From patchwork Wed Aug 7 06:51:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969834 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=L/jIGP+Z; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf17K6sWTz1yfM for ; Wed, 7 Aug 2024 16:51:57 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 2C35F4054A; Wed, 7 Aug 2024 06:51:54 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id DkIHEgkrZ8yw; Wed, 7 Aug 2024 06:51:52 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.9.56; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 10EB640360 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=L/jIGP+Z Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id 10EB640360; Wed, 7 Aug 2024 06:51:52 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id E1B8EC002B; Wed, 7 Aug 2024 06:51:51 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 40811C002B for ; Wed, 7 Aug 2024 06:51:49 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 1EEB240340 for ; Wed, 7 Aug 2024 06:51:49 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id wtb_lVv514Wp for ; Wed, 7 Aug 2024 06:51:48 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp4.osuosl.org BBFEC4019D Authentication-Results: smtp4.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org BBFEC4019D Authentication-Results: smtp4.osuosl.org; dkim=pass (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=L/jIGP+Z Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp4.osuosl.org (Postfix) with ESMTPS id BBFEC4019D for ; Wed, 7 Aug 2024 06:51:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013506; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pwV9z6mUXP5YMMRZtnUCM4kotyoHNM8ZE9aZWe/oOws=; b=L/jIGP+Z9b8W/v3gDkozzntyFvrqtVHzxZQzYRtNLFy85Vs9UzWcsvQWSuM946g/5FWlkJ CoBu2S3XFaMqAGNtzqayK2dEsmSWZgzV8PiCVH8mzY0qRU4d5Nuw3+QoYWVeXDgtZISU0y ZOwSNfO5rQsW1LZOiw+p+b9O5LJGrhA= Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-179-7_v81i3yPpuHSHloE8Tkeg-1; Wed, 07 Aug 2024 02:51:45 -0400 X-MC-Unique: 7_v81i3yPpuHSHloE8Tkeg-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8403919560B3; Wed, 7 Aug 2024 06:51:44 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id D11091956053; Wed, 7 Aug 2024 06:51:41 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:18 +0200 Message-ID: <20240807065126.38132-2-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 1/9] northd: Fix up logical flow documentation for QoS. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" When the QoS stages were merged the documentation wasn't updated properly. Also fix up some small style issues in the northd code itself. Fixes: 5dd573757699 ("Merge QoS logical pipelines.") Acked-by: Numan Siddique Acked-by: Mark Michelson Signed-off-by: Dumitru Ceara --- V7: - Added Mark's ack. V6: - Removed Ales' ack. V5: - Added acks from Ales and Numan --- northd/northd.c | 11 +++-- northd/ovn-northd.8.xml | 92 +++++++++++++---------------------------- 2 files changed, 34 insertions(+), 69 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index a8a0b6f94c..fbfd5a7f35 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -7137,7 +7137,6 @@ build_qos(struct ovn_datapath *od, struct lflow_table *lflows, } } if (rate) { - stage = ingress ? S_SWITCH_IN_QOS : S_SWITCH_OUT_QOS; if (burst) { ds_put_format(&action, "set_meter(%"PRId64", %"PRId64"); ", @@ -7164,11 +7163,11 @@ build_qos(struct ovn_datapath *od, struct lflow_table *lflows, qos->value_action[j]); } } - ds_put_cstr(&action, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - qos->priority, - qos->match, ds_cstr(&action), - &qos->header_, lflow_ref); + ds_put_cstr(&action, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, + qos->priority, + qos->match, ds_cstr(&action), + &qos->header_, lflow_ref); } ds_destroy(&action); } diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index b06b09ac5f..ba85e4bfd7 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -907,48 +907,21 @@ -

Ingress Table 10: from-lport QoS Marking

+

Ingress Table 10: from-lport QoS

Logical flows in this table closely reproduce those in the - QoS table with the action column set in - the OVN_Northbound database for the + QoS table with the action or + bandwidth column set in the + OVN_Northbound database for the from-lport direction.

  • - For every qos_rules entry in a logical switch with DSCP marking - enabled, a flow will be added at the priority mentioned in the - QoS table. -
    • - -
  • - For every qos_rules entry in a logical switch with packet marking - enabled, a flow will be added at the priority mentioned in the - QoS table. -
    • - -
  • - One priority-0 fallback flow that matches all packets and advances to - the next table. -
    • -
- -

Ingress Table 11: from-lport QoS Meter

- -

- Logical flows in this table closely reproduce those in the - QoS table with the bandwidth column set - in the OVN_Northbound database for the - from-lport direction. -

- -
    -
  • - For every qos_rules entry in a logical switch with metering - enabled, a flow will be added at the priority mentioned in the - QoS table. + For every qos_rules entry in a logical switch with DSCP marking, + packet marking or metering enabled a flow will be added at the priority + mentioned in the QoS table.
  • @@ -957,7 +930,7 @@
-

Ingress Table 12: Load balancing affinity check

+

Ingress Table 11: Load balancing affinity check

Load balancing affinity check table contains the following @@ -985,7 +958,7 @@ -

Ingress Table 13: LB

+

Ingress Table 12: LB

  • @@ -1065,7 +1038,7 @@
-

Ingress Table 14: Load balancing affinity learn

+

Ingress Table 13: Load balancing affinity learn

Load balancing affinity learn table contains the following @@ -1096,7 +1069,7 @@ -

Ingress Table 15: Pre-Hairpin

+

Ingress Table 14: Pre-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1114,7 +1087,7 @@
-

Ingress Table 16: Nat-Hairpin

+

Ingress Table 15: Nat-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1149,7 +1122,7 @@
-

Ingress Table 17: Hairpin

+

Ingress Table 16: Hairpin

  • @@ -1187,7 +1160,7 @@

-

Ingress table 18: from-lport ACL evaluation after LB

+

Ingress table 17: from-lport ACL evaluation after LB

Logical flows in this table closely reproduce those in the @@ -1272,7 +1245,7 @@ -

Ingress Table 19: from-lport ACL action after LB

+

Ingress Table 18: from-lport ACL action after LB

Logical flows in this table decide how to proceed based on the values of @@ -1312,7 +1285,7 @@ -

Ingress Table 20: Stateful

+

Ingress Table 19: Stateful

  • @@ -1335,7 +1308,7 @@
-

Ingress Table 21: ARP/ND responder

+

Ingress Table 20: ARP/ND responder

This table implements ARP/ND responder in a logical switch for known @@ -1670,7 +1643,7 @@ output; -

Ingress Table 22: DHCP option processing

+

Ingress Table 21: DHCP option processing

This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1731,7 +1704,7 @@ next; -

Ingress Table 23: DHCP responses

+

Ingress Table 22: DHCP responses

This table implements DHCP responder for the DHCP replies generated by @@ -1812,7 +1785,7 @@ output; -

Ingress Table 24 DNS Lookup

+

Ingress Table 23 DNS Lookup

This table looks up and resolves the DNS names to the corresponding @@ -1841,7 +1814,7 @@ reg0[4] = dns_lookup(); next; -

Ingress Table 25 DNS Responses

+

Ingress Table 24 DNS Responses

This table implements DNS responder for the DNS replies generated by @@ -1876,7 +1849,7 @@ output; -

Ingress table 26 External ports

+

Ingress table 25 External ports

Traffic from the external logical ports enter the ingress @@ -1919,7 +1892,7 @@ output; -

Ingress Table 27 Destination Lookup

+

Ingress Table 26 Destination Lookup

This table implements switching behavior. It contains these logical @@ -2117,7 +2090,7 @@ output; -

Ingress Table 28 Destination unknown

+

Ingress Table 27 Destination unknown

This table handles the packets whose destination was not found or @@ -2330,28 +2303,21 @@ output; This is similar to ingress table ACL action.

-

Egress Table 6: to-lport QoS Marking

- -

- This is similar to ingress table QoS marking except - they apply to to-lport QoS rules. -

- -

Egress Table 7: to-lport QoS Meter

+

Egress Table 6: to-lport QoS

- This is similar to ingress table QoS meter except + This is similar to ingress table QoS except they apply to to-lport QoS rules.

-

Egress Table 8: Stateful

+

Egress Table 7: Stateful

This is similar to ingress table Stateful except that there are no rules added for load balancing new connections.

-

Egress Table 9: Egress Port Security - check

+

Egress Table 8: Egress Port Security - check

This is similar to the port security logic in table @@ -2380,7 +2346,7 @@ output; -

