@@ -909,14 +909,14 @@ AT_CHECK([
])
# Stateful FIP with ALLOWED_IPs
-ovn-nbctl lr-nat-del DR snat 50.0.0.11
-ovn-nbctl lr-nat-del CR snat 50.0.0.11
+check ovn-nbctl lr-nat-del DR snat 50.0.0.11
+check ovn-nbctl lr-nat-del CR snat 50.0.0.11
-ovn-nbctl lr-nat-add DR dnat_and_snat 172.16.1.2 50.0.0.11
-ovn-nbctl lr-nat-add CR dnat_and_snat 172.16.1.2 50.0.0.11
+check ovn-nbctl lr-nat-add DR dnat_and_snat 172.16.1.2 50.0.0.11
+check ovn-nbctl lr-nat-add CR dnat_and_snat 172.16.1.2 50.0.0.11
-ovn-nbctl lr-nat-update-ext-ip DR dnat_and_snat 172.16.1.2 allowed_range
-ovn-nbctl lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 allowed_range
+check ovn-nbctl lr-nat-update-ext-ip DR dnat_and_snat 172.16.1.2 allowed_range
+check ovn-nbctl lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 allowed_range
ovn-nbctl show DR
ovn-sbctl dump-flows DR
@@ -1691,45 +1691,59 @@ AT_CLEANUP
AT_SETUP([ovn-northd -- reject ACL])
ovn_start
-ovn-nbctl ls-add sw0
-ovn-nbctl lsp-add sw0 sw0-p1
+check ovn-nbctl ls-add sw0
+check ovn-nbctl lsp-add sw0 sw0-p1
-ovn-nbctl ls-add sw1
-ovn-nbctl lsp-add sw1 sw1-p1
+check ovn-nbctl ls-add sw1
+check ovn-nbctl lsp-add sw1 sw1-p1
+
+check ovn-nbctl pg-add pg0 sw0-p1 sw1-p1
+check ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4 && tcp && tcp.dst == 80" reject
+check ovn-nbctl acl-add pg0 to-lport 1003 "outport == @pg0 && ip6 && udp" reject
+
+check ovn-nbctl --wait=hv sync
-ovn-nbctl pg-add pg0 sw0-p1 sw1-p1
-ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4 && tcp && tcp.dst == 80" reject
-ovn-nbctl acl-add pg0 to-lport 1003 "outport == @pg0 && ip6 && udp" reject
+AS_BOX([1])
-ovn-nbctl --wait=hv sync
+ovn-sbctl dump-flows sw0 > sw0flows
+AT_CAPTURE_FILE([sw0flows])
+ovn-sbctl dump-flows sw1 > sw1flows
+AT_CAPTURE_FILE([sw1flows])
-AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl
+AT_CHECK([grep "ls_in_acl" sw0flows | grep pg0 | sort], [0], [dnl
table=7 (ls_in_acl ), priority=2002 , dnl
match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };)
])
-AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl
+AT_CHECK([grep "ls_in_acl" sw1flows | grep pg0 | sort], [0], [dnl
table=7 (ls_in_acl ), priority=2002 , dnl
match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };)
])
-AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
+AT_CHECK([grep "ls_out_acl" sw0flows | grep pg0 | sort], [0], [dnl
table=5 (ls_out_acl ), priority=2003 , dnl
match=(outport == @pg0 && ip6 && udp), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };)
])
-AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
+AT_CHECK([grep "ls_out_acl" sw1flows | grep pg0 | sort], [0], [dnl
table=5 (ls_out_acl ), priority=2003 , dnl
match=(outport == @pg0 && ip6 && udp), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };)
])
-ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject
+AS_BOX([2])
-AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
+ovn-nbctl --wait=sb acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject
+
+ovn-sbctl dump-flows sw0 > sw0flows2
+AT_CAPTURE_FILE([sw0flows2])
+ovn-sbctl dump-flows sw1 > sw1flows2
+AT_CAPTURE_FILE([sw1flows2])
+
+AT_CHECK([grep "ls_out_acl" sw0flows2 | grep pg0 | sort], [0], [dnl
table=5 (ls_out_acl ), priority=2002 , dnl
match=(outport == @pg0 && ip4 && udp), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };)
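Review bot: The new `ovn-nbctl --wait=sb acl-add pg0 to-lport 1002 ...` line under `AS_BOX([2])` is not wrapped in `check`, unlike every other ovn-nbctl call this hunk converts, so a failed ACL insert only surfaces later as a flow-table mismatch; the same applies to the `--wait=sb acl-add ... allow-related` context line in the @@ -1747 hunk. Prefixing both keeps the reject-ACL setup fail-fast, e.g. `check ovn-nbctl --wait=sb acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject`. The `ovn-sbctl dump-flows swN > swNflows*` captures here and in the @@ -1747 hunk are also unchecked, so a failed dump leaves an empty file and the grep checks that follow fail without naming the cause. Running the dump through AT_CHECK, as in `AT_CHECK([ovn-sbctl dump-flows sw0 > sw0flows])`, would pin the failure to the dump itself, provided that form fits this suite's conventions. The last AT_CHECK in this hunk continues past its end.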
@@ -1738,7 +1752,7 @@ match=(outport == @pg0 && ip6 && udp), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };)
])
-AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
+AT_CHECK([grep "ls_out_acl" sw1flows2 | grep pg0 | sort], [0], [dnl
table=5 (ls_out_acl ), priority=2002 , dnl
match=(outport == @pg0 && ip4 && udp), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };)
@@ -1747,9 +1761,16 @@ match=(outport == @pg0 && ip6 && udp), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };)
])
+AS_BOX([3])
+
ovn-nbctl --wait=sb acl-add pg0 to-lport 1001 "outport == @pg0 && ip" allow-related
-AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
+ovn-sbctl dump-flows sw0 > sw0flows3
+AT_CAPTURE_FILE([sw0flows3])
+ovn-sbctl dump-flows sw1 > sw1flows3
+AT_CAPTURE_FILE([sw1flows3])
+
+AT_CHECK([grep "ls_out_acl" sw0flows3 | grep pg0 | sort], [0], [dnl
table=5 (ls_out_acl ), priority=2001 , dnl
match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
table=5 (ls_out_acl ), priority=2001 , dnl
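Review bot: `AS_BOX([3])`, like `AS_BOX([1])` and `AS_BOX([2])` in the @@ -1691 hunk, labels the log section with a bare number, so a failing log does not say which ACL state is being asserted. A short description would serve the commit's debuggability goal better, for example `AS_BOX([3: reject ACLs plus lower-priority allow-related])`. In a test that pins reject and allow-related ACL flows, the policy step that produced an unexpected flow is the first thing a reader needs. The AT_CHECK opened at the end of this hunk continues outside it.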
@@ -1768,7 +1789,7 @@ match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl
action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=20); };)
])
-AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
+AT_CHECK([grep "ls_out_acl" sw1flows3 | grep pg0 | sort], [0], [dnl
table=5 (ls_out_acl ), priority=2001 , dnl
match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
table=5 (ls_out_acl ), priority=2001 , dnl
This makes it more debuggable. Signed-off-by: Ben Pfaff <blp@ovn.org> --- tests/ovn-northd.at | 67 +++++++++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 23 deletions(-)