From patchwork Fri Jan 13 12:44:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abhiram Sangana X-Patchwork-Id: 1725938 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256 header.s=proofpoint20171006 header.b=VCgft02s; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256 header.s=selector1 header.b=lJnK6pqS; dkim-atps=neutral Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Nth2Q48zLz23dq for ; Fri, 13 Jan 2023 23:44:46 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id C8DB58216D; Fri, 13 Jan 2023 12:44:44 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org C8DB58216D Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256 header.s=proofpoint20171006 header.b=VCgft02s; dkim=fail reason="signature verification failed" (2048-bit key, unprotected) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256 header.s=selector1 header.b=lJnK6pqS X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ASwrRsSKzusn; Fri, 13 Jan 2023 12:44:42 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTPS id 32EEE81EF2; Fri, 13 Jan 2023 12:44:41 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 32EEE81EF2 Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id EE755C0033; Fri, 13 Jan 2023 12:44:40 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 59D66C002D for ; Fri, 13 Jan 2023 12:44:40 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 1473260C2A for ; Fri, 13 Jan 2023 12:44:40 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 1473260C2A Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256 header.s=proofpoint20171006 header.b=VCgft02s; dkim=pass (2048-bit key, unprotected) header.d=nutanix.com header.i=@nutanix.com header.a=rsa-sha256 header.s=selector1 header.b=lJnK6pqS X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uTuQ_gtcyrer for ; Fri, 13 Jan 2023 12:44:37 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 11DB060B8C Received: from mx0b-002c1b01.pphosted.com (mx0b-002c1b01.pphosted.com [148.163.155.12]) by smtp3.osuosl.org (Postfix) with ESMTPS id 11DB060B8C for ; Fri, 13 Jan 2023 12:44:36 +0000 (UTC) Received: from pps.filterd (m0127841.ppops.net [127.0.0.1]) by mx0b-002c1b01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 30DCS8TC008013 for ; Fri, 13 Jan 2023 04:44:35 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com; h=from : to : cc : subject : date : message-id : content-transfer-encoding : content-type : mime-version; s=proofpoint20171006; bh=q1cWpSdOGpttbqpXnBkLsyfBXU5enfc/9UqxIicwveY=; b=VCgft02sfHedKjptag4+KJknnJjFVGaRwMRjiM9O6LfIdbjb58lL73MU2wXntvIATipQ 8D1VszruxtAbjPr1R0yndf2UsDwxD6lHMndddGRzyU41RGj1KvNt8dWAkgPjjKyw6cow E76t/hEdxHhY6RKuKI1Nu+C6ZTINVI07hZc6zYJup8rDLyr/gfm/jz7D1w2UL9uskbGv BrE1gT0/p3UgQHikF0Po5o+1ARZ8OBmqMH1YiB2Sk6qegVEdXnQG3e3twa05xxbAt/0/ k+qWCTOX1kAIxmHuyzh/UC33G+iscfP38pXiT+fy97ArOAP8KDOBmyN5rgot359v3cw0 vA== Received: from nam04-mw2-obe.outbound.protection.outlook.com (mail-mw2nam04lp2169.outbound.protection.outlook.com [104.47.73.169]) by