From patchwork Tue Mar 21 17:59:08 2023
X-Patchwork-Submitter: Mark Michelson
X-Patchwork-Id: 1759537
From: Mark Michelson
To: dev@openvswitch.org
Date: Tue, 21 Mar 2023 13:59:08 -0400
Message-Id: <20230321175909.3794119-3-mmichels@redhat.com>
In-Reply-To: <20230321175909.3794119-1-mmichels@redhat.com>
References: <20230321175909.3794119-1-mmichels@redhat.com>
Subject: [ovs-dev] [PATCH ovn 3/4] ovn-nbctl: Add tier ACL options.

This modifies the acl-add and acl-del commands so that an ACL tier can be specified when adding or deleting ACLs. For acl-add, if the tier is specified, then the ACL created by the command will have that tier set. For acl-del, if the tier is specified, then the tier will be one of the criteria used when deciding which ACLs to delete. Because the tier is not any more or less specific than the other criteria used for deleting ACLs, a bitmap approach is used to determine the final set of ACLs that should be deleted.
Signed-off-by: Mark Michelson --- tests/ovn-nbctl.at | 81 ++++++++++++++++++++++++++ utilities/ovn-nbctl.c | 131 +++++++++++++++++++++++++++++------------- 2 files changed, 172 insertions(+), 40 deletions(-) diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 2fffe1850..d21554f2b 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at 
@@ -2590,6 +2590,87 @@ ovn-nbctl: no row "foo1" in table Logical_Switch dnl --------------------------------------------------------------------- +OVN_NBCTL_TEST([acl_tiers], [ACL tier operations], [ +check ovn-nbctl ls-add ls +#check ovn-nbctl acl-add ls from-lport 1000 "ip" drop +#check_column 0 nb:ACL tier priority=1000 +# +#check ovn-nbctl acl-del ls +check ovn-nbctl --tier=3 acl-add ls from-lport 1000 "ip" drop +check_column 3 nb:ACL tier priority=1000 + +check ovn-nbctl --tier=3 acl-add ls from-lport 1001 "ip" drop +check_column 3 nb:ACL tier priority=1001 + +check ovn-nbctl --tier=2 acl-add ls from-lport 1002 "ip" drop +check_column 2 nb:ACL tier priority=1002 + +# Removing the tier 3 acls from ls should result in 1 ACL +# remaining. +check ovn-nbctl --tier=3 acl-del ls +check_row_count nb:ACL 1 +check_column 2 nb:ACL tier priority=1002 + +# Add two egress ACLs at tier 2. +check ovn-nbctl --tier=2 acl-add ls to-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls to-lport 1001 "ip" drop + +check_row_count nb:ACL 3 tier=2 + +# This should remove the egress tier 2 ACLs and leave the +# ingress tier 2 ACL +check ovn-nbctl --tier=2 acl-del ls to-lport +check_row_count nb:ACL 1 +check_column 2 nb:ACL tier priority=1002 +check_column from-lport nb:ACL direction priority=1002 + +# Re-add two ingress ACLs at tier 2. +check ovn-nbctl --tier=2 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls from-lport 1001 "ip" drop + +check_row_count nb:ACL 3 + +# Attempt to remove all tier 3 ACLs. All three ACLs are tier 2 +# so this shouldn't have any effect. +check ovn-nbctl --tier=3 acl-del ls +check_row_count nb:ACL 3 + +# Attempt to remove all ingress tier 3 ACLs. All three ACLs are tier +# 2, so this shouldn't have any effect. +check ovn-nbctl --tier=3 acl-del ls from-lport +check_row_count nb:ACL 3 + +# Attempt to remove the 1000 priority ACL but specify tier 3. Since +# all ACLs are tier 2, this should have no effect. 
+check ovn-nbctl --tier=3 acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 3 + +# Specifying the proper tier should result in all ACLs being deleted. +check ovn-nbctl --tier=2 acl-del ls +check_row_count nb:ACL 0 + +# Now let's experiment with identical ACLs at different tiers. +check ovn-nbctl --tier=1 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=3 acl-add ls from-lport 1000 "ip" drop +check_row_count nb:ACL 3 +check_row_count nb:ACL 1 tier=1 +check_row_count nb:ACL 1 tier=2 +check_row_count nb:ACL 1 tier=3 + +# Specifying tier 1 should result in only one ACL being deleted. +check ovn-nbctl --tier=1 acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 2 +check_row_count nb:ACL 1 tier=2 +check_row_count nb:ACL 1 tier=3 + +# Not specifying a tier should result in all ACLs being deleted. +check ovn-nbctl acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 0 +]) + +dnl --------------------------------------------------------------------- + AT_SETUP([ovn-nbctl - daemon retry connection]) OVN_NBCTL_TEST_START daemon AT_CHECK([kill `cat ovsdb-server.pid`]) diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 45572fd30..d41ff9ad1 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -48,6 +48,7 @@ #include "unixctl.h" #include "util.h" #include "openvswitch/vlog.h" +#include "bitmap.h" VLOG_DEFINE_THIS_MODULE(nbctl); @@ -2100,6 +2101,8 @@ acl_cmp(const void *acl1_, const void *acl2_) return after_lb2 ? -1 : 1; } else if (acl1->priority != acl2->priority) { return acl1->priority > acl2->priority ? -1 : 1; + } else if (acl1->tier != acl2->tier) { + return acl1->tier > acl2->tier ? -1 : 1; } else { return strcmp(acl1->match, acl2->match); } 
@@ -2283,6 +2286,7 @@ nbctl_pre_acl(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_priority); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_match); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_tier); } static void @@ -2390,6 +2394,16 @@ nbctl_acl_add(struct ctl_context *ctx) nbrec_acl_set_options(acl, &options); } + const char *tier_s = shash_find_data(&ctx->options, "--tier"); + if (tier_s) { + int64_t tier; + if (!str_to_long(tier_s, 10, &tier)) { + ctl_error(ctx, "Invalid tier %s", tier_s); + return; + } + nbrec_acl_set_tier(acl, tier); + } + /* Check if same acl already exists for the ls/portgroup */ size_t n_acls = pg ? pg->n_acls : ls->n_acls; struct nbrec_acl **acls = pg ? pg->acls : ls->acls; @@ -2418,6 +2432,10 @@ nbctl_acl_del(struct ctl_context *ctx) { const struct nbrec_logical_switch *ls = NULL; const struct nbrec_port_group *pg = NULL; + const char *tier_s = shash_find_data(&ctx->options, "--tier"); + int64_t tier; + unsigned long *bitmaps[3]; + size_t n_bitmaps = 0; char *error = acl_cmd_get_pg_or_ls(ctx, &ls, &pg); if (error) { @@ -2425,8 +2443,13 @@ nbctl_acl_del(struct ctl_context *ctx) return; } - if (ctx->argc == 2) { - /* If direction, priority, and match are not specified, delete + if (tier_s && !str_to_long(tier_s, 10, &tier)) { + ctl_error(ctx, "Invalid tier %s", tier_s); + return; + } + + if (ctx->argc == 2 && !tier_s) { + /* If direction, priority, tier, and match are not specified, delete * all ACLs. */ if (pg) { nbrec_port_group_verify_acls(pg); 
@@ -2438,55 +2461,83 @@ nbctl_acl_del(struct ctl_context *ctx) return; } - const char *direction; - error = parse_direction(ctx->argv[2], &direction); - if (error) { - ctx->error = error; - return; - } - size_t n_acls = pg ? pg->n_acls : ls->n_acls; struct nbrec_acl **acls = pg ? pg->acls : ls->acls; - /* If priority and match are not specified, delete all ACLs with the - * specified direction. */ - if (ctx->argc == 3) { + + if (tier_s) { + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); for (size_t i = 0; i < n_acls; i++) { - if (!strcmp(direction, acls[i]->direction)) { - if (pg) { - nbrec_port_group_update_acls_delvalue(pg, acls[i]); - } else { - nbrec_logical_switch_update_acls_delvalue(ls, acls[i]); - } + if (acls[i]->tier == tier) { + bitmap_set1(bitmaps[n_bitmaps], i); } } - return; + n_bitmaps++; } - int64_t priority; - error = parse_priority(ctx->argv[3], &priority); - if (error) { - ctx->error = error; - return; - } + if (ctx->argc >= 3) { + const char *direction; + error = parse_direction(ctx->argv[2], &direction); + if (error) { + ctx->error = error; + goto cleanup; + } - if (ctx->argc == 4) { - ctl_error(ctx, "cannot specify priority without match"); - return; + /* If priority and match are not specified, delete all ACLs with the + * specified direction. */ + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); + for (size_t i = 0; i < n_acls; i++) { + if (!strcmp(direction, acls[i]->direction)) { + bitmap_set1(bitmaps[n_bitmaps], i); + } + } + n_bitmaps++; } - /* Remove the matching rule. 
*/ - for (size_t i = 0; i < n_acls; i++) { - struct nbrec_acl *acl = acls[i]; + if (ctx->argc >= 4) { + int64_t priority; + error = parse_priority(ctx->argv[3], &priority); + if (error) { + ctx->error = error; + goto cleanup; + } - if (priority == acl->priority && !strcmp(ctx->argv[4], acl->match) && - !strcmp(direction, acl->direction)) { - if (pg) { - nbrec_port_group_update_acls_delvalue(pg, acl); - } else { - nbrec_logical_switch_update_acls_delvalue(ls, acl); + if (ctx->argc == 4) { + ctl_error(ctx, "cannot specify priority without match"); + goto cleanup; + } + + /* Remove the matching rule. */ + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); + for (size_t i = 0; i < n_acls; i++) { + struct nbrec_acl *acl = acls[i]; + + if (priority == acl->priority && + !strcmp(ctx->argv[4], acl->match)) { + bitmap_set1(bitmaps[n_bitmaps], i); } - return; } + n_bitmaps++; + } + + unsigned long *bitmap_result = bitmap_allocate1(n_acls); + for (size_t i = 0; i < n_bitmaps; i++) { + bitmap_result = bitmap_and(bitmap_result, bitmaps[i], n_acls); + } + + size_t index; + BITMAP_FOR_EACH_1 (index, n_acls, bitmap_result) { + if (pg) { + nbrec_port_group_update_acls_delvalue(pg, acls[index]); + } else { + nbrec_logical_switch_update_acls_delvalue(ls, acls[index]); + } + } + + free(bitmap_result); + +cleanup: + for (size_t i = 0; i < n_bitmaps; i++) { + free(bitmaps[i]); } } @@ -7658,9 +7709,9 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", nbctl_pre_acl, nbctl_acl_add, NULL, "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=," - "--apply-after-lb", RW }, + "--apply-after-lb,--tier=", RW }, { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", - nbctl_pre_acl, nbctl_acl_del, NULL, "--type=", RW }, + nbctl_pre_acl, nbctl_acl_del, NULL, "--type=,--tier=", RW }, { "acl-list", 1, 1, "{SWITCH | PORTGROUP}", nbctl_pre_acl_list, nbctl_acl_list, NULL, "--type=", RO },
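Review bot: the four commented-out lines at the top of the new acl_tiers test (`#check ovn-nbctl acl-add ls from-lport 1000 "ip" drop`, `#check_column 0 nb:ACL tier priority=1000`, `#`, `#check ovn-nbctl acl-del ls`) read as leftover scaffolding; either drop them or restore them, since they are the only check that an ACL added without --tier lands at tier 0, which is the default behaviour this patch must not break. Two further gaps in the test: nothing exercises the "Invalid tier" error path (e.g. `--tier=abc`) or pins down what a negative tier does, and every case runs against a logical switch, so the port-group branch of nbctl_acl_del (`nbrec_port_group_update_acls_delvalue`) never executes with the new bitmap code.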
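Review bot: the new comparison in acl_cmp orders same-priority ACLs with the highest tier first, mirroring the priority ordering, but nothing in the hunk says whether that is meant to reflect the order in which tiers are evaluated; a one-line comment above `} else if (acl1->tier != acl2->tier) {` stating the intended sort order would save the next reader from guessing, and if this comparator also drives acl-list output, a test of acl-list with mixed tiers would lock the order in.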
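Review bot: in nbctl_acl_add, `str_to_long(tier_s, 10, &tier)` is handed `&tier` where `tier` is an `int64_t`; str_to_long takes a `long *`, which only lines up on LP64 targets and breaks an LLP64 (Windows) build. Use str_to_llong with a `long long`, or ovs_scan with `%"SCNd64`, and reject negative or out-of-range values up front with ctl_error rather than letting the transaction fail later. The identical parse-and-error block appears again in nbctl_acl_del, so a small `parse_tier()` helper alongside parse_priority() would remove the duplication and keep the two error messages in sync.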
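Review bot: `unsigned long *bitmaps[3];` hard-codes the number of filter passes with no comment tying it to the three criteria (tier, direction, priority+match) assembled below, so adding a fourth criterion later would silently overrun the array; either a named constant with a comment at the declaration, or an `ovs_assert(n_bitmaps < ARRAY_SIZE(bitmaps))` before each `bitmaps[n_bitmaps] = bitmap_allocate(n_acls);`, would make the invariant explicit. `int64_t tier;` is also declared uninitialized and relies on every use being guarded by `tier_s`, which holds today but is easy to break in a later edit.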
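Review bot: the three allocate-then-AND passes in the rewritten nbctl_acl_del can be collapsed into a single mask: allocate `bitmap_allocate1(n_acls)` once and `bitmap_set0()` the index of any ACL that fails a criterion in each pass. That removes `bitmaps[]`, `n_bitmaps`, the `bitmap_and` loop (where the `bitmap_result =` reassignment is redundant anyway, since bitmap_and returns its first argument) and the `cleanup:` label, leaving one free at the end. Please also confirm that bitmap_allocate1() is well-defined for n_acls == 0, which this path now reaches when --tier is given for a switch or port group with no ACLs. Finally, the old code did `return;` after deleting the first priority/match hit, whereas the new BITMAP_FOR_EACH_1 loop deletes every ACL that satisfies the criteria; the "Not specifying a tier should result in all ACLs being deleted" test depends on that, so the commit message should call the behaviour change out explicitly.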
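Review bot: `--tier=` is added to the option strings of acl-add and acl-del in nbctl_commands[], but the diffstat touches only tests/ovn-nbctl.at and utilities/ovn-nbctl.c, so the man page (utilities/ovn-nbctl.8.xml) does not describe the new option. Document it for acl-add (sets the created ACL's tier, with the default when omitted) and for acl-del (an additional filter that is ANDed with DIRECTION, PRIORITY and MATCH, and on its own deletes every ACL of that tier). A NEWS entry is probably warranted as well, given that acl-del's matching semantics change.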