From patchwork Mon Apr 25 11:17:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Adri=C3=A1n_Moreno?= X-Patchwork-Id: 1621879 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ELsxT+0N; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4Kn2YN5rB0z9s0B for ; Mon, 25 Apr 2022 21:17:44 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 5432160BDD; Mon, 25 Apr 2022 11:17:42 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsofvJlLCLh8; Mon, 25 Apr 2022 11:17:39 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp3.osuosl.org (Postfix) with ESMTPS id 5B50A60D4E; Mon, 25 Apr 2022 11:17:38 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 8DD15C0084; Mon, 25 Apr 2022 11:17:37 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id CB65BC002D for ; Mon, 25 Apr 2022 11:17:35 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id AB0E2409D3 for ; Mon, 25 Apr 2022 11:17:35 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Authentication-Results: smtp4.osuosl.org (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cBR_UFgAU1i for ; Mon, 25 Apr 2022 11:17:34 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp4.osuosl.org (Postfix) with ESMTPS id 7335840991 for ; Mon, 25 Apr 2022 11:17:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1650885452; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=OEU4q6kkE4gKu39nSxri1lxqj0jo4EUGssHuzvzeYjk=; b=ELsxT+0NxFweeCZUtGWn7w7mmDDNPXQr7SR5gbL3xBVTzqlsEmG0FjtX2ZFzP0XkdbwYhZ l1wH98L0zrebbib+lqs88PA31FAm9IqVCtsVcCvfPizbtKQFgpFDHwgi2kiVQX6UXpPtDj 5z16UQ9oJ2oGlpDUhktWLRKceswTmHg= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-563-rCcfSdJtPpqv8FiyVu7K_A-1; Mon, 25 Apr 2022 07:17:30 -0400 X-MC-Unique: rCcfSdJtPpqv8FiyVu7K_A-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5A1F0800882 for ; Mon, 25 Apr 2022 11:17:30 +0000 (UTC) Received: from amorenoz.users.ipa.redhat.com (unknown [10.39.194.136]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4721B145BA66; Mon, 25 Apr 2022 11:17:29 +0000 (UTC) From: Adrian Moreno To: dev@openvswitch.org Date: Mon, 25 Apr 2022 13:17:23 +0200 Message-Id: <20220425111724.2981776-3-amorenoz@redhat.com> In-Reply-To: <20220425111724.2981776-1-amorenoz@redhat.com> References: <20220425111724.2981776-1-amorenoz@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=amorenoz@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Cc: trozet@redhat.com, dceara@redhat.com Subject: [ovs-dev] [RFC PATCH ovn 2/3] northd: add drop_debugging option X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" When enabled, a default action to explicitly drop all packets is added to those stages that currently don't have a default action. Signed-off-by: Adrian Moreno --- northd/automake.mk | 2 + northd/debug.c | 35 +++++++++++++ northd/debug.h | 35 +++++++++++++ northd/northd.c | 124 ++++++++++++++++++++++++++++++--------------- ovn-nb.xml | 8 +++ tests/ovn.at | 2 +- 6 files changed, 164 insertions(+), 42 deletions(-) create mode 100644 northd/debug.c create mode 100644 northd/debug.h diff --git a/northd/automake.mk b/northd/automake.mk index 4862ec7b7..7537c00b5 100644 --- a/northd/automake.mk +++ b/northd/automake.mk @@ -1,6 +1,8 @@ # ovn-northd bin_PROGRAMS += northd/ovn-northd northd_ovn_northd_SOURCES = \ + northd/debug.c \ + northd/debug.h \ northd/northd.c \ northd/northd.h \ northd/ovn-northd.c \ diff --git a/northd/debug.c b/northd/debug.c new file mode 100644 index 000000000..5dc40e8ce --- /dev/null +++ b/northd/debug.c @@ -0,0 +1,35 @@ +#include + +#include + +#include "debug.h" + +#include "smap.h" + +static struct debug_config config; + +void +init_debug_config(const struct nbrec_nb_global *nb) +{ + + const struct smap *options = &nb->options; + config.enabled = smap_get_bool(options, "debug_drop_mode", false); +} + +bool +debug_enabled(void) +{ + return config.enabled; +} + +const char * +debug_drop_action(void) +{ + return "drop;"; +} + +const char * +debug_implicit_drop_action(void) +{ + return "/* drop */"; +} diff --git a/northd/debug.h b/northd/debug.h new file mode 100644 index 000000000..0e83b4ca2 --- /dev/null +++ b/northd/debug.h @@ -0,0 +1,35 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef NORTHD_DEBUG_H +#define NORTHD_DEBUG_H 1 + +#include +#include + +#include "lib/ovn-nb-idl.h" + +struct debug_config { + bool enabled; +}; + +void init_debug_config(const struct nbrec_nb_global *nb); + +bool debug_enabled(void); + +const char *debug_drop_action(void); +const char *debug_implicit_drop_action(void); +const char *debug_reject_action(void); + +#endif /* NORTHD_DEBUG_H */ diff --git a/northd/northd.c b/northd/northd.c index bcd36bbaa..56d16d719 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -17,6 +17,7 @@ #include #include +#include "debug.h" #include "bitmap.h" #include "dirs.h" #include "ipam.h" @@ -3739,7 +3740,7 @@ build_lb_vip_actions(struct ovn_lb_vip *lb_vip, if (!n_active_backends) { if (!lb_vip->empty_backend_rej) { ds_clear(action); - ds_put_cstr(action, "drop;"); + ds_put_cstr(action, debug_drop_action()); skip_hash_fields = true; } else { reject = true; @@ -4839,6 +4840,18 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct ovn_datapath *od, io_port, ctrl_meter, stage_hint, where, hash); } +static void +__ovn_lflow_add_default_drop(struct hmap *lflow_map, + struct ovn_datapath *od, + enum ovn_stage stage, + const char *where) +{ + if (OVS_UNLIKELY(debug_enabled())) { + ovn_lflow_add_at(lflow_map, od, stage, 0, "1", debug_drop_action(), + NULL, NULL, NULL, where ); + } +} + /* Adds a row with the specified contents to the Logical_Flow table. */ #define ovn_lflow_add_with_hint__(LFLOW_MAP, OD, STAGE, PRIORITY, MATCH, \ ACTIONS, IN_OUT_PORT, CTRL_METER, \ @@ -4851,6 +4864,10 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct ovn_datapath *od, ovn_lflow_add_at(LFLOW_MAP, OD, STAGE, PRIORITY, MATCH, ACTIONS, \ NULL, NULL, STAGE_HINT, OVS_SOURCE_LOCATOR) +#define ovn_lflow_add_default_drop(LFLOW_MAP, OD, STAGE) \ + __ovn_lflow_add_default_drop(LFLOW_MAP, OD, STAGE, OVS_SOURCE_LOCATOR) + + /* This macro is similar to ovn_lflow_add_with_hint, except that it requires * the IN_OUT_PORT argument, which tells the lport name that appears in the * MATCH, which helps ovn-controller to bypass lflows parsing when the lport is @@ -5095,8 +5112,8 @@ build_port_security_nd(struct ovn_port *op, struct hmap *lflows, ds_clear(&match); ds_put_format(&match, "inport == %s && (arp || nd)", op->json_key); ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, - 80, ds_cstr(&match), "drop;", op->key, - stage_hint); + 80, ds_cstr(&match), debug_drop_action(), + op->key, stage_hint); ds_destroy(&match); } @@ -5229,7 +5246,8 @@ build_port_security_ip(enum ovn_pipeline pipeline, struct ovn_port *op, pipeline == P_IN ? "eth.src" : "eth.dst", ps->ea_s); ovn_lflow_add_with_lport_and_hint(lflows, op->od, stage, 80, match, - "drop;", op->key, stage_hint); + debug_drop_action(), op->key, + stage_hint); free(match); } @@ -5661,8 +5679,9 @@ build_lswitch_output_port_sec_op(struct ovn_port *op, } else { ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2, 150, - ds_cstr(match), "drop;", op->key, - &op->nbsp->header_); + ds_cstr(match), + debug_drop_action(), + op->key, &op->nbsp->header_); } if (op->nbsp->n_port_security) { @@ -5682,6 +5701,9 @@ build_lswitch_output_port_sec_od(struct ovn_datapath *od, ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_IP, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_L2, 100, "eth.mcast", "output;"); + + /* Default action for L2 security is to drop. */ + ovn_lflow_add_default_drop(lflows, od, S_SWITCH_OUT_PORT_SEC_L2); } } @@ -6426,7 +6448,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, } else { ds_put_format(match, " && (%s)", acl->match); build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "/* drop */"); + ds_put_cstr(actions, debug_implicit_drop_action()); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, ds_cstr(match), ds_cstr(actions), @@ -6453,7 +6475,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, } else { ds_put_format(match, " && (%s)", acl->match); build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "/* drop */"); + ds_put_cstr(actions, debug_implicit_drop_action()); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, ds_cstr(match), ds_cstr(actions), @@ -6470,7 +6492,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, actions, &acl->header_, meter_groups); } else { build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "/* drop */"); + ds_put_cstr(actions, debug_implicit_drop_action()); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, acl->match, ds_cstr(actions), @@ -6678,9 +6700,9 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, ds_put_format(&match, "%s(ct.est && ct.rpl && ct_mark.blocked == 1)", use_ct_inv_match ? "ct.inv || " : ""); ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, - ds_cstr(&match), "drop;"); + ds_cstr(&match), debug_drop_action()); ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, - ds_cstr(&match), "drop;"); + ds_cstr(&match), debug_drop_action()); /* Ingress and Egress ACL Table (Priority 65535 - 3). * @@ -7669,7 +7691,7 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op, rp->lsp_addrs[k].ipv4_addrs[l].addr_s); ovn_lflow_add_with_lport_and_hint( lflows, op->od, S_SWITCH_IN_EXTERNAL_PORT, 100, - ds_cstr(&match), "drop;", port->key, + ds_cstr(&match), debug_drop_action(), port->key, &op->nbsp->header_); } for (size_t l = 0; l < rp->lsp_addrs[k].n_ipv6_addrs; l++) { @@ -7685,7 +7707,7 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op, rp->lsp_addrs[k].ipv6_addrs[l].addr_s); ovn_lflow_add_with_lport_and_hint( lflows, op->od, S_SWITCH_IN_EXTERNAL_PORT, 100, - ds_cstr(&match), "drop;", port->key, + ds_cstr(&match), debug_drop_action(), port->key, &op->nbsp->header_); } @@ -7700,7 +7722,8 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op, ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_EXTERNAL_PORT, 100, ds_cstr(&match), - "drop;", port->key, + debug_drop_action(), + port->key, &op->nbsp->header_); } } @@ -7738,7 +7761,7 @@ build_lswitch_flows(const struct hmap *datapaths, "outport = \""MC_UNKNOWN "\"; output;"); } else { ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 50, - "outport == \"none\"", "drop;"); + "outport == \"none\"", debug_drop_action()); } ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_UNKNOWN, 0, "1", "output;"); @@ -7779,16 +7802,19 @@ build_lswitch_lflows_admission_control(struct ovn_datapath *od, if (!is_vlan_transparent(od)) { /* Block logical VLANs. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, - "vlan.present", "drop;"); + "vlan.present", debug_drop_action()); } /* Broadcast/multicast source address is invalid. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]", - "drop;"); + debug_drop_action()); /* Port security flows have priority 50 * (see build_lswitch_input_port_sec()) and will continue * to the next table if packet source is acceptable. */ + + /* Default action is to drop. */ + ovn_lflow_add_default_drop(lflows, od, S_SWITCH_IN_PORT_SEC_L2); } } @@ -8326,7 +8352,7 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od, */ if (!mcast_sw_info->flood_relay && !mcast_sw_info->flood_static) { - ds_put_cstr(actions, "drop;"); + ds_put_cstr(actions, debug_drop_action()); } ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 80, @@ -8892,7 +8918,7 @@ build_routing_policy_flow(struct hmap *lflows, struct ovn_datapath *od, out_port->json_key); } else if (!strcmp(rule->action, "drop")) { - ds_put_cstr(&actions, "drop;"); + ds_put_cstr(&actions, debug_drop_action()); } else if (!strcmp(rule->action, "allow")) { uint32_t pkt_mark = ovn_smap_get_uint(&rule->options, "pkt_mark", 0); if (pkt_mark) { @@ -9658,7 +9684,7 @@ add_route(struct hmap *lflows, struct ovn_datapath *od, struct ds common_actions = DS_EMPTY_INITIALIZER; struct ds actions = DS_EMPTY_INITIALIZER; if (is_discard_route) { - ds_put_format(&actions, "drop;"); + ds_put_cstr(&actions, debug_drop_action()); } else { ds_put_format(&common_actions, REG_ECMP_GROUP_ID" = 0; %s = ", is_ipv4 ? REG_NEXT_HOP_IPV4 : REG_NEXT_HOP_IPV6); @@ -9689,6 +9715,10 @@ add_route(struct hmap *lflows, struct ovn_datapath *od, priority + 1, ds_cstr(&match), ds_cstr(&common_actions), stage_hint); } + + /* Default