Egress Table 10: Egress Port Security - Apply

+

Egress Table 9: Egress Port Security - Apply

This is similar to the ingress port security logic in ingress table From patchwork Wed Aug 7 06:51:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969835 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=IM10wR/V; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf17R19ZLz1yfC for ; Wed, 7 Aug 2024 16:52:02 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 5024C60887; Wed, 7 Aug 2024 06:52:01 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id Gi0c4-SEpWXI; Wed, 7 Aug 2024 06:51:59 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 763FB6087B Authentication-Results: smtp3.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=IM10wR/V Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTPS id 763FB6087B; Wed, 7 Aug 2024 06:51:59 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id E7E5BC002B; Wed, 7 Aug 2024 06:51:58 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 1A760C002B for ; Wed, 7 Aug 2024 06:51:58 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 44F9160876 for ; Wed, 7 Aug 2024 06:51:56 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id J59_AyJH-dZl for ; Wed, 7 Aug 2024 06:51:54 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org 5D54260717 Authentication-Results: smtp3.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5D54260717 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp3.osuosl.org (Postfix) with ESMTPS id 5D54260717 for ; Wed, 7 Aug 2024 06:51:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013513; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ET5UGnwvV7yXiwE8Fg6WM553EKio8drBDbiuYaqzHhA=; b=IM10wR/Vqjd+upNkohP7L5gigz4t7Ccaie0kjiyP9ImUhHirNRTU8nZARUZFiQUNmNTE7i 4paumNT69FRUt4bj5RJDPpGrm21PtRAr9yqucEduYVwEqYHkipYAAFNvlKYiFBZvHn1Djq 0APFkSvSunKCLAAf8SSO7rpj2/236U8= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-664-ViZ1Y8WIPIKlBgXbNXIlbA-1; Wed, 07 Aug 2024 02:51:49 -0400 X-MC-Unique: ViZ1Y8WIPIKlBgXbNXIlbA-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 9F8A81956096; Wed, 7 Aug 2024 06:51:48 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id A64D919560A3; Wed, 7 Aug 2024 06:51:45 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:19 +0200 Message-ID: <20240807065126.38132-3-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 2/9] northd: Commit from-lport ACL label (and state) when LBs are used. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Quoting the ACL label section in the ovn.nb.5 man page: Associates an identifier with the ACL. The same value will be written to corresponding connection tracker entry. The value should be a valid 32-bit unsigned integer. This value can help in debugging from connection tracker side. For example, through this "label" we can backtrack to the ACL rule which is causing a "leaked" connection. Connection tracker entries are created only for allowed connections so the label is valid only for allow and allow-related actions. The above states that the ACL label must always be stored in the connection tracker entry label for allow-related ACLs (regardless of the direction of the ACL). However, since 74d82e296f80 ("northd: Support the option to apply from-lport ACLs after load balancer."), the connection is not re-committed in the ls_in_stateful stage (because it already was committed as part of the load balancer DNAT). Moreover, by not re-committing the connection after LB we also risk not re-setting any potential ct_mark.blocked value the connection might have. This patch addresses the issue by always committing packets matched by allow-related (or stateful in general) ACLs even if they were also committed as part of the load balancing stage. There's potentially a slight overhead when doing this (an additional commit call into conntrack but _no_ recirculation). This is however acceptable as it is required for a correct packet processing pipeline implementation. Even without this fix, packets creating new connections that hit "--apply-after-lb" ACLs trigger a re-commit (for storing the label and ct_mark.blocked). A new test is added to ensure we don't break this functionality in the future. CC: Numan Siddique Fixes: 74d82e296f80 ("northd: Support the option to apply from-lport ACLs after load balancer.") Acked-by: Mark Michelson Acked-by: Numan Siddique Signed-off-by: Dumitru Ceara --- V4: - Addressed Mark's comment: - fixed up build_lb_affinity_ls_flows() comment - Added Mark's and Numan's acks. --- northd/northd.c | 14 ++---- tests/ovn-northd.at | 110 +++++++++++++++++++++++++++++++------------- tests/ovn.at | 4 +- 3 files changed, 84 insertions(+), 44 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index fbfd5a7f35..8b4ef1403a 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -7437,14 +7437,12 @@ build_lb_affinity_lr_flows(struct lflow_table *lflows, * table=ls_in_lb, priority=150 * match=(REGBIT_KNOWN_LB_SESSION == 1 && ct.new && ip4.dst == V * && REG_LB_AFF_BACKEND_IP4 == B1 && REG_LB_AFF_MATCH_PORT == BP1) - * action=(REGBIT_CONNTRACK_COMMIT = 0; - * REG_ORIG_DIP_IPV4 = V; REG_ORIG_TP_DPORT = VP; + * action=(REG_ORIG_DIP_IPV4 = V; REG_ORIG_TP_DPORT = VP; * ct_lb_mark(backends=B1:BP1);) * table=ls_in_lb, priority=150 * match=(REGBIT_KNOWN_LB_SESSION == 1 && ct.new && ip4.dst == V * && REG_LB_AFF_BACKEND_IP4 == B2 && REG_LB_AFF_MATCH_PORT == BP2) - * action=(REGBIT_CONNTRACK_COMMIT = 0; - * REG_ORIG_DIP_IPV4 = V; + * action=(REG_ORIG_DIP_IPV4 = V; * REG_ORIG_TP_DPORT = VP; * ct_lb_mark(backends=B1:BP2);) * @@ -7514,8 +7512,7 @@ build_lb_affinity_ls_flows(struct lflow_table *lflows, ipv6 ? REG_LB_L2_AFF_BACKEND_IP6 : REG_LB_AFF_BACKEND_IP4; /* Prepare common part of affinity LB and affinity learn action. */ - ds_put_format(&aff_action, REGBIT_CONNTRACK_COMMIT" = 0; %s = %s; ", - reg_vip, lb_vip->vip_str); + ds_put_format(&aff_action, "%s = %s; ", reg_vip, lb_vip->vip_str); ds_put_cstr(&aff_action_learn, "commit_lb_aff(vip = \""); if (lb_vip->port_str) { @@ -7655,11 +7652,6 @@ build_lb_rules(struct lflow_table *lflows, struct ovn_lb_datapaths *lb_dps, ds_clear(action); ds_clear(match); - /* Make sure that we clear the REGBIT_CONNTRACK_COMMIT flag. Otherwise - * the load balanced packet will be committed again in - * S_SWITCH_IN_STATEFUL. */ - ds_put_format(action, REGBIT_CONNTRACK_COMMIT" = 0; "); - /* New connections in Ingress table. */ const char *meter = NULL; bool reject = build_lb_vip_actions(lb, lb_vip, lb_vip_nb, action, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 199197f09d..27e8ec3388 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -1413,7 +1413,7 @@ check ovn-nbctl --wait=sb ls-lb-add sw0 lb1 AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) # disabled LSPs should not be a backend of Load Balancer @@ -1422,7 +1422,7 @@ check ovn-nbctl lsp-set-enabled sw0-p1 disabled AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=20.0.0.3:80);) ]) wait_row_count Service_Monitor 1 @@ -1431,7 +1431,7 @@ check ovn-nbctl lsp-set-enabled sw0-p1 enabled AT_CAPTURE_FILE([sbflows]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) wait_row_count Service_Monitor 2 @@ -1442,7 +1442,7 @@ wait_row_count Service_Monitor 0 AT_CAPTURE_FILE([sbflows2]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows2 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Create the Load_Balancer_Health_Check again.]) @@ -1454,7 +1454,7 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows sw0 | grep backends | grep priority=120 > lflows.txt AT_CHECK([cat lflows.txt | ovn_strip_lflows], [0], [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Get the uuid of both the service_monitor]) @@ -1464,7 +1464,7 @@ sm_sw1_p1=$(fetch_column Service_Monitor _uuid logical_port=sw1-p1) AT_CAPTURE_FILE([sbflows3]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows 3 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw1-p1 to offline]) @@ -1475,7 +1475,7 @@ check ovn-nbctl --wait=sb sync AT_CAPTURE_FILE([sbflows4]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows4 | grep 'priority=120.*backends' | ovn_strip_lflows], [0], -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw0-p1 to offline]) @@ -1504,7 +1504,7 @@ check ovn-nbctl --wait=sb sync AT_CAPTURE_FILE([sbflows7]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows7 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) ]) AS_BOX([Set the service monitor for sw1-p1 to error]) @@ -1515,7 +1515,7 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \ | grep priority=120 > lflows.txt AT_CHECK([cat lflows.txt | grep ls_in_lb | ovn_strip_lflows], [0], [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) ]) AS_BOX([Add one more vip to lb1]) @@ -1541,8 +1541,8 @@ AT_CAPTURE_FILE([sbflows9]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows9 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000);) ]) AS_BOX([Set the service monitor for sw1-p1 to online]) @@ -1555,8 +1555,8 @@ AT_CAPTURE_FILE([sbflows10]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows10 | grep backends | grep priority=120 | ovn_strip_lflows], 0, -[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) +[ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) ]) AS_BOX([Associate lb1 to sw1]) @@ -1565,8 +1565,8 @@ AT_CAPTURE_FILE([sbflows11]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw1 | tee sbflows11 | grep backends | grep priority=120 | ovn_strip_lflows], 0, [dnl - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40 && tcp.dst == 1000), action=(ct_lb_mark(backends=10.0.0.3:1000,20.0.0.3:80);) ]) AS_BOX([Now create lb2 same as lb1 but udp protocol.]) @@ -4602,8 +4602,8 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.4:8080);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.40:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4805,6 +4805,51 @@ AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ovn -- ACL label commit - load balancers]) +ovn_start + +dnl One logical switch, two ports, one load balancer and ACLs with label set. +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 "00:00:00:00:00:01" \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 "00:00:00:00:00:02" \ + -- lb-add lb-test 42.42.42.42:4242 43.43.43.43:4343 udp \ + -- ls-lb-add ls lb-test + +check ovn-nbctl --wait=sb sync + +flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.42 && ip.ttl==64 && udp.dst == 4242" + +AS_BOX([from-lport allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; +]) + +AS_BOX([from-lport --apply-after-lb allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add ls from-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; +]) + +AS_BOX([to-lport allow-related ACL]) +check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip allow-related + +dnl Check that the label is committed to conntrack in the ingress pipeline +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV_PARALLELIZATION([ AT_SETUP([ovn -- ct.inv usage]) ovn_start @@ -7629,7 +7674,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl @@ -7684,7 +7729,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl @@ -7739,7 +7784,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.2), action=(ct_lb_mark(backends=10.0.0.10);) ]) AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl @@ -9063,13 +9108,13 @@ AT_CAPTURE_FILE([S1flows]) AT_CHECK([grep "ls_in_lb " S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(ct_lb_mark(backends=10.0.0.2:8080);) ]) AT_CHECK([grep "ls_in_lb " S1flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(ct_lb_mark(backends=10.0.0.2:8080);) ]) ovn-sbctl get datapath S0 _uuid > dp_uuids @@ -9199,9 +9244,9 @@ AT_CHECK([grep "ls_in_lb_aff_check" S0flows | ovn_strip_lflows], [0], [dnl ]) AT_CHECK([grep "ls_in_lb " S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) - table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) - table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) ]) AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) @@ -10286,14 +10331,17 @@ dnl It should not commit anything in the egress pipeline of S1 or in the dnl ingress pipeline of S2. flow="inport == \"vm1\" && eth.src == 00:de:ad:01:00:01 && eth.dst == 00:de:ad:fe:00:01 && ip4.src == 173.0.1.2 && ip4.dst == 30.0.0.1 && ip.ttl==64" -dnl Check that we only commit once for ACLs, in the egress ACL pipeline -dnl (in S2, towards vm2). The original problem this test is trying to -dnl cover was that ct_state wasn't cleared when traversing from s1 -> r1 -dnl which caused two additional commits to happen: +dnl Check that we only commit twice for ACLs: +dnl - in the ingress ACL pipeline (in s1, from vm1) +dnl - in the egress ACL pipeline (in S2, towards vm2) +dnl The original problem this test is trying to cover was that ct_state +dnl wasn't cleared when traversing from s1 -> r1 which caused two additional +dnl commits to happen: dnl - in the egress pipeline of S1, when sending the packet out on s1_r1 dnl - in the ingress pipeline of S2, when processing the packet on s2_r1 AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new s1 "$flow" | grep -e ls_in_stateful -e ls_out_stateful -A 2 | grep commit], [0], [dnl ct_commit { ct_mark.blocked = 0; }; + ct_commit { ct_mark.blocked = 0; }; ]) AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index b31afbfb37..cee361188a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -25509,7 +25509,7 @@ OVS_WAIT_FOR_OUTPUT( ovn-sbctl dump-flows sw0 | grep ct_lb_mark | grep priority=120 | sed 's/table=..//'], 0, [dnl (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;) - (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) + (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) ]) AT_CAPTURE_FILE([sbflows2]) @@ -25708,7 +25708,7 @@ OVS_WAIT_FOR_OUTPUT( ovn-sbctl dump-flows sw0 | grep ct_lb_mark | grep priority=120 | sed 's/table=..//'], 0, [dnl (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6.dst == 2001::a && tcp.dst == 80), action=(xxreg1 = 2001::a; reg2[[0..15]] = 80; ct_lb_mark;) - (ls_in_lb ), priority=120 , match=(ct.new && ip6.dst == 2001::a && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=[[2001::3]]:80,[[2002::3]]:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) + (ls_in_lb ), priority=120 , match=(ct.new && ip6.dst == 2001::a && tcp.dst == 80), action=(ct_lb_mark(backends=[[2001::3]]:80,[[2002::3]]:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");) ]) AT_CAPTURE_FILE([sbflows2]) From patchwork Wed Aug 7 06:51:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969837 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=DfNuBb4Z; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf17X3kM4z1yfC for ; Wed, 7 Aug 2024 16:52:08 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 3276740A95; Wed, 7 Aug 2024 06:52:05 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id 6pcwhNc3crue; Wed, 7 Aug 2024 06:52:03 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 417C540A97 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=DfNuBb4Z Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp2.osuosl.org (Postfix) with ESMTPS id 417C540A97; Wed, 7 Aug 2024 06:52:03 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 13271C0033; Wed, 7 Aug 2024 06:52:03 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 3E187C0928 for ; Wed, 7 Aug 2024 06:52:01 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id B0D5E40A41 for ; Wed, 7 Aug 2024 06:51:59 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id SVw_V2X_kVt2 for ; Wed, 7 Aug 2024 06:51:58 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org BB08740A66 Authentication-Results: smtp2.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org BB08740A66 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp2.osuosl.org (Postfix) with ESMTPS id BB08740A66 for ; Wed, 7 Aug 2024 06:51:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013516; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=r4w6sd4RydT2576pTeHl27EP8eboUZgOk2Hz1d4/mJ0=; b=DfNuBb4ZCahHqOf9CH88AYX7NA/BzUbASaH9VXknqSGn9pG8sEv6ihTSEB8qgNUA0kWKIQ PsCsLpfJM6t2rG1wMsAp4D0+8JX88iRK6Xb75CzZdRaLaVnE+h1Mythaqi1lNh09uSAc4d bTPe2W4ZTscYXpNXF8T39lUihvPsB4Y= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-650-TmvW3Gc6N1CVf_G0p1TYeQ-1; Wed, 07 Aug 2024 02:51:53 -0400 X-MC-Unique: TmvW3Gc6N1CVf_G0p1TYeQ-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 80623195609F; Wed, 7 Aug 2024 06:51:52 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id CD95319560A3; Wed, 7 Aug 2024 06:51:49 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:20 +0200 Message-ID: <20240807065126.38132-4-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 3/9] northd: Add Sampling_App table. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This will represent a unified place to store IPFIX observation domain ID configurations for sampling applications (currently only drop sampling is supported as application but following commits will add more). Acked-by: Numan Siddique Acked-by: Mark Michelson Signed-off-by: Dumitru Ceara --- V7: - Added Mark's ack. V5: - Addressed Ilya's and Numan's comments: - changed sampling_app 'name' column to 'type' - removed IPFIX reference from documentation - Added Numan's ack (I removed the one from Mark because quite a few changes were introduced by the rename). V4: - Addressed Ales' comments: - fix up indentation - bump NB schema version - Added Mark's ack. --- northd/automake.mk | 2 + northd/en-lflow.c | 5 ++ northd/en-sampling-app.c | 117 +++++++++++++++++++++++++++++++++++++++ northd/en-sampling-app.h | 51 +++++++++++++++++ northd/inc-proc-northd.c | 10 +++- northd/northd.h | 1 + ovn-nb.ovsschema | 20 ++++++- ovn-nb.xml | 16 ++++++ tests/ovn-northd.at | 17 ++++++ 9 files changed, 235 insertions(+), 4 deletions(-) create mode 100644 northd/en-sampling-app.c create mode 100644 northd/en-sampling-app.h diff --git a/northd/automake.mk b/northd/automake.mk index d491973a8b..6566ad2999 100644 --- a/northd/automake.mk +++ b/northd/automake.mk @@ -32,6 +32,8 @@ northd_ovn_northd_SOURCES = \ northd/en-lr-stateful.h \ northd/en-ls-stateful.c \ northd/en-ls-stateful.h \ + northd/en-sampling-app.c \ + northd/en-sampling-app.h \ northd/inc-proc-northd.c \ northd/inc-proc-northd.h \ northd/ipam.c \ diff --git a/northd/en-lflow.c b/northd/en-lflow.c index c4b927fb8c..eb91f2a651 100644 --- a/northd/en-lflow.c +++ b/northd/en-lflow.c @@ -25,6 +25,7 @@ #include "en-ls-stateful.h" #include "en-northd.h" #include "en-meters.h" +#include "en-sampling-app.h" #include "lflow-mgr.h" #include "lib/inc-proc-eng.h" @@ -86,6 +87,10 @@ lflow_get_input_data(struct engine_node *node, lflow_input->ovn_internal_version_changed = global_config->ovn_internal_version_changed; lflow_input->svc_monitor_mac = global_config->svc_monitor_mac; + + struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + lflow_input->sampling_apps = &sampling_app_data->apps; } void en_lflow_run(struct engine_node *node, void *data) diff --git a/northd/en-sampling-app.c b/northd/en-sampling-app.c new file mode 100644 index 0000000000..e6c816c404 --- /dev/null +++ b/northd/en-sampling-app.c @@ -0,0 +1,117 @@ +/* + * Copyright (c) 2024, Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include "openvswitch/vlog.h" + +#include "en-sampling-app.h" + +VLOG_DEFINE_THIS_MODULE(en_sampling_app); + +/* Static function declarations. */ +static void sampling_app_table_add(struct sampling_app_table *, + const struct nbrec_sampling_app *); +static uint8_t sampling_app_table_get_id(const struct sampling_app_table *, + enum sampling_app); +static void sampling_app_table_reset(struct sampling_app_table *); +static enum sampling_app sampling_app_get_by_type(const char *app_type); + +void * +en_sampling_app_init(struct engine_node *node OVS_UNUSED, + struct engine_arg *arg OVS_UNUSED) +{ + struct ed_type_sampling_app_data *data = xzalloc(sizeof *data); + sampling_app_table_reset(&data->apps); + return data; +} + +void +en_sampling_app_cleanup(void *data OVS_UNUSED) +{ +} + +void +en_sampling_app_run(struct engine_node *node, void *data_) +{ + const struct nbrec_sampling_app_table *nb_sampling_app_table = + EN_OVSDB_GET(engine_get_input("NB_sampling_app", node)); + struct ed_type_sampling_app_data *data = data_; + + sampling_app_table_reset(&data->apps); + + const struct nbrec_sampling_app *sa; + NBREC_SAMPLING_APP_TABLE_FOR_EACH (sa, nb_sampling_app_table) { + sampling_app_table_add(&data->apps, sa); + } + + engine_set_node_state(node, EN_UPDATED); +} + +uint8_t +sampling_app_get_id(const struct sampling_app_table *app_table, + enum sampling_app app) +{ + return sampling_app_table_get_id(app_table, app); +} + +/* Static functions. */ +static void +sampling_app_table_add(struct sampling_app_table *table, + const struct nbrec_sampling_app *sa) +{ + enum sampling_app app = sampling_app_get_by_type(sa->type); + + if (app == SAMPLING_APP_MAX) { + static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); + VLOG_WARN_RL(&rl, "Unexpected Sampling_App type: %s", sa->type); + return; + } + table->app_ids[app] = sa->id; +} + +static uint8_t +sampling_app_table_get_id(const struct sampling_app_table *table, + enum sampling_app app) +{ + ovs_assert(app < SAMPLING_APP_MAX); + return table->app_ids[app]; +} + +static void +sampling_app_table_reset(struct sampling_app_table *table) +{ + for (size_t i = 0; i < SAMPLING_APP_MAX; i++) { + table->app_ids[i] = SAMPLING_APP_ID_NONE; + } +} + +static const char *app_types[] = { + [SAMPLING_APP_DROP_DEBUG] = "drop", + [SAMPLING_APP_ACL_NEW] = "acl-new", + [SAMPLING_APP_ACL_EST] = "acl-est", +}; + +static enum sampling_app +sampling_app_get_by_type(const char *app_type) +{ + for (size_t app = 0; app < ARRAY_SIZE(app_types); app++) { + if (!strcmp(app_type, app_types[app])) { + return app; + } + } + return SAMPLING_APP_MAX; +} diff --git a/northd/en-sampling-app.h b/northd/en-sampling-app.h new file mode 100644 index 0000000000..a5b5ae4222 --- /dev/null +++ b/northd/en-sampling-app.h @@ -0,0 +1,51 @@ +/* + * Copyright (c) 2024, Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef EN_SAMPLING_APP_H +#define EN_SAMPLING_APP_H 1 + +/* OVS includes. */ +#include "openvswitch/shash.h" + +/* OVN includes. */ +#include "lib/inc-proc-eng.h" +#include "lib/ovn-nb-idl.h" + +/* Valid sample IDs are in the 1..255 interval. */ +#define SAMPLING_APP_ID_NONE 0 + +/* Supported sampling applications. */ +enum sampling_app { + SAMPLING_APP_DROP_DEBUG, + SAMPLING_APP_ACL_NEW, + SAMPLING_APP_ACL_EST, + SAMPLING_APP_MAX, +}; + +struct sampling_app_table { + uint8_t app_ids[SAMPLING_APP_MAX]; +}; + +struct ed_type_sampling_app_data { + struct sampling_app_table apps; +}; + +void *en_sampling_app_init(struct engine_node *, struct engine_arg *); +void en_sampling_app_cleanup(void *data); +void en_sampling_app_run(struct engine_node *, void *data); +uint8_t sampling_app_get_id(const struct sampling_app_table *, + enum sampling_app); + +#endif /* EN_SAMPLING_APP_H */ diff --git a/northd/inc-proc-northd.c b/northd/inc-proc-northd.c index 522236ad2a..5d89670c29 100644 --- a/northd/inc-proc-northd.c +++ b/northd/inc-proc-northd.c @@ -39,6 +39,7 @@ #include "en-lflow.h" #include "en-northd-output.h" #include "en-meters.h" +#include "en-sampling-app.h" #include "en-sync-sb.h" #include "en-sync-from-sb.h" #include "unixctl.h" @@ -61,7 +62,8 @@ static unixctl_cb_func chassis_features_list; NB_NODE(meter, "meter") \ NB_NODE(bfd, "bfd") \ NB_NODE(static_mac_binding, "static_mac_binding") \ - NB_NODE(chassis_template_var, "chassis_template_var") + NB_NODE(chassis_template_var, "chassis_template_var") \ + NB_NODE(sampling_app, "sampling_app") enum nb_engine_node { #define NB_NODE(NAME, NAME_STR) NB_##NAME, @@ -138,6 +140,7 @@ enum sb_engine_node { * avoid sparse errors. */ static ENGINE_NODE_WITH_CLEAR_TRACK_DATA(northd, "northd"); static ENGINE_NODE(sync_from_sb, "sync_from_sb"); +static ENGINE_NODE(sampling_app, "sampling_app"); static ENGINE_NODE(lflow, "lflow"); static ENGINE_NODE(mac_binding_aging, "mac_binding_aging"); static ENGINE_NODE(mac_binding_aging_waker, "mac_binding_aging_waker"); @@ -170,6 +173,8 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, engine_add_input(&en_lb_data, &en_nb_logical_router, lb_data_logical_router_handler); + engine_add_input(&en_sampling_app, &en_nb_sampling_app, NULL); + engine_add_input(&en_global_config, &en_nb_nb_global, global_config_nb_global_handler); engine_add_input(&en_global_config, &en_sb_sb_global, @@ -251,6 +256,9 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, engine_add_input(&en_lflow, &en_sb_logical_dp_group, NULL); engine_add_input(&en_lflow, &en_global_config, node_global_config_handler); + + engine_add_input(&en_lflow, &en_sampling_app, NULL); + engine_add_input(&en_lflow, &en_northd, lflow_northd_handler); engine_add_input(&en_lflow, &en_port_group, lflow_port_group_handler); engine_add_input(&en_lflow, &en_lr_stateful, lflow_lr_stateful_handler); diff --git a/northd/northd.h b/northd/northd.h index d4a8d75abc..e50aa6731a 100644 --- a/northd/northd.h +++ b/northd/northd.h @@ -190,6 +190,7 @@ struct lflow_input { const struct hmap *svc_monitor_map; bool ovn_internal_version_changed; const char *svc_monitor_mac; + const struct sampling_app_table *sampling_apps; }; extern int parallelization_state; diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index e3c4aff9df..a6a377f20b 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.4.0", - "cksum": "1908497390 35615", + "version": "7.5.0", + "cksum": "1137408189 36223", "tables": { "NB_Global": { "columns": { @@ -691,6 +691,20 @@ "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}, "indexes": [["chassis"]], - "isRoot": true} + "isRoot": true}, + "Sampling_App": { + "columns": { + "type": {"type": {"key": {"type": "string", + "enum": ["set", ["drop", "acl-new", "acl-est"]]}}}, + "id": {"type": {"key": {"type": "integer", + "minInteger": 1, + "maxInteger": 255}}}, + "external_ids": { + "type": {"key": "string", "value": "string", + "min": 0, "max": "unlimited"}} + }, + "indexes": [["type"]], + "isRoot": true + } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 6376320d31..0cf2478cf3 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -5093,4 +5093,20 @@ or + + + The type of the application to be configured for sampling. Currently + supported options are: "drop", "acl-new", "acl-est". + + + The identifier to be encoded in the samples generated for this type of + application. This identifier is used as part of the sample's + observation domain ID. + + + + See External IDs at the beginning of this document. + + +
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 27e8ec3388..66a651e68e 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -12479,6 +12479,23 @@ check_engine_stats lflow recompute nocompute AT_CLEANUP +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([Sampling_App incremental processing]) + +ovn_start + +check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats + +ovn-nbctl create Sampling_App type="acl-new" id="42" +check_row_count nb:Sampling_App 1 +check_engine_stats sampling_app recompute nocompute +check_engine_stats northd norecompute nocompute +check_engine_stats lflow recompute nocompute +CHECK_NO_CHANGE_AFTER_RECOMPUTE + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start From patchwork Wed Aug 7 06:51:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969838 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=K94wtkQ0; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf17h3qg1z1yfC for ; Wed, 7 Aug 2024 16:52:16 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 3CEE681272; Wed, 7 Aug 2024 06:52:14 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id SwbppYhvqXPp; Wed, 7 Aug 2024 06:52:12 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 83A9681296 Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=K94wtkQ0 Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTPS id 83A9681296; Wed, 7 Aug 2024 06:52:12 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 3C5D8C002B; Wed, 7 Aug 2024 06:52:12 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0CD7CC002B for ; Wed, 7 Aug 2024 06:52:11 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id D0CC560877 for ; Wed, 7 Aug 2024 06:52:03 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id mnXJRJ51LvIx for ; Wed, 7 Aug 2024 06:52:01 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org 4C41B60875 Authentication-Results: smtp3.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 4C41B60875 Authentication-Results: smtp3.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=K94wtkQ0 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp3.osuosl.org (Postfix) with ESMTPS id 4C41B60875 for ; Wed, 7 Aug 2024 06:52:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013520; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jfa31asEvB3lP1AGSUp8HrLIuKYZsKjFqKuCNXmJ0/8=; b=K94wtkQ0hMNU40Pezkwgg0UC2FN+nlK9LRB9Zz3mq/3RyeemxlfKg5dVDBYSoXzGQuaINE kAW6cdcY4JzLQXzEO3Y2KAUVTeVaul2t7Y+i2xgxBZhX9yg2Zaylv/xyIlodZDHnUzPMDI kiFL3fDbCnVZPM8UE5D28xrQQJyunmM= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-639--JR8K1GaOxWbwwZnlGDVUQ-1; Wed, 07 Aug 2024 02:51:57 -0400 X-MC-Unique: -JR8K1GaOxWbwwZnlGDVUQ-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 2CC471955F54; Wed, 7 Aug 2024 06:51:56 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8317A1956052; Wed, 7 Aug 2024 06:51:53 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:21 +0200 Message-ID: <20240807065126.38132-5-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 4/9] northd: Override NB_Global drop sampling id with Sampling_App config. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Acked-by: Mark Michelson Signed-off-by: Dumitru Ceara --- V6: - Removed Ales' ack. V5: - Added Ales' ack. V4: - Addressed Ales' comments: - deprecated old config knob - fixed unit test typo - Added Mark's ack. --- NEWS | 3 +++ northd/debug.c | 12 +++++++----- northd/debug.h | 3 ++- northd/en-global-config.c | 31 +++++++++++++++++++++++-------- northd/inc-proc-northd.c | 1 + ovn-nb.xml | 5 +++++ tests/ovn-northd.at | 27 ++++++++++++++++++++++++++- 7 files changed, 67 insertions(+), 15 deletions(-) diff --git a/NEWS b/NEWS index 136f890f52..0c91e9608e 100644 --- a/NEWS +++ b/NEWS @@ -50,6 +50,9 @@ Post v24.03.0 - A new LSP option "disable_garp_rarp" has been added to prevent OVN from sending GARP or RARP announcements when a VIF is created on a bridged logical switch. + - The NB_Global.debug_drop_domain_id configured value is now overridden by + the ID associated with the Sampling_App record created for drop sampling + (Sampling_App.type configured as "drop"). OVN v24.03.0 - 01 Mar 2024 -------------------------- diff --git a/northd/debug.c b/northd/debug.c index 59da5d4f66..457993b7cf 100644 --- a/northd/debug.c +++ b/northd/debug.c @@ -3,6 +3,7 @@ #include #include "debug.h" +#include "en-sampling-app.h" #include "openvswitch/dynamic-string.h" #include "openvswitch/vlog.h" @@ -26,16 +27,17 @@ debug_enabled(void) } void -init_debug_config(const struct nbrec_nb_global *nb) +init_debug_config(const struct nbrec_nb_global *nb, + uint8_t drop_domain_id_override) { - const struct smap *options = &nb->options; uint32_t collector_set_id = smap_get_uint(options, "debug_drop_collector_set", 0); - uint32_t observation_domain_id = smap_get_uint(options, - "debug_drop_domain_id", - 0); + uint32_t observation_domain_id = + drop_domain_id_override != SAMPLING_APP_ID_NONE + ? drop_domain_id_override + : smap_get_uint(options, "debug_drop_domain_id", 0); if (collector_set_id != config.collector_set_id || observation_domain_id != config.observation_domain_id || diff --git a/northd/debug.h b/northd/debug.h index c1a5e5aadb..a0b535253a 100644 --- a/northd/debug.h +++ b/northd/debug.h @@ -21,7 +21,8 @@ #include "lib/ovn-nb-idl.h" #include "openvswitch/dynamic-string.h" -void init_debug_config(const struct nbrec_nb_global *nb); +void init_debug_config(const struct nbrec_nb_global *nb, + uint8_t drop_domain_id_override); void destroy_debug_config(void); const char *debug_drop_action(void); diff --git a/northd/en-global-config.c b/northd/en-global-config.c index c5e65966b8..d7607aa074 100644 --- a/northd/en-global-config.c +++ b/northd/en-global-config.c @@ -24,6 +24,7 @@ /* OVN includes */ #include "debug.h" #include "en-global-config.h" +#include "en-sampling-app.h" #include "include/ovn/features.h" #include "ipam.h" #include "lib/ovn-nb-idl.h" @@ -42,8 +43,10 @@ static bool chassis_features_changed(const struct chassis_features *, static bool config_out_of_sync(const struct smap *config, const struct smap *saved_config, const char *key, bool must_be_present); -static bool check_nb_options_out_of_sync(const struct nbrec_nb_global *, - struct ed_type_global_config *); +static bool check_nb_options_out_of_sync( + const struct nbrec_nb_global *, + struct ed_type_global_config *, + const struct sampling_app_table *); static void update_sb_config_options_to_sbrec(struct ed_type_global_config *, const struct sbrec_sb_global *); @@ -72,6 +75,9 @@ en_global_config_run(struct engine_node *node , void *data) EN_OVSDB_GET(engine_get_input("SB_sb_global", node)); const struct sbrec_chassis_table *sbrec_chassis_table = EN_OVSDB_GET(engine_get_input("SB_chassis", node)); + const struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + const struct sampling_app_table *sampling_apps = &sampling_app_data->apps; struct ed_type_global_config *config_data = data; @@ -145,7 +151,8 @@ en_global_config_run(struct engine_node *node , void *data) build_chassis_features(sbrec_chassis_table, &config_data->features); } - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); const struct sbrec_sb_global *sb = sbrec_sb_global_table_first(sb_global_table); @@ -186,6 +193,9 @@ global_config_nb_global_handler(struct engine_node *node, void *data) EN_OVSDB_GET(engine_get_input("NB_nb_global", node)); const struct sbrec_sb_global_table *sb_global_table = EN_OVSDB_GET(engine_get_input("SB_sb_global", node)); + const struct ed_type_sampling_app_data *sampling_app_data = + engine_get_input_data("sampling_app", node); + const struct sampling_app_table *sampling_apps = &sampling_app_data->apps; const struct nbrec_nb_global *nb = nbrec_nb_global_table_first(nb_global_table); @@ -248,7 +258,7 @@ global_config_nb_global_handler(struct engine_node *node, void *data) return false; } - if (check_nb_options_out_of_sync(nb, config_data)) { + if (check_nb_options_out_of_sync(nb, config_data, sampling_apps)) { config_data->tracked_data.nb_options_changed = true; } @@ -461,8 +471,10 @@ config_out_of_sync(const struct smap *config, const struct smap *saved_config, } static bool -check_nb_options_out_of_sync(const struct nbrec_nb_global *nb, - struct ed_type_global_config *config_data) +check_nb_options_out_of_sync( + const struct nbrec_nb_global *nb, + struct ed_type_global_config *config_data, + const struct sampling_app_table *sampling_apps) { if (config_out_of_sync(&nb->options, &config_data->nb_options, "mac_binding_removal_limit", false)) { @@ -496,13 +508,16 @@ check_nb_options_out_of_sync(const struct nbrec_nb_global *nb, if (config_out_of_sync(&nb->options, &config_data->nb_options, "debug_drop_domain_id", false)) { - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); + return true; } if (config_out_of_sync(&nb->options, &config_data->nb_options, "debug_drop_collector_set", false)) { - init_debug_config(nb); + init_debug_config(nb, sampling_app_get_id(sampling_apps, + SAMPLING_APP_DROP_DEBUG)); return true; } diff --git a/northd/inc-proc-northd.c b/northd/inc-proc-northd.c index 5d89670c29..95bedc5cd0 100644 --- a/northd/inc-proc-northd.c +++ b/northd/inc-proc-northd.c @@ -181,6 +181,7 @@ void inc_proc_northd_init(struct ovsdb_idl_loop *nb, global_config_sb_global_handler); engine_add_input(&en_global_config, &en_sb_chassis, global_config_sb_chassis_handler); + engine_add_input(&en_global_config, &en_sampling_app, NULL); engine_add_input(&en_northd, &en_nb_mirror, NULL); engine_add_input(&en_northd, &en_nb_static_mac_binding, NULL); diff --git a/ovn-nb.xml b/ovn-nb.xml index 0cf2478cf3..bc44f67642 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -351,6 +351,11 @@ The observation_point_id will be set to the first 32 bits of the logical flow's UUID.

