Message ID | 20201005174948.4169663-1-numans@ovn.org |
---|---|
State | Not Applicable |
On Mon, Oct 5, 2020 at 11:20 PM <numans@ovn.org> wrote: > > From: Numan Siddique <numans@ovn.org> > > Before this patch, we were adding 4 lflows for a reject ACL (with no allow-related) > ACLs and 8 lflows for a reject ACL (with other allow-related ACLs present). > > With this patch, there will be just one lflow for each reject ACL. This reduces the > number of lflows and size of the south db and it will be helpful in large scale > deployments. > > Signed-off-by: Numan Siddique <numans@ovn.org> I made a mistake in sending the patches. Please ignore this patch. Instead consider this one - https://mail.openvswitch.org/pipermail/ovs-dev/2020-October/375763.html Both are the same except the commit message. Thanks Numan > --- > northd/ovn-northd.c | 50 +---------- > tests/ovn-northd.at | 214 +++++++------------------------------------- > tests/system-ovn.at | 46 +++++++++- > 3 files changed, 81 insertions(+), 229 deletions(-) > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index d5fd7da03a..12a27611cc 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c 
> @@ -5422,57 +5422,15 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, > if (extra_match->length > 0) { > ds_put_format(&match, "(%s) && ", extra_match->string); > } > - ds_put_format(&match, "ip4 && tcp && (%s)", acl->match); > - ds_put_format(&actions, "reg0 = 0; " > - "eth.dst <-> eth.src; ip4.dst <-> ip4.src; " > - "tcp_reset { outport <-> inport; %s };", next_action); > - ovn_lflow_add_with_hint(lflows, od, stage, > - acl->priority + OVN_ACL_PRI_OFFSET + 10, > - ds_cstr(&match), ds_cstr(&actions), stage_hint); > - ds_clear(&match); > - ds_clear(&actions); > - build_acl_log(&actions, acl); > - if (extra_match->length > 0) { > - ds_put_format(&match, "(%s) && ", extra_match->string); > - } > - ds_put_format(&match, "ip6 && tcp && (%s)", acl->match); > - ds_put_format(&actions, "reg0 = 0; " > - "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " > - "tcp_reset { outport <-> inport; %s };", next_action); > - ovn_lflow_add_with_hint(lflows, od, stage, > - acl->priority + OVN_ACL_PRI_OFFSET + 10, > - ds_cstr(&match), ds_cstr(&actions), stage_hint); > + ds_put_cstr(&match, acl->match); > > - /* IP traffic */ > - ds_clear(&match); > - ds_clear(&actions); > - build_acl_log(&actions, acl); > - if (extra_match->length > 0) { > - ds_put_format(&match, "(%s) && ", extra_match->string); > - } > - ds_put_format(&match, "ip4 && (%s)", acl->match); > if (extra_actions->length > 0) { > ds_put_format(&actions, "%s ", extra_actions->string); > } > + > ds_put_format(&actions, "reg0 = 0; " > - "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; " > - "outport <-> inport; %s };", next_action); > - ovn_lflow_add_with_hint(lflows, od, stage, > - acl->priority + OVN_ACL_PRI_OFFSET, > - ds_cstr(&match), ds_cstr(&actions), stage_hint); > - ds_clear(&match); > - ds_clear(&actions); > - build_acl_log(&actions, acl); > - if (extra_match->length > 0) { > - ds_put_format(&match, "(%s) && ", extra_match->string); > - } > - ds_put_format(&match, "ip6 && (%s)", acl->match); > - 
if (extra_actions->length > 0) { > - ds_put_format(&actions, "%s ", extra_actions->string); > - } > - ds_put_format(&actions, "reg0 = 0; icmp6 { " > - "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " > - "outport <-> inport; %s };", next_action); > + "reject { eth.dst <-> eth.src; ip.dst <-> ip.src; " > + "outport <-> inport; %s };", next_action); > ovn_lflow_add_with_hint(lflows, od, stage, > acl->priority + OVN_ACL_PRI_OFFSET, > ds_cstr(&match), ds_cstr(&actions), stage_hint); > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > index d020d3921a..fe92a99533 100644 > --- a/tests/ovn-northd.at > +++ b/tests/ovn-northd.at 
> @@ -2047,232 +2047,86 @@ ovn-nbctl --wait=hv sync > > AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl > table=7 (ls_in_acl ), priority=2002 , dnl > -match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };) > - table=7 (ls_in_acl ), priority=2002 , dnl > -match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };) > - table=7 (ls_in_acl ), priority=2012 , dnl > -match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };) > - table=7 (ls_in_acl ), priority=2012 , dnl > -match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };) > +match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=egress,table=6); };) > ]) > > AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl > table=7 (ls_in_acl ), priority=2002 , dnl > -match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };) > - table=7 (ls_in_acl ), priority=2002 , dnl > -match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };) > - table=7 (ls_in_acl ), priority=2012 , dnl > -match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && 
tcp.dst == 80)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };) > - table=7 (ls_in_acl ), priority=2012 , dnl > -match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };) > +match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=egress,table=6); };) > ]) > > AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl > table=5 (ls_out_acl ), priority=2003 , dnl > -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2003 , dnl > -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > +match=(outport == @pg0 && ip6 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > ]) > > AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl > table=5 (ls_out_acl ), priority=2003 , dnl > -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl > 
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2003 , dnl > -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > +match=(outport == @pg0 && ip6 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > ]) > > ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject > > AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl > table=5 (ls_out_acl ), priority=2002 , dnl > -match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2002 , dnl > -match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2003 , dnl > -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > +match=(outport == @pg0 && ip4 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> 
inport; next(pipeline=ingress,table=20); };) > table=5 (ls_out_acl ), priority=2003 , dnl > -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > +match=(outport == @pg0 && ip6 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > ]) > > AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl > table=5 (ls_out_acl ), priority=2002 , dnl > -match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2002 , dnl > -match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), 
priority=2003 , dnl > -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > +match=(outport == @pg0 && ip4 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > table=5 (ls_out_acl ), priority=2003 , dnl > -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > +match=(outport == @pg0 && ip6 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > ]) > > ovn-nbctl --wait=sb acl-add pg0 to-lport 1001 "outport == @pg0 && ip" allow-related > > AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl > table=5 (ls_out_acl ), priority=2001 , dnl > -match=(reg0[[7]] == 1 && 
(outport == @pg0 && ip)), dnl > -action=(reg0[[1]] = 1; next;) > +match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) > table=5 (ls_out_acl ), priority=2001 , dnl > match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) > table=5 (ls_out_acl ), priority=2002 , dnl > -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl > -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > +match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), dnl > +action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > table=5 (ls_out_acl ), priority=2002 , dnl > -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl > -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2002 , dnl > -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2002 , dnl > -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2003 , dnl > -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl > -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2003 , dnl > -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl > -action=(ct_commit { 
ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > +match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > table=5 (ls_out_acl ), priority=2003 , dnl > -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > +match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), dnl > +action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > table=5 (ls_out_acl ), priority=2003 , dnl > -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; 
eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > +match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > ]) > > AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl > table=5 (ls_out_acl ), priority=2001 , dnl > -match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl > -action=(reg0[[1]] = 1; next;) > +match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) > table=5 (ls_out_acl ), priority=2001 , dnl > match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) > table=5 (ls_out_acl ), priority=2002 , dnl > -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl > -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> 
ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > +match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), dnl > +action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > table=5 (ls_out_acl ), priority=2002 , dnl > -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl > -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2002 , dnl > -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2002 , dnl > -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2003 , dnl > -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl > -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2003 , dnl > -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl > -action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > +match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > table=5 (ls_out_acl ), priority=2003 , dnl > -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp4 
{ eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };) > +match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), dnl > +action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > table=5 (ls_out_acl ), priority=2003 , dnl > -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2012 , dnl > -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && 
ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > - table=5 (ls_out_acl ), priority=2013 , dnl > -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl > -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };) > +match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl > +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };) > ]) > > AT_CLEANUP > diff --git a/tests/system-ovn.at b/tests/system-ovn.at > index 420610f89f..b8e6ea32a8 100644 > --- a/tests/system-ovn.at > +++ b/tests/system-ovn.at > @@ -4473,9 +4473,6 @@ ovn-nbctl lsp-add sw0 sw0-p2-rej > ovn-nbctl lsp-set-addresses sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4" > ovn-nbctl lsp-set-port-security sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4" > > -#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p1\" && tcp && tcp.dst == 80" reject > -#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p2\" && ip6 && tcp && tcp.dst == 80" reject > - > # Create port group and ACLs for sw0 ports. > ovn-nbctl pg-add pg0_drop sw0-p1-rej sw0-p2-rej > ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop 
> @@ -4638,6 +4635,49 @@ aef0::3 udp port objcall" | uniq | wc -l) > test $c -eq 1 > ]) > > +# Delete all the ACLs of pg0 and add the ACL with a generic match with reject action. > +ovn-nbctl pg-del pg0 > +ovn-nbctl pg-add pg0 sw0-p1-rej sw0-p2-rej > +ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && (tcp || udp)" reject > + > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p1-rej nc 10.0.0.4 80 2> r > + res=$(cat r) > + echo "result = $res" > + test "$res" = "Ncat: Connection refused." > +]) > + > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p2-rej nc -6 aef0::3 80 2> r > + res=$(cat r) > + test "$res" = "Ncat: Connection refused." > +]) > + > +rm -f *.pcap > + > +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej icmp > sw0-p1-rej-icmp.pcap &], [0]) > + > +printf '.%.0s' {1..100} > foo > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p1-rej nc -u 10.0.0.4 90 < foo > + c=$(cat sw0-p1-rej-icmp.pcap | grep \ > +"10.0.0.4 > 10.0.0.3: ICMP 10.0.0.4 udp port dnsix unreachable" | uniq | wc -l) > + test $c -eq 1 > +]) > + > +rm -f *.pcap > +# Now test for IPv6 UDP. > +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej icmp6 > sw0-p2-rej-icmp6.pcap &], [0]) > + > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p2-rej nc -u -6 aef0::3 90 < foo > + c=$(cat sw0-p2-rej-icmp6.pcap | grep \ > +"IP6 aef0::3 > aef0::4: ICMP6, destination unreachable, unreachable port, \ > +aef0::3 udp port dnsix" | uniq | wc -l) > + test $c -eq 1 > +]) > + > + > OVS_APP_EXIT_AND_WAIT([ovn-controller]) > > as ovn-sb > -- > 2.26.2 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index d5fd7da03a..12a27611cc 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -5422,57 +5422,15 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, if (extra_match->length > 0) { ds_put_format(&match, "(%s) && ", extra_match->string); } - ds_put_format(&match, "ip4 && tcp && (%s)", acl->match); - ds_put_format(&actions, "reg0 = 0; " - "eth.dst <-> eth.src; ip4.dst <-> ip4.src; " - "tcp_reset { outport <-> inport; %s };", next_action); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET + 10, - ds_cstr(&match), ds_cstr(&actions), stage_hint); - ds_clear(&match); - ds_clear(&actions); - build_acl_log(&actions, acl); - if (extra_match->length > 0) { - ds_put_format(&match, "(%s) && ", extra_match->string); - } - ds_put_format(&match, "ip6 && tcp && (%s)", acl->match); - ds_put_format(&actions, "reg0 = 0; " - "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " - "tcp_reset { outport <-> inport; %s };", next_action); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET + 10, - ds_cstr(&match), ds_cstr(&actions), stage_hint); + ds_put_cstr(&match, acl->match); - /* IP traffic */ - ds_clear(&match); - ds_clear(&actions); - build_acl_log(&actions, acl); - if (extra_match->length > 0) { - ds_put_format(&match, "(%s) && ", extra_match->string); - } - ds_put_format(&match, "ip4 && (%s)", acl->match); if (extra_actions->length > 0) { ds_put_format(&actions, "%s ", extra_actions->string); } + ds_put_format(&actions, "reg0 = 0; " - "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; " - "outport <-> inport; %s };", next_action); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(&match), ds_cstr(&actions), stage_hint); - ds_clear(&match); - ds_clear(&actions); - build_acl_log(&actions, acl); - if (extra_match->length > 0) { - ds_put_format(&match, "(%s) && ", extra_match->string); - } - ds_put_format(&match, "ip6 && (%s)", acl->match); - if (extra_actions->length > 0) { - ds_put_format(&actions, "%s ", extra_actions->string); - } - 
ds_put_format(&actions, "reg0 = 0; icmp6 { " - "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " - "outport <-> inport; %s };", next_action); + "reject { eth.dst <-> eth.src; ip.dst <-> ip.src; " + "outport <-> inport; %s };", next_action); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET, ds_cstr(&match), ds_cstr(&actions), stage_hint); diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index d020d3921a..fe92a99533 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
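Review bot: The new `ds_put_cstr(&match, acl->match);` drops the parentheses the removed lines kept around the ACL match (`"ip4 && (%s)"`), so whenever `extra_match` is non-empty the generated match becomes `(reg0[10] == 1) && <acl match>` with the operator's expression spliced in unparenthesized, and an ACL match containing a top-level `||` can no longer be relied on to mean what the NB ACL says. Depending on how ovn-controller's expression parser treats an unparenthesized `&&`/`||` mix (I believe it rejects the expression outright), the result is either a silently widened reject or a reject ACL that never takes effect — both regressions for a policy-enforcing flow, and the updated ovn-northd.at expectations only exercise `&&`-only matches. Restore the grouping with `ds_put_format(&match, "(%s)", acl->match);` and add a northd test that combines an `||` reject match with an allow-related ACL so the composed expression is checked. Separately, the single flow now matches exactly what the ACL match admits with no `ip4`/`ip6` qualifier, so `reject` is reached for any non-IP packets the match lets through; a comment such as `/* Match is no longer restricted to ip4/ip6: the reject action must itself handle non-IP packets. */` would make that dependency on the action's implementation explicit. build_reject_acl_rules begins before this hunk and the rest of its body lies outside it.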
@@ -2047,232 +2047,86 @@ ovn-nbctl --wait=hv sync
 AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl
 table=7 (ls_in_acl ), priority=2002 , dnl
-match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };)
- table=7 (ls_in_acl ), priority=2002 , dnl
-match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };)
- table=7 (ls_in_acl ), priority=2012 , dnl
-match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
- table=7 (ls_in_acl ), priority=2012 , dnl
-match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
+match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=egress,table=6); };)
 ])
 AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl
 table=7 (ls_in_acl ), priority=2002 , dnl
-match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };)
- table=7 (ls_in_acl ), priority=2002 , dnl
-match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };)
- table=7 (ls_in_acl ), priority=2012 , dnl
-match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
- table=7 (ls_in_acl ), priority=2012 , dnl
-match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
+match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=egress,table=6); };)
 ])
 AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
 table=5 (ls_out_acl ), priority=2003 , dnl
-match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2003 , dnl
-match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
+match=(outport == @pg0 && ip6 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 ])
 AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
 table=5 (ls_out_acl ), priority=2003 , dnl
-match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2003 , dnl
-match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
+match=(outport == @pg0 && ip6 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 ])
 ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject
 AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
 table=5 (ls_out_acl ), priority=2002 , dnl
-match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2002 , dnl
-match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2003 , dnl
-match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
+match=(outport == @pg0 && ip4 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 table=5 (ls_out_acl ), priority=2003 , dnl
-match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
+match=(outport == @pg0 && ip6 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 ])
 AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
 table=5 (ls_out_acl ), priority=2002 , dnl
-match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2002 , dnl
-match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2003 , dnl
-match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
+match=(outport == @pg0 && ip4 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 table=5 (ls_out_acl ), priority=2003 , dnl
-match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
+match=(outport == @pg0 && ip6 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 ])
 ovn-nbctl --wait=sb acl-add pg0 to-lport 1001 "outport == @pg0 && ip" allow-related
 AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
 table=5 (ls_out_acl ), priority=2001 , dnl
-match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl
-action=(reg0[[1]] = 1; next;)
+match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
 table=5 (ls_out_acl ), priority=2001 , dnl
 match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
 table=5 (ls_out_acl ), priority=2002 , dnl
-match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
-action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
+match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), dnl
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 table=5 (ls_out_acl ), priority=2002 , dnl
-match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
-action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2002 , dnl
-match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2002 , dnl
-match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2003 , dnl
-match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
-action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2003 , dnl
-match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
-action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
+match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 table=5 (ls_out_acl ), priority=2003 , dnl
-match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
+match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), dnl
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 table=5 (ls_out_acl ), priority=2003 , dnl
-match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
+match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 ])
 AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
 table=5 (ls_out_acl ), priority=2001 , dnl
-match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl
-action=(reg0[[1]] = 1; next;)
+match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
 table=5 (ls_out_acl ), priority=2001 , dnl
 match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
 table=5 (ls_out_acl ), priority=2002 , dnl
-match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
-action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
+match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), dnl
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 table=5 (ls_out_acl ), priority=2002 , dnl
-match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
-action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2002 , dnl
-match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2002 , dnl
-match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2003 , dnl
-match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
-action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2003 , dnl
-match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
-action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
+match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 table=5 (ls_out_acl ), priority=2003 , dnl
-match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
+match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), dnl
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 table=5 (ls_out_acl ), priority=2003 , dnl
-match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2012 , dnl
-match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
- table=5 (ls_out_acl ), priority=2013 , dnl
-match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
-action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
+match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl
+action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
 ])
 AT_CLEANUP
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 420610f89f..b8e6ea32a8 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -4473,9 +4473,6 @@ ovn-nbctl lsp-add sw0 sw0-p2-rej
 ovn-nbctl lsp-set-addresses sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4"
 ovn-nbctl lsp-set-port-security sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4"
-#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p1\" && tcp && tcp.dst == 80" reject
-#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p2\" && ip6 && tcp && tcp.dst == 80" reject
-
 # Create port group and ACLs for sw0 ports.
 ovn-nbctl pg-add pg0_drop sw0-p1-rej sw0-p2-rej
 ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop
@@ -4638,6 +4635,49 @@ aef0::3 udp port objcall" | uniq | wc -l)
 test $c -eq 1
 ])
+# Delete all the ACLs of pg0 and add the ACL with a generic match with reject action.
+ovn-nbctl pg-del pg0
+ovn-nbctl pg-add pg0 sw0-p1-rej sw0-p2-rej
+ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && (tcp || udp)" reject
+
+OVS_WAIT_UNTIL([
+ ip netns exec sw0-p1-rej nc 10.0.0.4 80 2> r
+ res=$(cat r)
+ echo "result = $res"
+ test "$res" = "Ncat: Connection refused."
+])
+
+OVS_WAIT_UNTIL([
+ ip netns exec sw0-p2-rej nc -6 aef0::3 80 2> r
+ res=$(cat r)
+ test "$res" = "Ncat: Connection refused."
+])
+
+rm -f *.pcap
+
+NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej icmp > sw0-p1-rej-icmp.pcap &], [0])
+
+printf '.%.0s' {1..100} > foo
+OVS_WAIT_UNTIL([
+ ip netns exec sw0-p1-rej nc -u 10.0.0.4 90 < foo
+ c=$(cat sw0-p1-rej-icmp.pcap | grep \
+"10.0.0.4 > 10.0.0.3: ICMP 10.0.0.4 udp port dnsix unreachable" | uniq | wc -l)
+ test $c -eq 1
+])
+
+rm -f *.pcap
+# Now test for IPv6 UDP.
+NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej icmp6 > sw0-p2-rej-icmp6.pcap &], [0])
+
+OVS_WAIT_UNTIL([
+ ip netns exec sw0-p2-rej nc -u -6 aef0::3 90 < foo
+ c=$(cat sw0-p2-rej-icmp6.pcap | grep \
+"IP6 aef0::3 > aef0::4: ICMP6, destination unreachable, unreachable port, \
+aef0::3 udp port dnsix" | uniq | wc -l)
+ test $c -eq 1
+])
+
+
 OVS_APP_EXIT_AND_WAIT([ovn-controller])
 as ovn-sb