From patchwork Thu May 10 06:32:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Han Zhou X-Patchwork-Id: 911290 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="TdDX8d/x"; dkim-atps=neutral Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 40hNgN1qHgz9s3Z for ; Thu, 10 May 2018 16:32:15 +1000 (AEST) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id CB83E5AC; Thu, 10 May 2018 06:32:11 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 0DAA44A3 for ; Thu, 10 May 2018 06:32:11 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pf0-f194.google.com (mail-pf0-f194.google.com [209.85.192.194]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 8CF6D685 for ; Thu, 10 May 2018 06:32:08 +0000 (UTC) Received: by mail-pf0-f194.google.com with SMTP id x9-v6so578614pfm.2 for ; Wed, 09 May 2018 23:32:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=Ek5I5LimecZGgHBOS6AkiCzfYtRVCNapIVhtDLzZVeA=; b=TdDX8d/xfltm2fdqwrgIwq9gXE72rR/X0xEKWfCBQ+BLOy4/QXZm64aBHgRVlJJr6C fVfb9PXI4aNHjhF9upQKNmyxLzDEPUJlajMoCbiR/CnIdWxSFcD7jdOoW9CcVV+KmXHC S/4uFMEX43jj79tHlP7tcWwyFMy7sFhivjeICHqlw1srofSByw9Q6n/5VI1q/A6Xv/dX u2/MY2lF0m4+XDqbsROarTGSAEqqALHA6Xw1E/c9OwfhfxS+94PhJnbR87XI1P8x/Iyi 7RleCWCEnijAs20UoMdIbahXcVoBay0M/jSm1cD3kTFWzSFDHTLIF/hDMvNbxSxu5RoN bHow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=Ek5I5LimecZGgHBOS6AkiCzfYtRVCNapIVhtDLzZVeA=; b=dpy/S+Y/XTXrcI+UkxeeaDC/B2hvTIUd/uRJD3Qqpq8U/MYY8RxRw+fpSD8jitOs98 1nlPDkN+IHt4DiHBSABVIMPZSZHgqrPptDZWiKn67ITOh+nC0NOIdD7V10b1+c1LLvcK QJPBYsbOV/Fa+Ukn3c7EQS4y8oBRjTL9DkzWZfH0yUx5Nbn1Gt24/e36I6e45Y6/DtZr oByP3GN4+uw/AxKUXV2sr+hDrgdKnIJvuqGxhbzUv/lbeip8+eUXCJa+qR6qrL3nKur/ 9twyM2/BUcBtd9JGiOeH38oQ0sTk0r5kzGqDsld3pJ5l2sFCKH5r0JfF5v0oR+OWZUWP QFFQ== X-Gm-Message-State: ALKqPwduCoAPyE9z/ZUIEbZwuxUiX69krKYSFBePuzBhfrSeVuXrgUif 3vCgCe/G9F5vWMc+wfZgWcymyA== X-Google-Smtp-Source: AB8JxZqd28ZxtTDR/j4SiDWiy/aTfQKNdSJf1PHelRK559D9i9DvRMfoyUNUHX9HyRKD+6zcL/JVTw== X-Received: by 2002:a65:4289:: with SMTP id j9-v6mr135526pgp.136.1525933927364; Wed, 09 May 2018 23:32:07 -0700 (PDT) Received: from localhost.localdomain.localdomain (c-73-162-150-77.hsd1.ca.comcast.net. [73.162.150.77]) by smtp.gmail.com with ESMTPSA id r8-v6sm211681pfk.179.2018.05.09.23.32.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 09 May 2018 23:32:06 -0700 (PDT) From: Han Zhou X-Google-Original-From: Han Zhou To: dev@openvswitch.org Date: Wed, 9 May 2018 23:32:04 -0700 Message-Id: <1525933924-19994-1-git-send-email-hzhou8@ebay.com> X-Mailer: git-send-email 2.1.0 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [PATCH v2] ovn-nbctl: Support ACL commands on port groups. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Add support for using ovn-nbctl to add/delete/list ACLs on port groups. A new option --type is also supported for these commands to explicitely specify, when needed, whether the operation is on a port-group or a logical switch. E.g. ovn-nbctl --type=port-group acl-add port_group1 to-lport 1000 \ 'outport == @port_group1 && ip4.src == $port_group1_ip4' \ allow-related Signed-off-by: Han Zhou --- Notes: v1->v2: Add option --type={switch | port-group} to specify whether the acl applies to a logical switch or a port group, and be able to guess when the option is not specified. ovn/utilities/ovn-nbctl.8.xml | 46 ++++++---- ovn/utilities/ovn-nbctl.c | 201 +++++++++++++++++++++++++++++++----------- tests/ovn-nbctl.at | 70 +++++++++------ tests/ovn.at | 11 +-- 4 files changed, 221 insertions(+), 107 deletions(-) diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml index bfbd842..eadd206 100644 --- a/ovn/utilities/ovn-nbctl.8.xml +++ b/ovn/utilities/ovn-nbctl.8.xml @@ -74,19 +74,27 @@ -