+

+ Note: This key is deprecated in favor of the value configured in the + table for the drop + application. +

diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 66a651e68e..ebf02ef10a 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -12489,13 +12489,38 @@ check as northd ovn-appctl -t ovn-northd inc-engine/clear-stats ovn-nbctl create Sampling_App type="acl-new" id="42" check_row_count nb:Sampling_App 1 check_engine_stats sampling_app recompute nocompute -check_engine_stats northd norecompute nocompute +check_engine_stats northd recompute nocompute check_engine_stats lflow recompute nocompute +check_engine_stats global_config recompute nocompute CHECK_NO_CHANGE_AFTER_RECOMPUTE AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([Sampling_App override debug_drop_domain_id]) + +ovn_start + +check ovn-nbctl -- set NB_Global . options:debug_drop_collector_set="123" \ + -- set NB_Global . options:debug_drop_domain_id="1" \ + -- ls-add ls +check ovn-nbctl --wait=sb sync + +AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflows], [0], [dnl + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(sample(probability=65535,collector_set=123,obs_domain=1,obs_point=$cookie); /* drop */) +]) + +ovn-nbctl --wait=sb create Sampling_App type="drop" id="42" +check_row_count nb:Sampling_App 1 + +AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflows], [0], [dnl + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(sample(probability=65535,collector_set=123,obs_domain=42,obs_point=$cookie); /* drop */) +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start From patchwork Wed Aug 7 06:51:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969844 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=EZKg31S3; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf18S2CBFz1yfC for ; Wed, 7 Aug 2024 16:52:56 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id E548160901; Wed, 7 Aug 2024 06:52:53 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id g5EKl8lgamyv; Wed, 7 Aug 2024 06:52:43 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org C8F18608E8 Authentication-Results: smtp3.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=EZKg31S3 Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTPS id C8F18608E8; Wed, 7 Aug 2024 06:52:43 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 9EE65C002B; Wed, 7 Aug 2024 06:52:43 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 02FAFC002A for ; Wed, 7 Aug 2024 06:52:42 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 4369E60875 for ; Wed, 7 Aug 2024 06:52:16 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id YJpHnLeIhKPX for ; Wed, 7 Aug 2024 06:52:09 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org 8452A60888 Authentication-Results: smtp3.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 8452A60888 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp3.osuosl.org (Postfix) with ESMTPS id 8452A60888 for ; Wed, 7 Aug 2024 06:52:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013526; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5kutwilvZDqJ0hakorW0cGdnReu66wRZBXZgntySlK0=; b=EZKg31S3bmnPv/ltNlDx56b4bzosgsA0K2QsxIRGEd3ygBDpUCQRfpt9FTiyAMn7FONaRN X8hfmlidPs+bI+vyoWO3Uw+On+2j8Ff+wplauqeFnmDy9n5qyqhyli4S1DD3aTtrp/sBO7 RKq5yprOAGKQwK4mbG9Ld8Jhz67Od4c= Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-608-eQwwmowXOdm654exdG4eQg-1; Wed, 07 Aug 2024 02:52:01 -0400 X-MC-Unique: eQwwmowXOdm654exdG4eQg-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id D18C71955D44; Wed, 7 Aug 2024 06:52:00 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 3C34819560A3; Wed, 7 Aug 2024 06:51:56 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:22 +0200 Message-ID: <20240807065126.38132-6-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 5/9] northd: Add ACL Sampling. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Adrian Moreno Introduce a new table called Sample where per-flow IPFIX configuration can be specified. Also, reference rows from such table from the ACL table to enable the configuration of ACL sampling. If enabled, northd will add a sample action to each ACL related logical flow. Packets that hit stateful ACLs are sampled in different ways depending whether they are initiating a new session or are just forwarded on an existing (already allowed) session. Two new columns ("sample_new" and "sample_est") are added to the ACL table to allow for potentially different sampling rates for the two cases. Note: If an ACL has both sampling enabled and a label associated to it then the label value overrides the observation point ID defined in the sample configuration. This is a side effect of the implementation (observation point IDs are stored in conntrack in the same part of the ct_label where ACL labels are also stored). The two features (sampling and ACL labels) serve however similar purposes so it's not expected that they're both enabled together. When sampling is enabled on an ACL additional logical flows are created for that ACL (one for stateless ACLs and 3 for stateful ACLs) in the ACL action stage of the logical pipeline. These additional flows match on a combination of conntrack state values and observation point id values (either against a logical register or against the stored ct_label state) in order to determine whether the packets hitting the ACLs must be sampled or not. This comes with a slight increase in the number of logical flows and in the number of OpenFlow rules. The number of additional flows _does not_ depend on the original ACL match or action. New --sample-new and --sample-est optional arguments are added to the 'ovn-nbctl acl-add' command to allow configuring these new types of sampling for ACLs. An example workflow of configuring ACL samples is: # Create Sampling_App mappings for ACL traffic types: ovn-nbctl create Sampling_App name="acl-new-traffic-sampling" \ id="42" ovn-nbctl create sampling_app name="acl-est-traffic-sampling" \ id="43" # Create two sample collectors, one that samples all packets (c1) # and another one that samples with a probability of 10% (c2): c1=$(ovn-nbctl create Sample_Collector name=c1 \ probability=65535 set_id=1) c2=$(ovn-nbctl create Sample_Collector name=c2 \ probability=6553 set_id=2) # Create two sample configurations (for new and for established # traffic) and an ingress ACL to allow IP traffic: ovn-nbctl \ -- --id=@s1 create sample collector="$c1 $c2" metadata=4301 \ -- --id=@s2 create sample collector="$c1 $c2" metadata=4302 \ -- --sample-new=@s1 --sample-est=@s2 acl-add ls \ from-lport 1 "ip" allow-related The config above will generate IPFIX samples with: - 8 MSB of observation domain id set to 42 (Sampling_App "acl-new-traffic-sampling" config) and observation point id set to 4301 (Sample s1) for packets that create a new connection - 8 MSB of observation domain id set to 43 (Sampling_app "acl-est-traffic-sampling" config) and observation point id set to 4302 (Sample s2) for packets that are part of an already existing connection Note: in general, all generated IPFIX sample observation domain IDs are built by ovn-controller in the following way: The 8 MSB taken from the sample action's obs_domain_id and the last 24 LSB taken from the Southbound logical datapath tunnel_key (datapath ID). Acked-by: Mark Michelson Reported-at: https://issues.redhat.com/browse/FDP-305 Signed-off-by: Adrian Moreno Co-authored-by: Ales Musil Signed-off-by: Ales Musil Co-authored-by: Dumitru Ceara Signed-off-by: Dumitru Ceara --- V7: - Address Nadia's comment: - Make Sample_Collector.ID 8 bit long (255 values). - Added Mark's ack. V6: - Address Ilya's comments: - make Sample non-root - Add unique ID to Sample_Collector to be stored in the session conntrack information. Limit the max number of Sample_Collector records to 15 (4 bit). - Remove the Sample.external_ids: with non-root it doesn't really make sense, there's always going to be a direct mapping from a single ACL object to the sample. - Remove HAVE_TCPDUMP from system tests. - Add fix and test for to-lport ACLs with sampling enabled hit on egress towards routers. - Add test with different collectors (multiple probabilities) that share the same set_id. - Fixed system test checking nfcapd output files (these can auto rotate). V5: - rebase - address Ilya's comment: - add documentation notes about behavior when mixing ACL labels with ACL sampling. V4: - added explicit sampling stages - reduced set_id max supported value - added support for tiered "pass" ACLs - improved system test + added tiered ACL system test - added Ales as co-author for most of the above - Addressed Mark's comment about better error messages in ovn-nbctl V3: - Addressed Ilya's comment: - Bumped NB schema version. V2: - Addressed Adrian's comments: - fixed up observation domain id comment in commit log. - store the obs_domain_id in the ct_label as an 8 bit value (add a test). - removed redundant check in build_acl_sample_label_action(). - added missing space after ternary ":" operator. - documented limitation for sampling ACLs with action "pass". - documented sample_new behavior for stateless ACLs. - Removed unused OVN_CT_SAMPLE_ID_SET_BIT and OVN_CT_SAMPLE_ID_SET. --- NEWS | 3 + controller/lflow.h | 12 +- lib/logical-fields.c | 4 + lib/ovn-util.h | 2 +- northd/northd.c | 463 ++++++++++++++++++++++-- northd/northd.h | 54 +-- northd/ovn-northd.8.xml | 133 +++++-- ovn-nb.ovsschema | 47 ++- ovn-nb.xml | 75 ++++ tests/atlocal.in | 6 + tests/ovn-controller.at | 168 ++++----- tests/ovn-macros.at | 14 +- tests/ovn-nbctl.at | 36 ++ tests/ovn-northd.at | 381 ++++++++++++++++++-- tests/ovn.at | 69 ++-- tests/system-common-macros.at | 11 + tests/system-ovn.at | 465 +++++++++++++++++++++++++ utilities/containers/fedora/Dockerfile | 1 + utilities/containers/ubuntu/Dockerfile | 1 + utilities/ovn-nbctl.8.xml | 8 +- utilities/ovn-nbctl.c | 35 +- 21 files changed, 1749 insertions(+), 239 deletions(-) diff --git a/NEWS b/NEWS index 0c91e9608e..676c49e3fa 100644 --- a/NEWS +++ b/NEWS @@ -53,6 +53,9 @@ Post v24.03.0 - The NB_Global.debug_drop_domain_id configured value is now overridden by the ID associated with the Sampling_App record created for drop sampling (Sampling_App.type configured as "drop"). + - Add support for ACL sampling through the new Sample_Collector and Sample + tables. Sampling is supported for both traffic that creates new + connections and for traffic that is part of an existing connection. OVN v24.03.0 - 01 Mar 2024 -------------------------- diff --git a/controller/lflow.h b/controller/lflow.h index c8a2a3f494..e95a016501 100644 --- a/controller/lflow.h +++ b/controller/lflow.h @@ -67,17 +67,17 @@ struct uuid; /* Start of LOG_PIPELINE_LEN tables. */ #define OFTABLE_LOG_INGRESS_PIPELINE 8 -#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 37 -#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 38 -#define OFTABLE_REMOTE_OUTPUT 39 -#define OFTABLE_LOCAL_OUTPUT 40 -#define OFTABLE_CHECK_LOOPBACK 41 +#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 40 +#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 41 +#define OFTABLE_REMOTE_OUTPUT 42 +#define OFTABLE_LOCAL_OUTPUT 43 +#define OFTABLE_CHECK_LOOPBACK 44 /* Start of the OUTPUT section of the pipeline. */ #define OFTABLE_OUTPUT_INIT OFTABLE_OUTPUT_LARGE_PKT_DETECT /* Start of LOG_PIPELINE_LEN tables. */ -#define OFTABLE_LOG_EGRESS_PIPELINE 42 +#define OFTABLE_LOG_EGRESS_PIPELINE 45 #define OFTABLE_SAVE_INPORT 64 #define OFTABLE_LOG_TO_PHY 65 #define OFTABLE_MAC_BINDING 66 diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 4acf8a677e..0c187e1c84 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -175,6 +175,10 @@ ovn_init_symtab(struct shash *symtab) WR_CT_COMMIT); expr_symtab_add_subfield_scoped(symtab, "ct_label.label", NULL, "ct_label[96..127]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_label.obs_point_id", NULL, + "ct_label[96..127]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_label.obs_unused", NULL, + "ct_label[0..95]", WR_CT_COMMIT); expr_symtab_add_field(symtab, "ct_state", MFF_CT_STATE, NULL, false); diff --git a/lib/ovn-util.h b/lib/ovn-util.h index ae971ce5ab..7b98b9b9a1 100644 --- a/lib/ovn-util.h +++ b/lib/ovn-util.h @@ -308,7 +308,7 @@ BUILD_ASSERT_DECL( #define SCTP_ABORT_CHUNK_FLAG_T (1 << 0) /* The number of tables for the ingress and egress pipelines. */ -#define LOG_PIPELINE_LEN 29 +#define LOG_PIPELINE_LEN 30 static inline uint32_t hash_add_in6_addr(uint32_t hash, const struct in6_addr *addr) diff --git a/northd/northd.c b/northd/northd.c index 8b4ef1403a..13f9faba31 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -50,6 +50,7 @@ #include "en-lr-nat.h" #include "en-lr-stateful.h" #include "en-ls-stateful.h" +#include "en-sampling-app.h" #include "lib/ovn-parallel-hmap.h" #include "ovn/actions.h" #include "ovn/features.h" @@ -184,8 +185,10 @@ static bool vxlan_mode; #define REG_ORIG_TP_DPORT_ROUTER "reg9[16..31]" -/* Register used for setting a label for ACLs in a Logical Switch. */ -#define REG_LABEL "reg3" +/* Registers used for pasing observability information for switches: + * domain and point ID. */ +#define REG_OBS_POINT_ID_NEW "reg3" +#define REG_OBS_POINT_ID_EST "reg9" /* Register used for temporarily store ECMP eth.src to avoid masked ct_label * access. It doesn't really occupy registers because the content of the @@ -209,13 +212,13 @@ static bool vxlan_mode; * | | REGBIT_{HAIRPIN/HAIRPIN_REPLY} | | | * | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} | | | * | | REGBIT_ACL_{LABEL/STATELESS} | X | | - * +----+----------------------------------------------+ X | | - * | R5 | UNUSED | X | LB_L2_AFF_BACKEND_IP6 | - * | R1 | ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL) | R | | - * +----+----------------------------------------------+ E | | + * +----+----------------------------------------------+ X | LB_L2_AFF_BACKEND_IP6 | + * | R1 | ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL) | R | (>= IN_LB_AFF_CHECK && | + * +----+----------------------------------------------+ E | <= IN_LB_AFF_LEARN) | * | R2 | ORIG_TP_DPORT (>= IN_PRE_STATEFUL) | G | | * +----+----------------------------------------------+ 0 | | - * | R3 | ACL LABEL | | | + * | R3 | OBS_POINT_ID_NEW | | | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | | | * +----+----------------------------------------------+---+-----------------------------------+ * | R4 | REG_LB_AFF_BACKEND_IP4 | | | * +----+----------------------------------------------+ X | | @@ -225,9 +228,11 @@ static bool vxlan_mode; * +----+----------------------------------------------+ G | | * | R7 | UNUSED | 1 | | * +----+----------------------------------------------+---+-----------------------------------+ - * | R8 | LB_AFF_MATCH_PORT | + * | | LB_AFF_MATCH_PORT | + * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | * +----+----------------------------------------------+ - * | R9 | UNUSED | + * | R9 | OBS_POINT_ID_EST | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | * +----+----------------------------------------------+ * * Logical Router pipeline: @@ -6482,6 +6487,355 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl, ds_put_cstr(actions, "); "); } +/* This builds an ACL specific sample action. + * If the ACL has a label configured the label itself is used as sample + * observation point ID. Otherwise the configured 'sample->metadata' + * is passed as observation point ID. */ +static void +build_acl_sample_action(struct ds *actions, const struct nbrec_acl *acl, + const struct nbrec_sample *sample, + uint8_t sample_domain_id) +{ + if (!sample || sample_domain_id == SAMPLING_APP_ID_NONE) { + return; + } + + uint32_t domain_id = 0; + uint32_t point_id = 0; + + if (acl->label) { + domain_id = 0; + point_id = acl->label; + } else if (sample) { + domain_id = sample_domain_id; + point_id = sample->metadata; + } + + for (size_t i = 0; i < sample->n_collectors; i++) { + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point=%"PRIu32");", + (uint16_t) sample->collectors[i]->probability, + (uint8_t) sample->collectors[i]->set_id, + domain_id, point_id); + } + ds_put_cstr(actions, " next;"); +} + +/* This builds an ACL logical flow specific action that stores the observation + * point IDs to be used for samples generated for traffic that hits the ACL. + * Two observation point IDs are stored in registers, the one for traffic + * that creates new connections and the one for traffic that's part of an + * existing connection. + */ +static void +build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, + const struct nbrec_sample *sample_new, + const struct nbrec_sample *sample_est) +{ + if (!acl->label && !sample_new && !sample_est) { + return; + } + + uint32_t point_id_new = 0; + uint32_t point_id_est = 0; + + if (acl->label) { + point_id_new = acl->label; + point_id_est = acl->label; + } else { + if (sample_new) { + point_id_new = sample_new->metadata; + } + if (sample_est) { + point_id_est = sample_est->metadata; + } + } + + ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " + REG_OBS_POINT_ID_NEW " = %"PRIu32"; " + REG_OBS_POINT_ID_EST " = %"PRIu32"; ", + point_id_new, point_id_est); +} + +/* This builds an ACL logical flow specific match that selects traffic + * with an associated observation point ID register equal to that of the + * ACL label (if configured) or sample->metadata. + */ +static void +build_acl_sample_register_match(struct ds *match, const struct nbrec_acl *acl, + const struct nbrec_sample *sample) +{ + uint32_t point_id = 0; + + if (acl->label) { + point_id = acl->label; + } else if (sample) { + point_id = sample->metadata; + } + + ds_put_format(match, REG_OBS_POINT_ID_NEW " == %"PRIu32, point_id); +} + +/* This builds an ACL logical flow specific match that selects conntracked + * traffic whose associated ct_label.obs_point ID is equal to that of the + * ACL label (if configured) or sample->metadata. The match also ensures + * that the observation domain ID stored in the ct_label is also equal to + * 'sample_domain_id'. + */ +static void +build_acl_sample_label_match(struct ds *match, const struct nbrec_acl *acl, + const struct nbrec_sample *sample) +{ + uint32_t point_id = 0; + + if (acl->label) { + point_id = acl->label; + } else if (sample) { + point_id = sample->metadata; + } + + /* Match on the complete ct_label to avoid masked access to it in the + * datapath. Some NICs do not support HW offloading when masked-access + * of ct_label is used in the datapath. */ + ds_put_format(match, "ct_label.obs_point_id == %"PRIu32" && " + "ct_label.obs_unused == 0", point_id); +} + +/* This builds a logical flow that samples and forwards/drops traffic + * that hit a stateless ACL ("pass" or "allow-stateless") that has sampling + * enabled. + */ +static void +build_acl_sample_new_stateless_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_new) { + return; + } + + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && "); + build_acl_sample_register_match(match, acl, acl->sample_new); + + build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards/drops traffic + * that created a new conntrack entry and hit a stateful ACL that has sampling + * enabled. + */ +static void +build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_new) { + return; + } + + ds_clear(actions); + ds_clear(match); + + /* Match on new connections. However, for to-lport ACLs, due to + * skip_port_from_conntrack() conntrack state might be cleared, so + * take that into account too. */ + ds_put_format(match, "ip && %s && ", + stage != S_SWITCH_OUT_ACL_SAMPLE + ? "ct.new" : "(ct.new || !ct.trk)"); + build_acl_sample_register_match(match, acl, acl->sample_new); + + build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards traffic + * that is part of an existing connection (in the original direction) created + * by traffic allowed by a stateful ACL that has sampling enabled. + */ +static void +build_acl_sample_est_orig_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && ct.trk && " + "(ct.est || ct.rel) && " + "!ct.rpl && "); + build_acl_sample_label_match(match, acl, acl->sample_est); + + build_acl_sample_action(actions, acl, acl->sample_est, sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1200, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a logical flow that samples and forwards traffic + * that is part of an existing connection (in the reply direction) created + * by traffic allowed by a stateful ACL that has sampling enabled. + * + * NOTE: unlike for traffic in the original direction, this logical flow must + * be installed in the "opposite" pipeline. That is, for "from-lport" ACLs + * the conntrack entry is created in the ingress logical port zone and will be + * hit by reply traffic in the egress pipeline (before being sent out that + * logical port). + */ +static void +build_acl_sample_est_rpl_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage rpl_stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(actions); + ds_clear(match); + + ds_put_cstr(match, "ip && ct.trk && " + "(ct.est || ct.rel) && " + "ct.rpl && "); + build_acl_sample_label_match(match, acl, acl->sample_est); + + build_acl_sample_action(actions, acl, acl->sample_est, sample_domain_id); + + ovn_lflow_add(lflows, od, rpl_stage, 1200, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds logical flows that sample and forward traffic + * that is part of an existing connection (both in the original and in the + * reply direction) created by traffic allowed by a stateful ACL that has + * sampling enabled. + */ +static void +build_acl_sample_est_stateful_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + if (!acl->sample_est) { + return; + } + build_acl_sample_est_orig_stateful_flows(od, lflows, stage, match, actions, + acl, sample_domain_id, lflow_ref); + + /* Install flows in the "opposite" pipeline direction to handle reply + * traffic on established connections. */ + enum ovn_stage rpl_stage = (stage == S_SWITCH_OUT_ACL_SAMPLE + ? S_SWITCH_IN_ACL_SAMPLE + : S_SWITCH_OUT_ACL_SAMPLE); + build_acl_sample_est_rpl_stateful_flows(od, lflows, rpl_stage, + match, actions, + acl, sample_domain_id, lflow_ref); +} + +static void build_acl_reject_action(struct ds *actions, bool is_ingress); + +/* This builds all ACL sampling related logical flows: + * - for packets creating new connections + * - for packets that are part of an existing connection + */ +static void +build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, + const struct ovn_datapath *od, + struct lflow_table *lflows, + const struct nbrec_acl *acl, + struct ds *match, struct ds *actions, + const struct sampling_app_table *sampling_apps, + struct lflow_ref *lflow_ref) +{ + bool should_sample_established = + ls_stateful_rec->has_stateful_acl + && acl->sample_est + && !strcmp(acl->action, "allow-related"); + + bool stateful_match = + ls_stateful_rec->has_stateful_acl + && strcmp(acl->action, "allow-stateless"); + + /* Only sample if: + * - sampling is enabled for traffic creating new connections + * OR + * - sampling is enabled for traffic on established sessions and the + * switch has stateful ACLs. + */ + if (!acl->sample_new && !should_sample_established) { + return; + } + + bool ingress = !strcmp(acl->direction, "from-lport") ? true : false; + enum ovn_stage stage; + + if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { + stage = S_SWITCH_IN_ACL_AFTER_LB_SAMPLE; + } else if (ingress) { + stage = S_SWITCH_IN_ACL_SAMPLE; + } else { + stage = S_SWITCH_OUT_ACL_SAMPLE; + } + + uint8_t sample_new_domain_id = sampling_app_get_id(sampling_apps, + SAMPLING_APP_ACL_NEW); + uint8_t sample_est_domain_id = sampling_app_get_id(sampling_apps, + SAMPLING_APP_ACL_EST); + + if (!stateful_match) { + build_acl_sample_new_stateless_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, + lflow_ref); + } else { + build_acl_sample_new_stateful_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, + lflow_ref); + build_acl_sample_est_stateful_flows(od, lflows, stage, match, actions, + acl, sample_est_domain_id, + lflow_ref); + } +} + +/* This builds all default ACL sampling related logical flows. */ +static void +build_acl_sample_default_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + struct lflow_ref *lflow_ref) +{ + /* Rules at priority 1 is added below to pass the packet into next table + * if there isn't any match. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_SAMPLE, 0, "1", "next;", + lflow_ref); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_SAMPLE, 0, "1", "next;", + lflow_ref); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_SAMPLE, 0, "1", + "next;", lflow_ref); +} + static void consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, const struct nbrec_acl *acl, bool has_stateful, @@ -6529,6 +6883,10 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, if (!has_stateful || !strcmp(acl->action, "pass") || !strcmp(acl->action, "allow-stateless")) { + + /* For stateless ACLs just sample "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); ovn_lflow_add_with_hint(lflows, od, stage, priority, @@ -6563,10 +6921,10 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - if (acl->label) { - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); - } + + /* For stateful ACLs sample "new" and "established" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, + acl->sample_est); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6586,9 +6944,11 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, acl->match); if (acl->label) { ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); } + + /* For stateful ACLs sample "new" and "established" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, + acl->sample_est); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6606,6 +6966,9 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_put_format(match, " && (%s)", acl->match); ds_truncate(actions, log_verdict_len); + + /* For drop ACLs just sample all packets as "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6626,6 +6989,9 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_put_format(match, " && (%s)", acl->match); ds_truncate(actions, log_verdict_len); + + /* For drop ACLs just sample all packets as "new" packets. */ + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6706,6 +7072,20 @@ ovn_update_ipv6_options(struct hmap *lr_ports) #define IPV6_CT_OMIT_MATCH "nd || nd_ra || nd_rs || mldv1 || mldv2" +static void +build_acl_reject_action(struct ds *actions, bool is_ingress) +{ + ds_put_format( + actions, "reg0 = 0; " + "reject { " + "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " + "outport <-> inport; next(pipeline=%s,table=%d); " + "};", + is_ingress ? "egress" : "ingress", + is_ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS) + : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); +} + static void build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, const struct ovn_datapath *od, @@ -6722,6 +7102,12 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, S_SWITCH_OUT_ACL_ACTION, }; + enum ovn_stage eval_stages[] = { + S_SWITCH_IN_ACL_EVAL, + S_SWITCH_IN_ACL_AFTER_LB_EVAL, + S_SWITCH_OUT_ACL_EVAL, + }; + ds_clear(actions); ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW " = 0; " REGBIT_ACL_VERDICT_DROP " = 0; " @@ -6752,14 +7138,7 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, bool ingress = ovn_stage_get_pipeline(stage) == P_IN; ds_truncate(actions, verdict_len); - ds_put_format( - actions, "reg0 = 0; " - "reject { " - "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " - "outport <-> inport; next(pipeline=%s,table=%d); };", - ingress ? "egress" : "ingress", - ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS) - : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); + build_acl_reject_action(actions, ingress); ovn_lflow_metered(lflows, od, stage, 1000, REGBIT_ACL_VERDICT_REJECT " == 1", ds_cstr(actions), @@ -6778,7 +7157,7 @@ build_acl_action_lflows(const struct ls_stateful_record *ls_stateful_rec, ds_put_format(&tier_actions, REG_ACL_TIER " = %"PRIuSIZE"; " "next(pipeline=%s,table=%d);", j + 1, ingress ? "ingress" : "egress", - ovn_stage_get_table(stage) - 1); + ovn_stage_get_table(eval_stages[i])); ovn_lflow_add(lflows, od, stage, 500, ds_cstr(match), ds_cstr(&tier_actions), lflow_ref); } @@ -6799,12 +7178,6 @@ build_acl_log_related_flows(const struct ovn_datapath *od, * the ACL, then we need to ensure that the related and reply * traffic is logged, so we install a slightly higher-priority * flow that matches the ACL, allows the traffic, and logs it. - * - * Note: Matching the ct_label.label may prevent OVS flow HW - * offloading to work for some NICs because masked-access of - * ct_label is not supported on those NICs due to HW - * limitations. In such case the user may choose to avoid using the - * "log-related" option. */ bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; bool log_related = smap_get_bool(&acl->options, "log-related", @@ -6863,6 +7236,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, struct lflow_table *lflows, const struct ls_port_group_table *ls_port_groups, const struct shash *meter_groups, + const struct sampling_app_table *sampling_apps, struct lflow_ref *lflow_ref) { const char *default_acl_action = default_acl_drop @@ -7043,6 +7417,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, REGBIT_ACL_VERDICT_ALLOW " = 1; next;", lflow_ref); + build_acl_sample_default_flows(od, lflows, lflow_ref); + /* Ingress or Egress ACL Table (Various priorities). */ for (size_t i = 0; i < od->nbs->n_acls; i++) { struct nbrec_acl *acl = od->nbs->acls[i]; @@ -7052,6 +7428,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, consider_acl(lflows, od, acl, has_stateful, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); + build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, + &match, &actions, sampling_apps, lflow_ref); } const struct ls_port_group *ls_pg = @@ -7068,6 +7446,9 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, consider_acl(lflows, od, acl, has_stateful, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); + build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, + &match, &actions, sampling_apps, + lflow_ref); } } } @@ -7727,8 +8108,11 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, * We always set ct_mark.blocked to 0 here as * any packet that makes it this far is part of a connection we * want to allow to continue. */ - ds_put_cstr(&actions, "ct_commit { ct_mark.blocked = 0; " - "ct_label.label = " REG_LABEL "; }; next;"); + ds_put_cstr(&actions, + "ct_commit { " + "ct_mark.blocked = 0; " + "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; " + "}; next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, REGBIT_CONNTRACK_COMMIT" == 1 && " REGBIT_ACL_LABEL" == 1", @@ -15776,6 +16160,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, const struct ovn_datapath *od, const struct ls_port_group_table *ls_pgs, const struct shash *meter_groups, + const struct sampling_app_table *sampling_apps, struct lflow_table *lflows) { build_ls_stateful_rec_pre_acls(ls_stateful_rec, od, ls_pgs, lflows, @@ -15785,7 +16170,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, build_acl_hints(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); build_acls(ls_stateful_rec, od, lflows, ls_pgs, meter_groups, - ls_stateful_rec->lflow_ref); + sampling_apps, ls_stateful_rec->lflow_ref); build_lb_hairpin(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); } @@ -15809,6 +16194,7 @@ struct lswitch_flow_build_info { struct ds actions; size_t thread_lflow_counter; const char *svc_monitor_mac; + const struct sampling_app_table *sampling_apps; }; /* Helper function to combine all lflow generation which is iterated by @@ -16100,6 +16486,7 @@ build_lflows_thread(void *arg) build_ls_stateful_flows(ls_stateful_rec, od, lsi->ls_port_groups, lsi->meter_groups, + lsi->sampling_apps, lsi->lflows); } } @@ -16173,7 +16560,8 @@ build_lswitch_and_lrouter_flows( const struct hmap *svc_monitor_map, const struct hmap *bfd_connections, const struct chassis_features *features, - const char *svc_monitor_mac) + const char *svc_monitor_mac, + const struct sampling_app_table *sampling_apps) { char *svc_check_match = xasprintf("eth.dst == %s", svc_monitor_mac); @@ -16207,6 +16595,7 @@ build_lswitch_and_lrouter_flows( lsiv[index].svc_check_match = svc_check_match; lsiv[index].thread_lflow_counter = 0; lsiv[index].svc_monitor_mac = svc_monitor_mac; + lsiv[index].sampling_apps = sampling_apps; ds_init(&lsiv[index].match); ds_init(&lsiv[index].actions); @@ -16247,6 +16636,7 @@ build_lswitch_and_lrouter_flows( .features = features, .svc_check_match = svc_check_match, .svc_monitor_mac = svc_monitor_mac, + .sampling_apps = sampling_apps, .match = DS_EMPTY_INITIALIZER, .actions = DS_EMPTY_INITIALIZER, }; @@ -16319,6 +16709,7 @@ build_lswitch_and_lrouter_flows( &od->nbs->header_.uuid)); build_ls_stateful_flows(ls_stateful_rec, od, lsi.ls_port_groups, lsi.meter_groups, + lsi.sampling_apps, lsi.lflows); } stopwatch_stop(LFLOWS_LS_STATEFUL_STOPWATCH_NAME, time_msec()); @@ -16408,7 +16799,8 @@ void build_lflows(struct ovsdb_idl_txn *ovnsb_txn, input_data->svc_monitor_map, input_data->bfd_connections, input_data->features, - input_data->svc_monitor_mac); + input_data->svc_monitor_mac, + input_data->sampling_apps); if (parallelization_state == STATE_INIT_HASH_SIZES) { parallelization_state = STATE_USE_PARALLELIZATION; @@ -16832,6 +17224,7 @@ lflow_handle_ls_stateful_changes(struct ovsdb_idl_txn *ovnsb_txn, build_ls_stateful_flows(ls_stateful_rec, od, lflow_input->ls_port_groups, lflow_input->meter_groups, + lflow_input->sampling_apps, lflows); /* Sync the new flows to SB. */ diff --git a/northd/northd.h b/northd/northd.h index e50aa6731a..b628911510 100644 --- a/northd/northd.h +++ b/northd/northd.h @@ -397,27 +397,30 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 6, "ls_in_pre_stateful") \ PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 7, "ls_in_acl_hint") \ PIPELINE_STAGE(SWITCH, IN, ACL_EVAL, 8, "ls_in_acl_eval") \ - PIPELINE_STAGE(SWITCH, IN, ACL_ACTION, 9, "ls_in_acl_action") \ - PIPELINE_STAGE(SWITCH, IN, QOS, 10, "ls_in_qos") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 11, "ls_in_lb_aff_check") \ - PIPELINE_STAGE(SWITCH, IN, LB, 12, "ls_in_lb") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 13, "ls_in_lb_aff_learn") \ - PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 14, "ls_in_pre_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 15, "ls_in_nat_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 16, "ls_in_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_EVAL, 17, \ - "ls_in_acl_after_lb_eval") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 18, \ + PIPELINE_STAGE(SWITCH, IN, ACL_SAMPLE, 9, "ls_in_acl_sample") \ + PIPELINE_STAGE(SWITCH, IN, ACL_ACTION, 10, "ls_in_acl_action") \ + PIPELINE_STAGE(SWITCH, IN, QOS, 11, "ls_in_qos") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 12, "ls_in_lb_aff_check") \ + PIPELINE_STAGE(SWITCH, IN, LB, 13, "ls_in_lb") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 14, "ls_in_lb_aff_learn") \ + PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 15, "ls_in_pre_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 16, "ls_in_nat_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 17, "ls_in_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_EVAL, 18, \ + "ls_in_acl_after_lb_eval") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_SAMPLE, 19, \ + "ls_in_acl_after_lb_sample") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 20, \ "ls_in_acl_after_lb_action") \ - PIPELINE_STAGE(SWITCH, IN, STATEFUL, 19, "ls_in_stateful") \ - PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 20, "ls_in_arp_rsp") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 21, "ls_in_dhcp_options") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 22, "ls_in_dhcp_response") \ - PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 23, "ls_in_dns_lookup") \ - PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 24, "ls_in_dns_response") \ - PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 25, "ls_in_external_port") \ - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 26, "ls_in_l2_lkup") \ - PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 27, "ls_in_l2_unknown") \ + PIPELINE_STAGE(SWITCH, IN, STATEFUL, 21, "ls_in_stateful") \ + PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 22, "ls_in_arp_rsp") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 23, "ls_in_dhcp_options") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 24, "ls_in_dhcp_response") \ + PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 25, "ls_in_dns_lookup") \ + PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 26, "ls_in_dns_response") \ + PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 27, "ls_in_external_port") \ + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 28, "ls_in_l2_lkup") \ + PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 29, "ls_in_l2_unknown") \ \ /* Logical switch egress stages. */ \ PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \ @@ -425,11 +428,12 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \ PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 3, "ls_out_acl_hint") \ PIPELINE_STAGE(SWITCH, OUT, ACL_EVAL, 4, "ls_out_acl_eval") \ - PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 5, "ls_out_acl_action") \ - PIPELINE_STAGE(SWITCH, OUT, QOS, 6, "ls_out_qos") \ - PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \ - PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 8, "ls_out_check_port_sec") \ - PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 9, "ls_out_apply_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_SAMPLE, 5, "ls_out_acl_sample") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 6, "ls_out_acl_action") \ + PIPELINE_STAGE(SWITCH, OUT, QOS, 7, "ls_out_qos") \ + PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 8, "ls_out_stateful") \ + PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 9, "ls_out_check_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 10, "ls_out_apply_port_sec") \ \ /* Logical router ingress stages. */ \ PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index ba85e4bfd7..3abd5f75bb 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -867,7 +867,47 @@ -

