From patchwork Tue Oct 18 15:33:41 2022
X-Patchwork-Submitter: Abhiram Sangana
X-Patchwork-Id: 1691595
From: Abhiram Sangana
To: dev@openvswitch.org
Date: Tue, 18 Oct 2022 15:33:41 +0000
Message-Id: <20221018153342.164530-1-sangana.abhiram@nutanix.com>
Subject: [ovs-dev] [RFC PATCH ovn] northd, controller: Commit flows dropped by ACLs in a separate CT zone

To identify connections dropped by ACLs, users can enable logging for ACLs, but this approach does not scale. ACL logging uses the "controller" action, which causes a significant spike in the CPU usage of ovs-vswitchd (and ovn-controller to a lesser extent) even with metering enabled (observed 65% ovs-vswitchd CPU usage for logging 1000 packets per second). Another approach is to use drop sampling (patch by Adrian Moreno currently in review), but we might miss specific connections of interest with this approach.

This patch commits connections dropped by ACLs to the connection tracking table with a specific ACL label that was introduced in 0e0228be (northd: Add ACL label). The dropped connections are committed in a separate CT zone so that they can be managed independently. Each logical port is assigned a new zone for committing dropped flows. The zone is loaded into register MFF_LOG_ACL_DROP_ZONE. A new lflow action "ct_commit_drop" is introduced that commits flows to the connection tracking table in a zone identified by the MFF_LOG_ACL_DROP_ZONE register. An ACL with "drop" action and non-empty label is translated to "ct_commit_drop" instead of silently dropping the packet.
Signed-off-by: Abhiram Sangana --- controller/ovn-controller.c | 23 ++++++++++++++--- controller/physical.c | 32 +++++++++++++++++++++-- include/ovn/actions.h | 1 + include/ovn/logical-fields.h | 1 + lib/actions.c | 50 ++++++++++++++++++++++++++++++++++++ lib/ovn-util.c | 4 +-- lib/ovn-util.h | 2 +- northd/northd.c | 14 ++++++++-- northd/ovn-northd.8.xml | 14 ++++++++-- ovn-sb.xml | 17 ++++++++++++ ovs | 2 +- utilities/ovn-nbctl.c | 7 ++--- 12 files changed, 151 insertions(+), 16 deletions(-) diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c index c97744d57..1ad20fe55 100644 --- a/controller/ovn-controller.c +++ b/controller/ovn-controller.c @@ -660,8 +660,15 @@ update_ct_zones(const struct shash *binding_lports, unsigned long unreq_snat_zones[BITMAP_N_LONGS(MAX_CT_ZONES)]; struct shash_node *shash_node; + const struct binding_lport *lport; SHASH_FOR_EACH (shash_node, binding_lports) { sset_add(&all_users, shash_node->name); + + /* Zone for committing dropped connections of a vNIC. */ + lport = shash_node->data; + char *drop_zone = alloc_ct_zone_key(&lport->pb->header_.uuid, "drop"); + sset_add(&all_users, drop_zone); + free(drop_zone); } /* Local patched datapath (gateway routers) need zones assigned. */ @@ -670,8 +677,8 @@ update_ct_zones(const struct shash *binding_lports, HMAP_FOR_EACH (ld, hmap_node, local_datapaths) { /* XXX Add method to limit zone assignment to logical router * datapaths with NAT */ - char *dnat = alloc_nat_zone_key(&ld->datapath->header_.uuid, "dnat"); - char *snat = alloc_nat_zone_key(&ld->datapath->header_.uuid, "snat"); + char *dnat = alloc_ct_zone_key(&ld->datapath->header_.uuid, "dnat"); + char *snat = alloc_ct_zone_key(&ld->datapath->header_.uuid, "snat"); sset_add(&all_users, dnat); sset_add(&all_users, snat); shash_add(&all_lds, dnat, ld); 
@@ -2090,7 +2097,7 @@ ct_zones_datapath_binding_handler(struct engine_node *node, void *data) /* Check if the requested snat zone has changed for the datapath * or not. If so, then fall back to full recompute of * ct_zone engine. */ - char *snat_dp_zone_key = alloc_nat_zone_key(&dp->header_.uuid, "snat"); + char *snat_dp_zone_key = alloc_ct_zone_key(&dp->header_.uuid, "snat"); struct simap_node *simap_node = simap_find(&ct_zones_data->current, snat_dp_zone_key); free(snat_dp_zone_key); @@ -2148,6 +2155,16 @@ ct_zones_runtime_data_handler(struct engine_node *node, void *data) &ct_zones_data->pending); updated = true; } + char *drop_zone = alloc_ct_zone_key( + &t_lport->pb->header_.uuid, "drop"); + if (!simap_contains(&ct_zones_data->current, drop_zone)) { + alloc_id_to_ct_zone(drop_zone, + &ct_zones_data->current, + ct_zones_data->bitmap, &scan_start, + &ct_zones_data->pending); + updated = true; + } + free(drop_zone); } else if (t_lport->tracked_type == TRACKED_RESOURCE_REMOVED) { struct simap_node *ct_zone = simap_find(&ct_zones_data->current, diff --git a/controller/physical.c b/controller/physical.c index f3c8bddce..fc46669c1 100644 --- a/controller/physical.c +++ b/controller/physical.c @@ -60,6 +60,7 @@ struct zone_ids { int ct; /* MFF_LOG_CT_ZONE. */ int dnat; /* MFF_LOG_DNAT_ZONE. */ int snat; /* MFF_LOG_SNAT_ZONE. */ + int drop; /* MFF_LOG_ACL_DROP_ZONE. */ }; struct tunnel { 
@@ -204,14 +205,18 @@ get_zone_ids(const struct sbrec_port_binding *binding, const struct uuid *key = &binding->datapath->header_.uuid; - char *dnat = alloc_nat_zone_key(key, "dnat"); + char *dnat = alloc_ct_zone_key(key, "dnat"); zone_ids.dnat = simap_get(ct_zones, dnat); free(dnat); - char *snat = alloc_nat_zone_key(key, "snat"); + char *snat = alloc_ct_zone_key(key, "snat"); zone_ids.snat = simap_get(ct_zones, snat); free(snat); + char *drop_zone = alloc_ct_zone_key(&binding->header_.uuid, "drop"); + zone_ids.drop = simap_get(ct_zones, drop_zone); + free(drop_zone); + return zone_ids; } @@ -822,6 +827,9 @@ put_zones_ofpacts(const struct zone_ids *zone_ids, struct ofpbuf *ofpacts_p) if (zone_ids->snat) { put_load(zone_ids->snat, MFF_LOG_SNAT_ZONE, 0, 32, ofpacts_p); } + if (zone_ids->drop) { + put_load(zone_ids->drop, MFF_LOG_ACL_DROP_ZONE, 0, 32, ofpacts_p); + } } } @@ -858,6 +866,26 @@ put_local_common_flows(uint32_t dp_key, pb->header_.uuid.parts[0], &match, ofpacts_p, &pb->header_.uuid); + if (zone_ids->drop) { + /* Table 39, Priority 1. + * ======================= + * + * Clear the logical registers (for consistent behavior with packets + * that get tunneled) except MFF_LOG_ACL_DROP_ZONE. */ + match_init_catchall(&match); + ofpbuf_clear(ofpacts_p); + match_set_metadata(&match, htonll(dp_key)); + for (int i = 0; i < MFF_N_LOG_REGS; i++) { + if ((MFF_REG0 + i) != MFF_LOG_ACL_DROP_ZONE) { + put_load(0, MFF_REG0 + i, 0, 32, ofpacts_p); + } + } + put_resubmit(OFTABLE_LOG_EGRESS_PIPELINE, ofpacts_p); + ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 1, + pb->datapath->header_.uuid.parts[0], &match, + ofpacts_p, &pb->datapath->header_.uuid); + } + /* Table 39, Priority 100. * ======================= * diff --git a/include/ovn/actions.h b/include/ovn/actions.h index d7ee84dac..6424250a6 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h 
@@ -121,6 +121,7 @@ struct ovn_extend_table; OVNACT(COMMIT_ECMP_NH, ovnact_commit_ecmp_nh) \ OVNACT(CHK_ECMP_NH_MAC, ovnact_result) \ OVNACT(CHK_ECMP_NH, ovnact_result) \ + OVNACT(CT_COMMIT_DROP, ovnact_nest) \ /* enum ovnact_type, with a member OVNACT_ for each action. */ enum OVS_PACKED_ENUM ovnact_type { diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index 3db7265e4..889f5f9e3 100644 --- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -47,6 +47,7 @@ enum ovn_controller_event { #define MFF_LOG_REG0 MFF_REG0 #define MFF_LOG_LB_ORIG_DIP_IPV4 MFF_REG1 #define MFF_LOG_LB_ORIG_TP_DPORT MFF_REG2 +#define MFF_LOG_ACL_DROP_ZONE MFF_REG8 #define MFF_LOG_XXREG0 MFF_XXREG0 #define MFF_LOG_LB_ORIG_DIP_IPV6 MFF_XXREG1 diff --git a/lib/actions.c b/lib/actions.c index adbb42db4..dfff3e793 100644 --- a/lib/actions.c +++ b/lib/actions.c 
@@ -4600,6 +4600,54 @@ encode_CHK_ECMP_NH(const struct ovnact_result *res, MLF_LOOKUP_COMMIT_ECMP_NH_BIT, ofpacts); } +static void +parse_ct_commit_drop(struct action_context *ctx) +{ + parse_nested_action(ctx, OVNACT_CT_COMMIT_DROP, "ip", WR_CT_COMMIT); +} + +static void +format_CT_COMMIT_DROP(const struct ovnact_nest *on, struct ds *s) +{ + format_nested_action(on, "ct_commit_drop", s); +} + +static void +encode_CT_COMMIT_DROP(const struct ovnact_nest *on, + const struct ovnact_encode_params *ep OVS_UNUSED, + struct ofpbuf *ofpacts) +{ + struct ofpact_conntrack *ct = ofpact_put_CT(ofpacts); + ct->flags = NX_CT_F_COMMIT; + ct->recirc_table = NX_CT_RECIRC_NONE; + ct->zone_src.field = mf_from_id(MFF_LOG_ACL_DROP_ZONE); + ct->zone_src.ofs = 0; + ct->zone_src.n_bits = 16; + + /* If the datapath supports all-zero SNAT then use it to avoid tuple + * collisions at commit time between NATed and firewalled-only sessions. + */ + if (ovs_feature_is_supported(OVS_CT_ZERO_SNAT_SUPPORT)) { + size_t nat_offset = ofpacts->size; + ofpbuf_pull(ofpacts, nat_offset); + + struct ofpact_nat *nat = ofpact_put_NAT(ofpacts); + nat->flags = 0; + nat->range_af = AF_UNSPEC; + nat->flags |= NX_NAT_F_SRC; + ofpacts->header = ofpbuf_push_uninit(ofpacts, nat_offset); + ct = ofpacts->header; + } + + size_t set_field_offset = ofpacts->size; + ofpbuf_pull(ofpacts, set_field_offset); + + ovnacts_encode(on->nested, on->nested_len, ep, ofpacts); + ofpacts->header = ofpbuf_push_uninit(ofpacts, set_field_offset); + ct = ofpacts->header; + ofpact_finish(ofpacts, &ct->ofpact); +} + /* Parses an assignment or exchange or put_dhcp_opts action. */ static void parse_set_action(struct action_context *ctx) 
@@ -4790,6 +4838,8 @@ parse_action(struct action_context *ctx) parse_put_fdb(ctx, ovnact_put_PUT_FDB(ctx->ovnacts)); } else if (lexer_match_id(ctx->lexer, "commit_ecmp_nh")) { parse_commit_ecmp_nh(ctx, ovnact_put_COMMIT_ECMP_NH(ctx->ovnacts)); + } else if (lexer_match_id(ctx->lexer, "ct_commit_drop")) { + parse_ct_commit_drop(ctx); } else { lexer_syntax_error(ctx->lexer, "expecting action"); } diff --git a/lib/ovn-util.c b/lib/ovn-util.c index 616999eab..a72533a9e 100644 --- a/lib/ovn-util.c +++ b/lib/ovn-util.c @@ -443,12 +443,12 @@ split_addresses(const char *addresses, struct svec *ipv4_addrs, destroy_lport_addresses(&laddrs); } -/* Allocates a key for NAT conntrack zone allocation for a provided +/* Allocates a key for conntrack zone allocation for a provided * 'key' record and a 'type'. * * It is the caller's responsibility to free the allocated memory. */ char * -alloc_nat_zone_key(const struct uuid *key, const char *type) +alloc_ct_zone_key(const struct uuid *key, const char *type) { return xasprintf(UUID_FMT"_%s", UUID_ARGS(key), type); } diff --git a/lib/ovn-util.h b/lib/ovn-util.h index b3905ef7b..e0855f19e 100644 --- a/lib/ovn-util.h +++ b/lib/ovn-util.h @@ -92,7 +92,7 @@ const char *find_lport_address(const struct lport_addresses *laddrs, void split_addresses(const char *addresses, struct svec *ipv4_addrs, struct svec *ipv6_addrs); -char *alloc_nat_zone_key(const struct uuid *key, const char *type); +char *alloc_ct_zone_key(const struct uuid *key, const char *type); const char *default_nb_db(void); const char *default_sb_db(void); diff --git a/northd/northd.c b/northd/northd.c index 7e2681865..2aff3458c 100644 --- a/northd/northd.c +++ b/northd/northd.c 
@@ -287,7 +287,7 @@ enum ovn_stage { * +----+----------------------------------------------+ G | | * | R7 | UNUSED | 1 | | * +----+----------------------------------------------+---+------------------+ - * | R8 | UNUSED | + * | R8 | DROP_CT_ZONE (<= IN(/OUT)_ACL | * +----+----------------------------------------------+ * | R9 | UNUSED | * +----+----------------------------------------------+ @@ -6343,6 +6343,11 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, } else { ds_put_format(match, " && (%s)", acl->match); build_acl_log(actions, acl, meter_groups); + if (acl->label) { + ds_put_format(actions, "ct_commit_drop { " + "ct_label.label = %"PRId64"; }; ", + acl->label); + } ds_put_cstr(actions, "/* drop */"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, @@ -6363,8 +6368,13 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, ds_clear(match); ds_clear(actions); ds_put_cstr(match, REGBIT_ACL_HINT_BLOCK " == 1"); - ds_put_format(actions, "ct_commit { %s = 1; }; ", + ds_put_format(actions, "ct_commit { %s = 1; ", ct_blocked_match); + if (acl->label) { + ds_put_format(actions, "ct_label.label = %"PRId64"; ", + acl->label); + } + ds_put_cstr(actions, "}; "); if (!strcmp(acl->action, "reject")) { build_reject_acl_rules(od, lflows, stage, acl, match, actions, &acl->header_, meter_groups); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index b8f871394..af653be4d 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -699,7 +699,12 @@ connections and ct_commit(ct_label=1/1); for known connections. Setting ct_label marks a connection as one that was previously allowed, but should no longer be - allowed due to a policy change. + allowed due to a policy change. If the ACL has a label, + then it translates to + ct_commit_drop(ct_label.label=label) for new and + untracked connections and + ct_commit(ct_label.blocked=1; ct_label.label=label); + for known connections. 
@@ -969,7 +974,12 @@ or untracked connections and ct_commit(ct_label=1/1); for known connections. Setting ct_label marks a connection as one that was previously allowed, but should no longer be - allowed due to a policy change. + allowed due to a policy change. If the ACL has a label, + then it translates to + ct_commit_drop(ct_label.label=label) for new and + untracked connections and + ct_commit(ct_label.blocked=1; ct_label.label=label); + for known connections. diff --git a/ovn-sb.xml b/ovn-sb.xml index 37a709f83..4e294a212 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -1377,6 +1377,23 @@

+
ct_commit_drop { };
+
ct_commit_drop { ct_mark=value[/mask]; };
+
ct_commit_drop { ct_label=value[/mask]; };
+
ct_commit_drop { ct_mark=value[/mask]; ct_label=value[/mask]; };
+
+

+ This action is identical to ct_commit except that the + connection tracking entry is committed in a different zone. +

+ +

+ This action was added to store connections dropped by ACLs in a + separate zone that is managed independently of the + ct_commit zone, for debugging. +

+
+
ct_dnat;
ct_dnat(IP);
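Review bot: In the ovn-sb.xml hunk, "committed in a different zone" leaves the reader of the southbound action reference without the one fact they need: which zone. Say explicitly that the entry is committed in the per-logical-port drop zone that ovn-controller loads into the MFF_LOG_ACL_DROP_ZONE register, and fold the second paragraph ("was added to store connections dropped by ACLs ... for debugging") into the same description rather than leaving the motivation as a separate trailing paragraph; the other actions in this section describe purpose and semantics together.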
diff --git a/ovs b/ovs index 6f24c2bc7..d94cd0d3e 160000 --- a/ovs +++ b/ovs @@ -1 +1 @@ -Subproject commit 6f24c2bc769afde0a390ce344de1a7d9c592e5a6 +Subproject commit d94cd0d3eec33e4290d7ca81918f5ac61444886e diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 3bbdbd998..07509f488 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2225,10 +2225,11 @@ nbctl_acl_add(struct ctl_context *ctx) /* Set the ACL label */ const char *label = shash_find_data(&ctx->options, "--label"); if (label) { - /* Ensure that the action is either allow or allow-related */ - if (strcmp(action, "allow") && strcmp(action, "allow-related")) { + /* Ensure that the action is either allow or allow-related or drop */ + if (strcmp(action, "allow") && strcmp(action, "allow-related") && + strcmp(action, "drop")) { ctl_error(ctx, "label can only be set with actions \"allow\" or " - "\"allow-related\""); + "\"allow-related\" or \"drop\""); return; }
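Review bot: The update_ct_zones() hunk in controller/ovn-controller.c adds a "drop" zone to all_users for every binding_lport unconditionally, so every logical port now consumes two entries of the MAX_CT_ZONES budget whether or not any labelled drop ACL applies to its datapath. That halves the number of ports a single chassis can host before zone allocation fails. Either allocate the drop zone only for ports whose datapath actually has a labelled "drop" ACL (the controller already sees the ACL hint bits it needs in the lflows), or state the reduced limit in the commit message and ovn-controller documentation so operators can plan for it.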
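Review bot: In the ct_zones_runtime_data_handler() hunk, the TRACKED_RESOURCE_NEW path allocates a drop zone with alloc_id_to_ct_zone() when the key is not in ct_zones_data->current, but the TRACKED_RESOURCE_REMOVED branch that follows only looks up the port's own zone key via simap_find(&ct_zones_data->current, ...). Unless the release happens in lines outside this hunk, the drop zone of a removed port stays allocated in current and bitmap until the next full recompute, which leaks zones on every port churn. Mirror the allocation: build the same "<uuid>_drop" key in the removed branch and release it alongside the port's primary zone.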
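Review bot: The new "Table 39, Priority 1" flow in put_local_common_flows() (controller/physical.c) matches only on metadata=dp_key, yet the function runs once per local port binding, so a datapath with N local ports installs the same match/priority flow N times with different uuid hints. Install it once per datapath, next to the existing register-clearing default flow for that datapath, or add the egress port to the match if a per-port flow is intended. Related: the flow is only added when zone_ids->drop is non-zero; a port whose drop zone has not been assigned yet falls through to the default flow, which clears MFF_REG8 too, and encode_CT_COMMIT_DROP() then commits with zone_src read from a zeroed register, i.e. zone 0. Worth either guarding the commit or documenting that the window exists.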
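Review bot: encode_CT_COMMIT_DROP() in lib/actions.c duplicates the existing ct_commit encoder almost line for line (NX_CT_F_COMMIT, NX_CT_RECIRC_NONE, the OVS_CT_ZERO_SNAT_SUPPORT all-zero SNAT block, the ofpbuf_pull/push dance around ovnacts_encode()); only the zone_src field differs. Factor a shared helper that takes the zone field id (MFF_LOG_CT_ZONE vs MFF_LOG_ACL_DROP_ZONE) so the two cannot drift apart when the SNAT handling changes. Two smaller things in the same hunk: the "ep OVS_UNUSED" annotation is wrong, since ep is passed to ovnacts_encode(); and the diffstat shows no tests/ change, so the parse/format/encode round trip of "ct_commit_drop { ... }" has no coverage in tests/ovn.at alongside the other nested actions.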
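Review bot: The register layout comment in northd/northd.c now has a row "| R8 | DROP_CT_ZONE (<= IN(/OUT)_ACL |" that breaks the table's column alignment, leaves an unbalanced parenthesis, and uses a name that does not match the define MFF_LOG_ACL_DROP_ZONE introduced in include/ovn/logical-fields.h. Keep the row the same width as its neighbours and name the register the way the code does, e.g. "ACL_DROP_ZONE (set by ovn-controller)", since this table is what the next person reads before reusing R8.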
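Review bot: The ovs submodule bump (6f24c2bc7 to d94cd0d3e) is not mentioned anywhere in the commit message, so it is unclear whether the feature depends on an OVS change or the bump merely came along for the ride. Either drop it from this patch or state in the commit message which OVS change (the OVS_CT_ZERO_SNAT_SUPPORT check is the only obvious candidate in the diff) it is needed for; unexplained submodule moves are hard to bisect later.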
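Review bot: The utilities/ovn-nbctl.c hunk widens the --label check to accept "drop", but the diffstat lists no change to the ovn-nbctl manpage, so the documented restriction of --label to "allow" and "allow-related" is now out of date. Update the acl-add documentation in the same patch, and consider a short nbctl test for "acl-add ... drop --label=N" since this is the user-facing entry point for the new behaviour.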