From patchwork Tue Jun 8 20:33:17 2021
X-Patchwork-Submitter: Ihar Hrachyshka
X-Patchwork-Id: 1489629
From: Ihar Hrachyshka
To: dev@openvswitch.org
Date: Tue, 8 Jun 2021 16:33:17 -0400
Message-Id: <20210608203317.1032014-1-ihrachys@redhat.com>
Subject: [ovs-dev] [PATCH ovn] Document priority behavior for allow-stateless ACLs

Since it's complex and probably impossible to split returning traffic for allow-related ACLs from stateless traffic, we don't fully implement ACL priority for allow-stateless rules. This means that allow-stateless rules always take precedence over stateful rules regardless of their relative priority order.

This patch documents this behavior and covers it with explicit test cases.

Signed-off-by: Ihar Hrachyshka

--- northd/ovn-northd.c | 1 + northd/ovn_northd.dl | 1 + ovn-nb.xml | 7 +++++ tests/ovn-northd.at | 66 +++++++++++++++++++++++++++++++++++++++++--- 4 files changed, 71 insertions(+), 4 deletions(-) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 9652ce252..d872f6a3c 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -5063,6 +5063,7 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *port_groups, 110, lflows); } + /* stateless filters always take precedence over stateful ACLs. */ build_stateless_filters(od, port_groups, lflows); /* Ingress and Egress Pre-ACL Table (Priority 110). diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index cb8418540..3afa80a3b 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl 
@@ -1841,6 +1841,7 @@ for (&Switch(._uuid =ls_uuid)) { .external_ids = map_empty()) } +/* stateless filters always take precedence over stateful ACLs. */ for (&SwitchACL(.sw = sw@&Switch{._uuid = ls_uuid}, .acl = &acl, .has_fair_meter = fair_meter)) { if (sw.has_stateful_acl) { if (acl.action == "allow-stateless") { diff --git a/ovn-nb.xml b/ovn-nb.xml index 47f25eac1..91b5e303a 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -1761,6 +1761,13 @@ Return traffic from an allow-related flow is always allowed and cannot be changed through an ACL.

+ +

+ allow-stateless flows always take precedence before + stateful ACLs, regardless of their priority. (Both + allow and allow-related ACLs can be + stateful.) +

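Review bot: in the added ovn-nb.xml paragraph, "take precedence before stateful ACLs" should read "take precedence over stateful ACLs". The ovn_northd.dl hunk also shows that allow-stateless ACLs only get this treatment under `if (sw.has_stateful_acl)`, so the paragraph should state that condition, e.g. "On a logical switch that has stateful ACLs, allow-stateless flows always take precedence over stateful ACLs, regardless of their priority."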
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 818ff7a20..4692775ad 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -2722,7 +2722,7 @@ ct_next(ct_state=new|trk) { # Allow stateless for TCP. for direction in from to; do - ovn-nbctl acl-add ls ${direction}-lport 1 tcp allow-stateless + ovn-nbctl acl-add ls ${direction}-lport 4 tcp allow-stateless done ovn-nbctl --wait=sb sync @@ -2778,7 +2778,7 @@ ct_lb { # Allow stateless for TCP. for direction in from to; do - ovn-nbctl acl-add ls ${direction}-lport 1 tcp allow-stateless + ovn-nbctl acl-add ls ${direction}-lport 4 tcp allow-stateless done ovn-nbctl --wait=sb sync @@ -2858,7 +2858,7 @@ ct_next(ct_state=new|trk) { # Allow stateless for TCP. for direction in from to; do - ovn-nbctl acl-add pg ${direction}-lport 1 tcp allow-stateless + ovn-nbctl acl-add pg ${direction}-lport 4 tcp allow-stateless done ovn-nbctl --wait=sb sync @@ -2914,7 +2914,7 @@ ct_lb { # Allow stateless for TCP. for direction in from to; do - ovn-nbctl acl-add pg ${direction}-lport 1 tcp allow-stateless + ovn-nbctl acl-add pg ${direction}-lport 4 tcp allow-stateless done ovn-nbctl --wait=sb sync 
@@ -2943,6 +2943,64 @@ ct_lb { AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- ACL allow-stateless overrides stateful rules with higher priority - Logical_Switch]) +ovn_start + +ovn-nbctl ls-add ls +ovn-nbctl lsp-add ls lsp1 +ovn-nbctl lsp-set-addresses lsp1 00:00:00:00:00:01 +ovn-nbctl lsp-add ls lsp2 +ovn-nbctl lsp-set-addresses lsp2 00:00:00:00:00:02 + +for direction in from to; do + ovn-nbctl acl-add ls ${direction}-lport 3 "tcp" allow-related + ovn-nbctl acl-add ls ${direction}-lport 3 "udp" allow +done +ovn-nbctl --wait=sb sync + +flow_eth='eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02' +flow_ip='ip.ttl==64 && ip4.src == 42.42.42.1 && ip4.dst == 66.66.66.66' +flow_tcp='tcp && tcp.dst == 80' +flow_udp='udp && udp.dst == 80' + +lsp1_inport=$(fetch_column Port_Binding tunnel_key logical_port=lsp1) + +# TCP packets should go to conntrack. +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}" +AT_CHECK_UNQUOTED([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl +# tcp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0 +ct_next(ct_state=new|trk) { + ct_next(ct_state=new|trk) { + output("lsp2"); + }; +}; +]) + +# Allow stateless with *lower* priority. It always beats stateful rules. +for direction in from to; do + ovn-nbctl acl-add ls ${direction}-lport 1 tcp allow-stateless + ovn-nbctl acl-add ls ${direction}-lport 1 udp allow-stateless +done +ovn-nbctl --wait=sb sync + +# TCP packets should not go to conntrack anymore. 
+flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}" +AT_CHECK_UNQUOTED([ovn-trace --minimal ls "${flow}"], [0], [dnl +# tcp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0 +output("lsp2"); +]) + +# UDP packets should not go to conntrack anymore. +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}" +AT_CHECK_UNQUOTED([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl +# udp,reg14=0x${lsp1_inport},vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80 +output("lsp2"); +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD([ AT_SETUP([ovn -- check BFD config propagation to SBDB]) AT_KEYWORDS([northd-bfd])
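Review bot: the new test says "UDP packets should not go to conntrack anymore" but never traces ${flow_udp} before the allow-stateless ACLs are added, so it does not establish that the priority-3 "udp" allow rule sent UDP to conntrack in the first place; add a UDP ovn-trace before the second acl-add loop, mirroring the TCP pre-check with its `ct_next(ct_state=new|trk)` expectation. Two smaller points: the post-change TCP trace drops the `--ct new --ct new` arguments that the UDP trace keeps, and the title ends in "- Logical_Switch" while the existing allow-stateless tests above come in ls and pg pairs, so a Port_Group counterpart would keep coverage symmetric.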
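The behavior this patch documents (an allow-stateless ACL bypasses conntrack ahead of any stateful ACL on the same switch, even one with a higher priority) is easy to misconfigure, because an operator who writes a higher-priority allow-related rule will expect it to win. The audit below is an added example, not OVN project code; it walks a set of northbound ACL records and reports every allow-stateless ACL that a higher-priority stateful ACL cannot beat. The ACL records are constructed by hand in the shape of the NB ACL table columns (direction, priority, match, action) and mirror the patch's test case; loading real records from `ovn-nbctl --format=json list ACL` is left out. The match-overlap check is a deliberate heuristic (bare L4 protocol keywords only), an assumption of this example rather than an OVN match evaluator.

```python
"""Audit OVN northbound ACLs for allow-stateless rules that override
higher-priority stateful rules. Added example, not OVN code."""
import re
from dataclasses import dataclass

# L4 protocol keywords we recognise in a match expression (assumption of
# this example; OVN's match language is richer than this).
L4_PROTOCOLS = ("tcp", "udp", "sctp", "icmp", "icmp4", "icmp6")


@dataclass(frozen=True)
class Acl:
    direction: str   # "from-lport" or "to-lport"
    priority: int
    match: str
    action: str      # allow, allow-related, allow-stateless, drop, reject


def switch_has_stateful_acl(acls):
    """A switch is stateful as soon as it carries one allow-related ACL;
    this is the condition under which allow-stateless gets its pre-ACL
    treatment (cf. has_stateful_acl in the patch)."""
    return any(a.action == "allow-related" for a in acls)


def protocols_in(match):
    """Bare L4 protocol keywords in a match, e.g. {'tcp'} for
    'tcp && tcp.dst == 80'. Field references such as tcp.dst are skipped."""
    tokens = re.findall(r"\b([a-z0-9]+)\b(?!\.)", match)
    return {tok for tok in tokens if tok in L4_PROTOCOLS}


def may_overlap(m1, m2):
    """Conservative overlap heuristic (assumption, not an OVN evaluator):
    identical matches overlap; otherwise assume overlap unless both name
    L4 protocols and the sets are disjoint (e.g. 'tcp' vs 'udp')."""
    if m1.strip() == m2.strip():
        return True
    p1, p2 = protocols_in(m1), protocols_in(m2)
    if p1 and p2 and p1.isdisjoint(p2):
        return False
    return True


def find_stateless_overrides(acls):
    """Return [(stateless_acl, [stateful ACLs it beats despite their higher
    priority])]. On a switch without stateful ACLs nothing is sent to
    conntrack, so there is no precedence to invert and nothing is reported."""
    if not switch_has_stateful_acl(acls):
        return []
    findings = []
    for s in acls:
        if s.action != "allow-stateless":
            continue
        beaten = [a for a in acls
                  if a.action in ("allow", "allow-related")
                  and a.direction == s.direction
                  and a.priority > s.priority
                  and may_overlap(a.match, s.match)]
        if beaten:
            findings.append((s, beaten))
    return findings


def report(acls):
    """Human-readable lines, one per overridden stateful ACL."""
    lines = []
    for s, beaten in find_stateless_overrides(acls):
        for a in beaten:
            lines.append(f"{s.direction}: allow-stateless '{s.match}' "
                         f"(prio {s.priority}) bypasses conntrack ahead of "
                         f"{a.action} '{a.match}' (prio {a.priority})")
    return lines


# Constructed sample mirroring the patch's test: stateful rules at priority 3,
# allow-stateless rules for the same protocols at the lower priority 1.
SAMPLE_ACLS = []
for _d in ("from-lport", "to-lport"):
    SAMPLE_ACLS += [
        Acl(_d, 3, "tcp", "allow-related"),
        Acl(_d, 3, "udp", "allow"),
        Acl(_d, 1, "tcp", "allow-stateless"),
        Acl(_d, 1, "udp", "allow-stateless"),
    ]

if __name__ == "__main__":
    for line in report(SAMPLE_ACLS):
        print(line)
```

Raising the allow-stateless priority above the stateful rules (as the patch does for the pre-existing tests, 1 to 4) makes the observed behavior match the configured priorities and clears the audit; the finding is only about rules whose priority order suggests the opposite of what northd installs.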