[ovs-dev,07/13] tests: Use fmt_pkt in portsecurity : 3 HVs, 1 LS, 3 lports/HV.

Message ID	20231010203400.1045353-8-mmichels@redhat.com
State	Changes Requested
Headers	show Return-Path: <ovs-dev-bounces@openvswitch.org> From: Mark Michelson <mmichels@redhat.com> To: dev@openvswitch.org Date: Tue, 10 Oct 2023 16:33:53 -0400 Message-Id: <20231010203400.1045353-8-mmichels@redhat.com> In-Reply-To: <20231010203400.1045353-1-mmichels@redhat.com> References: <20231010203400.1045353-1-mmichels@redhat.com> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn 07/13] tests: Use fmt_pkt in portsecurity : 3 HVs, 1 LS, 3 lports/HV. Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" <ovs-dev-bounces@openvswitch.org>
Series	tests: Convert some tests to use fmt_pkt. \| expand [ovs-dev,00/13] tests: Convert some tests to use fmt_pkt. [ovs-dev,01/13] tests: Use fmt_pkt in ovn -- allows ACLs to match ... [ovs-dev,02/13] tests: Use fmt_pkt in 3 HVs, 1 LS, 3 lports/HV. [ovs-dev,03/13] tests: Use fmt_pkt in VLAN transparency, ... [ovs-dev,04/13] tests: Use fmt_pkt in VLAN transparency, ... [ovs-dev,05/13] tests: Use fmt_pkt in vtep: 3 HVs, 1 VIFs/HV, 1 GW, 1 LS. [ovs-dev,06/13] tests: Use fmt_pkt in 3 HVs, 3 LS, 3 lports/LS. [ovs-dev,07/13] tests: Use fmt_pkt in portsecurity : 3 HVs, 1 LS, 3 lports/HV. [ovs-dev,08/13] tests: Use fmt_pkt in 1 HV, 1 LS, 2 lport/LS, 1 LR. [ovs-dev,09/13] tests: Use fmt_pkt in 1 HV, 2 LSs, 1 lport/LS, 1 LR. [ovs-dev,10/13] tests: Use fmt_pkt in 2 HVs, 3 LS, 1 lport/LS, ... [ovs-dev,11/13] tests: Use fmt_pkt in 2 HVs, 3 LRs connected via LS, static routes. [ovs-dev,12/13] tests: Use fmt_pkt in 2 HVs, 2 LRs connected via LS, gateway router. [ovs-dev,13/13] tests: Use fmt_pkt in icmp_reply: 1 HVs, 2 LSs, 1 lport/LS, 1 LR.

Context	Check	Description
ovsrobot/apply-robot	success	apply and check: success
ovsrobot/github-robot-_Build_and_Test	fail	github build: failed
ovsrobot/github-robot-_ovn-kubernetes	fail	github build: failed

diff --git a/tests/ovn.at b/tests/ovn.at index 1ab98eb80..304d9623e 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -5497,9 +5497,10 @@ done # be received. INPORT and the OUTPORTs are specified as logical switch # port numbers, e.g. 11 for vif11. test_ip() { - # This packet has bad checksums but logical L3 routing doesn't check. local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 - local packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}${dst_ip}0035111100080000 + local packet=$(fmt_pkt "Ether(dst='${dst_mac}', src='${src_mac}')/ \ + IP(src='${src_ip}', dst='${dst_ip}')/ \ + UDP(sport=53, dport=4369)") shift; shift; shift; shift; shift hv=`vif_to_hv $inport` as $hv ovs-appctl netdev-dummy/receive vif$inport $packet @@ -5520,7 +5521,8 @@ test_ip() { # SPA and TPA are each 8 hex digits. test_arp() { local inport=$1 smac=$2 sha=$3 spa=$4 tpa=$5 drop=$6 