[{"id":1796261,"web_url":"http://patchwork.ozlabs.org/comment/1796261/","msgid":"<20171030205225.GU27530@ovn.org>","list_archive_url":null,"date":"2017-10-30T20:52:25","subject":"Re: [ovs-dev] [PATCH] ovn: support acl logging for INVALID packets","submitter":{"id":67603,"url":"http://patchwork.ozlabs.org/api/people/67603/","name":"Ben Pfaff","email":"blp@ovn.org"},"content":"Justin, are you going to take a look at this?\n\nOn Wed, Aug 30, 2017 at 03:42:31PM -0700, Han Zhou wrote:\n> INVALID packets don't map to any ACL, but sometimes we need to\n> know when these packets are detected and dropped. This patch supports\n> logging for such packets and provides a global configuration in NB\n> to enable/disable this behavior. Default behavior is not logging,\n> so that it is backward compatible.\n> \n> Signed-off-by: Han Zhou <zhouhan@gmail.com>\n> ---\n>  ovn/northd/ovn-northd.c | 20 +++++++++++++-------\n>  ovn/ovn-nb.ovsschema    |  8 +++++---\n>  ovn/ovn-nb.xml          |  6 ++++++\n>  tests/ovn.at            | 11 ++++++++++-\n>  4 files changed, 34 insertions(+), 11 deletions(-)\n> \n> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c\n> index 49e4ac3..b003d96 100644\n> --- a/ovn/northd/ovn-northd.c\n> +++ b/ovn/northd/ovn-northd.c\n> @@ -3052,7 +3052,8 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl)\n>  }\n>  \n>  static void\n> -build_acls(struct ovn_datapath *od, struct hmap *lflows)\n> +build_acls(struct northd_context *ctx, struct ovn_datapath *od,\n> +           struct hmap *lflows)\n>  {\n>      bool has_stateful = has_stateful_acl(od);\n>  \n> 
@@ -3098,12 +3099,16 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)\n>           * for deletion (bit 0 of ct_label is set).\n>           *\n>           * This is enforced at a higher priority than ACLs can be defined. */\n> +        const struct nbrec_nb_global *nbg = nbrec_nb_global_first(ctx->ovnnb_idl);\n> +        bool acl_log_invalid = nbg ? nbg->acl_log_invalid : false;\n>          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,\n>                        \"ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)\",\n> -                      \"drop;\");\n> +                      acl_log_invalid ?\n> +                      \"log(name=\\\"INVALID\\\", verdict=drop); /* drop */\" : \"drop;\");\n>          ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,\n>                        \"ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)\",\n> -                      \"drop;\");\n> +                      acl_log_invalid ?\n> +                      \"log(name=\\\"INVALID\\\", verdict=drop); /* drop */\" : \"drop;\");\n>  \n>          /* Ingress and Egress ACL Table (Priority 65535).\n>           *\n> @@ -3478,8 +3483,9 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows)\n>  }\n>  \n>  static void\n> -build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,\n> -                    struct hmap *lflows, struct hmap *mcgroups)\n> +build_lswitch_flows(struct northd_context *ctx, struct hmap *datapaths,\n> +                    struct hmap *ports, struct hmap *lflows,\n> +                    struct hmap *mcgroups)\n>  {\n>      /* This flow table structure is documented in ovn-northd(8), so please\n>       * update ovn-northd.8.xml if you change anything. */\n> 
@@ -3498,7 +3504,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,\n>          build_pre_acls(od, lflows);\n>          build_pre_lb(od, lflows);\n>          build_pre_stateful(od, lflows);\n> -        build_acls(od, lflows);\n> +        build_acls(ctx, od, lflows);\n>          build_qos(od, lflows);\n>          build_lb(od, lflows);\n>          build_stateful(od, lflows);\n> @@ -5658,7 +5664,7 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths,\n>      struct hmap lflows = HMAP_INITIALIZER(&lflows);\n>      struct hmap mcgroups = HMAP_INITIALIZER(&mcgroups);\n>  \n> -    build_lswitch_flows(datapaths, ports, &lflows, &mcgroups);\n> +    build_lswitch_flows(ctx, datapaths, ports, &lflows, &mcgroups);\n>      build_lrouter_flows(datapaths, ports, &lflows);\n>  \n>      /* Push changes to the Logical_Flow table to database. */\n> diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema\n> index a077bfb..2db788e 100644\n> --- a/ovn/ovn-nb.ovsschema\n> +++ b/ovn/ovn-nb.ovsschema\n> @@ -1,7 +1,7 @@\n>  {\n>      \"name\": \"OVN_Northbound\",\n> -    \"version\": \"5.8.0\",\n> -    \"cksum\": \"2812300190 16766\",\n> +    \"version\": \"5.9.0\",\n> +    \"cksum\": \"2103124828 16872\",\n>      \"tables\": {\n>          \"NB_Global\": {\n>              \"columns\": {\n> @@ -19,7 +19,9 @@\n>                  \"ssl\": {\n>                      \"type\": {\"key\": {\"type\": \"uuid\",\n>                                       \"refTable\": \"SSL\"},\n> -                                     \"min\": 0, \"max\": 1}}},\n> +                                     \"min\": 0, \"max\": 1}},\n> +                \"acl_log_invalid\": {\n> +                    \"type\": {\"key\": \"boolean\", \"min\": 0, \"max\": 1}}},\n>              \"maxRows\": 1,\n>              \"isRoot\": true},\n>          \"Logical_Switch\": {\n> diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml\n> index be72610..1cf349e 100644\n> --- a/ovn/ovn-nb.xml\n> +++ b/ovn/ovn-nb.xml\n> 
@@ -80,6 +80,12 @@\n>          Global SSL configuration.\n>        </column>\n>      </group>\n> +    <group title=\"ACL Logging Options\">\n> +      These columns controls the behaviour related to ACL logging.\n> +      <column name=\"acl_log_invalid\">\n> +        Whether to log the packets classified as invalid by conntrack.\n> +      </column>\n> +    </group>\n>    </table>\n>  \n>    <table name=\"Logical_Switch\" title=\"L2 logical switch\">\n> diff --git a/tests/ovn.at b/tests/ovn.at\n> index fb9fc73..c3af03d 100644\n> --- a/tests/ovn.at\n> +++ b/tests/ovn.at\n> @@ -5775,6 +5775,8 @@ ovn-nbctl --wait=sb lsp-add lsw0 lp1\n>  ovn-nbctl --wait=sb lsp-add lsw0 lp2\n>  ovn-nbctl lsp-set-addresses lp1 $lp1_mac\n>  ovn-nbctl lsp-set-addresses lp2 $lp2_mac\n> +# enable logging for invalid packets\n> +ovn-nbctl set nb_global . acl_log_invalid=true\n>  ovn-nbctl --wait=sb sync\n>  \n>  ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==80' drop\n> 
@@ -5840,13 +5842,20 @@ packet=\"inport==\\\"lp1\\\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&\n>          tcp && tcp.flags==2 && tcp.src==4367 && tcp.dst==87\"\n>  as hv ovs-appctl -t ovn-controller inject-pkt \"$packet\"\n>  \n> -OVS_WAIT_UNTIL([ test 4 = $(grep -c 'acl_log' hv/ovn-controller.log) ])\n> +# Send packet that is invalid and should be dropped with logging.\n> +packet=\"inport==\\\"lp1\\\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&\n> +        ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip &&\n> +        tcp && tcp.src==4367 && tcp.dst==99\"\n> +as hv ovs-appctl -t ovn-controller inject-pkt \"$packet\"\n> +\n> +OVS_WAIT_UNTIL([ test 5 = $(grep -c 'acl_log' hv/ovn-controller.log) ])\n>  \n>  AT_CHECK([grep 'acl_log' hv/ovn-controller.log | sed 's/.*name=/name=/'], [0], [dnl\n>  name=\"drop-flow\", verdict=drop, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4361,tp_dst=81,tcp_flags=syn\n>  name=\"allow-flow\", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4363,tp_dst=83,tcp_flags=syn\n>  name=\"<unnamed>\", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4365,tp_dst=85,tcp_flags=syn\n>  name=\"reject-flow\", verdict=reject, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=87,tcp_flags=syn\n> +name=\"INVALID\", verdict=drop, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=99,tcp_flags=0\n>  ])\n>  \n>  OVN_CLEANUP([hv])\n> -- \n> 2.1.0\n> 
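Review bot: in the build_acls() hunk, nbg->acl_log_invalid is used as a plain bool, but the schema hunk declares the column as boolean with min 0 and max 1, and for an optional scalar column the OVSDB IDL generates a pointer plus a count (bool *acl_log_invalid and size_t n_acl_log_invalid, as it does for the Logical_Switch_Port 'enabled' column); the ternary then converts the pointer to bool, so a column explicitly set to false would still enable logging and only an unset column would disable it. Suggest `bool acl_log_invalid = nbg && nbg->n_acl_log_invalid && *nbg->acl_log_invalid;`. Also, nbrec_nb_global_first() now runs once per logical switch because build_acls() is called inside the per-datapath loop in build_lswitch_flows(); looking NB_Global up once there and passing the resulting bool down would avoid threading ctx through build_acls().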
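Review bot: the new group text in the ovn-nb.xml hunk has a grammar error, 'These columns controls the behaviour' should read 'These columns control the behaviour'. The acl_log_invalid description should also state the default (unset or false: invalid packets are dropped without logging, which is the backward-compatible behavior the commit message promises) and the name the resulting log entries carry ('INVALID' with verdict=drop, per the ovn-northd.c hunk), since that name is what operators will filter ovn-controller logs on.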
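Review bot: in the tests/ovn.at hunk the new packet omits tcp.flags (tcp_flags=0 in the expected log line), which appears to be what makes conntrack mark it invalid; the comment 'Send packet that is invalid' would be clearer if it said why. Note also that the expected entry is logged at severity=info while the other dropped packet in the same AT_CHECK ('drop-flow') is logged at severity=alert; if info is the intended default severity for these drops, that is worth stating in the ovn-nb.xml column description.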
\n> _______________________________________________\n> dev mailing list\n> dev@openvswitch.org\n> https://mail.openvswitch.org/mailman/listinfo/ovs-dev","headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","ovs-dev@mail.linuxfoundation.org"],"Authentication-Results":"ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=openvswitch.org\n\t(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;\n\tenvelope-from=ovs-dev-bounces@openvswitch.org;\n\treceiver=<UNKNOWN>)","Received":["from mail.linuxfoundation.org (mail.linuxfoundation.org\n\t[140.211.169.12])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3yQmrg4Rtyz9sxR\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue, 31 Oct 2017 07:52:35 +1100 (AEDT)","from mail.linux-foundation.org (localhost [127.0.0.1])\n\tby mail.linuxfoundation.org (Postfix) with ESMTP id DB4FDC26;\n\tMon, 30 Oct 2017 20:52:32 +0000 (UTC)","from smtp1.linuxfoundation.org (smtp1.linux-foundation.org\n\t[172.17.192.35])\n\tby mail.linuxfoundation.org (Postfix) with ESMTPS id 3C4ECBD9\n\tfor <dev@openvswitch.org>; Mon, 30 Oct 2017 20:52:32 +0000 (UTC)","from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net\n\t[217.70.183.194])\n\tby smtp1.linuxfoundation.org (Postfix) with ESMTPS id 2323DF8\n\tfor <dev@openvswitch.org>; Mon, 30 Oct 2017 20:52:31 +0000 (UTC)","from ovn.org (unknown [208.91.3.26])\n\t(Authenticated sender: blp@ovn.org)\n\tby relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 779CAC5A5F;\n\tMon, 30 Oct 2017 21:52:28 +0100 (CET)"],"X-Greylist":"domain auto-whitelisted by SQLgrey-1.7.6","X-Originating-IP":"208.91.3.26","Date":"Mon, 30 Oct 2017 13:52:25 -0700","From":"Ben Pfaff <blp@ovn.org>","To":"Han Zhou <zhouhan@gmail.com>, Justin Pettit 
<jpettit@ovn.org>","Message-ID":"<20171030205225.GU27530@ovn.org>","References":"<1504132951-53688-1-git-send-email-zhouhan@gmail.com>","MIME-Version":"1.0","Content-Disposition":"inline","In-Reply-To":"<1504132951-53688-1-git-send-email-zhouhan@gmail.com>","User-Agent":"Mutt/1.5.23 (2014-03-12)","X-Spam-Status":"No, score=-0.2 required=5.0 tests=RCVD_IN_DNSWL_LOW,\n\tRCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1","X-Spam-Checker-Version":"SpamAssassin 3.3.1 (2010-03-16) on\n\tsmtp1.linux-foundation.org","Cc":"dev@openvswitch.org","Subject":"Re: [ovs-dev] [PATCH] ovn: support acl logging for INVALID packets","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.12","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n\t<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n\t<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"ovs-dev-bounces@openvswitch.org","Errors-To":"ovs-dev-bounces@openvswitch.org"}}]