Ingress Table 9: from-lport ACL action

+

Ingress Table 9: from-lport ACL sampling

+ +

+ Logical flows in this table sample traffic matched by + from-lport ACLs with sampling enabled. +

+ +
    +
  • + If no ACLs have sampling enabled, then a priority 0 flow is installed + that matches everything and advances to the next table. +
    • + +
  • + For each ACL with sample_new configured a priority 1100 flow is + installed that matches on the saved observation_point_id value. + This flow generates a sample() action and then advances + the packet to the next table. +
    • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id value + for established traffic in the original direction. This flow + generates a sample() action and then advances + the packet to the next table. +
    • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id + value for established traffic in the reply direction. This flow + generates a sample() action and then advances + the packet to the next table. Note: this flow is installed in the + opposite pipeline (in the ingress pipeline for ACLs applied in the + egress direction and in the egress pipeline for ACLs applied in the + ingress direction). +
    • +
+ +

Ingress Table 10: from-lport ACL action

Logical flows in this table decide how to proceed based on the values of @@ -907,7 +947,7 @@ -

Ingress Table 10: from-lport QoS

+

Ingress Table 11: from-lport QoS

Logical flows in this table closely reproduce those in the @@ -930,7 +970,7 @@ -

Ingress Table 11: Load balancing affinity check

+

Ingress Table 12: Load balancing affinity check

Load balancing affinity check table contains the following @@ -958,7 +998,7 @@ -

Ingress Table 12: LB

+

Ingress Table 13: LB

  • @@ -1038,7 +1078,7 @@
-

Ingress Table 13: Load balancing affinity learn

+

Ingress Table 14: Load balancing affinity learn

Load balancing affinity learn table contains the following @@ -1069,7 +1109,7 @@ -

Ingress Table 14: Pre-Hairpin

+

Ingress Table 15: Pre-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1087,7 +1127,7 @@
-

Ingress Table 15: Nat-Hairpin

+

Ingress Table 16: Nat-Hairpin

  • If the logical switch has load balancer(s) configured, then a @@ -1122,7 +1162,7 @@
-

Ingress Table 16: Hairpin

+

Ingress Table 17: Hairpin

  • @@ -1160,7 +1200,7 @@

-

Ingress table 17: from-lport ACL evaluation after LB

+

Ingress table 18: from-lport ACL evaluation after LB

Logical flows in this table closely reproduce those in the @@ -1245,7 +1285,47 @@ -

Ingress Table 18: from-lport ACL action after LB

+

Ingress Table 19: from-lport ACL sampling after LB

+ +

+ Logical flows in this table sample traffic matched by + from-lport ACLs (evaluation after LB) with sampling enabled. +

+ +
    +
  • + If no ACLs have sampling enabled, then a priority 0 flow is installed + that matches everything and advances to the next table. +
    • + +
  • + For each ACL with sample_new configured a priority 1100 flow is + installed that matches on the saved observation_point_id value. + This flow generates a sample() action and then advances + the packet to the next table. +
    • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id value + for established traffic in the original direction. This flow + generates a sample() action and then advances + the packet to the next table. +
    • + +
  • + For each ACL with sample_est configured a priority 1200 flow is + installed that matches on the saved observation_point_id + value for established traffic in the reply direction. This flow + generates a sample() action and then advances + the packet to the next table. Note: this flow is installed in the + opposite pipeline (in the ingress pipeline for ACLs applied in the + egress direction and in the egress pipeline for ACLs applied in the + ingress direction). +
    • +
+ +

Ingress Table 20: from-lport ACL action after LB

Logical flows in this table decide how to proceed based on the values of @@ -1285,7 +1365,7 @@ -

Ingress Table 19: Stateful

+

Ingress Table 21: Stateful

  • @@ -1308,7 +1388,7 @@
-

Ingress Table 20: ARP/ND responder

+

Ingress Table 22: ARP/ND responder

This table implements ARP/ND responder in a logical switch for known @@ -1643,7 +1723,7 @@ output; -

Ingress Table 21: DHCP option processing

+

Ingress Table 23: DHCP option processing

This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1704,7 +1784,7 @@ next; -

Ingress Table 22: DHCP responses

+

Ingress Table 24: DHCP responses

This table implements DHCP responder for the DHCP replies generated by @@ -1785,7 +1865,7 @@ output; -

Ingress Table 23 DNS Lookup

+

Ingress Table 25 DNS Lookup

This table looks up and resolves the DNS names to the corresponding @@ -1814,7 +1894,7 @@ reg0[4] = dns_lookup(); next; -

Ingress Table 24 DNS Responses

+

Ingress Table 26 DNS Responses

This table implements DNS responder for the DNS replies generated by @@ -1849,7 +1929,7 @@ output; -

Ingress table 25 External ports

+

Ingress table 27 External ports

Traffic from the external logical ports enter the ingress @@ -1892,7 +1972,7 @@ output; -

Ingress Table 26 Destination Lookup

+

Ingress Table 28 Destination Lookup

This table implements switching behavior. It contains these logical @@ -2090,7 +2170,7 @@ output; -

Ingress Table 27 Destination unknown

+

Ingress Table 29 Destination unknown

This table handles the packets whose destination was not found or @@ -2298,26 +2378,31 @@ output; -

Egress Table 5: to-lport ACL action

+

Egress Table 5: to-lport ACL sampling

+

+ This is similar to ingress table ACL sampling. +

+ +

Egress Table 6: to-lport ACL action

This is similar to ingress table ACL action.

-

Egress Table 6: to-lport QoS

+

Egress Table 7: to-lport QoS

This is similar to ingress table QoS except they apply to to-lport QoS rules.

-

Egress Table 7: Stateful

+

Egress Table 8: Stateful

This is similar to ingress table Stateful except that there are no rules added for load balancing new connections.

-

Egress Table 8: Egress Port Security - check

+

Egress Table 9: Egress Port Security - check

This is similar to the port security logic in table @@ -2346,7 +2431,7 @@ output; -

Egress Table 9: Egress Port Security - Apply

+

Egress Table 10: Egress Port Security - Apply

This is similar to the ingress port security logic in ingress table diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index a6a377f20b..b4a395c567 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.5.0", - "cksum": "1137408189 36223", + "version": "7.6.0", + "cksum": "2171465655 38284", "tables": { "NB_Global": { "columns": { @@ -30,6 +30,41 @@ "ipsec": {"type": "boolean"}}, "maxRows": 1, "isRoot": true}, + "Sample_Collector": { + "columns": { + "id": {"type": {"key": { + "type": "integer", + "minInteger": 1, + "maxInteger": 255}}}, + "name": {"type": "string"}, + "probability": {"type": {"key": { + "type": "integer", + "minInteger": 0, + "maxInteger": 65535}}}, + "set_id": {"type": {"key": { + "type": "integer", + "minInteger": 1, + "maxInteger": 4294967295}}}, + "external_ids": {"type": {"key": "string", "value": "string", + "min": 0, "max": "unlimited"}} + }, + "indexes": [["id"]], + "isRoot": true + }, + "Sample": { + "columns": { + "collectors": {"type": {"key": {"type": "uuid", + "refTable": "Sample_Collector", + "refType": "strong"}, + "min": 0, + "max": "unlimited"}}, + "metadata": {"type": {"key": {"type": "integer", + "minInteger": 1, + "maxInteger": 4294967295}, + "min": 1, "max":1}} + }, + "indexes": [["metadata"]] + }, "Copp": { "columns": { "name": {"type": "string"}, @@ -275,6 +310,14 @@ "tier": {"type": {"key": {"type": "integer", "minInteger": 0, "maxInteger": 3}}}, + "sample_new": {"type": {"key": {"type": "uuid", + "refTable": "Sample", + "refType": "strong"}, + "min": 0, "max": 1}}, + "sample_est": {"type": {"key": {"type": "uuid", + "refTable": "Sample", + "refType": "strong"}, + "min": 0, "max": 1}}, "options": { "type": {"key": "string", "value": "string", diff --git a/ovn-nb.xml b/ovn-nb.xml index bc44f67642..181eab0999 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -511,6 +511,48 @@ + + + Sample collector unique id used for differentiating collectors that use + the same set_id with different probability + values. The supported value range for IDs is 1-255. + + Name of the sample collector. + + Sampling probability for this collector. It must be an integer number + between 0 and 65535. A value of 0 corresponds to no packets being + sampled while a value of 65535 corresponds to all packets being sampled. + + + The 8-bit integer identifier of the set of of collectors to send + packets to. See Flow_Sample_Collector_Set Table in ovs-vswitchd's + database schema. + + + See External IDs at the beginning of this document. + +
+ + +

+ This table describes a Sampling configuration. Entries in other tables + might be associated with Sample entries to indicate how the sample + should be generated. + + For an example, see . +

+ + A list of references to records to be + used when generating samples (e.g., IPFIX). A sample can be sent to + multiple collectors simultaneously. + + + Will be used as Observation Point ID in every sample. The Observation + Domain ID will be generated by ovn-northd and includes the logical + datapath key as the least significant 24 bits and the sampling + application type (e.g., drop debugging) as the 8 most significant bits. + +

This table is used to define control plane protection policies, i.e., @@ -2342,6 +2384,12 @@ or created only for allowed connections so the label is valid only for allow and allow-related actions.

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_new or sample_est configuration. +

@@ -2551,6 +2599,33 @@ or + +

+ The entry in the table to use for sampling for + new sessions matched by this ACL. In case the ACL is stateless + this is used for sampling all traffic matched by the ACL. +

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_new configuration. +

+ + + +

+ The entry in the table to use for sampling for + established/related sessions matched by this ACL. +

+ +

+ Note: if an ACL has both sampling enabled and a label associated to it + then the label value overrides the observation point ID defined in the + sample_est configuration. +