reply_ha=$7 - local request=ffffffffffff${smac}08060001080006040001${sha}${spa}ffffffffffff${tpa} + local request=$(fmt_pkt "Ether(dst='ff:ff:ff:ff:ff:ff', src='${smac}')/ \ + ARP(hwsrc='${sha}', hwdst='ff:ff:ff:ff:ff:ff', psrc='${spa}', pdst='${tpa}')") hv=`vif_to_hv $inport` as $hv ovs-appctl netdev-dummy/receive vif$inport $request if test $drop != 1; then @@ -5537,7 +5539,8 @@ test_arp() { done else # Expect to receive the reply, if any. - local reply=${smac}${reply_ha}08060001080006040002${reply_ha}${tpa}${sha}${spa} + local reply=$(fmt_pkt "Ether(dst='${smac}', src='${reply_ha}')/ \ + ARP(op=2, hwsrc='${reply_ha}', hwdst='${sha}', psrc='${tpa}', pdst='${spa}')") echo $reply >> $inport.expected fi fi @@ -5548,7 +5551,8 @@ test_arp() { # ipv6 packet test_ipv6() { local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 - local packet=${dst_mac}${src_mac}86dd6000000000083aff${src_ip}${dst_ip}0000000000000000 + local packet=$(fmt_pkt "Ether(dst='${dst_mac}', src='${src_mac}')/ \ + IPv6(src='${src_ip}', dst='${dst_ip}')") shift; shift; shift; shift; shift hv=`vif_to_hv $inport` as $hv ovs-appctl netdev-dummy/receive vif$inport $packet @@ -5557,12 +5561,14 @@ test_ipv6() { done } -# test_icmpv6 INPORT SRC_MAC DST_MAC SRC_IP DST_IP ICMP_TYPE OUTPORT... -# This function is similar to test_ipv6() except it specifies the ICMPv6 type +# test_icmpv6 INPORT SRC_MAC DST_MAC SRC_IP DST_IP ICMPV6 OUTPORT... +# This function is similar to test_ipv6() except it specifies the ICMPv6 sub-packet # of the test packet test_icmpv6() { - local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 icmp_type=$6 - local packet=${dst_mac}${src_mac}86dd6000000000083aff${src_ip}${dst_ip}${icmp_type}00000000000000 + local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 icmpv6=$6 + local packet=$(fmt_pkt "Ether(dst='${dst_mac}', src='${src_mac}')/ \ + IPv6(src='${src_ip}', dst='${dst_ip}')/ \ + ${icmpv6}") shift; shift; shift; shift; shift; shift hv=`vif_to_hv $inport` as $hv ovs-appctl netdev-dummy/receive vif$inport $packet @@ -5572,226 +5578,226 @@ test_icmpv6() { } # no port security -sip=`ip_to_hex 192 168 0 12` -tip=`ip_to_hex 192 168 0 13` +sip=192.168.0.12 +tip=192.168.0.13 # the arp packet should be allowed even if lp[123]1 is -# not configured with mac f00000000023 and ip 192.168.0.12 +# not configured with mac f0:00:00:00:00:23 and ip 192.168.0.12 for i in 1 2 3; do - test_arp ${i}1 f00000000023 f00000000023 $sip $tip 0 f00000000013 + test_arp ${i}1 f0:00:00:00:00:23 f0:00:00:00:00:23 $sip $tip 0 f0:00:00:00:00:13 for j in 1 2 3; do if test $i != $j; then - test_ip ${i}1 f000000000${i}1 f000000000${j}1 $sip $tip ${j}1 + test_ip ${i}1 f0:00:00:00:00:${i}1 f0:00:00:00:00:${j}1 $sip $tip ${j}1 fi done done # l2 port security -sip=`ip_to_hex 192 168 0 12` -tip=`ip_to_hex 192 168 0 13` +sip=192.168.0.12 +tip=192.168.0.13 # arp