mx0b-002c1b01.pphosted.com (PPS) with ESMTPS id 3n1kq2wf0y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 13 Jan 2023 04:44:35 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=F+sTjASZ7mD+9XL/TAy5UvaYtKvfTOVSMBjFIyNWxw1Yi8FRa95mwd71Jpu1NTbMFsQe35MiluZZkn+FBb0Tcgcu7D3JJKCyk1NGiqi/zp/JXfe/FXlorJ171Z5x3yrbLdLTd/ePjakoA8T2vahs48LeYFMjauck7gTGpINbCd/UcsFxC4AlmrHbxb674Q27tYZqHbWqvSNseZwMvBilY2e7qZMpdkfdrM261VDqKEysWXywFAMhpQL74eLd1K2xNFqpwhRzRtgR/t5UfdYMih08CcrFNl/QqIMfq2diOsbM5nSRZEz+azmKuPKX8SMfjtQFicF0eOAdAxTmJL2Z/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=q1cWpSdOGpttbqpXnBkLsyfBXU5enfc/9UqxIicwveY=; b=A57FBYBfY+ps0CiDboO0oMw17fkO2/g5LGTQo8q517Fib1TdE6F96047Y3/sTJI76KdFBUSXPl3hI/Bb5mRQaC9kIaXzkqceLkYnabkIQiUj0EXVLlKgfU0F57MhR/E7/tWB7oVwRHWlx3lKD3lBgfHH//MS3O239Zv1SxdkslAxLhjnt8IBcyvqM4QoMfh1ClUnMPlQkhCGOnAkAN1TjZlaTkOOJQObNIWxght8v1T/Eig/w7wWVftfUpIGPakHT9aAT5lgwjEFgJzQ4IDrlJ5hCiEwFRTleIqHfKFyKwXaE2WFMHcoNV0e5vFgG9FiXaSlCxMHaFFnb76yo7GPmg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nutanix.com; dmarc=pass action=none header.from=nutanix.com; dkim=pass header.d=nutanix.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q1cWpSdOGpttbqpXnBkLsyfBXU5enfc/9UqxIicwveY=; b=lJnK6pqSDhxmosV3LQOrHsnDjBtSTvJ8XDx1Uv1MdflrZZTNQXl14CXEYwoeAPgp6CuF52R4HJbUbq3tOoY3LH/5vzIGXT+ajn9y5C6LRcm2hsZFBqxi6zwt1K0bqhkaO21woqDT6cFZvOzz9/bXRpSX/1f1ozyV8o1HhOE1Z8Xm/RcAcYbYv3KT8xIxGkBu9B00huAS8Hmbhusan20ORoKE9upsx3438+et+a8ReRQ434Cjt0s9KzIw+KOHlUEQ8fsW0lGRILNVLWFbiC+v/yUE4hrcrJmTi48ajJ+XfakR9/L/UEJ6KtOlP3vWtHZXPnQTrxsvw0t3I67n0bx2Gg== Received: from PH0PR02MB7542.namprd02.prod.outlook.com (2603:10b6:510:51::5) by BN0PR02MB8047.namprd02.prod.outlook.com (2603:10b6:408:16f::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.19; Fri, 13 Jan 2023 12:44:31 +0000 Received: from PH0PR02MB7542.namprd02.prod.outlook.com ([fe80::1d9e:8f61:3068:b567]) by PH0PR02MB7542.namprd02.prod.outlook.com ([fe80::1d9e:8f61:3068:b567%3]) with mapi id 15.20.5986.018; Fri, 13 Jan 2023 12:44:31 +0000 From: Abhiram Sangana To: dev@openvswitch.org Date: Fri, 13 Jan 2023 12:44:23 +0000 Message-Id: <20230113124423.242017-1-sangana.abhiram@nutanix.com> X-Mailer: git-send-email 2.22.3 X-ClientProxiedBy: SJ0PR03CA0037.namprd03.prod.outlook.com (2603:10b6:a03:33e::12) To PH0PR02MB7542.namprd02.prod.outlook.com (2603:10b6:510:51::5) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PH0PR02MB7542:EE_|BN0PR02MB8047:EE_ X-MS-Office365-Filtering-Correlation-Id: 550d407a-68c9-48c7-bd25-08daf563ea6e x-proofpoint-crosstenant: true X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: