From patchwork Fri Sep 16 01:14:59 2022
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1678459
From: Vladislav Odintsov
To: dev@openvswitch.org
Date: Fri, 16 Sep 2022 04:14:59 +0300
Message-Id: <20220916011459.2683707-1-odivlad@gmail.com>
X-Mailer: git-send-email 2.36.1
Cc: Vladislav Odintsov
Subject: [ovs-dev] [PATCH ovn v3] northd: drop traffic to disabled LSPs in ingress pipeline

Prior to this patch, traffic to LSPs which are disabled with
`ovn-nbctl lsp-set-enabled disabled` was dropped at the end of the
lswitch egress pipeline. This means that traffic is processed in vain:

- traffic which should be dropped first travels from one chassis to
  another (if source/dest LSPs reside on different nodes) and is dropped
  on the destination chassis;
- when such traffic reaches the destination chassis, if stateful
  services are enabled within the logical switch, the traffic is first
  sent to conntrack and dropped after that.

So it is costly to drop traffic in this manner, especially when the LSP
is disabled to prevent an attack on the chassis and/or VM by harmful
traffic.

This patch changes the "to-lport" drop behaviour. Now traffic is
dropped in the lswitch ingress pipeline to avoid sending traffic to a
disabled LSP from one chassis to another. Traffic no longer reaches
conntrack in the destination LSP's zone either.

Signed-off-by: Vladislav Odintsov
Acked-by: Mark Michelson
---
v3: Addressed Numan's review comments: turned back drop lflow in egress pipeline
---
 northd/northd.c         |  17 ++--
 northd/ovn-northd.8.xml |  14 ++-
 tests/ovn-northd.at     | 188 +++++++++++++++++++++++++---------------
 3 files changed, 140 insertions(+), 79 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 4a40ec9b0..ef93500c5 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -5478,6 +5478,10 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct hmap *lflows, lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150, ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;", op->key, &op->nbsp->header_); + + ovn_lflow_add_with_lport_and_hint( + lflows, op->od, S_SWITCH_IN_L2_UNKNOWN, 50, ds_cstr(match), + "drop;", op->key, &op->nbsp->header_); return; } @@ -8466,6 +8470,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, * Ethernet address followed by zero or more IPv4 * or IPv6 addresses (or both). */ struct eth_addr mac; + bool lsp_enabled = lsp_is_enabled(op->nbsp); + char *action = lsp_enabled ? "outport = %s; output;" : "drop;"; if (ovs_scan(op->nbsp->addresses[i], ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) { ds_clear(match); @@ -8473,13 +8479,13 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, ETH_ADDR_ARGS(mac)); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, action, op->json_key); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); } else if (!strcmp(op->nbsp->addresses[i], "unknown")) { - if (lsp_is_enabled(op->nbsp)) { + if (lsp_enabled) { ovs_mutex_lock(&mcgroup_mutex); ovn_multicast_add(mcgroups, &mc_unknown, op); ovs_mutex_unlock(&mcgroup_mutex); @@ -8496,7 +8502,7 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, ETH_ADDR_ARGS(mac)); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, action, op->json_key); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), @@ -8544,7 +8550,7 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, } ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, action, op->json_key); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), 
@@ -8567,8 +8573,7 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, nat->logical_port); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", - op->json_key); + ds_put_format(actions, action, op->json_key); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index f4eceb0ec..fc9b2e222 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -1737,8 +1737,9 @@ output;
  • One priority-50 flow that matches each known Ethernet address against - eth.dst and outputs the packet to the single associated - output port. + eth.dst. Action of this flow outputs the packet to the + single associated output port if it is enabled. drop; + action is applied if LSP is disabled.

    @@ -1814,6 +1815,13 @@ output;

      +
    • +

      + Priority 50 flow with the match outport == P + is added for each disabled Logical Switch Port P. This + flow has action drop;. +

      +
    • If the logical switch has logical ports with 'unknown' addresses set, @@ -1822,7 +1830,7 @@ output;

      • - Priority 50 flow with the match outport == none then + Priority 50 flow with the match outport == "none" then outputs them to the MC_UNKNOWN multicast group, which ovn-northd populates with all enabled logical ports that accept unknown destination packets. As a small optimization, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index d5136ac6d..66cbbc3c6 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -5461,7 +5461,7 @@ AT_CHECK([ovn-sbctl --columns=tags list logical_flow | grep lsp0 -c], [0], [dnl check ovn-nbctl set logical_switch_port lsp0 enabled=false check ovn-nbctl --wait=sb sync AT_CHECK([ovn-sbctl --columns=tags list logical_flow | grep lsp0 -c], [0], [dnl -3 +4 ]) AT_CLEANUP 
@@ -7425,16 +7425,22 @@ check ovn-nbctl --wait=sb ls-add sw0 ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + 
table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 "00:00:00:00:00:01" 
@@ -7444,16 +7450,24 @@ check ovn-nbctl --wait=sb lsp-add sw0 localnetport -- lsp-set-type localnetport ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup 
), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3 1000::3" 
@@ -7462,16 +7476,24 @@ check ovn-nbctl --wait=sb lsp-set-port-security sw0p2 "00:00:00:00:00:02 10.0.0. ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup 
), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) # Disable sw0p1 
@@ -7480,37 +7502,55 @@ check ovn-nbctl --wait=sb set logical_switch_port sw0p1 enabled=false ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(drop;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), 
action=(drop;) ]) check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(drop;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) + 
table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl set logical_switch_port sw0p1 enabled=true 
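Review bot: the expectations added for the disabled-port case exercise only the static-address path (`eth.dst == 00:00:00:00:00:01` now yields `drop;`) and the new `outport == "sw0p1"` flow in `ls_in_l2_unknown`; the other `ds_put_format(actions, action, ...)` sites changed in `build_lswitch_ip_unicast_lookup` (the dynamic-address case and the router-peer/NAT-address case in the later hunks of that function) are not covered, so a disabled port carrying dynamic or NAT addresses is verified only by inspection. One additional check for a disabled port with dynamic addresses, or a disabled router-type port whose peer router has a NAT entry, would close that gap. It is good that the `ls_out_check_port_sec` priority-150 flow for `sw0p1` still appears in the expected output, as that documents that the egress drop is retained rather than replaced.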
@@ -7519,20 +7559,28 @@ check ovn-nbctl --wait=sb lsp-set-options localnetport qdisc_queue_id=10 ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + 
table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) AT_CLEANUP
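Review bot: in the `build_lswitch_port_sec_op` hunk (`@@ -5478`), the new priority-50 `S_SWITCH_IN_L2_UNKNOWN` flow deserves a one-line comment stating what it catches that the `drop;` in `ls_in_l2_lkup` cannot: a frame whose `eth.dst` is not one of the port's configured addresses but whose `outport` was set by the priority-0 `outport = get_fdb(eth.dst); next;` flow, i.e. an FDB-learned MAC. Without that comment the flow reads as redundant next to the L2 lookup change and a later cleanup might remove it. Keeping the existing priority-150 `REGBIT_PORT_SEC_DROP` egress flow next to it, as v3 does, is the right call: any path that ends with `outport == P` without passing through these two ingress stages still terminates in a drop.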
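Review bot: in the `build_lswitch_ip_unicast_lookup` hunk (`@@ -8466`), `char *action` points at string literals and should be `const char *`; more importantly, `ds_put_format(actions, action, op->json_key)` now passes a non-literal format string to a function declared with a printf format attribute, which `-Wformat-nonliteral` flags, and when `action` is `"drop;"` the trailing `op->json_key` argument is silently unused, which is legal but easy to misread as a bug. Both `lsp_enabled` and `action` depend only on `op`, so they can be hoisted out of the per-address loop; alternatively branch explicitly, e.g. `if (lsp_enabled) { ds_put_format(actions, "outport = %s; output;", op->json_key); } else { ds_put_cstr(actions, "drop;"); }`, which keeps the literal format string and makes the intent obvious at every call site.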
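Review bot: in the `ovn-northd.8.xml` hunk (`@@ -1737`), the replacement sentence "Action of this flow outputs the packet to the single associated output port if it is enabled. drop; action is applied if LSP is disabled." reads awkwardly and leaves "it" ambiguous; suggest "against eth.dst and outputs the packet to the single associated output port if that port is enabled, or drops it (drop;) if the port is disabled." The new bullet in `@@ -1814` for the `outport == P` flow in the L2 unknown table is consistent with the code, and the quoting fix `outport == "none"` in `@@ -1822` matches the flow the tests now print.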
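As an added verification example (my code, not part of the patch or of OVN's own tooling): a small parser over the text that `ovn-sbctl dump-flows <switch>` prints, in the layout the test expectations above quote, which reports for one disabled port whether the two ingress drop points this patch introduces and the retained egress drop are present, and whether any ingress flow still forwards to the port. The two sample dumps are constructed from the test expectations; the table numbers in them are placeholders and only the stage names matter.

```python
import re

# One line of `ovn-sbctl dump-flows` output, in the layout the patch's tests
# quote: table=NN(stage  ), priority=P  , match=(...), action=(...)
FLOW_RE = re.compile(
    r"table=(?P<table>\d+)\s*\((?P<stage>\w+)\s*\),\s*priority=(?P<prio>\d+)\s*,"
    r"\s*match=\((?P<match>.*)\),\s*action=\((?P<action>.*)\)\s*$"
)

# Constructed sample: the flows the patched northd emits for switch sw0 after
# `ovn-nbctl set logical_switch_port sw0p1 enabled=false` (taken from the
# test expectations; table numbers are placeholders, only stage names matter).
SAMPLE_PATCHED = """\
  table=0 (ls_in_check_port_sec), priority=100  , match=(inport == "sw0p1"), action=(reg0[15] = 1; next;)
  table=26(ls_in_l2_lkup      ), priority=110  , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);)
  table=26(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:01), action=(drop;)
  table=26(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;)
  table=27(ls_in_l2_unknown   ), priority=50   , match=(outport == "none"), action=(drop;)
  table=27(ls_in_l2_unknown   ), priority=50   , match=(outport == "sw0p1"), action=(drop;)
  table=8 (ls_out_check_port_sec), priority=150  , match=(outport == "sw0p1"), action=(reg0[15] = 1; next;)
  table=9 (ls_out_apply_port_sec), priority=50   , match=(reg0[15] == 1), action=(drop;)
"""

# Constructed sample of the pre-patch behaviour: sw0p1 is disabled, but the
# ingress pipeline still forwards to it and only the egress stage drops.
SAMPLE_UNPATCHED = """\
  table=26(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;)
  table=8 (ls_out_check_port_sec), priority=150  , match=(outport == "sw0p1"), action=(reg0[15] = 1; next;)
  table=9 (ls_out_apply_port_sec), priority=50   , match=(reg0[15] == 1), action=(drop;)
"""


def parse_flows(dump_text):
    """Return (stage, priority, match, action) tuples for each flow line."""
    flows = []
    for line in dump_text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["stage"], int(m["prio"]), m["match"], m["action"]))
    return flows


def audit_port(flows, port, mac):
    """Report where frames destined to logical port `port` (MAC `mac`) stop."""
    quoted = '"%s"' % port
    report = {
        "ingress_l2_lkup": False,     # eth.dst == mac -> drop; (this patch)
        "ingress_l2_unknown": False,  # outport == port -> drop; (this patch)
        "egress_port_sec": False,     # outport == port -> reg0[15] = 1 (kept)
        "still_forwarded": False,     # an ingress flow still outputs to port
    }
    for stage, prio, match, action in flows:
        action = action.strip()
        if stage == "ls_in_l2_lkup" and match == "eth.dst == %s" % mac:
            if action == "drop;":
                report["ingress_l2_lkup"] = True
            elif "outport = %s;" % quoted in action:
                report["still_forwarded"] = True
        elif stage == "ls_in_l2_unknown" and match == "outport == %s" % quoted:
            report["ingress_l2_unknown"] = action == "drop;"
        elif (stage == "ls_out_check_port_sec" and prio == 150
              and match == "outport == %s" % quoted
              and action.startswith("reg0[15] = 1;")):
            report["egress_port_sec"] = True
    return report


def dropped_in_ingress(report):
    """True when a disabled port's traffic never leaves the ingress pipeline."""
    return (report["ingress_l2_lkup"] and report["ingress_l2_unknown"]
            and not report["still_forwarded"])


if __name__ == "__main__":
    for name, dump in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        rep = audit_port(parse_flows(dump), "sw0p1", "00:00:00:00:00:01")
        print(name, rep, "ingress drop:", dropped_in_ingress(rep))
```

Against a live deployment, feed it the output of `ovn-sbctl dump-flows <switch>` and the port's address from `ovn-nbctl lsp-get-addresses`; a port that is disabled in the northbound DB but still reports `still_forwarded` is running a northd without this change.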