packet should be allowed since lp22 is configured with -# mac f00000000022 -test_arp 22 f00000000022 f00000000022 $sip $tip 0 f00000000013 +# mac f0:00:00:00:00:22 +test_arp 22 f0:00:00:00:00:22 f0:00:00:00:00:22 $sip $tip 0 f0:00:00:00:00:13 # arp packet should not be allowed since lp32 is not configured with -# mac f00000000021 -test_arp 32 f00000000021 f00000000021 $sip $tip 1 +# mac f0:00:00:00:00:21 +test_arp 32 f0:00:00:00:00:21 f0:00:00:00:00:21 $sip $tip 1 -# arp packet with sha set to f00000000021 should not be allowed +# arp packet with sha set to f0:00:00:00:00:21 should not be allowed # for lp12 -test_arp 12 f00000000012 f00000000021 $sip $tip 1 +test_arp 12 f0:00:00:00:00:12 f0:00:00:00:00:21 $sip $tip 1 # ip packets should be allowed and received since lp[123]2 do not # have l3 port security -sip=`ip_to_hex 192 168 0 55` -tip=`ip_to_hex 192 168 0 66` +sip=192.168.0.55 +tip=192.168.0.66 for i in 1 2 3; do for j in 1 2 3; do if test $i != $j; then - test_ip ${i}2 f000000000${i}2 f000000000${j}2 $sip $tip ${j}2 + test_ip ${i}2 f0:00:00:00:00:${i}2 f0:00:00:00:00:${j}2 $sip $tip ${j}2 fi done done # ipv6 packets should be received by lp[123]2 # lp[123]1 can send ipv6 traffic as there is no port security -sip=fe800000000000000000000000000000 -tip=ff020000000000000000000000000000 +sip=fe80:: +tip=ff02:: for i in 1 2 3; do - test_ipv6 ${i}1 f000000000${i}1 f000000000${i}2 $sip $tip ${i}2 + test_ipv6 ${i}1 f0:00:00:00:00:${i}1 f0:00:00:00:00:${i}2 $sip $tip ${i}2 done # l2 and l3 port security -sip=`ip_to_hex 192 168 0 13` -tip=`ip_to_hex 192 168 0 22` +sip=192.168.0.13 +tip=192.168.0.22 # arp packet should be allowed since lp13 is configured with -# f00000000013 and 192.168.0.13 -test_arp 13 f00000000013 f00000000013 $sip $tip 0 f00000000022 +# f0:00:00:00:00:13 and 192.168.0.13 +test_arp 13 f0:00:00:00:00:13 f0:00:00:00:00:13 $sip $tip 0 f0:00:00:00:00:22 # the arp packet should be dropped because lp23 is not configured -# with mac f00000000022 -sip=`ip_to_hex 192 168 0 13` -tip=`ip_to_hex 192 168 0 22` -test_arp 23 f00000000022 f00000000022 $sip $tip 1 +# with mac f0:00:00:00:00:22 +sip=192.168.0.13 +tip=192.168.0.22 +test_arp 23 f0:00:00:00:00:22 f0:00:00:00:00:22 $sip $tip 1 # the arp packet should be dropped because lp33 is not configured # with ip 192.168.0.55 -spa=`ip_to_hex 192 168 0 55` -tpa=`ip_to_hex 192 168 0 22` -test_arp 33 f00000000031 f00000000031 $spa $tpa 1 +spa=192.168.0.55 +tpa=192.168.0.22 +test_arp 33 f0:00:00:00:00:31 f0:00:00:00:00:31 $spa $tpa 1 # ip packets should not be received by lp[123]3 since # l3 port security is enabled -sip=`ip_to_hex 192 168 0 55` -tip=`ip_to_hex 192 168 0 66` +sip=192.168.0.55 +tip=192.168.0.66 for i in 1 2 3; do for j in 1 2 3; do - test_ip ${i}2 f000000000${i}2 f000000000${j}3 $sip $tip + test_ip ${i}2 f0:00:00:00:00:${i}2 f0:00:00:00:00:${j}3 $sip $tip done done # ipv6 packets should be dropped for lp[123]3 since # it is configured with only ipv4 address -sip=fe800000000000000000000000000000 -tip=ff020000000000000000000000000000 +sip=fe80:: +tip=ff02:: for i in 1 2 3; do - test_ipv6 ${i}3 f000000000${i}3 f00000000022 $sip $tip + test_ipv6 ${i}3 f0:00:00:00:00:${i}3 f0:00:00:00:00:22 $sip $tip done -# ipv6 packets should not be received by lp[123]3 with mac f000000000$[123]3 +# ipv6 packets should not be received by lp[123]3 with mac f0:00:00:00:00:$[123]3 # lp[123]1 can send ipv6 traffic as there is no port security for i in 1 2 3; do - test_ipv6 ${i}1 f000000000${i}1 f000000000${i}3 $sip $tip + test_ipv6 ${i}1 f0:00:00:00:00:${i}1 f0:00:00:00:00:${i}3 $sip $tip done # lp13 has extra port security with mac f0000000113 and ipv6 addr # fe80::ea2a:eaff:fe28:0012 and 4242::0013 # ipv4 packet should be dropped for lp13 with mac f0000000113 -sip=`ip_to_hex 192 168 0 13` -tip=`ip_to_hex 192 168 0 23` -test_ip 13 f00000000113 f00000000023 $sip $tip +sip=192.168.0.13 +tip=192.168.0.23 +test_ip 13 f0:00:00:00:01:13 f0:00:00:00:00:23 $sip $tip -# ipv6 packet should be received by lp[123]3 with mac f00000000${i}${i}3 +# ipv6 packet should be received by lp[123]3 with mac f0:00:00:00:0${i}:${i}3 # and ip6.dst as fe80::ea2a:eaff:fe28:0${i}${i}3. # lp11 can send ipv6 traffic as there is no port security -sip=ee800000000000000000000000000000 +sip=ee80:: for i in 1 2 3; do - tip=fe80000000000000ea2aeafffe2800${i}3 - test_ipv6 11 f00000000011 f00000000${i}${i}3 $sip $tip ${i}3 - tip=424200000000000000000000000000${i}3 - test_ipv6 11 f00000000011 f00000000${i}${i}3 $sip $tip ${i}3 + tip=fe80::ea2a:eaff:fe28:00${i}3 + test_ipv6 11 f0:00:00:00:00:11 f0:00:00:00:0${i}:${i}3 $sip $tip ${i}3 + tip=4242::${i}3 + test_ipv6 11 f0:00:00:00:00:11 f0:00:00:00:0${i}:${i}3 $sip $tip ${i}3 done -# ipv6 packet should not be received by lp33 with mac f0000000333 +# ipv6 packet should not be received by lp33 with mac f0:00:00:00:03:33 # and ip6.dst as fe80::ea2a:eaff:fe28:0023 or 4242::0023 as it is # configured with fe80::ea2a:eaff:fe28:0033 and 4242::0033 # lp11 can send ipv6 traffic as there is no port security -sip=ee800000000000000000000000000000 -tip=fe80000000000000ea2aeafffe280023 -test_ipv6 11 f00000000011 f00000000333 $sip $tip -tip=42420000000000000000000000000023 -test_ipv6 11 f00000000011 f00000000333 $sip $tip +sip=ee80:: +tip=fe80::ea2a:eaff:fe28:0023 +test_ipv6 11 f0:00:00:00:00:11 f0:00:00:00:03:33 $sip $tip +tip=4242::23 +test_ipv6 11 f0:00:00:00:00:11 f0:00:00:00:03:33 $sip $tip -# ipv6 packet should be allowed for lp[123]3 with mac f0000000${i}${i}3 +# ipv6 packet should be allowed for lp[123]3 with mac f0:00:00:00:0${i}:${i}3 # and ip6.src fe80::ea2a:eaff:fe28:0${i}${i}3, 4242::00${i}3 and ip6.src ::. # and should be dropped for any other ip6.src # lp21 can