From patchwork Mon Jun 25 16:56:30 2018
X-Patchwork-Submitter: Han Zhou
X-Patchwork-Id: 934479
From: Han Zhou
To: dev@openvswitch.org
Date: Mon, 25 Jun 2018 09:56:30 -0700
Message-Id: <1529945790-20901-1-git-send-email-hzhou8@ebay.com>
Subject: [ovs-dev] [PATCH v2] ovn.at: Add stateful test for ACL on port groups.

A bug was reported on the feature of applying ACLs on port groups [1]. This bug was not detected by the original test case, because it didn't test the return traffic and so didn't ensure the stateful feature is working.

The fix [2] causes the original test case to fail, because once conntrack is enabled the test packets are dropped: the checksums in those packets are invalid, so the packets are marked with the "invalid" state by conntrack. To avoid the test case failure, the fix [2] changed it to test stateless ACL only, which leaves the scenario untested, although it is fixed.

This patch adds back the stateful ACL in the test, and replaces dummy/receive with inject-pkt to send the test packets, so that checksums can be properly filled in. It also adds tests for the return traffic, which ensures the stateful feature is working.

[1] https://mail.openvswitch.org/pipermail/ovs-discuss/2018-June/046927.html
[2] https://patchwork.ozlabs.org/patch/931913/
Signed-off-by: Han Zhou --- Note: this patch depends on Daniel's patch [2] which is not merged yet. v1->v2: - Addressed Jacub's comments - simplified packet expr and removed debug information. - Renamed test_ip to test_icmp. tests/ovn.at | 60 ++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 16 deletions(-) diff --git a/tests/ovn.at b/tests/ovn.at index 93644b0..7317d39 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -9981,7 +9981,7 @@ ovn-nbctl create Port_Group name=pg2 ports="$pg2_ports" # create ACLs on pg1 to drop traffic from pg2 to pg1 ovn-nbctl acl-add pg1 to-lport 1001 'outport == @pg1' drop ovn-nbctl --type=port-group acl-add pg1 to-lport 1002 \ - 'outport == @pg1 && ip4.src == $pg2_ip4' allow + 'outport == @pg1 && ip4.src == $pg2_ip4' allow-related # Physical network: # @@ -10043,7 +10043,7 @@ OVN_POPULATE_ARP # XXX This should be more systematic. sleep 1 -# test_ip INPORT SRC_MAC DST_MAC SRC_IP DST_IP OUTPORT... +# test_ip INPORT SRC_MAC DST_MAC SRC_IP DST_IP ICMP_TYPE OUTPORT... # # This shell function causes a packet to be received on INPORT. The packet's # content has Ethernet destination DST and source SRC (each exactly 12 hex 
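Review bot: in the first hunk, the switch from `allow` to `allow-related` on the priority-1002 rule is what makes the return-traffic checks later in the patch meaningful, but the comment just above it still only says "create ACLs on pg1 to drop traffic from pg2 to pg1". Extend the comment to say that pg2 -> pg1 is allowed statefully (allow-related) while everything else destined to pg1 is dropped at 1001, so a reader of the test sees why reply packets are expected to pass without a matching ACL of their own.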
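Review bot: in the second hunk the usage comment is updated to add ICMP_TYPE but still names the helper `test_ip`, while the function itself is renamed to `test_icmp` in the following hunk; the header should read `# test_icmp INPORT SRC_MAC DST_MAC SRC_IP DST_IP ICMP_TYPE OUTPORT...`. The rest of that comment ("each exactly 12 hex ...") also describes the old raw-hex MAC arguments, whereas the new helper takes colon-separated MACs from `lsp_to_mac`/`lrp_to_mac` and dotted IPs, so that description needs the same update.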
@@ -10057,26 +10057,42 @@ for i in 1 2 3; do done done done -test_ip() { - # This packet has bad checksums but logical L3 routing doesn't check. - local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 - local packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}${dst_ip}0035111100080000 - shift; shift; shift; shift; shift + +lsp_to_mac() { + echo f0:00:00:00:0${1:0:1}:${1:1:2} +} + +lrp_to_mac() { + echo 00:00:00:00:ff:$1 +} + +test_icmp() { + local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 icmp_type=$6 + local packet="inport==\"lp$inport\" && eth.src==$src_mac && + eth.dst==$dst_mac && ip.ttl==64 && ip4.src==$src_ip + && ip4.dst==$dst_ip && icmp4.type==$icmp_type && + icmp4.code==0" + shift; shift; shift; shift; shift; shift hv=hv`vif_to_hv $inport` - as $hv ovs-appctl netdev-dummy/receive vif$inport $packet - #as $hv ovs-appctl ofproto/trace br-int in_port=$inport $packet + as $hv ovs-appctl -t ovn-controller inject-pkt "$packet" in_ls=`vif_to_ls $inport` in_lrp=`vif_to_lrp $inport` for outport; do out_ls=`vif_to_ls $outport` if test $in_ls = $out_ls; then # Ports on the same logical switch receive exactly the same packet. - echo $packet + echo $packet | ovstest test-ovn expr-to-packets else # Routing decrements TTL and updates source and dest MAC # (and checksum). out_lrp=`vif_to_lrp $outport` - echo f00000000${outport}00000000ff${out_lrp}08004500001c00000000"3f1101"00${src_ip}${dst_ip}0035111100080000 + exp_smac=`lrp_to_mac $out_lrp` + exp_dmac=`lsp_to_mac $outport` + exp_packet="eth.src==$exp_smac && eth.dst==$exp_dmac && + ip.ttl==63 && ip4.src==$src_ip && ip4.dst==$dst_ip && + icmp4.type==$icmp_type && icmp4.code==0" + echo $exp_packet | ovstest test-ovn expr-to-packets + fi >> $outport.expected done } 
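Review bot: `lsp_to_mac` relies on `${1:0:1}` and `${1:1:2}`, which is bash/ksh substring expansion and not POSIX; the testsuite is run by autotest under the configured shell, and under a plain sh such as dash this expansion is a syntax error, which would make every call in the loops below fail. Derive the pieces portably instead, e.g. `echo f0:00:00:00:0$(echo "$1" | cut -c1):$(echo "$1" | cut -c2-3)`, or have the callers pass `$is $js $ks` as separate arguments so the function is just `echo f0:00:00:00:0$1:$2$3`.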
@@ -10099,14 +10115,17 @@ for is in 1 2 3; do for ks in 1 2 3; do bcast= s=$is$js$ks - smac=f00000000$s - sip=`ip_to_hex 192 168 $is$js $ks` + slsp_mac=`lsp_to_mac $s` + slrp_mac=`lrp_to_mac $is$js` + sip=192.168.$is$js.$ks for id in 1 2 3; do for jd in 1 2 3; do for kd in 1 2 3; do d=$id$jd$kd - dip=`ip_to_hex 192 168 $id$jd $kd` - if test $is = $id; then dmac=f00000000$d; else dmac=00000000ff$is$js; fi + dlsp_mac=`lsp_to_mac $d` + dlrp_mac=`lrp_to_mac $id$jd` + dip=192.168.$id$jd.$kd + if test $is = $id; then dmac=$dlsp_mac; else dmac=$slrp_mac; fi if test $d != $s; then unicast=$d; else unicast=; fi # packets matches ACL1 but not ACL2 should be dropped @@ -10115,7 +10134,16 @@ for is in 1 2 3; do unicast= fi fi - test_ip $s $smac $dmac $sip $dip $unicast #1 + # icmp request (type = 8) + test_icmp $s $slsp_mac $dmac $sip $dip 8 $unicast + + # if packets are not dropped, test the return traffic (icmp echo) + # to make sure stateful works, too. + if test x$unicast != x; then + if test $is = $id; then dmac=$slsp_mac; else dmac=$dlrp_mac; fi + # icmp echo (type = 0) + test_icmp $unicast $dlsp_mac $dmac $dip $sip 0 $s + fi done done done
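Review bot: in the last hunk the comments `# icmp request (type = 8)` and `# icmp echo (type = 0)` (and "test the return traffic (icmp echo)") are imprecise: type 8 is an ICMP echo request and type 0 is an echo reply, and since the whole point of the reply injection is to exercise the conntrack reply direction, name it so, e.g. `# icmp echo request (type 8)` and `# icmp echo reply (type 0)`. Note also that `dmac` is silently reassigned for the reply in the `if test x$unicast != x` block; a one-line comment that it now means the reply's destination MAC (the originating LSP, or the router port on the destination switch) would spare the next reader from re-deriving it.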
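The commit message says the old hard-coded packets carried bad checksums and therefore ended up in conntrack's "invalid" state once the allow-related ACL enabled conntrack. The following script, added here as an illustration and not part of the patch or of the OVS test suite, rebuilds the removed `test_ip` packet layout (IPv4 header with a zero checksum field followed by an 8-byte UDP header) for constructed addresses in the test's 192.168.x.y scheme, verifies the IPv4 header checksum the way a conntrack implementation would, and shows the value that would have to be filled in for the packet to be accepted. The MACs and IPs are made up for the example.

```python
import struct

# Constructed sample addresses following the test's lp<i><j><k> scheme
# (hypothetical; any two hosts on the same logical switch would do).
SRC_MAC = "f00000000111"   # f0:00:00:00:01:11
DST_MAC = "f00000000112"   # f0:00:00:00:01:12
SRC_IP = "c0a80b01"        # 192.168.11.1
DST_IP = "c0a80b02"        # 192.168.11.2

ETH_HLEN = 14


def old_test_packet(src_mac, dst_mac, src_ip, dst_ip):
    """Same byte layout as the removed test_ip() helper: Ethernet header,
    20-byte IPv4 header (TTL 64, proto 17, checksum field 0000), then an
    8-byte UDP header with a zero (i.e. absent, which is legal) checksum."""
    return bytes.fromhex(
        dst_mac + src_mac + "0800"
        + "4500001c0000000040110000" + src_ip + dst_ip
        + "0035111100080000"
    )


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words, end-around carry
    folded, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(frame):
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    return frame[ETH_HLEN:ETH_HLEN + ihl]


def ipv4_header_checksum_ok(frame):
    """A correctly checksummed IPv4 header sums to zero when the checksum
    field is included; conntrack treats anything else as invalid."""
    return inet_checksum(ipv4_header(frame)) == 0


def fix_ipv4_checksum(frame):
    """Return a copy of the frame with the IPv4 header checksum filled in,
    which is what inject-pkt does for the expression-built packets."""
    hdr = bytearray(ipv4_header(frame))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return frame[:ETH_HLEN] + bytes(hdr) + frame[ETH_HLEN + len(hdr):]


def ipv4_checksum_field(frame):
    """The on-the-wire checksum field, for inspection."""
    return ipv4_header(frame)[10:12]


if __name__ == "__main__":
    frame = old_test_packet(SRC_MAC, DST_MAC, SRC_IP, DST_IP)
    print("old test packet checksum valid:", ipv4_header_checksum_ok(frame))
    fixed = fix_ipv4_checksum(frame)
    print("required checksum field:", ipv4_checksum_field(fixed).hex())
    print("after fix valid:", ipv4_header_checksum_ok(fixed))
```

Run as-is it reports the original template as invalid and prints the checksum a real sender would have written. Note that the zero UDP checksum in the old template is legal for UDP over IPv4, so the IPv4 header checksum is the field that made conntrack reject these packets; building the packets from an OVN expression with inject-pkt sidesteps the problem entirely rather than patching the hex by hand.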