From patchwork Tue Dec 6 23:53:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lorenzo Bianconi X-Patchwork-Id: 1712971 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=iCn/1qjl; dkim-atps=neutral Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4NRchS1Sh9z23pB for ; Wed, 7 Dec 2022 10:54:15 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id A797561068; Tue, 6 Dec 2022 23:54:12 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org A797561068 Authentication-Results: smtp3.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=iCn/1qjl X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x-GBVAbeIlLE; Tue, 6 Dec 2022 23:54:11 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp3.osuosl.org (Postfix) with ESMTPS id 2F78F60E46; Tue, 6 Dec 2022 23:54:10 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 2F78F60E46 Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id D61DEC0032; Tue, 6 Dec 2022 23:54:09 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 2AC2AC002D for ; Tue, 6 Dec 2022 23:54:08 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id F1AF681EB9 for ; Tue, 6 Dec 2022 23:54:07 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org F1AF681EB9 Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=iCn/1qjl X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kPB92xkDEieo for ; Tue, 6 Dec 2022 23:54:05 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9052F81EA6 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id 9052F81EA6 for ; Tue, 6 Dec 2022 23:54:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1670370844; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=KapykoAEJ6UlWRKSoxg8kGq+CJYTxOFzr3P2yzDVKv0=; b=iCn/1qjlWrLex5Bym6xZuNPqHRrd1bVQTYtKjKAy/SxzWGdz9sbK3LulQIwswtxjVK25iE NWsGEUj0pdB6EIoSQSzGG1TqfZPdnk+cgksEIIVZ88MzBEq/eeeqlAz9UHi4tUM0vspPK9 kDjltckTG2u1KmDVg2dqKyF4IJR85Gc= Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-356-d8THbLqKOBqX_NZR_gkdWg-1; Tue, 06 Dec 2022 18:54:03 -0500 X-MC-Unique: d8THbLqKOBqX_NZR_gkdWg-1 Received: by mail-wm1-f69.google.com with SMTP id r67-20020a1c4446000000b003d09b0fbf54so5922430wma.3 for ; Tue, 06 Dec 2022 15:54:03 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=anFILzTBo41bkEdiu49roqB5JC027IluhL/57e61JIU=; b=xAmkB5ayKOE2wni667PTIWl5jCA+jOJwg//EKTXaKeDiJRgjwCIiJHketIIEPsc0z4 Lhgr5Hrge3zbA/wqa3o6tp/+HIUKmAPMm1qQiQXyhPlQrkknRsRVPhs0BouNT/ZNpAaD xdLWfUxt5s41e4hVKIh62moZsH2tOX3+CnRwKpzEGk6BvIc8OHIoXuWRw+NPMjnr1OXZ wt2ZD9rb5uUjIuF7s2G3pqEKGvABd0PFVWnEnHcAWcMOaukydJigr3BcYxcKwRa2l+C/ NV57kZMB1AhGx7WrOGSgZ0/Sb8lfiqNwM0Bi79yjFAZZb1bhVADZ3JIyMsunmgYC4Mx7 1A7Q== X-Gm-Message-State: ANoB5pm9uydnsG9JK3hSZzkzvAOYDM4eOKcCjhcqUcI3oB4ADkIRQIx7 XL/Kc+eCFjRldMALfNGBiThKgl/H0Y4qdMV54VqZ0kSUHRrfgK1vR8YV2FuVFpwWetDwIW+tsTI wKzMk65yvcfAdBRn7M9q1SdHHHcFQlT6pJ7JfgdQSnLTAFHSjjpewQGmxSl3X/G+BXLen+Sm8Lp ik5JCF X-Received: by 2002:a05:6000:104b:b0:242:3b8d:fdb1 with SMTP id c11-20020a056000104b00b002423b8dfdb1mr14831697wrx.193.1670370841566; Tue, 06 Dec 2022 15:54:01 -0800 (PST) X-Google-Smtp-Source: AA0mqf5QSZhnDx5jytJ03Nqm7EnsHwQQpiknXT7cd43WMah4XUmoTw6pmOk3EaEyetEK4ZxIwl9TVQ== X-Received: by 2002:a05:6000:104b:b0:242:3b8d:fdb1 with SMTP id c11-20020a056000104b00b002423b8dfdb1mr14831674wrx.193.1670370840903; Tue, 06 Dec 2022 15:54:00 -0800 (PST) Received: from localhost (net-188-216-77-84.cust.vodafonedsl.it. [188.216.77.84]) by smtp.gmail.com with ESMTPSA id u14-20020a05600c19ce00b003cfd42821dasm24657445wmq.3.2022.12.06.15.54.