabilities, const char *conn_target, int probe_interval) { static struct smap empty_caps = SMAP_INITIALIZER(&empty_caps); - bool updated = false; if (!ovs_capabilities) { ovs_capabilities = &empty_caps; @@ -225,24 +350,13 @@ ovs_feature_support_run(const struct smap *ovs_capabilities, } ovn_update_swconn_at(swconn, conn_target, probe_interval, "features"); - if (ovs_feature_get_openflow_cap()) { - updated = true; - } + bool updated = ovs_feature_get_openflow_cap(); for (size_t i = 0; i < ARRAY_SIZE(all_ovs_features); i++) { struct ovs_feature *feature = &all_ovs_features[i]; - bool old_state = supported_ovs_features & feature->value; - bool new_state = feature->parse(ovs_capabilities, feature->name); - if (new_state != old_state) { - updated = true; - if (new_state) { - supported_ovs_features |= feature->value; - } else { - supported_ovs_features &= ~feature->value; - } - VLOG_INFO_RL(&rl, "OVS Feature: %s, state: %s", feature->name, - new_state ? "supported" : "not supported"); - } + bool new_value = feature->parse(ovs_capabilities, feature->name); + updated |= handle_feature_state_update(new_value, feature->value, + feature->name); } return updated; } 
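Review bot: in features_handle_rconn_msg the return value of "ofptype_decode(&type, oh)" is discarded; on a malformed or unknown message "type" is left unset and is then compared against OFPTYPE_ECHO_REQUEST and handed to handle_response. The removed code had the same weakness, but since this patch restructures the whole receive path it is the right place to fix it: bail out with "return false;" (optionally logging at debug level) when ofptype_decode reports an error. Also, the rate limit change from VLOG_RATE_LIMIT_INIT(5, 5) to (5, 10) is unrelated to the refactoring and deserves a sentence in the commit message.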
@@ -252,8 +366,13 @@ ovs_feature_set_discovered(void) { /* The supported feature set has been discovered if we're connected * to OVS and it replied to all our feature request messages. */ - return swconn && rconn_is_connected(swconn) && - n_features_reply_expected == 0; + bool replied_to_all = false; + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + replied_to_all |= !feature->queued; + } + + return swconn && rconn_is_connected(swconn) && replied_to_all; } /* Returns the number of meters the OVS datapath supports. */ From patchwork Tue Aug 6 09:44:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969408 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Q7mEgmS4; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WdT3j0ZL5z1ydt for ; Tue, 6 Aug 2024 19:46:57 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 28B154046D; Tue, 6 Aug 2024 09:46:54 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost 
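Review bot: "replied_to_all |= !feature->queued;" in ovs_feature_set_discovered computes "replied to at least one", not "replied to all" as the variable name and the comment above it state: starting from false and OR-ing, the result becomes true as soon as a single feature has been answered. Initialise replied_to_all to true and use "replied_to_all &= !feature->queued;", or return false as soon as a queued feature is found. As written, this relaxes the previous behaviour, which required n_features_reply_expected == 0, and callers may start generating flows before the group or meter capabilities are known.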
From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Tue, 6 Aug 2024 11:44:49 +0200 Message-ID: <20240806094451.730622-8-dceara@redhat.com> In-Reply-To: <20240806094451.730622-1-dceara@redhat.com> References: <20240806094451.730622-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v6 7/9] features: Add detection for sample with registers. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Add detection for sample action that allows to configure obs_domain_id and obs_point_id via registers. This feature is available only from OvS version 3.4. Signed-off-by: Ales Musil --- V5: - Addressed Ilya's comments: - Fixed SB chassis reconciliation. - Rename OVS_DP_SAMPLE_REG_SUPPORT to OVS_SAMPLE_REG_SUPPORT --- controller/chassis.c | 15 +++++++ include/ovn/features.h | 3 ++ lib/features.c | 91 +++++++++++++++++++++++++++++++++++++++ northd/en-global-config.c | 10 +++++ northd/en-global-config.h | 1 + 5 files changed, 120 insertions(+) diff --git a/controller/chassis.c b/controller/chassis.c index 4942ba281d..42a2894dce 100644 --- a/controller/chassis.c +++ b/controller/chassis.c @@ -67,6 +67,8 @@ struct ovs_chassis_cfg { struct ds iface_types; /* Is this chassis an interconnection gateway. */ bool is_interconn; + /* Does OVS support sampling with ids taken from registers? */ + bool sample_with_regs; }; static void @@ -338,6 +340,8 @@ chassis_parse_ovs_config(const struct ovsrec_open_vswitch_table *ovs_table, &ovs_cfg->iface_types); ovs_cfg->is_interconn = get_is_interconn(&cfg->external_ids, chassis_id); + ovs_cfg->sample_with_regs = + ovs_feature_is_supported(OVS_SAMPLE_REG_SUPPORT); return true; } 
@@ -372,6 +376,8 @@ chassis_build_other_config(const struct ovs_chassis_cfg *ovs_cfg, smap_replace(config, OVN_FEATURE_LS_DPG_COLUMN, "true"); smap_replace(config, OVN_FEATURE_CT_COMMIT_NAT_V2, "true"); smap_replace(config, OVN_FEATURE_CT_COMMIT_TO_ZONE, "true"); + smap_replace(config, OVN_FEATURE_SAMPLE_WITH_REGISTERS, + ovs_cfg->sample_with_regs ? "true" : "false"); } /* @@ -523,6 +529,14 @@ chassis_other_config_changed(const struct ovs_chassis_cfg *ovs_cfg, return true; } + bool chassis_sample_with_regs = + smap_get_bool(&chassis_rec->other_config, + OVN_FEATURE_SAMPLE_WITH_REGISTERS, + false); + if (chassis_sample_with_regs != ovs_cfg->sample_with_regs) { + return true; + } + return false; } @@ -656,6 +670,7 @@ update_supported_sset(struct sset *supported) sset_add(supported, OVN_FEATURE_LS_DPG_COLUMN); sset_add(supported, OVN_FEATURE_CT_COMMIT_NAT_V2); sset_add(supported, OVN_FEATURE_CT_COMMIT_TO_ZONE); + sset_add(supported, OVN_FEATURE_SAMPLE_WITH_REGISTERS); } static void diff --git a/include/ovn/features.h b/include/ovn/features.h index 97669410af..4275f75269 100644 --- a/include/ovn/features.h +++ b/include/ovn/features.h @@ -29,6 +29,7 @@ #define OVN_FEATURE_LS_DPG_COLUMN "ls-dpg-column" #define OVN_FEATURE_CT_COMMIT_NAT_V2 "ct-commit-nat-v2" #define OVN_FEATURE_CT_COMMIT_TO_ZONE "ct-commit-to-zone" +#define OVN_FEATURE_SAMPLE_WITH_REGISTERS "ovn-sample-with-registers" /* OVS datapath supported features. Based on availability OVN might generate * different types of openflows. @@ -39,6 +40,7 @@ enum ovs_feature_support_bits { OVS_CT_TUPLE_FLUSH_BIT, OVS_DP_HASH_L4_SYM_BIT, OVS_OF_GROUP_SUPPORT_BIT, + OVS_SAMPLE_REG_SUPPORT_BIT, }; enum ovs_feature_value { 
@@ -47,6 +49,7 @@ enum ovs_feature_value { OVS_CT_TUPLE_FLUSH_SUPPORT = (1 << OVS_CT_TUPLE_FLUSH_BIT), OVS_DP_HASH_L4_SYM_SUPPORT = (1 << OVS_DP_HASH_L4_SYM_BIT), OVS_OF_GROUP_SUPPORT = (1 << OVS_OF_GROUP_SUPPORT_BIT), + OVS_SAMPLE_REG_SUPPORT = (1 << OVS_SAMPLE_REG_SUPPORT_BIT), }; void ovs_feature_support_destroy(void); diff --git a/lib/features.c b/lib/features.c index d3591d6410..ab0327d516 100644 --- a/lib/features.c +++ b/lib/features.c @@ -25,6 +25,8 @@ #include "openvswitch/vlog.h" #include "openvswitch/ofpbuf.h" #include "openvswitch/rconn.h" +#include "openvswitch/ofp-actions.h" +#include "openvswitch/ofp-bundle.h" #include "openvswitch/ofp-msgs.h" #include "openvswitch/ofp-meter.h" #include "openvswitch/ofp-group.h" 
@@ -185,6 +187,87 @@ group_features_handle_response(struct ovs_openflow_feature *feature, return supported_ovs_features & feature->value; } +static void +sample_with_reg_send_request(struct ovs_openflow_feature *feature) +{ + struct ofputil_bundle_ctrl_msg ctrl = { + .bundle_id = 0, + .flags = OFPBF_ORDERED | OFPBF_ATOMIC, + .type = OFPBCT_OPEN_REQUEST, + }; + rconn_send(swconn, + ofputil_encode_bundle_ctrl_request(OFP15_VERSION, &ctrl), NULL); + + uint8_t actions_stub[64]; + struct ofpbuf actions; + ofpbuf_use_stub(&actions, actions_stub, sizeof(actions_stub)); + + struct mf_subfield subfield = { + .field = mf_from_id(MFF_REG0), + .n_bits = 32, + .ofs = 0 + }; + + struct ofpact_sample *sample = ofpact_put_SAMPLE(&actions); + sample->probability = UINT16_MAX; + sample->collector_set_id = 0; + sample->obs_domain_src = subfield; + sample->obs_point_src = subfield; + sample->sampling_port = OFPP_NONE; + + struct ofputil_flow_mod fm = { + .priority = 0, + .table_id = 0, + .ofpacts = actions.data, + .ofpacts_len = actions.size, + .command = OFPFC_ADD, + .new_cookie = htonll(0), + .buffer_id = UINT32_MAX, + .out_port = OFPP_ANY, + .out_group = OFPG_ANY, + }; + + struct match match; + match_init_catchall(&match); + minimatch_init(&fm.match, &match); + + struct ofpbuf *fm_msg = ofputil_encode_flow_mod(&fm, OFPUTIL_P_OF15_OXM); + + struct ofputil_bundle_add_msg bam = { + .bundle_id = ctrl.bundle_id, + .flags = ctrl.flags, + .msg = fm_msg->data, + }; + struct ofpbuf *msg = ofputil_encode_bundle_add(OFP15_VERSION, &bam); + + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); + + ctrl.type = OFPBCT_DISCARD_REQUEST; + rconn_send(swconn, + ofputil_encode_bundle_ctrl_request(OFP15_VERSION, &ctrl), NULL); + + minimatch_destroy(&fm.match); + ofpbuf_delete(fm_msg); +} + +static bool +sample_with_reg_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_ERROR) { + 
log_unexpected_reply(feature, oh); + } + + return false; +} + +static bool +sample_with_reg_handle_barrier(struct ovs_openflow_feature *feature OVS_UNUSED) +{ + return true; +} + static struct ovs_openflow_feature all_openflow_features[] = { { .value = OVS_DP_METER_SUPPORT, @@ -199,6 +282,13 @@ static struct ovs_openflow_feature all_openflow_features[] = { .send_request = group_features_send_request, .handle_response = group_features_handle_response, .handle_barrier = default_barrier_response_handle, + }, + { + .value = OVS_SAMPLE_REG_SUPPORT, + .name = "sample_action_with_registers", + .send_request = sample_with_reg_send_request, + .handle_response = sample_with_reg_handle_response, + .handle_barrier = sample_with_reg_handle_barrier, } }; @@ -271,6 +361,7 @@ ovs_feature_is_valid(enum ovs_feature_value feature) case OVS_CT_TUPLE_FLUSH_SUPPORT: case OVS_DP_HASH_L4_SYM_SUPPORT: case OVS_OF_GROUP_SUPPORT: + case OVS_SAMPLE_REG_SUPPORT: return true; default: return false; diff --git a/northd/en-global-config.c b/northd/en-global-config.c index d7607aa074..0ce7f83083 100644 --- a/northd/en-global-config.c +++ b/northd/en-global-config.c @@ -381,6 +381,7 @@ northd_enable_all_features(struct ed_type_global_config *data) .ls_dpg_column = true, .ct_commit_nat_v2 = true, .ct_commit_to_zone = true, + .sample_with_reg = true, }; } @@ -442,6 +443,15 @@ build_chassis_features(const struct sbrec_chassis_table *sbrec_chassis_table, chassis_features->ct_commit_to_zone) { chassis_features->ct_commit_to_zone = false; } + + bool sample_with_reg = + smap_get_bool(&chassis->other_config, + OVN_FEATURE_SAMPLE_WITH_REGISTERS, + false); + if (!sample_with_reg && + chassis_features->sample_with_reg) { + chassis_features->sample_with_reg = false; + } } } diff --git a/northd/en-global-config.h b/northd/en-global-config.h index 8a1c35fc8f..0cf34482af 100644 --- a/northd/en-global-config.h +++ b/northd/en-global-config.h 
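Review bot: in the lib/features.c hunk, sample_with_reg_send_request() initialises `actions` with ofpbuf_use_stub() on a 64-byte stub but never calls ofpbuf_uninit(&actions); if struct ofpact_sample outgrows the stub, ofpact_put_SAMPLE() moves the buffer to the heap and that allocation leaks on every probe, so add `ofpbuf_uninit(&actions);` next to the existing `minimatch_destroy(&fm.match); ofpbuf_delete(fm_msg);` cleanup. In the same hunk, sample_with_reg_handle_response() reads any OFPTYPE_ERROR reply as "unsupported" without looking at the error code, so a bundle-level failure (the OFPBCT_OPEN_REQUEST being rejected, after which the bundle add fails too) is indistinguishable from OVS rejecting the sample action with register sources; decoding the reply with ofperr_decode_msg() and logging the ofperr would make a wrongly disabled feature diagnosable from the ovn-controller log. A comment above sample_with_reg_send_request() saying why the flow mod is wrapped in a bundle that is discarded straight away (the probe must never leave a priority-0 catch-all in table 0 on the bridge) would also help, since that intent is not obvious from the three rconn_send() calls.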
@@ -19,6 +19,7 @@ struct chassis_features { bool ls_dpg_column; bool ct_commit_nat_v2; bool ct_commit_to_zone; + bool sample_with_reg; }; struct global_config_tracked_data { From patchwork Tue Aug 6 09:44:50 2024 X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969407
From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Tue, 6 Aug 2024 11:44:50 +0200 Message-ID: <20240806094451.730622-9-dceara@redhat.com> In-Reply-To: <20240806094451.730622-1-dceara@redhat.com> References: <20240806094451.730622-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v6 8/9] actions: Add support for sample with register. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Allow sample to accept obs_point_id as register instead of integer literal value. Signed-off-by: Ales Musil --- V6: - Removed Dumitru's ack. V5: - Added Dumitru's ack --- include/ovn/actions.h | 16 +++++++++------- lib/actions.c | 12 ++++++++---- tests/ovn.at | 13 ++++++++++++- 3 files changed, 29 insertions(+), 12 deletions(-) diff --git a/include/ovn/actions.h b/include/ovn/actions.h index 88cf4de79f..c8dd66ed83 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h 
@@ -498,13 +498,15 @@ struct ovnact_lookup_fdb { /* OVNACT_SAMPLE */ struct ovnact_sample { struct ovnact ovnact; - uint16_t probability; /* probability over UINT16_MAX. */ - uint8_t obs_domain_id; /* most significant byte of the - observation domain id. The other 24 bits - will come from the datapath's tunnel key. */ - uint32_t collector_set_id; /* colector_set_id. */ - uint32_t obs_point_id; /* observation point id. */ - bool use_cookie; /* use cookie as obs_point_id */ + uint16_t probability; /* probability over UINT16_MAX. */ + uint8_t obs_domain_id; /* most significant byte of the + observation domain id. The other + 24 bits will come from the + datapath's tunnel key. */ + uint32_t collector_set_id; /* colector_set_id. */ + struct expr_field obs_point_id_src; /* observation point id source reg */ + uint32_t obs_point_id; /* observation point id */ + bool use_cookie; /* use cookie as obs_point_id */ }; /* OVNACT_COMMIT_ECMP_NH. */ diff --git a/lib/actions.c b/lib/actions.c index 37676ef81b..586c64af36 100644 --- a/lib/actions.c +++ b/lib/actions.c @@ -4523,10 +4523,13 @@ format_SAMPLE(const struct ovnact_sample *sample, struct ds *s) ds_put_format(s, ",collector_set=%"PRIu32, sample->collector_set_id); ds_put_format(s, ",obs_domain=%"PRIu8, sample->obs_domain_id); + ds_put_cstr(s, ",obs_point="); if (sample->use_cookie) { - ds_put_cstr(s, ",obs_point=$cookie"); + ds_put_cstr(s, "$cookie"); + } else if (sample->obs_point_id_src.symbol) { + expr_field_format(&sample->obs_point_id_src, s); } else { - ds_put_format(s, ",obs_point=%"PRIu32, sample->obs_point_id); + ds_put_format(s, "%"PRIu32, sample->obs_point_id); } ds_put_format(s, ");"); } @@ -4551,6 +4554,8 @@ encode_SAMPLE(const struct ovnact_sample *sample, if (sample->use_cookie) { os->obs_point_imm = ep->lflow_uuid.parts[0]; + } else if (sample->obs_point_id_src.symbol) { + os->obs_point_src = expr_resolve_field(&sample->obs_point_id_src); } else { os->obs_point_imm = sample->obs_point_id; } 
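Review bot: the include/ovn/actions.h hunk re-indents the whole struct ovnact_sample comment block and re-emits the pre-existing "colector_set_id" misspelling; since the line is touched anyway, make it "collector_set_id". The comment on the new obs_point_id_src member should also state how the three sources are disambiguated (use_cookie wins, then obs_point_id_src.symbol != NULL, else the obs_point_id literal), because that precedence is currently only visible from the if/else chains in format_SAMPLE() and encode_SAMPLE() in lib/actions.c.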
@@ -4584,8 +4589,7 @@ parse_sample_arg(struct action_context *ctx, struct ovnact_sample *sample) sample->obs_point_id = ntohll(ctx->lexer->token.value.integer); lexer_get(ctx->lexer); } else { - lexer_syntax_error(ctx->lexer, - "malformed sample observation_point_id"); + action_parse_field(ctx, 32, false, &sample->obs_point_id_src); } } else if (lexer_match_id(ctx->lexer, "obs_domain")) { if (!lexer_force_match(ctx->lexer, LEX_T_EQUALS)) { diff --git a/tests/ovn.at b/tests/ovn.at index 0f401ab96a..f1fc29503f 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -2333,11 +2333,19 @@ sample(probability=10); sample(probability=100,collector_set=999,obs_domain=0,obs_point=1000); encodes as drop +sample(probability=10, obs_point=reg3); + formats as sample(probability=10,collector_set=0,obs_domain=0,obs_point=reg3); + encodes as sample(probability=10,collector_set_id=0,obs_domain_id=11259375,obs_point_id=NXM_NX_XXREG0[[0..31]]) + +sample(probability=10, obs_point=ct_label.obs_point_id); + formats as sample(probability=10,collector_set=0,obs_domain=0,obs_point=ct_label.obs_point_id); + encodes as sample(probability=10,collector_set_id=0,obs_domain_id=11259375,obs_point_id=NXM_NX_CT_LABEL[[96..127]]) + sample(probability=0,collector_set=200,obs_domain=0,obs_point=1000); probability must be greater than zero sample(probability=0,collector_set=200,obs_domain=0,obs_point=foo); - Syntax error at `foo' malformed sample observation_point_id. + Syntax error at `foo' expecting field name. sample(probability=0,collector_set=200,obs_domain=300,obs_point=foo); Syntax error at `300' obs_domain must be 8-bit long. 
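Review bot: in the parse_sample_arg() hunk the bool returned by action_parse_field(ctx, 32, false, &sample->obs_point_id_src) is discarded. Failure is still reported through the lexer error, which is what the new ovn.at cases "Syntax error at `foo' expecting field name." and "Cannot use 128-bit field ct_label[[0..127]] where 32-bit field is required." exercise, so behaviour is correct, but an explicit `if (!action_parse_field(...)) { return; }` makes the intent clear and stops the argument loop from consuming further tokens after an error.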
@@ -2345,6 +2353,9 @@ sample(probability=0,collector_set=200,obs_domain=300,obs_point=foo); sample(probability=10,foo=bar,obs_domain=0,obs_point=1000); Syntax error at `foo' unknown argument. +sample(probability=10, obs_point=ct_label); + Cannot use 128-bit field ct_label[[0..127]] where 32-bit field is required. + # mac_cache_use mac_cache_use; encodes as resubmit(,OFTABLE_MAC_CACHE_USE) From patchwork Tue Aug 6 09:44:51 2024 X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969409
From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Tue, 6 Aug 2024 11:44:51 +0200 Message-ID: <20240806094451.730622-10-dceara@redhat.com> In-Reply-To: <20240806094451.730622-1-dceara@redhat.com> References: <20240806094451.730622-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v6 9/9] northd: Allow flow simplification for ACL sampling. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Currently, OVN would generate up to 2 flows per sample, depending on the configuration. Add optimization that can reduce the number of flows added into the ACL pipeline down to 3 per collector. This optimization can be achieved only when the sample action with registers is supported in OvS and the sample has only single collector. The single collector per sample should be the case in most configurations, usually even the same collector for all samples which greatly reduces the number of flows per ACL with sampling. If there are more collectors per sample or the OvS feature is not supported, the implementation will fall back to flows per sample. Reported-at: https://issues.redhat.com/browse/FDP-709 
Signed-off-by: Ales Musil --- V6: - Rebased. - Removed Dumitru's ack. - Store (newly created) Sample_Collector.id in ct state - instead of the actual set-id to avoid ambiguity when multiple probabilities are used with the same collector set id. - Fixed bug with stateful to-lport ACLs on router ports. - Reduced number of ct mark bits used for storing the collector id to 4. V5: - Address Ilya's comments: - Explicitly set acl_observation_stage enum values. - Added Dumitru's ack --- include/ovn/logical-fields.h | 2 + lib/logical-fields.c | 8 + northd/northd.c | 273 ++++++++++++++++++------ tests/ovn-northd.at | 388 +++++++++++++++++++++++++++++------ tests/ovn.at | 2 + tests/system-ovn.at | 10 +- 6 files changed, 553 insertions(+), 130 deletions(-) diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index ce79b501cf..d6c4a9b6b3 100644 --- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -197,6 +197,8 @@ const struct ovn_field *ovn_field_from_name(const char *name); #define OVN_CT_NATTED_BIT 1 #define OVN_CT_LB_SKIP_SNAT_BIT 2 #define OVN_CT_LB_FORCE_SNAT_BIT 3 +#define OVN_CT_OBS_STAGE_1ST_BIT 4 +#define OVN_CT_OBS_STAGE_END_BIT 5 #define OVN_CT_BLOCKED 1 #define OVN_CT_NATTED 2 diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 0c187e1c84..00bbc4a1c4 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -165,6 +165,14 @@ ovn_init_symtab(struct shash *symtab) OVN_CT_STR(OVN_CT_LB_FORCE_SNAT_BIT) "]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_stage", NULL, + "ct_mark[" + OVN_CT_STR(OVN_CT_OBS_STAGE_1ST_BIT) ".." + OVN_CT_STR(OVN_CT_OBS_STAGE_END_BIT) + "]", + WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_collector_id", NULL, + "ct_mark[16..19]", WR_CT_COMMIT); expr_symtab_add_field_scoped(symtab, "ct_label", MFF_CT_LABEL, NULL, false, WR_CT_COMMIT); diff --git a/northd/northd.c b/northd/northd.c index 13f9faba31..b1201bcc86 100644 --- a/northd/northd.c 
+++ b/northd/northd.c @@ -144,8 +144,20 @@ static bool vxlan_mode; #define REGBIT_ACL_VERDICT_ALLOW "reg8[16]" #define REGBIT_ACL_VERDICT_DROP "reg8[17]" #define REGBIT_ACL_VERDICT_REJECT "reg8[18]" +#define REGBIT_ACL_OBS_STAGE "reg8[19..20]" #define REG_ACL_TIER "reg8[30..31]" +enum acl_observation_stage { + ACL_OBS_FROM_LPORT = 0, + ACL_OBS_FROM_LPORT_AFTER_LB = 1, + ACL_OBS_TO_LPORT = 2, + ACL_OBS_STAGE_MAX +}; + +/* enum acl_observation_stage_t values must fit in the 2 bits of + * REGBIT_ACL_OBS_STAGE .*/ +BUILD_ASSERT_DECL(ACL_OBS_STAGE_MAX < (1 << 2)); + /* Indicate that this packet has been recirculated using egress * loopback. This allows certain checks to be bypassed, such as a * logical router dropping packets with source IP address equals @@ -189,6 +201,8 @@ static bool vxlan_mode; * domain and point ID. */ #define REG_OBS_POINT_ID_NEW "reg3" #define REG_OBS_POINT_ID_EST "reg9" +#define REG_OBS_COLLECTOR_ID_NEW "reg8[0..3]" +#define REG_OBS_COLLECTOR_ID_EST "reg8[4..7]" /* Register used for temporarily store ECMP eth.src to avoid masked ct_label * access. It doesn't really occupy registers because the content of the 
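Review bot: in the northd.c @@ -144 hunk the BUILD_ASSERT_DECL(ACL_OBS_STAGE_MAX < (1 << 2)) only guards REGBIT_ACL_OBS_STAGE "reg8[19..20]"; the same stage value is also committed into ct_mark.obs_stage, whose width comes from OVN_CT_OBS_STAGE_1ST_BIT/OVN_CT_OBS_STAGE_END_BIT in logical-fields.h, and nothing ties the two widths together. A second assert against (OVN_CT_OBS_STAGE_END_BIT - OVN_CT_OBS_STAGE_1ST_BIT + 1) would catch the register and ct_mark encodings drifting apart. Two nits in the same hunk: the comment names `enum acl_observation_stage_t` while the type is declared as `enum acl_observation_stage`, and `.*/` has a stray space.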
@@ -228,12 +242,13 @@ static bool vxlan_mode; * +----+----------------------------------------------+ G | | * | R7 | UNUSED | 1 | | * +----+----------------------------------------------+---+-----------------------------------+ - * | | LB_AFF_MATCH_PORT | - * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | - * +----+----------------------------------------------+ - * | R9 | OBS_POINT_ID_EST | - * | | (>= ACL_EVAL* && <= ACL_ACTION*) | - * +----+----------------------------------------------+ + * | R8 | LB_AFF_MATCH_PORT | X | REG_OBS_COLLECTOR_ID_NEW | + * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | R | REG_OBS_COLLECTOR_ID_EST | + * | | | E | (>= ACL_EVAL* && <= ACL_ACTION*) | + * +----+----------------------------------------------+ G +-----------------------------------+ + * | R9 | OBS_POINT_ID_EST | 4 | | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | | | + * +----+----------------------------------------------+---+-----------------------------------+ * * Logical Router pipeline: * +-----+---------------------------+---+-----------------+---+------------------------------------+ @@ -6532,7 +6547,8 @@ build_acl_sample_action(struct ds *actions, const struct nbrec_acl *acl, static void build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, const struct nbrec_sample *sample_new, - const struct nbrec_sample *sample_est) + const struct nbrec_sample *sample_est, + enum acl_observation_stage obs_stage) { if (!acl->label && !sample_new && !sample_est) { return; @@ -6540,6 +6556,8 @@ build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, uint32_t point_id_new = 0; uint32_t point_id_est = 0; + uint8_t collector_id_new = 0; + uint8_t collector_id_est = 0; if (acl->label) { point_id_new = acl->label; 
@@ -6547,16 +6565,27 @@ build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, } else { if (sample_new) { point_id_new = sample_new->metadata; + if (sample_new->n_collectors == 1) { + collector_id_new = sample_new->collectors[0]->id; + } } if (sample_est) { point_id_est = sample_est->metadata; + if (sample_est->n_collectors == 1) { + collector_id_est = sample_est->collectors[0]->id; + } } } ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " REG_OBS_POINT_ID_NEW " = %"PRIu32"; " - REG_OBS_POINT_ID_EST " = %"PRIu32"; ", - point_id_new, point_id_est); + REG_OBS_POINT_ID_EST " = %"PRIu32"; " + REG_OBS_COLLECTOR_ID_NEW " = %"PRIu8"; " + REG_OBS_COLLECTOR_ID_EST " = %"PRIu8"; " + REGBIT_ACL_OBS_STAGE " = %"PRIu8"; ", + point_id_new, point_id_est, + collector_id_new, collector_id_est, + (uint8_t) obs_stage); } /* This builds an ACL logical flow specific match that selects traffic 
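Review bot: in the build_acl_sample_label_action() hunk, sample_new->collectors[0]->id and sample_est->collectors[0]->id are narrowed to uint8_t and then written into REG_OBS_COLLECTOR_ID_NEW "reg8[0..3]" and REG_OBS_COLLECTOR_ID_EST "reg8[4..7]", and from there into ct_mark.obs_collector_id "ct_mark[16..19]"; nothing in the hunk checks that the id fits in 4 bits, so a Sample_Collector.id of 16 or more cannot be represented and two collectors whose ids differ by 16 would be matched by the same generic flows. Add a range check with a warning in northd (or reject such collectors when building the flows) and document the limit wherever Sample_Collector.id is described.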
@@ -6604,46 +6633,16 @@ build_acl_sample_label_match(struct ds *match, const struct nbrec_acl *acl, } /* This builds a logical flow that samples and forwards/drops traffic - * that hit a stateless ACL ("pass" or "allow-stateless") that has sampling - * enabled. + * that hit a stateless/stateful ACL that has sampling enabled. */ static void -build_acl_sample_new_stateless_flows(const struct ovn_datapath *od, - struct lflow_table *lflows, - enum ovn_stage stage, - struct ds *match, struct ds *actions, - const struct nbrec_acl *acl, - uint8_t sample_domain_id, - struct lflow_ref *lflow_ref) -{ - if (!acl->sample_new) { - return; - } - - ds_clear(actions); - ds_clear(match); - - ds_put_cstr(match, "ip && "); - build_acl_sample_register_match(match, acl, acl->sample_new); - - build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); - - ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), - ds_cstr(actions), lflow_ref); -} - -/* This builds a logical flow that samples and forwards/drops traffic - * that created a new conntrack entry and hit a stateful ACL that has sampling - * enabled. - */ -static void -build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, - struct lflow_table *lflows, - enum ovn_stage stage, - struct ds *match, struct ds *actions, - const struct nbrec_acl *acl, - uint8_t sample_domain_id, - struct lflow_ref *lflow_ref) +build_acl_sample_new_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, bool stateful, + struct lflow_ref *lflow_ref) { if (!acl->sample_new) { return; 
@@ -6652,12 +6651,16 @@ build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, ds_clear(actions); ds_clear(match); - /* Match on new connections. However, for to-lport ACLs, due to + /* Match on new connections. However, for stateful to-lport ACLs, due to * skip_port_from_conntrack() conntrack state might be cleared, so * take that into account too. */ - ds_put_format(match, "ip && %s && ", - stage != S_SWITCH_OUT_ACL_SAMPLE - ? "ct.new" : "(ct.new || !ct.trk)"); + if (!stateful) { + ds_put_format(match, "ip && "); + } else if (stage != S_SWITCH_OUT_ACL_SAMPLE) { + ds_put_format(match, "ip && ct.new && "); + } else { + ds_put_format(match, "ip && (ct.new || !ct.trk) && "); + } build_acl_sample_register_match(match, acl, acl->sample_new); build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); 
@@ -6758,6 +6761,112 @@ build_acl_sample_est_stateful_flows(const struct ovn_datapath *od, static void build_acl_reject_action(struct ds *actions, bool is_ingress); +/* This builds a generic logical flow that samples traffic + * that hit a stateless/stateful ACL that has sampling enabled with + * single collector and all chassis supporting the sample with match action. + */ +static void +build_acl_sample_generic_new_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + enum acl_observation_stage obs_stage, + struct ds *match, struct ds *actions, + const struct nbrec_sample_collector *coll, + uint8_t sample_domain_id, bool stateful, + struct lflow_ref *lflow_ref) +{ + ds_clear(match); + ds_clear(actions); + + /* Match on new connections. However, for stateful to-lport ACLs, due to + * skip_port_from_conntrack() conntrack state might be cleared, so + * take that into account too. */ + const char *new_conn_match = ""; + if (stateful) { + if (stage != S_SWITCH_OUT_ACL_SAMPLE) { + new_conn_match = "&& ct.new "; + } else { + new_conn_match = "&& (ct.new || !ct.trk) "; + } + } + + ds_put_format(match, "ip %s&& "REG_OBS_COLLECTOR_ID_NEW" == %"PRIu8" && " + REGBIT_ACL_OBS_STAGE " == %"PRIu8, new_conn_match, + (uint8_t) coll->id, + (uint8_t) obs_stage); + + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point="REG_OBS_POINT_ID_NEW");" + " next;", + (uint16_t) coll->probability, + (uint8_t) coll->set_id, + sample_domain_id); + + ovn_lflow_add(lflows, od, stage, stateful ? 1000 : 900, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a generic logical flow that samples established traffic + * that hit a stateful ACL that has sampling enabled with + * single collector and all chassis supporting the sample with match action. 
+ */ +static void +build_acl_sample_generic_est_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + enum acl_observation_stage obs_stage, + struct ds *match, struct ds *actions, + const struct nbrec_sample_collector *coll, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(match); + ds_clear(actions); + + ds_put_cstr(match, "ip && ct.trk && (ct.est || ct.rel) && " + "ct_label.obs_unused == 0 && "); + + size_t match_len = match->length; + ds_put_format(match, "!ct.rpl && ct_mark.obs_collector_id == %"PRIu8" && " + "ct_mark.obs_stage == %"PRIu8, + (uint8_t) coll->id, + (uint8_t) obs_stage); + + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point=ct_label.obs_point_id);" + " next;", + (uint16_t) coll->probability, + (uint8_t) coll->set_id, + sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1000, ds_cstr(match), + ds_cstr(actions), lflow_ref); + + enum ovn_stage rpl_stage = (stage == S_SWITCH_OUT_ACL_SAMPLE + ? S_SWITCH_IN_ACL_SAMPLE + : S_SWITCH_OUT_ACL_SAMPLE); + + ds_truncate(match, match_len); + ds_put_format(match, "ct.rpl && ct_mark.obs_collector_id == %"PRIu8, + (uint8_t) coll->id); + + ovn_lflow_add(lflows, od, rpl_stage, 1000, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* Check if the smaple has only single collector and the sample action + * with registers is supported. */ +static bool +acl_use_generic_sample_flows(const struct nbrec_sample *sample, + const struct chassis_features *features) +{ + return sample && sample->n_collectors == 1 && features->sample_with_reg; +} + /* This builds all ACL sampling related logical flows: * - for packets creating new connections * - for packets that are part of an existing connection 
@@ -6769,6 +6878,7 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, const struct nbrec_acl *acl, struct ds *match, struct ds *actions, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_ref *lflow_ref) { bool should_sample_established = @@ -6792,13 +6902,17 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, bool ingress = !strcmp(acl->direction, "from-lport") ? true : false; enum ovn_stage stage; + enum acl_observation_stage obs_stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { stage = S_SWITCH_IN_ACL_AFTER_LB_SAMPLE; + obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB; } else if (ingress) { stage = S_SWITCH_IN_ACL_SAMPLE; + obs_stage = ACL_OBS_FROM_LPORT; } else { stage = S_SWITCH_OUT_ACL_SAMPLE; + obs_stage = ACL_OBS_TO_LPORT; } uint8_t sample_new_domain_id = sampling_app_get_id(sampling_apps, 
@@ -6806,14 +6920,28 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, uint8_t sample_est_domain_id = sampling_app_get_id(sampling_apps, SAMPLING_APP_ACL_EST); + if (acl_use_generic_sample_flows(acl->sample_new, features)) { + build_acl_sample_generic_new_flows(od, lflows, stage, obs_stage, + match, actions, + acl->sample_new->collectors[0], + sample_new_domain_id, + stateful_match, lflow_ref); + } else { + build_acl_sample_new_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, stateful_match, + lflow_ref); + } + if (!stateful_match) { - build_acl_sample_new_stateless_flows(od, lflows, stage, match, actions, - acl, sample_new_domain_id, - lflow_ref); + return; + } + + if (acl_use_generic_sample_flows(acl->sample_est, features)) { + build_acl_sample_generic_est_flows(od, lflows, stage, obs_stage, + match, actions, + acl->sample_est->collectors[0], + sample_est_domain_id, lflow_ref); } else { - build_acl_sample_new_stateful_flows(od, lflows, stage, match, actions, - acl, sample_new_domain_id, - lflow_ref); build_acl_sample_est_stateful_flows(od, lflows, stage, match, actions, acl, sample_est_domain_id, lflow_ref); @@ -6845,13 +6973,17 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, { bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; enum ovn_stage stage; + enum acl_observation_stage obs_stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { stage = S_SWITCH_IN_ACL_AFTER_LB_EVAL; + obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB; } else if (ingress) { stage = S_SWITCH_IN_ACL_EVAL; + obs_stage = ACL_OBS_FROM_LPORT; } else { stage = S_SWITCH_OUT_ACL_EVAL; + obs_stage = ACL_OBS_TO_LPORT; } const char *verdict; 
@@ -6885,7 +7017,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, || !strcmp(acl->action, "allow-stateless")) { /* For stateless ACLs just sample "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); @@ -6924,7 +7057,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, - acl->sample_est); + acl->sample_est, obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6948,7 +7081,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, - acl->sample_est); + acl->sample_est, obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6968,7 +7101,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); /* For drop ACLs just sample all packets as "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), 
@@ -6991,7 +7125,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); /* For drop ACLs just sample all packets as "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -7237,6 +7372,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, const struct ls_port_group_table *ls_port_groups, const struct shash *meter_groups, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_ref *lflow_ref) { const char *default_acl_action = default_acl_drop @@ -7429,7 +7565,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, - &match, &actions, sampling_apps, lflow_ref); + &match, &actions, sampling_apps, + features, lflow_ref); } const struct ls_port_group *ls_pg = @@ -7448,7 +7585,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, &match, &actions, lflow_ref); build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, &match, &actions, sampling_apps, - lflow_ref); + features, lflow_ref); } } } @@ -8111,6 +8248,8 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, ds_put_cstr(&actions, "ct_commit { " "ct_mark.blocked = 0; " + "ct_mark.obs_stage = " REGBIT_ACL_OBS_STAGE "; " + "ct_mark.obs_collector_id = " REG_OBS_COLLECTOR_ID_EST "; " "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; " "}; next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, 
@@ -16161,6 +16300,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, const struct ls_port_group_table *ls_pgs, const struct shash *meter_groups, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_table *lflows) { build_ls_stateful_rec_pre_acls(ls_stateful_rec, od, ls_pgs, lflows, @@ -16170,7 +16310,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, build_acl_hints(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); build_acls(ls_stateful_rec, od, lflows, ls_pgs, meter_groups, - sampling_apps, ls_stateful_rec->lflow_ref); + sampling_apps, features, ls_stateful_rec->lflow_ref); build_lb_hairpin(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); } @@ -16487,6 +16627,7 @@ build_lflows_thread(void *arg) lsi->ls_port_groups, lsi->meter_groups, lsi->sampling_apps, + lsi->features, lsi->lflows); } } @@ -16710,6 +16851,7 @@ build_lswitch_and_lrouter_flows( build_ls_stateful_flows(ls_stateful_rec, od, lsi.ls_port_groups, lsi.meter_groups, lsi.sampling_apps, + lsi.features, lsi.lflows); } stopwatch_stop(LFLOWS_LS_STATEFUL_STOPWATCH_NAME, time_msec()); @@ -17225,6 +17367,7 @@ lflow_handle_ls_stateful_changes(struct ovsdb_idl_txn *ovnsb_txn, lflow_input->ls_port_groups, lflow_input->meter_groups, lflow_input->sampling_apps, + lflow_input->features, lflows); /* Sync the new flows to SB. */ diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 6cc372b8a4..afad71685d 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -4609,7 +4609,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4633,7 +4633,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) } 
@@ -4676,7 +4676,7 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4697,7 +4697,7 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) # LB with event=false and reject=false 
@@ -4726,23 +4726,23 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 
1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) # Add new ACL without label 
@@ -4753,27 +4753,27 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), 
priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) # Delete new ACL with label 
@@ -4790,7 +4790,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl @@ -4800,7 +4800,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP ]) 
@@ -4828,7 +4828,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([from-lport --apply-after-lb allow-related ACL]) @@ -4836,7 +4836,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([to-lport allow-related ACL]) @@ -4844,7 +4844,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; ]) AT_CLEANUP 
@@ -7680,7 +7680,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) @@ -7735,7 +7735,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) 
@@ -7790,7 +7790,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP 
@@ -12608,8 +12608,8 @@ ovn-nbctl --wait=sb \ --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) 
@@ -12620,7 +12620,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); 
@@ -12640,8 +12640,8 @@ ovn-nbctl --wait=sb \ --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) 
@@ -12650,7 +12650,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); 
@@ -12670,8 +12670,8 @@ ovn-nbctl --wait=sb \ --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) 
@@ -12682,7 +12682,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); 
@@ -12702,8 +12702,8 @@ ovn-nbctl --wait=sb \ --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) 
@@ -12712,7 +12712,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); 
@@ -12734,8 +12734,8 @@ ovn-nbctl --wait=sb \ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12744,7 +12744,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); 
@@ -12766,8 +12766,8 @@ ovn-nbctl --wait=sb \ --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 0; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) ]) @@ -12775,7 +12775,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); 
@@ -12792,6 +12792,276 @@ AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL Sampling - Generic sample]) +AT_KEYWORDS([acl]) + +ovn_start + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +check_row_count nb:Sample_Collector 1 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 00:00:00:00:00:01 \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 00:00:00:00:00:02 +check ovn-nbctl --wait=sb sync + +base_flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.2" +m4_define([TRACE_FILTER], [grep -e sample -e commit -e reg9 -e 'reg8\[[0..3\]]' -e 'reg8\[[4..7\]]' | grep -v _sample | sort]) + +AS_BOX([ACL sampling without register support]) +check ovn-sbctl chassis-add gw1 geneve 127.0.0.1 \ + -- set chassis gw1 other_config:ovn-sample-with-registers="false" + +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; + reg8[[0..3]] = 1; + reg8[[4..7]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. 
+flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..3]] = 1; + reg8[[4..7]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); +]) + +check ovn-sbctl set chassis gw1 other_config:ovn-sample-with-registers="true" + +AS_BOX([from-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..3]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && 
(ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; + reg8[[0..3]] = 1; + reg8[[4..7]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..3]] = 1; + reg8[[4..7]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([from-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..3]] == 1 && 
reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; + reg8[[0..3]] = 1; + reg8[[4..7]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..3]] = 1; + reg8[[4..7]] = 0; + reg9 = 0; +]) + +AS_BOX([from-lport-after-lb ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \ + --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , 
match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..3]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; + reg8[[0..3]] = 1; + reg8[[4..7]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. 
+flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..3]] = 1; + reg8[[4..7]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([from-lport-after-lb ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..3]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. 
+flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; + reg8[[0..3]] = 1; + reg8[[4..7]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..3]] = 1; + reg8[[4..7]] = 0; + reg9 = 0; +]) + +AS_BOX([to-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..3]] = 1; reg8[[4..7]] = 1; reg8[[19..20]] = 2; 
next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new || !ct.trk) && reg8[[0..3]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg8[[0..3]] = 1; + reg8[[4..7]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. 
+flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..3]] = 1; + reg8[[4..7]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([to-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..3]] = 1; reg8[[4..7]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new || !ct.trk) && reg8[[0..3]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) +]) + +dnl Trace new connections. 
+flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[4..7]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg8[[0..3]] = 1; + reg8[[4..7]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..3]] = 1; + reg8[[4..7]] = 0; + reg9 = 0; +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([ACL Sampling - same collector set id, multiple probabilities]) AT_KEYWORDS([acl]) 
@@ -12831,24 +13101,22 @@ check_row_count nb:Sample 6 check ovn-nbctl --wait=sb sync AT_CHECK([ovn-sbctl lflow-list | grep probability | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4303), dnl -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4303); next;) - table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304); next;) - table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), dnl -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4301); next;) - table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302); next;) - table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306); next;) - table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4305), dnl -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4305); next;) - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306); next;) - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl 
-action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302); next;) - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..3]] == 1 && reg8[[19..20]] == 1), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 1), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..3]] == 1 && reg8[[19..20]] == 0), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 2), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new || !ct.trk) && reg8[[0..3]] == 1 && reg8[[19..20]] == 2), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl 
&& ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 2), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 2), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) ]) AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index f1fc29503f..602f68161e 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -336,6 +336,8 @@ ct_mark.blocked = ct_mark[0] ct_mark.ecmp_reply_port = ct_mark[16..31] ct_mark.force_snat = ct_mark[3] ct_mark.natted = ct_mark[1] +ct_mark.obs_collector_id = ct_mark[16..19] +ct_mark.obs_stage = ct_mark[4..5] ct_mark.skip_snat = ct_mark[2] ct_state = NXM_NX_CT_STATE ]]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index ef9652f02a..853004f93a 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -7724,7 +7724,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,mark=32,labels=0x4d3000000000000000000000000 icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone= ]) 
@@ -7851,7 +7851,7 @@ NS_CHECK_EXEC([sw0-p1], [ping -q -c 10 -i 0.3 -w 15 10.0.0.4 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.4) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d2[[0-9a-f]]*/labels=0x4d2000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d2000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d2000000000000000000000000 icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone= ]) @@ -7866,7 +7866,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,mark=32,labels=0x4d3000000000000000000000000 icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone= ]) 
@@ -8081,7 +8081,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.3) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d2[[0-9a-f]]*/labels=0x4d2000000000000000000000000/' | sort], [0], [dnl icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone= -icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d2000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d2000000000000000000000000 ]) # Add a higher priority ACL with different label. @@ -8097,7 +8097,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.3) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/' | sort], [0], [dnl icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone= -icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d3000000000000000000000000 ]) OVS_APP_EXIT_AND_WAIT([ovn-controller])
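Review bot: In the reworked expectations for the pre-existing sampling tests (the @@ -12670, -12702, -12734 and -12766 hunks in tests/ovn-northd.at) the eval action now carries `reg8[[0..3]] = 0; reg8[[4..7]] = 0;` in front of the stage load, while the sample stage in those same tests still uses the legacy matches (`reg3 == 4301`, `ct_label.obs_point_id == 4302`). Are the two zero loads needed on the legacy path, or could northd emit only `reg8[[19..20]] = N` there and keep the old action as short as it was? If they are deliberate, for example because an earlier stage can leave stale bits in reg8, a comment next to the code that generates them (and a sentence in the commit message) would save the next reader the same question.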
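Review bot: `m4_define([TRACE_FILTER], ...)` inside the new "ACL Sampling - Generic sample" test redefines a macro that the preceding sampling tests also pipe into (see `| TRACE_FILTER` in the -12682, -12712, -12744 and -12775 hunks), and this definition keeps more lines (`reg8\[[0..3\]]`, `reg8\[[4..7\]]`). m4 definitions stay in effect for the rest of the file, so any later test that relies on the earlier filter silently picks up this one. Scope it with `m4_pushdef`/`m4_popdef` inside the AT_SETUP, or give it a distinct name such as SAMPLE_TRACE_FILTER. Also, `dnl Trace estasblished connections.` appears four times in this hunk; it should read "established".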
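Review bot: The new test only exercises one chassis: gw1 is created with `other_config:ovn-sample-with-registers="false"`, the legacy `reg3 == 4301` flows are asserted, then the option is flipped to "true" and the `reg8[[0..3]] == 1 && reg8[[19..20]] == 0` flows are asserted. The case an upgrade actually hits, a mix of chassis where only some advertise register support, is not covered. Please add an AS_BOX that adds a second chassis (for example `ovn-sbctl chassis-add gw2 geneve 127.0.0.2` without the option, or with it set to "false") while gw1 has it set to "true", and assert which form northd generates, so the fallback decision is pinned down by a test rather than by reading the code.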
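Review bot: In the @@ -12831 hunk the reply-direction flows lost their per-ACL selectivity. Both `table=??(ls_in_acl_sample ), priority=1000 , match=(... ct.rpl && ct_mark.obs_collector_id == 2)` and `table=??(ls_out_acl_sample ), priority=1000 , match=(... ct.rpl && ct_mark.obs_collector_id == 2)` match on the collector id only, with no `ct_mark.obs_stage` check, whereas the `!ct.rpl` flows in the same hunk do check `ct_mark.obs_stage == 0/1/2`. Before this change the ls_in reply flow matched only `obs_point_id == 4306` (the to-lport ACL) and the ls_out reply flows only 4302 and 4304 (the from-lport ACLs), so a reply packet was sampled exactly once. With the new flows, a reply on a connection committed by a from-lport ACL appears to match in ls_in_acl_sample and again in ls_out_acl_sample whenever the same collector serves ACLs in both directions. If that is not intended, the ls_in reply flow should add `ct_mark.obs_stage == 2` and the ls_out reply flow `ct_mark.obs_stage != 2`, mirroring the stage checks the original-direction flows already carry; if it is intended, the test should state so and the expected output should show the double sample.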
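Review bot: In the tests/ovn.at hunk the new symbol `ct_mark.obs_collector_id = ct_mark[16..19]` overlaps `ct_mark.ecmp_reply_port = ct_mark[16..31]` two lines above it. If the overlap is intentional because ecmp_reply_port is only committed by the router pipeline and obs_collector_id only by the switch ACL pipeline, please say so in the commit message and in the ct_mark layout documentation, so that nobody later adds a router-side use of bits 16..19 or a switch-side use of 16..31 without noticing the shared range. If a single conntrack entry can ever be committed from both pipelines, the collector id needs a non-overlapping range.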
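Review bot: The tests/system-ovn.at hunks now expect `mark=16` and `mark=32` on conntrack entries created by ACLs that configure only labels and no Sample; with the `ct_mark.obs_stage = ct_mark[4..5]` layout from the tests/ovn.at hunk those values decode to obs_stage 1 and 2. So `ct_mark.obs_stage` is committed unconditionally by every allow-related ACL, and the conntrack mark is no longer zero for ACL-committed connections even when sampling is not configured. That is a visible behaviour change worth stating explicitly in the commit message, and it is worth double-checking any flow or test that matches the whole `ct_mark` value rather than a named bit field, since it now sees the extra stage bits.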