action for S_ROUTER_IN_IP_ROUTING is to drop. */ + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_IP_ROUTING); + ds_destroy(&match); ds_destroy(&common_actions); ds_destroy(&actions); @@ -10346,7 +10376,7 @@ build_lrouter_arp_flow(struct ovn_datapath *od, struct ovn_port *op, ds_put_format(&match, " && %s", ds_cstr(extra_match)); } if (drop) { - ds_put_format(&actions, "drop;"); + ds_put_cstr(&actions, debug_drop_action()); } else { ds_put_format(&actions, "eth.dst = eth.src; " @@ -10402,7 +10432,7 @@ build_lrouter_nd_flow(struct ovn_datapath *od, struct ovn_port *op, } if (drop) { - ds_put_format(&actions, "drop;"); + ds_put_cstr(&actions, debug_drop_action()); ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_IP_INPUT, priority, ds_cstr(&match), ds_cstr(&actions), hint); } else { @@ -10549,7 +10579,7 @@ build_lrouter_drop_own_dest(struct ovn_port *op, enum ovn_stage stage, char *match = xasprintf("ip4.dst == {%s}", ds_cstr(&match_ips)); ovn_lflow_add_with_hint(lflows, op->od, stage, priority, - match, "drop;", + match, debug_drop_action(), &op->nbrp->header_); free(match); } @@ -10575,7 +10605,7 @@ build_lrouter_drop_own_dest(struct ovn_port *op, enum ovn_stage stage, char *match = xasprintf("ip6.dst == {%s}", ds_cstr(&match_ips)); ovn_lflow_add_with_hint(lflows, op->od, stage, priority, - match, "drop;", + match, debug_drop_action(), &op->nbrp->header_); free(match); } @@ -10743,7 +10773,10 @@ build_adm_ctrl_flows_for_lrouter( /* Logical VLANs not supported. * Broadcast/multicast source address is invalid. */ ovn_lflow_add(lflows, od, S_ROUTER_IN_ADMISSION, 100, - "vlan.present || eth.src[40]", "drop;"); + "vlan.present || eth.src[40]", debug_drop_action()); + + /* Default action for L2 security is to drop. */ + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_ADMISSION); } } @@ -10939,6 +10972,8 @@ build_neigh_learning_flows_for_lrouter( "nd_ns", "put_nd(inport, ip6.src, nd.sll); next;", copp_meter_get(COPP_ND_NS, od->nbr->copp, meter_groups)); + + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_LEARN_NEIGHBOR); } } @@ -11281,7 +11316,7 @@ build_mcast_lookup_flows_for_lrouter( * i.e., router solicitation and router advertisement. */ ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10550, - "nd_rs || nd_ra", "drop;"); + "nd_rs || nd_ra", debug_drop_action()); if (!od->mcast_info.rtr.relay) { return; } @@ -11328,13 +11363,13 @@ build_mcast_lookup_flows_for_lrouter( ds_put_format(match, "eth.src == %s && igmp", op->lrp_networks.ea_s); ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10550, - ds_cstr(match), "drop;"); + ds_cstr(match), debug_drop_action()); ds_clear(match); ds_put_format(match, "eth.src == %s && (mldv1 || mldv2)", op->lrp_networks.ea_s); ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10550, - ds_cstr(match), "drop;"); + ds_cstr(match), debug_drop_action()); } ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10460, @@ -11358,7 +11393,7 @@ build_mcast_lookup_flows_for_lrouter( "};"); } else { ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, 10450, - "ip4.mcast || ip6.mcast", "drop;"); + "ip4.mcast || ip6.mcast", debug_drop_action()); } } } @@ -11416,11 +11451,13 @@ build_arp_resolve_flows_for_lrouter( ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 500, "ip4.mcast || ip6.mcast", "next;"); - ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip4", + ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 1, "ip4", "get_arp(outport, " REG_NEXT_HOP_IPV4 "); next;"); - ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip6", + ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 1, "ip6", "get_nd(outport, " REG_NEXT_HOP_IPV6 "); next;"); + + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_ARP_RESOLVE); } } @@ -11546,9 +11583,9 @@ build_arp_resolve_flows_for_lrouter_port( * in stage "lr_in_ip_input" but traffic that could have been unSNATed * but didn't match any existing session might still end up here. * - * Priority 1. + * Priority 2. */ - build_lrouter_drop_own_dest(op, S_ROUTER_IN_ARP_RESOLVE, 1, true, + build_lrouter_drop_own_dest(op, S_ROUTER_IN_ARP_RESOLVE, 