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Dec 2022 15:54:00 -0800 (PST) From: Lorenzo Bianconi To: ovs-dev@openvswitch.org Date: Wed, 7 Dec 2022 00:53:50 +0100 Message-Id: <804194d4ee223edb50f094ddb8793a07035d44d9.1670370365.git.lorenzo.bianconi@redhat.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH v2 ovn] actions: introduce ct_commit_continue action X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" In the current codebase ct_commit {} action clears ct_state metadata of the incoming packet. This behaviour introduces an issue if we need to check the connection tracking state in the subsequent pipeline stages, e.g. for hairpin traffic: table=14(ls_in_pre_hairpin ), priority=100 , match=(ip && ct.trk), action=(reg0[6] = chk_lb_hairpin(); reg0[12] = chk_lb_hairpin_reply(); next;) Fix the issue introducing ct_commit_continue action used to allow the ct packet to proceed in the pipeline instead of the original one. Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2103086 Signed-off-by: Lorenzo Bianconi --- Changes since v1: - introduce new nested action ct_commit_continue instead of modifying ct_commit_v2 --- controller/chassis.c | 7 +++++ include/ovn/actions.h | 2 ++ include/ovn/features.h | 1 + lib/actions.c | 61 ++++++++++++++++++++++++++++++++++++++--- northd/northd.c | 40 +++++++++++++++++++++++---- northd/northd.h | 2 ++ northd/ovn-northd.8.xml | 7 +++++ ovn-sb.xml | 15 ++++++++++ tests/ovn-controller.at | 42 ++++++++++++++++++++++++++++ tests/ovn-northd.at | 8 +++--- tests/ovn.at | 4 +++ utilities/ovn-trace.c | 2 ++ 12 files changed, 177 insertions(+), 14 deletions(-) diff --git a/controller/chassis.c b/controller/chassis.c index 685d9b2ae..8dc7ecc07 100644 --- a/controller/chassis.c +++ b/controller/chassis.c @@ -352,6 +352,7 @@ chassis_build_other_config(const struct ovs_chassis_cfg *ovs_cfg, smap_replace(config, OVN_FEATURE_PORT_UP_NOTIF, "true"); smap_replace(config, OVN_FEATURE_CT_NO_MASKED_LABEL, "true"); smap_replace(config, OVN_FEATURE_MAC_BINDING_TIMESTAMP, "true"); + smap_replace(config, OVN_FEATURE_CT_COMMIT_CONTINUE, "true"); } /* @@ -469,6 +470,12 @@ chassis_other_config_changed(const struct ovs_chassis_cfg *ovs_cfg, return true; } + if (!smap_get_bool(&chassis_rec->other_config, + OVN_FEATURE_CT_COMMIT_CONTINUE, + false)) { + return true; + } + return false; } diff --git a/include/ovn/actions.h b/include/ovn/actions.h index a56351081..927818976 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h @@ -66,6 +66,7 @@ struct ovn_extend_table; OVNACT(CT_NEXT, ovnact_ct_next) \ OVNACT(CT_COMMIT_V1, ovnact_ct_commit_v1) \ OVNACT(CT_COMMIT_V2, ovnact_nest) \ + OVNACT(CT_COMMIT_CONTINUE, ovnact_nest) \ OVNACT(CT_DNAT, ovnact_ct_nat) \ OVNACT(CT_SNAT, ovnact_ct_nat) \ OVNACT(CT_DNAT_IN_CZONE, ovnact_ct_nat) \ @@ -321,6 +322,7 @@ struct ovnact_nest { struct ovnact ovnact; struct ovnact *nested; size_t nested_len; + uint8_t ltable; /* Logical table ID of next table. */ }; /* OVNACT_GET_ARP, OVNACT_GET_ND. */ diff --git a/include/ovn/features.h b/include/ovn/features.h index 679f67457..0ad8a27b9 100644 --- a/include/ovn/features.h +++ b/include/ovn/features.h @@ -24,6 +24,7 @@ #define OVN_FEATURE_PORT_UP_NOTIF "port-up-notif" #define OVN_FEATURE_CT_NO_MASKED_LABEL "ct-no-masked-label" #define OVN_FEATURE_MAC_BINDING_TIMESTAMP "mac-binding-timestamp" +#define OVN_FEATURE_CT_COMMIT_CONTINUE "ct-commit-continue" /* OVS datapath supported features. Based on availability OVN might generate * different types of openflows. diff --git a/lib/actions.c b/lib/actions.c index 47ec654e1..807b84127 100644 --- a/lib/actions.c +++ b/lib/actions.c @@ -766,6 +766,13 @@ parse_CT_COMMIT(struct action_context *ctx) if (ctx->lexer->token.type == LEX_T_LCURLY) { parse_nested_action(ctx, OVNACT_CT_COMMIT_V2, "ip", WR_CT_COMMIT); + + if (ctx->lexer->error) { + return; + } + + struct ovnact_nest *on = ctx->ovnacts->header; + on->ltable = 0; } else if (ctx->lexer->token.type == LEX_T_LPAREN) { parse_CT_COMMIT_V1(ctx); } else { @@ -775,6 +782,7 @@ parse_CT_COMMIT(struct action_context *ctx) OVNACT_ALIGN(sizeof *on)); on->nested_len = 0; on->nested = NULL; + on->ltable = 0; } } @@ -871,13 +879,13 @@ format_CT_COMMIT_V2(const struct ovnact_nest *on, struct ds *s) } static void -encode_CT_COMMIT_V2(const struct ovnact_nest *on, - const struct ovnact_encode_params *ep OVS_UNUSED, - struct ofpbuf *ofpacts) +encode_ct_commit_nested(const struct ovnact_nest *on, + const struct ovnact_encode_params *ep, + uint8_t recirc_table, struct ofpbuf *ofpacts) { struct ofpact_conntrack *ct = ofpact_put_CT(ofpacts); ct->flags = NX_CT_F_COMMIT; - ct->recirc_table = NX_CT_RECIRC_NONE; + ct->recirc_table = recirc_table; ct->zone_src.field = ep->is_switch ? mf_from_id(MFF_LOG_CT_ZONE) : mf_from_id(MFF_LOG_DNAT_ZONE); @@ -907,6 +915,49 @@ encode_CT_COMMIT_V2(const struct ovnact_nest *on, ct = ofpacts->header; ofpact_finish(ofpacts, &ct->ofpact); } + +static void +encode_CT_COMMIT_V2(const struct ovnact_nest *on, + const struct ovnact_encode_params *ep, + struct ofpbuf *ofpacts) +{ + encode_ct_commit_nested(on, ep, NX_CT_RECIRC_NONE, ofpacts); +} + +static void +parse_CT_COMMIT_CONTINUE(struct action_context *ctx) +{ + int table = ctx->pp->cur_ltable + 1; + if (table >= ctx->pp->n_tables) { + table = 0; + } + parse_nested_action(ctx, OVNACT_CT_COMMIT_CONTINUE, "ip", + WR_CT_COMMIT); + + struct ovnact_nest *on = ctx->ovnacts->header; + on->ltable = table; +} + +static void +format_CT_COMMIT_CONTINUE(const struct ovnact_nest *on, struct ds *s) +{ + if (on->nested_len) { + format_nested_action(on, "ct_commit_continue", s); + } else { + ds_put_cstr(s, "ct_commit_continue;"); + } +} + +static void +encode_CT_COMMIT_CONTINUE(const struct ovnact_nest *on, + const struct ovnact_encode_params *ep, + struct ofpbuf *ofpacts) +{ + uint8_t recirc_table = first_ptable(ep, ep->pipeline) + on->ltable; + + encode_ct_commit_nested(on, ep, recirc_table, ofpacts); +} + static