tPCfXamWB9KfMIRqp6Ih4b67mXc0AZ/4F0mFPuVUmigk2huWzHSzX7qOJuqsUdG5W8Vgo56+waksUoKyRGLCau9jSCzb5U7RJ4VorqvphvciKI55jUzDBN1CLLUV6AKxKoutsmVikjHn+XEv02XsxKh5saSZ1pTPUWhXmcNisgohT8Q09G9lmQ3jKlhR9suzeOLidLbgNqqZD6Zu5CLAfRvIhcvTl+QqKqVeemS+PHGd4lHFRNpcJ8JnRdu5hFCfk85IB+JbjYfUWya8SF7O7VGtNG5PpAd82kKbFILsp5MrGI0xKwXWkBQX8utCtyK8yyULKZVoPMY6mP/GOdx4oxgUfJXrRg5aMbEfehJ7EikjWG8Mpf/xNtGAFuL9Zbxk+WiwAOOUXshFeclj2k0ubbCS4W+UZ5CqzmqShLLuFMRDVDLoF4XZRp6qlwhgUFaq1IWKnhsf/Cagh1dF1pTCoN0NCfdcqZwW59KuNHO3ZOhLvWDM+24IvnxHtkCushjyKx8CgMzpNT5l/73dwImF4vFFGGlBtx065DTq6k/uhlcoHqRgoHLoaYB8kSHorjNi+HcYO4QRxH0U42soWCWAv/CkaVUR4roeGL5vVV9Yv2NJQjwd3sjtMAdZFomDTmfA9Hf3qkG8nQ1//ZF0mYCMVOVN+eGNqLB5lR9tw1rLmlA0aWkOEEDHiLIPKCH2vsBv5N/5u0PjcXYALAqSv2X7rOm0b4Di4UKBXg8pc1p9zrE= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH0PR02MB7542.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(39860400002)(346002)(136003)(366004)(376002)(396003)(451199015)(8936002)(5660300002)(41300700001)(4326008)(316002)(2906002)(66946007)(66556008)(6916009)(66476007)(8676002)(478600001)(6486002)(52116002)(38350700002)(38100700002)(186003)(107886003)(26005)(6512007)(6506007)(36756003)(6666004)(66574015)(1076003)(30864003)(86362001)(2616005)(83380400001)(21314003)(579004); DIR:OUT; SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: WYZqkI7GphG4PhMiSug/sr5Co7piAqIWAbXAMKigF82KGJNFF8Dk/1yRaYgArKn66QBN6S4pFEii1F1y0ZIgtGcZEZ5VPORoT8k5wErgLuoIIDwDnepoLm4eOhxXbylbnmX8VNubfnMl5dLRw6k7I+Z0OhFnL3uTd98YyiZAcQmlbUdV/ky1U/+8GsPy/Thb/G70NbTsz7WClIDhHuq/VMv7B/Okzzd6Fb1sJZ3B9UbOIqkkA2WsB9chhsweb7yYZCSTh71jkbzLEbOmDi0SPwnouzYczwgPb8P8OrJXusTh4Gh0FDJI7ToiwHni4TZeG5nnO8pq3AV4IhTESAb6W8uhqvtWDsNKguntmw7SC+KmZuQleexsck7ZKIlqe1FRoNSPdvGSncbw0KB35ZCd48n8SkR8G5JJSN4GHLk9LKxBLV/N6UpaKLXBGOKX3cx6DyHDfOnitk01vLLG+lQzFweKar5ETCu/h9SIcC/EZ/t/DOeHPw2tmeszaiuRxeAMTnzRPR7aziqASMWSuy7NPinbHSfo+m3ukDlAkdZnL42I9mHpTGzRO+fOyJwQ8TwnEPfhUydXB5Lqonw2INOS6z0WzN/Z/IVjoMCq0jXxDoQCdhuQRcI/big86JAF/CKyhd56XfVOsxsBeqn4/JQEdopJCrN8Bo0jdTaMAPDigp9t0K6Bm9DpHNjLW+RVUD+x/YFApUkv8u3sDRvjRJX1p7OlatlXd2LXRgdERa/kgLSLCK5LUiPI2KIIc6neqnhUWSolUz8iBNaUu24MkicWDHYW0FeTIfLzkKsOf9qQFCBkQbGtxM7PXRtqgyF6GbEOnEKhFs9wiUJGSV63of+/zeK8MnDPplZ3E0+P1/62QBE1JfTZ2y7sbQTqfFnqhRyv0C8fjgQyKTKnIAQoKySs/8q+HsqP2uHDu28qZv25HqdkxwYAOP9O62BZeICi4WKktElfiVQji0bGNYo3zV3308N1LPr5B5v4BWMJunyEG7fC+UtHbCbBn3ysNWm49WsAD/sexKkwAujoKOc3gICLutFYMZNwM3IHyJqedw8+ERRouvDjaKHCPqofIum9fOp+lyRpTZhRZYDd658wpfEmX32qwbxmvYa7BtDJwsz+e+xPeYTZkPr6/ZmLxwP/mBccL5yC/ElpC4NhfGnsrjV5D4BHc3RBW40uSit0JF5Rs/LVBHNDXUMAIJ1xP3zi+ZpwqKmK3AtZ+GL6dVf0XBl+sgoakWTPtDYokcVSdr5lh/72ACJ/cEBKihdqmMZtk/FbnRQeAcuhuACqv31OzGvs3IljNOKM+Dq5TmcXmYZfLxwxan1nnzR4Osg9LB57gJJm8Q4zi2dozxg3HCwN2slAiMcHJvyO1WlWLq4wzeCykej98rbJ4dcL52pP5nc8CK3/qMCxmPGMdKmuw1bAlAZPXRb0tNENfIcu1qZJggLst28DqgPzHJ2ha2CqrsrlpgvX5+/zaxayDaGYuW0tPDVuvi1YN9KVWpg+6eHMVkpr3+60OaC4liX7w9c+HafaXjVhbmQoFn8ZSL/SKJ2+rFxJvHEeHFB2BWBKv6pbanSiKVkmD2xVzcMXGybfEkaUhkQ+I/tWy2eH5cuttcI47cqgpw== X-OriginatorOrg: nutanix.com X-MS-Exchange-CrossTenant-Network-Message-Id: 550d407a-68c9-48c7-bd25-08daf563ea6e X-MS-Exchange-CrossTenant-AuthSource: PH0PR02MB7542.