Logical Switch ACL Commands

+

ACL Commands

+

+ These commands operates on ACL objects for a given entity. + The entity can be either a logical switch or a port group. + The entity can be specified as uuid or name. The + --type option can be used to specify the type of the + entity, in case both a logical switch and a port groups exist + with the same name specified for entity. type + must be either switch or port-group. +

-
[--log] [--severity=severity] [--name=name] [--may-exist] acl-add switch direction priority match verdict
+
[--type={switch | port-group}] [--log] [--severity=severity] [--name=name] [--may-exist] acl-add entity direction priority match verdict

- Adds the specified ACL to switch. - direction must be either from-lport or - to-lport. priority must be between - 0 and 32767, inclusive. A full - description of the fields are in ovn-nb(5). If - --may-exist is specified, adding a duplicated ACL - succeeds but the ACL is not really created. Without - --may-exist, adding a duplicated ACL results in + Adds the specified ACL to entity. direction + must be either from-lport or to-lport. + priority must be between 0 and + 32767, inclusive. A full description of the fields are + in ovn-nb(5). If --may-exist is specified, + adding a duplicated ACL succeeds but the ACL is not really created. + Without --may-exist, adding a duplicated ACL results in error.

@@ -101,19 +109,19 @@

-
acl-del switch [direction [priority match]]
+
[--type={switch | port-group}] acl-del entity [direction [priority match]]
- Deletes ACLs from switch. If only - switch is supplied, all the ACLs from the logical - switch are deleted. If direction is also specified, - then all the flows in that direction will be deleted from the - logical switch. If all the fields are given, then a single flow - that matches all the fields will be deleted. + Deletes ACLs from entity. If only entity is + supplied, all the ACLs from the entity are deleted. If + direction is also specified, then all the flows in that + direction will be deleted from the entity. If all the + fields are given, then a single flow that matches all the fields will + be deleted.
-
acl-list switch
+
[--type={switch | port-group}] acl-list entity
- Lists the ACLs on switch. + Lists the ACLs on entity.
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c index 05d783c..6f13377 100644 --- a/ovn/utilities/ovn-nbctl.c +++ b/ovn/utilities/ovn-nbctl.c @@ -342,12 +342,15 @@ Logical switch commands:\n\ ls-list print the names of all logical switches\n\ \n\ ACL commands:\n\ - [--log] [--severity=SEVERITY] [--name=NAME] [--may-exist]\n\ - acl-add SWITCH DIRECTION PRIORITY MATCH ACTION\n\ - add an ACL to SWITCH\n\ - acl-del SWITCH [DIRECTION [PRIORITY MATCH]]\n\ - remove ACLs from SWITCH\n\ - acl-list SWITCH print ACLs for SWITCH\n\ + [--type={switch | port-group}] [--log] [--severity=SEVERITY] [--name=NAME] [--may-exist]\n\ + acl-add {SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION\n\ + add an ACL to SWITCH/PORTGROUP\n\ + [--type={switch | port-group}]\n\ + acl-del {SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]\n\ + remove ACLs from SWITCH/PORTGROUP\n\ + [--type={switch | port-group}]\n\ + acl-list {SWITCH | PORTGROUP}\n\ + print ACLs for