+ + This column provides general key/value settings. The supported diff --git a/tests/atlocal.in b/tests/atlocal.in index 32d1c374ea..29e1bb2982 100644 --- a/tests/atlocal.in +++ b/tests/atlocal.in @@ -196,6 +196,12 @@ find_command bfdd-beacon # Set HAVE_ARPING find_command arping +# Set HAVE_NFCAPD +find_command nfcapd + +# Set HAVE_NFDUMP +find_command nfdump + # Turn off proxies. unset http_proxy unset https_proxy diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 74bff9035a..50da0de19c 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -944,7 +944,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -965,9 +965,9 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i @@ -987,7 +987,7 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 10; then @@ -1013,12 +1013,12 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i * 2)) @@ -1121,7 +1121,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1142,9 +1142,9 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id flow + 3 tp_dst flows) = 4 extra flows @@ -1157,7 +1157,7 @@ priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=33 grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1184,9 +1184,9 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((14 - $i)) @@ -1209,7 +1209,7 @@ for i in $(seq 10); do grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1319,7 +1319,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1343,7 +1343,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows @@ -1356,7 +1356,7 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=conjunction,1/2) @@ -1385,7 +1385,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((21 - $i*2)) @@ -1411,9 +1411,9 @@ for i in $(seq 2 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i @@ -1437,8 +1437,8 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) elif test "$i" = 10; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) @@ -1478,7 +1478,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1504,8 +1504,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2)) @@ -1517,12 +1517,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=lo grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi done @@ -1578,7 +1578,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1604,8 +1604,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) elif test "$i" -lt 6; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2)) @@ -1620,12 +1620,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=lo grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi done @@ -1687,7 +1687,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1708,7 +1708,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows @@ -1721,7 +1721,7 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1748,7 +1748,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((21 - $i*2)) @@ -1771,7 +1771,7 @@ for i in $(seq 10); do grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1811,7 +1811,7 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1835,7 +1835,7 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1874,7 +1874,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -1897,8 +1897,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1922,8 +1922,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1953,8 +1953,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1999,7 +1999,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -2020,9 +2020,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i @@ -2043,7 +2043,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 5; then @@ -2084,7 +2084,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -2105,9 +2105,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i @@ -2127,7 +2127,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) fi if test "$i" = 5; then @@ -2167,7 +2167,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) ovn-nbctl create address_set name=as1 addresses=8.8.8.8 check ovn-nbctl acl-add ls1 to-lport 100 'outport == "ls1-lp1" && ip4.src == $as1' drop @@ -2939,7 +2939,7 @@ ovn-appctl -t ovn-controller vlog/set file:dbg # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) @@ -2950,7 +2950,7 @@ check ovn-nbctl add address_set as1 addresses 10.0.0.0/24 check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) check ovn-nbctl add address_set as1 addresses 10.0.0.1 @@ -2960,22 +2960,22 @@ check ovn-nbctl add address_set as1 addresses 10.0.0.4 check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) check ovn-appctl inc-engine/recompute AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.0/24 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_sample) ]) OVN_CLEANUP([hv1]) diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at index a7a59a9124..eca642a67a 100644 --- a/tests/ovn-macros.at +++ b/tests/ovn-macros.at @@ -1129,6 +1129,10 @@ ovn_strip_lflows() { sed 's/table=[[0-9]]\{1,2\}\s\?/table=??/g' | sort } +ovn_strip_collector_set() { + sed 's/collector_set=[[0-9]]*,\?/collector_set=??,/g' +} + OVS_END_SHELL_HELPERS m4_define([OVN_POPULATE_ARP], [AT_CHECK(ovn_populate_arp__, [0], [ignore])]) @@ -1189,11 +1193,11 @@ m4_define([OVN_CHECK_SCAPY_EDNS_CLIENT_SUBNET_SUPPORT], m4_define([OFTABLE_PHY_TO_LOG], [0]) m4_define([OFTABLE_LOG_INGRESS_PIPELINE], [8]) -m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [37]) -m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [38]) -m4_define([OFTABLE_REMOTE_OUTPUT], [39]) -m4_define([OFTABLE_LOCAL_OUTPUT], [40]) -m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [42]) +m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [40]) +m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [41]) +m4_define([OFTABLE_REMOTE_OUTPUT], [42]) +m4_define([OFTABLE_LOCAL_OUTPUT], [43]) +m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [45]) m4_define([OFTABLE_SAVE_INPORT], [64]) m4_define([OFTABLE_LOG_TO_PHY], [65]) m4_define([OFTABLE_MAC_BINDING], [66]) diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 797ee0b45e..2efa13b938 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -2803,6 +2803,42 @@ check_row_count nb:ACL 0 dnl --------------------------------------------------------------------- +OVN_NBCTL_TEST([acl_sampling], [ACL sampling operations], [ +check ovn-nbctl ls-add ls +ovn-nbctl \ + --id=@sample1 create Sample metadata=4301 -- \ + --sample-new=@sample1 acl-add ls from-lport 1 1 allow-related +sample1=$(fetch_column nb:Sample _uuid metadata=4301) +check_column "$sample1" nb:ACL sample_new priority=1 + +ovn-nbctl \ + --id=@sample2 create Sample metadata=4302 -- \ + --sample-est=@sample2 acl-add ls from-lport 2 1 allow-related +sample2=$(fetch_column nb:Sample _uuid metadata=4302) +check_column "$sample2" nb:ACL sample_est priority=2 + +ovn-nbctl \ + --id=@sample3 create Sample metadata=4303 -- \ + --id=@sample4 create Sample metadata=4304 -- \ + --sample-new=@sample3 --sample-est=@sample4 acl-add ls from-lport 3 1 allow-related +sample3=$(fetch_column nb:Sample _uuid metadata=4303) +sample4=$(fetch_column nb:Sample _uuid metadata=4304) +check_column "$sample3" nb:ACL sample_new priority=3 +check_column "$sample4" nb:ACL sample_est priority=3 + +dnl Check invalid sample_new and sample_est values. +AT_CHECK([ovn-nbctl --sample-new=foo acl-add ls from-lport 4 1 allow-related], [1], [], [dnl +ovn-nbctl: invalid --sample-new: "foo" is not a valid UUID +]) + +AT_CHECK([ovn-nbctl --sample-est=bar acl-add ls from-lport 4 1 allow-related], [1], [], [dnl +ovn-nbctl: invalid --sample-est: "bar" is not a valid UUID +]) + +]) + +dnl --------------------------------------------------------------------- + AT_SETUP([ovn-nbctl - daemon retry connection]) OVN_NBCTL_TEST_START daemon pid=$(cat ovsdb-server.pid) diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index ebf02ef10a..6cc372b8a4 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -4609,7 +4609,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4633,7 +4633,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) } @@ -4676,7 +4676,7 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4697,7 +4697,7 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # LB with event=false and reject=false @@ -4726,23 +4726,23 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # Add new ACL without label @@ -4753,27 +4753,27 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) # Delete new ACL with label @@ -4790,7 +4790,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl @@ -4800,7 +4800,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP ]) @@ -4828,7 +4828,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AS_BOX([from-lport --apply-after-lb allow-related ACL]) @@ -4836,7 +4836,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AS_BOX([to-lport allow-related ACL]) @@ -4844,7 +4844,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; ]) AT_CLEANUP @@ -7680,7 +7680,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) @@ -7735,7 +7735,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) @@ -7790,7 +7790,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP @@ -8069,15 +8069,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8094,15 +8097,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8119,15 +8125,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8154,11 +8163,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8169,6 +8180,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8191,11 +8203,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8206,6 +8220,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8228,11 +8243,13 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) @@ -8243,6 +8260,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8266,6 +8284,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) @@ -8284,6 +8303,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) @@ -8310,6 +8330,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) @@ -8340,10 +8361,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8354,6 +8377,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8377,10 +8401,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8391,6 +8417,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8414,10 +8441,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) @@ -8428,6 +8457,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8453,6 +8483,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) @@ -8469,6 +8500,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) @@ -8495,6 +8527,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) @@ -8524,10 +8557,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8539,6 +8574,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8561,10 +8597,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) @@ -8576,6 +8614,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8598,10 +8637,12 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=??); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) @@ -8613,6 +8654,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) ]) @@ -8636,6 +8678,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) @@ -8652,6 +8695,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) @@ -8680,6 +8724,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=??(ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]] = 1; next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) @@ -9925,8 +9970,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 @@ -9940,8 +9987,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 @@ -9955,8 +10004,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) @@ -9968,8 +10019,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) check ovn-nbctl --wait=sb acl-del S1 @@ -9982,8 +10035,10 @@ AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | ovn_stri table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) ]) AT_CLEANUP @@ -12521,6 +12576,284 @@ AT_CHECK([ovn-sbctl lflow-list | grep ls_in_l2_unknown.*sample | ovn_strip_lflow AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL Sampling]) +AT_KEYWORDS([acl]) + +ovn_start + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=65535 set_id=200) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 00:00:00:00:00:01 \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 00:00:00:00:00:02 +check ovn-nbctl --wait=sb sync + +base_flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.2" +m4_define([TRACE_FILTER], [grep -e sample -e commit -e reg9 | grep -v _sample | sort]) + +AS_BOX([from-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); +]) + +AS_BOX([from-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AS_BOX([from-lport-after-lb ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ + --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); +]) + +AS_BOX([from-lport-after-lb ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AS_BOX([to-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); + sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); +]) + +AS_BOX([to-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ + --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); + sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg9 = 0; +]) + +AT_CLEANUP +]) + +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL Sampling - same collector set id, multiple probabilities]) +AT_KEYWORDS([acl]) + +ovn_start + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=10000 set_id=100) +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=20000 set_id=100) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 00:00:00:00:00:01 \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 00:00:00:00:00:02 + +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector2" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4303 -- \ + --id=@sample2 create Sample collector="$collector2" metadata=4304 -- \ + --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4305 -- \ + --id=@sample2 create Sample collector="$collector2" metadata=4306 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1" allow-related + +check_row_count nb:ACL 3 +check_row_count nb:Sample 6 +check ovn-nbctl --wait=sb sync + +AT_CHECK([ovn-sbctl lflow-list | grep probability | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4303), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4303); next;) + table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304); next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306); next;) + table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4305), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4305); next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306); next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304); next;) +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([NAT with match]) ovn_start diff --git a/tests/ovn.at b/tests/ovn.at index cee361188a..0f401ab96a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -329,6 +329,8 @@ ct.trk = ct_state[5] ct_label = NXM_NX_CT_LABEL ct_label.ecmp_reply_eth = ct_label[32..79] ct_label.label = ct_label[96..127] +ct_label.obs_point_id = ct_label[96..127] +ct_label.obs_unused = ct_label[0..95] ct_mark = NXM_NX_CT_MARK ct_mark.blocked = ct_mark[0] ct_mark.ecmp_reply_port = ct_mark[16..31] @@ -1355,6 +1357,11 @@ ct_commit(ct_label=18446744073709551615); ct_commit(ct_label=18446744073709551616); Syntax error at `(' expecting `;'. +# Observation domain and point id. +ct_commit { ct_label.obs_point_id = reg2; }; + encodes as ct(commit,zone=NXM_NX_REG13[[0..15]],exec(move:NXM_NX_XXREG0[[32..63]]->NXM_NX_CT_LABEL[[96..127]])) + has prereqs ip + ct_mark = 12345 Field ct_mark is not modifiable. ct_mark.blocked = 1/1 @@ -13405,7 +13412,7 @@ tpa=$(ip_to_hex 10 0 0 100) send_garp 1 000000000001 ffffffffffff $spa $tpa dnl traffic from localport should not be sent to localnet -AT_CHECK([tcpdump -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl +AT_CHECK([tcpdump -vnne -r hv1/br-phys_n1-tx.pcap arp[[24:4]]=0x0a000064 | wc -l],[0],[dnl 0 ],[ignore]) @@ -18565,7 +18572,7 @@ AT_CHECK([cat 2.packets], [0], [expout]) # There should be total of 9 flows present with conjunction action and 2 flows # with conj match. Eg. -# table=ls_out_acl_eval, priority=2001,conj_id=2,metadata=0x1 actions=resubmit(,ls_out_acl_action) +# table=ls_out_acl_eval, priority=2001,conj_id=2,metadata=0x1 actions=resubmit(,ls_out_acl_sample) # table=ls_out_acl_eval, priority=2001,conj_id=3,metadata=0x1 actions=drop # priority=2001,ip,metadata=0x1,nw_dst=10.0.0.6 actions=conjunction(2,2/2) # priority=2001,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(2,2/2) @@ -18856,7 +18863,7 @@ check ovn-nbctl --wait=hv sync # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample) ovn-sbctl dump-flows > sbflows AT_CAPTURE_FILE([sbflows]) @@ -18924,11 +18931,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) @@ -18969,11 +18976,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) @@ -18987,8 +18994,8 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction() @@ -19027,11 +19034,11 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) @@ -19048,16 +19055,16 @@ AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_st grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction() - table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction() table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() - table=$acl_eval, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) OVN_CLEANUP([hv1]) @@ -22081,7 +22088,7 @@ check_virtual_offlows_present() { lr0_public_dp_key=$(printf "%x" $(fetch_column Port_Binding tunnel_key logical_port=lr0-public)) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=$acl_eval,ip | ofctl_strip_all | grep "priority=2000"], [0], [dnl - table=$acl_eval, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_out_acl_action)) + table=$acl_eval, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_out_acl_sample)) ]) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=$ip_input | ofctl_strip_all | \ @@ -32529,7 +32536,7 @@ ovs-ofctl dump-flows br-int table=$acl_eval | grep "reg14=0x${rtr_port_key},meta # 42.42.42.42 coming from the router port. AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42"], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_in_acl_action)) + table=$acl_eval, priority=1001,ip,reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_in_acl_sample)) ]) OVN_CLEANUP([hv1]) @@ -34386,8 +34393,8 @@ check ovn-nbctl set nb_global . options:use_common_zone="true" check ovn-nbctl --wait=hv sync # Use constants so that if tables or registers change, this test can # be updated easily. -DNAT_TABLE=16 -SNAT_TABLE=45 +DNAT_TABLE=$(ovn-debug lflow-stage-to-oftable lr_in_dnat) +SNAT_TABLE=$(ovn-debug lflow-stage-to-oftable lr_out_snat) DNAT_ZONE_REG="NXM_NX_REG11[[0..15]]" SNAT_ZONE_REG="NXM_NX_REG12[[0..15]]" @@ -35528,7 +35535,7 @@ ovn-nbctl --wait=hv sync # Get the OF table numbers acl_eval=$(ovn-debug lflow-stage-to-oftable ls_in_acl_eval) -acl_action=$(ovn-debug lflow-stage-to-oftable ls_in_acl_action) +acl_sample=$(ovn-debug lflow-stage-to-oftable ls_in_acl_sample) dnl Ensure the ACL is not translated to OpenFlow. as hv1 @@ -35543,14 +35550,14 @@ lsp2=0x$(fetch_column Port_Binding tunnel_key logical_port=lsp2) dnl Ensure the ACL is translated to OpenFlows expanding pg1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove a port from pg1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv pg-set-ports pg1 lsp2 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Change the Chassis_Template_Var mapping to use the address set. @@ -35559,14 +35566,14 @@ check ovn-nbctl --wait=hv set Chassis_Template_Var hv1 variables:CONDITION='ip4. dnl Ensure the ACL is translated to OpenFlows expanding as1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove an IP from AS1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv set address_set as1 addresses=\"1.1.1.1\" AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_sample) ]) dnl Remove the mapping and expect OpenFlows to be removed. diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index 691c271a3a..c595561734 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at @@ -237,6 +237,17 @@ m4_define([STRIP_MONITOR_CSUM], [grep "csum:" | sed 's/csum:.*/csum: /']) m4_define([FORMAT_CT], [[grep -F "dst=$1," | sed -e 's/port=[0-9]*/port=/g' -e 's/id=[0-9]*/id=/g' -e 's/state=[0-9_A-Z]*/state=/g' | sort | uniq]]) +# DAEMONIZE([command], [pidfile]) +# +# Run 'command' as a background process and record its pid to 'pidfile' to +# allow cleanup on exit. +# +m4_define([DAEMONIZE], + [$1 & echo $! > $2 + echo "kill \`cat $2\`" >> cleanup + ] +) + # NETNS_DAEMONIZE([namespace], [command], [pidfile]) # # Run 'command' as a background process within 'namespace' and record its pid diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 7770d58dc3..ef9652f02a 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -13050,3 +13050,468 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d /connection dropped.*/d"]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- ACL Sampling]) +AT_SKIP_IF([test $HAVE_NFCAPD = no]) +AT_SKIP_IF([test $HAVE_NFDUMP = no]) +AT_KEYWORDS([ACL]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +dnl Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +dnl Start ovn-controller +start_daemon ovn-controller + +dnl Logical network: +dnl 1 logical switch connetected to one logical router +dnl 6 UDP load balancers (ports 1000, 1010, 2000, 2010, 3000, 3010) +dnl 2 VIFs + +check ovn-nbctl \ + -- lr-add rtr \ + -- lrp-add rtr rtr-ls 00:00:00:00:01:00 42.42.42.1/24 \ + -- ls-add ls \ + -- lsp-add ls ls-rtr \ + -- lsp-set-addresses ls-rtr 00:00:00:00:01:00 \ + -- lsp-set-type ls-rtr router \ + -- lsp-set-options ls-rtr router-port=rtr-ls \ + -- lsp-add ls vm1 -- lsp-set-addresses vm1 00:00:00:00:00:01 \ + -- lsp-add ls vm2 -- lsp-set-addresses vm2 00:00:00:00:00:02 \ + -- lb-add lb1 43.43.43.43:1000 42.42.42.3:1000 udp \ + -- lb-add lb2 43.43.43.43:1010 42.42.42.3:1010 udp \ + -- lb-add lb3 43.43.43.43:2000 42.42.42.3:2000 udp \ + -- lb-add lb4 43.43.43.43:2010 42.42.42.3:2010 udp \ + -- lb-add lb5 43.43.43.43:3000 42.42.42.3:3000 udp \ + -- lb-add lb6 43.43.43.43:3010 42.42.42.3:3010 udp \ + -- ls-lb-add ls lb1 \ + -- ls-lb-add ls lb2 \ + -- ls-lb-add ls lb3 \ + -- ls-lb-add ls lb4 \ + -- ls-lb-add ls lb5 \ + -- ls-lb-add ls lb6 + +ADD_NAMESPACES(vm1) +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", "00:00:00:00:00:01", "42.42.42.1") + +ADD_NAMESPACES(vm2) +ADD_VETH(vm2, vm2, br-int, "42.42.42.3/24", "00:00:00:00:00:02", "42.42.42.1") + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=65535 set_id=200) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +dnl Create ACLs that match the 3 types of traffic in all 3 possible stages: +dnl from-lport, from-lport-after-lb, to-lport. +ovn-nbctl \ + -- --id=@sample_in_1c_new create Sample collector="$collector1" metadata=1001 \ + -- --id=@sample_in_1c_est create Sample collector="$collector1" metadata=1002 \ + -- --sample-new=@sample_in_1c_new --sample-est=@sample_in_1c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + allow-related +ovn-nbctl \ + -- --id=@sample_in_2c_new create Sample collector="$collector1 $collector2" metadata=1011 \ + -- --id=@sample_in_2c_est create Sample collector="$collector1 $collector2" metadata=1012 \ + -- --sample-new=@sample_in_2c_new --sample-est=@sample_in_2c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1010" \ + allow-related + +ovn-nbctl \ + -- --id=@sample_in_lb_1c_new create Sample collector="$collector1" metadata=2001 \ + -- --id=@sample_in_lb_1c_est create Sample collector="$collector1" metadata=2002 \ + -- --apply-after-lb --sample-new=@sample_in_lb_1c_new \ + --sample-est=@sample_in_lb_1c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 2000" \ + allow-related +ovn-nbctl \ + -- --id=@sample_in_lb_2c_new create Sample collector="$collector1 $collector2" metadata=2011 \ + -- --id=@sample_in_lb_2c_est create Sample collector="$collector1 $collector2" metadata=2012 \ + -- --apply-after-lb --sample-new=@sample_in_lb_2c_new --sample-est=@sample_in_lb_2c_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 2010" \ + allow-related + +ovn-nbctl \ + -- --id=@sample_out_1c_new create Sample collector="$collector1" metadata=3001 \ + -- --id=@sample_out_1c_est create Sample collector="$collector1" metadata=3002 \ + -- --sample-new=@sample_out_1c_new --sample-est=@sample_out_1c_est \ + acl-add ls to-lport 1 "outport == \"vm2\" && udp.dst == 3000" \ + allow-related +ovn-nbctl \ + -- --id=@sample_out_2c_new create Sample collector="$collector1 $collector2" metadata=3011 \ + -- --id=@sample_out_2c_est create Sample collector="$collector1 $collector2" metadata=3012 \ + -- --sample-new=@sample_out_2c_new --sample-est=@sample_out_2c_est \ + acl-add ls to-lport 1 "outport == \"vm2\" && udp.dst == 3010" \ + allow-related + +check_row_count nb:ACL 6 +check_row_count nb:Sample 12 + +dnl Wait for ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +dnl Start an IPFIX collector. +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err], [collector.pid]) + +dnl Wait for the collector to be up. +OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' collector.err]) + +dnl Configure the OVS flow sample collector. +ovs-vsctl --id=@br get Bridge br-int \ + -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \ + -- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br ipfix=@ipfix + +dnl And wait for it to be up and running. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '1 ids']) + +dnl Start UDP echo server on vm2. +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1000], [nc-vm2-1000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1010], [nc-vm2-1010.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 2000], [nc-vm2-2000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 2010], [nc-vm2-2010.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 3000], [nc-vm2-3000.pid]) +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 3010], [nc-vm2-3010.pid]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 1000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 1010]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport after-lb ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 2000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 2010]) + +dnl Send traffic (2 packets) to the UDP LB1 (hits the from-lport ACL). +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 3000]) +NS_CHECK_EXEC([vm1], [(echo a; sleep 1; echo a) | nc --send-only -u 43.43.43.43 3010]) + +dnl Wait until OVS sampled all expected packets (4 data packets + 1 ICMP +dnl port unreachable error on each session). +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q 'sampled pkts=30']) + +dnl Check the IPFIX samples. +kill $(cat collector.pid) +OVS_WAIT_WHILE([kill -0 $(cat collector.pid) 2>/dev/null]) + +dnl Can't match on observation domain ID due to the followig fix not being +dnl available in any released version of nfdump: +dnl https://github.com/phaag/nfdump/issues/544 +dnl +dnl Only match on the point ID. +dnl +dnl Expect for each ACL: +dnl - one sample for new packets +dnl - four samples for established packets (3 data + one icmp error) +AT_CHECK([for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observationPointID | awk '{$1=$1;print}' | sort], [0], [dnl +"observationPointID" : 1001, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1002, +"observationPointID" : 1011, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 1012, +"observationPointID" : 2001, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2002, +"observationPointID" : 2011, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 2012, +"observationPointID" : 3001, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3002, +"observationPointID" : 3011, +"observationPointID" : 3012, +"observationPointID" : 3012, +"observationPointID" : 3012, +"observationPointID" : 3012, +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + +AT_CLEANUP +]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- Tiered ACL Sampling]) +AT_SKIP_IF([test $HAVE_NFCAPD = no]) +AT_SKIP_IF([test $HAVE_NFDUMP = no]) +AT_KEYWORDS([ACL]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +dnl Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +dnl Start ovn-controller +start_daemon ovn-controller + +dnl Logical network: +dnl 1 logical switch +dnl 2 VIFs + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls vm1 -- lsp-set-addresses vm1 00:00:00:00:00:01 \ + -- lsp-add ls vm2 -- lsp-set-addresses vm2 00:00:00:00:00:02 +ADD_NAMESPACES(vm1) +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", "00:00:00:00:00:01", "42.42.42.1") + +ADD_NAMESPACES(vm2) +ADD_VETH(vm2, vm2, br-int, "42.42.42.3/24", "00:00:00:00:00:02", "42.42.42.1") + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +check_row_count nb:Sample_Collector 1 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +dnl Create two tiers of ACLs. +ovn-nbctl \ + -- --id=@sample_1_new create Sample collector="$collector1" metadata=1001 \ + -- --id=@sample_1_est create Sample collector="$collector1" metadata=1002 \ + -- --tier=0 --sample-new=@sample_1_new --sample-est=@sample_1_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + pass + +ovn-nbctl \ + -- --id=@sample_2_new create Sample collector="$collector1" metadata=2001 \ + -- --id=@sample_2_est create Sample collector="$collector1" metadata=2002 \ + -- --tier=1 --sample-new=@sample_2_new --sample-est=@sample_2_est \ + acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \ + allow-related + +check_row_count nb:ACL 2 +check_row_count nb:Sample 4 + +dnl Wait for ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +dnl Start an IPFIX collector. +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err], [collector.pid]) + +dnl Wait for the collector to be up. +OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' collector.err]) + +dnl Configure the OVS flow sample collector. +ovs-vsctl --id=@br get Bridge br-int \ + -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \ + -- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br ipfix=@ipfix + +dnl And wait for it to be up and running. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '1 ids']) + +dnl Start UDP echo server on vm2. +NETNS_DAEMONIZE([vm2], [nc -e /bin/cat -k -u -v -l 1000], [nc-vm2-1000.pid]) + +dnl Send traffic to the UDP server (hits both ACL tiers). +NS_CHECK_EXEC([vm1], [echo a | nc --send-only -u 42.42.42.3 1000]) + +dnl Wait until OVS sampled all expected packets: +dnl - first packet sampled by both tiers +dnl - reply packet sampled by last tier (established session) +dnl - related ICMP port unreachable error sampled by last tier (established session) +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q 'sampled pkts=4']) + +dnl Check the IPFIX samples. +kill $(cat collector.pid) +OVS_WAIT_WHILE([kill -0 $(cat collector.pid) 2>/dev/null]) + +dnl Can't match on observation domain ID due to the followig fix not being +dnl available in any released version of nfdump: +dnl https://github.com/phaag/nfdump/issues/544 +dnl +dnl Only match on the point ID. +AT_CHECK([for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observationPointID | awk '{$1=$1;print}' | sort], [0], [dnl +"observationPointID" : 1001, +"observationPointID" : 2001, +"observationPointID" : 2002, +"observationPointID" : 2002, +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + +AT_CLEANUP +]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- ACL Sampling - Stateful ACL - to-lport router port]) +AT_SKIP_IF([test $HAVE_NFCAPD = no]) +AT_SKIP_IF([test $HAVE_NFDUMP = no]) +AT_KEYWORDS([ACL]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +dnl Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +dnl Start ovn-controller +start_daemon ovn-controller + +dnl Logical network: +dnl 1 router +dnl 1 logical switch +dnl 1 VIF + +check ovn-nbctl \ + -- lr-add lr \ + -- lrp-add lr lrp1 00:00:00:00:01:00 42.42.42.1/24 \ + -- ls-add ls \ + -- lsp-add ls vm1 \ + -- lsp-set-addresses vm1 00:00:00:00:00:01 \ + -- lsp-add ls ls-lr \ + -- lsp-set-type ls-lr router \ + -- lsp-set-options ls-lr router-port=lrp1 \ + -- lsp-set-addresses ls-lr router +check ovn-nbctl --wait=sb sync + +ADD_NAMESPACES(vm1) +ADD_VETH(vm1, vm1, br-int, "42.42.42.2/24", "00:00:00:00:00:01", "42.42.42.1") + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2 probability=65535 set_id=200) +check_row_count nb:Sample_Collector 2 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +check_row_count nb:Sampling_App 1 + +dnl Create three ACLs: +dnl - one from-lport, stateful, allowing all traffic +dnl - one to-lport, dropping all traffic to 1.1.1.1 (single collector) +dnl - one to-lport, dropping all traffic to 1.1.1.2 (two collectors) +ovn-nbctl \ + -- --id=@sample1 create Sample collector="$collector1" metadata=1001 \ + -- --id=@sample2 create Sample collector="$collector1" metadata=1002 \ + -- --id=@sample3 create Sample collector="$collector1 $collector2" metadata=1003 \ + -- --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related \ + -- --sample-new=@sample2 acl-add ls to-lport 1 "ip4.dst == 1.1.1.1" drop \ + -- --sample-new=@sample3 acl-add ls to-lport 1 "ip4.dst == 1.1.1.2" drop + +check_row_count nb:ACL 3 +check_row_count nb:Sample 3 + +dnl Wait for ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +dnl Start an IPFIX collector. +DAEMONIZE([nfcapd -B 1024000 -w . -p 4242 2> collector.err], [collector.pid]) + +dnl Wait for the collector to be up. +OVS_WAIT_UNTIL([grep -q 'Startup nfcapd.' collector.err]) + +dnl Configure the OVS flow sample collector. +ovs-vsctl --id=@br get Bridge br-int \ + -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\" template_interval=1 \ + -- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br ipfix=@ipfix + +dnl And wait for it to be up and running. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q '1 ids']) + +NS_CHECK_EXEC([vm1], [ping -c 1 1.1.1.1], [1], [ignore], [ignore]) +NS_CHECK_EXEC([vm1], [ping -c 1 1.1.1.2], [1], [ignore], [ignore]) + +dnl Wait until OVS sampled the two ICMP packet on two ACLs. +OVS_WAIT_UNTIL([ovs-ofctl dump-ipfix-flow br-int | grep -q 'sampled pkts=4']) + +dnl Check the IPFIX samples. +kill $(cat collector.pid) +OVS_WAIT_WHILE([kill -0 $(cat collector.pid) 2>/dev/null]) + +dnl Can't match on observation domain ID due to the followig fix not being +dnl available in any released version of nfdump: +dnl https://github.com/phaag/nfdump/issues/544 +dnl +dnl Only match on the point ID. +AT_CHECK([for f in $(ls -1 nfcapd.*); do nfdump -o json -r $f; done | grep observationPointID | awk '{$1=$1;print}' | sort], [0], [dnl +"observationPointID" : 1001, +"observationPointID" : 1001, +"observationPointID" : 1002, +"observationPointID" : 1003, +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + +AT_CLEANUP +]) diff --git a/utilities/containers/fedora/Dockerfile b/utilities/containers/fedora/Dockerfile index 078180cff3..4dce1e32b4 100755 --- a/utilities/containers/fedora/Dockerfile +++ b/utilities/containers/fedora/Dockerfile @@ -27,6 +27,7 @@ RUN dnf -y update \ libcap-ng-devel \ libtool \ net-tools \ + nfdump \ ninja-build \ nmap-ncat \ numactl-devel \ diff --git a/utilities/containers/ubuntu/Dockerfile b/utilities/containers/ubuntu/Dockerfile index 7cf0751225..073afa8764 100755 --- a/utilities/containers/ubuntu/Dockerfile +++ b/utilities/containers/ubuntu/Dockerfile @@ -33,6 +33,7 @@ RUN apt update -y \ llvm-dev \ ncat \ net-tools \ + nfdump \ ninja-build \ python3-dev \ python3-pip \ diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml index e2657ca02c..e1e5b681e1 100644 --- a/utilities/ovn-nbctl.8.xml +++ b/utilities/ovn-nbctl.8.xml @@ -399,7 +399,7 @@ must be either switch or port-group.