void parse_ct_nat(struct action_context *ctx, const char *name, @@ -5288,6 +5339,8 @@ parse_action(struct action_context *ctx) parse_DEC_TTL(ctx); } else if (lexer_match_id(ctx->lexer, "ct_next")) { parse_CT_NEXT(ctx); + } else if (lexer_match_id(ctx->lexer, "ct_commit_continue")) { + parse_CT_COMMIT_CONTINUE(ctx); } else if (lexer_match_id(ctx->lexer, "ct_commit")) { parse_CT_COMMIT(ctx); } else if (lexer_match_id(ctx->lexer, "ct_dnat")) { diff --git a/northd/northd.c b/northd/northd.c index 74facce7a..5170e20e2 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -446,6 +446,14 @@ build_chassis_features(const struct northd_input *input_data, chassis_features->mac_binding_timestamp) { chassis_features->mac_binding_timestamp = false; } + + bool ct_commit_continue = + smap_get_bool(&chassis->other_config, + OVN_FEATURE_CT_COMMIT_CONTINUE, + false); + if (!ct_commit_continue && chassis_features->ct_commit_continue) { + chassis_features->ct_commit_continue = false; + } } } @@ -5494,6 +5502,7 @@ ls_get_acl_flags(struct ovn_datapath *od) { od->has_acls = false; od->has_stateful_acl = false; + od->has_apply_after_lb_acls = false; if (od->nbs->n_acls) { od->has_acls = true; @@ -5502,7 +5511,9 @@ ls_get_acl_flags(struct ovn_datapath *od) struct nbrec_acl *acl = od->nbs->acls[i]; if (!strcmp(acl->action, "allow-related")) { od->has_stateful_acl = true; - return; + } + if (smap_get_bool(&acl->options, "apply-after-lb", false)) { + od->has_apply_after_lb_acls = true; } } } @@ -5516,7 +5527,9 @@ ls_get_acl_flags(struct ovn_datapath *od) struct nbrec_acl *acl = ls_pg->nb_pg->acls[i]; if (!strcmp(acl->action, "allow-related")) { od->has_stateful_acl = true; - return; + } + if (smap_get_bool(&acl->options, "apply-after-lb", false)) { + od->has_apply_after_lb_acls = true; } } } @@ -7447,9 +7460,17 @@ build_stateful(struct ovn_datapath *od, * We always set ct_mark.blocked to 0 here as * any packet that makes it this far is part of a connection we * want to allow to continue. */ - ds_put_format(&actions, "ct_commit { %s = 0; " - "ct_label.label = " REG_LABEL "; }; next;", - ct_block_action); + if (features->ct_commit_continue && od->has_apply_after_lb_acls) { + ds_put_format(&actions, + "ct_commit_continue { %s = 0; " + "ct_label.label = " REG_LABEL "; };", + ct_block_action); + } else { + ds_put_format(&actions, + "ct_commit { %s = 0; " + "ct_label.label = " REG_LABEL "; }; next;", + ct_block_action); + } ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, REGBIT_CONNTRACK_COMMIT" == 1 && " REGBIT_ACL_LABEL" == 1", @@ -7464,7 +7485,13 @@ build_stateful(struct ovn_datapath *od, * any packet that makes it this far is part of a connection we * want to allow to continue. */ ds_clear(&actions); - ds_put_format(&actions, "ct_commit { %s = 0; }; next;", ct_block_action); + if (features->ct_commit_continue && od->has_apply_after_lb_acls) { + ds_put_format(&actions, "ct_commit_continue { %s = 0; };", + ct_block_action); + } else { + ds_put_format(&actions, "ct_commit { %s = 0; }; next;", + ct_block_action); + } ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, REGBIT_CONNTRACK_COMMIT" == 1 && " REGBIT_ACL_LABEL" == 0", @@ -15875,6 +15902,7 @@ northd_init(struct northd_data *data) data->features = (struct chassis_features) { .ct_no_masked_label = true, .mac_binding_timestamp = true, + .ct_commit_continue = true, }; data->ovn_internal_version_changed = false; } diff --git a/northd/northd.h b/northd/northd.h index 7942c0a34..fee68d1e7 100644 --- a/northd/northd.h +++ b/northd/northd.h @@ -69,6 +69,7 @@ struct northd_input { struct chassis_features { bool ct_no_masked_label; bool mac_binding_timestamp; + bool ct_commit_continue; }; struct northd_data { @@ -211,6 +212,7 @@ struct ovn_datapath { bool has_unknown; bool has_acls; bool has_vtep_lports; + bool has_apply_after_lb_acls; /* IPAM data. */ struct ipam_info ipam_info; diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index dffbba96d..6a6425dd4 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -1108,6 +1108,13 @@ action based on a hint provided by the previous tables (with a match for reg0[1] == 1 && reg0[13] == 0). + +
  • + If the ACL is configured with apply-after-lb option, + ct_commit_continue action will be used instead of + ct_commit in order to preserve ct_state metadata. +
    • +
  • A priority-0 flow that simply moves traffic to the next table.
    • diff --git a/ovn-sb.xml b/ovn-sb.xml index 4f485b860..6f759b428 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -1408,6 +1408,21 @@

    +
    ct_commit_continue { };
    +
    ct_commit_continue { ct_mark=value[/mask]; };
    +
    ct_commit_continue { ct_label=value[/mask]; };
    +
    ct_commit_continue { ct_mark=value[/mask]; ct_label=value[/mask]; };
    + +
    +

    + ct_commit_continue action exports the same features + supported by ct_commit but allow the packet committed + to the ct table to continue the processing in the next pipeline + stage. This is useful to maintain ct metadata of the processed + packet. +

    +
    +
    ct_dnat;
    ct_dnat(IP);
    diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 6bc9ba75d..67c74f9cd 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -2499,3 +2499,45 @@ AT_CHECK([GET_LOCAL_TEMPLATE_VARS], [1], []) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn-controller - ct_commit_continue]) +AT_KEYWORDS([ct_commit_continue]) + +ovn_start + +net_add n1 +sim_add hv1 +ovs-vsctl add-br br-phys +ovn_attach n1 br-phys 192.168.0.1 + +check ovn-nbctl ls-add sw0 \ + -- lsp-add sw0 sw0-p0 \ + -- lsp-set-addresses sw0-p0 "00:00:00:00:00:01 192.168.1.1" + +as hv1 +ovs-vsctl \ + -- add-port br-int vif0 \ + -- set Interface vif0 external_ids:iface-id=sw0-p0 + +check ovn-nbctl pg-add pg0 sw0-p0 +check ovn-nbctl --apply-after-lb acl-add pg0 from-lport 1004 "ip4 && ip4.dst == 192.168.1.2" drop +check ovn-nbctl --apply-after-lb acl-add pg0 from-lport 1002 "ip4 && tcp" allow-related +check ovn-nbctl --apply-after-lb acl-add pg0 from-lport 1003 "ip4 && icmp" allow-related +check ovn-nbctl --apply-after-lb acl-add pg0 from-lport 1001 "ip4" drop + +check ovn-nbctl lb-add lb0 192.168.1.10 192.168.1.2 +check ovn-nbctl ls-lb-add sw0 lb0 + +check ovn-nbctl --wait=hv sync +wait_for_ports_up + +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=23 | grep table=24 | sed -e 's/cookie=0x[[a-z,0-9]]*/cookie=0x0/; s/duration=[[0-9]]*.