From patchwork Thu Feb 8 18:17:19 2024
From: Ales Musil
To: dev@openvswitch.org
Date: Thu, 8 Feb 2024 19:17:19 +0100
Message-ID: <20240208181719.224501-5-amusil@redhat.com>
In-Reply-To: <20240208181719.224501-1-amusil@redhat.com>
References: <20240208181719.224501-1-amusil@redhat.com>
Subject: [ovs-dev] [PATCH ovn v3 4/4] tests: Use the ovn-debug binary to determine table numbers.
X-Patchwork-Id: 1896711

Use the ovn-debug commands to determine OpenFlow table numbers
based on stage name. With this there is no need to hardcode them
and it should be future proof for stage shifts/updates.

Signed-off-by: Ales Musil Acked-by: Mark Michelson --- tests/ovn-controller.at | 342 +++++++++++++++++++--------------- tests/ovn.at | 389 ++++++++++++++++++++++----------------- tests/system-ovn-kmod.at | 16 +- tests/system-ovn.at | 20 +- 4 files changed, 438 insertions(+), 329 deletions(-) diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index f77e032d4..66e870876 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -901,6 +901,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -918,14 +922,14 @@ for i in $(seq 10); do check ovn-nbctl add address_set as1 addresses 10.0.0.$i check ovn-nbctl --wait=hv sync if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$i + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i ]) done 
@@ -940,15 +944,15 @@ for i in $(seq 10); do check ovn-nbctl remove address_set as1 addresses 10.0.0.$i check ovn-nbctl --wait=hv sync if test "$i" = 9; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi if test "$i" = 10; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((10 - $i)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((10 - $i)) ]) fi done 
@@ -966,17 +970,17 @@ for i in $(seq 10); do check ovn-nbctl add address_set as1 addresses 10.0.0.$i,10.0.1.$i check ovn-nbctl --wait=hv sync if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int 
table=46 | grep -c "priority=1100"], [0], [$(($i * 2)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i * 2)) ]) done @@ -993,11 +997,11 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl add address_set as1 addresses 10.0.0.21,10.0.0.22 -- \ remove address_set as1 addresses 10.0.0.10 check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.21], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.21], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.22], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.22], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.10], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.10], [1], [ignore]) reprocess_count_new=$(read_counter consider_logical_flow) AT_CHECK([echo $(($reprocess_count_new - $reprocess_count_old))], [0], [0 @@ -1009,9 +1013,9 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl remove address_set as1 addresses 10.0.0.21,10.0.0.22 -- \ add address_set as1 addresses 10.0.0.10 check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.21], [1], [ignore]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.22], [1], [ignore]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.10], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.21], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.22], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.10], [0], [1 ]) reprocess_count_new=$(read_counter consider_logical_flow) 
@@ -1024,9 +1028,9 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl add address_set as1 addresses 10.0.0.21 -- \ remove address_set as1 addresses 10.0.0.10 check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.21], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.21], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.10], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.10], [1], [ignore]) reprocess_count_new=$(read_counter consider_logical_flow) AT_CHECK([echo $(($reprocess_count_new - $reprocess_count_old))], [0], [0 @@ -1038,12 +1042,12 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl add address_set as1 addresses 10.0.0.22,10.0.0.23 -- \ remove address_set as1 addresses 10.0.0.9,10.0.0.8 check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.22], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.22], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.23], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.23], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.8], [1], [ignore]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.9], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.8], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.9], [1], [ignore]) reprocess_count_new=$(read_counter consider_logical_flow) AT_CHECK([echo $(($reprocess_count_new - $reprocess_count_old))], [0], [0 
@@ -1074,6 +1078,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1091,24 +1099,24 @@ for i in $(seq 10); do check ovn-nbctl add address_set as1 addresses 10.0.0.$i check ovn-nbctl --wait=hv sync if test "$i" = 1; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) else # (1 conj_id flow + 3 tp_dst flows) = 4 extra flows - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$(($i + 4)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i + 4)) ]) fi if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key 
actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) 
@@ -1130,17 +1138,17 @@ for i in $(seq 10); do check ovn-nbctl remove address_set as1 addresses 10.0.0.$i check ovn-nbctl --wait=hv sync if test "$i" = 10; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) elif test "$i" = 9; then # no conjunction left - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((14 - $i)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((14 - $i)) ]) fi done 
@@ -1156,11 +1164,11 @@ for i in $(seq 10); do check ovn-nbctl add address_set as1 addresses 10.0.0.$i,10.0.1.$i check ovn-nbctl --wait=hv sync if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1172,7 +1180,7 @@ priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,tp_dst=222 actions=conjun priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,tp_dst=333 actions=conjunction,2/2) ]) fi - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$(($i * 2 + 4)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i * 2 + 4)) ]) done 
@@ -1188,11 +1196,11 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl add address_set as1 addresses 10.0.0.21,10.0.0.22 -- \ remove address_set as1 addresses 10.0.0.10 check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.21], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.21], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.22], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.22], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.10], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.10], [1], [ignore]) reprocess_count_new=$(read_counter consider_logical_flow) AT_CHECK([echo $(($reprocess_count_new - $reprocess_count_old))], [0], [0 @@ -1204,9 +1212,9 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl remove address_set as1 addresses 10.0.0.21,10.0.0.22 -- \ add address_set as1 addresses 10.0.0.10 check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.21], [1], [ignore]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.22], [1], [ignore]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.10], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.21], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.22], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.10], [0], [1 ]) reprocess_count_new=$(read_counter consider_logical_flow) 
@@ -1219,9 +1227,9 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl add address_set as1 addresses 10.0.0.21 -- \ remove address_set as1 addresses 10.0.0.10 check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.21], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.21], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.10], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.10], [1], [ignore]) reprocess_count_new=$(read_counter consider_logical_flow) AT_CHECK([echo $(($reprocess_count_new - $reprocess_count_old))], [0], [0 @@ -1233,12 +1241,12 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl add address_set as1 addresses 10.0.0.22,10.0.0.23 -- \ remove address_set as1 addresses 10.0.0.9,10.0.0.8 check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.22], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.22], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c 10\.0\.0\.23], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c 10\.0\.0\.23], [0], [1 ]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.8], [1], [ignore]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10\.0\.0\.9], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.8], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10\.0\.0\.9], [1], [ignore]) reprocess_count_new=$(read_counter consider_logical_flow) AT_CHECK([echo $(($reprocess_count_new - $reprocess_count_old))], [0], [0 
@@ -1268,6 +1276,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1288,22 +1300,22 @@ for i in $(seq 10); do add address_set as2 addresses 10.0.0.$j check ovn-nbctl --wait=hv sync if test "$i" = 1; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$(($i*2 + 1)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2 + 1)) ]) fi if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=conjunction,1/2) 
@@ -1327,15 +1339,15 @@ for i in $(seq 10); do remove address_set as2 addresses 10.0.0.$j check ovn-nbctl --wait=hv sync if test "$i" = 10; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) elif test "$i" = 9; then # no conjunction left - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((21 - $i*2)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((21 - $i*2)) ]) fi done 
@@ -1356,14 +1368,14 @@ for i in $(seq 2 10); do check ovn-nbctl add address_set as1 addresses 10.0.0.$i check ovn-nbctl --wait=hv sync if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$i + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i ]) done 
@@ -1382,16 +1394,16 @@ for i in $(seq 10); do check ovn-nbctl remove address_set as1 addresses 10.0.0.$i check ovn-nbctl --wait=hv sync if test "$i" = 9; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) elif test "$i" = 10; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) else # 2 dst + (10 - i) src + 1 conj_id - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((10 - $i + 3)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((10 - $i + 3)) ]) fi done @@ -1423,6 +1435,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1445,27 +1461,27 @@ for i in $(seq 10); do add address_set as2 addresses 10.0.0.$j check ovn-nbctl --wait=hv sync if test "$i" = 1; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$(($i*2)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2)) ]) fi if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) 
-priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi done @@ -1483,9 +1499,9 @@ for i in $(seq 10); do remove address_set as2 addresses 10.0.0.$j check ovn-nbctl --wait=hv sync if test "$i" = 10; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((20 - $i*2)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((20 - $i*2)) ]) fi done 
@@ -1519,6 +1535,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1541,30 +1561,30 @@ for i in $(seq 10); do add address_set as2 addresses 10.0.0.$j check ovn-nbctl --wait=hv sync if test "$i" = 1; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) elif test "$i" -lt 6; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$(($i*2)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2)) ]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((5 + $i)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((5 + $i)) ]) fi if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) 
-priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi done 
@@ -1582,12 +1602,12 @@ for i in $(seq 10); do remove address_set as2 addresses 10.0.0.$j check ovn-nbctl --wait=hv sync if test "$i" = 10; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) elif test "$i" -lt 6; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((15 - $i)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((15 - $i)) ]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((10 - ($i - 5)*2)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((10 - ($i - 5)*2)) ]) fi done @@ -1622,6 +1642,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1639,22 +1663,22 @@ for i in $(seq 10); do check ovn-nbctl add address_set as1 addresses 10.0.0.$i check ovn-nbctl --wait=hv sync if test "$i" = 1; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$(($i*2 + 1)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i*2 + 1)) ]) fi if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) 
@@ -1676,15 +1700,15 @@ for i in $(seq 10); do check ovn-nbctl remove address_set as1 addresses 10.0.0.$i check ovn-nbctl --wait=hv sync if test "$i" = 10; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) elif test "$i" = 9; then # no conjunction left - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((21 - $i*2)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((21 - $i*2)) ]) fi done 
@@ -1700,11 +1724,11 @@ for i in $(seq 10); do check ovn-nbctl add address_set as1 addresses 10.0.0.$i,10.0.1.$i check ovn-nbctl --wait=hv sync if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1719,7 +1743,7 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=co priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=conjunction,2/2) ]) fi - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$(($i * 4 + 1)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$(($i * 4 + 1)) ]) done 
@@ -1740,11 +1764,11 @@ check ovn-nbctl --wait=hv sync reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl add address_set as1 addresses 10.0.0.4,10.0.0.5 check ovn-nbctl --wait=hv sync -AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ +AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) 
@@ -1764,11 +1788,11 @@ AT_CHECK([echo $(($reprocess_count_new - $reprocess_count_old))], [0], [1 # Delete 2 IPs reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl --wait=hv remove address_set as1 addresses 10.0.0.4,10.0.0.5 -AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ +AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1805,6 +1829,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1822,12 +1850,12 @@ check ovn-nbctl acl-add ls1 to-lport 100 'outport == "ls1-lp1" && ip4.src == $as check ovn-nbctl acl-add ls1 to-lport 100 'outport == "ls1-lp1" && ip4.src == $as2 && tcp && tcp.dst == {201, 202}' drop check ovn-nbctl --wait=hv sync -AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ +AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) 
@@ -1847,12 +1875,12 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl add address_set as1 addresses 10.0.0.14,10.0.0.33 -- \ add address_set as2 addresses 10.0.0.24,10.0.0.33 check ovn-nbctl --wait=hv sync -AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ +AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) 
@@ -1878,12 +1906,12 @@ reprocess_count_old=$(read_counter consider_logical_flow) check ovn-nbctl remove address_set as1 addresses 10.0.0.14,10.0.0.33 -- \ remove address_set as2 addresses 10.0.0.24,10.0.0.33 check ovn-nbctl --wait=hv sync -AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ +AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1926,6 +1954,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -1943,14 +1975,14 @@ for i in $(seq 5); do check ovn-nbctl add address_set as1 addresses "aa\:aa\:aa\:aa\:aa\:0$i" check ovn-nbctl --wait=hv sync if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$i + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i ]) done 
@@ -1964,17 +1996,17 @@ reprocess_count_old=$(read_counter consider_logical_flow) for i in $(seq 5); do check ovn-nbctl remove address_set as1 addresses "aa\:aa\:aa\:aa\:aa\:0$i" check ovn-nbctl --wait=hv sync - ovs-ofctl dump-flows br-int table=46 | grep "priority=1100" + ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100" if test "$i" = 4; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi if test "$i" = 5; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((5 - $i)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((5 - $i)) ]) fi done @@ -2007,6 +2039,10 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + dp_key=$(printf "%x" $(fetch_column datapath tunnel_key external_ids:name=ls1)) port_key=$(printf "%x" $(fetch_column port_binding tunnel_key logical_port=ls1-lp1)) 
@@ -2024,14 +2060,14 @@ for i in $(seq 5); do check ovn-nbctl add address_set as1 addresses "ff\:\:0$i" check ovn-nbctl --wait=hv sync if test "$i" = 3; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$i + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$i ]) done 
@@ -2046,15 +2082,15 @@ for i in $(seq 5); do check ovn-nbctl remove address_set as1 addresses "ff\:\:0$i" check ovn-nbctl --wait=hv sync if test "$i" = 4; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46,reg15=0x$port_key | \ + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,47) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$acl_action) ]) fi if test "$i" = 5; then - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep "priority=1100"], [1], [ignore]) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep "priority=1100"], [1], [ignore]) else - AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [$((5 - $i)) + AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [$((5 - $i)) ]) fi done @@ -2086,10 +2122,14 @@ check ovn-nbctl lsp-add ls1 ls1-lp1 \ wait_for_ports_up ovn-appctl -t ovn-controller vlog/set file:dbg +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + ovn-nbctl create address_set name=as1 addresses=8.8.8.8 check ovn-nbctl acl-add ls1 to-lport 100 'outport == "ls1-lp1" && ip4.src == $as1' drop check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100"], [0], [1 +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100"], [0], [1 ]) # pause ovn-northd 
@@ -2104,13 +2144,13 @@ check as northd ovn-appctl -t ovn-northd pause # undefined. This test runs the scenario ten times to make sure different # orders are covered and handled properly. -flow_count=$(ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100") +flow_count=$(ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100") for i in $(seq 10); do # Delete and recreate the SB address set with same name and an extra IP. addrs_=$(fetch_column address_set addresses name=as1) addrs=${addrs_// /,} AT_CHECK([ovn-sbctl destroy address_set as1 -- create address_set name=as1 addresses=$addrs,1.1.1.$i], [0], [ignore]) - OVS_WAIT_UNTIL([test $(as hv1 ovs-ofctl dump-flows br-int table=46 | grep -c "priority=1100") = "$(($i + 1))"]) + OVS_WAIT_UNTIL([test $(as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | grep -c "priority=1100") = "$(($i + 1))"]) done OVN_CLEANUP([hv1]) diff --git a/tests/ovn.at b/tests/ovn.at index 0af60f893..57108cb62 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -13492,6 +13492,10 @@ ovn-nbctl lsp-set-options ln-outside network_name=phys wait_for_ports_up check ovn-nbctl --wait=hv sync +# Get the OF table numbers +l2_lkup=$(ovn-debug lflow-stage-to-oftable ls_in_l2_lkup) +arp_rsp=$(ovn-debug lflow-stage-to-oftable ls_in_arp_rsp) + echo "---------NB dump-----" ovn-nbctl show echo "---------------------" 
@@ -13587,15 +13591,15 @@ sleep 10 as gw1 ovs-ofctl dump-flows br-int -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) # make sure ARP responder flows for outside router port reside on gw1 too through ls_in_arp_rsp table -OVS_WAIT_UNTIL([test `as gw1 ovs-ofctl dump-flows br-int table=29 | \ +OVS_WAIT_UNTIL([test `as gw1 ovs-ofctl dump-flows br-int table=$arp_rsp | \ grep arp_tpa=192.168.0.101 | wc -l` -ge 1]) # check that the chassis redirect port has been claimed by the gw1 chassis @@ -13677,10 +13681,10 @@ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-hv1-0],[0], ]]) # make sure that flows for handling the outside router port reside on gw2 now -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) @@ -13692,10 +13696,10 @@ as main ovs-vsctl del-port n1 $port bfd_dump # make sure that flows for handling the outside router port reside on gw1 now -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) 
@@ -13809,15 +13813,15 @@ grep active_backup | grep members:$hv2_gw1_ofport,$hv2_gw2_ofport \ ]) # make sure that flows for handling the outside router port reside on gw1 -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst:00:00:02:01:02:04" | wc -l], [0], [[0 ]]) # make sure ARP responder flows for outside router port reside on gw1 too -OVS_WAIT_UNTIL([test `as gw1 ovs-ofctl dump-flows br-int table=29 | \ +OVS_WAIT_UNTIL([test `as gw1 ovs-ofctl dump-flows br-int table=$arp_rsp | \ grep arp_tpa=192.168.0.101 | wc -l` -ge 1 ]) # check that the chassis redirect port has been claimed by the gw1 chassis @@ -13881,10 +13885,10 @@ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-hv1-0],[0], ]]) # make sure that flows for handling the outside router port reside on gw2 now -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) 
@@ -13896,10 +13900,10 @@ as main ovs-vsctl del-port n1 $port bfd_dump # make sure that flows for handling the outside router port reside on gw2 now -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=$l2_lkup | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) @@ -17003,6 +17007,9 @@ OVN_POPULATE_ARP wait_for_ports_up ovn-nbctl --wait=hv sync +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) + # Wait for pinctrl thread to be connected OVS_WAIT_UNTIL([grep pinctrl hv1/ovn-controller.log | grep -c connected]) OVS_WAIT_UNTIL([grep pinctrl hv2/ovn-controller.log | grep -c connected]) 
@@ -17028,18 +17035,18 @@ send_icmp6_packet 1 1 $eth_src $eth_dst $ipv6_src $ipv6_dst # Get total number of ipv4 packets that received on ovs # sender side -OVS_WAIT_UNTIL([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=46 | grep priority=2002 | grep ip,metadata=0x1 | grep -c n_packets=1`]) +OVS_WAIT_UNTIL([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | grep priority=2002 | grep ip,metadata=0x1 | grep -c n_packets=1`]) # receiver side -OVS_WAIT_UNTIL([test 1 = `as hv2 ovs-ofctl dump-flows br-int table=46 | grep priority=2002 | grep ip,metadata=0x1 | grep -c n_packets=1`]) +OVS_WAIT_UNTIL([test 1 = `as hv2 ovs-ofctl dump-flows br-int table=$acl_eval | grep priority=2002 | grep ip,metadata=0x1 | grep -c n_packets=1`]) # Get total number of ipv6 packets that received on ovs # sender side -OVS_WAIT_UNTIL([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=46 | grep priority=2002 | grep ipv6,metadata=0x1 | grep -c n_packets=1`]) +OVS_WAIT_UNTIL([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | grep priority=2002 | grep ipv6,metadata=0x1 | grep -c n_packets=1`]) # receiver side -OVS_WAIT_UNTIL([test 1 = `as hv2 ovs-ofctl dump-flows br-int table=46 | grep priority=2002 | grep ipv6,metadata=0x1 | grep -c n_packets=1`]) +OVS_WAIT_UNTIL([test 1 = `as hv2 ovs-ofctl dump-flows br-int table=$acl_eval | grep priority=2002 | grep ipv6,metadata=0x1 | grep -c n_packets=1`]) OVN_CLEANUP([hv1], [hv2]) AT_CLEANUP @@ -18661,6 +18668,10 @@ check ovn-nbctl acl-add ls1 to-lport 3 '(ip4.src==10.0.0.1 || ip4.src==10.0.0.42 wait_for_ports_up check ovn-nbctl --wait=hv sync +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_out_acl_action) + ovn-sbctl dump-flows > sbflows AT_CAPTURE_FILE([sbflows]) 
@@ -18723,17 +18734,17 @@ check ovn-nbctl acl-add ls1 to-lport 3 'ip4.src==10.0.0.1' allow check ovn-nbctl --wait=hv sync # Check OVS flows, the less restrictive flows should have been installed. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=46 | ofctl_strip_all | +AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) # Traffic 10.0.0.1, 10.0.0.2 -> 10.0.0.3, 10.0.0.4 should be allowed. 
@@ -18768,17 +18779,17 @@ check ovn-nbctl acl-del ls1 to-lport 3 'ip4.src==10.0.0.1 || ip4.src==10.0.0.1' check ovn-nbctl --wait=hv sync # Check OVS flows, the second less restrictive allow ACL should have been installed. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=46 | ofctl_strip_all | \ +AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) # Remove the less restrictive allow ACL. 
@@ -18786,17 +18797,17 @@ check ovn-nbctl acl-del ls1 to-lport 3 'ip4.src==10.0.0.1' check ovn-nbctl --wait=hv sync # Check OVS flows, the 10.0.0.1 conjunction should have been reinstalled. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=46 | ofctl_strip_all | \ +AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) # Traffic 10.0.0.1, 10.0.0.2 -> 10.0.0.3, 10.0.0.4 should be allowed. 
@@ -18826,17 +18837,17 @@ check ovn-nbctl acl-add ls1 to-lport 3 'ip4.src==10.0.0.1' allow check ovn-nbctl --wait=hv sync # Check OVS flows, the less restrictive flows should have been installed. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=46 | ofctl_strip_all | \ +AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) # Add another ACL that overlaps with the existing less restrictive 
ones. 
@@ -18847,20 +18858,20 @@ check ovn-nbctl --wait=hv sync # with an additional conjunction action. # # New non-conjunctive flows should be added to match on 'udp'. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=46 | ofctl_strip_all | \ +AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction() - table=46, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() - table=46, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) - table=46, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction() + table=$acl_eval, 
priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction() + table=$acl_eval, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() + table=$acl_eval, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) ]) OVN_CLEANUP([hv1]) @@ -18915,17 +18926,21 @@ check ovn-nbctl acl-add pg1 to-lport 100 'outport == @pg1 && ip4.src == $as2' al wait_for_ports_up check ovn-nbctl --wait=hv sync -ovs-ofctl dump-flows br-int table=46 -AT_CHECK([test `ovs-ofctl dump-flows br-int table=46 | grep -c conj_id` = 2]) + +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) + +ovs-ofctl dump-flows br-int table=$acl_eval +AT_CHECK([test `ovs-ofctl dump-flows br-int table=$acl_eval | grep -c conj_id` = 2]) echo ------- # Add another address in as1, so that the 1st ACL will now generate 2 conjunctions. ovn-nbctl set address_set as1 addresses="10.0.0.1,10.0.0.2" check ovn-nbctl --wait=hv sync -ovs-ofctl dump-flows br-int table=46 +ovs-ofctl dump-flows br-int table=$acl_eval # There should be 3 conjunctions in total (2 from 1st ACL + 1 from 2nd ACL) -AT_CHECK([test `ovs-ofctl dump-flows br-int table=46 | grep -c conj_id` = 3]) +AT_CHECK([test `ovs-ofctl dump-flows br-int table=$acl_eval | grep -c conj_id` = 3]) OVN_CLEANUP([hv1]) AT_CLEANUP 
@@ -19662,17 +19677,17 @@ ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys AT_CHECK([ovn-sbctl dump-flows ls1 | grep "offerip = 10.0.0.6" | \ wc -l], [0], [0 ]) -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=26 | \ +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | \ grep controller | grep "0a.00.00.06" | wc -l], [0], [0 ]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=26 | \ +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | \ grep controller | grep "0a.00.00.06" | wc -l], [0], [0 ]) -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep table=26 | \ +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | \ grep controller | grep tp_src=546 | grep \ "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 ]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | grep table=26 | \ +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int | \ grep controller | grep tp_src=546 | grep \ "ae.70.00.00.00.00.00.00.00.00.00.00.00.00.00.06" | wc -l], [0], [0 ]) @@ -20241,7 +20256,7 @@ wait_for_ports_up ls1-lp_ext1 # There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined # to router mac. AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \ -table=34,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ +table=$(ovn-debug lflow-stage-to-oftable ls_in_external_port),dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ grep -c "actions=drop"], [0], [1 ]) # Stop ovn-controllers on hv1 and hv3. @@ -21817,6 +21832,10 @@ OVN_POPULATE_ARP wait_for_ports_up ovn-nbctl --wait=hv sync +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) +ip_input=$(ovn-debug lflow-stage-to-oftable lr_in_ip_input) + # Check that logical flows are added for sw0-vir/sw0vir6 in lsp_in_arp_rsp pipeline # with bind_vport action. 
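Review bot: in the `@@ -19662,17 +19677,17 @@` hunk the `grep table=26` filter is dropped instead of being replaced with an `ovn-debug lflow-stage-to-oftable` lookup as in the other hunks, so the four zero-count checks now scan every table on br-int. They will fail on any `controller` flow containing `0a.00.00.06` (or the `tp_src=546` pattern) whatever stage installed it. If the wider match is intended, say so in the commit message; otherwise keep the stage pinned with `table=$(ovn-debug lflow-stage-to-oftable <stage>)`.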
@@ -21866,22 +21885,22 @@ check_virtual_offlows_present() { lr0_dp_key=$(printf "%x" $(fetch_column Datapath_Binding tunnel_key external_ids:name=lr0)) lr0_public_dp_key=$(printf "%x" $(fetch_column Port_Binding tunnel_key logical_port=lr0-public)) - AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=46,ip | ofctl_strip_all | grep "priority=2000"], [0], [dnl - table=46, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,47) + AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=$acl_eval,ip | ofctl_strip_all | grep "priority=2000"], [0], [dnl + table=$acl_eval, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_out_acl_action)) ]) - AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=11 | ofctl_strip_all | \ + AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=$ip_input | ofctl_strip_all | \ grep "priority=92" | grep 172.168.0.50], [0], [dnl - table=11, priority=92,arp,reg14=0x$lr0_public_dp_key,metadata=0x$lr0_dp_key,arp_tpa=172.168.0.50,arp_op=1 actions=move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],mod_dl_src:10:54:00:00:00:10,load:0x2->NXM_OF_ARP_OP[[]],move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],load:0x105400000010->NXM_NX_ARP_SHA[[]],push:NXM_OF_ARP_SPA[[]],push:NXM_OF_ARP_TPA[[]],pop:NXM_OF_ARP_SPA[[]],pop:NXM_OF_ARP_TPA[[]],move:NXM_NX_REG14[[]]->NXM_NX_REG15[[]],load:0x1->NXM_NX_REG10[[0]],resubmit(,OFTABLE_OUTPUT_LARGE_PKT_DETECT) + table=$ip_input, priority=92,arp,reg14=0x$lr0_public_dp_key,metadata=0x$lr0_dp_key,arp_tpa=172.168.0.50,arp_op=1 
actions=move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],mod_dl_src:10:54:00:00:00:10,load:0x2->NXM_OF_ARP_OP[[]],move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],load:0x105400000010->NXM_NX_ARP_SHA[[]],push:NXM_OF_ARP_SPA[[]],push:NXM_OF_ARP_TPA[[]],pop:NXM_OF_ARP_SPA[[]],pop:NXM_OF_ARP_TPA[[]],move:NXM_NX_REG14[[]]->NXM_NX_REG15[[]],load:0x1->NXM_NX_REG10[[0]],resubmit(,OFTABLE_OUTPUT_LARGE_PKT_DETECT) ]) } check_virtual_offlows_not_present() { hv=$1 - AT_CHECK([as $hv ovs-ofctl dump-flows br-int table=46,ip | ofctl_strip_all | grep "priority=2000"], [1], [dnl + AT_CHECK([as $hv ovs-ofctl dump-flows br-int table=$acl_eval,ip | ofctl_strip_all | grep "priority=2000"], [1], [dnl ]) - AT_CHECK([as $hv ovs-ofctl dump-flows br-int table=11 | ofctl_strip_all | \ + AT_CHECK([as $hv ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "priority=92" | grep 172.168.0.50], [1], [dnl ]) } @@ -21945,7 +21964,7 @@ eth_dst=00000000ff01 ip_src=$(ip_to_hex 10 0 0 10) ip_dst=$(ip_to_hex 172 168 0 101) send_icmp_packet 1 1 $eth_src $eth_dst $ip_src $ip_dst c4c9 0000000000000000000000 -AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int metadata=0x$lr0_dp_key | awk '/table=28, n_packets=1, n_bytes=45/{print $7" "$8}'],[0],[dnl +AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable lr_in_gw_redirect),metadata=0x$lr0_dp_key | awk '/n_packets=1, n_bytes=45/{print $7" "$8}'],[0],[dnl priority=80,ip,reg15=0x$lr0_public_dp_key,metadata=0x$lr0_dp_key,nw_src=10.0.0.10 actions=drop ]) @@ -24552,6 +24571,9 @@ OVN_POPULATE_ARP wait_for_ports_up ovn-nbctl --wait=hv sync +# Get the OF table numbers +learn_neigh=$(ovn-debug lflow-stage-to-oftable lr_in_learn_neighbor) + as hv1 ovs-appctl -t ovn-controller vlog/set dbg # From sw0-p1 send GARP for 10.0.0.30. 
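Review bot: in the `@@ -21866,22 +21885,22 @@` hunk, the second check of `check_virtual_offlows_not_present()` replaces `table=11` with `table=$acl_eval`, while the matching check in `check_virtual_offlows_present()` uses `table=$ip_input`. That check expects grep to exit 1, so looking for the `priority=92` / `172.168.0.50` flow in the ACL table can pass even when the flow is still installed in the lr_in_ip_input table; it should read `table=$ip_input`. In the same hunk the expected output calls `$(ovn-debug lflow-stage-to-oftable ls_out_acl_action)` inline; setting an `acl_action` variable next to `acl_eval` and `ip_input` in the "Get the OF table numbers" block would match the `$acl_action` usage in the earlier hunks.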
@@ -24582,7 +24604,7 @@ grep table_id=10 | wc -l`]) AT_CHECK([test 1 = `cat hv1/ovn-controller.log | grep "pinctrl received packet-in" | \ grep opcode=PUT_ARP | grep OF_Table_ID=10 | wc -l`]) -AT_CHECK([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=10 | grep arp | \ +AT_CHECK([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=$learn_neigh | grep arp | \ grep controller | grep -v n_packets=0 | wc -l`]) # Wait for an entry in table=OFTABLE_MAC_LOOKUP @@ -24600,7 +24622,7 @@ OVS_WAIT_UNTIL([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=OFTABLE_MAC_L # count should be 1 only. AT_CHECK([test 1 = `cat hv1/ovn-controller.log | grep NXT_PACKET_IN2 | \ grep table_id=10 | wc -l`]) -AT_CHECK([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=10 | grep arp | \ +AT_CHECK([test 1 = `as hv1 ovs-ofctl dump-flows br-int table=$learn_neigh | grep arp | \ grep controller | grep -v n_packets=0 | wc -l`]) # Now send garp packet with different mac. @@ -28166,11 +28188,14 @@ check ovn-nbctl set logical_router_policy $pol4 options:pkt_mark=4 check ovn-nbctl set logical_router_policy $pol5 options:pkt_mark=4294967295 check ovn-nbctl --wait=hv sync +# Get the OF table numbers +lr_policy=$(ovn-debug lflow-stage-to-oftable lr_in_policy) + ovn-sbctl dump-flows > sbflows AT_CAPTURE_FILE([sbflows]) AT_CAPTURE_FILE([offlows]) OVS_WAIT_UNTIL([ - as hv1 ovs-ofctl dump-flows br-int table=23 > offlows + as hv1 ovs-ofctl dump-flows br-int table=$lr_policy > offlows test $(grep -c "load:0x64->NXM_NX_PKT_MARK" offlows) = 1 && \ test $(grep -c "load:0x3->NXM_NX_PKT_MARK" offlows) = 1 && \ test $(grep -c "load:0x4->NXM_NX_PKT_MARK" offlows) = 1 && \ 
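Review bot: the log checks beside the changed lines in the `@@ -24582,7 +24604,7 @@` and `@@ -24600,7 +24622,7 @@` hunks still grep for the literal `table_id=10` and `OF_Table_ID=10`, so the hard-coded number that `$learn_neigh` removes from the `ovs-ofctl dump-flows` calls stays in the test. If these refer to the same lr_in_learn_neighbor table, the flow check will follow a renumbering and the log checks will not; use `table_id=$learn_neigh` and `OF_Table_ID=$learn_neigh` there too, or note why they are left as they are.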
@@ -28268,12 +28293,12 @@ send_ipv4_pkt hv1 hv1-vif1 505400000003 00000000ff01 \ c3ad 83dc OVS_WAIT_UNTIL([ - test 1 -eq $(as hv1 ovs-ofctl dump-flows br-int table=23 | \ + test 1 -eq $(as hv1 ovs-ofctl dump-flows br-int table=$lr_policy | \ grep "load:0x2->NXM_NX_PKT_MARK" -c) ]) AT_CHECK([ - test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=23 | \ + test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=$lr_policy | \ grep "load:0x64->NXM_NX_PKT_MARK" -c) ]) 
@@ -28964,25 +28989,29 @@ check ovn-nbctl --ecmp-symmetric-reply --policy="src-ip" lr-route-add GW 10.0.0. wait_for_ports_up check ovn-nbctl --wait=hv sync +# Get the OF table numbers +ecmp_stateful=$(ovn-debug lflow-stage-to-oftable lr_in_ecmp_stateful) +arp_resolve=$(ovn-debug lflow-stage-to-oftable lr_in_arp_resolve) + # Ensure ECMP symmetric reply flows are not present on any hypervisor. AT_CHECK([ - test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=17 | \ + test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=$ecmp_stateful | \ grep "priority=100" | \ grep "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_LABEL\\[[80..95\\]]))" -c) ]) AT_CHECK([ - test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=25 | \ + test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=$arp_resolve | \ grep "priority=200" | \ grep "actions=move:NXM_NX_CT_LABEL\\[[32..79\\]]->NXM_OF_ETH_DST\\[[\\]]" -c) ]) AT_CHECK([ - test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=17 | \ + test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=$ecmp_stateful | \ grep "priority=100" | \ grep "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_LABEL\\[[80..95\\]]))" -c) ]) AT_CHECK([ - test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=25 | \ + test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=$arp_resolve | \ grep "priority=200" | \ grep "actions=move:NXM_NX_CT_LABEL\\[[32..79\\]]->NXM_OF_ETH_DST\\[[\\]]" -c) ]) 
@@ -29000,11 +29029,11 @@ AT_CAPTURE_FILE([hv2flows]) AT_CHECK([ for hv in 1 2; do - grep table=17 hv${hv}flows | \ + grep table=$ecmp_stateful hv${hv}flows | \ grep "priority=100" | \ grep -c "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],.*exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_MARK\\[[16..31\\]]))" - grep table=25 hv${hv}flows | \ + grep table=$arp_resolve hv${hv}flows | \ grep "priority=200" | \ grep -c "move:NXM_NX_CT_LABEL\\[[\\]]->NXM_NX_XXREG1\\[[\\]],move:NXM_NX_XXREG1\\[[32..79\\]]->NXM_OF_ETH_DST" done; :], [0], [dnl 
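Review bot: `grep table=$ecmp_stateful hv${hv}flows` and `grep table=$arp_resolve hv${hv}flows` in this hunk match on an unterminated number, so a value such as 17 also matches lines for tables 170 to 179 in the saved dump. With the number now coming from `ovn-debug` and free to change, terminate the pattern with the comma that follows it in the dump output, for example `grep "table=$ecmp_stateful," hv${hv}flows`; the same applies to the identical pair in the `@@ -29125,11 +29158,11 @@` hunk.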
@@ -29090,25 +29119,29 @@ check ovn-nbctl --ecmp-symmetric-reply --policy="src-ip" lr-route-add GW 1001::/ wait_for_ports_up check ovn-nbctl --wait=hv sync +# Get the OF table numbers +ecmp_stateful=$(ovn-debug lflow-stage-to-oftable lr_in_ecmp_stateful) +arp_resolve=$(ovn-debug lflow-stage-to-oftable lr_in_arp_resolve) + # Ensure ECMP symmetric reply flows are not present on any hypervisor. AT_CHECK([ - test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=17 | \ + test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=$ecmp_stateful | \ grep "priority=100" | \ grep "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_LABEL\\[[80..95\\]]))" -c) ]) AT_CHECK([ - test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=25 | \ + test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=$arp_resolve | \ grep "priority=200" | \ grep "actions=move:NXM_NX_CT_LABEL\\[[32..79\\]]->NXM_OF_ETH_DST\\[[\\]]" -c) ]) AT_CHECK([ - test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=17 | \ + test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=$ecmp_stateful | \ grep "priority=100" | \ grep "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_MARK\\[[16..31\\]]))" -c) ]) AT_CHECK([ - test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=25 | \ + test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=$arp_resolve | \ grep "priority=200" | \ grep "actions=move:NXM_NX_CT_LABEL\\[[\\]]->NXM_OF_ETH_DST\\[[\\]]" -c) ]) 
@@ -29125,11 +29158,11 @@ AT_CAPTURE_FILE([hv2flows]) AT_CHECK([ for hv in 1 2; do - grep table=17 hv${hv}flows | \ + grep table=$ecmp_stateful hv${hv}flows | \ grep "priority=100" | \ grep -c "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],.*exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_MARK\\[[16..31\\]]))" - grep table=25 hv${hv}flows | \ + grep table=$arp_resolve hv${hv}flows | \ grep "priority=200" | \ grep -c "move:NXM_NX_CT_LABEL\\[[\\]]->NXM_NX_XXREG1\\[[\\]],move:NXM_NX_XXREG1\\[[32..79\\]]->NXM_OF_ETH_DST" done; :], [0], [dnl @@ -29577,6 +29610,9 @@ OVN_POPULATE_ARP wait_for_ports_up ovn-nbctl --wait=hv sync +# Get the OF table numbers +arp_resolve=$(ovn-debug lflow-stage-to-oftable lr_in_arp_resolve) + sw_key=$(ovn-sbctl --bare --columns tunnel_key list datapath_binding r1) echo sw_key: $sw_key @@ -29596,7 +29632,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep "actions=controller" | grep ]) # The packet should have been dropped in the lr_in_ip_input stage. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=11, n_packets=1,.* priority=60,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=$(ovn-debug lflow-stage-to-oftable lr_in_ip_input), n_packets=1,.* priority=60,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl 1 ]) @@ -29626,7 +29662,7 @@ if test X"$1" = X"DGP"; then else prio=2 fi -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=25, n_packets=1,.* priority=$prio,ip,$inport.*$outport.*metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=$arp_resolve, n_packets=1,.* priority=$prio,ip,$inport.*$outport.*metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl 1 ]) 
@@ -29645,13 +29681,13 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep "actions=controller" | grep if test X"$1" = X"DGP"; then # The packet dst should be resolved once for E/W centralized NAT purpose. - AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=25, n_packets=1,.* priority=100,reg0=0xa000101,reg15=.*metadata=0x${sw_key} actions=mod_dl_dst:00:00:00:00:01:01,resubmit" -c], [0], [dnl + AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=$arp_resolve, n_packets=1,.* priority=100,reg0=0xa000101,reg15=.*metadata=0x${sw_key} actions=mod_dl_dst:00:00:00:00:01:01,resubmit" -c], [0], [dnl 1 ]) fi # The packet should've been finally dropped in the lr_in_arp_resolve stage. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=25, n_packets=2,.* priority=$prio,ip,$inport.*$outport.*metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=$arp_resolve, n_packets=2,.* priority=$prio,ip,$inport.*$outport.*metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl 1 ]) OVN_CLEANUP([hv1]) 
@@ -31430,47 +31466,50 @@ ovn-nbctl --wait=hv pg-set-ports pg1 sw0-p1 sw0-p2 sw0-p3 sw0-p4 AT_CHECK([kill -0 $(cat hv1/ovn-controller.pid)]) check ovn-nbctl --wait=hv sync +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) + # Check OVS flows are installed properly. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=46 | ofctl_strip_all | \ +AT_CHECK_UNQUOTED([as hv1 ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "priority=2002" | grep conjunction | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/reg15=0x[[1-9]]/reg15=0xN/g' | sort], [0], [dnl - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x10/0xfff0 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x100/0xff00 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x1000/0xf000 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x2/0xfffe actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x20/0xffe0 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x200/0xfe00 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x2000/0xe000 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x4/0xfffc actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x40/0xffc0 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x400/0xfc00 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x4000/0xc000 actions=conjunction() - table=46, 
priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x8/0xfff8 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x80/0xff80 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x800/0xf800 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x8000/0x8000 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=1 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,reg15=0xN,metadata=0x1,nw_src=192.168.47.4 actions=conjunction() - table=46, priority=2002,udp,reg0=0x100/0x100,reg15=0xN,metadata=0x1,nw_src=192.168.47.4 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x10/0xfff0 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x100/0xff00 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x1000/0xf000 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x2/0xfffe actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x20/0xffe0 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x200/0xfe00 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x2000/0xe000 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x4/0xfffc actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x40/0xffc0 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x400/0xfc00 
actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x4000/0xc000 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x8/0xfff8 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x80/0xff80 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x800/0xf800 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x8000/0x8000 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=1 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,reg15=0xN,metadata=0x1,nw_src=192.168.47.4 actions=conjunction() - table=46, priority=2002,udp,reg0=0x80/0x80,reg15=0xN,metadata=0x1,nw_src=192.168.47.4 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x10/0xfff0 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x100/0xff00 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x1000/0xf000 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x2/0xfffe actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x20/0xffe0 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x200/0xfe00 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x2000/0xe000 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x4/0xfffc actions=conjunction() + table=$acl_eval, 
priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x40/0xffc0 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x400/0xfc00 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x4000/0xc000 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x8/0xfff8 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x80/0xff80 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x800/0xf800 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x8000/0x8000 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,metadata=0x1,nw_src=192.168.47.4,tp_dst=1 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,reg15=0xN,metadata=0x1,nw_src=192.168.47.4 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x100/0x100,reg15=0xN,metadata=0x1,nw_src=192.168.47.4 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x10/0xfff0 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x100/0xff00 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x1000/0xf000 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x2/0xfffe actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x20/0xffe0 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x200/0xfe00 actions=conjunction() + 
table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x2000/0xe000 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x4/0xfffc actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x40/0xffc0 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x400/0xfc00 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x4000/0xc000 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x8/0xfff8 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x80/0xff80 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x800/0xf800 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=0x8000/0x8000 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,metadata=0x1,nw_src=192.168.47.4,tp_dst=1 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,reg15=0xN,metadata=0x1,nw_src=192.168.47.4 actions=conjunction() + table=$acl_eval, priority=2002,udp,reg0=0x80/0x80,reg15=0xN,metadata=0x1,nw_src=192.168.47.4 actions=conjunction() ]) OVN_CLEANUP([hv1]) 
@@ -32645,7 +32684,11 @@ ovs-vsctl add-port br-int lsp0-0 -- set interface lsp0-0 external_ids:iface-id=l ovs-vsctl add-port br-int lsp0-1 -- set interface lsp0-1 external_ids:iface-id=lsp0-1 check ovn-nbctl --wait=hv sync -AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep conjunction | wc -l) == 22]) + +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) + +AT_CHECK([test $(ovs-ofctl dump-flows br-int table=$acl_eval | grep conjunction | wc -l) == 22]) # Save the current lflow_run counter lflow_run=$(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) @@ -32655,7 +32698,7 @@ lflow_run=$(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) # 1. Remove half of the ports from pg1. The excepted conjunction flows should be: # 2 + 10 = 12 check ovn-nbctl --wait=hv pg-set-ports pg1 $(for i in 0 1 2 3 4; do for j in 0 1; do echo lsp${i}-${j}; done; done) -AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep conjunction | wc -l) == 12]) +AT_CHECK([test $(ovs-ofctl dump-flows br-int table=$acl_eval | grep conjunction | wc -l) == 12]) # 2. Unbind lsp0-0. The there shouldn't be any conjunction flows because the # port group const set should have only one member (lsp0-1). And the total 
@@ -32663,25 +32706,25 @@ AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep conjunction | wc -l # 10. ovs-vsctl del-port br-int lsp0-0 check ovn-nbctl --wait=hv sync -AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep conjunction | wc -l) == 0]) -AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep 192.168 | wc -l) == 10]) +AT_CHECK([test $(ovs-ofctl dump-flows br-int table=$acl_eval | grep conjunction | wc -l) == 0]) +AT_CHECK([test $(ovs-ofctl dump-flows br-int table=$acl_eval | grep 192.168 | wc -l) == 10]) # 3. Rebind lsp0-0. The expected conjunction flows are back to 12. ovs-vsctl add-port br-int lsp0-0 -- set interface lsp0-0 external_ids:iface-id=lsp0-0 check ovn-nbctl --wait=hv sync -AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep conjunction | wc -l) == 12]) +AT_CHECK([test $(ovs-ofctl dump-flows br-int table=$acl_eval | grep conjunction | wc -l) == 12]) # 4. Bind a lsp (lsp9-0) that doesn't belong to pg1, should not see any change. ovs-vsctl add-port br-int lsp9-0 -- set interface lsp9-0 external_ids:iface-id=lsp9-0 check ovn-nbctl --wait=hv sync -AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep conjunction | wc -l) == 12]) +AT_CHECK([test $(ovs-ofctl dump-flows br-int table=$acl_eval | grep conjunction | wc -l) == 12]) # 5. Bind another 2 lsps (lsp1-0 lsp1-1) that belong to pg1 and on a different # LS (ls1), should see conjunction flows doubled (12 x 2 = 24) ovs-vsctl add-port br-int lsp1-0 -- set interface lsp1-0 external_ids:iface-id=lsp1-0 ovs-vsctl add-port br-int lsp1-1 -- set interface lsp1-1 external_ids:iface-id=lsp1-1 check ovn-nbctl --wait=hv sync -AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep conjunction | wc -l) == 24]) +AT_CHECK([test $(ovs-ofctl dump-flows br-int table=$acl_eval | grep conjunction | wc -l) == 24]) # 6. Simulate a SB port-group "del and add" notification to ovn-controller in the # same IDL iteration. ovn-controller should still program the same flows. In 
@@ -32706,7 +32749,7 @@ for i in $(seq 1 10); do check ovn-nbctl --wait=hv sync # Finally check flow count is the same as before. - AT_CHECK([test $(ovs-ofctl dump-flows br-int table=46 | grep conjunction | wc -l) == 24]) + AT_CHECK([test $(ovs-ofctl dump-flows br-int table=$acl_eval | grep conjunction | wc -l) == 24]) done # Make sure all the above was performed with I-P (no recompute) @@ -32751,15 +32794,18 @@ check ovs-vsctl add-port br-int vm1 \ wait_for_ports_up check ovn-nbctl --wait=hv sync +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_in_acl_eval) + dp_key=$(fetch_column Datapath_Binding tunnel_key external_ids:name=ls) rtr_port_key=$(fetch_column Port_Binding tunnel_key logical_port=ls_lr) -ovs-ofctl dump-flows br-int table=16 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42" +ovs-ofctl dump-flows br-int table=$acl_eval | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42" # Check that ovn-controller adds a flow to drop packets with dest IP # 42.42.42.42 coming from the router port. -AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=16 | ofctl_strip_all | \ +AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=$acl_eval | ofctl_strip_all | \ grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42"], [0], [dnl - table=16, priority=1001,ip,reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,17) + table=$acl_eval, priority=1001,ip,reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,$(ovn-debug lflow-stage-to-oftable ls_in_acl_action)) ]) OVN_CLEANUP([hv1]) 
@@ -33114,8 +33160,12 @@ check ovn-nbctl acl-add lsw0 to-lport 1002 'outport == "lp2" && ip4.src == 10.0. # The first ACL should be programmed, but the second one shouldn't. check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10.0.0.111], [0], [ignore]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10.0.0.122], [1], [ignore]) + +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) + +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10.0.0.111], [0], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10.0.0.122], [1], [ignore]) # Now create the lport lp2. check ovn-nbctl lsp-add lsw0 lp2 \ @@ -33123,12 +33173,12 @@ check ovn-nbctl lsp-add lsw0 lp2 \ check ovn-nbctl --wait=hv sync # Now the second ACL should be programmed. -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10.0.0.122], [0], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10.0.0.122], [0], [ignore]) # Remove the lport lp2 again, the OVS flow for the second ACL should be # removed. check ovn-nbctl --wait=hv lsp-del lp2 -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10.0.0.122], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10.0.0.122], [1], [ignore]) # Test similar scenario but when the referenced lport is not bound locally. 
@@ -33142,8 +33192,8 @@ check ovn-nbctl acl-add lsw0 to-lport 1002 'inport == "lp4" && ip4.dst == 10.0.0 # The ACL for lp3 should be programmed, but the one for lp4 shouldn't. check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10.0.0.133], [0], [ignore]) -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10.0.0.144], [1], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10.0.0.133], [0], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10.0.0.144], [1], [ignore]) # Now create the lport lp4. check ovn-nbctl lsp-add lsw0 lp4 \ @@ -33151,7 +33201,7 @@ check ovn-nbctl lsp-add lsw0 lp4 \ # Now the ACL for lp4 should be programmed. check ovn-nbctl --wait=hv sync -AT_CHECK([ovs-ofctl dump-flows br-int table=46 | grep 10.0.0.144], [0], [ignore]) +AT_CHECK([ovs-ofctl dump-flows br-int table=$acl_eval | grep 10.0.0.144], [0], [ignore]) OVN_CLEANUP([hv1]) AT_CLEANUP 
@@ -33513,16 +33563,19 @@ done check ovn-nbctl --wait=hv sync +# Get the OF table numbers +arp_rsp=$(ovn-debug lflow-stage-to-oftable ls_in_arp_rsp) + # hv0 should see flows for lsp1 but not lsp2 -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=29 | grep 10.0.2.2], [1]) +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=$arp_rsp | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=$arp_rsp | grep 10.0.2.2], [1]) # hv2 should see flows for lsp2 but not lsp1 -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.2.2], [0], [ignore]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [1]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=$arp_rsp | grep 10.0.2.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=$arp_rsp | grep 10.0.1.2], [1]) # Change lrp_lr_ls1 to a regular lrp, hv2 should see flows for lsp1 check ovn-nbctl --wait=hv lrp-del-gateway-chassis lrp_lr_ls1 hv1 -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=$arp_rsp | grep 10.0.1.2], [0], [ignore]) # Change it back, and trigger recompute to make sure extra flows are removed # from hv2 (recompute is needed because currently I-P adds local datapaths but 
@@ -33530,11 +33583,11 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ig check ovn-nbctl --wait=hv lrp-set-gateway-chassis lrp_lr_ls1 hv1 1 as hv2 check ovn-appctl -t ovn-controller recompute ovn-nbctl --wait=hv sync -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [1]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=$arp_rsp | grep 10.0.1.2], [1]) # Enable dnat_and_snat on lr, and now hv2 should see flows for lsp1. AT_CHECK([ovn-nbctl --wait=hv --gateway-port=lrp_lr_ls1 lr-nat-add lr dnat_and_snat 192.168.0.1 10.0.1.3 lsp1 f0:00:00:00:00:03]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=$arp_rsp | grep 10.0.1.2], [0], [ignore]) OVN_CLEANUP([hv1],[hv2]) AT_CLEANUP @@ -35617,6 +35670,10 @@ check ovs-vsctl add-port br-int p2 -- set interface p2 external_ids:iface-id=lsp wait_for_ports_up ovn-nbctl --wait=hv sync +# Get the OF table numbers +acl_eval=$(ovn-debug lflow-stage-to-oftable ls_in_acl_eval) +acl_action=$(ovn-debug lflow-stage-to-oftable ls_in_acl_action) + dnl Ensure the ACL is not translated to OpenFlow. as hv1 AT_CHECK([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42'], [1], []) 
@@ -35630,14 +35687,14 @@ lsp2=0x$(fetch_column Port_Binding tunnel_key logical_port=lsp2) dnl Ensure the ACL is translated to OpenFlows expanding pg1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) - table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) + table=$acl_eval, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) ]) dnl Remove a port from pg1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv pg-set-ports pg1 lsp2 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) + table=$acl_eval, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) ]) dnl Change the Chassis_Template_Var mapping to use the address set. 
@@ -35646,14 +35703,14 @@ check ovn-nbctl --wait=hv set Chassis_Template_Var hv1 variables:CONDITION='ip4. dnl Ensure the ACL is translated to OpenFlows expanding as1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) ]) dnl Remove an IP from AS1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv set address_set as1 addresses=\"1.1.1.1\" AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) + table=$acl_eval, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,$acl_action) ]) dnl Remove the mapping and expect OpenFlows to be removed. diff --git a/tests/system-ovn-kmod.at b/tests/system-ovn-kmod.at index 14fe4ecec..41d548201 100644 --- a/tests/system-ovn-kmod.at +++ b/tests/system-ovn-kmod.at @@ -112,6 +112,10 @@ NETNS_DAEMONIZE([bar1], [nc -l -k 192.168.2.2 80], [nc-bar1.pid]) # Wait for ovn-controller to catch up. ovn-nbctl --wait=hv sync + +# Get the OF table numbers +dnat=$(ovn-debug lflow-stage-to-oftable lr_in_dnat) + OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-groups br-int | \ grep 'nat(dst=192.168.2.2:80)']) 
@@ -151,8 +155,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_LB_AFFINITY --n ]) check_affinity_flows () { -n1=$(ovs-ofctl dump-flows br-int table=15 |awk '/priority=150,ct_state=\+new\+trk,ip,reg4=0xc0a80102,.*nw_dst=172.16.1.100/{print substr($4,11,length($4)-11)}') -n2=$(ovs-ofctl dump-flows br-int table=15 |awk '/priority=150,ct_state=\+new\+trk,ip,reg4=0xc0a80202,.*nw_dst=172.16.1.100/{print substr($4,11,length($4)-11)}') +n1=$(ovs-ofctl dump-flows br-int table=$dnat |awk '/priority=150,ct_state=\+new\+trk,ip,reg4=0xc0a80102,.*nw_dst=172.16.1.100/{print substr($4,11,length($4)-11)}') +n2=$(ovs-ofctl dump-flows br-int table=$dnat |awk '/priority=150,ct_state=\+new\+trk,ip,reg4=0xc0a80202,.*nw_dst=172.16.1.100/{print substr($4,11,length($4)-11)}') [[ $n1 -gt 0 -a $n2 -eq 0 ]] || [[ $n1 -eq 0 -a $n2 -gt 0 ]] echo $? } @@ -404,6 +408,10 @@ ovn-nbctl lr-lb-add R2 lb10-no-aff # Wait for ovn-controller to catch up. ovn-nbctl --wait=hv sync + +# Get the OF table numbers +dnat=$(ovn-debug lflow-stage-to-oftable lr_in_dnat) + OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-groups br-int | \ grep 'nat(dst=\[[fd11::2\]]:80)']) 
@@ -448,8 +456,8 @@ AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_LB_AFFINITY --n ]) check_affinity_flows () { -n1=$(ovs-ofctl dump-flows br-int table=15 |awk '/priority=150,ct_state=\+new\+trk,ipv6,reg4=0xfd110000,.*ipv6_dst=fd30::1\s/{print substr($4,11,length($4)-11)}') -n2=$(ovs-ofctl dump-flows br-int table=15 |awk '/priority=150,ct_state=\+new\+trk,ipv6,reg4=0xfd120000,.*ipv6_dst=fd30::1\s/{print substr($4,11,length($4)-11)}') +n1=$(ovs-ofctl dump-flows br-int table=$dnat |awk '/priority=150,ct_state=\+new\+trk,ipv6,reg4=0xfd110000,.*ipv6_dst=fd30::1\s/{print substr($4,11,length($4)-11)}') +n2=$(ovs-ofctl dump-flows br-int table=$dnat |awk '/priority=150,ct_state=\+new\+trk,ipv6,reg4=0xfd120000,.*ipv6_dst=fd30::1\s/{print substr($4,11,length($4)-11)}') [[ $n1 -gt 0 -a $n2 -eq 0 ]] || [[ $n1 -eq 0 -a $n2 -gt 0 ]] echo $? } diff --git a/tests/system-ovn.at b/tests/system-ovn.at index c22c7882f..e1373f185 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -2168,6 +2168,10 @@ ovn-nbctl -- --id=@nat create nat type="snat" logical_ip=192.168.2.2 \ # Wait for ovn-controller to catch up. ovn-nbctl --wait=hv sync + +# Get the OF table numbers +snat=$(ovn-debug lflow-stage-to-oftable lr_out_snat) + OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-groups br-int | \ grep 'nat(dst=192.168.2.2:80)']) @@ -2204,7 +2208,7 @@ tcp,orig=(src=172.16.1.2,dst=30.0.0.2,sport=,dport=),reply=(sr ]) check_est_flows () { - n=$(ovs-ofctl dump-flows br-int table=13 | grep \ + n=$(ovs-ofctl dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable lr_in_defrag) | grep \ "priority=100,tcp,metadata=0x2,nw_dst=30.0.0.2" | grep nat | sed -n 's/.*n_packets=\([[0-9]]\{1,\}\).*/\1/p') 
@@ -2230,7 +2234,7 @@ ovn-nbctl set load_balancer $uuid vips:'"30.0.0.2:8000"'='"192.168.1.2:80,192.16 ovn-nbctl list load_balancer ovn-sbctl dump-flows R2 -OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=45 | \ +OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=$snat | \ grep 'nat(src=20.0.0.2)']) check ovs-appctl dpctl/flush-conntrack @@ -2269,7 +2273,7 @@ ovn-nbctl set load_balancer $uuid vips:'"30.0.0.2:8000"'='"192.168.1.2:80,192.16 ovn-nbctl list load_balancer ovn-sbctl dump-flows R2 -OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=45 | \ +OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=$snat | \ grep 'nat(src=20.0.0.2)']) rm -f wget*.log @@ -5055,7 +5059,7 @@ OVS_WAIT_UNTIL([ ]) OVS_WAIT_UNTIL([ - n_pkt=$(ovs-ofctl dump-flows br-int table=46 | grep -v n_packets=0 | \ + n_pkt=$(ovs-ofctl dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) | grep -v n_packets=0 | \ grep controller | grep tp_dst=84 -c) test $n_pkt -eq 1 ]) @@ -5302,7 +5306,7 @@ OVS_WAIT_UNTIL([ ]) OVS_WAIT_UNTIL([ - n_pkt=$(ovs-ofctl dump-flows br-int table=46 | grep -v n_packets=0 | \ + n_pkt=$(ovs-ofctl dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) | grep -v n_packets=0 | \ grep controller | grep tp_dst=84 -c) test $n_pkt -eq 1 ]) @@ -8818,7 +8822,7 @@ ovn-sbctl list ip_multicast wait_igmp_flows_installed() { - OVS_WAIT_UNTIL([ovs-ofctl dump-flows br-int table=35 | \ + OVS_WAIT_UNTIL([ovs-ofctl dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable ls_in_l2_lkup) | \ grep 'priority=90' | grep "nw_dst=$1"]) } @@ -12029,7 +12033,7 @@ sctp,orig=(src=172.16.1.2,dst=30.0.0.2,sport=,dport=),reply=(s ]) check_est_flows () { - n=$(ovs-ofctl dump-flows br-int table=15 | grep "+est" \ + n=$(ovs-ofctl dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable lr_in_dnat) | grep "+est" \ | grep "ct_mark=$1" | sed -n 's/.*n_packets=\([[0-9]]\{1,\}\).*/\1/p') echo "n_packets=$n" 
@@ -12055,7 +12059,7 @@ ovn-nbctl set load_balancer $uuid vips:'"30.0.0.2:8000"'='"192.168.1.2:12345,192 ovn-nbctl list load_balancer ovn-sbctl dump-flows R2 -OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=45 | grep 'nat(src=20.0.0.2)']) +OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=$(ovn-debug lflow-stage-to-oftable lr_out_snat) | grep 'nat(src=20.0.0.2)']) dnl Test load-balancing that includes L4 ports in NAT. for i in `seq 1 20`; do
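Review bot: In the tests/ovn.at hunk at @@ -32751,15 +32794,18 @@ the ls_in_acl_action lookup is written inline inside the expected output, resubmit(,$(ovn-debug lflow-stage-to-oftable ls_in_acl_action)), while ls_in_acl_eval is hoisted into acl_eval a few lines above. The hunk at @@ -35617,6 +35670,10 @@ already defines both acl_eval and acl_action up front; doing the same here (acl_action=$(ovn-debug lflow-stage-to-oftable ls_in_acl_action) next to acl_eval, then resubmit(,$acl_action)) keeps the expected flow readable and consistent. Separately, acl_eval holds ls_in_acl_eval in this test but ls_out_acl_eval in the hunks at @@ -32645,7 +32684,11 @@ and @@ -33114,8 +33160,12 @@; a direction-specific name (for example in_acl_eval and out_acl_eval) would make it harder to check the wrong pipeline when a test is copied.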
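Review bot: In the tests/ovn.at hunk at @@ -33114,8 +33160,12 @@ the value assigned by acl_eval=$(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) is never validated before it is used in checks that expect grep to find nothing (grep 10.0.0.122 with expected status [1]). If a stage is renamed later, the failure would surface in a flow check rather than at the lookup, which makes the cause harder to read from the test log. Consider asserting right after the assignment, for example AT_CHECK([test -n "$acl_eval"]), or wrapping the lookup in a small helper that fails when the output is empty; the same applies to the arp_rsp, dnat and snat assignments elsewhere in the patch.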
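Review bot: In the tests/system-ovn.at hunks at @@ -5055,7 +5059,7 @@ and @@ -5302,7 +5306,7 @@ the lookup $(ovn-debug lflow-stage-to-oftable ls_out_acl_eval) sits inside the OVS_WAIT_UNTIL body, so ovn-debug is executed again on every retry of the wait; the same holds for wait_igmp_flows_installed (ls_in_l2_lkup) and for both check_est_flows functions (lr_in_defrag, lr_in_dnat), which run the lookup on each call. The table number does not change during a test, so resolve it once before the wait or function, as the hunk at @@ -2168,6 +2168,10 @@ does with snat. The hunk at @@ -12055,7 +12059,7 @@ also looks up lr_out_snat inline where the earlier hunks in this file use $snat; a hoisted variable there would keep the file uniform.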