From patchwork Wed Dec 1 12:56:06 2021
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1562161
From: Vladislav Odintsov
To: dev@openvswitch.org
Cc: Vladislav Odintsov
Date: Wed, 1 Dec 2021 15:56:06 +0300
Message-Id: <20211201125608.36918-2-odivlad@gmail.com>
In-Reply-To: <20211201125608.36918-1-odivlad@gmail.com>
References: <20211201125608.36918-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn 1/3] Revert "northd: support HW VTEP with stateful datapath"

This reverts commit 62ca8b9620cc1168ace6905575b7d36438363aed.

Signed-off-by: Vladislav Odintsov
---
 northd/northd.c         | 14 --------------
 northd/ovn-northd.8.xml | 28 ----------------------------
 northd/ovn_northd.dl    | 33 ++-------------------------------
 tests/ovn-northd.at     |  2 --
 4 files changed, 2 insertions(+), 75 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c index e784ae192..4c1a2a382 100644 --- a/northd/northd.c +++ b/northd/northd.c
@@ -197,7 +197,6 @@ enum ovn_stage { #define REGBIT_LKUP_FDB "reg0[11]" #define REGBIT_HAIRPIN_REPLY "reg0[12]" #define REGBIT_ACL_LABEL "reg0[13]" -#define REGBIT_FROM_RAMP "reg0[14]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -5477,15 +5476,10 @@ build_lswitch_input_port_sec_op( build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, match); - if (!strcmp(op->nbsp->type, "vtep")) { - ds_put_format(actions, REGBIT_FROM_RAMP" = 1; "); - } - const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); if (queue_id) { ds_put_format(actions, "set_queue(%s); ", queue_id); } - ds_put_cstr(actions, "next;"); ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, ds_cstr(match), ds_cstr(actions), @@ -5734,10 +5728,6 @@ build_pre_acls(struct ovn_datapath *od, const struct hmap *port_groups, "nd || nd_rs || nd_ra || mldv1 || mldv2 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); - /* Do not send coming from RAMP switch packets to conntrack. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, - REGBIT_FROM_RAMP" == 1", "next;"); - /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", @@ -5828,10 +5818,6 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows) ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, "eth.src == $svc_monitor_mac", "next;"); - /* Do not send coming from RAMP switch packets to conntrack. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, - REGBIT_FROM_RAMP" == 1", "next;"); - /* Allow all packets to go to next tables by default. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;"); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 5d06ac6a7..00fb925f8 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml 
@@ -262,16 +262,6 @@ logical ports on which port security is not enabled, these advance all packets that match the inport. -
  • - For logical ports of type vtep, the above logical flow - will also apply the action REGBIT_FROM_RAMP = 1; to - indicate that the packet is coming from a RAMP (controller-vtep) - device. Later pipelines will use this information to skip - sending the packet to the conntrack. Packets from vtep - logical ports should go though ingress pipeline only to determine - the output port and they should not be subjected to any ACL checks. - Egress pipeline will do the ACL checks. -
  • @@ -463,15 +453,6 @@ processing.

    -

    - This table has a priority-110 flow with the match - REGBIT_FROM_RAMP == 1 for all logical switch datapaths to - resubmit traffic to the next table. REGBIT_FROM_RAMP - indicates that packet was received from vtep logical ports - and it can be skipped from the stateful ACL processing in the ingress - pipeline. -

    -

    This table also has a priority-110 flow with the match eth.dst == E for all logical switch @@ -531,15 +512,6 @@ configured. We can now add a lflow to drop ct.inv packets.

    -

    - This table has a priority-110 flow with the match - REGBIT_FROM_RAMP == 1 for all logical switch datapaths to - resubmit traffic to the next table. REGBIT_FROM_RAMP - indicates that packet was received from vtep logical ports - and it can be skipped from the load balancer processing in the ingress - pipeline. -

    -

    This table also has a priority-110 flow with the match eth.dst == E for all logical switch diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index 817b11bdc..ffa2e06db 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl @@ -1738,7 +1738,6 @@ function rEGBIT_ACL_HINT_BLOCK() : istring = i"reg0[10]" function rEGBIT_LKUP_FDB() : istring = i"reg0[11]" function rEGBIT_HAIRPIN_REPLY() : istring = i"reg0[12]" function rEGBIT_ACL_LABEL() : istring = i"reg0[13]" -function rEGBIT_FROM_RAMP() : istring = i"reg0[14]" function rEG_ORIG_DIP_IPV4() : istring = i"reg1" function rEG_ORIG_DIP_IPV6() : istring = i"xxreg1" @@ -2178,16 +2177,6 @@ for (&Switch(._uuid = ls_uuid, .has_stateful_acl = true)) { .io_port = None, .controller_meter = None); - /* Do not send coming from RAMP switch packets to conntrack. */ - Flow(.logical_datapath = ls_uuid, - .stage = s_SWITCH_IN_PRE_ACL(), - .priority = 110, - .__match = i"${rEGBIT_FROM_RAMP()} == 1", - .actions = i"next;", - .stage_hint = 0, - .io_port = None, - .controller_meter = None); - /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", @@ -2254,16 +2243,6 @@ for (&Switch(._uuid = ls_uuid)) { .io_port = None, .controller_meter = None); - /* Do not send coming from RAMP switch packets to conntrack. */ - Flow(.logical_datapath = ls_uuid, - .stage = s_SWITCH_IN_PRE_LB(), - .priority = 110, - .__match = i"${rEGBIT_FROM_RAMP()} == 1", - .actions = i"next;", - .stage_hint = 0, - .io_port = None, - .controller_meter = None); - /* Allow all packets to go to next tables by default. */ Flow(.logical_datapath = ls_uuid, .stage = s_SWITCH_IN_PRE_LB(), 
@@ -3489,18 +3468,10 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses } else { i"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}" } in - var actions = { - var ramp = if (lsp.__type == i"vtep") { - i"${rEGBIT_FROM_RAMP()} = 1; " - } else { - i"" - }; - var queue = match (pbinding.options.get(i"qdisc_queue_id")) { + var actions = match (pbinding.options.get(i"qdisc_queue_id")) { None -> i"next;", Some{id} -> i"set_queue(${id}); next;" - }; - i"${ramp}${queue}" - } in + } in Flow(.logical_datapath = sw._uuid, .stage = s_SWITCH_IN_PORT_SEC_L2(), .priority = 50, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index f03d14082..c4424ab14 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -3834,7 +3834,6 @@ check_stateful_flows() { table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl 
@@ -3901,7 +3900,6 @@ AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
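Review bot: in the northd.c hunk at build_lswitch_input_port_sec_op, once the vtep branch is removed a port of type vtep gets the same plain next; as every other port, and the priority-110 REGBIT_FROM_RAMP flows in build_pre_acls and build_pre_lb are removed as well, so a tree checked out at 1/3 sends RAMP traffic through conntrack again until 2/3 is applied. The commit message gives no reason for the revert; either squash this into 2/3, or say in the message that the series is not bisectable at this point and why the register-bit approach is being dropped.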
From: Vladislav Odintsov
To: dev@openvswitch.org
Cc: Vladislav Odintsov
Date: Wed, 1 Dec 2021 15:56:07 +0300
Message-Id: <20211201125608.36918-3-odivlad@gmail.com>
In-Reply-To: <20211201125608.36918-1-odivlad@gmail.com>
References: <20211201125608.36918-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn 2/3] northd: send ingress packets from HW VTEP directly to L2_LKUP table

Recently, patch [1] fixed the ingress pipeline for packets coming from a HW VTEP switch within a stateful datapath. This patch assumes that [1] is reverted and applies the more efficient "next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP);" action to skip unneeded stages for such packets.

1: https://github.com/ovn-org/ovn/commit/62ca8b9620cc1168ace6905575b7d36438363aed

Signed-off-by: Vladislav Odintsov
---
 northd/northd.c         |  9 ++++++++-
 northd/ovn-northd.8.xml |  9 +++++++++
 northd/ovn_northd.dl    | 16 +++++++++++++---
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c index 4c1a2a382..2efc4bb1f 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -5480,7 +5480,14 @@ build_lswitch_input_port_sec_op( if (queue_id) { ds_put_format(actions, "set_queue(%s); ", queue_id); } - ds_put_cstr(actions, "next;"); + + if (!strcmp(op->nbsp->type, "vtep")) { + ds_put_format(actions, "next(pipeline=ingress, table=%d);", + S_SWITCH_IN_L2_LKUP); + } else { + ds_put_cstr(actions, "next;"); + } + ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, ds_cstr(match), ds_cstr(actions), op->key, &op->nbsp->header_); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 00fb925f8..bd3c3aa26 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml
@@ -262,6 +262,15 @@ logical ports on which port security is not enabled, these advance all packets that match the inport. +

  • + For logical ports of type vtep, the above logical flow + will apply the action + next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP) = 1; + to skip most stages of ingress pipeline and go directly to ingress L2 + lookup table to determine the output port. Packets from VTEP (RAMP) + switch should not be subjected to any ACL checks. Egress pipeline will + do the ACL checks. +
  • diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index ffa2e06db..530bb1e9d 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl 
@@ -3468,9 +3468,19 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses } else { i"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}" } in - var actions = match (pbinding.options.get(i"qdisc_queue_id")) { - None -> i"next;", - Some{id} -> i"set_queue(${id}); next;" + + var actions = { + var queue = match (pbinding.options.get(i"qdisc_queue_id")) { + None -> i"next;", + Some{id} -> i"set_queue(${id}); " + }; + var ramp = if (lsp.__type == i"vtep") { + i"next(pipeline=ingress, table=${s_SWITCH_IN_L2_LKUP()});" + } else { + i"next;" + } in + }; + i"${queue}${ramp}" } in Flow(.logical_datapath = sw._uuid, .stage = s_SWITCH_IN_PORT_SEC_L2(),
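Review bot: in the build_lswitch_input_port_sec_op hunk of northd.c, table=%d is fed the enum ovn_stage constant S_SWITCH_IN_L2_LKUP directly, which is only correct while the enum value happens to equal the table index. Pass the table number explicitly, for example through northd.c's ovn_stage_get_table(S_SWITCH_IN_L2_LKUP), so the emitted action does not depend on how the stage enum is encoded. The diffstat for this patch also lists no file under tests/, so nothing checks that a vtep port's port-security L2 flow carries the new action.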
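Review bot: in the ovn-northd.8.xml hunk, the documented action reads next(pipeline=ingress, table=S_SWITCH_IN_L2_LKUP) = 1; and the trailing "= 1" is a leftover from the REGBIT_FROM_RAMP = 1; wording that 1/3 removed; it is not what northd.c emits. The text also says the jump skips "most stages" and then mentions only ACL checks, while the action bypasses every ingress table between port security L2 and L2 lookup. List what a vtep port no longer gets on ingress (the pre-ACL, ACL and pre-LB stages among them) so operators can see which controls now rely on the egress pipeline alone.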
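Review bot: in the ovn_northd.dl hunk, the None arm of queue still yields i"next;" and ramp then appends a second action, so a port without qdisc_queue_id gets next;next; (or next;next(pipeline=ingress, ...); for vtep) instead of the single action northd.c builds. The None arm should be i"". The block structure is also off: the ramp if/else is closed with "} in" followed by "};", which leaves i"${queue}${ramp}" outside the var actions = { ... } block. End the ramp binding with ";" and keep the result expression inside the braces, as the version removed in 1/3 did with i"${ramp}${queue}".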
From: Vladislav Odintsov
To: dev@openvswitch.org
Cc: Vladislav Odintsov
Date: Wed, 1 Dec 2021 15:56:08 +0300
Message-Id: <20211201125608.36918-4-odivlad@gmail.com>
In-Reply-To: <20211201125608.36918-1-odivlad@gmail.com>
References: <20211201125608.36918-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn 3/3] northd: support mix of stateless ACL with lower priority than stateful

It was unsupported to have a mix of stateless ACLs with lower than stateful priority at the same time as stateful (related) ACLs. This patch changes stateless ACLs' behaviour, but this change should not be harmful for users. Likely nobody mixed rules in the described manner, so this change should be okay.

Signed-off-by: Vladislav Odintsov
---
 northd/northd.c         | 92 +++++++++++++++++++++++++----------------
 northd/ovn-northd.8.xml |  4 +-
 tests/ovn-northd.at     | 48 ++++++++++++---------
 3 files changed, 87 insertions(+), 57 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c index 2efc4bb1f..1831e6e79 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -592,6 +592,7 @@ struct ovn_datapath { uint32_t port_key_hint; bool has_stateful_acl; + bool has_stateless_acl; bool has_lb_vip; bool has_unknown; bool has_acls;
@@ -5416,15 +5417,26 @@ ls_get_acl_flags(struct ovn_datapath *od) { od->has_acls = false; od->has_stateful_acl = false; + od->has_stateless_acl = false; if (od->nbs->n_acls) { od->has_acls = true; for (size_t i = 0; i < od->nbs->n_acls; i++) { struct nbrec_acl *acl = od->nbs->acls[i]; - if (!strcmp(acl->action, "allow-related")) { + if (!od->has_stateful_acl && + !strcmp(acl->action, "allow-related")) { od->has_stateful_acl = true; - return; + if (od->has_stateless_acl) { + return; + } + } + if (!od->has_stateless_acl && + !strcmp(acl->action, "allow-stateless")) { + od->has_stateless_acl = true; + if (od->has_stateful_acl) { + return; + } } } } @@ -5436,9 +5448,19 @@ ls_get_acl_flags(struct ovn_datapath *od) for (size_t i = 0; i < ls_pg->nb_pg->n_acls; i++) { struct nbrec_acl *acl = ls_pg->nb_pg->acls[i]; - if (!strcmp(acl->action, "allow-related")) { + if (!od->has_stateful_acl && + !strcmp(acl->action, "allow-related")) { od->has_stateful_acl = true; - return; + if (od->has_stateless_acl) { + return; + } + } + if (!od->has_stateless_acl && + !strcmp(acl->action, "allow-stateless")) { + od->has_stateless_acl = true; + if (od->has_stateful_acl) { + return; + } } } } 
@@ -5647,45 +5669,42 @@ skip_port_from_conntrack(struct ovn_datapath *od, struct ovn_port *op, } static void -build_stateless_filter(struct ovn_datapath *od, - const struct nbrec_acl *acl, - struct hmap *lflows) +build_acl_filter(struct ovn_datapath *od, const struct nbrec_acl *acl, + struct hmap *lflows) { + int direction; + char *actions; + if (!strcmp(acl->direction, "from-lport")) { - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, - "next;", - &acl->header_); + direction = S_SWITCH_IN_PRE_ACL; } else { - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, - "next;", - &acl->header_); + direction = S_SWITCH_OUT_PRE_ACL; + } + + if (!strcmp(acl->action, "allow-stateless")) { + actions = "next;"; + } else { + actions = REGBIT_CONNTRACK_DEFRAG" = 1; next;"; } + + ovn_lflow_add_with_hint(lflows, od, direction, + acl->priority + OVN_ACL_PRI_OFFSET, acl->match, + actions, &acl->header_); } static void -build_stateless_filters(struct ovn_datapath *od, - const struct hmap *port_groups, - struct hmap *lflows) +build_acl_filters(struct ovn_datapath *od, const struct hmap *port_groups, + struct hmap *lflows) { for (size_t i = 0; i < od->nbs->n_acls; i++) { - const struct nbrec_acl *acl = od->nbs->acls[i]; - if (!strcmp(acl->action, "allow-stateless")) { - build_stateless_filter(od, acl, lflows); - } + build_acl_filter(od, od->nbs->acls[i], lflows); } struct ovn_port_group *pg; HMAP_FOR_EACH (pg, key_node, port_groups) { if (ovn_port_group_ls_find(pg, &od->nbs->header_.uuid)) { for (size_t i = 0; i < pg->nb_pg->n_acls; i++) { - const struct nbrec_acl *acl = pg->nb_pg->acls[i]; - if (!strcmp(acl->action, "allow-stateless")) { - build_stateless_filter(od, acl, lflows); - } + build_acl_filter(od, pg->nb_pg->acls[i], lflows); } } } 
@@ -5700,10 +5719,10 @@ build_pre_acls(struct ovn_datapath *od, const struct hmap *port_groups, ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 65535, "eth.dst == $svc_monitor_mac", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 65535, "eth.src == $svc_monitor_mac", "next;"); /* If there are any stateful ACL rules in this datapath, we may @@ -5713,25 +5732,26 @@ build_pre_acls(struct ovn_datapath *od, const struct hmap *port_groups, for (size_t i = 0; i < od->n_router_ports; i++) { skip_port_from_conntrack(od, od->router_ports[i], S_SWITCH_IN_PRE_ACL, S_SWITCH_OUT_PRE_ACL, - 110, lflows); + 65535, lflows); } for (size_t i = 0; i < od->n_localnet_ports; i++) { skip_port_from_conntrack(od, od->localnet_ports[i], S_SWITCH_IN_PRE_ACL, S_SWITCH_OUT_PRE_ACL, - 110, lflows); + 65535, lflows); } - /* stateless filters always take precedence over stateful ACLs. */ - build_stateless_filters(od, port_groups, lflows); + if (od->has_stateless_acl) { + build_acl_filters(od, port_groups, lflows); + } /* Ingress and Egress Pre-ACL Table (Priority 110). * * Not to do conntrack on ND and ICMP destination * unreachable packets. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 65535, "nd || nd_rs || nd_ra || mldv1 || mldv2 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 65535, "nd || nd_rs || nd_ra || mldv1 || mldv2 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index bd3c3aa26..f92906e5b 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml 
@@ -459,7 +459,9 @@ priority-110 flow is added to skip over stateful ACLs. IPv6 Neighbor Discovery and MLD traffic also skips stateful ACLs. For "allow-stateless" ACLs, a flow is added to bypass setting the hint for connection tracker - processing. + processing. If datapath has "allow-stateless" and "allow-related" ACLs, + a flow for each ACL would be added with priority value calculated as 1000 + plus ACL's priority and action reg0[0] = 1; next;.

    diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index c4424ab14..b168b79c9 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -3100,7 +3100,7 @@ AT_CLEANUP ]) OVN_FOR_EACH_NORTHD([ -AT_SETUP([ACL allow-stateless overrides stateful rules with higher priority - Logical_Switch]) +AT_SETUP([ACL allow-stateless doesn't override stateful rules with higher priority - Logical_Switch]) ovn_start ovn-nbctl ls-add ls 
@@ -3110,22 +3110,29 @@ ovn-nbctl lsp-add ls lsp2 ovn-nbctl lsp-set-addresses lsp2 00:00:00:00:00:02 for direction in from to; do - ovn-nbctl acl-add ls ${direction}-lport 3 "tcp" allow-related - ovn-nbctl acl-add ls ${direction}-lport 3 "udp" allow + ovn-nbctl acl-add ls ${direction}-lport 3 "ip4.src == 10.0.0.0/24 && tcp" allow-related + ovn-nbctl acl-add ls ${direction}-lport 3 "ip4.src == 10.0.0.0/24 && udp" allow +done + +# Allow stateless with *lower* priority. It should not override stateful rules. +for direction in from to; do + ovn-nbctl acl-add ls ${direction}-lport 1 tcp allow-stateless + ovn-nbctl acl-add ls ${direction}-lport 1 udp allow-stateless done ovn-nbctl --wait=sb sync flow_eth='eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02' -flow_ip='ip.ttl==64 && ip4.src == 42.42.42.1 && ip4.dst == 66.66.66.66' +flow_ip_10='ip.ttl==64 && ip4.src == 10.0.0.1 && ip4.dst == 66.66.66.66' +flow_ip_20='ip.ttl==64 && ip4.src == 20.0.0.1 && ip4.dst == 66.66.66.66' flow_tcp='tcp && tcp.dst == 80' flow_udp='udp && udp.dst == 80' lsp1_inport=$(fetch_column Port_Binding tunnel_key logical_port=lsp1) -# TCP packets should go to conntrack. -flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}" +# TCP and UDP packets should go to conntrack. +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip_10} && ${flow_tcp}" AT_CHECK_UNQUOTED([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl -# tcp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0 +# tcp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=10.0.0.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0 ct_next(ct_state=new|trk) { ct_next(ct_state=new|trk) { output("lsp2"); 
@@ -3133,24 +3140,25 @@ ct_next(ct_state=new|trk) { }; ]) -# Allow stateless with *lower* priority. It always beats stateful rules. -for direction in from to; do - ovn-nbctl acl-add ls ${direction}-lport 1 tcp allow-stateless - ovn-nbctl acl-add ls ${direction}-lport 1 udp allow-stateless -done -ovn-nbctl --wait=sb sync +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip_10} && ${flow_udp}" +AT_CHECK_UNQUOTED([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl +# udp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=10.0.0.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80 +ct_next(ct_state=new|trk) { + ct_next(ct_state=new|trk) { + output("lsp2"); + }; +}; +]) -# TCP packets should not go to conntrack anymore. -flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}" +# TCP and UDP packets from 20.0.0.1 should go to conntrack. +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip_20} && ${flow_tcp}" AT_CHECK_UNQUOTED([ovn-trace --minimal ls "${flow}"], [0], [dnl -# tcp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0 +# tcp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=20.0.0.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0 output("lsp2"); ]) - -# UDP packets should not go to conntrack anymore. 
-flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}" +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip_20} && ${flow_udp}" AT_CHECK_UNQUOTED([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl -# udp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80 +# udp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=20.0.0.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80 output("lsp2"); ])
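Review bot: In the second build_pre_acls() hunk of northd/ovn-northd.c, the unchanged comment "Ingress and Egress Pre-ACL Table (Priority 110)" now sits directly above two ovn_lflow_add() calls that this patch changes to priority 65535, so the comment is stale and should be updated with the code. The literal 65535 is also introduced in six places across these two hunks (svc_monitor_mac, router ports, localnet ports, ND/MLD); a named constant would keep them in step and give one place to explain why the skip flows must outrank the per-ACL flows. The removed comment "stateless filters always take precedence over stateful ACLs" has no replacement: the new "if (od->has_stateless_acl)" block should carry a short comment stating the ordering that build_acl_filters() now implements, since that ordering is the behaviour change of this patch.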
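Review bot: In the third tests/ovn-northd.at hunk, the added comment "# TCP and UDP packets from 20.0.0.1 should go to conntrack." contradicts the expectations that follow it: both the TCP and the UDP check for flow_ip_20 expect a bare output("lsp2"); with no ct_next(...) wrapper, which is the not-tracked result. The comment should say these packets should not go to conntrack, because they match only the priority-1 allow-stateless ACLs and not the 10.0.0.0/24 stateful ones. The two 20.0.0.1 checks are also invoked differently: the TCP one runs "ovn-trace --minimal" and the UDP one runs "ovn-trace --ct new --ct new --minimal"; using the same flags for both would make it clear the difference is not significant. Finally, all cases here place the stateless ACLs at priority 1 below the stateful ones at priority 3, so the opposite ordering (allow-stateless above an overlapping allow-related ACL) is not exercised by this test; consider adding a case for it.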