SWITCH\n\ \n\ QoS commands:\n\ qos-add SWITCH DIRECTION PRIORITY MATCH [rate=RATE [burst=BURST]] [dscp=DSCP]\n\ @@ -598,6 +601,36 @@ lb_by_name_or_uuid(struct ctl_context *ctx, const char *id, bool must_exist) return lb; } +static const struct nbrec_port_group * +pg_by_name_or_uuid(struct ctl_context *ctx, const char *id, bool must_exist) +{ + const struct nbrec_port_group *pg = NULL; + + struct uuid pg_uuid; + bool is_uuid = uuid_from_string(&pg_uuid, id); + if (is_uuid) { + pg = nbrec_port_group_get_for_uuid(ctx->idl, &pg_uuid); + } + + if (!pg) { + const struct nbrec_port_group *iter; + + NBREC_PORT_GROUP_FOR_EACH (iter, ctx->idl) { + if (!strcmp(iter->name, id)) { + pg = iter; + break; + } + } + } + + if (!pg && must_exist) { + ctl_fatal("%s: port group %s not found", id, + is_uuid ? "UUID" : "name"); + } + + return pg; +} + static void print_alias(const struct smap *external_ids, const char *key, struct ds *s) { @@ -845,19 +878,19 @@ static void nbctl_ls_list(struct ctl_context *ctx) { const struct nbrec_logical_switch *ls; - struct smap lswitches; + struct smap switches; - smap_init(&lswitches); + smap_init(&switches); NBREC_LOGICAL_SWITCH_FOR_EACH(ls, ctx->idl) { - smap_add_format(&lswitches, ls->name, UUID_FMT " (%s)", + smap_add_format(&switches, ls->name, UUID_FMT " (%s)", UUID_ARGS(&ls->header_.uuid), ls->name); } - const struct smap_node **nodes = smap_sort(&lswitches); - for (size_t i = 0; i < smap_count(&lswitches); i++) { + const struct smap_node **nodes = smap_sort(&switches); + for (size_t i = 0; i < smap_count(&switches); i++) { const struct smap_node *node = nodes[i]; ds_put_format(&ctx->output, "%s\n", node->value); } - smap_destroy(&lswitches); + smap_destroy(&switches); free(nodes); } @@ -1407,22 +1440,54 @@ acl_cmp(const void *acl1_, const void *acl2_) } static void +acl_cmd_get_pg_or_ls(struct ctl_context *ctx, + const struct nbrec_logical_switch **ls, + const struct nbrec_port_group **pg) +{ + const char *opt_type = shash_find_data(&ctx->options, "--type"); + if (!opt_type) { + *pg = pg_by_name_or_uuid(ctx, ctx->argv[1], false); + *ls = ls_by_name_or_uuid(ctx, ctx->argv[1], false); + if (*pg && *ls) { + ctl_fatal("Same name '%s' exists in both port-groups and " + "logical switches. Specify --type=port-group or " + "switch, or use a UUID.", ctx->argv[1]); + } + if (!*pg && !*ls) { + ctl_fatal("'%s' is not found for port-group or switch.", + ctx->argv[1]); + } + } else if (!strcmp(opt_type, "port-group")) { + *pg = pg_by_name_or_uuid(ctx, ctx->argv[1], true); + *ls = NULL; + } else if (!strcmp(opt_type, "switch")) { + *ls = ls_by_name_or_uuid(ctx, ctx->argv[1], true); + *pg = NULL; + } else { + ctl_fatal("Invalid value '%s' for option --type", opt_type); + } +} + +static void nbctl_acl_list(struct ctl_context *ctx) { - const struct nbrec_logical_switch *ls; + const struct nbrec_logical_switch *ls = NULL; + const struct nbrec_port_group *pg = NULL; const struct nbrec_acl **acls; size_t i; - ls = ls_by_name_or_uuid(ctx, ctx->argv[1], true); + acl_cmd_get_pg_or_ls(ctx, &ls, &pg); + size_t n_acls = pg ? pg->n_acls : ls->n_acls; + struct nbrec_acl **nb_acls = pg ? pg->acls : ls->acls; - acls = xmalloc(sizeof *acls * ls->n_acls); - for (i = 0; i < ls->n_acls; i++) { - acls[i] = ls->acls[i]; + acls = xmalloc(sizeof *acls * n_acls); + for (i = 0; i < n_acls; i++) { + acls[i] = nb_acls[i]; } - qsort(acls, ls->n_acls, sizeof *acls, acl_cmp); + qsort(acls, n_acls, sizeof *acls, acl_cmp); - for (i = 0; i < ls->n_acls; i++) { + for (i = 0; i < n_acls; i++) { const struct nbrec_acl *acl = acls[i]; ds_put_format(&ctx->output, "%10s %5"PRId64" (%s) %s", acl->direction, acl->priority, acl->match, @@ -1492,10 +1557,11 @@ parse_priority(const char *arg) static void nbctl_acl_add(struct ctl_context *ctx) { - const struct nbrec_logical_switch *ls; + const struct nbrec_logical_switch *ls = NULL; + const struct nbrec_port_group *pg = NULL; const char *action = ctx->argv[5]; - ls = ls_by_name_or_uuid(ctx, ctx->argv[1], true); + acl_cmd_get_pg_or_ls(ctx, &ls, &pg); const char *direction = parse_direction(ctx->argv[2]); int64_t priority = parse_priority(ctx->argv[3]); @@ -1532,9 +1598,11 @@ nbctl_acl_add(struct ctl_context *ctx) nbrec_acl_set_name(acl, name); } - /* Check if same acl already exists for the ls */ - for (size_t i = 0; i < ls->n_acls; i++) { - if (!acl_cmp(&ls->acls[i], &acl)) { + /* Check if same acl already exists for the ls/portgroup */ + size_t n_acls = pg ? pg->n_acls : ls->n_acls; + struct nbrec_acl **acls = pg ? pg->acls : ls->acls; + for (size_t i = 0; i < n_acls; i++) { + if (!acl_cmp(&acls[i], &acl)) { bool may_exist = shash_find(&ctx->options, "--may-exist") != NULL; if (!may_exist) { ctl_fatal("Same ACL already existed on the ls %s.", @@ -1544,45 +1612,64 @@ nbctl_acl_add(struct ctl_context *ctx) } } - /* Insert the acl into the logical switch. */ - nbrec_logical_switch_verify_acls(ls); - struct nbrec_acl **new_acls = xmalloc(sizeof *new_acls * (ls->n_acls + 1)); - nullable_memcpy(new_acls, ls->acls, sizeof *new_acls * ls->n_acls); - new_acls[ls->n_acls] = acl; - nbrec_logical_switch_set_acls(ls, new_acls, ls->n_acls + 1); + /* Insert the acl into the logical switch/port group. */ + struct nbrec_acl **new_acls = xmalloc(sizeof *new_acls * (n_acls + 1)); + nullable_memcpy(new_acls, acls, sizeof *new_acls * n_acls); + new_acls[n_acls] = acl; + if (pg) { + nbrec_port_group_verify_acls(pg); + nbrec_port_group_set_acls(pg, new_acls, n_acls + 1); + } else { + nbrec_logical_switch_verify_acls(ls); + nbrec_logical_switch_set_acls(ls, new_acls, n_acls + 1); + } free(new_acls); } static void nbctl_acl_del(struct ctl_context *ctx) { - const struct nbrec_logical_switch *ls; - ls = ls_by_name_or_uuid(ctx, ctx->argv[1], true); + const struct nbrec_logical_switch *ls = NULL; + const struct nbrec_port_group *pg = NULL; + + acl_cmd_get_pg_or_ls(ctx, &ls, &pg); if (ctx->argc == 2) { /* If direction, priority, and match are not specified, delete * all ACLs. */ - nbrec_logical_switch_verify_acls(ls); - nbrec_logical_switch_set_acls(ls, NULL, 0); + if (pg) { + nbrec_port_group_verify_acls(pg); + nbrec_port_group_set_acls(pg, NULL, 0); + } else { + nbrec_logical_switch_verify_acls(ls); + nbrec_logical_switch_set_acls(ls, NULL, 0); + } return; } const char *direction = parse_direction(ctx->argv[2]); + size_t n_acls = pg ? pg->n_acls : ls->n_acls; + struct nbrec_acl **acls = pg ? pg->acls : ls->acls; /* If priority and match are not specified, delete all ACLs with the * specified direction. */ if (ctx->argc == 3) { - struct nbrec_acl **new_acls = xmalloc(sizeof *new_acls * ls->n_acls); + struct nbrec_acl **new_acls = xmalloc(sizeof *new_acls * n_acls); - int n_acls = 0; - for (size_t i = 0; i < ls->n_acls; i++) { - if (strcmp(direction, ls->acls[i]->direction)) { - new_acls[n_acls++] = ls->acls[i]; + int n_new_acls = 0; + for (size_t i = 0; i < n_acls; i++) { + if (strcmp(direction, acls[i]->direction)) { + new_acls[n_new_acls++] = acls[i]; } } - nbrec_logical_switch_verify_acls(ls); - nbrec_logical_switch_set_acls(ls, new_acls, n_acls); + if (pg) { + nbrec_port_group_verify_acls(pg); + nbrec_port_group_set_acls(pg, new_acls, n_new_acls); + } else { + nbrec_logical_switch_verify_acls(ls); + nbrec_logical_switch_set_acls(ls, new_acls, n_new_acls); + } free(new_acls); return; } @@ -1594,17 +1681,23 @@ nbctl_acl_del(struct ctl_context *ctx) } /* Remove the matching rule. */ - for (size_t i = 0; i < ls->n_acls; i++) { - struct nbrec_acl *acl = ls->acls[i]; + for (size_t i = 0; i < n_acls; i++) { + struct nbrec_acl *acl = acls[i]; if (priority == acl->priority && !strcmp(ctx->argv[4], acl->match) && !strcmp(direction, acl->direction)) { struct nbrec_acl **new_acls - = xmemdup(ls->acls, sizeof *new_acls * ls->n_acls); - new_acls[i] = ls->acls[ls->n_acls - 1]; - nbrec_logical_switch_verify_acls(ls); - nbrec_logical_switch_set_acls(ls, new_acls, - ls->n_acls - 1); + = xmemdup(acls, sizeof *new_acls * n_acls); + new_acls[i] = acls[n_acls - 1]; + if (pg) { + nbrec_port_group_verify_acls(pg); + nbrec_port_group_set_acls(pg, new_acls, + n_acls - 1); + } else { + nbrec_logical_switch_verify_acls(ls); + nbrec_logical_switch_set_acls(ls, new_acls, + n_acls - 1); + } free(new_acls); return; } @@ -3925,11 +4018,13 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "ls-list", 0, 0, "", NULL, nbctl_ls_list, NULL, "", RO }, /* acl commands. */ - { "acl-add", 5, 6, "SWITCH DIRECTION PRIORITY MATCH ACTION", NULL, - nbctl_acl_add, NULL, "--log,--may-exist,--name=,--severity=", RW }, - { "acl-del", 1, 4, "SWITCH [DIRECTION [PRIORITY MATCH]]", NULL, - nbctl_acl_del, NULL, "", RW }, - { "acl-list", 1, 1, "SWITCH", NULL, nbctl_acl_list, NULL, "", RO }, + { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", + NULL, nbctl_acl_add, NULL, + "--log,--may-exist,--type=,--name=,--severity=", RW }, + { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", + NULL, nbctl_acl_del, NULL, "--type=", RW }, + { "acl-list", 1, 1, "{SWITCH | PORTGROUP}", + NULL, nbctl_acl_list, NULL, "--type=", RO }, /* qos commands. */ { "qos-add", 5, 7, diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index e1e8173..62d8228 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -178,22 +178,19 @@ AT_CLEANUP dnl --------------------------------------------------------------------- -AT_SETUP([ovn-nbctl - ACLs]) -OVN_NBCTL_TEST_START - -AT_CHECK([ovn-nbctl ls-add ls0]) -AT_CHECK([ovn-nbctl --log acl-add ls0 from-lport 600 udp drop]) -AT_CHECK([ovn-nbctl --log --name=test --severity=info acl-add ls0 to-lport 500 udp drop]) -AT_CHECK([ovn-nbctl acl-add ls0 from-lport 400 tcp drop]) -AT_CHECK([ovn-nbctl acl-add ls0 to-lport 300 tcp drop]) -AT_CHECK([ovn-nbctl acl-add ls0 from-lport 200 ip drop]) -AT_CHECK([ovn-nbctl acl-add ls0 to-lport 100 ip drop]) -dnl Add duplicated ACL -AT_CHECK([ovn-nbctl acl-add ls0 to-lport 100 ip drop], [1], [], [stderr]) -AT_CHECK([grep 'already existed' stderr], [0], [ignore]) -AT_CHECK([ovn-nbctl --may-exist acl-add ls0 to-lport 100 ip drop]) - -AT_CHECK([ovn-nbctl acl-list ls0], [0], [dnl +m4_define([OVN_NBCTL_TEST_ACL], + [AT_CHECK([ovn-nbctl $2 --log acl-add $1 from-lport 600 udp drop]) + AT_CHECK([ovn-nbctl $2 --log --name=test --severity=info acl-add $1 to-lport 500 udp drop]) + AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 400 tcp drop]) + AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 300 tcp