From patchwork Fri Feb 9 12:00:45 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roberto Bartzen Acosta
X-Patchwork-Id: 1897023
To: dev@openvswitch.org
Date: Fri, 9 Feb 2024 09:00:45 -0300
Message-Id: <20240209120045.404007-1-roberto.acosta@luizalabs.com>
X-Mailer: git-send-email 2.25.1
Subject: [ovs-dev] 
[PATCH ovn v5] ovn-ic: Fix global blacklist filter for IPv6 addresses. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Roberto Bartzen Acosta via dev From: Roberto Bartzen Acosta Reply-To: Roberto Bartzen Acosta Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This commit fixes the prefix filter function as the return condition for IPv6 addresses is disabling the advertisement of all learned prefixes regardless of the match with the blacklist or not. Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/2046804 Fixes: 57b347c55168 ("ovn-ic: Route advertisement.") Signed-off-by: Roberto Bartzen Acosta --- ic/ovn-ic.c | 15 +++++--- tests/ovn-ic.at | 99 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 108 insertions(+), 6 deletions(-) diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c index 6f8f5734d..bc9aea057 100644 --- a/ic/ovn-ic.c +++ b/ic/ovn-ic.c @@ -1064,12 +1064,15 @@ prefix_is_black_listed(const struct smap *nb_options, continue; } } else { - struct in6_addr mask = ipv6_create_mask(bl_plen); - for (int i = 0; i < 16 && mask.s6_addr[i] != 0; i++) { - if ((prefix->s6_addr[i] & mask.s6_addr[i]) - != (bl_prefix.s6_addr[i] & mask.s6_addr[i])) { - continue; - } + struct in6_addr mask = ipv6_create_mask(plen); + /* First calculate the difference between bl_prefix and prefix, so + * use the bl mask to ensure prefixes are correctly validated. + * e.g.: 2005:1734:5678::/50 is a subnet of 2005:1234::/21 */ + struct in6_addr m_prefixes = ipv6_addr_bitand(prefix, &bl_prefix); + struct in6_addr m_prefix = ipv6_addr_bitand(&m_prefixes, &mask); + struct in6_addr m_bl_prefix = ipv6_addr_bitand(&bl_prefix, &mask); + if (!ipv6_addr_equals(&m_prefix, &m_bl_prefix)) { + continue; } } matched = true; diff --git a/tests/ovn-ic.at b/tests/ovn-ic.at index d4c436f84..6eb81e158 100644 --- a/tests/ovn-ic.at 
+++ b/tests/ovn-ic.at 
@@ -1274,3 +1274,102 @@ OVN_CLEANUP_IC([az1], [az2]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn-ic -- route sync -- IPv6 blacklist filter]) +AT_KEYWORDS([IPv6-route-sync-blacklist]) + +ovn_init_ic_db +check ovn-ic-nbctl ts-add ts1 + +for i in 1 2; do + ovn_start az$i + ovn_as az$i + + # Enable route learning at AZ level + check ovn-nbctl set nb_global . options:ic-route-learn=true + # Enable route advertising at AZ level + check ovn-nbctl set nb_global . options:ic-route-adv=true + # Enable blacklist single filter for IPv6 + check ovn-nbctl set nb_global . options:ic-route-blacklist=" \ + 2003:db8:1::/64,2004:aaaa::/32,2005:1234::/21" + + OVS_WAIT_UNTIL([ovn-nbctl show | grep ts1]) + + # Create LRP and connect to TS + check ovn-nbctl lr-add lr$i + check ovn-nbctl lrp-add lr$i lrp-lr$i-ts1 aa:aa:aa:aa:aa:0$i \ + 2001:db8:1::$i/64 + check ovn-nbctl lsp-add ts1 lsp-ts1-lr$i \ + -- lsp-set-addresses lsp-ts1-lr$i router \ + -- lsp-set-type lsp-ts1-lr$i router \ + -- lsp-set-options lsp-ts1-lr$i router-port=lrp-lr$i-ts1 + + check ovn-nbctl lrp-add lr$i lrp-lr$i-p$i 00:00:00:00:00:0$i \ + 2002:db8:1::$i/64 + + # Create blacklisted LRPs and connect to TS + check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext$i \ + 11:11:11:11:11:1$i 2003:db8:1::$i/64 + + check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i \ + 22:22:22:22:22:2$i 2004:aaaa:bbb::$i/48 + + # filtered by 2005:1234::/21 - (2005:1000: - 2005:17ff:) + check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext3$i \ + 33:33:33:33:33:3$i 2005:1734:5678::$i/50 + + # additional not filtered prefix -> different subnet bits + check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext4$i \ + 44:44:44:44:44:4$i 2005:1834:5678::$i/50 +done + +for i in 1 2; do + OVS_WAIT_UNTIL([ovn_as az$i ovn-nbctl lr-route-list lr$i | grep learned]) +done + +AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +2005:1834:5678::/50 2001:db8:1::2 +]) + +for i in 1 2; do + ovn_as az$i + + # Drop 
blacklist + check ovn-nbctl remove nb_global . options ic-route-blacklist +done + +OVS_WAIT_FOR_OUTPUT([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' | sort ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +2003:db8:1::/64 2001:db8:1::2 +2004:aaaa:bbb::/48 2001:db8:1::2 +2005:1734:5678::/50 2001:db8:1::2 +2005:1834:5678::/50 2001:db8:1::2 +]) + +for i in 1 2; do + ovn_as az$i + + check ovn-nbctl set nb_global . \ + options:ic-route-blacklist="2003:db8:1::/64,2004:db8:1::/64" + + # Create an 'extra' blacklisted LRP and connect to TS + check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext5$i \ + 55:55:55:55:55:5$i 2004:db8:1::$i/64 +done + +OVS_WAIT_FOR_OUTPUT([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' | sort ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +2004:aaaa:bbb::/48 2001:db8:1::2 +2005:1734:5678::/50 2001:db8:1::2 +2005:1834:5678::/50 2001:db8:1::2 +]) + +OVN_CLEANUP_IC([az1], [az2]) + +AT_CLEANUP +])
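Review bot: in the IPv6 branch of prefix_is_black_listed() in ic/ovn-ic.c, the mask is now built from plen (`ipv6_create_mask(plen)`) and bl_plen is no longer used at all, although the new comment says to "use the bl mask". The resulting comparison of (prefix & bl_prefix) & mask against bl_prefix & mask is true whenever every bit set in bl_prefix within the first plen bits is also set in prefix, which is a bit-superset test rather than a subnet test. Assuming bl_prefix keeps the bits as written in the option, 2005:1000::/50 lies inside the 2005:1000 to 2005:17ff range that the test comment gives for 2005:1234::/21 but would not compare equal and so would still be advertised, while a prefix with more bits set (ffff:ffff::/32, say) would compare equal against any entry. Suggest masking both prefix and bl_prefix with ipv6_create_mask(bl_plen) and comparing those with ipv6_addr_equals(), deciding explicitly what happens when plen < bl_plen, and rewording the comment to describe the containment check that is actually performed.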
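Review bot: in tests/ovn-ic.at, the first AT_CHECK after the `grep learned` wait compares the complete learned-route list in a fixed order, but the preceding OVS_WAIT_UNTIL only waits until some learned route is present, and this check, unlike the two OVS_WAIT_FOR_OUTPUT checks further down, has no `| sort`. It can fail when only part of the routes have been learned or when they are listed in a different order; suggest turning it into OVS_WAIT_FOR_OUTPUT with `| sort` like the others. For the 2005:1234::/21 entry the test has one address inside the range (2005:1734:5678::/50) and one outside (2005:1834:5678::/50); adding an in-range address whose second group has fewer bits set than 0x1234, such as 2005:1000::/50, and a prefix shorter than the blacklist entry would pin down the intended subnet semantics.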