-
[--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--may-exist] [--apply-after-lb] [--tier] acl-add entity direction priority match verdict
+
[--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--sample-new=sample] [--sample-est=sample] [--may-exist] [--apply-after-lb] [--tier] acl-add entity direction priority match verdict

Adds the specified ACL to entity. direction @@ -424,6 +424,12 @@ names a meter configured by meter-add.

+

+ The --sample-new (and optionally + --sample-est) enable ACL sampling. A valid uuid of a + row of the table must be provided. +

+

The --apply-after-lb option sets apply-after-lb=true in the options column diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 679d3f2d93..d45be75c78 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2318,6 +2318,11 @@ nbctl_pre_acl(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_match); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_tier); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_new); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_est); + + ovsdb_idl_add_table(ctx->idl, &nbrec_table_sample_collector); + ovsdb_idl_add_table(ctx->idl, &nbrec_table_sample); } static void @@ -2331,6 +2336,8 @@ nbctl_pre_acl_list(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_severity); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_meter); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_label); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_new); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_sample_est); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); } @@ -2382,6 +2389,8 @@ nbctl_acl_add(struct ctl_context *ctx) const char *severity = shash_find_data(&ctx->options, "--severity"); const char *name = shash_find_data(&ctx->options, "--name"); const char *meter = shash_find_data(&ctx->options, "--meter"); + const char *sample_new = shash_find_data(&ctx->options, "--sample-new"); + const char *sample_est = shash_find_data(&ctx->options, "--sample-est"); if (log || severity || name || meter) { nbrec_acl_set_log(acl, true); } @@ -2399,6 +2408,30 @@ nbctl_acl_add(struct ctl_context *ctx) nbrec_acl_set_meter(acl, meter); } + if (sample_new) { + char *sample_setting = xasprintf("sample_new=%s", sample_new); + error = ctl_set_column("ACL", &acl->header_, sample_setting, + ctx->symtab); + free(sample_setting); + if (error) { + ctl_error(ctx, "invalid --sample-new: %s", error); + free(error); + return; + } + } + + if (sample_est) { + char *sample_setting = xasprintf("sample_est=%s", sample_est); + error = ctl_set_column("ACL", &acl->header_, sample_setting, + ctx->symtab); + free(sample_setting); + if (error) { + ctl_error(ctx, "invalid --sample-est: %s", error); + free(error); + return; + } + } + /* Set the ACL label */ const char *label = shash_find_data(&ctx->options, "--label"); if (label) { @@ -7925,7 +7958,7 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", nbctl_pre_acl, nbctl_acl_add, NULL, "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=," - "--apply-after-lb,--tier=", RW }, + "--apply-after-lb,--tier=,--sample-new=,--sample-est=", RW }, { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", nbctl_pre_acl, nbctl_acl_del, NULL, "--type=,--tier=", RW }, { "acl-list", 1, 1, "{SWITCH | PORTGROUP}", From patchwork Wed Aug 7 06:51:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969843 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=e/yKJUIM; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf18P50r5z1yfC for ; Wed, 7 Aug 2024 16:52:53 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 693C440ADD; Wed, 7 Aug 2024 06:52:51 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id isgRR2J_4Dnz; Wed, 7 Aug 2024 06:52:49 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.9.56; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 5F5A040B1B Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=e/yKJUIM Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id 5F5A040B1B; Wed, 7 Aug 2024 06:52:49 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 34F56C0033; Wed, 7 Aug 2024 06:52:49 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 26B70C0033 for ; Wed, 7 Aug 2024 06:52:48 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 465F060630 for ; Wed, 7 Aug 2024 06:52:17 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id 5ANEFG3tvNf4 for ; Wed, 7 Aug 2024 06:52:14 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org B664D6089E Authentication-Results: smtp3.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org B664D6089E Authentication-Results: smtp3.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=e/yKJUIM Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp3.osuosl.org (Postfix) with ESMTPS id B664D6089E for ; Wed, 7 Aug 2024 06:52:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013528; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PDuy0mUtdQ2EyYK0U/CzcAucvJDjHrC3Ww3opQ+54nA=; b=e/yKJUIMqlnbeTXO8ubJxqrRZ19kgbOL3xQaj3j/7bco7in9zzfsI91gPz3+twgqutY5a1 ANc+RSDGMswjxTrpIqJvDW/2oENl1nG0tv3HBMjjXIXhAinsbebh9fnfhqkaSbt/gBOm0M ThWzVqho6z/F362u/hPpYdbOJTqkYzU= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-668-TBAsJnXePJm_gUVyo73c_A-1; Wed, 07 Aug 2024 02:52:05 -0400 X-MC-Unique: TBAsJnXePJm_gUVyo73c_A-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 5600D195609E; Wed, 7 Aug 2024 06:52:04 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id B352519560A3; Wed, 7 Aug 2024 06:52:01 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:23 +0200 Message-ID: <20240807065126.38132-7-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 6/9] features: Make querying of OpenFlow features more versatile. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Up until now we were interested only in two OpenFlow features, meters and groups. The current system of querying worked, however it wasn't very versatile, and it would be hard to query more features, make the system more extensible instead. Acked-by: Mark Michelson Signed-off-by: Ales Musil --- V7: - Added Mark's ack. V6: - Removed Dumitru's ack. V5: - Address Ilya's comment: - Rename OVS_DP_GROUP_SUPPORT to OVS_OF_GROUP_SUPPORT - Added Dumitru's ack --- include/ovn/features.h | 2 + lib/features.c | 269 +++++++++++++++++++++++++++++------------ 2 files changed, 196 insertions(+), 75 deletions(-) diff --git a/include/ovn/features.h b/include/ovn/features.h index d7bceb62c4..97669410af 100644 --- a/include/ovn/features.h +++ b/include/ovn/features.h @@ -38,6 +38,7 @@ enum ovs_feature_support_bits { OVS_DP_METER_SUPPORT_BIT, OVS_CT_TUPLE_FLUSH_BIT, OVS_DP_HASH_L4_SYM_BIT, + OVS_OF_GROUP_SUPPORT_BIT, }; enum ovs_feature_value { @@ -45,6 +46,7 @@ enum ovs_feature_value { OVS_DP_METER_SUPPORT = (1 << OVS_DP_METER_SUPPORT_BIT), OVS_CT_TUPLE_FLUSH_SUPPORT = (1 << OVS_CT_TUPLE_FLUSH_BIT), OVS_DP_HASH_L4_SYM_SUPPORT = (1 << OVS_DP_HASH_L4_SYM_BIT), + OVS_OF_GROUP_SUPPORT = (1 << OVS_OF_GROUP_SUPPORT_BIT), }; void ovs_feature_support_destroy(void); diff --git a/lib/features.c b/lib/features.c index 607e4bd313..d3591d6410 100644 --- a/lib/features.c +++ b/lib/features.c @@ -28,6 +28,7 @@ #include "openvswitch/ofp-msgs.h" #include "openvswitch/ofp-meter.h" #include "openvswitch/ofp-group.h" +#include "openvswitch/ofp-print.h" #include "openvswitch/ofp-util.h" #include "openvswitch/rconn.h" #include "ovn/features.h" @@ -47,6 +48,18 @@ struct ovs_feature { ovs_feature_parse_func *parse; }; +struct ovs_openflow_feature { + enum ovs_feature_value value; + const char *name; + bool queued; + ovs_be32 xid; + ovs_be32 barrier_xid; + void (*send_request)(struct ovs_openflow_feature *feature); + bool (*handle_response)(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh); + bool (*handle_barrier)(struct ovs_openflow_feature *feature); +}; + static bool bool_parser(const struct smap *ovs_capabilities, const char *cap_name) { @@ -83,24 +96,172 @@ static struct ovs_feature all_ovs_features[] = { /* A bitmap of OVS features that have been detected as 'supported'. */ static uint32_t supported_ovs_features; -/* Last set of received feature replies. */ -static struct ofputil_meter_features ovs_meter_features_reply; -static struct ofputil_group_features ovs_group_features_reply; /* Currently discovered set of features. */ static struct ofputil_meter_features ovs_meter_features; static struct ofputil_group_features ovs_group_features; -/* Number of features replies still expected to receive for the requests - * we sent already. */ -static uint32_t n_features_reply_expected; - -static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 5); +static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 10); /* ovs-vswitchd connection. */ static struct rconn *swconn; static uint32_t conn_seq_no; +static void +log_unexpected_reply(struct ovs_openflow_feature *feature, + const struct ofp_header *oh) +{ + if (VLOG_IS_WARN_ENABLED()) { + char *s = ofp_to_string(oh, ntohs(oh->length), NULL, NULL, 2); + VLOG_WARN_RL(&rl, "OVS Feature: %s, unexpected reply: %s", + feature->name, s); + free(s); + } +} + +static bool +default_barrier_response_handle(struct ovs_openflow_feature *feature) +{ + VLOG_WARN_RL(&rl, "OVS Feature: %s, didn't receive any reply", + feature->name); + return supported_ovs_features & feature->value; +} + +static void +meter_features_send_request(struct ovs_openflow_feature *feature) +{ + struct ofpbuf *msg = ofpraw_alloc(OFPRAW_OFPST13_METER_FEATURES_REQUEST, + rconn_get_version(swconn), 0); + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); +} + +static bool +meter_features_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_METER_FEATURES_STATS_REPLY) { + log_unexpected_reply(feature, oh); + return supported_ovs_features & feature->value; + } + + struct ofputil_meter_features features; + ofputil_decode_meter_features(oh, &features); + + if (memcmp(&ovs_meter_features, &features, sizeof features)) { + ovs_meter_features = features; + return ovs_meter_features.max_meters; + } + + return supported_ovs_features & feature->value; +} + +static void +group_features_send_request(struct ovs_openflow_feature *feature) +{ + struct ofpbuf *msg = + ofputil_encode_group_features_request(rconn_get_version(swconn)); + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); +} + +static bool +group_features_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_GROUP_FEATURES_STATS_REPLY) { + log_unexpected_reply(feature, oh); + return supported_ovs_features & feature->value; + } + + struct ofputil_group_features features; + ofputil_decode_group_features_reply(oh, &features); + + if (memcmp(&ovs_group_features, &features, sizeof features)) { + ovs_group_features = features; + return ovs_group_features.max_groups[OFPGT11_SELECT]; + } + + return supported_ovs_features & feature->value; +} + +static struct ovs_openflow_feature all_openflow_features[] = { + { + .value = OVS_DP_METER_SUPPORT, + .name = "meter_support", + .send_request = meter_features_send_request, + .handle_response = meter_features_handle_response, + .handle_barrier = default_barrier_response_handle, + }, + { + .value = OVS_OF_GROUP_SUPPORT, + .name = "group_support", + .send_request = group_features_send_request, + .handle_response = group_features_handle_response, + .handle_barrier = default_barrier_response_handle, + } +}; + +static bool +handle_feature_state_update(bool new_state, enum ovs_feature_value value, + const char *name) +{ + bool updated = false; + + bool old_state = supported_ovs_features & value; + if (new_state != old_state) { + updated = true; + if (new_state) { + supported_ovs_features |= value; + } else { + supported_ovs_features &= ~value; + } + VLOG_INFO_RL(&rl, "OVS Feature: %s, state: %s", name, + new_state ? "supported" : "not supported"); + } + + return updated; +} + +static bool +features_handle_rconn_msg(struct ofpbuf *msg) +{ + const struct ofp_header *oh = msg->data; + + enum ofptype type; + ofptype_decode(&type, oh); + + if (type == OFPTYPE_ECHO_REQUEST) { + rconn_send(swconn, ofputil_encode_echo_reply(oh), NULL); + return false; + } + + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + + bool new_state; + if (feature->queued && feature->xid == oh->xid) { + new_state = feature->handle_response(feature, type, oh); + } else if (feature->queued && feature->barrier_xid == oh->xid) { + new_state = feature->handle_barrier(feature); + } else { + continue; + } + + feature->queued = false; + return handle_feature_state_update(new_state, feature->value, + feature->name); + } + + if (VLOG_IS_DBG_ENABLED()) { + char *s = ofp_to_string(oh, ntohs(oh->length), NULL, NULL, 2); + VLOG_DBG_RL(&rl, "OpenFlow packet ignored: %s", s); + free(s); + } + + return false; +} + static bool ovs_feature_is_valid(enum ovs_feature_value feature) { @@ -109,6 +270,7 @@ ovs_feature_is_valid(enum ovs_feature_value feature) case OVS_DP_METER_SUPPORT: case OVS_CT_TUPLE_FLUSH_SUPPORT: case OVS_DP_HASH_L4_SYM_SUPPORT: + case OVS_OF_GROUP_SUPPORT: return true; default: return false; @@ -126,8 +288,6 @@ ovs_feature_is_supported(enum ovs_feature_value feature) static bool ovs_feature_get_openflow_cap(void) { - struct ofpbuf *msg; - rconn_run(swconn); if (!rconn_is_connected(swconn)) { rconn_run_wait(swconn); @@ -137,67 +297,33 @@ ovs_feature_get_openflow_cap(void) /* send new requests just after reconnect. */ if (conn_seq_no != rconn_get_connection_seqno(swconn)) { - n_features_reply_expected = 0; - - /* Dump OpenFlow switch meter capabilities. */ - msg = ofpraw_alloc(OFPRAW_OFPST13_METER_FEATURES_REQUEST, - rconn_get_version(swconn), 0); - rconn_send(swconn, msg, NULL); - n_features_reply_expected++; - /* Dump OpenFlow switch group capabilities. */ - msg = ofputil_encode_group_features_request(rconn_get_version(swconn)); - rconn_send(swconn, msg, NULL); - n_features_reply_expected++; + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + + feature->queued = true; + feature->send_request(feature); + + struct ofpbuf *msg = + ofputil_encode_barrier_request(rconn_get_version(swconn)); + feature->barrier_xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); + } } conn_seq_no = rconn_get_connection_seqno(swconn); bool ret = false; for (int i = 0; i < 50; i++) { - msg = rconn_recv(swconn); + struct ofpbuf *msg = rconn_recv(swconn); if (!msg) { break; } - const struct ofp_header *oh = msg->data; - enum ofptype type; - ofptype_decode(&type, oh); - - if (type == OFPTYPE_METER_FEATURES_STATS_REPLY) { - ofputil_decode_meter_features(oh, &ovs_meter_features_reply); - ovs_assert(n_features_reply_expected); - n_features_reply_expected--; - } else if (type == OFPTYPE_GROUP_FEATURES_STATS_REPLY) { - ofputil_decode_group_features_reply(oh, &ovs_group_features_reply); - ovs_assert(n_features_reply_expected); - n_features_reply_expected--; - } else if (type == OFPTYPE_ECHO_REQUEST) { - rconn_send(swconn, ofputil_encode_echo_reply(oh), NULL); - } + ret |= features_handle_rconn_msg(msg); ofpbuf_delete(msg); } rconn_run_wait(swconn); rconn_recv_wait(swconn); - /* If all feature replies were received, update the set of supported - * features. */ - if (!n_features_reply_expected) { - if (memcmp(&ovs_meter_features, &ovs_meter_features_reply, - sizeof ovs_meter_features_reply)) { - ovs_meter_features = ovs_meter_features_reply; - if (ovs_meter_features.max_meters) { - supported_ovs_features |= OVS_DP_METER_SUPPORT; - } else { - supported_ovs_features &= ~OVS_DP_METER_SUPPORT; - } - ret = true; - } - if (memcmp(&ovs_group_features, &ovs_group_features_reply, - sizeof ovs_group_features_reply)) { - ovs_group_features = ovs_group_features_reply; - ret = true; - } - } - return ret; } @@ -214,7 +340,6 @@ ovs_feature_support_run(const struct smap *ovs_capabilities, const char *conn_target, int probe_interval) { static struct smap empty_caps = SMAP_INITIALIZER(&empty_caps); - bool updated = false; if (!ovs_capabilities) { ovs_capabilities = &empty_caps; @@ -225,24 +350,13 @@ ovs_feature_support_run(const struct smap *ovs_capabilities, } ovn_update_swconn_at(swconn, conn_target, probe_interval, "features"); - if (ovs_feature_get_openflow_cap()) { - updated = true; - } + bool updated = ovs_feature_get_openflow_cap(); for (size_t i = 0; i < ARRAY_SIZE(all_ovs_features); i++) { struct ovs_feature *feature = &all_ovs_features[i]; - bool old_state = supported_ovs_features & feature->value; - bool new_state = feature->parse(ovs_capabilities, feature->name); - if (new_state != old_state) { - updated = true; - if (new_state) { - supported_ovs_features |= feature->value; - } else { - supported_ovs_features &= ~feature->value; - } - VLOG_INFO_RL(&rl, "OVS Feature: %s, state: %s", feature->name, - new_state ? "supported" : "not supported"); - } + bool new_value = feature->parse(ovs_capabilities, feature->name); + updated |= handle_feature_state_update(new_value, feature->value, + feature->name); } return updated; } @@ -252,8 +366,13 @@ ovs_feature_set_discovered(void) { /* The supported feature set has been discovered if we're connected * to OVS and it replied to all our feature request messages. */ - return swconn && rconn_is_connected(swconn) && - n_features_reply_expected == 0; + bool replied_to_all = false; + for (size_t i = 0; i < ARRAY_SIZE(all_openflow_features); i++) { + struct ovs_openflow_feature *feature = &all_openflow_features[i]; + replied_to_all |= !feature->queued; + } + + return swconn && rconn_is_connected(swconn) && replied_to_all; } /* Returns the number of meters the OVS datapath supports. */ From patchwork Wed Aug 7 06:51:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969841 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=TW2Hf3pC; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf1836N6xz1yfC for ; Wed, 7 Aug 2024 16:52:35 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id D0A6E405E3; Wed, 7 Aug 2024 06:52:33 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id goRgprzTbw1T; Wed, 7 Aug 2024 06:52:32 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.9.56; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 022C640AC4 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=TW2Hf3pC Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id 022C640AC4; Wed, 7 Aug 2024 06:52:32 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id D861CC002B; Wed, 7 Aug 2024 06:52:31 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 29138C002B for ; Wed, 7 Aug 2024 06:52:31 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id C39C78129F for ; Wed, 7 Aug 2024 06:52:12 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id SZEN6SsumrHO for ; Wed, 7 Aug 2024 06:52:11 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org A471A812AE Authentication-Results: smtp1.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org A471A812AE Authentication-Results: smtp1.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=TW2Hf3pC Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id A471A812AE for ; Wed, 7 Aug 2024 06:52:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013530; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0hBHIIEri7SeN0iOopo3HqVJH3KPsyzlW4iU3e/dUGE=; b=TW2Hf3pCmyqWgq/IG/MCzQiM7UhCKEMv2hgFDqcm5Q4xoNFHXKZTPGLscFDXL4wxwi0v0d Xt9EYI/mxtp/6T6dpwFxB80oarC4N+HVcpCQ2wxzrBISxLJUgX7v9Ck/5MEUbbNqWgf7Sg k0+mCv9YHdUPQ8YaOyEqc5XfPX/cfpY= Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-375-xt35nwBnPhSGqArlugaHsQ-1; Wed, 07 Aug 2024 02:52:08 -0400 X-MC-Unique: xt35nwBnPhSGqArlugaHsQ-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id F1CB71944B2D; Wed, 7 Aug 2024 06:52:07 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 4A11D19560A3; Wed, 7 Aug 2024 06:52:04 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:24 +0200 Message-ID: <20240807065126.38132-8-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 7/9] features: Add detection for sample with registers. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Add detection for sample action that allows to configure obs_domain_id and obs_point_id via registers. This feature is available only from OvS version 3.4. Acked-by: Mark Michelson Signed-off-by: Ales Musil --- V7: - Added Mark's ack. V5: - Addressed Ilya's comments: - Fixed SB chassis reconciliation. - Rename OVS_DP_SAMPLE_REG_SUPPORT to OVS_SAMPLE_REG_SUPPORT --- controller/chassis.c | 15 +++++++ include/ovn/features.h | 3 ++ lib/features.c | 91 +++++++++++++++++++++++++++++++++++++++ northd/en-global-config.c | 10 +++++ northd/en-global-config.h | 1 + 5 files changed, 120 insertions(+) diff --git a/controller/chassis.c b/controller/chassis.c index 4942ba281d..42a2894dce 100644 --- a/controller/chassis.c +++ b/controller/chassis.c @@ -67,6 +67,8 @@ struct ovs_chassis_cfg { struct ds iface_types; /* Is this chassis an interconnection gateway. */ bool is_interconn; + /* Does OVS support sampling with ids taken from registers? */ + bool sample_with_regs; }; static void @@ -338,6 +340,8 @@ chassis_parse_ovs_config(const struct ovsrec_open_vswitch_table *ovs_table, &ovs_cfg->iface_types); ovs_cfg->is_interconn = get_is_interconn(&cfg->external_ids, chassis_id); + ovs_cfg->sample_with_regs = + ovs_feature_is_supported(OVS_SAMPLE_REG_SUPPORT); return true; } @@ -372,6 +376,8 @@ chassis_build_other_config(const struct ovs_chassis_cfg *ovs_cfg, smap_replace(config, OVN_FEATURE_LS_DPG_COLUMN, "true"); smap_replace(config, OVN_FEATURE_CT_COMMIT_NAT_V2, "true"); smap_replace(config, OVN_FEATURE_CT_COMMIT_TO_ZONE, "true"); + smap_replace(config, OVN_FEATURE_SAMPLE_WITH_REGISTERS, + ovs_cfg->sample_with_regs ? "true" : "false"); } /* @@ -523,6 +529,14 @@ chassis_other_config_changed(const struct ovs_chassis_cfg *ovs_cfg, return true; } + bool chassis_sample_with_regs = + smap_get_bool(&chassis_rec->other_config, + OVN_FEATURE_SAMPLE_WITH_REGISTERS, + false); + if (chassis_sample_with_regs != ovs_cfg->sample_with_regs) { + return true; + } + return false; } @@ -656,6 +670,7 @@ update_supported_sset(struct sset *supported) sset_add(supported, OVN_FEATURE_LS_DPG_COLUMN); sset_add(supported, OVN_FEATURE_CT_COMMIT_NAT_V2); sset_add(supported, OVN_FEATURE_CT_COMMIT_TO_ZONE); + sset_add(supported, OVN_FEATURE_SAMPLE_WITH_REGISTERS); } static void diff --git a/include/ovn/features.h b/include/ovn/features.h index 97669410af..4275f75269 100644 --- a/include/ovn/features.h +++ b/include/ovn/features.h @@ -29,6 +29,7 @@ #define OVN_FEATURE_LS_DPG_COLUMN "ls-dpg-column" #define OVN_FEATURE_CT_COMMIT_NAT_V2 "ct-commit-nat-v2" #define OVN_FEATURE_CT_COMMIT_TO_ZONE "ct-commit-to-zone" +#define OVN_FEATURE_SAMPLE_WITH_REGISTERS "ovn-sample-with-registers" /* OVS datapath supported features. Based on availability OVN might generate * different types of openflows. @@ -39,6 +40,7 @@ enum ovs_feature_support_bits { OVS_CT_TUPLE_FLUSH_BIT, OVS_DP_HASH_L4_SYM_BIT, OVS_OF_GROUP_SUPPORT_BIT, + OVS_SAMPLE_REG_SUPPORT_BIT, }; enum ovs_feature_value { @@ -47,6 +49,7 @@ enum ovs_feature_value { OVS_CT_TUPLE_FLUSH_SUPPORT = (1 << OVS_CT_TUPLE_FLUSH_BIT), OVS_DP_HASH_L4_SYM_SUPPORT = (1 << OVS_DP_HASH_L4_SYM_BIT), OVS_OF_GROUP_SUPPORT = (1 << OVS_OF_GROUP_SUPPORT_BIT), + OVS_SAMPLE_REG_SUPPORT = (1 << OVS_SAMPLE_REG_SUPPORT_BIT), }; void ovs_feature_support_destroy(void); diff --git a/lib/features.c b/lib/features.c index d3591d6410..ab0327d516 100644 --- a/lib/features.c +++ b/lib/features.c @@ -25,6 +25,8 @@ #include "openvswitch/vlog.h" #include "openvswitch/ofpbuf.h" #include "openvswitch/rconn.h" +#include "openvswitch/ofp-actions.h" +#include "openvswitch/ofp-bundle.h" #include "openvswitch/ofp-msgs.h" #include "openvswitch/ofp-meter.h" #include "openvswitch/ofp-group.h" @@ -185,6 +187,87 @@ group_features_handle_response(struct ovs_openflow_feature *feature, return supported_ovs_features & feature->value; } +static void +sample_with_reg_send_request(struct ovs_openflow_feature *feature) +{ + struct ofputil_bundle_ctrl_msg ctrl = { + .bundle_id = 0, + .flags = OFPBF_ORDERED | OFPBF_ATOMIC, + .type = OFPBCT_OPEN_REQUEST, + }; + rconn_send(swconn, + ofputil_encode_bundle_ctrl_request(OFP15_VERSION, &ctrl), NULL); + + uint8_t actions_stub[64]; + struct ofpbuf actions; + ofpbuf_use_stub(&actions, actions_stub, sizeof(actions_stub)); + + struct mf_subfield subfield = { + .field = mf_from_id(MFF_REG0), + .n_bits = 32, + .ofs = 0 + }; + + struct ofpact_sample *sample = ofpact_put_SAMPLE(&actions); + sample->probability = UINT16_MAX; + sample->collector_set_id = 0; + sample->obs_domain_src = subfield; + sample->obs_point_src = subfield; + sample->sampling_port = OFPP_NONE; + + struct ofputil_flow_mod fm = { + .priority = 0, + .table_id = 0, + .ofpacts = actions.data, + .ofpacts_len = actions.size, + .command = OFPFC_ADD, + .new_cookie = htonll(0), + .buffer_id = UINT32_MAX, + .out_port = OFPP_ANY, + .out_group = OFPG_ANY, + }; + + struct match match; + match_init_catchall(&match); + minimatch_init(&fm.match, &match); + + struct ofpbuf *fm_msg = ofputil_encode_flow_mod(&fm, OFPUTIL_P_OF15_OXM); + + struct ofputil_bundle_add_msg bam = { + .bundle_id = ctrl.bundle_id, + .flags = ctrl.flags, + .msg = fm_msg->data, + }; + struct ofpbuf *msg = ofputil_encode_bundle_add(OFP15_VERSION, &bam); + + feature->xid = ((struct ofp_header *) msg->data)->xid; + rconn_send(swconn, msg, NULL); + + ctrl.type = OFPBCT_DISCARD_REQUEST; + rconn_send(swconn, + ofputil_encode_bundle_ctrl_request(OFP15_VERSION, &ctrl), NULL); + + minimatch_destroy(&fm.match); + ofpbuf_delete(fm_msg); +} + +static bool +sample_with_reg_handle_response(struct ovs_openflow_feature *feature, + enum ofptype type, const struct ofp_header *oh) +{ + if (type != OFPTYPE_ERROR) { + log_unexpected_reply(feature, oh); + } + + return false; +} + +static bool +sample_with_reg_handle_barrier(struct ovs_openflow_feature *feature OVS_UNUSED) +{ + return true; +} + static struct ovs_openflow_feature all_openflow_features[] = { { .value = OVS_DP_METER_SUPPORT, @@ -199,6 +282,13 @@ static struct ovs_openflow_feature all_openflow_features[] = { .send_request = group_features_send_request, .handle_response = group_features_handle_response, .handle_barrier = default_barrier_response_handle, + }, + { + .value = OVS_SAMPLE_REG_SUPPORT, + .name = "sample_action_with_registers", + .send_request = sample_with_reg_send_request, + .handle_response = sample_with_reg_handle_response, + .handle_barrier = sample_with_reg_handle_barrier, } }; @@ -271,6 +361,7 @@ ovs_feature_is_valid(enum ovs_feature_value feature) case OVS_CT_TUPLE_FLUSH_SUPPORT: case OVS_DP_HASH_L4_SYM_SUPPORT: case OVS_OF_GROUP_SUPPORT: + case OVS_SAMPLE_REG_SUPPORT: return true; default: return false; diff --git a/northd/en-global-config.c b/northd/en-global-config.c index d7607aa074..0ce7f83083 100644 --- a/northd/en-global-config.c +++ b/northd/en-global-config.c @@ -381,6 +381,7 @@ northd_enable_all_features(struct ed_type_global_config *data) .ls_dpg_column = true, .ct_commit_nat_v2 = true, .ct_commit_to_zone = true, + .sample_with_reg = true, }; } @@ -442,6 +443,15 @@ build_chassis_features(const struct sbrec_chassis_table *sbrec_chassis_table, chassis_features->ct_commit_to_zone) { chassis_features->ct_commit_to_zone = false; } + + bool sample_with_reg = + smap_get_bool(&chassis->other_config, + OVN_FEATURE_SAMPLE_WITH_REGISTERS, + false); + if (!sample_with_reg && + chassis_features->sample_with_reg) { + chassis_features->sample_with_reg = false; + } } } diff --git a/northd/en-global-config.h b/northd/en-global-config.h index 8a1c35fc8f..0cf34482af 100644 --- a/northd/en-global-config.h +++ b/northd/en-global-config.h @@ -19,6 +19,7 @@ struct chassis_features { bool ls_dpg_column; bool ct_commit_nat_v2; bool ct_commit_to_zone; + bool sample_with_reg; }; struct global_config_tracked_data { From patchwork Wed Aug 7 06:51:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969842 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=XAQBcv7s; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf18C1GZZz1yfC for ; Wed, 7 Aug 2024 16:52:43 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id ADA02812DA; Wed, 7 Aug 2024 06:52:41 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id EGnVRHro-Oda; Wed, 7 Aug 2024 06:52:38 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.9.56; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org BCB6E812B5 Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=XAQBcv7s Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp1.osuosl.org (Postfix) with ESMTPS id BCB6E812B5; Wed, 7 Aug 2024 06:52:38 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 9049AC002B; Wed, 7 Aug 2024 06:52:38 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 34CD6C002A for ; Wed, 7 Aug 2024 06:52:37 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id AEEDF812B5 for ; Wed, 7 Aug 2024 06:52:16 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id 0KVs0ZNSeq69 for ; Wed, 7 Aug 2024 06:52:15 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org 1C880812C2 Authentication-Results: smtp1.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 1C880812C2 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id 1C880812C2 for ; Wed, 7 Aug 2024 06:52:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013533; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mvVB4sk0L7yA3JiViktaAF7+P7PgCKeN8hompmasxb8=; b=XAQBcv7s75jTYD2+MjeIpRJaRt3Y4CrcPEPOx6wSY1pX/L2O3bhPBzn3JQmyuxXuuLE1mO 8IAyH7HOvzCdSUEOpru01bsbGqM6leXQsTJXhvUSsSZPnzP3PbJSBfOnTVokeAgP+zCKKP yq17Z4Em3HUUzJfYVl778EIPiQ34d2g= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-501-RRDE725uNf2m1AA4-td5aQ-1; Wed, 07 Aug 2024 02:52:12 -0400 X-MC-Unique: RRDE725uNf2m1AA4-td5aQ-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id B44BC1944D04; Wed, 7 Aug 2024 06:52:11 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0103B1956056; Wed, 7 Aug 2024 06:52:08 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:25 +0200 Message-ID: <20240807065126.38132-9-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 8/9] actions: Add support for sample with register. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Allow sample to accept obs_point_id as register instead of integer literal value. Acked-by: Mark Michelson Signed-off-by: Ales Musil --- V7: - Added Mark's ack. V6: - Removed Dumitru's ack. V5: - Added Dumitru's ack --- include/ovn/actions.h | 16 +++++++++------- lib/actions.c | 12 ++++++++---- tests/ovn.at | 13 ++++++++++++- 3 files changed, 29 insertions(+), 12 deletions(-) diff --git a/include/ovn/actions.h b/include/ovn/actions.h index 88cf4de79f..c8dd66ed83 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h @@ -498,13 +498,15 @@ struct ovnact_lookup_fdb { /* OVNACT_SAMPLE */ struct ovnact_sample { struct ovnact ovnact; - uint16_t probability; /* probability over UINT16_MAX. */ - uint8_t obs_domain_id; /* most significant byte of the - observation domain id. The other 24 bits - will come from the datapath's tunnel key. */ - uint32_t collector_set_id; /* colector_set_id. */ - uint32_t obs_point_id; /* observation point id. */ - bool use_cookie; /* use cookie as obs_point_id */ + uint16_t probability; /* probability over UINT16_MAX. */ + uint8_t obs_domain_id; /* most significant byte of the + observation domain id. The other + 24 bits will come from the + datapath's tunnel key. */ + uint32_t collector_set_id; /* colector_set_id. */ + struct expr_field obs_point_id_src; /* observation point id source reg */ + uint32_t obs_point_id; /* observation point id */ + bool use_cookie; /* use cookie as obs_point_id */ }; /* OVNACT_COMMIT_ECMP_NH. */ diff --git a/lib/actions.c b/lib/actions.c index 37676ef81b..586c64af36 100644 --- a/lib/actions.c +++ b/lib/actions.c @@ -4523,10 +4523,13 @@ format_SAMPLE(const struct ovnact_sample *sample, struct ds *s) ds_put_format(s, ",collector_set=%"PRIu32, sample->collector_set_id); ds_put_format(s, ",obs_domain=%"PRIu8, sample->obs_domain_id); + ds_put_cstr(s, ",obs_point="); if (sample->use_cookie) { - ds_put_cstr(s, ",obs_point=$cookie"); + ds_put_cstr(s, "$cookie"); + } else if (sample->obs_point_id_src.symbol) { + expr_field_format(&sample->obs_point_id_src, s); } else { - ds_put_format(s, ",obs_point=%"PRIu32, sample->obs_point_id); + ds_put_format(s, "%"PRIu32, sample->obs_point_id); } ds_put_format(s, ");"); } @@ -4551,6 +4554,8 @@ encode_SAMPLE(const struct ovnact_sample *sample, if (sample->use_cookie) { os->obs_point_imm = ep->lflow_uuid.parts[0]; + } else if (sample->obs_point_id_src.symbol) { + os->obs_point_src = expr_resolve_field(&sample->obs_point_id_src); } else { os->obs_point_imm = sample->obs_point_id; } @@ -4584,8 +4589,7 @@ parse_sample_arg(struct action_context *ctx, struct ovnact_sample *sample) sample->obs_point_id = ntohll(ctx->lexer->token.value.integer); lexer_get(ctx->lexer); } else { - lexer_syntax_error(ctx->lexer, - "malformed sample observation_point_id"); + action_parse_field(ctx, 32, false, &sample->obs_point_id_src); } } else if (lexer_match_id(ctx->lexer, "obs_domain")) { if (!lexer_force_match(ctx->lexer, LEX_T_EQUALS)) { diff --git a/tests/ovn.at b/tests/ovn.at index 0f401ab96a..f1fc29503f 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -2333,11 +2333,19 @@ sample(probability=10); sample(probability=100,collector_set=999,obs_domain=0,obs_point=1000); encodes as drop +sample(probability=10, obs_point=reg3); + formats as sample(probability=10,collector_set=0,obs_domain=0,obs_point=reg3); + encodes as sample(probability=10,collector_set_id=0,obs_domain_id=11259375,obs_point_id=NXM_NX_XXREG0[[0..31]]) + +sample(probability=10, obs_point=ct_label.obs_point_id); + formats as sample(probability=10,collector_set=0,obs_domain=0,obs_point=ct_label.obs_point_id); + encodes as sample(probability=10,collector_set_id=0,obs_domain_id=11259375,obs_point_id=NXM_NX_CT_LABEL[[96..127]]) + sample(probability=0,collector_set=200,obs_domain=0,obs_point=1000); probability must be greater than zero sample(probability=0,collector_set=200,obs_domain=0,obs_point=foo); - Syntax error at `foo' malformed sample observation_point_id. + Syntax error at `foo' expecting field name. sample(probability=0,collector_set=200,obs_domain=300,obs_point=foo); Syntax error at `300' obs_domain must be 8-bit long. @@ -2345,6 +2353,9 @@ sample(probability=0,collector_set=200,obs_domain=300,obs_point=foo); sample(probability=10,foo=bar,obs_domain=0,obs_point=1000); Syntax error at `foo' unknown argument. +sample(probability=10, obs_point=ct_label); + Cannot use 128-bit field ct_label[[0..127]] where 32-bit field is required. + # mac_cache_use mac_cache_use; encodes as resubmit(,OFTABLE_MAC_CACHE_USE) From patchwork Wed Aug 7 06:51:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dumitru Ceara X-Patchwork-Id: 1969846 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=C2JrLBPL; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Wf18b6nHYz1yfC for ; Wed, 7 Aug 2024 16:53:03 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 1755981312; Wed, 7 Aug 2024 06:53:02 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id sj6yviXwV5mK; Wed, 7 Aug 2024 06:52:56 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org CE3BE812FA Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=C2JrLBPL Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTPS id CE3BE812FA; Wed, 7 Aug 2024 06:52:53 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 8512AC002B; Wed, 7 Aug 2024 06:52:53 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 136D6C0033 for ; Wed, 7 Aug 2024 06:52:52 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 8925B40AD8 for ; Wed, 7 Aug 2024 06:52:24 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id qxX0VpwlzDGF for ; Wed, 7 Aug 2024 06:52:20 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=170.10.129.124; helo=us-smtp-delivery-124.mimecast.com; envelope-from=dceara@redhat.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org E751C40AE9 Authentication-Results: smtp2.osuosl.org; dmarc=pass (p=none dis=none) header.from=redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org E751C40AE9 Authentication-Results: smtp2.osuosl.org; dkim=pass (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=C2JrLBPL Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp2.osuosl.org (Postfix) with ESMTPS id E751C40AE9 for ; Wed, 7 Aug 2024 06:52:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1723013538; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7dzbYGaChljq/GLz847UCOQ+lrU7hxP7WD5F6Ox4xng=; b=C2JrLBPLEuf5yiR5oju4dHp+pA1jNIcCgDJiB4ekprBQT33wBoKznt1CzxRKOEnkPRIgEx LCQlrJ5RS6bhT5PgSEjZ0E0yBHspZadyFzSaM1CsDKY+Jtl6YEcvcylvhUSmPEuec01Tbp jAHcrm0LCBCFJQBmoLFGsZFnZGTDnck= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-687-JnrxojpFNCaW6d6Cl4UNag-1; Wed, 07 Aug 2024 02:52:17 -0400 X-MC-Unique: JnrxojpFNCaW6d6Cl4UNag-1 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 25772196CDD0; Wed, 7 Aug 2024 06:52:16 +0000 (UTC) Received: from cecil-rh.redhat.com (unknown [10.39.193.13]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 3791E19560A3; Wed, 7 Aug 2024 06:52:12 +0000 (UTC) From: Dumitru Ceara To: ovs-dev@openvswitch.org Date: Wed, 7 Aug 2024 08:51:26 +0200 Message-ID: <20240807065126.38132-10-dceara@redhat.com> In-Reply-To: <20240807065126.38132-1-dceara@redhat.com> References: <20240807065126.38132-1-dceara@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v7 9/9] northd: Allow flow simplification for ACL sampling. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: npinaeva@redhat.com, i.maximets@ovn.org Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Ales Musil Currently, OVN would generate up to 2 flows per sample, depending on the configuration. Add optimization that can reduce the number of flows added into the ACL pipeline down to 3 per collector. This optimization can be achieved only when the sample action with registers is supported in OvS and the sample has only single collector. The single collector per sample should be the case in most configurations, usually even the same collector for all samples which greatly reduces the number of flows per ACL with sampling. If there are more collectors per sample or the OvS feature is not supported, the implementation will fall back to flows per sample. Reported-at: https://issues.redhat.com/browse/FDP-709 Signed-off-by: Ales Musil Acked-by: Mark Michelson --- V7: - Addressed Nadia's comment: - Increased number of ct mark bits used for storing the collector id to 8. - Addressed Mark's comment: - cleaned up conditional match build. V6: - Rebased. - Removed Dumitru's ack. - Store (newly created) Sample_Collector.id in ct state - instead of the actual set-id to avoid ambiguity when multiple probabilities are used with the same collector set id. - Fixed bug with stateful to-lport ACLs on router ports. - Reduced number of ct mark bits used for storing the collector id to 4. V5: - Address Ilya's comments: - Explicitly set acl_observation_stage enum values. - Added Dumitru's ack --- include/ovn/logical-fields.h | 2 + lib/logical-fields.c | 8 + northd/northd.c | 273 ++++++++++++++++++------ tests/ovn-northd.at | 388 +++++++++++++++++++++++++++++------ tests/ovn.at | 2 + tests/system-ovn.at | 10 +- 6 files changed, 553 insertions(+), 130 deletions(-) diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index ce79b501cf..d6c4a9b6b3 100644 --- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -197,6 +197,8 @@ const struct ovn_field *ovn_field_from_name(const char *name); #define OVN_CT_NATTED_BIT 1 #define OVN_CT_LB_SKIP_SNAT_BIT 2 #define OVN_CT_LB_FORCE_SNAT_BIT 3 +#define OVN_CT_OBS_STAGE_1ST_BIT 4 +#define OVN_CT_OBS_STAGE_END_BIT 5 #define OVN_CT_BLOCKED 1 #define OVN_CT_NATTED 2 diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 0c187e1c84..134d2674fd 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -165,6 +165,14 @@ ovn_init_symtab(struct shash *symtab) OVN_CT_STR(OVN_CT_LB_FORCE_SNAT_BIT) "]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_stage", NULL, + "ct_mark[" + OVN_CT_STR(OVN_CT_OBS_STAGE_1ST_BIT) ".." + OVN_CT_STR(OVN_CT_OBS_STAGE_END_BIT) + "]", + WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_collector_id", NULL, + "ct_mark[16..23]", WR_CT_COMMIT); expr_symtab_add_field_scoped(symtab, "ct_label", MFF_CT_LABEL, NULL, false, WR_CT_COMMIT); diff --git a/northd/northd.c b/northd/northd.c index 13f9faba31..70b13c8c98 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -144,8 +144,20 @@ static bool vxlan_mode; #define REGBIT_ACL_VERDICT_ALLOW "reg8[16]" #define REGBIT_ACL_VERDICT_DROP "reg8[17]" #define REGBIT_ACL_VERDICT_REJECT "reg8[18]" +#define REGBIT_ACL_OBS_STAGE "reg8[19..20]" #define REG_ACL_TIER "reg8[30..31]" +enum acl_observation_stage { + ACL_OBS_FROM_LPORT = 0, + ACL_OBS_FROM_LPORT_AFTER_LB = 1, + ACL_OBS_TO_LPORT = 2, + ACL_OBS_STAGE_MAX +}; + +/* enum acl_observation_stage_t values must fit in the 2 bits of + * REGBIT_ACL_OBS_STAGE .*/ +BUILD_ASSERT_DECL(ACL_OBS_STAGE_MAX < (1 << 2)); + /* Indicate that this packet has been recirculated using egress * loopback. This allows certain checks to be bypassed, such as a * logical router dropping packets with source IP address equals @@ -189,6 +201,8 @@ static bool vxlan_mode; * domain and point ID. */ #define REG_OBS_POINT_ID_NEW "reg3" #define REG_OBS_POINT_ID_EST "reg9" +#define REG_OBS_COLLECTOR_ID_NEW "reg8[0..7]" +#define REG_OBS_COLLECTOR_ID_EST "reg8[8..15]" /* Register used for temporarily store ECMP eth.src to avoid masked ct_label * access. It doesn't really occupy registers because the content of the @@ -228,12 +242,13 @@ static bool vxlan_mode; * +----+----------------------------------------------+ G | | * | R7 | UNUSED | 1 | | * +----+----------------------------------------------+---+-----------------------------------+ - * | | LB_AFF_MATCH_PORT | - * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | - * +----+----------------------------------------------+ - * | R9 | OBS_POINT_ID_EST | - * | | (>= ACL_EVAL* && <= ACL_ACTION*) | - * +----+----------------------------------------------+ + * | R8 | LB_AFF_MATCH_PORT | X | REG_OBS_COLLECTOR_ID_NEW | + * | | (>= IN_LB_AFF_CHECK && <= IN_LB_AFF_LEARN) | R | REG_OBS_COLLECTOR_ID_EST | + * | | | E | (>= ACL_EVAL* && <= ACL_ACTION*) | + * +----+----------------------------------------------+ G +-----------------------------------+ + * | R9 | OBS_POINT_ID_EST | 4 | | + * | | (>= ACL_EVAL* && <= ACL_ACTION*) | | | + * +----+----------------------------------------------+---+-----------------------------------+ * * Logical Router pipeline: * +-----+---------------------------+---+-----------------+---+------------------------------------+ @@ -6532,7 +6547,8 @@ build_acl_sample_action(struct ds *actions, const struct nbrec_acl *acl, static void build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, const struct nbrec_sample *sample_new, - const struct nbrec_sample *sample_est) + const struct nbrec_sample *sample_est, + enum acl_observation_stage obs_stage) { if (!acl->label && !sample_new && !sample_est) { return; @@ -6540,6 +6556,8 @@ build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, uint32_t point_id_new = 0; uint32_t point_id_est = 0; + uint8_t collector_id_new = 0; + uint8_t collector_id_est = 0; if (acl->label) { point_id_new = acl->label; @@ -6547,16 +6565,27 @@ build_acl_sample_label_action(struct ds *actions, const struct nbrec_acl *acl, } else { if (sample_new) { point_id_new = sample_new->metadata; + if (sample_new->n_collectors == 1) { + collector_id_new = sample_new->collectors[0]->id; + } } if (sample_est) { point_id_est = sample_est->metadata; + if (sample_est->n_collectors == 1) { + collector_id_est = sample_est->collectors[0]->id; + } } } ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " REG_OBS_POINT_ID_NEW " = %"PRIu32"; " - REG_OBS_POINT_ID_EST " = %"PRIu32"; ", - point_id_new, point_id_est); + REG_OBS_POINT_ID_EST " = %"PRIu32"; " + REG_OBS_COLLECTOR_ID_NEW " = %"PRIu8"; " + REG_OBS_COLLECTOR_ID_EST " = %"PRIu8"; " + REGBIT_ACL_OBS_STAGE " = %"PRIu8"; ", + point_id_new, point_id_est, + collector_id_new, collector_id_est, + (uint8_t) obs_stage); } /* This builds an ACL logical flow specific match that selects traffic @@ -6604,46 +6633,16 @@ build_acl_sample_label_match(struct ds *match, const struct nbrec_acl *acl, } /* This builds a logical flow that samples and forwards/drops traffic - * that hit a stateless ACL ("pass" or "allow-stateless") that has sampling - * enabled. + * that hit a stateless/stateful ACL that has sampling enabled. */ static void -build_acl_sample_new_stateless_flows(const struct ovn_datapath *od, - struct lflow_table *lflows, - enum ovn_stage stage, - struct ds *match, struct ds *actions, - const struct nbrec_acl *acl, - uint8_t sample_domain_id, - struct lflow_ref *lflow_ref) -{ - if (!acl->sample_new) { - return; - } - - ds_clear(actions); - ds_clear(match); - - ds_put_cstr(match, "ip && "); - build_acl_sample_register_match(match, acl, acl->sample_new); - - build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); - - ovn_lflow_add(lflows, od, stage, 1100, ds_cstr(match), - ds_cstr(actions), lflow_ref); -} - -/* This builds a logical flow that samples and forwards/drops traffic - * that created a new conntrack entry and hit a stateful ACL that has sampling - * enabled. - */ -static void -build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, - struct lflow_table *lflows, - enum ovn_stage stage, - struct ds *match, struct ds *actions, - const struct nbrec_acl *acl, - uint8_t sample_domain_id, - struct lflow_ref *lflow_ref) +build_acl_sample_new_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + struct ds *match, struct ds *actions, + const struct nbrec_acl *acl, + uint8_t sample_domain_id, bool stateful, + struct lflow_ref *lflow_ref) { if (!acl->sample_new) { return; @@ -6652,12 +6651,16 @@ build_acl_sample_new_stateful_flows(const struct ovn_datapath *od, ds_clear(actions); ds_clear(match); - /* Match on new connections. However, for to-lport ACLs, due to + /* Match on new connections. However, for stateful to-lport ACLs, due to * skip_port_from_conntrack() conntrack state might be cleared, so * take that into account too. */ - ds_put_format(match, "ip && %s && ", - stage != S_SWITCH_OUT_ACL_SAMPLE - ? "ct.new" : "(ct.new || !ct.trk)"); + if (!stateful) { + ds_put_format(match, "ip && "); + } else if (stage != S_SWITCH_OUT_ACL_SAMPLE) { + ds_put_format(match, "ip && ct.new && "); + } else { + ds_put_format(match, "ip && (ct.new || !ct.trk) && "); + } build_acl_sample_register_match(match, acl, acl->sample_new); build_acl_sample_action(actions, acl, acl->sample_new, sample_domain_id); @@ -6758,6 +6761,112 @@ build_acl_sample_est_stateful_flows(const struct ovn_datapath *od, static void build_acl_reject_action(struct ds *actions, bool is_ingress); +/* This builds a generic logical flow that samples traffic + * that hit a stateless/stateful ACL that has sampling enabled with + * single collector and all chassis supporting the sample with match action. + */ +static void +build_acl_sample_generic_new_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + enum acl_observation_stage obs_stage, + struct ds *match, struct ds *actions, + const struct nbrec_sample_collector *coll, + uint8_t sample_domain_id, bool stateful, + struct lflow_ref *lflow_ref) +{ + ds_clear(match); + ds_clear(actions); + + /* Match on new connections. However, for stateful to-lport ACLs, due to + * skip_port_from_conntrack() conntrack state might be cleared, so + * take that into account too. */ + const char *new_conn_match = "ip"; + if (stateful) { + if (stage != S_SWITCH_OUT_ACL_SAMPLE) { + new_conn_match = "ip && ct.new"; + } else { + new_conn_match = "ip && (ct.new || !ct.trk)"; + } + } + + ds_put_format(match, "%s && "REG_OBS_COLLECTOR_ID_NEW" == %"PRIu8" && " + REGBIT_ACL_OBS_STAGE " == %"PRIu8, new_conn_match, + (uint8_t) coll->id, + (uint8_t) obs_stage); + + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point="REG_OBS_POINT_ID_NEW");" + " next;", + (uint16_t) coll->probability, + (uint8_t) coll->set_id, + sample_domain_id); + + ovn_lflow_add(lflows, od, stage, stateful ? 