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Jan 2023 12:44:31.1758 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: bb047546-786f-4de1-bd75-24e5b6f79043 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: SekZiQPKWgPAOUVtltaKtEjMvhAX4bT3AZSMvCl3qNQcwkEWDlYRuRG6Lj58mc5dc+lwKxxt7ihY9YevlEs2gn8+aqnTQxUO6ID4t07A4xc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0PR02MB8047 X-Proofpoint-GUID: X2HSlBQi8PLb3GBs2Aw8gwPEBdojiRd4 X-Proofpoint-ORIG-GUID: X2HSlBQi8PLb3GBs2Aw8gwPEBdojiRd4 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.923,Hydra:6.0.562,FMLib:17.11.122.1 definitions=2023-01-13_05,2023-01-13_01,2022-06-22_01 X-Proofpoint-Spam-Reason: safe Subject: [ovs-dev] [PATCH ovn] northd, controller: Commit flows dropped by ACLs to conntrack X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This patch commits connections dropped/rejected by ACLs with label (introduced in 0e0228be (northd: Add ACL label)) to the connection tracking table. The dropped connections are committed in a separate conntrack zone so that they can be managed independently and do not interact with the connection tracking state of allowed connections. Each logical switch is assigned a new conntrack zone for committing dropped flows. The zone is loaded into register MFF_LOG_ACL_DROP_ZONE. A new lflow action "ct_commit_drop" is introduced that commits flows to connection tracking table in a zone identified by MFF_LOG_ACL_DROP_ZONE register. An ACL with "drop" or "reject" action and non-empty label translates to include "ct_commit_drop" in its actions instead of simply dropping/rejecting the packet. This provides a new approach to identify connections dropped by ACLs besides the existing ACL logging and drop sampling approaches. Signed-off-by: Abhiram Sangana --- controller/ovn-controller.c | 14 +++-- controller/physical.c | 32 ++++++++++- include/ovn/actions.h | 1 + include/ovn/logical-fields.h | 1 + lib/actions.c | 65 ++++++++++++++++++++++ lib/ovn-util.c | 4 +- lib/ovn-util.h | 2 +- northd/northd.c | 19 ++++++- northd/ovn-northd.8.xml | 18 ++++++- ovn-nb.xml | 8 ++- ovn-sb.xml | 22 ++++++++ tests/ovn-nbctl.at | 10 ++-- tests/ovn-northd.at | 102 +++++++++++++++++++++-------------- tests/ovn.at | 90 ++++++++++++++++++++++++++++++- utilities/ovn-nbctl.c | 7 --- 15 files changed, 323 insertions(+), 72 deletions(-) diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c index 351cf1c5b..c19b56838 100644 --- a/controller/ovn-controller.c +++ b/controller/ovn-controller.c @@ -734,8 +734,8 @@ update_ct_zones(const struct shash *binding_lports, HMAP_FOR_EACH (ld, hmap_node, local_datapaths) { /* XXX Add method to limit zone assignment to logical router * datapaths with NAT */ - char *dnat = alloc_nat_zone_key(&ld->datapath->header_.uuid, "dnat"); - char *snat = alloc_nat_zone_key(&ld->datapath->header_.uuid, "snat"); + char *dnat = alloc_ct_zone_key(&ld->datapath->header_.uuid, "dnat"); + char *snat = alloc_ct_zone_key(&ld->datapath->header_.uuid, "snat"); sset_add(&all_users, dnat); sset_add(&all_users, snat); @@ -745,6 +745,14 @@ update_ct_zones(const struct shash *binding_lports, } free(dnat); free(snat); + + /* Zone for committing connections dropped by ACLs