[[0-9]]*s/duration=/' |sort], [0], [dnl + cookie=0x0 duration=, table=23, n_packets=0, n_bytes=0, idle_age=0, priority=100,ip,reg0=0x2/0x2002,metadata=0x1 actions=ct(commit,table=24,zone=NXM_NX_REG13[[0..15]],nat(src),exec(load:0->NXM_NX_CT_MARK[[0]])) + cookie=0x0 duration=, table=23, n_packets=0, n_bytes=0, idle_age=0, priority=100,ip,reg0=0x2002/0x2002,metadata=0x1 actions=ct(commit,table=24,zone=NXM_NX_REG13[[0..15]],nat(src),exec(load:0->NXM_NX_CT_MARK[[0]],move:NXM_NX_XXREG0[[0..31]]->NXM_NX_CT_LABEL[[96..127]])) + cookie=0x0 duration=, table=23, n_packets=0, n_bytes=0, idle_age=0, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x1 actions=ct(commit,table=24,zone=NXM_NX_REG13[[0..15]],nat(src),exec(load:0->NXM_NX_CT_MARK[[0]])) + cookie=0x0 duration=, table=23, n_packets=0, n_bytes=0, idle_age=0, priority=100,ipv6,reg0=0x2002/0x2002,metadata=0x1 actions=ct(commit,table=24,zone=NXM_NX_REG13[[0..15]],nat(src),exec(load:0->NXM_NX_CT_MARK[[0]],move:NXM_NX_XXREG0[[0..31]]->NXM_NX_CT_LABEL[[96..127]])) +]) + +AT_CLEANUP +]) diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 9a76ca340..7eb965ce8 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -6623,8 +6623,8 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | sed 's/table=../table=??/' | sort], [0], AT_CHECK([grep -e "ls_in_stateful" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit_continue { ct_mark.blocked = 0; };) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit_continue { ct_mark.blocked = 0; ct_label.label = reg3; };) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) @@ -6676,8 +6676,8 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | sed 's/table=../table=??/' | sort], [0], AT_CHECK([grep -e "ls_in_stateful" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit_continue { ct_mark.blocked = 0; };) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit_continue { ct_mark.blocked = 0; ct_label.label = reg3; };) ]) AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index f3bd53242..ed4a2f50d 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -1187,6 +1187,10 @@ ct_commit { ct_mark=1; }; formats as ct_commit { ct_mark = 1; }; encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(set_field:0x1->ct_mark)) has prereqs ip +ct_commit_continue { ct_mark=1; }; + formats as ct_commit_continue { ct_mark = 1; }; + encodes as ct(commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:0x1->ct_mark)) + has prereqs ip ct_commit { ct_mark=1/1; }; formats as ct_commit { ct_mark = 1/1; }; encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(set_field:0x1/0x1->ct_mark)) diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c index 79ed5a9af..e1def9eea 100644 --- a/utilities/ovn-trace.c +++ b/utilities/ovn-trace.c @@ -3098,6 +3098,8 @@ trace_actions(const struct ovnact *ovnacts, size_t ovnacts_len, case OVNACT_CT_COMMIT_V2: /* Nothing to do. */ break; + case OVNACT_CT_COMMIT_CONTINUE: + break; case OVNACT_CT_DNAT: execute_ct_nat(ovnact_get_CT_DNAT(a), dp, uflow, pipeline, super);