From patchwork Tue Mar 29 14:02:58 2022
X-Patchwork-Submitter: Mark Michelson
X-Patchwork-Id: 1610640
From: Mark Michelson
To: dev@openvswitch.org
Date: Tue, 29 Mar 2022 10:02:58 -0400
Message-Id: <20220329140258.272430-1-mmichels@redhat.com>
Subject: [ovs-dev] [[PATCH v21.12] ovn] acl-log: Log the direction (logical pipeline) of the matching ACL.

From: Dumitru Ceara

This is a backport of d7514abe117. Its original commit message is below, including the original sign-offs and acks.

-------------------------

It's useful to differentiate between ingress and egress pipelines in the ACL logs. To achieve this we determine the direction by interpreting the openflow table ID when processing packets punted to pinctrl by the "log()" action.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1992641
Acked-by: Numan Siddique
Signed-off-by: Dumitru Ceara
Signed-off-by: Numan Siddique
Signed-off-by: Mark Michelson
---
 NEWS                  |  3 ++
 controller/pinctrl.c  |  4 ++-
 lib/acl-log.c         |  8 +++--
 lib/acl-log.h         |  3 +-
 tests/ovn.at          | 68 ++++++++++++++++++++++++++++++++++---------
 utilities/ovn-trace.c |  9 ++++--
 6 files changed, 74 insertions(+), 21 deletions(-)

diff --git a/NEWS b/NEWS index d0570aabb..221208b20 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,8 @@ +<<<<<<< HEAD OVN v21.12.2 - xx xxx xxxx -------------------------- + - When configured to log packets matching ACLs, log the direction (logical + pipeline) too. OVN v21.12.1 - 11 Mar 2022 --------------------------
diff --git a/controller/pinctrl.c b/controller/pinctrl.c index 1b8b47523..2dd1bc7bd 100644 --- a/controller/pinctrl.c +++ b/controller/pinctrl.c @@ -3166,7 +3166,9 @@ process_packet_in(struct rconn *swconn, const struct ofp_header *msg) break; case ACTION_OPCODE_LOG: - handle_acl_log(&headers, &userdata); + handle_acl_log(&headers, &userdata, + pin.table_id < OFTABLE_LOG_EGRESS_PIPELINE + ? "from-lport" : "to-lport"); break; case ACTION_OPCODE_PUT_ND_RA_OPTS: diff --git a/lib/acl-log.c b/lib/acl-log.c index 220b6dc30..9530dd763 100644 --- a/lib/acl-log.c +++ b/lib/acl-log.c @@ -76,7 +76,8 @@ log_severity_from_string(const char *name) } void -handle_acl_log(const struct flow *headers, struct ofpbuf *userdata) +handle_acl_log(const struct flow *headers, struct ofpbuf *userdata, + const char *direction) { if (!VLOG_IS_INFO_ENABLED()) { return; @@ -94,9 +95,10 @@ handle_acl_log(const struct flow *headers, struct ofpbuf *userdata) struct ds ds = DS_EMPTY_INITIALIZER; ds_put_cstr(&ds, "name="); json_string_escape(name_len ? name : "", &ds); - ds_put_format(&ds, ", verdict=%s, severity=%s: ", + ds_put_format(&ds, ", verdict=%s, severity=%s, direction=%s: ", log_verdict_to_string(lph->verdict), - log_severity_to_string(lph->severity)); + log_severity_to_string(lph->severity), + direction); flow_format(&ds, headers, NULL); VLOG_INFO("%s", ds_cstr(&ds)); diff --git a/lib/acl-log.h b/lib/acl-log.h index 4f23f790d..da7fa2f02 100644 --- a/lib/acl-log.h +++ b/lib/acl-log.h @@ -49,6 +49,7 @@ const char *log_verdict_to_string(uint8_t verdict); const char *log_severity_to_string(uint8_t severity); uint8_t log_severity_from_string(const char *name); -void handle_acl_log(const struct flow *headers, struct ofpbuf *userdata); +void handle_acl_log(const struct flow *headers, struct ofpbuf *userdata, + const char *direction); #endif /* lib/acl-log.h */ diff --git a/tests/ovn.at b/tests/ovn.at index 5625f7767..426a1fbb0 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
@@ -9003,33 +9003,59 @@ ovn-nbctl lsp-set-addresses lp2 $lp2_mac ovn-nbctl --wait=sb sync wait_for_ports_up -ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==80' drop -ovn-nbctl --log --severity=alert --name=drop-flow acl-add lsw0 to-lport 1000 'tcp.dst==81' drop +ovn-nbctl acl-add lsw0 from-lport 1000 'tcp.dst==80' drop +ovn-nbctl --log --severity=alert --name=drop-flow acl-add lsw0 from-lport 1000 'tcp.dst==81' drop + +ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==180' drop +ovn-nbctl --log --severity=alert --name=drop-flow acl-add lsw0 to-lport 1000 'tcp.dst==181' drop + +ovn-nbctl acl-add lsw0 from-lport 1000 'tcp.dst==82' allow +ovn-nbctl --log --severity=info --name=allow-flow acl-add lsw0 from-lport 1000 'tcp.dst==83' allow ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==82' allow ovn-nbctl --log --severity=info --name=allow-flow acl-add lsw0 to-lport 1000 'tcp.dst==83' allow +ovn-nbctl acl-add lsw0 from-lport 1000 'tcp.dst==84' allow-related +ovn-nbctl --log acl-add lsw0 from-lport 1000 'tcp.dst==85' allow-related + ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==84' allow-related ovn-nbctl --log acl-add lsw0 to-lport 1000 'tcp.dst==85' allow-related -ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==86' reject -ovn-nbctl --wait=hv --log --severity=alert --name=reject-flow acl-add lsw0 to-lport 1000 'tcp.dst==87' reject +ovn-nbctl acl-add lsw0 from-lport 1000 'tcp.dst==86' reject +ovn-nbctl --log --severity=alert --name=reject-flow acl-add lsw0 from-lport 1000 'tcp.dst==87' reject + +ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==186' reject +ovn-nbctl --log --severity=alert --name=reject-flow acl-add lsw0 to-lport 1000 'tcp.dst==187' reject + +ovn-nbctl --wait=hv sync ovn-sbctl dump-flows > sbflows AT_CAPTURE_FILE([sbflows]) -# Send packet that should be dropped without logging. +# Send packet that should be dropped without logging in the ingress pipeline. 
packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && tcp && tcp.flags==2 && tcp.src==4360 && tcp.dst==80" as hv ovs-appctl -t ovn-controller inject-pkt "$packet" -# Send packet that should be dropped with logging. +# Send packet that should be dropped with logging in the ingress pipeline. packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && tcp && tcp.flags==2 && tcp.src==4361 && tcp.dst==81" as hv ovs-appctl -t ovn-controller inject-pkt "$packet" +# Send packet that should be dropped without logging in the eggress pipeline. +packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && + ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && + tcp && tcp.flags==2 && tcp.src==4360 && tcp.dst==180" +as hv ovs-appctl -t ovn-controller inject-pkt "$packet" + +# Send packet that should be dropped with logging in the egress pipeline. +packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && + ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && + tcp && tcp.flags==2 && tcp.src==4361 && tcp.dst==181" +as hv ovs-appctl -t ovn-controller inject-pkt "$packet" + # Send packet that should be allowed without logging. packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && 
@@ -9054,25 +9080,41 @@ packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && tcp && tcp.flags==2 && tcp.src==4365 && tcp.dst==85" as hv ovs-appctl -t ovn-controller inject-pkt "$packet" -# Send packet that should be rejected without logging. +# Send packet that should be rejected without logging in the ingress pipeline. packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && tcp && tcp.flags==2 && tcp.src==4366 && tcp.dst==86" as hv ovs-appctl -t ovn-controller inject-pkt "$packet" -# Send packet that should be rejected with logging. +# Send packet that should be rejected with logging in the ingress pipeline. packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && tcp && tcp.flags==2 && tcp.src==4367 && tcp.dst==87" as hv ovs-appctl -t ovn-controller inject-pkt "$packet" -OVS_WAIT_UNTIL([ test 4 = $(grep -c 'acl_log' hv/ovn-controller.log) ]) +# Send packet that should be rejected without logging in the egress pipeline. +packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && + ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && + tcp && tcp.flags==2 && tcp.src==4366 && tcp.dst==186" +as hv ovs-appctl -t ovn-controller inject-pkt "$packet" + +# Send packet that should be rejected with logging in the egress pipeline. 
+packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && + ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && + tcp && tcp.flags==2 && tcp.src==4367 && tcp.dst==187" +as hv ovs-appctl -t ovn-controller inject-pkt "$packet" + +OVS_WAIT_UNTIL([ test 8 = $(grep -c 'acl_log' hv/ovn-controller.log) ]) AT_CHECK([grep 'acl_log' hv/ovn-controller.log | sed 's/.*name=/name=/'], [0], [dnl -name="drop-flow", verdict=drop, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4361,tp_dst=81,tcp_flags=syn -name="allow-flow", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4363,tp_dst=83,tcp_flags=syn -name="", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4365,tp_dst=85,tcp_flags=syn -name="reject-flow", verdict=reject, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=87,tcp_flags=syn +name="drop-flow", verdict=drop, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4361,tp_dst=81,tcp_flags=syn +name="drop-flow", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4361,tp_dst=181,tcp_flags=syn +name="allow-flow", verdict=allow, severity=info, direction=from-lport: 
tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4363,tp_dst=83,tcp_flags=syn +name="allow-flow", verdict=allow, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4363,tp_dst=83,tcp_flags=syn +name="", verdict=allow, severity=info, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4365,tp_dst=85,tcp_flags=syn +name="", verdict=allow, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4365,tp_dst=85,tcp_flags=syn +name="reject-flow", verdict=reject, severity=alert, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=87,tcp_flags=syn +name="reject-flow", verdict=reject, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=187,tcp_flags=syn ]) OVN_CLEANUP([hv]) diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c index 0795913d3..ece5803f2 100644 --- a/utilities/ovn-trace.c +++ b/utilities/ovn-trace.c 
@@ -2457,12 +2457,14 @@ execute_select(const struct ovnact_select *select, static void execute_log(const struct ovnact_log *log, struct flow *uflow, - struct ovs_list *super) + struct ovs_list *super, const char *direction) { char *packet_str = flow_to_string(uflow, NULL); ovntrace_node_append(super, OVNTRACE_NODE_TRANSFORMATION, - "LOG: ACL name=%s, verdict=%s, severity=%s, packet=\"%s\"", + "LOG: ACL name=%s, direction=%s, verdict=%s, " + "severity=%s, packet=\"%s\"", log->name ? log->name : "", + direction, log_verdict_to_string(log->verdict), log_severity_to_string(log->severity), packet_str); @@ -2726,7 +2728,8 @@ trace_actions(const struct ovnact *ovnacts, size_t ovnacts_len, break; case OVNACT_LOG: - execute_log(ovnact_get_LOG(a), uflow, super); + execute_log(ovnact_get_LOG(a), uflow, super, + pipeline == OVNACT_P_INGRESS ? "IN" : "OUT"); break; case OVNACT_SET_METER:
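Review bot: the NEWS hunk (`@@ -1,5 +1,8 @@`) adds a stray merge-conflict marker, `+<<<<<<< HEAD`, as the new first line of the file; it accounts for one of the three added lines and would ship verbatim in the release notes, so drop it before merging. The release-note entry itself is fine.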
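Review bot: in the controller/pinctrl.c hunk, the logged direction is derived from `pin.table_id < OFTABLE_LOG_EGRESS_PIPELINE ? "from-lport" : "to-lport"`, which silently relies on every ingress-pipeline OpenFlow table being numbered below the egress log table; add a one-line comment at the call site stating that invariant so a later table renumbering cannot flip the logged direction unnoticed. It is worth noting for readers that the direction comes from the controller's own table id in the packet-in, not from anything carried in the packet or the `userdata`, so the logged field cannot be influenced by the traffic being logged.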
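Review bot: the second lib/acl-log.c hunk (`@@ -94,9 +95,10 @@`) inserts `direction=%s` before the trailing `: ` that separates the ACL metadata from the `flow_format()` dump, so the acl_log line format changes for every consumer; the NEWS entry describes the feature but should state explicitly that parsers keyed on `severity=<level>:` need updating. Also, `name` is passed through `json_string_escape()` while `direction` goes into `ds_put_format()` as a bare `%s` with no NULL check; that is acceptable because the only caller in this patch (pinctrl.c) passes a string literal, but a short comment that `direction` must be a non-NULL constant would keep a future caller from passing attacker-influenced or NULL data into the log line.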
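Review bot: the lib/acl-log.h hunk changes the public prototype of `handle_acl_log()` but documents nothing about the new parameter; add a brief comment giving the expected values (`"from-lport"` or `"to-lport"`, as the pinctrl.c caller passes) and that the pointer must be non-NULL, since `handle_acl_log()` formats it directly with `%s`.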
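Review bot: typo in the first tests/ovn.at hunk (`@@ -9003,33 +9003,59 @@`): the added comment `# Send packet that should be dropped without logging in the eggress pipeline.` should read `egress pipeline`. Replacing the `--wait=hv` on the last `acl-add` with a separate `ovn-nbctl --wait=hv sync` after all the ACLs is the right move now that ACLs are added in both directions.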
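Review bot: in the second tests/ovn.at hunk (`@@ -9054,25 +9080,41 @@`), the new expected count in `OVS_WAIT_UNTIL([ test 8 = $(grep -c 'acl_log' hv/ovn-controller.log) ])` and the exact-order `AT_CHECK` block depend on two non-obvious facts: the allow and allow-related ACLs use the same ports (83 and 85) in both directions, so one injected packet produces both a `direction=from-lport` and a `direction=to-lport` line, while the drop and reject cases use distinct ports (81/181, 87/187) because the ingress verdict ends processing; a short comment above the wait explaining how 8 is reached (4 ingress + 4 egress matches) would make the test easier to maintain when ACLs are added later.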
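Review bot: the first utilities/ovn-trace.c hunk (`@@ -2457,12 +2457,14 @@`) places `direction=%s` between `name=` and `verdict=`, whereas the lib/acl-log.c hunk appends it after `severity=`; use the same field order in both so that an ovn-trace transcript and the real ovn-controller acl_log line for the same packet read identically and one parser can handle both.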
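Review bot: the second utilities/ovn-trace.c hunk (`@@ -2726,7 +2728,8 @@`) labels the direction `"IN"`/`"OUT"` via `pipeline == OVNACT_P_INGRESS ? "IN" : "OUT"`, while the controller/pinctrl.c hunk logs `"from-lport"`/`"to-lport"` for the same concept; pick one vocabulary (the `from-lport`/`to-lport` terms already used by `ovn-nbctl acl-add` seem the natural choice) so operators correlating traces with controller logs do not have to map between two sets of names.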