From patchwork Mon Jun 25 17:03:02 2018
X-Patchwork-Submitter: Han Zhou
X-Patchwork-Id: 934484
From: Han Zhou
To: dev@openvswitch.org
Date: Mon, 25 Jun 2018 10:03:02 -0700
Message-Id: <1529946182-38004-1-git-send-email-hzhou8@ebay.com>
Subject: [ovs-dev] [PATCH v3] ovn.at: Add stateful test for ACL on port groups.

A bug was reported on the feature of applying ACLs on port groups [1]. This bug was not detected by the original test case, because it didn't test the return traffic and so didn't ensure the stateful feature is working.

The fix [2] causes the original test case to fail, because once conntrack is enabled, the test packets are dropped: the checksums in those packets are invalid and so they are marked with the "invalid" state by conntrack. To avoid the test case failure, the fix [2] changed it to test stateless ACL only, which leaves the scenario untested, although it is fixed.

This patch adds back the stateful ACL in the test, and replaces dummy/receive with inject-pkt to send the test packets, so that checksums can be properly filled in. It also adds tests for the return traffic, which ensures the stateful feature is working.

[1] https://mail.openvswitch.org/pipermail/ovs-discuss/2018-June/046927.html
[2] https://patchwork.ozlabs.org/patch/931913/
Signed-off-by: Han Zhou Acked-by: Jakub Sitnicki Acked-by: Daniel Alvarez --- Note: this patch depends on Daniel's patch [2] which is not merged yet. v1->v2: - Addressed Jacub's comments - simplified packet expr and removed debug information. - Renamed test_ip to test_icmp. v2->v3: - Updated comments. tests/ovn.at | 69 ++++++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 48 insertions(+), 21 deletions(-) diff --git a/tests/ovn.at b/tests/ovn.at index 93644b0..2af00a9 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -9981,7 +9981,7 @@ ovn-nbctl create Port_Group name=pg2 ports="$pg2_ports" # create ACLs on pg1 to drop traffic from pg2 to pg1 ovn-nbctl acl-add pg1 to-lport 1001 'outport == @pg1' drop ovn-nbctl --type=port-group acl-add pg1 to-lport 1002 \ - 'outport == @pg1 && ip4.src == $pg2_ip4' allow + 'outport == @pg1 && ip4.src == $pg2_ip4' allow-related # Physical network: # @@ -10043,13 +10043,20 @@ OVN_POPULATE_ARP # XXX This should be more systematic. sleep 1 -# test_ip INPORT SRC_MAC DST_MAC SRC_IP DST_IP OUTPORT... +lsp_to_mac() { + echo f0:00:00:00:0${1:0:1}:${1:1:2} +} + +lrp_to_mac() { + echo 00:00:00:00:ff:$1 +} + +# test_icmp INPORT SRC_MAC DST_MAC SRC_IP DST_IP ICMP_TYPE OUTPORT... # -# This shell function causes a packet to be received on INPORT. The packet's -# content has Ethernet destination DST and source SRC (each exactly 12 hex -# digits) and Ethernet type ETHTYPE (4 hex digits). The OUTPORTs (zero or -# more) list the VIFs on which the packet should be received. INPORT and the -# OUTPORTs are specified as logical switch port numbers, e.g. 123 for vif123. +# This shell function causes a ICMP packet to be received on INPORT. +# The OUTPORTs (zero or more) list the VIFs on which the packet should +# be received. INPORT and the OUTPORTs are specified as logical switch +# port numbers, e.g. 123 for vif123. for i in 1 2 3; do for j in 1 2 3; do for k in 1 2 3; do 
@@ -10057,26 +10064,34 @@ for i in 1 2 3; do done done done -test_ip() { - # This packet has bad checksums but logical L3 routing doesn't check. - local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 - local packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}${dst_ip}0035111100080000 - shift; shift; shift; shift; shift + +test_icmp() { + local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 icmp_type=$6 + local packet="inport==\"lp$inport\" && eth.src==$src_mac && + eth.dst==$dst_mac && ip.ttl==64 && ip4.src==$src_ip + && ip4.dst==$dst_ip && icmp4.type==$icmp_type && + icmp4.code==0" + shift; shift; shift; shift; shift; shift hv=hv`vif_to_hv $inport` - as $hv ovs-appctl netdev-dummy/receive vif$inport $packet - #as $hv ovs-appctl ofproto/trace br-int in_port=$inport $packet + as $hv ovs-appctl -t ovn-controller inject-pkt "$packet" in_ls=`vif_to_ls $inport` in_lrp=`vif_to_lrp $inport` for outport; do out_ls=`vif_to_ls $outport` if test $in_ls = $out_ls; then # Ports on the same logical switch receive exactly the same packet. - echo $packet + echo $packet | ovstest test-ovn expr-to-packets else # Routing decrements TTL and updates source and dest MAC # (and checksum). out_lrp=`vif_to_lrp $outport` - echo f00000000${outport}00000000ff${out_lrp}08004500001c00000000"3f1101"00${src_ip}${dst_ip}0035111100080000 + exp_smac=`lrp_to_mac $out_lrp` + exp_dmac=`lsp_to_mac $outport` + exp_packet="eth.src==$exp_smac && eth.dst==$exp_dmac && + ip.ttl==63 && ip4.src==$src_ip && ip4.dst==$dst_ip && + icmp4.type==$icmp_type && icmp4.code==0" + echo $exp_packet | ovstest test-ovn expr-to-packets + fi >> $outport.expected done } 
@@ -10099,14 +10114,17 @@ for is in 1 2 3; do for ks in 1 2 3; do bcast= s=$is$js$ks - smac=f00000000$s - sip=`ip_to_hex 192 168 $is$js $ks` + slsp_mac=`lsp_to_mac $s` + slrp_mac=`lrp_to_mac $is$js` + sip=192.168.$is$js.$ks for id in 1 2 3; do for jd in 1 2 3; do for kd in 1 2 3; do d=$id$jd$kd - dip=`ip_to_hex 192 168 $id$jd $kd` - if test $is = $id; then dmac=f00000000$d; else dmac=00000000ff$is$js; fi + dlsp_mac=`lsp_to_mac $d` + dlrp_mac=`lrp_to_mac $id$jd` + dip=192.168.$id$jd.$kd + if test $is = $id; then dmac=$dlsp_mac; else dmac=$slrp_mac; fi if test $d != $s; then unicast=$d; else unicast=; fi # packets matches ACL1 but not ACL2 should be dropped @@ -10115,7 +10133,16 @@ for is in 1 2 3; do unicast= fi fi - test_ip $s $smac $dmac $sip $dip $unicast #1 + # icmp request (type = 8) + test_icmp $s $slsp_mac $dmac $sip $dip 8 $unicast + + # if packets are not dropped, test the return traffic (icmp echo) + # to make sure stateful works, too. + if test x$unicast != x; then + if test $is = $id; then dmac=$slsp_mac; else dmac=$dlrp_mac; fi + # icmp echo (type = 0) + test_icmp $unicast $dlsp_mac $dmac $dip $sip 0 $s + fi done done done
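Review bot: in the first hunk (@@ -9981,7), the unchanged comment "# create ACLs on pg1 to drop traffic from pg2 to pg1" no longer describes the rules: priority 1001 drops everything with outport == @pg1, and priority 1002, now allow-related, permits traffic whose ip4.src is in $pg2_ip4, so pg2 is the exception rather than the target of the drop. Suggest "# create ACLs on pg1 to drop traffic to pg1 except from pg2", which also lines up with the later "# packets matches ACL1 but not ACL2 should be dropped". The allow to allow-related change is the one that makes the reply direction depend on a conntrack entry, so it is worth a one-line comment saying that is deliberate.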
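Review bot: in the second hunk (@@ -10043,13), lsp_to_mac uses ${1:0:1} and ${1:1:2}, which is bash substring expansion rather than POSIX sh; if the testsuite is run under a plain sh such as dash, the function fails with a bad-substitution error. Since callers always pass a three-digit port number, a portable form would be `printf 'f0:00:00:00:0%s:%s\n' "$(echo "$1" | cut -c1)" "$(echo "$1" | cut -c2-3)"`. Also, in the function comment, "causes a ICMP packet" should read "causes an ICMP packet", and the comment should say that SRC_MAC/DST_MAC are expected in colon-separated form, since that is what the expression syntax needs.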
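Review bot: in the third hunk (@@ -10057,26), $packet and $exp_packet are expanded unquoted in `echo $packet | ovstest test-ovn expr-to-packets` and `echo $exp_packet | ovstest test-ovn expr-to-packets`, while inject-pkt is called with "$packet" a few lines above. Both strings contain embedded newlines and escaped double quotes (inport==\"lp$inport\"), and the unquoted expansion flattens them into one space-separated line; if that flattening is intended, say so in a comment, otherwise quote them for consistency with the inject-pkt call. The comparison also relies on expr-to-packets and ovn-controller inject-pkt filling every unconstrained field (ip.id and the like) identically from the same expression; a short comment on that assumption next to the expected-packet generation would help anyone debugging a mismatch later.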
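Review bot: in the fourth hunk (@@ -10099,14), both visible callers of ip_to_hex are removed; if no other test in ovn.at still calls the helper, it becomes dead code and should be dropped in the same patch. The four new names slsp_mac, slrp_mac, dlsp_mac and dlrp_mac are terse enough that a one-line comment ("# s/d = source/destination, lsp/lrp = MAC of the switch port / of its router port") would save the next reader a trip back to lsp_to_mac and lrp_to_mac.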
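Review bot: in the last hunk (@@ -10115,7), the comments "test the return traffic (icmp echo)" and "# icmp echo (type = 0)" are imprecise: type 8 is an echo request and type 0 is an echo reply, so the second should read "# icmp echo reply (type = 0)". The logic itself is sound: the reply is generated only when the request was expected to arrive (unicast non-empty), it is injected from the destination port, and dmac is chosen from the reply's point of view (the source's switch-port MAC on the same switch, otherwise the destination side's router port). The case that actually proves statefulness is a source in pg1 and a destination outside pg2: the reply d->s matches only the priority 1001 drop unless conntrack already holds the entry created by the request, so with plain allow the reply would be missing from $s.expected. A comment stating that next to `if test x$unicast != x; then` would make the intent of the added block explicit.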
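As an added illustration of the commit message's point about the old test packets (this is not code from the patch or from OVS): the removed test_ip helper built its UDP packet from a fixed hex template whose IPv4 header checksum field is 0000, which is why a checksum-validating conntrack classifies the packet as invalid and never creates a connection entry for it. The snippet below rebuilds that template for constructed sample addresses, verifies the header checksum as RFC 1071 defines it, and fills in the correct value; all function and variable names are the example's own.

```python
import struct

# Hex template from the removed test_ip helper in tests/ovn.at:
#   ${dst_mac}${src_mac}0800 4500 001c 0000 0000 40 11 0000 ${src_ip}${dst_ip} 0035 1111 0008 0000
# i.e. Ethernet (14 bytes), IPv4 header (20 bytes, checksum 0000), UDP header (8 bytes).
ETH_LEN = 14

def old_test_packet(dst_mac_hex, src_mac_hex, src_ip_hex, dst_ip_hex):
    """Rebuild the packet exactly as the old test did (hex strings, as ip_to_hex produced)."""
    hexstr = (dst_mac_hex + src_mac_hex + "0800"
              + "4500001c0000000040110000" + src_ip_hex + dst_ip_hex
              + "0035111100080000")
    return bytes.fromhex(hexstr)

def ones_complement_sum(data):
    """RFC 1071 arithmetic: 16-bit ones' complement sum of DATA (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_checksum(ip_hdr):
    """Correct checksum for IP_HDR, computed with its own checksum field treated as zero."""
    zeroed = ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF

def ipv4_header_checksum_ok(pkt):
    """True if the IPv4 header in PKT verifies (sum over the whole header folds to 0xFFFF).
    This is the check conntrack applies before creating an entry; a failing packet is 'invalid'."""
    ihl = (pkt[ETH_LEN] & 0x0F) * 4
    return ones_complement_sum(pkt[ETH_LEN:ETH_LEN + ihl]) == 0xFFFF

def fix_ipv4_header_checksum(pkt):
    """Return a copy of PKT with the IPv4 header checksum filled in (what inject-pkt does for the test)."""
    ihl = (pkt[ETH_LEN] & 0x0F) * 4
    hdr = pkt[ETH_LEN:ETH_LEN + ihl]
    csum = ipv4_header_checksum(hdr)
    return pkt[:ETH_LEN + 10] + struct.pack("!H", csum) + pkt[ETH_LEN + 12:]

if __name__ == "__main__":
    # Constructed sample: vif111 -> vif222 across switches, MACs/IPs formed as the old test formed them.
    pkt = old_test_packet("00000000ff11", "f00000000111", "c0a80b01", "c0a81602")
    fixed = fix_ipv4_header_checksum(pkt)
    print("old template verifies:", ipv4_header_checksum_ok(pkt))
    print("fixed packet verifies:", ipv4_header_checksum_ok(fixed))
```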