1000 : 900, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* This builds a generic logical flow that samples established traffic + * that hit a stateful ACL that has sampling enabled with + * single collector and all chassis supporting the sample with match action. + */ +static void +build_acl_sample_generic_est_flows(const struct ovn_datapath *od, + struct lflow_table *lflows, + enum ovn_stage stage, + enum acl_observation_stage obs_stage, + struct ds *match, struct ds *actions, + const struct nbrec_sample_collector *coll, + uint8_t sample_domain_id, + struct lflow_ref *lflow_ref) +{ + ds_clear(match); + ds_clear(actions); + + ds_put_cstr(match, "ip && ct.trk && (ct.est || ct.rel) && " + "ct_label.obs_unused == 0 && "); + + size_t match_len = match->length; + ds_put_format(match, "!ct.rpl && ct_mark.obs_collector_id == %"PRIu8" && " + "ct_mark.obs_stage == %"PRIu8, + (uint8_t) coll->id, + (uint8_t) obs_stage); + + ds_put_format(actions, "sample(probability=%"PRIu16"," + "collector_set=%"PRIu8"," + "obs_domain=%"PRIu32"," + "obs_point=ct_label.obs_point_id);" + " next;", + (uint16_t) coll->probability, + (uint8_t) coll->set_id, + sample_domain_id); + + ovn_lflow_add(lflows, od, stage, 1000, ds_cstr(match), + ds_cstr(actions), lflow_ref); + + enum ovn_stage rpl_stage = (stage == S_SWITCH_OUT_ACL_SAMPLE + ? S_SWITCH_IN_ACL_SAMPLE + : S_SWITCH_OUT_ACL_SAMPLE); + + ds_truncate(match, match_len); + ds_put_format(match, "ct.rpl && ct_mark.obs_collector_id == %"PRIu8, + (uint8_t) coll->id); + + ovn_lflow_add(lflows, od, rpl_stage, 1000, ds_cstr(match), + ds_cstr(actions), lflow_ref); +} + +/* Check if the smaple has only single collector and the sample action + * with registers is supported. */ +static bool +acl_use_generic_sample_flows(const struct nbrec_sample *sample, + const struct chassis_features *features) +{ + return sample && sample->n_collectors == 1 && features->sample_with_reg; +} + /* This builds all ACL sampling related logical flows: * - for packets creating new connections * - for packets that are part of an existing connection @@ -6769,6 +6878,7 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, const struct nbrec_acl *acl, struct ds *match, struct ds *actions, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_ref *lflow_ref) { bool should_sample_established = @@ -6792,13 +6902,17 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, bool ingress = !strcmp(acl->direction, "from-lport") ? true : false; enum ovn_stage stage; + enum acl_observation_stage obs_stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { stage = S_SWITCH_IN_ACL_AFTER_LB_SAMPLE; + obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB; } else if (ingress) { stage = S_SWITCH_IN_ACL_SAMPLE; + obs_stage = ACL_OBS_FROM_LPORT; } else { stage = S_SWITCH_OUT_ACL_SAMPLE; + obs_stage = ACL_OBS_TO_LPORT; } uint8_t sample_new_domain_id = sampling_app_get_id(sampling_apps, @@ -6806,14 +6920,28 @@ build_acl_sample_flows(const struct ls_stateful_record *ls_stateful_rec, uint8_t sample_est_domain_id = sampling_app_get_id(sampling_apps, SAMPLING_APP_ACL_EST); + if (acl_use_generic_sample_flows(acl->sample_new, features)) { + build_acl_sample_generic_new_flows(od, lflows, stage, obs_stage, + match, actions, + acl->sample_new->collectors[0], + sample_new_domain_id, + stateful_match, lflow_ref); + } else { + build_acl_sample_new_flows(od, lflows, stage, match, actions, + acl, sample_new_domain_id, stateful_match, + lflow_ref); + } + if (!stateful_match) { - build_acl_sample_new_stateless_flows(od, lflows, stage, match, actions, - acl, sample_new_domain_id, - lflow_ref); + return; + } + + if (acl_use_generic_sample_flows(acl->sample_est, features)) { + build_acl_sample_generic_est_flows(od, lflows, stage, obs_stage, + match, actions, + acl->sample_est->collectors[0], + sample_est_domain_id, lflow_ref); } else { - build_acl_sample_new_stateful_flows(od, lflows, stage, match, actions, - acl, sample_new_domain_id, - lflow_ref); build_acl_sample_est_stateful_flows(od, lflows, stage, match, actions, acl, sample_est_domain_id, lflow_ref); @@ -6845,13 +6973,17 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, { bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; enum ovn_stage stage; + enum acl_observation_stage obs_stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { stage = S_SWITCH_IN_ACL_AFTER_LB_EVAL; + obs_stage = ACL_OBS_FROM_LPORT_AFTER_LB; } else if (ingress) { stage = S_SWITCH_IN_ACL_EVAL; + obs_stage = ACL_OBS_FROM_LPORT; } else { stage = S_SWITCH_OUT_ACL_EVAL; + obs_stage = ACL_OBS_TO_LPORT; } const char *verdict; @@ -6885,7 +7017,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, || !strcmp(acl->action, "allow-stateless")) { /* For stateless ACLs just sample "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); @@ -6924,7 +7057,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, - acl->sample_est); + acl->sample_est, obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6948,7 +7081,7 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, - acl->sample_est); + acl->sample_est, obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6968,7 +7101,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); /* For drop ACLs just sample all packets as "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -6991,7 +7125,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); /* For drop ACLs just sample all packets as "new" packets. */ - build_acl_sample_label_action(actions, acl, acl->sample_new, NULL); + build_acl_sample_label_action(actions, acl, acl->sample_new, NULL, + obs_stage); ds_put_cstr(actions, "ct_commit { ct_mark.blocked = 1; }; next;"); ovn_lflow_add_with_hint(lflows, od, stage, priority, ds_cstr(match), ds_cstr(actions), @@ -7237,6 +7372,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, const struct ls_port_group_table *ls_port_groups, const struct shash *meter_groups, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_ref *lflow_ref) { const char *default_acl_action = default_acl_drop @@ -7429,7 +7565,8 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, meter_groups, ls_stateful_rec->max_acl_tier, &match, &actions, lflow_ref); build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, - &match, &actions, sampling_apps, lflow_ref); + &match, &actions, sampling_apps, + features, lflow_ref); } const struct ls_port_group *ls_pg = @@ -7448,7 +7585,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, &match, &actions, lflow_ref); build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, &match, &actions, sampling_apps, - lflow_ref); + features, lflow_ref); } } } @@ -8111,6 +8248,8 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, ds_put_cstr(&actions, "ct_commit { " "ct_mark.blocked = 0; " + "ct_mark.obs_stage = " REGBIT_ACL_OBS_STAGE "; " + "ct_mark.obs_collector_id = " REG_OBS_COLLECTOR_ID_EST "; " "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; " "}; next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, @@ -16161,6 +16300,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, const struct ls_port_group_table *ls_pgs, const struct shash *meter_groups, const struct sampling_app_table *sampling_apps, + const struct chassis_features *features, struct lflow_table *lflows) { build_ls_stateful_rec_pre_acls(ls_stateful_rec, od, ls_pgs, lflows, @@ -16170,7 +16310,7 @@ build_ls_stateful_flows(const struct ls_stateful_record *ls_stateful_rec, build_acl_hints(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); build_acls(ls_stateful_rec, od, lflows, ls_pgs, meter_groups, - sampling_apps, ls_stateful_rec->lflow_ref); + sampling_apps, features, ls_stateful_rec->lflow_ref); build_lb_hairpin(ls_stateful_rec, od, lflows, ls_stateful_rec->lflow_ref); } @@ -16487,6 +16627,7 @@ build_lflows_thread(void *arg) lsi->ls_port_groups, lsi->meter_groups, lsi->sampling_apps, + lsi->features, lsi->lflows); } } @@ -16710,6 +16851,7 @@ build_lswitch_and_lrouter_flows( build_ls_stateful_flows(ls_stateful_rec, od, lsi.ls_port_groups, lsi.meter_groups, lsi.sampling_apps, + lsi.features, lsi.lflows); } stopwatch_stop(LFLOWS_LS_STATEFUL_STOPWATCH_NAME, time_msec()); @@ -17225,6 +17367,7 @@ lflow_handle_ls_stateful_changes(struct ovsdb_idl_txn *ovnsb_txn, lflow_input->ls_port_groups, lflow_input->meter_groups, lflow_input->sampling_apps, + lflow_input->features, lflows); /* Sync the new flows to SB. */ diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 6cc372b8a4..0adc7ee658 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -4609,7 +4609,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4633,7 +4633,7 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) } @@ -4676,7 +4676,7 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl @@ -4697,7 +4697,7 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # LB with event=false and reject=false @@ -4726,23 +4726,23 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # Add new ACL without label @@ -4753,27 +4753,27 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) - table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # Delete new ACL with label @@ -4790,7 +4790,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl @@ -4800,7 +4800,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP ]) @@ -4828,7 +4828,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([from-lport --apply-after-lb allow-related ACL]) @@ -4836,7 +4836,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([to-lport allow-related ACL]) @@ -4844,7 +4844,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AT_CLEANUP @@ -7680,7 +7680,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) @@ -7735,7 +7735,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) @@ -7790,7 +7790,7 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP @@ -12608,8 +12608,8 @@ ovn-nbctl --wait=sb \ --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12620,7 +12620,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); @@ -12640,8 +12640,8 @@ ovn-nbctl --wait=sb \ --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) @@ -12650,7 +12650,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); @@ -12670,8 +12670,8 @@ ovn-nbctl --wait=sb \ --id=@sample2 create Sample collector="$collector1 $collector2" metadata=4302 -- \ --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12682,7 +12682,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); @@ -12702,8 +12702,8 @@ ovn-nbctl --wait=sb \ --id=@sample1 create Sample collector="$collector1 $collector2" metadata=4301 -- \ --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) @@ -12712,7 +12712,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); @@ -12734,8 +12734,8 @@ ovn-nbctl --wait=sb \ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) @@ -12744,7 +12744,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); @@ -12766,8 +12766,8 @@ ovn-nbctl --wait=sb \ --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) ]) @@ -12775,7 +12775,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ct_commit { ct_mark.blocked = 0; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); @@ -12792,6 +12792,276 @@ AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL Sampling - Generic sample]) +AT_KEYWORDS([acl]) + +ovn_start + +collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100) +check_row_count nb:Sample_Collector 1 + +ovn-nbctl create Sampling_App type="acl-new" id="42" +ovn-nbctl create Sampling_App type="acl-est" id="43" +check_row_count nb:Sampling_App 2 + +check ovn-nbctl \ + -- ls-add ls \ + -- lsp-add ls lsp1 \ + -- lsp-set-addresses lsp1 00:00:00:00:00:01 \ + -- lsp-add ls lsp2 \ + -- lsp-set-addresses lsp2 00:00:00:00:00:02 +check ovn-nbctl --wait=sb sync + +base_flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02 && ip4.src == 42.42.42.1 && ip4.dst == 42.42.42.2" +m4_define([TRACE_FILTER], [grep -e sample -e commit -e reg9 -e 'reg8\[[0..7\]]' -e 'reg8\[[8..15\]]' | grep -v _sample | sort]) + +AS_BOX([ACL sampling without register support]) +check ovn-sbctl chassis-add gw1 geneve 127.0.0.1 \ + -- set chassis gw1 other_config:ovn-sample-with-registers="false" + +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); next;) + table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); +]) + +check ovn-sbctl set chassis gw1 other_config:ovn-sample-with-registers="true" + +AS_BOX([from-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 0), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([from-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;) + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; +]) + +AS_BOX([from-lport-after-lb ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \ + --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([from-lport-after-lb ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;) + table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; +]) + +AS_BOX([to-lport ACL sampling (new, est)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \ + --sample-new=@sample1 --sample-est=@sample2 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 1 && ct_mark.obs_stage == 2), action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace estasblished connections. +flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 1" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 1; + reg9 = 4302; + sample(probability=65535,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); +]) + +AS_BOX([to-lport ACL sampling (new)]) +check ovn-nbctl acl-del ls +ovn-nbctl --wait=sb \ + --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \ + --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related +AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl + table=??(ls_in_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;) + table=??(ls_out_acl_sample ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;) +]) + +dnl Trace new connections. +flow="$base_flow" +AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl + ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; }; + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; + sample(probability=65535,collector_set=100,obs_domain=42,obs_point=reg3); +]) + +dnl Trace established connections (no point id was committed in the label in +dnl the original direction). +flow="$base_flow && ct_label.obs_point_id == 0 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 0" +AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl + reg8[[0..7]] = 1; + reg8[[8..15]] = 0; + reg9 = 0; +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([ACL Sampling - same collector set id, multiple probabilities]) AT_KEYWORDS([acl]) @@ -12831,24 +13101,22 @@ check_row_count nb:Sample 6 check ovn-nbctl --wait=sb sync AT_CHECK([ovn-sbctl lflow-list | grep probability | ovn_strip_lflows], [0], [dnl - table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && reg3 == 4303), dnl -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4303); next;) - table=??(ls_in_acl_after_lb_sample), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304); next;) - table=??(ls_in_acl_sample ), priority=1100 , match=(ip && ct.new && reg3 == 4301), dnl -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4301); next;) - table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302); next;) - table=??(ls_in_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306); next;) - table=??(ls_out_acl_sample ), priority=1100 , match=(ip && (ct.new || !ct.trk) && reg3 == 4305), dnl -action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=4305); next;) - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && !ct.rpl && ct_label.obs_point_id == 4306 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4306); next;) - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4302); next;) - table=??(ls_out_acl_sample ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && ct.rpl && ct_label.obs_point_id == 4304 && ct_label.obs_unused == 0), dnl -action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=4304); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 1), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 1), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] == 1 && reg8[[19..20]] == 0), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 0), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_in_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 2), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && (ct.new || !ct.trk) && reg8[[0..7]] == 1 && reg8[[19..20]] == 2), dnl +action=(sample(probability=10000,collector_set=100,obs_domain=42,obs_point=reg3); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && !ct.rpl && ct_mark.obs_collector_id == 2 && ct_mark.obs_stage == 2), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) + table=??(ls_out_acl_sample ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 2), dnl +action=(sample(probability=20000,collector_set=100,obs_domain=43,obs_point=ct_label.obs_point_id); next;) ]) AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index f1fc29503f..c8aedfddfc 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -336,6 +336,8 @@ ct_mark.blocked = ct_mark[0] ct_mark.ecmp_reply_port = ct_mark[16..31] ct_mark.force_snat = ct_mark[3] ct_mark.natted = ct_mark[1] +ct_mark.obs_collector_id = ct_mark[16..23] +ct_mark.obs_stage = ct_mark[4..5] ct_mark.skip_snat = ct_mark[2] ct_state = NXM_NX_CT_STATE ]]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index ef9652f02a..853004f93a 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -7724,7 +7724,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,mark=32,labels=0x4d3000000000000000000000000 icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone= ]) @@ -7851,7 +7851,7 @@ NS_CHECK_EXEC([sw0-p1], [ping -q -c 10 -i 0.3 -w 15 10.0.0.4 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.4) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d2[[0-9a-f]]*/labels=0x4d2000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d2000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d2000000000000000000000000 icmp,orig=(src=10.0.0.2,dst=10.0.0.4,id=,type=8,code=0),reply=(src=10.0.0.4,dst=10.0.0.2,id=,type=0,code=0),zone= ]) @@ -7866,7 +7866,7 @@ NS_CHECK_EXEC([sw0-p3], [ping -q -c 10 -i 0.3 -w 15 10.0.0.2 | FORMAT_PING], \ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.2) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/'], [0], [dnl -icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone=,mark=32,labels=0x4d3000000000000000000000000 icmp,orig=(src=10.0.0.4,dst=10.0.0.2,id=,type=8,code=0),reply=(src=10.0.0.2,dst=10.0.0.4,id=,type=0,code=0),zone= ]) @@ -8081,7 +8081,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.3) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d2[[0-9a-f]]*/labels=0x4d2000000000000000000000000/' | sort], [0], [dnl icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone= -icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d2000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d2000000000000000000000000 ]) # Add a higher priority ACL with different label. @@ -8097,7 +8097,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.0.0.3) | \ sed -e 's/zone=[[0-9]]*/zone=/' | \ sed -e 's/labels=0x4d3[[0-9a-f]]*/labels=0x4d3000000000000000000000000/' | sort], [0], [dnl icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone= -icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,labels=0x4d3000000000000000000000000 +icmp,orig=(src=10.0.0.2,dst=10.0.0.3,id=,type=8,code=0),reply=(src=10.0.0.3,dst=10.0.0.2,id=,type=0,code=0),zone=,mark=16,labels=0x4d3000000000000000000000000 ]) OVS_APP_EXIT_AND_WAIT([ovn-controller])