From patchwork Fri Jun 4 16:54:48 2021
X-Patchwork-Submitter: Lorenzo Bianconi
X-Patchwork-Id: 1487945
From: Lorenzo Bianconi
To: dev@openvswitch.org
Cc: dceara@redhat.com
Date: Fri, 4 Jun 2021 18:54:48 +0200
X-Mailer: git-send-email 2.31.1
Subject: [ovs-dev] [PATCH ovn] northd: do not centralize traffic for unclaimed virtual ports

Add a rule to drop traffic from a distributed NAT if the virtual port has not been claimed yet, because otherwise the traffic will be centralized, misconfiguring the TOR switch.

https://bugzilla.redhat.com/show_bug.cgi?id=1952961

Signed-off-by: Lorenzo Bianconi
---
 northd/ovn-northd.c | 23 ++++++++++++++++++-----
 tests/ovn.at        | 26 ++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 9652ce252..539b8f8b0 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -11666,6 +11666,7 @@ lrouter_check_nat_entry(struct ovn_datapath *od, const struct nbrec_nat *nat, static void build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows, + struct hmap *ports, struct shash *meter_groups, struct hmap *lbs, struct ds *match, struct ds *actions)
@@ -11773,10 +11774,21 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, ds_clear(match); ds_clear(actions); ds_put_format(match, - "ip%s.src == %s && outport == %s && " - "is_chassis_resident(\"%s\")", + "ip%s.src == %s && outport == %s", is_v6 ? "6" : "4", nat->logical_ip, - od->l3dgw_port->json_key, nat->logical_port); + od->l3dgw_port->json_key); + /* Add a rule to drop traffic from a distributed NAT if + * the virtual port has not claimed yet becaused otherwise + * the traffic will be centralized misconfiguring the TOR switch. + */ + struct ovn_port *op = ovn_port_find(ports, nat->logical_port); + if (op && op->nbsp && !strcmp(op->nbsp->type, "virtual")) { + ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_GW_REDIRECT, + 80, ds_cstr(match), "drop;", + &nat->header_); + } + ds_put_format(match, " && is_chassis_resident(\"%s\")", + nat->logical_port); ds_put_format(actions, "eth.src = %s; %s = %s; next;", nat->external_mac, is_v6 ? REG_SRC_IPV6 : REG_SRC_IPV4, @@ -11935,8 +11947,9 @@ build_lswitch_and_lrouter_iterate_by_od(struct ovn_datapath *od, &lsi->actions); build_misc_local_traffic_drop_flows_for_lrouter(od, lsi->lflows); build_lrouter_arp_nd_for_datapath(od, lsi->lflows); - build_lrouter_nat_defrag_and_lb(od, lsi->lflows, lsi->meter_groups, - lsi->lbs, &lsi->match, &lsi->actions); + build_lrouter_nat_defrag_and_lb(od, lsi->lflows, lsi->ports, + lsi->meter_groups, lsi->lbs, &lsi->match, + &lsi->actions); } /* Helper function to combine all lflow generation which is iterated by port. diff --git a/tests/ovn.at b/tests/ovn.at index f26894ce4..7731c915e 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
@@ -17165,6 +17165,16 @@ send_arp_reply() { as hv$hv ovs-appctl netdev-dummy/receive hv${hv}-vif$inport $request } +send_icmp_packet() { + local inport=$1 hv=$2 eth_src=$3 eth_dst=$4 ipv4_src=$5 ipv4_dst=$6 ip_chksum=$7 data=$8 + shift 8 + + local ip_ttl=ff + local ip_len=001c + local packet=${eth_dst}${eth_src}08004500${ip_len}00004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst}${data} + as hv$hv ovs-appctl netdev-dummy/receive hv${hv}-vif$inport $packet +} + net_add n1 sim_add hv1 @@ -17377,6 +17387,22 @@ logical_port=sw0-vir) = x]) wait_row_count nb:Logical_Switch_Port 1 up=false name=sw0-vir check ovn-nbctl --wait=hv sync + +# verify the traffic from virtual port is discarded if the port is not claimed +AT_CHECK([grep lr_in_gw_redirect lr0-flows2 | grep "ip4.src == 10.0.0.10"], [0], [dnl + table=17(lr_in_gw_redirect ), priority=100 , match=(ip4.src == 10.0.0.10 && outport == "lr0-public" && is_chassis_resident("sw0-vir")), action=(eth.src = 10:54:00:00:00:10; reg1 = 172.168.0.50; next;) + table=17(lr_in_gw_redirect ), priority=80 , match=(ip4.src == 10.0.0.10 && outport == "lr0-public"), action=(drop;) +]) + +eth_src=505400000003 +eth_dst=00000000ff01 +ip_src=$(ip_to_hex 10 0 0 10) +ip_dst=$(ip_to_hex 172 168 0 101) +send_icmp_packet 1 1 $eth_src $eth_dst $ip_src $ip_dst c4c9 0000000000000000000000 +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | awk '/table=25, n_packets=1, n_bytes=45/{print $7" "$8}'],[0],[dnl +priority=80,ip,reg15=0x3,metadata=0x3,nw_src=10.0.0.10 actions=drop +]) + # hv1 should remove the flow for the ACL with is_chassis_redirect check for sw0-vir. check_virtual_offlows_not_present hv1
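Review bot: in the northd/ovn-northd.c hunk at @@ -11773, the new priority-80 `drop;` flow in S_ROUTER_IN_GW_REDIRECT carries no `is_chassis_resident` test, so it is not limited to the unclaimed case the comment describes: on any chassis where the priority-100 flow does not match (the virtual port is claimed, but on another chassis), traffic from `nat->logical_ip` towards the l3dgw port is now dropped instead of falling through to the lower-priority centralized path. If that is the intended behaviour, say so in the comment and in the commit message; if not, the drop needs to be conditioned on the port's claim state rather than installed for every virtual-port NAT. The added comment also needs its wording fixed: "has not claimed yet becaused" should read "has not been claimed yet because".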
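Review bot: in the tests/ovn.at hunk at @@ -17165, `send_icmp_packet` hard-codes `ip_len=001c` (28 bytes, i.e. 8 bytes after the IPv4 header) while the only caller in the next hunk passes 11 bytes of `data`, and the test then expects `n_bytes=45`, so the total-length field in the emitted packet disagrees with the frame that is actually sent. The helper also takes a precomputed `ip_chksum` argument (`c4c9` at the call site) that has to be redone by hand whenever any header byte changes, and the `shift 8` after the `local` assignments is unused. Suggest deriving the length from the payload, e.g. `local ip_len=$(printf %04x $((20 + ${#data} / 2)))`, computing the IPv4 checksum inside the helper, and dropping the `shift 8`; since the function builds no ICMP header itself (the caller's `data` is everything after the IP header), the name or a comment should make clear that the caller supplies type, code and ICMP checksum.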
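Review bot: in the tests/ovn.at hunk at @@ -17377, the OpenFlow assertion pins `table=25`, `reg15=0x3` and `metadata=0x3` and extracts the match with awk field positions (`$7" "$8`); table numbers and tunnel keys are assigned by northd/ovn-controller and shift whenever the logical pipeline is renumbered or datapath/port keys are allocated differently, which makes this check far more fragile than the `lr_in_gw_redirect` logical-flow check just above it. Suggest asserting on the stable parts only, for example `grep -c 'priority=80,ip.*nw_src=10.0.0.10 actions=drop'` together with the `n_packets=1` counter, rather than the exact register and metadata values. The preceding `wait_row_count ... up=false name=sw0-vir` does establish that the port is unclaimed before the packet is sent, which is the right ordering for this check.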