From patchwork Wed Sep 2 23:44:11 2015
X-Patchwork-Submitter: Ben Pfaff
X-Patchwork-Id: 513709
From: Ben Pfaff
To: dev@openvswitch.org
Cc: Ben Pfaff
Date: Wed, 2 Sep 2015 16:44:11 -0700
Subject: [ovs-dev] [PATCH v2 14/14] tests: Test ACLs in OVN end-to-end test.
Message-Id: <1441237451-17940-14-git-send-email-blp@nicira.com>
In-Reply-To: <1441237451-17940-1-git-send-email-blp@nicira.com>
References: <1441237451-17940-1-git-send-email-blp@nicira.com>
X-Mailer: git-send-email 2.1.3

Signed-off-by: Ben Pfaff
---
tests/ovn.at | 57 ++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 44 insertions(+), 13 deletions(-)

diff --git a/tests/ovn.at b/tests/ovn.at
index 8e442fa..a83b127 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -435,6 +435,7 @@ ovn_start # Add all of the vifs to a single logical switch lsw0. # Turn on port security on all the vifs except vif[123]1. # Make vif13, vif2[23], vif3[123] destinations for unknown MACs. +# Add some ACLs for Ethertypes 1234, 1235, 1236. ovn-nbctl lswitch-add lsw0 net_add n1 for i in 1 2 3; do
@@ -454,6 +455,14 @@ for i in 1 2 3; do fi done done +ovn-nbctl \ + -- --id=@acl1 create acl priority=1000 action=drop \ + match='"eth.type == 0x1234"' \ + -- --id=@acl2 create acl priority=1000 action=drop \ + match='"eth.type == 0x1235 && inport == \"lp11\""' \ + -- --id=@acl3 create acl priority=1000 action=drop \ + match='"eth.type == 0x1236 && outport == \"lp33\""' \ + -- set Logical_Switch lsw0 acls=@acl1,@acl2,@acl3 # Pre-populate the hypervisors' ARP tables so that we don't lose any # packets for ARP resolution (native tunneling doesn't queue packets 
@@ -508,31 +517,46 @@ test_packet() { # # 6. The lswitch delivers packets with an unknown destination to lports with # "unknown" among their MAC addresses (and port security disabled). +# +# 7. The lswitch drops unicast packets that violate an ACL. +# +# 8. The lswitch drops multicast and broadcast packets that violate an ACL. for is in 1 2 3; do for js in 1 2 3; do s=$is$js bcast= unknown= + bacl2= + bacl3= for id in 1 2 3; do for jd in 1 2 3; do d=$id$jd - impersonate= - if test $d != $s; then - unicast=$d - bcast="$bcast $d" - if test $js = 1; then - impersonate=$d - fi - if test $jd = 1; then - unknown="$unknown $d" - fi - else - unicast= - fi + + if test $d != $s; then unicast=$d; else unicast=; fi test_packet $s f000000000$d f000000000$s $s$d $unicast #1 + + if test $d != $s && test $js = 1; then + impersonate=$d + else + impersonate= + fi test_packet $s f000000000$d f00000000055 55$d $impersonate #3 + + if test $d != $s && test $s != 11; then acl2=$d; else acl2=; fi + if test $d != $s && test $d != 33; then acl3=$d; else acl3=; fi + test_packet $s f000000000$d f000000000$s 1234 #7, acl1 + test_packet $s f000000000$d f000000000$s 1235 $acl2 #7, acl2 + test_packet $s f000000000$d f000000000$s 1236 $acl3 #7, acl3 + test_packet $s f000000000$d f00000000055 810000091234 #4 test_packet $s f000000000$d 0100000000$s $s$d #5 + + if test $d != $s && test $jd = 1; then + unknown="$unknown $d" + fi + bcast="$bcast $unicast" + bacl2="$bacl2 $acl2" + bacl3="$bacl3 $acl3" done done 
@@ -547,6 +571,13 @@ for is in 1 2 3; do test_packet $s 010000000000 f00000000044 44ff $bcast_impersonate #3 test_packet $s f0000000ffff f000000000$s ${s}66 $unknown #6 + + test_packet $s ffffffffffff f000000000$s 1234 #8, acl1 + test_packet $s ffffffffffff f000000000$s 1235 $bacl2 #8, acl2 + test_packet $s ffffffffffff f000000000$s 1236 $bacl3 #8, acl3 + test_packet $s 010000000000 f000000000$s 1234 #8, acl1 + test_packet $s 010000000000 f000000000$s 1235 $bacl2 #8, acl2 + test_packet $s 010000000000 f000000000$s 1236 $bacl3 #8, acl3 done done
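Review bot: In the first hunk (@@ -435), the new comment reads "ACLs for Ethertypes 1234, 1235, 1236" while the matches it refers to are written `eth.type == 0x1234` and the values handed to test_packet are hex digits in the frame; spelling the comment as `0x1234, 0x1235, 0x1236` keeps a reader from taking them for decimal Ethertypes.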
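Review bot: In the ovn-nbctl hunk (@@ -454), all three ACLs are `action=drop` at the same `priority=1000`, so only the drop path is exercised; the matches are disjoint on eth.type, so the equal priorities are unambiguous here, but the case most likely to regress (a higher-priority `allow` overriding a drop, or two ACLs whose matches overlap at the same priority) is not covered. Consider adding one `allow` ACL at priority 1001 that matches a subset of the 0x1234 traffic (for example by inport) and asserting that those frames are delivered while the rest are still dropped.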
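Review bot: In the loop hunk (@@ -508), the numbered header comments 7 and 8 say an ACL is "violated" but not which ACL matches what, so the expected-port arithmetic that follows (`acl2=` empty only when `$s` is 11, `acl3=` empty only when `$d` is 33) can only be checked by scrolling back to the ovn-nbctl block. Stating it in the comment, e.g. "acl1: eth.type 0x1234 from any port; acl2: 0x1235 from lp11; acl3: 0x1236 to lp33", makes the #7 and #8 expectations verifiable in place. Also, the new `#7` tests are inserted between `#3` and `#4`, so the numbered comments no longer follow loop order; placing them after `#5` keeps the sequence readable.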
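Review bot: In the last hunk (@@ -547), the ACL checks cover the broadcast (ffffffffffff) and multicast (010000000000) destinations but not the unknown-destination flood path that #6 exercises just above (`f0000000ffff` delivered to `$unknown`); since acl3 matches on `outport`, flooding to the "unknown" ports is exactly where a per-outport ACL is most likely to diverge from the broadcast case, so a `test_packet $s f0000000ffff f000000000$s 1236 ...` with the expected list derived from `$unknown` would close that gap. Minor: the six new lines differ only in the destination MAC; a `for dst in ffffffffffff 010000000000; do ... done` around the three calls would halve the repetition.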