receive ipv6 traffic as there is no port security -tip=ee800000000000000000000000000000 +tip=ee80:: for i in 1 2 3; do - sip=fe80000000000000ea2aeafffe2800${i}3 - test_ipv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip 21 - sip=424200000000000000000000000000${i}3 - test_ipv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip 21 + sip=fe80::ea2a:eaff:fe28:00${i}3 + test_ipv6 ${i}3 f0:00:00:00:0${i}:${i}3 f0:00:00:00:00:21 $sip $tip 21 + sip=4242::${i}3 + test_ipv6 ${i}3 f0:00:00:00:0${i}:${i}3 f0:00:00:00:00:21 $sip $tip 21 # Test ICMPv6 MLD reports (v1 and v2) and NS for DAD - sip=00000000000000000000000000000000 - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 83 21 - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 8f 21 - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff0200000000000000ea2aeafffe2800 87 21 + sip=:: + test_icmpv6 ${i}3 f0:00:00:00:0${i}:${i}3 f0:00:00:00:00:21 $sip ff02::16:0 "ICMPv6MLReport()" 21 + test_icmpv6 ${i}3 f0:00:00:00:0${i}:${i}3 f0:00:00:00:00:21 $sip ff02::16:0 "ICMPv6MLReport2()" 21 + test_icmpv6 ${i}3 f0:00:00:00:0${i}:${i}3 f0:00:00:00:00:21 $sip ff02::ea:2aea:fffe:2800 "ICMPv6ND_NS()" 21 # Traffic to non-multicast traffic should be dropped - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip 83 + test_icmpv6 ${i}3 f0:00:00:00:0${i}:${i}3 f0:00:00:00:00:21 $sip $tip "ICMPv6MLReport()" # Traffic of other ICMPv6 types should be dropped - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 80 + test_icmpv6 ${i}3 f0:00:00:00:0${i}:${i}3 f0:00:00:00:00:21 $sip ff02::16:0 "ICMPv6EchoRequest()" # should be dropped - sip=ae80000000000000ea2aeafffe2800aa - test_ipv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip + sip=ae80::ea2aeafffe2800aa + test_ipv6 ${i}3 f0:00:00:00:0${i}:${i}3 f0:00:00:00:00:21 $sip $tip done # configure lsp13 to send and received IPv4 packets with an address range ovn-nbctl --wait=hv lsp-set-port-security lp13 "f0:00:00:00:00:13 192.168.0.13 20.0.0.4/24 10.0.0.0/24 4242::/64" -sip=`ip_to_hex 10 0 0 13` -tip=`ip_to_hex 192 168 0 22` +sip=10.0.0.13 +tip=192.168.0.22 # arp packet with inner ip 10.0.0.13 should be allowed for lsp13 -test_arp 13 f00000000013 f00000000013 $sip $tip 0 f00000000022 +test_arp 13 f0:00:00:00:00:13 f0:00:00:00:00:13 $sip $tip 0 f0:00:00:00:00:22 -sip=`ip_to_hex 10 0 0 14` -tip=`ip_to_hex 192 168 0 23` +sip=10.0.0.14 +tip=192.168.0.23 # IPv4 packet from lsp13 with src ip 10.0.0.14 destined to lsp23 # with dst ip 192.168.0.23 should be allowed -test_ip 13 f00000000013 f00000000023 $sip $tip 23 +test_ip 13 f0:00:00:00:00:13 f0:00:00:00:00:23 $sip $tip 23 -sip=42420000000000000000000000000014 -tip=42420000000000000000000000000023 +sip=4242::14 +tip=4242::23 # IPv6 packet from lsp13 with src ip 4242::14 destined to lsp23 # with dst ip 4242::23 should be received by lsp23 -test_ipv6 13 f00000000013 f00000000223 $sip $tip 23 +test_ipv6 13 f0:00:00:00:00:13 f0:00:00:00:02:23 $sip $tip 23 -sip=`ip_to_hex 192 168 0 33` -tip=`ip_to_hex 10 0 0 15` +sip=192.168.0.33 +tip=10.0.0.15 # IPv4 packet from lsp33 with src ip 192.168.0.33 destined to lsp13 # with dst ip 10.0.0.15 should be received by lsp13 -test_ip 33 f00000000033 f00000000013 $sip $tip 13 +test_ip 33 f0:00:00:00:00:33 f0:00:00:00:00:13 $sip $tip 13 -sip=42420000000000000000000000000033 -tip=42420000000000000000000000000013 +sip=4242::33 +tip=4242::13 # IPv6 packet from lsp33 with src ip 4242::33 destined to lsp13 # with dst ip 4242::13 should be received by lsp13 -test_ipv6 33 f00000000333 f00000000013 $sip $tip 13 +test_ipv6 33 f0:00:00:00:03:33 f0:00:00:00:00:13 $sip $tip 13 -sip=`ip_to_hex 192 168 0 33` -tip=`ip_to_hex 20 0 0 4` +sip=192.168.0.33 +tip=20.0.0.4 # IPv4 packet from lsp33 with src ip 192.168.0.33 destined to lsp13 # with dst ip 20.0.0.4 should be received by lsp13 -test_ip 33 f00000000033 f00000000013 $sip $tip 13 +test_ip 33 f0:00:00:00:00:33 f0:00:00:00:00:13 $sip $tip 13 -sip=`ip_to_hex 192 168 0 33` -tip=`ip_to_hex 20 0 0 5` +sip=192.168.0.33 +tip=20.0.0.5 # IPv4 packet from lsp33 with src ip 192.168.0.33 destined to lsp13 # with dst ip 20.0.0.5 should not be received by lsp13 -test_ip 33 f00000000033 f00000000013 $sip $tip +test_ip 33 f0:00:00:00:00:33 f0:00:00:00:00:13 $sip $tip -sip=42420000000000000000000000000033 -tip=42420000000000000000000000000005 +sip=4242::33 +tip=4242::5 # IPv6 packet from lsp33 with src ip 4242::33 destined to lsp13 # with dst ip 4242::5 should not be received by lsp13 -test_ipv6 33 f00000000333 f00000000013 $sip $tip 13 +test_ipv6 33 f0:00:00:00:03:33 f0:00:00:00:00:13 $sip $tip 13 -sip=`ip_to_hex 192 168 0 33` -tip=`ip_to_hex 20 0 0 255` +sip=192.168.0.33 +tip=20.0.0.255 # IPv4 packet from lsp33 with src ip 192.168.0.33 destined to lsp13 # with dst ip 20.0.0.255 should be received by lsp13 -test_ip 33 f00000000033 f00000000013 $sip $tip 13 +test_ip 33 f0:00:00:00:00:33 f0:00:00:00:00:13 $sip $tip 13 -sip=`ip_to_hex 192 168 0 33` -tip=`ip_to_hex 192 168 0 255` +sip=192.168.0.33 +tip=192.168.0.255 # IPv4 packet from lsp33 with src ip 192.168.0.33 destined to lsp13 # with dst ip 192.168.0.255 should not be received by lsp13 -test_ip 33 f00000000033 f00000000013 $sip $tip +test_ip 33 f0:00:00:00:00:33 f0:00:00:00:00:13 $sip $tip -sip=`ip_to_hex 192 168 0 33` -tip=`ip_to_hex 224 0 0 4` +sip=192.168.0.33 +tip=224.0.0.4 # IPv4 packet from lsp33 with src ip 192.168.0.33 destined to lsp13 # with dst ip 224.0.0.4 should be received by lsp13 -test_ip 33 f00000000033 f00000000013 $sip $tip 13 +test_ip 33 f0:00:00:00:00:33 f0:00:00:00:00:13 $sip $tip 13 #dump information including flow counters ovn-nbctl show

[ovs-dev,07/13] tests: Use fmt_pkt in portsecurity : 3 HVs, 1 LS, 3 lports/HV.

Checks

Commit Message

Patch