From patchwork Tue Jan 30 12:57:22 2024
X-Patchwork-Submitter: Roberto Bartzen Acosta
X-Patchwork-Id: 1892944
To: dev@openvswitch.org
Date: Tue, 30 Jan 2024 09:57:22 -0300
Message-Id: <20240130125722.23113-1-roberto.acosta@luizalabs.com>
X-Mailer: git-send-email 2.25.1
Subject: [ovs-dev] [PATCH ovn v2] ovn-ic: fix global blacklist filter for IPv6 addresses
X-Patchwork-Original-From: Roberto Bartzen Acosta via dev
From: Roberto Bartzen Acosta Reply-To: Roberto Bartzen Acosta Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This commit fixes the prefix filter function as the return condition for IPv6 addresses is disabling the advertisement of all learned prefixes regardless of the match with the blacklist or not. Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/2046804 Fixes: 57b347c55168 ("ovn-ic: Route advertisement.") --- ic/ovn-ic.c | 22 ++++++++--- tests/ovn-ic.at | 100 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 116 insertions(+), 6 deletions(-) diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c index 6f8f5734d..1c9c9ae2c 100644 --- a/ic/ovn-ic.c +++ b/ic/ovn-ic.c @@ -1024,6 +1024,20 @@ prefix_is_link_local(struct in6_addr *prefix, unsigned int plen) ((prefix->s6_addr[1] & 0xc0) == 0x80)); } +static bool +compare_ipv6_prefixes(const struct in6_addr *s_prefix, + const struct in6_addr *d_prefix2, int plen) +{ + struct in6_addr mask = ipv6_create_mask(plen); + for (int i = 0; i <= (plen / 8); i++) { + if ((s_prefix->s6_addr[i] & mask.s6_addr[i]) ^ + (d_prefix2->s6_addr[i] & mask.s6_addr[i])) { + return false; + } + } + return true; +} + static bool prefix_is_black_listed(const struct smap *nb_options, struct in6_addr *prefix, @@ -1064,12 +1078,8 @@ prefix_is_black_listed(const struct smap *nb_options, continue; } } else { - struct in6_addr mask = ipv6_create_mask(bl_plen); - for (int i = 0; i < 16 && mask.s6_addr[i] != 0; i++) { - if ((prefix->s6_addr[i] & mask.s6_addr[i]) - != (bl_prefix.s6_addr[i] & mask.s6_addr[i])) { - continue; - } + if (!compare_ipv6_prefixes(prefix, &bl_prefix, bl_plen)) { + continue; } } matched = true; diff --git a/tests/ovn-ic.at b/tests/ovn-ic.at index d4c436f84..1f9df71e9 100644 --- a/tests/ovn-ic.at +++ b/tests/ovn-ic.at 
@@ -1274,3 +1274,103 @@ OVN_CLEANUP_IC([az1], [az2]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn-ic -- route sync -- IPv6 blacklist filter]) +AT_KEYWORDS([IPv6-route-sync-blacklist]) + +ovn_init_ic_db +ovn-ic-nbctl ts-add ts1 + +for i in 1 2; do + ovn_start az$i + ovn_as az$i + + # Enable route learning at AZ level + ovn-nbctl set nb_global . options:ic-route-learn=true + # Enable route advertising at AZ level + ovn-nbctl set nb_global . options:ic-route-adv=true + # Enable blacklist single filter for IPv6 + ovn-nbctl set nb_global . options:ic-route-blacklist="2003:db8:1::/64,\ + 2004:aaaa::/32,2005:1234::/21" + + OVS_WAIT_UNTIL([ovn-nbctl show | grep ts1]) + + # Create LRP and connect to TS + ovn-nbctl lr-add lr$i + ovn-nbctl lrp-add lr$i lrp-lr$i-ts1 aa:aa:aa:aa:aa:0$i 2001:db8:1::$i/64 + ovn-nbctl lsp-add ts1 lsp-ts1-lr$i \ + -- lsp-set-addresses lsp-ts1-lr$i router \ + -- lsp-set-type lsp-ts1-lr$i router \ + -- lsp-set-options lsp-ts1-lr$i router-port=lrp-lr$i-ts1 + + ovn-nbctl lrp-add lr$i lrp-lr$i-p$i 00:00:00:00:00:0$i 2002:db8:1::$i/64 + + # Create blacklisted LRPs and connect to TS + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext$i \ + 11:11:11:11:11:1$i 2003:db8:1::$i/64 + + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i \ + 22:22:22:22:22:2$i 2004:aaaa:bbb::$i/48 + + # filtered by 2005:1234::/21 - (2005:1000: - 2005:17ff:) + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext3$i \ + 33:33:33:33:33:3$i 2005:1734:5678::$i/50 + + # additional not filtered prefix -> different subnet bits + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext4$i \ + 33:33:33:33:33:3$i 2005:1834:5678::$i/50 + +done + +for i in 1 2; do + OVS_WAIT_UNTIL([ovn_as az$i ovn-nbctl lr-route-list lr$i | grep learned]) +done + +AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +2005:1834:5678::/50 2001:db8:1::2 +]) + +for i in 1 2; do + ovn_as az$i + + # Drop blacklist + ovn-nbctl remove nb_global . 
options ic-route-blacklist + +done + +OVS_WAIT_FOR_OUTPUT([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' | sort ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +2003:db8:1::/64 2001:db8:1::2 +2004:aaaa:bbb::/48 2001:db8:1::2 +2005:1734:5678::/50 2001:db8:1::2 +2005:1834:5678::/50 2001:db8:1::2 +]) + +for i in 1 2; do + ovn_as az$i + + ovn-nbctl set nb_global . \ + options:ic-route-blacklist="2003:db8:1::/64,2004:db8:1::/64" + + # Create an 'extra' blacklisted LRP and connect to TS + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i \ + 44:44:44:44:44:4$i 2004:db8:1::$i/64 + +done + +OVS_WAIT_FOR_OUTPUT([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' | sort ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +2004:aaaa:bbb::/48 2001:db8:1::2 +2005:1734:5678::/50 2001:db8:1::2 +2005:1834:5678::/50 2001:db8:1::2 +]) + +OVN_CLEANUP_IC([az1], [az2]) + +AT_CLEANUP +])
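
Review bot: in compare_ipv6_prefixes() (ic/ovn-ic.c, first hunk) the loop bound 'i <= (plen / 8)' lets i reach 16 when plen is 128, which reads one byte past the 16-byte s6_addr array of s_prefix, d_prefix2 and mask. The call site passes bl_plen straight through, so a /128 blacklist entry is enough to reach it unless bl_plen is capped earlier. Bounding the loop with 'i < (plen + 7) / 8' still covers a partial last byte, stays in range for /128, and drops the redundant zero-mask comparison when plen is a multiple of 8. Minor: the parameter names s_prefix and d_prefix2 are inconsistent, and plen is a signed int here while prefix_is_link_local() just above takes unsigned int.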
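
Review bot: the commit message does not name the root cause that the removed lines in the second ic/ovn-ic.c hunk show: the 'continue' sat inside the inner 'for' over the mask bytes, so it only advanced that byte loop and 'matched = true' was reached for every IPv6 entry. A sentence saying so in the commit message would make the fix easier to review and to backport.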
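
Review bot: in tests/ovn-ic.at the last 'ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i ... 2004:db8:1::$i/64' reuses a port name already created earlier in the same test for 2004:aaaa:bbb::$i/48, so the second lrp-add collides with the existing port. Because the command is not wrapped in a check and 2004:db8:1::/64 is blacklisted either way, the final expected output is the same whether the port was added or not, and this step does not prove the filter works; a distinct port name (and a check on the command) would fix that. Also, lrp-lr$i-p-ext3$i and lrp-lr$i-p-ext4$i share the MAC 33:33:33:33:33:3$i, the first AT_CHECK lacks the '| sort' used by the later ones, and no blacklist entry exercises a /128 prefix, which is the boundary case for the new comparison loop.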