From patchwork Tue Jan 30 04:38:13 2024
X-Patchwork-Submitter: Roberto Bartzen Acosta
X-Patchwork-Id: 1892648
To: dev@openvswitch.org
Date: Tue, 30 Jan 2024 01:38:13 -0300
Message-Id: <20240130043813.85217-1-roberto.acosta@luizalabs.com>
Subject: [ovs-dev] [PATCH ovn] ovn-ic: fix global blacklist filter for IPv6 addresses
From: Roberto Bartzen Acosta Reply-To: Roberto Bartzen Acosta Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This commit fixes the prefix filter function as the return condition for IPv6 addresses is disabling the advertisement of all learned prefixes regardless of the match with the blacklist or not. Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/2046804 Fixes: 57b347c55168 ("ovn-ic: Route advertisement.") --- ic/ovn-ic.c | 22 ++++++++---- tests/ovn-ic.at | 92 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 108 insertions(+), 6 deletions(-) diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c index 6f8f5734d..d8e038801 100644 --- a/ic/ovn-ic.c +++ b/ic/ovn-ic.c @@ -1024,6 +1024,20 @@ prefix_is_link_local(struct in6_addr *prefix, unsigned int plen) ((prefix->s6_addr[1] & 0xc0) == 0x80)); } +static bool +compare_ipv6_prefixes(const struct in6_addr *s_prefix, + const struct in6_addr *d_prefix2, int plen) +{ + struct in6_addr mask = ipv6_create_mask(plen); + for (int i = 0; i < (plen/8); i++) { + if ((s_prefix->s6_addr[i] & mask.s6_addr[i]) ^ + (d_prefix2->s6_addr[i] & mask.s6_addr[i])) { + return false; + } + } + return true; +} + static bool prefix_is_black_listed(const struct smap *nb_options, struct in6_addr *prefix, @@ -1064,12 +1078,8 @@ prefix_is_black_listed(const struct smap *nb_options, continue; } } else { - struct in6_addr mask = ipv6_create_mask(bl_plen); - for (int i = 0; i < 16 && mask.s6_addr[i] != 0; i++) { - if ((prefix->s6_addr[i] & mask.s6_addr[i]) - != (bl_prefix.s6_addr[i] & mask.s6_addr[i])) { - continue; - } + if (!compare_ipv6_prefixes(prefix, &bl_prefix, bl_plen)) { + continue; } } matched = true; diff --git a/tests/ovn-ic.at b/tests/ovn-ic.at index d4c436f84..42ab89aef 100644 --- a/tests/ovn-ic.at +++ b/tests/ovn-ic.at 
@@ -1274,3 +1274,95 @@ OVN_CLEANUP_IC([az1], [az2]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn-ic -- route sync -- IPv6 blacklist filter]) +AT_KEYWORDS([IPv6-route-sync-blacklist]) + +ovn_init_ic_db +ovn-ic-nbctl ts-add ts1 + +for i in 1 2; do + ovn_start az$i + ovn_as az$i + + # Enable route learning at AZ level + ovn-nbctl set nb_global . options:ic-route-learn=true + # Enable route advertising at AZ level + ovn-nbctl set nb_global . options:ic-route-adv=true + # Enable blacklist single filter for IPv6 + ovn-nbctl set nb_global . options:ic-route-blacklist="2003:db8:1::/64,\ + 2004:aaaa::/32,2005:1234:5678::/40" + + OVS_WAIT_UNTIL([ovn-nbctl show | grep ts1]) + + # Create LRP and connect to TS + ovn-nbctl lr-add lr$i + ovn-nbctl lrp-add lr$i lrp-lr$i-ts1 aa:aa:aa:aa:aa:0$i 2001:db8:1::$i/64 + ovn-nbctl lsp-add ts1 lsp-ts1-lr$i \ + -- lsp-set-addresses lsp-ts1-lr$i router \ + -- lsp-set-type lsp-ts1-lr$i router \ + -- lsp-set-options lsp-ts1-lr$i router-port=lrp-lr$i-ts1 + + ovn-nbctl lrp-add lr$i lrp-lr$i-p$i 00:00:00:00:00:0$i 2002:db8:1::$i/64 + + # Create blacklisted LRPs and connect to TS + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext$i \ + 11:11:11:11:11:1$i 2003:db8:1::$i/64 + + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i \ + 22:22:22:22:22:2$i 2004:aaaa:bbb::$i/48 + + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext3$i \ + 33:33:33:33:33:3$i 2005:1234:5678::$i/50 + +done + +for i in 1 2; do + OVS_WAIT_UNTIL([ovn_as az$i ovn-nbctl lr-route-list lr$i | grep learned]) +done + +AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +]) + +for i in 1 2; do + ovn_as az$i + + # Drop blacklist + ovn-nbctl remove nb_global . 
options ic-route-blacklist + +done + +OVS_WAIT_FOR_OUTPUT([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' | sort ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +2003:db8:1::/64 2001:db8:1::2 +2004:aaaa:bbb::/48 2001:db8:1::2 +2005:1234:5678::/50 2001:db8:1::2 +]) + +for i in 1 2; do + ovn_as az$i + + ovn-nbctl set nb_global . \ + options:ic-route-blacklist="2003:db8:1::/64,2004:db8:1::/64" + + # Create an 'extra' blacklisted LRP and connect to TS + ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i \ + 44:44:44:44:44:4$i 2004:db8:1::$i/64 + +done + +OVS_WAIT_FOR_OUTPUT([ovn_as az1 ovn-nbctl lr-route-list lr1 | + awk '/learned/{print $1, $2}' | sort ], [0], [dnl +2002:db8:1::/64 2001:db8:1::2 +2004:aaaa:bbb::/48 2001:db8:1::2 +2005:1234:5678::/50 2001:db8:1::2 +]) + +OVN_CLEANUP_IC([az1], [az2]) + +AT_CLEANUP +])
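
Review bot: In compare_ipv6_prefixes() (ic/ovn-ic.c) the loop bound `i < (plen/8)` rounds down, so for a blacklist length that is not a multiple of 8 the trailing partial byte is never compared, and that is the only byte where `mask.s6_addr[i]` differs from 0xff. A /50 entry is therefore matched as a /48 and filters routes outside the configured prefix, and any entry shorter than /8 matches every address because the loop body never runs. Suggest iterating over all 16 bytes with the mask applied, or up to `(plen + 7) / 8`, and adding a blacklist entry with a non-byte-aligned length to the test, since the entries used there (/64, /32, /40) are all byte-aligned. Also, `plen` is a signed `int` here while prefix_is_link_local() just above takes `unsigned int`, and nothing in this function bounds it to 128 before indexing `s6_addr[i]`. The parameter names `s_prefix` and `d_prefix2` would read better as a matching pair.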
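
Review bot: In the last loop of the new test in tests/ovn-ic.at, `ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i 44:44:44:44:44:4$i 2004:db8:1::$i/64` reuses the port name already created in the first loop for `2004:aaaa:bbb::$i/48`, so the add is expected to be rejected as a duplicate and the 'extra' port never exists. The final expected output then passes whether or not 2004:db8:1::/64 is filtered, so this step does not exercise the second blacklist entry. Suggest a distinct port name and checking that the route is learned while the entry is absent from the blacklist before asserting that it disappears. Minor: the comment "Enable blacklist single filter for IPv6" sits above an option that sets three prefixes.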