{ "id": 807957, "url": "http://patchwork.ozlabs.org/api/1.2/patches/807957/?format=api", "web_url": "http://patchwork.ozlabs.org/project/openvswitch/patch/1504132951-53688-1-git-send-email-zhouhan@gmail.com/", "project": { "id": 47, "url": "http://patchwork.ozlabs.org/api/1.2/projects/47/?format=api", "name": "Open vSwitch", "link_name": "openvswitch", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "git@github.com:openvswitch/ovs.git", "webscm_url": "https://github.com/openvswitch/ovs", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<1504132951-53688-1-git-send-email-zhouhan@gmail.com>", "list_archive_url": null, "date": "2017-08-30T22:42:31", "name": "[ovs-dev] ovn: support acl logging for INVALID packets", "commit_ref": null, "pull_url": null, "state": "deferred", "archived": false, "hash": "7b53a69b40cd32ddb14c15ff04b2a83f117d472e", "submitter": { "id": 67381, "url": "http://patchwork.ozlabs.org/api/1.2/people/67381/?format=api", "name": "Han Zhou", "email": "zhouhan@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/openvswitch/patch/1504132951-53688-1-git-send-email-zhouhan@gmail.com/mbox/", "series": [ { "id": 715, "url": "http://patchwork.ozlabs.org/api/1.2/series/715/?format=api", "web_url": "http://patchwork.ozlabs.org/project/openvswitch/list/?series=715", "date": "2017-08-30T22:42:31", "name": "[ovs-dev] ovn: support acl logging for INVALID packets", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/715/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/807957/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/807957/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@bilbo.ozlabs.org", 
"ovs-dev@mail.linuxfoundation.org" ], "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=openvswitch.org\n\t(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;\n\tenvelope-from=ovs-dev-bounces@openvswitch.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"hRia/wYz\"; dkim-atps=neutral" ], "Received": [ "from mail.linuxfoundation.org (mail.linuxfoundation.org\n\t[140.211.169.12])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xjLBF4B5dz9s83\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 31 Aug 2017 08:43:01 +1000 (AEST)", "from mail.linux-foundation.org (localhost [127.0.0.1])\n\tby mail.linuxfoundation.org (Postfix) with ESMTP id 56F4AB16;\n\tWed, 30 Aug 2017 22:42:45 +0000 (UTC)", "from smtp1.linuxfoundation.org (smtp1.linux-foundation.org\n\t[172.17.192.35])\n\tby mail.linuxfoundation.org (Postfix) with ESMTPS id C7ECFB00\n\tfor <dev@openvswitch.org>; Wed, 30 Aug 2017 22:42:43 +0000 (UTC)", "from mail-pg0-f54.google.com (mail-pg0-f54.google.com\n\t[74.125.83.54])\n\tby smtp1.linuxfoundation.org (Postfix) with ESMTPS id 53551134\n\tfor <dev@openvswitch.org>; Wed, 30 Aug 2017 22:42:43 +0000 (UTC)", "by mail-pg0-f54.google.com with SMTP id t193so6835902pgc.1\n\tfor <dev@openvswitch.org>; Wed, 30 Aug 2017 15:42:43 -0700 (PDT)", "from localhost.localdomain.localdomain ([216.113.160.70])\n\tby smtp.gmail.com with ESMTPSA id\n\tn29sm401341pgf.78.2017.08.30.15.42.41\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tWed, 30 Aug 2017 15:42:42 -0700 (PDT)" ], "X-Greylist": "whitelisted by SQLgrey-1.7.6", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; 
s=20161025;\n\th=from:to:cc:subject:date:message-id;\n\tbh=IB2TJ0Qkqsh0ptTwjx9ocO8VeWPeHWZChIYMmPE0DoU=;\n\tb=hRia/wYzfyMOqghznpByqjMMQHOhGL7kFGYJep1GpsvGylPQ8QCsRAK8ErKreWM77C\n\tG2I3LvKj3kwxrx+6gB05g9FQ29t+KX3ZewnQYmSWTCRL940xm6RkuecGeWWvLrMujcY2\n\t+icRng913QzonoG1WpaPBbmp5ysWFVNYKXOuC3ZjwFQCYhZhI9ZKnbo2ueuTbeGQJNCR\n\t518vhAqWsqdt3PnbYrt2g4UzgsqWZVwOfESPdvbD543hQzRoGDaq9dUbfqYetVAU2ByV\n\tVk+4NAV4m6TYpDCcdJiXJCDv39K8svhyKix9oHWb5iTb+ytmynWhfWw19q2r8aoaq1+Y\n\tvJlA==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id;\n\tbh=IB2TJ0Qkqsh0ptTwjx9ocO8VeWPeHWZChIYMmPE0DoU=;\n\tb=G3a192RNOiH63SUVLhH5M/cvpnprIkLMHbrfKVaspF9mSOTxyomdcT/yjTEu2UcyIy\n\t2U5Ae9CgUehiJh+MjxMIlhdRD427hp6MSb/2Ac6WAQVA8Hu61YptIyJq8ppkE8Cu5jx8\n\teRDHYwXTG3o01EjlBiaBahgrV9XEd4GOfAtkG11qQZKIJN35RtGHTehj1r1VJ71xIZDB\n\tLYbD1dqqgwmWdzhVTmYkyojS11piFnWpH9pjdCXiL1kViPS6m+jZdnTw3KzkmAMDsHHx\n\tVIOkw3yc+Uq0B21495Xj9ys2pIHE4uKc23zs2YdiQAmoPNlClaUmWLjVhpOVyxeDiv1h\n\t8t8w==", "X-Gm-Message-State": "AHYfb5hk5MZeUVCK1UcUmu3iB09UfxsMwLseaI5w2/DHYrb6T7PaANi8\n\t3oTu4FadDLXwq+lw", "X-Received": "by 