[ovs-dev,v2,3/3] northd: Add generic port security logical flows.

Message ID	20220519151812.987296-1-numans@ovn.org
State	Accepted
Headers	show Return-Path: <ovs-dev-bounces@openvswitch.org> sender: numans@ovn.org) by mail.gandi.net (Postfix) with ESMTPSA id 4EB84E0005; Thu, 19 May 2022 15:18:14 +0000 (UTC) From: numans@ovn.org To: dev@openvswitch.org Date: Thu, 19 May 2022 11:18:12 -0400 Message-Id: <20220519151812.987296-1-numans@ovn.org> In-Reply-To: <20220519151706.987120-1-numans@ovn.org> References: <20220519151706.987120-1-numans@ovn.org> MIME-Version: 1.0 Cc: Dumitru Ceara <dceara@redhat.com> Subject: [ovs-dev] [PATCH ovn v2 3/3] northd: Add generic port security logical flows. Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" <ovs-dev-bounces@openvswitch.org>
Series	Adding generic port security flows. \| expand [ovs-dev,v2,0/3] Adding generic port security flows. [ovs-dev,v2,1/3] ovn-controller: Add OF rules for port security. [ovs-dev,v2,2/3] actions: Add new actions check_in_port_sec and check_out_port_sec. [ovs-dev,v2,3/3] northd: Add generic port security logical flows.

Context	Check	Description
ovsrobot/apply-robot	success	apply and check: success
ovsrobot/github-robot-_Build_and_Test	fail	github build: failed
ovsrobot/github-robot-_ovn-kubernetes	success	github build: passed

diff --git a/northd/northd.c b/northd/northd.c index 6138d42ad9..f0c345015d 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -107,32 +107,31 @@ enum ovn_datapath_type { enum ovn_stage { #define PIPELINE_STAGES \ /* Logical switch ingress stages. */ \ - PIPELINE_STAGE(SWITCH, IN, PORT_SEC_L2, 0, "ls_in_port_sec_l2") \ - PIPELINE_STAGE(SWITCH, IN, PORT_SEC_IP, 1, "ls_in_port_sec_ip") \ - PIPELINE_STAGE(SWITCH, IN, PORT_SEC_ND, 2, "ls_in_port_sec_nd") \ - PIPELINE_STAGE(SWITCH, IN, LOOKUP_FDB , 3, "ls_in_lookup_fdb") \ - PIPELINE_STAGE(SWITCH, IN, PUT_FDB, 4, "ls_in_put_fdb") \ - PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 5, "ls_in_pre_acl") \ - PIPELINE_STAGE(SWITCH, IN, PRE_LB, 6, "ls_in_pre_lb") \ - PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 7, "ls_in_pre_stateful") \ - PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 8, "ls_in_acl_hint") \ - PIPELINE_STAGE(SWITCH, IN, ACL, 9, "ls_in_acl") \ - PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 10, "ls_in_qos_mark") \ - PIPELINE_STAGE(SWITCH, IN, QOS_METER, 11, "ls_in_qos_meter") \ - PIPELINE_STAGE(SWITCH, IN, LB, 12, "ls_in_lb") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB, 13, "ls_in_acl_after_lb") \ - PIPELINE_STAGE(SWITCH, IN, STATEFUL, 14, "ls_in_stateful") \ - PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 15, "ls_in_pre_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 16, "ls_in_nat_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 17, "ls_in_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 18, "ls_in_arp_rsp") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 19, "ls_in_dhcp_options") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 20, "ls_in_dhcp_response") \ - PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 21, "ls_in_dns_lookup") \ - PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 22, "ls_in_dns_response") \ - PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 23, "ls_in_external_port") \ - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 24, "ls_in_l2_lkup") \ - PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 25, "ls_in_l2_unknown") \ + PIPELINE_STAGE(SWITCH, IN, CHECK_PORT_SEC, 0, "ls_in_check_port_sec") \ + PIPELINE_STAGE(SWITCH, IN, APPLY_PORT_SEC, 1, "ls_in_apply_port_sec") \ + PIPELINE_STAGE(SWITCH, IN, LOOKUP_FDB , 2, "ls_in_lookup_fdb") \ + PIPELINE_STAGE(SWITCH, IN, PUT_FDB, 3, "ls_in_put_fdb") \ + PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 4, "ls_in_pre_acl") \ + PIPELINE_STAGE(SWITCH, IN, PRE_LB, 5, "ls_in_pre_lb") \ + PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 6, "ls_in_pre_stateful") \ + PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 7, "ls_in_acl_hint") \ + PIPELINE_STAGE(SWITCH, IN, ACL, 8, "ls_in_acl") \ + PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 9, "ls_in_qos_mark") \ + PIPELINE_STAGE(SWITCH, IN, QOS_METER, 10, "ls_in_qos_meter") \ + PIPELINE_STAGE(SWITCH, IN, LB, 11, "ls_in_lb") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB, 12, "ls_in_acl_after_lb") \ + PIPELINE_STAGE(SWITCH, IN, STATEFUL, 13, "ls_in_stateful") \ + PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 14, "ls_in_pre_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 15, "ls_in_nat_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 16, "ls_in_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 17, "ls_in_arp_rsp") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 18, "ls_in_dhcp_options") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 19, "ls_in_dhcp_response") \ + PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 20, "ls_in_dns_lookup") \ + PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 21, "ls_in_dns_response") \ + PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 22, "ls_in_external_port") \ + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 23, "ls_in_l2_lkup") \ + PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 24, "ls_in_l2_unknown") \ \ /* Logical switch egress stages. */ \ PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 0, "ls_out_pre_lb") \ @@ -143,8 +142,8 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 5, "ls_out_qos_mark") \ PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 6, "ls_out_qos_meter") \ PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \ - PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 8, "ls_out_port_sec_ip") \ - PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 9, "ls_out_port_sec_l2") \ + PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 8, "ls_out_check_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 9, "ls_out_apply_port_sec") \ \ /* Logical router ingress stages. */ \ PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ @@ -207,6 +206,7 @@ enum ovn_stage { #define REGBIT_HAIRPIN_REPLY "reg0[12]" #define REGBIT_ACL_LABEL "reg0[13]" #define REGBIT_FROM_RAMP "reg0[14]" +#define REGBIT_PORT_SEC_DROP "reg0[15]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -3606,6 +3606,9 @@ ovn_port_update_sbrec(struct northd_input *input_data, sbrec_port_binding_set_tag(op->sb, op->nbsp->tag, op->nbsp->n_tag); sbrec_port_binding_set_mac(op->sb, (const char **) op->nbsp->addresses, op->nbsp->n_addresses); + sbrec_port_binding_set_port_security( + op->sb, (const char **) op->nbsp->port_security, + op->nbsp->n_port_security); struct smap ids = SMAP_INITIALIZER(&ids); smap_clone(&ids, &op->nbsp->external_ids); @@ -5015,332 +5018,6 @@ ovn_lflow_destroy(struct hmap *lflows, struct ovn_lflow *lflow) } } -/* Appends port security constraints on L2 address field 'eth_addr_field' - * (e.g. "eth.src" or "eth.dst") to 'match'. 'ps_addrs', with 'n_ps_addrs' - * elements, is the collection of port_security constraints from an - * OVN_NB Logical_Switch_Port row generated by extract_lsp_addresses(). */ -static void -build_port_security_l2(const char *eth_addr_field, - struct lport_addresses *ps_addrs, - unsigned int n_ps_addrs, - struct ds *match) -{ - if (!n_ps_addrs) { - return; - } - - ds_put_format(match, " && %s == {", eth_addr_field); - - for (size_t i = 0; i < n_ps_addrs; i++) { - ds_put_format(match, "%s ", ps_addrs[i].ea_s); - } - ds_chomp(match, ' '); - ds_put_cstr(match, "}"); -} - -static void -build_port_security_ipv6_nd_flow( - struct ds *match, struct eth_addr ea, struct ipv6_netaddr *ipv6_addrs, - int n_ipv6_addrs) -{ - ds_put_format(match, " && ip6 && nd && ((nd.sll == "ETH_ADDR_FMT" || " - "nd.sll == "ETH_ADDR_FMT") || ((nd.tll == "ETH_ADDR_FMT" || " - "nd.tll == "ETH_ADDR_FMT")", ETH_ADDR_ARGS(eth_addr_zero), - ETH_ADDR_ARGS(ea), ETH_ADDR_ARGS(eth_addr_zero), - ETH_ADDR_ARGS(ea)); - if (!n_ipv6_addrs) { - ds_put_cstr(match, "))"); - return; - } - - char ip6_str[INET6_ADDRSTRLEN + 1]; - struct in6_addr lla; - in6_generate_lla(ea, &lla); - memset(ip6_str, 0, sizeof(ip6_str)); - ipv6_string_mapped(ip6_str, &lla); - ds_put_format(match, " && (nd.target == %s", ip6_str); - - for (size_t i = 0; i < n_ipv6_addrs; i++) { - /* When the netmask is applied, if the host portion is - * non-zero, the host can only use the specified - * address in the nd.target. If zero, the host is allowed - * to use any address in the subnet. - */ - if (ipv6_addrs[i].plen == 128 - || !ipv6_addr_is_host_zero(&ipv6_addrs[i].addr, - &ipv6_addrs[i].mask)) { - ds_put_format(match, " || nd.target == %s", ipv6_addrs[i].addr_s); - } else { - ds_put_format(match, " || nd.target == %s/%d", - ipv6_addrs[i].network_s, ipv6_addrs[i].plen); - } - } - - ds_put_format(match, ")))"); -} - -static void -build_port_security_ipv6_flow( - enum ovn_pipeline pipeline, struct ds *match, struct eth_addr ea, - struct ipv6_netaddr *ipv6_addrs, int n_ipv6_addrs) -{ - char ip6_str[INET6_ADDRSTRLEN + 1]; - - ds_put_format(match, " && %s == {", - pipeline == P_IN ? "ip6.src" : "ip6.dst"); - - /* Allow link-local address. */ - struct in6_addr lla; - in6_generate_lla(ea, &lla); - ipv6_string_mapped(ip6_str, &lla); - ds_put_format(match, "%s, ", ip6_str); - - /* Allow ip6.dst=ff00::/8 for multicast packets */ - if (pipeline == P_OUT) { - ds_put_cstr(match, "ff00::/8, "); - } - for (size_t i = 0; i < n_ipv6_addrs; i++) { - /* When the netmask is applied, if the host portion is - * non-zero, the host can only use the specified - * address. If zero, the host is allowed to use any - * address in the subnet. - */ - if (ipv6_addrs[i].plen == 128 - || !ipv6_addr_is_host_zero(&ipv6_addrs[i].addr, - &ipv6_addrs[i].mask)) { - ds_put_format(match, "%s, ", ipv6_addrs[i].addr_s); - } else { - ds_put_format(match, "%s/%d, ", ipv6_addrs[i].network_s, - ipv6_addrs[i].plen); - } - } - /* Replace ", " by "}". */ - ds_chomp(match, ' '); - ds_chomp(match, ','); - ds_put_cstr(match, "}"); -} - -/** - * Build port security constraints on ARP and IPv6 ND fields - * and add logical flows to S_SWITCH_IN_PORT_SEC_ND stage. - * - * For each port security of the logical port, following - * logical flows are added - * - If the port security has no IP (both IPv4 and IPv6) or - * if it has IPv4 address(es) - * - Priority 90 flow to allow ARP packets for known MAC addresses - * in the eth.src and arp.spa fields. If the port security - * has IPv4 addresses, allow known IPv4 addresses in the arp.tpa field. - * - * - If the port security has no IP (both IPv4 and IPv6) or - * if it has IPv6 address(es) - * - Priority 90 flow to allow IPv6 ND packets for known MAC addresses - * in the eth.src and nd.sll/nd.tll fields. If the port security - * has IPv6 addresses, allow known IPv6 addresses in the nd.target field - * for IPv6 Neighbor Advertisement packet. - * - * - Priority 80 flow to drop ARP and IPv6 ND packets. - */ -static void -build_port_security_nd(struct ovn_port *op, struct hmap *lflows, - const struct ovsdb_idl_row *stage_hint) -{ - struct ds match = DS_EMPTY_INITIALIZER; - - for (size_t i = 0; i < op->n_ps_addrs; i++) { - struct lport_addresses *ps = &op->ps_addrs[i]; - - bool no_ip = !(ps->n_ipv4_addrs || ps->n_ipv6_addrs); - - ds_clear(&match); - if (ps->n_ipv4_addrs || no_ip) { - ds_put_format(&match, - "inport == %s && eth.src == %s && arp.sha == %s", - op->json_key, ps->ea_s, ps->ea_s); - - if (ps->n_ipv4_addrs) { - ds_put_cstr(&match, " && arp.spa == {"); - for (size_t j = 0; j < ps->n_ipv4_addrs; j++) { - /* When the netmask is applied, if the host portion is - * non-zero, the host can only use the specified - * address in the arp.spa. If zero, the host is allowed - * to use any address in the subnet. */ - if (ps->ipv4_addrs[j].plen == 32 - || ps->ipv4_addrs[j].addr & ~ps->ipv4_addrs[j].mask) { - ds_put_cstr(&match, ps->ipv4_addrs[j].addr_s); - } else { - ds_put_format(&match, "%s/%d", - ps->ipv4_addrs[j].network_s, - ps->ipv4_addrs[j].plen); - } - ds_put_cstr(&match, ", "); - } - ds_chomp(&match, ' '); - ds_chomp(&match, ','); - ds_put_cstr(&match, "}"); - } - ovn_lflow_add_with_lport_and_hint(lflows, op->od, - S_SWITCH_IN_PORT_SEC_ND, 90, - ds_cstr(&match), "next;", - op->key, stage_hint); - } - - if (ps->n_ipv6_addrs || no_ip) { - ds_clear(&match); - ds_put_format(&match, "inport == %s && eth.src == %s", - op->json_key, ps->ea_s); - build_port_security_ipv6_nd_flow(&match, ps->ea, ps->ipv6_addrs, - ps->n_ipv6_addrs); - ovn_lflow_add_with_lport_and_hint(lflows, op->od, - S_SWITCH_IN_PORT_SEC_ND, 90, - ds_cstr(&match), "next;", - op->key, stage_hint); - } - } - - ds_clear(&match); - ds_put_format(&match, "inport == %s && (arp || nd)", op->json_key); - ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, - 80, ds_cstr(&match), "drop;", op->key, - stage_hint); - ds_destroy(&match); -} - -/** - * Build port security constraints on IPv4 and IPv6 src and dst fields - * and add logical flows to S_SWITCH_(IN/OUT)_PORT_SEC_IP stage. - * - * For each port security of the logical port, following - * logical flows are added - * - If the port security has IPv4 addresses, - * - Priority 90 flow to allow IPv4 packets for known IPv4 addresses - * - * - If the port security has IPv6 addresses, - * - Priority 90 flow to allow IPv6 packets for known IPv6 addresses - * - * - If the port security has IPv4 addresses or IPv6 addresses or both - * - Priority 80 flow to drop all IPv4 and IPv6 traffic - */ -static void -build_port_security_ip(enum ovn_pipeline pipeline, struct ovn_port *op, - struct hmap *lflows, - const struct ovsdb_idl_row *stage_hint) -{ - char *port_direction; - enum ovn_stage stage; - if (pipeline == P_IN) { - port_direction = "inport"; - stage = S_SWITCH_IN_PORT_SEC_IP; - } else { - port_direction = "outport"; - stage = S_SWITCH_OUT_PORT_SEC_IP; - } - - for (size_t i = 0; i < op->n_ps_addrs; i++) { - struct lport_addresses *ps = &op->ps_addrs[i]; - - if (!(ps->n_ipv4_addrs || ps->n_ipv6_addrs)) { - continue; - } - - if (ps->n_ipv4_addrs) { - struct ds match = DS_EMPTY_INITIALIZER; - if (pipeline == P_IN) { - /* Permit use of the unspecified address for DHCP discovery */ - struct ds dhcp_match = DS_EMPTY_INITIALIZER; - ds_put_format(&dhcp_match, "inport == %s" - " && eth.src == %s" - " && ip4.src == 0.0.0.0" - " && ip4.dst == 255.255.255.255" - " && udp.src == 68 && udp.dst == 67", - op->json_key, ps->ea_s); - ovn_lflow_add_with_lport_and_hint(lflows, op->od, stage, 90, - ds_cstr(&dhcp_match), - "next;", op->key, - stage_hint); - ds_destroy(&dhcp_match); - ds_put_format(&match, "inport == %s && eth.src == %s" - " && ip4.src == {", op->json_key, - ps->ea_s); - } else { - ds_put_format(&match, "outport == %s && eth.dst == %s" - " && ip4.dst == {255.255.255.255, 224.0.0.0/4, ", - op->json_key, ps->ea_s); - } - - for (int j = 0; j < ps->n_ipv4_addrs; j++) { - ovs_be32 mask = ps->ipv4_addrs[j].mask; - /* When the netmask is applied, if the host portion is - * non-zero, the host can only use the specified - * address. If zero, the host is allowed to use any - * address in the subnet. - */ - if (ps->ipv4_addrs[j].plen == 32 - || ps->ipv4_addrs[j].addr & ~mask) { - ds_put_format(&match, "%s", ps->ipv4_addrs[j].addr_s); - if (pipeline == P_OUT && ps->ipv4_addrs[j].plen != 32) { - /* Host is also allowed to receive packets to the - * broadcast address in the specified subnet. */ - ds_put_format(&match, ", %s", - ps->ipv4_addrs[j].bcast_s); - } - } else { - /* host portion is zero */ - ds_put_format(&match, "%s/%d", ps->ipv4_addrs[j].network_s, - ps->ipv4_addrs[j].plen); - } - ds_put_cstr(&match, ", "); - } - - /* Replace ", " by "}". */ - ds_chomp(&match, ' '); - ds_chomp(&match, ','); - ds_put_cstr(&match, "}"); - ovn_lflow_add_with_lport_and_hint(lflows, op->od, stage, 90, - ds_cstr(&match), "next;", - op->key, stage_hint); - ds_destroy(&match); - } - - if (ps->n_ipv6_addrs) { - struct ds match = DS_EMPTY_INITIALIZER; - if (pipeline == P_IN) { - /* Permit use of unspecified address for duplicate address - * detection */ - struct ds dad_match = DS_EMPTY_INITIALIZER; - ds_put_format(&dad_match, "inport == %s" - " && eth.src == %s" - " && ip6.src == ::" - " && ip6.dst == ff02::/16" - " && icmp6.type == {131, 135, 143}", - op->json_key, ps->ea_s); - ovn_lflow_add_with_lport_and_hint(lflows, op->od, stage, 90, - ds_cstr(&dad_match), "next;", - op->key, stage_hint); - ds_destroy(&dad_match); - } - ds_put_format(&match, "%s == %s && %s == %s", - port_direction, op->json_key, - pipeline == P_IN ? "eth.src" : "eth.dst", ps->ea_s); - build_port_security_ipv6_flow(pipeline, &match, ps->ea, - ps->ipv6_addrs, ps->n_ipv6_addrs); - ovn_lflow_add_with_lport_and_hint(lflows, op->od, stage, 90, - ds_cstr(&match), "next;", - op->key, stage_hint); - ds_destroy(&match); - } - - char *match = xasprintf("%s == %s && %s == %s && ip", - port_direction, op->json_key, - pipeline == P_IN ? "eth.src" : "eth.dst", - ps->ea_s); - ovn_lflow_add_with_lport_and_hint(lflows, op->od, stage, 80, match, - "drop;", op->key, stage_hint); - free(match); - } - -} - static bool build_dhcpv4_action(struct ovn_port *op, ovs_be32 offer_ip, struct ds *options_action, struct ds *response_action, @@ -5620,27 +5297,22 @@ ls_get_acl_flags(struct ovn_datapath *od) } } -/* Logical switch ingress table 0: Ingress port security - L2 - * (priority 50). - * Ingress table 1: Ingress port security - IP (priority 90 and 80) - * Ingress table 2: Ingress port security - ND (priority 90 and 80) +/* Adds the logical flows in the (in/out) check port sec stage only if + * - the lport is disabled or + * - lport is of type vtep - to skip the ingress pipeline. + * - lport has qdisc queue id is configured. + * + * For all the other logical ports, generic flow added in + * build_lswitch_lflows_admission_control() handles the port security. */ static void -build_lswitch_input_port_sec_op( - struct ovn_port *op, struct hmap *lflows, - struct ds *actions, struct ds *match) +build_lswitch_port_sec_op(struct ovn_port *op, struct hmap *lflows, + struct ds *actions, struct ds *match) { - if (!op->nbsp) { return; } - if (!lsp_is_enabled(op->nbsp)) { - /* Drop packets from disabled logical ports (since logical flow - * tables are default-drop). */ - return; - } - if (lsp_is_external(op->nbsp)) { return; } @@ -5648,8 +5320,21 @@ build_lswitch_input_port_sec_op( ds_clear(match); ds_clear(actions); ds_put_format(match, "inport == %s", op->json_key); - build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, - match); + if (!lsp_is_enabled(op->nbsp)) { + /* Drop packets from disabled logical ports. */ + ovn_lflow_add_with_lport_and_hint( + lflows, op->od, S_SWITCH_IN_CHECK_PORT_SEC, + 100, ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;", + op->key, &op->nbsp->header_); + + ds_clear(match); + ds_put_format(match, "outport == %s", op->json_key); + ovn_lflow_add_with_lport_and_hint( + lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150, + ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;", + op->key, &op->nbsp->header_); + return; + } const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); if (queue_id) { @@ -5660,31 +5345,28 @@ build_lswitch_input_port_sec_op( ds_put_format(actions, REGBIT_FROM_RAMP" = 1; "); ds_put_format(actions, "next(pipeline=ingress, table=%d);", ovn_stage_get_table(S_SWITCH_IN_HAIRPIN)); - } else { - ds_put_cstr(actions, "next;"); - } - - ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, - 50, ds_cstr(match), ds_cstr(actions), - op->key, &op->nbsp->header_); - - if (op->nbsp->n_port_security) { - build_port_security_ip(P_IN, op, lflows, &op->nbsp->header_); - build_port_security_nd(op, lflows, &op->nbsp->header_); - } -} - -/* Ingress table 1 and 2: Port security - IP and ND, by default - * goto next. (priority 0) - */ -static void -build_lswitch_input_port_sec_od( - struct ovn_datapath *od, struct hmap *lflows) -{ + ovn_lflow_add_with_lport_and_hint(lflows, op->od, + S_SWITCH_IN_CHECK_PORT_SEC, 70, + ds_cstr(match), ds_cstr(actions), + op->key, &op->nbsp->header_); + } else if (queue_id) { + ds_put_cstr(actions, + REGBIT_PORT_SEC_DROP" = check_in_port_sec(); next;"); + ovn_lflow_add_with_lport_and_hint(lflows, op->od, + S_SWITCH_IN_CHECK_PORT_SEC, 70, + ds_cstr(match), ds_cstr(actions), + op->key, &op->nbsp->header_); - if (od->nbs) { - ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_ND, 0, "1", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_IP, 0, "1", "next;"); + if (!strcmp(op->nbsp->type, "localnet")) { + ds_clear(match); + ds_clear(actions); + ds_put_format(match, "outport == %s", op->json_key); + ds_put_format(actions, "set_queue(%s); output;", queue_id); + ovn_lflow_add_with_lport_and_hint(lflows, op->od, + S_SWITCH_OUT_APPLY_PORT_SEC, 100, + ds_cstr(match), ds_cstr(actions), + op->key, &op->nbsp->header_); + } } } @@ -5726,58 +5408,6 @@ build_lswitch_learn_fdb_od( } } -/* Egress table 8: Egress port security - IP (priorities 90 and 80) - * if port security enabled. - * - * Egress table 9: Egress port security - L2 (priorities 50 and 150). - * - * Priority 50 rules implement port security for enabled logical port. - * - * Priority 150 rules drop packets to disabled logical ports, so that - * they don't even receive multicast or broadcast packets. - */ -static void -build_lswitch_output_port_sec_op(struct ovn_port *op, - struct hmap *lflows, - struct ds *match, - struct ds *actions) -{ - - if (op->nbsp && (!lsp_is_external(op->nbsp))) { - - ds_clear(actions); - ds_clear(match); - - ds_put_format(match, "outport == %s", op->json_key); - if (lsp_is_enabled(op->nbsp)) { - build_port_security_l2("eth.dst", op->ps_addrs, op->n_ps_addrs, - match); - - if (!strcmp(op->nbsp->type, "localnet")) { - const char *queue_id = smap_get(&op->sb->options, - "qdisc_queue_id"); - if (queue_id) { - ds_put_format(actions, "set_queue(%s); ", queue_id); - } - } - ds_put_cstr(actions, "output;"); - ovn_lflow_add_with_lport_and_hint(lflows, op->od, - S_SWITCH_OUT_PORT_SEC_L2, 50, - ds_cstr(match), ds_cstr(actions), - op->key, &op->nbsp->header_); - } else { - ovn_lflow_add_with_lport_and_hint(lflows, op->od, - S_SWITCH_OUT_PORT_SEC_L2, 150, - ds_cstr(match), "drop;", op->key, - &op->nbsp->header_); - } - - if (op->nbsp->n_port_security) { - build_port_security_ip(P_OUT, op, lflows, &op->nbsp->header_); - } - } -} - /* Egress tables 8: Egress port security - IP (priority 0) * Egress table 9: Egress port security L2 - multicast/broadcast * (priority 100). */ @@ -5786,9 +5416,16 @@ build_lswitch_output_port_sec_od(struct ovn_datapath *od, struct hmap *lflows) { if (od->nbs) { - ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_IP, 0, "1", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_L2, 100, "eth.mcast", - "output;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_CHECK_PORT_SEC, 100, + "eth.mcast", REGBIT_PORT_SEC_DROP" = 0; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_CHECK_PORT_SEC, 0, "1", + REGBIT_PORT_SEC_DROP" = check_out_port_sec(); next;"); + + ovn_lflow_add(lflows, od, S_SWITCH_OUT_APPLY_PORT_SEC, 50, + REGBIT_PORT_SEC_DROP" == 1", "drop;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_APPLY_PORT_SEC, 0, + "1", "output;"); + } } @@ -7947,17 +7584,21 @@ build_lswitch_lflows_admission_control(struct ovn_datapath *od, /* Logical VLANs not supported. */ if (!is_vlan_transparent(od)) { /* Block logical VLANs. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, + ovn_lflow_add(lflows, od, S_SWITCH_IN_CHECK_PORT_SEC, 100, "vlan.present", "drop;"); } /* Broadcast/multicast source address is invalid. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]", - "drop;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_CHECK_PORT_SEC, 100, + "eth.src[40]", "drop;"); + + ovn_lflow_add(lflows, od, S_SWITCH_IN_CHECK_PORT_SEC, 50, "1", + REGBIT_PORT_SEC_DROP" = check_in_port_sec(); next;"); + + ovn_lflow_add(lflows, od, S_SWITCH_IN_APPLY_PORT_SEC, 50, + REGBIT_PORT_SEC_DROP" == 1", "drop;"); - /* Port security flows have priority 50 - * (see build_lswitch_input_port_sec()) and will continue - * to the next table if packet source is acceptable. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_APPLY_PORT_SEC, 0, "1", "next;"); } } @@ -13863,7 +13504,6 @@ build_lswitch_and_lrouter_iterate_by_od(struct ovn_datapath *od, build_fwd_group_lflows(od, lsi->lflows); build_lswitch_lflows_admission_control(od, lsi->lflows); - build_lswitch_input_port_sec_od(od, lsi->lflows); build_lswitch_learn_fdb_od(od, lsi->lflows); build_lswitch_arp_nd_responder_default(od, lsi->lflows); build_lswitch_dns_lookup_and_response(od, lsi->lflows, lsi->meter_groups); @@ -13904,8 +13544,7 @@ build_lswitch_and_lrouter_iterate_by_op(struct ovn_port *op, struct lswitch_flow_build_info *lsi) { /* Build Logical Switch Flows. */ - build_lswitch_input_port_sec_op(op, lsi->lflows, &lsi->actions, - &lsi->match); + build_lswitch_port_sec_op(op, lsi->lflows, &lsi->actions, &lsi->match); build_lswitch_learn_fdb_op(op, lsi->lflows, &lsi->actions, &lsi->match); build_lswitch_arp_nd_responder_skip_local(op, lsi->lflows, @@ -13920,8 +13559,6 @@ build_lswitch_and_lrouter_iterate_by_op(struct ovn_port *op, build_lswitch_external_port(op, lsi->lflows); build_lswitch_ip_unicast_lookup(op, lsi->lflows, lsi->mcgroups, &lsi->actions, &lsi->match); - build_lswitch_output_port_sec_op(op, lsi->lflows, - &lsi->actions, &lsi->match); /* Build Logical Router Flows. */ build_adm_ctrl_flows_for_lrouter_port(op, lsi->lflows, &lsi->match, diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 73ecfbc2d9..10fc3bcc89 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -291,7 +291,7 @@ <h2>Logical Switch Datapaths</h2> - <h3>Ingress Table 0: Admission Control and Ingress Port Security - L2</h3> + <h3>Ingress Table 0: Admission Control and Ingress Port Security check</h3> <p> Ingress table 0 contains these logical flows: @@ -304,122 +304,60 @@ </li> <li> - Priority 50 flows that implement ingress port security for each enabled - logical port. For logical ports on which port security is enabled, - these match the <code>inport</code> and the valid <code>eth.src</code> - address(es) and advance only those packets to the next flow table. For - logical ports on which port security is not enabled, these advance all - packets that match the <code>inport</code>. + For each disabled logical port, a priority 100 flow is added which + matches on all packets and applies the action + <code>REGBIT_PORT_SEC_DROP" = 1; next;"</code> so that the packets are + dropped in the next stage. </li> + <li> - For logical ports of type <code>vtep</code>, the above logical flow - will apply the action + For each (enabled) vtep logical port, a priority 70 flow is added which + matches on all packets and applies the action <code>next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP) = 1;</code> to skip most stages of ingress pipeline and go directly to ingress L2 lookup table to determine the output port. Packets from VTEP (RAMP) switch should not be subjected to any ACL checks. Egress pipeline will do the ACL checks. </li> - </ul> - - <p> - There are no flows for disabled logical ports because the default-drop - behavior of logical flow tables causes packets that ingress from them to - be dropped. - </p> - - <h3>Ingress Table 1: Ingress Port Security - IP</h3> - - <p> - Ingress table 1 contains these logical flows: - </p> - <ul> <li> - <p> - For each element in the port security set having one or more IPv4 or - IPv6 addresses (or both), - </p> - - <ul> - <li> - Priority 90 flow to allow IPv4 traffic if it has IPv4 addresses - which match the <code>inport</code>, valid <code>eth.src</code> - and valid <code>ip4.src</code> address(es). - </li> - - <li> - Priority 90 flow to allow IPv4 DHCP discovery traffic if it has a - valid <code>eth.src</code>. This is necessary since DHCP discovery - messages are sent from the unspecified IPv4 address (0.0.0.0) since - the IPv4 address has not yet been assigned. - </li> - - <li> - Priority 90 flow to allow IPv6 traffic if it has IPv6 addresses - which match the <code>inport</code>, valid <code>eth.src</code> and - valid <code>ip6.src</code> address(es). - </li> - - <li> - Priority 90 flow to allow IPv6 DAD (Duplicate Address Detection) - traffic if it has a valid <code>eth.src</code>. This is is - necessary since DAD include requires joining an multicast group and - sending neighbor solicitations for the newly assigned address. Since - no address is yet assigned, these are sent from the unspecified - IPv6 address (::). - </li> - - <li> - Priority 80 flow to drop IP (both IPv4 and IPv6) traffic which - match the <code>inport</code> and valid <code>eth.src</code>. - </li> - </ul> + For each enabled logical port configured with qdisc queue id in the + <ref column="options:qdisc_queue_id" table="Logical_Switch_Port" + db="OVN_Northbound"/> column of <ref table="Logical_Switch_Port" + db="OVN_Northbound"/>, a priority 70 flow is added which + matches on all packets and applies the action + <code>set_queue(id); + REGBIT_PORT_SEC_DROP" = check_in_port_sec(); next;"</code>. </li> <li> - One priority-0 fallback flow that matches all packets and advances to - the next table. + A priority 1 flow is added which matches on all packets for all the + logical ports and applies the action + <code>REGBIT_PORT_SEC_DROP" = check_in_port_sec(); next;</code> to + evaluate the port security. The action <code>check_in_port_sec</code> + applies the port security rules defined in the + <ref column="port_security" table="Logical_Switch_Port" + db="OVN_Northbound"/> column of <ref table="Logical_Switch_Port" + db="OVN_Northbound"/> table. </li> </ul> - <h3>Ingress Table 2: Ingress Port Security - Neighbor discovery</h3> + <h3>Ingress Table 1: Ingress Port Security - Apply</h3> + + <p> + This table drops the packets if the port security check failed + in the previous stage i.e the register bit + <code>REGBIT_PORT_SEC_DROP</code> is set to 1. + </p> <p> - Ingress table 2 contains these logical flows: + Ingress table 1 contains these logical flows: </p> <ul> <li> - <p> - For each element in the port security set, - </p> - - <ul> - <li> - Priority 90 flow to allow ARP traffic which match the - <code>inport</code> and valid <code>eth.src</code> and - <code>arp.sha</code>. If the element has one or more - IPv4 addresses, then it also matches the valid - <code>arp.spa</code>. - </li> - - <li> - Priority 90 flow to allow IPv6 Neighbor Solicitation and - Advertisement traffic which match the <code>inport</code>, - valid <code>eth.src</code> and - <code>nd.sll</code>/<code>nd.tll</code>. - If the element has one or more IPv6 addresses, then it also - matches the valid <code>nd.target</code> address(es) for Neighbor - Advertisement traffic. - </li> - - <li> - Priority 80 flow to drop ARP and IPv6 Neighbor Solicitation and - Advertisement traffic which match the <code>inport</code> and - valid <code>eth.src</code>. - </li> - </ul> + A priority-50 fallback flow that drops the packet if the register + bit <code>REGBIT_PORT_SEC_DROP</code> is set to 1. </li> <li> @@ -428,7 +366,7 @@ </li> </ul> - <h3>Ingress Table 3: Lookup MAC address learning table</h3> + <h3>Ingress Table 2: Lookup MAC address learning table</h3> <p> This table looks up the MAC learning table of the logical switch @@ -460,7 +398,7 @@ </li> </ul> - <h3>Ingress Table 4: Learn MAC of 'unknown' ports.</h3> + <h3>Ingress Table 3: Learn MAC of 'unknown' ports.</h3> <p> This table learns the MAC addresses seen on the logical ports @@ -494,7 +432,7 @@ </li> </ul> - <h3>Ingress Table 5: <code>from-lport</code> Pre-ACLs</h3> + <h3>Ingress Table 4: <code>from-lport</code> Pre-ACLs</h3> <p> This table prepares flows for possible stateful ACL processing in @@ -521,7 +459,7 @@ db="OVN_Northbound"/> table. </p> - <h3>Ingress Table 6: Pre-LB</h3> + <h3>Ingress Table 5: Pre-LB</h3> <p> This table prepares flows for possible stateful load balancing processing @@ -595,7 +533,7 @@ logical router datapath to logical switch datapath. </p> - <h3>Ingress Table 7: Pre-stateful</h3> + <h3>Ingress Table 6: Pre-stateful</h3> <p> This table prepares flows for all possible stateful processing @@ -633,7 +571,7 @@ </li> </ul> - <h3>Ingress Table 8: <code>from-lport</code> ACL hints</h3> + <h3>Ingress Table 7: <code>from-lport</code> ACL hints</h3> <p> This table consists of logical flows that set hints @@ -718,7 +656,7 @@ </li> </ul> - <h3>Ingress table 9: <code>from-lport</code> ACLs before LB</h3> + <h3>Ingress table 8: <code>from-lport</code> ACLs before LB</h3> <p> Logical flows in this table closely reproduce those in the @@ -881,7 +819,7 @@ </li> </ul> - <h3>Ingress Table 10: <code>from-lport</code> QoS Marking</h3> + <h3>Ingress Table 9: <code>from-lport</code> QoS Marking</h3> <p> Logical flows in this table closely reproduce those in the @@ -903,7 +841,7 @@ </li> </ul> - <h3>Ingress Table 11: <code>from-lport</code> QoS Meter</h3> + <h3>Ingress Table 10: <code>from-lport</code> QoS