drop]) + AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 200 ip drop]) + AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop]) + dnl Add duplicated ACL + AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop], [1], [], [stderr]) + AT_CHECK([grep 'already existed' stderr], [0], [ignore]) + AT_CHECK([ovn-nbctl $2 --may-exist acl-add $1 to-lport 100 ip drop]) + + AT_CHECK([ovn-nbctl $2 acl-list $1], [0], [dnl from-lport 600 (udp) drop log() from-lport 400 (tcp) drop from-lport 200 (ip) drop @@ -202,29 +199,46 @@ from-lport 200 (ip) drop to-lport 100 (ip) drop ]) -dnl Delete in one direction. -AT_CHECK([ovn-nbctl acl-del ls0 to-lport]) -AT_CHECK([ovn-nbctl acl-list ls0], [0], [dnl + dnl Delete in one direction. + AT_CHECK([ovn-nbctl $2 acl-del $1 to-lport]) + AT_CHECK([ovn-nbctl $2 acl-list $1], [0], [dnl from-lport 600 (udp) drop log() from-lport 400 (tcp) drop from-lport 200 (ip) drop ]) -dnl Delete all ACLs. -AT_CHECK([ovn-nbctl acl-del ls0]) -AT_CHECK([ovn-nbctl acl-list ls0], [0], [dnl + dnl Delete all ACLs. + AT_CHECK([ovn-nbctl $2 acl-del $1]) + AT_CHECK([ovn-nbctl $2 acl-list $1], [0], [dnl ]) -AT_CHECK([ovn-nbctl acl-add ls0 from-lport 600 udp drop]) -AT_CHECK([ovn-nbctl acl-add ls0 from-lport 400 tcp drop]) -AT_CHECK([ovn-nbctl acl-add ls0 from-lport 200 ip drop]) + AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 600 udp drop]) + AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 400 tcp drop]) + AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 200 ip drop]) -dnl Delete a single flow. -AT_CHECK([ovn-nbctl acl-del ls0 from-lport 400 tcp]) -AT_CHECK([ovn-nbctl acl-list ls0], [0], [dnl + dnl Delete a single flow. + AT_CHECK([ovn-nbctl $2 acl-del $1 from-lport 400 tcp]) + AT_CHECK([ovn-nbctl $2 acl-list $1], [0], [dnl from-lport 600 (udp) drop from-lport 200 (ip) drop ]) +]) + +AT_SETUP([ovn-nbctl - ACLs]) +OVN_NBCTL_TEST_START + +AT_CHECK([ovn-nbctl ls-add ls0]) +OVN_NBCTL_TEST_ACL([ls0]) +AT_CHECK([ovn-nbctl ls-add ls1]) +OVN_NBCTL_TEST_ACL([ls1], [--type=switch]) +AT_CHECK([ovn-nbctl create port_group name=pg0], [0], [ignore]) +OVN_NBCTL_TEST_ACL([pg0], [--type=port-group]) + +dnl Test when same name exists in logical switches and portgroups +AT_CHECK([ovn-nbctl create port_group name=ls0], [0], [ignore]) +AT_CHECK([ovn-nbctl acl-add ls0 to-lport 100 ip drop], [1], [], [stderr]) +AT_CHECK([grep 'exists in both' stderr], [0], [ignore]) +AT_CHECK([ovn-nbctl --type=port-group acl-add ls0 to-lport 100 ip drop], [0], [ignore]) OVN_NBCTL_TEST_STOP AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index c4a8188..55c24ce 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -9862,16 +9862,13 @@ for i in 1 2 3; do done done -pg1_uuid=`ovn-nbctl create Port_Group name=pg1 ports="$pg1_ports"` +ovn-nbctl create Port_Group name=pg1 ports="$pg1_ports" ovn-nbctl create Port_Group name=pg2 ports="$pg2_ports" # create ACLs on pg1 to drop traffic from pg2 to pg1 -ovn-nbctl --id=@acl1 create acl priority=1001 direction=to-lport \ - match='"outport == @pg1"' action=drop \ - -- add port_group $pg1_uuid acls @acl1 -ovn-nbctl --id=@acl2 create acl priority=1002 direction=to-lport \ - match='"outport == @pg1 && ip4.src == $pg2_ip4"' action=allow-related \ - -- add port_group $pg1_uuid acls @acl2 +ovn-nbctl acl-add pg1 to-lport 1001 'outport == @pg1' drop +ovn-nbctl --type=port-group acl-add pg1 to-lport 1002 \ + 'outport == @pg1 && ip4.src == $pg2_ip4' allow-related # Physical network: #