10.98.198.12 with SMTP id m12mr177929pfg.46.1504132962617;\n\tWed, 30 Aug 2017 15:42:42 -0700 (PDT)", "From": "Han Zhou <zhouhan@gmail.com>", "To": "dev@openvswitch.org", "Date": "Wed, 30 Aug 2017 15:42:31 -0700", "Message-Id": "<1504132951-53688-1-git-send-email-zhouhan@gmail.com>", "X-Mailer": "git-send-email 2.1.0", "X-Spam-Status": "No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,\n\tDKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM\n\tautolearn=disabled version=3.3.1", "X-Spam-Checker-Version": "SpamAssassin 3.3.1 (2010-03-16) on\n\tsmtp1.linux-foundation.org", "Subject": "[ovs-dev] [PATCH] ovn: support acl logging for INVALID packets", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.12", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", 
"List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n\t<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n\t<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Sender": "ovs-dev-bounces@openvswitch.org", "Errors-To": "ovs-dev-bounces@openvswitch.org" }, "content": "INVALID packets doesn't map to any ACL, but sometimes we need to\nknow when these packets are detected and dropped. This patch supports\nlogging for such packets and provides a global configuration in NB\nto enable/disable this behavior. Default behavior is not logging,\nso that it is backward compatible.\n\nSigned-off-by: Han Zhou <zhouhan@gmail.com>\n---\n ovn/northd/ovn-northd.c | 20 +++++++++++++-------\n ovn/ovn-nb.ovsschema | 8 +++++---\n ovn/ovn-nb.xml | 6 ++++++\n tests/ovn.at | 11 ++++++++++-\n 4 files changed, 34 insertions(+), 11 deletions(-)", "diff": "diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c\nindex 49e4ac3..b003d96 100644\n--- a/ovn/northd/ovn-northd.c\n+++ b/ovn/northd/ovn-northd.c\n@@ -3052,7 +3052,8 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl)\n }\n \n static void\n-build_acls(struct ovn_datapath *od, struct hmap *lflows)\n+build_acls(struct northd_context *ctx, struct ovn_datapath *od,\n+ struct hmap *lflows)\n {\n bool has_stateful = has_stateful_acl(od);\n \n@@ -3098,12 +3099,16 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)\n * for deletion (bit 0 of ct_label is set).\n *\n * This is enforced at a higher priority than ACLs can be defined. 
*/\n+ const struct nbrec_nb_global *nbg = nbrec_nb_global_first(ctx->ovnnb_idl);\n+ bool acl_log_invalid = nbg ? nbg->acl_log_invalid : false;\n ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,\n \"ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)\",\n- \"drop;\");\n+ acl_log_invalid ?\n+ \"log(name=\\\"INVALID\\\", verdict=drop); /* drop */\" : \"drop;\");\n ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,\n \"ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)\",\n- \"drop;\");\n+ acl_log_invalid ?\n+ \"log(name=\\\"INVALID\\\", verdict=drop); /* drop */\" : \"drop;\");\n \n /* Ingress and Egress ACL Table (Priority 65535).\n *\n@@ -3478,8 +3483,9 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows)\n }\n \n static void\n-build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,\n- struct hmap *lflows, struct hmap *mcgroups)\n+build_lswitch_flows(struct northd_context *ctx, struct hmap *datapaths,\n+ struct hmap *ports, struct hmap *lflows,\n+ struct hmap *mcgroups)\n {\n /* This flow table structure is documented in ovn-northd(8), so please\n * update ovn-northd.8.xml if you change anything. */\n@@ -3498,7 +3504,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,\n build_pre_acls(od, lflows);\n build_pre_lb(od, lflows);\n build_pre_stateful(od, lflows);\n- build_acls(od, lflows);\n+ build_acls(ctx, od, lflows);\n build_qos(od, lflows);\n build_lb(od, lflows);\n build_stateful(od, lflows);\n@@ -5658,7 +5664,7 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths,\n struct hmap lflows = HMAP_INITIALIZER(&lflows);\n struct hmap mcgroups = HMAP_INITIALIZER(&mcgroups);\n \n- build_lswitch_flows(datapaths, ports, &lflows, &mcgroups);\n+ build_lswitch_flows(ctx, datapaths, ports, &lflows, &mcgroups);\n build_lrouter_flows(datapaths, ports, &lflows);\n \n /* Push changes to the Logical_Flow table to database. 