2, true, lflows); } else if (op->od->n_router_ports && !lsp_is_router(op->nbsp) && strcmp(op->nbsp->type, "virtual")) { @@ -12112,6 +12149,8 @@ build_egress_delivery_flows_for_lrouter_port( ds_put_format(match, "outport == %s", op->json_key); ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_DELIVERY, 100, ds_cstr(match), "output;"); + + ovn_lflow_add_default_drop(lflows, op->od, S_ROUTER_OUT_DELIVERY); } } @@ -12141,7 +12180,7 @@ build_misc_local_traffic_drop_flows_for_lrouter( "ip4.dst == 127.0.0.0/8 || " "ip4.src == 0.0.0.0/8 || " "ip4.dst == 0.0.0.0/8", - "drop;"); + debug_drop_action()); /* Drop ARP packets (priority 85). ARP request packets for router's own * IPs are handled with priority-90 flows. @@ -12149,7 +12188,7 @@ build_misc_local_traffic_drop_flows_for_lrouter( * IPs are handled with priority-90 flows. */ ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 85, - "arp || nd", "drop;"); + "arp || nd", debug_drop_action()); /* Allow IPv6 multicast traffic that's supposed to reach the * router pipeline (e.g., router solicitations). @@ -12159,21 +12198,22 @@ build_misc_local_traffic_drop_flows_for_lrouter( /* Drop other reserved multicast. */ ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 83, - "ip6.mcast_rsvd", "drop;"); + "ip6.mcast_rsvd", debug_drop_action()); /* Allow other multicast if relay enabled (priority 82). */ ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 82, "ip4.mcast || ip6.mcast", - od->mcast_info.rtr.relay ? "next;" : "drop;"); + (od->mcast_info.rtr.relay ? "next;" : + debug_drop_action())); /* Drop Ethernet local broadcast. By definition this traffic should * not be forwarded.*/ ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 50, - "eth.bcast", "drop;"); + "eth.bcast", debug_drop_action()); /* TTL discard */ ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 30, - "ip4 && ip.ttl == {0, 1}", "drop;"); + "ip4 && ip.ttl == {0, 1}", debug_drop_action()); /* Pass other traffic not already handled to the next table for * routing. */ @@ -12435,7 +12475,7 @@ build_lrouter_ipv4_ip_input(struct ovn_port *op, op_put_v4_networks(match, op, true); ds_put_cstr(match, " && "REGBIT_EGRESS_LOOPBACK" == 0"); ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_IP_INPUT, 100, - ds_cstr(match), "drop;", + ds_cstr(match), debug_drop_action(), &op->nbrp->header_); /* ICMP echo reply. These flows reply to ICMP echo requests @@ -13463,7 +13503,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows, struct ovn_port *op = ovn_port_find(ports, nat->logical_port); if (op && op->nbsp && !strcmp(op->nbsp->type, "virtual")) { ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_GW_REDIRECT, - 80, ds_cstr(match), "drop;", + 80, ds_cstr(match), debug_drop_action(), &nat->header_); } ds_put_format(match, " && is_chassis_resident(\"%s\")", @@ -15322,6 +15362,8 @@ ovnnb_db_run(struct northd_input *input_data, check_lsp_is_up = !smap_get_bool(&nb->options, "ignore_lsp_down", true); + init_debug_config(nb); + build_datapaths(input_data, ovnsb_txn, &data->datapaths, &data->lr_list); build_lbs(input_data, &data->datapaths, &data->lbs); build_ports(input_data, ovnsb_txn, sbrec_chassis_by_name, diff --git a/ovn-nb.xml b/ovn-nb.xml index 547f7f48a..76b6bab17 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -255,6 +255,14 @@

+ +

+ If set to true, ovn-northd will add an explicit 'drop' + logical flow when possible instead of relying on the OVS implicitly + dropping packets that do not match any flow. +

+ +

These options control how routes are advertised between OVN diff --git a/tests/ovn.at b/tests/ovn.at index d1b062fb3..3e22ecf4b 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26102,7 +26102,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep "actions=controller" | grep ]) # The packet should've been dropped in the lr_in_arp_resolve stage. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=23, n_packets=1,.* priority=1,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=23, n_packets=1,.* priority=2,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl 1 ])