Meter</h3> <p> Logical flows in this table closely reproduce those in the @@ -925,7 +863,7 @@ </li> </ul> - <h3>Ingress Table 12: LB</h3> + <h3>Ingress Table 11: LB</h3> <ul> <li> @@ -978,7 +916,7 @@ </li> </ul> - <h3>Ingress table 13: <code>from-lport</code> ACLs after LB</h3> + <h3>Ingress table 12: <code>from-lport</code> ACLs after LB</h3> <p> Logical flows in this table closely reproduce those in the @@ -1040,7 +978,7 @@ </li> </ul> - <h3>Ingress Table 14: Stateful</h3> + <h3>Ingress Table 13: Stateful</h3> <ul> <li> @@ -1063,7 +1001,7 @@ </li> </ul> - <h3>Ingress Table 15: Pre-Hairpin</h3> + <h3>Ingress Table 14: Pre-Hairpin</h3> <ul> <li> If the logical switch has load balancer(s) configured, then a @@ -1081,7 +1019,7 @@ </li> </ul> - <h3>Ingress Table 16: Nat-Hairpin</h3> + <h3>Ingress Table 15: Nat-Hairpin</h3> <ul> <li> If the logical switch has load balancer(s) configured, then a @@ -1116,7 +1054,7 @@ </li> </ul> - <h3>Ingress Table 17: Hairpin</h3> + <h3>Ingress Table 16: Hairpin</h3> <ul> <li> <p> @@ -1150,7 +1088,7 @@ </li> </ul> - <h3>Ingress Table 18: ARP/ND responder</h3> + <h3>Ingress Table 17: ARP/ND responder</h3> <p> This table implements ARP/ND responder in a logical switch for known @@ -1452,7 +1390,7 @@ output; </li> </ul> - <h3>Ingress Table 19: DHCP option processing</h3> + <h3>Ingress Table 18: DHCP option processing</h3> <p> This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1513,7 +1451,7 @@ next; </li> </ul> - <h3>Ingress Table 20: DHCP responses</h3> + <h3>Ingress Table 19: DHCP responses</h3> <p> This table implements DHCP responder for the DHCP replies generated by @@ -1594,7 +1532,7 @@ output; </li> </ul> - <h3>Ingress Table 21 DNS Lookup</h3> + <h3>Ingress Table 20 DNS Lookup</h3> <p> This table looks up and resolves the DNS names to the corresponding @@ -1623,7 +1561,7 @@ reg0[4] = dns_lookup(); next; </li> </ul> - <h3>Ingress Table 22 DNS Responses</h3> + <h3>Ingress Table 21 DNS Responses</h3> <p> This table implements DNS responder for the DNS replies generated by @@ -1658,7 +1596,7 @@ output; </li> </ul> - <h3>Ingress table 23 External ports</h3> + <h3>Ingress table 22 External ports</h3> <p> Traffic from the <code>external</code> logical ports enter the ingress @@ -1701,7 +1639,7 @@ output; </li> </ul> - <h3>Ingress Table 24 Destination Lookup</h3> + <h3>Ingress Table 23 Destination Lookup</h3> <p> This table implements switching behavior. It contains these logical @@ -1873,7 +1811,7 @@ output; </li> </ul> - <h3>Ingress Table 25 Destination unknown</h3> + <h3>Ingress Table 24 Destination unknown</h3> <p> This table handles the packets whose destination was not found or @@ -2063,38 +2001,83 @@ output; there are no rules added for load balancing new connections. </p> - <h3>Egress Table 8: Egress Port Security - IP</h3> + <h3>Egress Table 8: Egress Port Security - check</h3> <p> This is similar to the port security logic in table - <code>Ingress Port Security - IP</code> except that <code>outport</code>, - <code>eth.dst</code>, <code>ip4.dst</code> and <code>ip6.dst</code> - are checked instead of <code>inport</code>, <code>eth.src</code>, - <code>ip4.src</code> and <code>ip6.src</code> + <code>Ingress Port Security check</code> except that action + <code>check_out_port_sec</code> is used to check the port security + rules. This table adds the below logical flows. </p> - <h3>Egress Table 9: Egress Port Security - L2</h3> + <ul> + <li> + A priority 100 flow which matches on the multicast traffic and applies + the action <code>REGBIT_PORT_SEC_DROP" = 0; next;"</code> to skip + the out port security checks. + </li> + + <li> + For each disabled logical port, a priority 150 flow is added which + matches on all packets and applies the action + <code>REGBIT_PORT_SEC_DROP" = 1; next;"</code> so that the packets are + dropped in the next stage. + </li> + + <li> + A priority 0 logical flow is added which matches on all the packets + and applies the action + <code>REGBIT_PORT_SEC_DROP" = check_out_port_sec(); next;"</code>. + The action <code>check_out_port_sec</code> applies the port security + rules based on the addresses defined in the + <ref column="port_security" table="Logical_Switch_Port" + db="OVN_Northbound"/> column of <ref table="Logical_Switch_Port" + db="OVN_Northbound"/> table before delivering the packet to the + <code>outport</code>. + </li> + </ul> + + <h3>Egress Table 9: Egress Port Security - Apply</h3> <p> This is similar to the ingress port security logic in ingress table - <code>Admission Control and Ingress Port Security - L2</code>, - but with important differences. Most obviously, <code>outport</code> and - <code>eth.dst</code> are checked instead of <code>inport</code> and - <code>eth.src</code>. Second, packets directed to broadcast or multicast - <code>eth.dst</code> are always accepted instead of being subject to the - port security rules; this is implemented through a priority-100 flow that - matches on <code>eth.mcast</code> with action <code>output;</code>. - Moreover, to ensure that even broadcast and multicast packets are not - delivered to disabled logical ports, a priority-150 flow for each - disabled logical <code>outport</code> overrides the priority-100 flow - with a <code>drop;</code> action. - Finally if egress qos has been enabled on a localnet port, the outgoing - queue id is set through <code>set_queue</code> action. Please remember to - mark the corresponding physical interface with - <code>ovn-egress-iface</code> set to true in <ref column="external_ids" - table="Interface" db="Open_vSwitch"/> + <code>A Ingress Port Security - Apply</code>. This table drops the + packets if the port security check failed in the previous stage i.e + the register bit <code>REGBIT_PORT_SEC_DROP</code> is set to 1. </p> + <p> + The following flows are added. + </p> + + <ul> + <li> + <p> + For each localnet port configured with egress qos in the + <ref column="options:qdisc_queue_id" table="Logical_Switch_Port" + db="OVN_Northbound"/> column of <ref table="Logical_Switch_Port" + db="OVN_Northbound"/>, a priority 100 flow is added which + matches on the localnet <code>outport</code> and applies the action + <code>set_queue(id); output;"</code>. + </p> + + <p> + Please remember to mark the corresponding physical interface with + <code>ovn-egress-iface</code> set to true in + <ref column="external_ids" table="Interface" db="Open_vSwitch"/>. + </p> + </li> + + <li> + A priority-50 flow that drops the packet if the register + bit <code>REGBIT_PORT_SEC_DROP</code> is set to 1. + </li> + + <li> + A priority-0 flow that outputs the packet to the <code>outport</code>. + </li> + </ul> + <h2>Logical Router Datapaths</h2> <p> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 1804067cbe..20ec14bed8 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -2043,10 +2043,10 @@ AT_CAPTURE_FILE([sw1flows]) AT_CHECK( [grep -E 'ls_(in|out)_acl' sw0flows sw1flows | grep pg0 | sort], [0], [dnl -sw0flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw0flows: table=9 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) -sw1flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw1flows: table=9 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) +sw0flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw0flows: table=8 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) +sw1flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw1flows: table=8 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) ]) AS_BOX([2]) @@ -2059,10 +2059,10 @@ ovn-sbctl dump-flows sw1 > sw1flows2 AT_CAPTURE_FILE([sw1flows2]) AT_CHECK([grep "ls_out_acl" sw0flows2 sw1flows2 | grep pg0 | sort], [0], [dnl -sw0flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw0flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw1flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw1flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) +sw0flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw0flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw1flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw1flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) ]) AS_BOX([3]) @@ -2077,16 +2077,16 @@ AT_CAPTURE_FILE([sw1flows3]) AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 | sort], [0], [dnl sw0flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) sw0flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) -sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) +sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) sw1flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) sw1flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) -sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) -sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) +sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) +sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) ]) AT_CLEANUP ]) @@ -2238,18 +2238,18 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=8 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=9 (ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=9 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) - table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) - table=9 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=8 (ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) + table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) + table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) ]) AS_BOX([Check match ct_state with load balancer]) @@ -2260,7 +2260,7 @@ check ovn-nbctl --wait=sb \ -- ls-lb-add ls lb AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl - table=13(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=12(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) table=3 (ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -2279,35 +2279,35 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=8 (ls_in_acl_hint ), priority=0 , match=(1), action=(next;) - table=8 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=8 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=9 (ls_in_acl ), priority=0 , match=(1), action=(next;) - table=9 (ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=9 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=9 (ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg0[[1]] = 1; next;) - table=9 (ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(next;) - table=9 (ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) - table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) - table=9 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=9 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=7 (ls_in_acl_hint ), priority=0 , match=(1), action=(next;) + table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) + table=8 (ls_in_acl ), priority=0 , match=(1), action=(next;) + table=8 (ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(next;) + table=8 (ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) + table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) + table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) + table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=8 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) ]) ovn-nbctl --wait=sb clear logical_switch ls acls ovn-nbctl --wait=sb clear logical_switch ls load_balancer AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl - table=13(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=12(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) table=3 (ls_out_acl_hint ), priority=65535, match=(1), action=(next;) table=4 (ls_out_acl ), priority=65535, match=(1), action=(next;) - table=8 (ls_in_acl_hint ), priority=65535, match=(1), action=(next;) - table=9 (ls_in_acl ), priority=65535, match=(1), action=(next;) + table=7 (ls_in_acl_hint ), priority=65535, match=(1), action=(next;) + table=8 (ls_in_acl ), priority=65535, match=(1), action=(next;) ]) @@ -3942,37 +3942,37 @@ check_stateful_flows() { ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) - AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl - table=6 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;) - table=6 (ls_in_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(eth.mcast), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) + AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_pre_lb ), priority=0 , match=(1), action=(next;) + table=? (ls_in_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;) + table=? (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) + table=? (ls_in_pre_lb ), priority=110 , match=(eth.mcast), action=(next;) + table=? (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) + table=? (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) ]) - AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;) - table=7 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;) + AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;) + table=? (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;) + table=? (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;) ]) - AT_CHECK([grep "ls_in_lb" sw0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.4:8080);) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.20; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.40:8080);) + AT_CHECK([grep "ls_in_lb" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.4:8080);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.20; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.40:8080);) ]) - AT_CHECK([grep "ls_in_stateful" sw0flows | sort], [0], [dnl - table=14(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl + table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | sort], [0], [dnl @@ -4015,34 +4015,34 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl - table=6 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(eth.mcast), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) +AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_pre_lb ), priority=0 , match=(1), action=(next;) + table=? (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) + table=? (ls_in_pre_lb ), priority=110 , match=(eth.mcast), action=(next;) + table=? (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) + table=? (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) ]) -AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;) - table=7 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;) - table=7 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;) +AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;) + table=? (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;) + table=? (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;) + table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;) ]) -AT_CHECK([grep "ls_in_lb" sw0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "ls_in_stateful" sw0flows | sort], [0], [dnl - table=14(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl + table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | sort], [0], [dnl @@ -4081,14 +4081,14 @@ check ovn-nbctl --wait=sb --label=1234 acl-add sw0 from-lport 1002 tcp allow-rel ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=9 (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=9 (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) ]) -AT_CHECK([grep "ls_in_stateful" sw0flows | sort], [0], [dnl - table=14(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl + table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl @@ -4108,16 +4108,16 @@ check ovn-nbctl --wait=sb acl-add sw0 from-lport 1002 udp allow-related ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=9 (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=9 (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=9 (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=9 (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) + table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) ]) -AT_CHECK([grep "ls_in_stateful" sw0flows | sort], [0], [dnl - table=14(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl + table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl @@ -4139,14 +4139,14 @@ check ovn-nbctl --wait=sb acl-del sw0 from-lport 1002 tcp ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=9 (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=9 (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) + table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) ]) -AT_CHECK([grep "ls_in_stateful" sw0flows | sort], [0], [dnl - table=14(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=14(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl + table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl @@ -4173,18 +4173,18 @@ check ovn-nbctl --wait=sb acl-add sw0 to-lport 1002 ip allow-related ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort], [0], [dnl - table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) - table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) - table=9 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=9 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) + table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) + table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) + table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) + table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) ]) # Disable ct.inv usage. @@ -4193,18 +4193,18 @@ check ovn-nbctl --wait=sb set NB_Global . options:use_ct_inv_match=false ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort], [0], [dnl - table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(next;) - table=9 (ls_in_acl ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) - table=9 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(next;) + table=? (ls_in_acl ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) + table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(next;) + table=? (ls_out_acl ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(next;) + table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) ]) AT_CHECK([grep -c "ct.inv" sw0flows], [1], [dnl @@ -4217,18 +4217,18 @@ check ovn-nbctl --wait=sb set NB_Global . options:use_ct_inv_match=true ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort], [0], [dnl - table=9 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) - table=9 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) - table=9 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=9 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) + table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;) + table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) + table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) + table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) ]) AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl @@ -5449,7 +5449,13 @@ check ovn-nbctl lsp-add sw0 lsp0 \ check ovn-nbctl --wait=sb sync AT_CHECK([ovn-sbctl --columns=tags list logical_flow | grep lsp0 -c], [0], [dnl -10 +1 +]) + +check ovn-nbctl set logical_switch_port lsp0 enabled=false +check ovn-nbctl --wait=sb sync +AT_CHECK([ovn-sbctl --columns=tags list logical_flow | grep lsp0 -c], [0], [dnl +3 ]) AT_CLEANUP @@ -7180,3 +7186,126 @@ ct_next(ct_state=new|trk); AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([Port security lflows]) +ovn_start + +# Create logical routers +check ovn-nbctl --wait=sb ls-add sw0 + +ovn-sbctl dump-flows sw0 > sw0flows +AT_CAPTURE_FILE([sw0flows]) + +AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl + table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +]) + +check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 "00:00:00:00:00:01" +check ovn-nbctl lsp-add sw0 sw0p2 -- lsp-set-addresses sw0p2 "00:00:00:00:00:02" +check ovn-nbctl --wait=sb lsp-add sw0 localnetport -- lsp-set-type localnetport localnet + +ovn-sbctl dump-flows sw0 > sw0flows +AT_CAPTURE_FILE([sw0flows]) + +AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl + table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +]) + +check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3 1000::3" +check ovn-nbctl --wait=sb lsp-set-port-security sw0p2 "00:00:00:00:00:02 10.0.0.4 1000::4" + +ovn-sbctl dump-flows sw0 > sw0flows +AT_CAPTURE_FILE([sw0flows]) + +AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl + table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +]) + +# Disable sw0p1 +check ovn-nbctl --wait=sb set logical_switch_port sw0p1 enabled=false + +ovn-sbctl dump-flows sw0 > sw0flows +AT_CAPTURE_FILE([sw0flows]) + +AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl + table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +]) + +check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 +ovn-sbctl dump-flows sw0 > sw0flows +AT_CAPTURE_FILE([sw0flows]) + +AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl + table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +]) + +check ovn-nbctl set logical_switch_port sw0p1 enabled=true +check ovn-nbctl lsp-set-type sw0p1 vtep +check ovn-nbctl --wait=sb lsp-set-options localnetport qdisc_queue_id=10 +ovn-sbctl dump-flows sw0 > sw0flows +AT_CAPTURE_FILE([sw0flows]) + +AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl + table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_check_port_sec), priority=50 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) + table=? (ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=? (ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) + table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +]) + +AT_CLEANUP +]) diff --git a/tests/ovn.at b/tests/ovn.at index 45cc6d5483..8d4f914462 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -4270,7 +4270,7 @@ response=${sha}${lrpmac}08060001080006040002${lrpmac}${tpa}${sha}${spa} echo $response >> 3.expected AT_CHECK([ovn-sbctl lflow-list lsw0 | grep 'reg0[\[14\]]' | sort | sed 's/table=../table=??/g'], [0], [dnl - table=??(ls_in_port_sec_l2 ), priority=50 , match=(inport == "lp-vtep"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=??);) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "lp-vtep"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=??);) table=??(ls_in_hairpin ), priority=1000 , match=(reg0[[14]] == 1), action=(next(pipeline=ingress, table=??);) table=??(ls_in_hairpin ), priority=2000 , match=(reg0[[14]] == 1 && (is_chassis_resident("cr-lrp1") || is_chassis_resident("cr-lrp2"))), action=(next;) ]) @@ -14816,7 +14816,7 @@ ovn-sbctl dump-flows sw0 > sw0-flows AT_CAPTURE_FILE([sw0-flows]) AT_CHECK([grep -E 'ls_(in|out)_acl' sw0-flows |grep reject| sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_out_acl ), priority=2002 , match=(ip), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=24); };) + table=??(ls_out_acl ), priority=2002 , match=(ip), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=23); };) ]) @@ -16793,17 +16793,17 @@ ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys AT_CHECK([ovn-sbctl dump-flows ls1 | grep "offerip = 10.0.0.6" | \ wc -l], [0], [0 ]) -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=25 | \ +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=26 | \ grep controller | grep "0a.00.00.06" | wc -l], [0], [0 ]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=25 | \ +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=26 | \ grep controller | grep "0a.00.00.06" | wc -l], [0], [0 ]) -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=25 | \ +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=26 | \ grep controller | grep tp_src=546 | grep \ "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 ]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=25 | \ +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=26 | \ grep controller | grep tp_src=546 | grep \ "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 ]) @@ -17415,7 +17415,7 @@ wait_for_ports_up ls1-lp_ext1 # There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined # to router mac. AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \ -table=31,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ +table=30,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ grep -c "actions=drop"], [0], [1 ]) # Stop ovn-controllers on hv1 and hv3. @@ -19091,7 +19091,7 @@ check_row_count Port_Binding 1 logical_port=sw0-vir virtual_parent=sw0-p1 wait_for_ports_up sw0-vir check ovn-nbctl --wait=hv sync AT_CHECK([test 2 = `cat hv1/ovn-controller.log | grep "pinctrl received packet-in" | \ -grep opcode=BIND_VPORT | grep OF_Table_ID=26 | wc -l`]) +grep opcode=BIND_VPORT | grep OF_Table_ID=25 | wc -l`]) wait_row_count Port_Binding 1 logical_port=sw0-vir6 chassis=$hv1_ch_uuid check_row_count Port_Binding 1 logical_port=sw0-vir6 virtual_parent=sw0-p1 @@ -27010,12 +27010,8 @@ ovs-vsctl -- add-port br-int hv1-vif1 -- \ wait_for_ports_up ovn-nbctl --wait=hv sync -# Expected conjunction flows: -# ... nd_tll=00:00:00:00:00:00 actions=conjunction(2,2/2) -# ... nd_tll=f0:00:00:00:00:01 actions=conjunction(2,2/2) -# ... nd_target=fe80::f200:ff:fe00:1 actions=conjunction(2,1/2) -# ... nd_target=2001::1 actions=conjunction(2,1/2) -OVS_WAIT_UNTIL([test 4 = `as hv1 ovs-ofctl dump-flows br-int | \ +# Expected conjunction flows: None +OVS_WAIT_UNTIL([test 0 = `as hv1 ovs-ofctl dump-flows br-int | \ grep conjunction | wc -l`]) # unbind the port @@ -27025,7 +27021,7 @@ grep conjunction | wc -l`]) # bind the port again ovs-vsctl set interface hv1-vif1 external_ids:iface-id=lsp1 -OVS_WAIT_UNTIL([test 4 = `as hv1 ovs-ofctl dump-flows br-int | \ +OVS_WAIT_UNTIL([test 0 = `as hv1 ovs-ofctl dump-flows br-int | \ grep conjunction | wc -l`]) # unbind the port again @@ -28163,20 +28159,20 @@ ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep "ls_in_lookup_fdb" sw0flows | sort], [0], [dnl - table=3 (ls_in_lookup_fdb ), priority=0 , dnl + table=2 (ls_in_lookup_fdb ), priority=0 , dnl match=(1), action=(next;) - table=3 (ls_in_lookup_fdb ), priority=100 , dnl + table=2 (ls_in_lookup_fdb ), priority=100 , dnl match=(inport == "sw0-p1"), action=(reg0[[11]] = lookup_fdb(inport, eth.src); next;) - table=3 (ls_in_lookup_fdb ), priority=100 , dnl + table=2 (ls_in_lookup_fdb ), priority=100 , dnl match=(inport == "sw0-p3"), action=(reg0[[11]] = lookup_fdb(inport, eth.src); next;) ]) AT_CHECK([grep "ls_in_put_fdb" sw0flows | sort], [0], [dnl - table=4 (ls_in_put_fdb ), priority=0 , dnl + table=3 (ls_in_put_fdb ), priority=0 , dnl match=(1), action=(next;) - table=4 (ls_in_put_fdb ), priority=100 , dnl + table=3 (ls_in_put_fdb ), priority=100 , dnl match=(inport == "sw0-p1" && reg0[[11]] == 0), action=(put_fdb(inport, eth.src); next;) - table=4 (ls_in_put_fdb ), priority=100 , dnl + table=3 (ls_in_put_fdb ), priority=100 , dnl match=(inport == "sw0-p3" && reg0[[11]] == 0), action=(put_fdb(inport, eth.src); next;) ]) @@ -29319,7 +29315,7 @@ rtr_port_key=$(fetch_column Port_Binding tunnel_key logical_port=ls_lr) # Check that ovn-controller adds a flow to drop packets with dest IP # 42.42.42.42 coming from the router port. -AT_CHECK([ovs-ofctl dump-flows br-int table=17 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=drop" -c], [0], [dnl +AT_CHECK([ovs-ofctl dump-flows br-int table=16 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=drop" -c], [0], [dnl 1 ]) @@ -29948,15 +29944,15 @@ done check ovn-nbctl --wait=hv sync # hv0 should see flows for lsp1 but not lsp2 -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=26 | grep 10.0.1.2], [0], [ignore]) -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=26 | grep 10.0.2.2], [1]) +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=25 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=25 | grep 10.0.2.2], [1]) # hv2 should see flows for lsp2 but not lsp1 -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=26 | grep 10.0.2.2], [0], [ignore]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=26 | grep 10.0.1.2], [1]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=25 | grep 10.0.2.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=25 | grep 10.0.1.2], [1]) # Change lrp_lr_ls1 to a regular lrp, hv2 should see flows for lsp1 check ovn-nbctl --wait=hv lrp-del-gateway-chassis lrp_lr_ls1 hv1 -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=26 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=25 | grep 10.0.1.2], [0], [ignore]) # Change it back, and trigger recompute to make sure extra flows are removed # from hv2 (recompute is needed because currently I-P adds local datapaths but @@ -29964,11 +29960,11 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=26 | grep 10.0.1.2], [0], [ig check ovn-nbctl --wait=hv lrp-set-gateway-chassis lrp_lr_ls1 hv1 1 as hv2 check ovn-appctl -t ovn-controller recompute ovn-nbctl --wait=hv sync -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=26 | grep 10.0.1.2], [1]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=25 | grep 10.0.1.2], [1]) # Enable dnat_and_snat on lr, and now hv2 should see flows for lsp1. AT_CHECK([ovn-nbctl --wait=hv --gateway-port=lrp_lr_ls1 lr-nat-add lr dnat_and_snat 192.168.0.1 10.0.1.3 lsp1 f0:00:00:00:00:03]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=26 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=25 | grep 10.0.1.2], [0], [ignore]) OVN_CLEANUP([hv1],[hv2]) AT_CLEANUP @@ -30743,8 +30739,7 @@ check_port_sec_offlows hv2 74 check_port_sec_offlows hv2 75 # Set port security for sw0p1 -check ovn-sbctl set port-binding sw0p1 port_security='"00:00:00:00:00:03"' -check ovn-nbctl --wait=hv sync +check ovn-nbctl --wait=hv lsp-set-port-security sw0p1 "00:00:00:00:00:03" check_port_sec_offlows() { hv=$1 @@ -30785,8 +30780,7 @@ check_port_sec_offlows hv2 74 check_port_sec_offlows hv2 75 # Add IPv4 addresses to sw0p1 -check ovn-sbctl set port-binding sw0p1 port_security='"00:00:00:00:00:03 10.0.0.3" "00:00:00:00:00:13 10.0.0.13"' -check ovn-nbctl --wait=hv sync +check ovn-nbctl --wait=hv lsp-set-port-security sw0p1 "00:00:00:00:00:03 10.0.0.3" "00:00:00:00:00:13 10.0.0.13" echo " table=73, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]] table=73, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:00:03,nw_src=10.0.0.3 actions=load:0->NXM_NX_REG10[[12]] @@ -30832,7 +30826,7 @@ check_port_sec_offlows hv2 74 check_port_sec_offlows hv2 75 # Configure IPv4 and IPv6 addresses in sw0p2 -check ovn-sbctl set port-binding sw0p2 port_security='"00:00:00:00:00:04 10.0.0.4 20.0.0.4/24 30.0.0.0/16 1000::4 2000::/64" "00:00:00:00:00:13 aef0::4"' +check ovn-nbctl --wait=hv lsp-set-port-security sw0p2 "00:00:00:00:00:04 10.0.0.4 20.0.0.4/24 30.0.0.0/16 1000::4 2000::/64" "00:00:00:00:00:13 aef0::4" # There should be no changes in hv1 and hv2 as sw0p2 is not claimed. check_port_sec_offlows hv1 73 @@ -30919,8 +30913,7 @@ echo " table=75, priority=80,reg15=0x2,metadata=0x1 actions=load:0x1->NXM_NX_REG check_port_sec_offlows hv2 75 -check ovn-sbctl clear port-binding sw0p2 port_security -check ovn-nbctl --wait=hv sync +check ovn-nbctl --wait=hv lsp-set-port-security sw0p2 "" check_port_sec_offlows hv1 73 check_port_sec_offlows hv1 74 @@ -30934,7 +30927,7 @@ check_port_sec_offlows hv2 73 check_port_sec_offlows hv2 74 check_port_sec_offlows hv2 75 -check ovn-sbctl set port-binding sw0p2 port_security='"00:00:00:00:00:04"' +check ovn-nbctl --wait=hv lsp-set-port-security sw0p2 "00:00:00:00:00:04" check_port_sec_offlows hv1 73 check_port_sec_offlows hv1 74 @@ -31029,9 +31022,11 @@ SNAT_TABLE=43 DNAT_ZONE_REG="NXM_NX_REG11[[0..15]]" SNAT_ZONE_REG="NXM_NX_REG12[[0..15]]" -dnat_zone=$(ovs-ofctl dump-flows br-int | grep table=$DNAT_TABLE | grep -o zone=.*, | cut -d '=' -f 2) +lr0_dp_key=$(printf "%x" $(fetch_column Datapath_Binding tunnel_key external_ids:name=lr0)) + +dnat_zone=$(ovs-ofctl dump-flows br-int table=$DNAT_TABLE,metadata=0x${lr0_dp_key} | grep -o zone=.*, | cut -d '=' -f 2) dnat_zone=${dnat_zone::-1} -snat_zone=$(ovs-ofctl dump-flows br-int | grep table=$SNAT_TABLE | grep priority=153 | grep -o zone=.*, | cut -d '=' -f 2) +snat_zone=$(ovs-ofctl dump-flows br-int table=$SNAT_TABLE,metadata=0x${lr0_dp_key} | grep priority=153 | grep -o zone=.*, | cut -d '=' -f 2) snat_zone=${snat_zone::-1} # For now, we expect that the common zone is the dnat zone @@ -31041,9 +31036,9 @@ check test "$snat_zone" = "$DNAT_ZONE_REG" check ovn-nbctl --wait=hv set logical_router lr0 options:snat-ct-zone=666 -dnat_zone=$(ovs-ofctl dump-flows br-int | grep table=$DNAT_TABLE | grep -o zone=.*, | cut -d '=' -f 2) +dnat_zone=$(ovs-ofctl dump-flows br-int table=$DNAT_TABLE,metadata=0x${lr0_dp_key} | grep -o zone=.*, | cut -d '=' -f 2) dnat_zone=${dnat_zone::-1} -snat_zone=$(ovs-ofctl dump-flows br-int | grep table=$SNAT_TABLE | grep priority=153 | grep -o zone=.*, | cut -d '=' -f 2) +snat_zone=$(ovs-ofctl dump-flows br-int table=$SNAT_TABLE,metadata=0x${lr0_dp_key} | grep priority=153 | grep -o zone=.*, | cut -d '=' -f 2) snat_zone=${snat_zone::-1} # Now with an snat-ct-zone set, the common zone is the snat zone

[ovs-dev,v2,3/3] northd: Add generic port security logical flows.

Checks

Commit Message

Patch