*/\ndiff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema\nindex a077bfb..2db788e 100644\n--- a/ovn/ovn-nb.ovsschema\n+++ b/ovn/ovn-nb.ovsschema\n@@ -1,7 +1,7 @@\n {\n \"name\": \"OVN_Northbound\",\n- \"version\": \"5.8.0\",\n- \"cksum\": \"2812300190 16766\",\n+ \"version\": \"5.9.0\",\n+ \"cksum\": \"2103124828 16872\",\n \"tables\": {\n \"NB_Global\": {\n \"columns\": {\n@@ -19,7 +19,9 @@\n \"ssl\": {\n \"type\": {\"key\": {\"type\": \"uuid\",\n \"refTable\": \"SSL\"},\n- \"min\": 0, \"max\": 1}}},\n+ \"min\": 0, \"max\": 1}},\n+ \"acl_log_invalid\": {\n+ \"type\": {\"key\": \"boolean\", \"min\": 0, \"max\": 1}}},\n \"maxRows\": 1,\n \"isRoot\": true},\n \"Logical_Switch\": {\ndiff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml\nindex be72610..1cf349e 100644\n--- a/ovn/ovn-nb.xml\n+++ b/ovn/ovn-nb.xml\n@@ -80,6 +80,12 @@\n Global SSL configuration.\n </column>\n </group>\n+ <group title=\"ACL Logging Options\">\n+ These columns controls the behaviour related to ACL logging.\n+ <column name=\"acl_log_invalid\">\n+ Whether to log the packets classified as invalid by conntrack.\n+ </column>\n+ </group>\n </table>\n \n <table name=\"Logical_Switch\" title=\"L2 logical switch\">\ndiff --git a/tests/ovn.at b/tests/ovn.at\nindex fb9fc73..c3af03d 100644\n--- a/tests/ovn.at\n+++ b/tests/ovn.at\n@@ -5775,6 +5775,8 @@ ovn-nbctl --wait=sb lsp-add lsw0 lp1\n ovn-nbctl --wait=sb lsp-add lsw0 lp2\n ovn-nbctl lsp-set-addresses lp1 $lp1_mac\n ovn-nbctl lsp-set-addresses lp2 $lp2_mac\n+# enable logging for invalid packets\n+ovn-nbctl set nb_global . 
acl_log_invalid=true\n ovn-nbctl --wait=sb sync\n \n ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==80' drop\n@@ -5840,13 +5842,20 @@ packet=\"inport==\\\"lp1\\\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&\n tcp && tcp.flags==2 && tcp.src==4367 && tcp.dst==87\"\n as hv ovs-appctl -t ovn-controller inject-pkt \"$packet\"\n \n-OVS_WAIT_UNTIL([ test 4 = $(grep -c 'acl_log' hv/ovn-controller.log) ])\n+# Send packet that is invalid and should be dropped with logging.\n+packet=\"inport==\\\"lp1\\\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&\n+ ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip &&\n+ tcp && tcp.src==4367 && tcp.dst==99\"\n+as hv ovs-appctl -t ovn-controller inject-pkt \"$packet\"\n+\n+OVS_WAIT_UNTIL([ test 5 = $(grep -c 'acl_log' hv/ovn-controller.log) ])\n \n AT_CHECK([grep 'acl_log' hv/ovn-controller.log | sed 's/.*name=/name=/'], [0], [dnl\n name=\"drop-flow\", verdict=drop, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4361,tp_dst=81,tcp_flags=syn\n name=\"allow-flow\", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4363,tp_dst=83,tcp_flags=syn\n name=\"<unnamed>\", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4365,tp_dst=85,tcp_flags=syn\n name=\"reject-flow\", verdict=reject, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=87,tcp_flags=syn\n+name=\"INVALID\", verdict=drop, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=99,tcp_flags=0\n 
])\n \n OVN_CLEANUP([hv])\n", "prefixes": [ "ovs-dev" ] }