with labels. */ + if (ld->is_switch) { + char *drop = alloc_ct_zone_key( + &ld->datapath->header_.uuid, "drop"); + sset_add(&all_users, drop); + free(drop); + } } /* Delete zones that do not exist in above sset. */ @@ -2415,7 +2423,7 @@ ct_zones_datapath_binding_handler(struct engine_node *node, void *data) /* Check if the requested snat zone has changed for the datapath * or not. If so, then fall back to full recompute of * ct_zone engine. */ - char *snat_dp_zone_key = alloc_nat_zone_key(&dp->header_.uuid, "snat"); + char *snat_dp_zone_key = alloc_ct_zone_key(&dp->header_.uuid, "snat"); struct simap_node *simap_node = simap_find(&ct_zones_data->current, snat_dp_zone_key); free(snat_dp_zone_key); diff --git a/controller/physical.c b/controller/physical.c index 4dcf44e01..3c573c492 100644 --- a/controller/physical.c +++ b/controller/physical.c @@ -60,6 +60,7 @@ struct zone_ids { int ct; /* MFF_LOG_CT_ZONE. */ int dnat; /* MFF_LOG_DNAT_ZONE. */ int snat; /* MFF_LOG_SNAT_ZONE. */ + int drop; /* MFF_LOG_ACL_DROP_ZONE. */ }; struct tunnel { @@ -204,14 +205,18 @@ get_zone_ids(const struct sbrec_port_binding *binding, const struct uuid *key = &binding->datapath->header_.uuid; - char *dnat = alloc_nat_zone_key(key, "dnat"); + char *dnat = alloc_ct_zone_key(key, "dnat"); zone_ids.dnat = simap_get(ct_zones, dnat); free(dnat); - char *snat = alloc_nat_zone_key(key, "snat"); + char *snat = alloc_ct_zone_key(key, "snat"); zone_ids.snat = simap_get(ct_zones, snat); free(snat); + char *drop = alloc_ct_zone_key(key, "drop"); + zone_ids.drop = simap_get(ct_zones, drop); + free(drop); + return zone_ids; } @@ -830,6 +835,9 @@ put_zones_ofpacts(const struct zone_ids *zone_ids, struct ofpbuf *ofpacts_p) if (zone_ids->snat) { put_load(zone_ids->snat, MFF_LOG_SNAT_ZONE, 0, 32, ofpacts_p); } + if (zone_ids->drop) { + put_load(zone_ids->drop, MFF_LOG_ACL_DROP_ZONE, 0, 32, ofpacts_p); + } } } @@ -896,6 +904,26 @@ put_local_common_flows(uint32_t dp_key, pb->header_.uuid.parts[0], &match, ofpacts_p, &pb->header_.uuid); + if (zone_ids->drop) { + /* Table 39, Priority 1. + * ======================= + * + * Clear the logical registers (for consistent behavior with packets + * that get tunneled) except MFF_LOG_ACL_DROP_ZONE. */ + match_init_catchall(&match); + ofpbuf_clear(ofpacts_p); + match_set_metadata(&match, htonll(dp_key)); + for (int i = 0; i < MFF_N_LOG_REGS; i++) { + if ((MFF_REG0 + i) != MFF_LOG_ACL_DROP_ZONE) { + put_load(0, MFF_REG0 + i, 0, 32, ofpacts_p); + } + } + put_resubmit(OFTABLE_LOG_EGRESS_PIPELINE, ofpacts_p); + ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 1, + pb->datapath->header_.uuid.parts[0], &match, + ofpacts_p, &pb->datapath->header_.uuid); + } + /* Table 39, Priority 100. * ======================= * diff --git a/include/ovn/actions.h b/include/ovn/actions.h index 6ca08b3c6..c7a6785d3 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h @@ -125,6 +125,7 @@ struct ovn_extend_table; OVNACT(COMMIT_LB_AFF, ovnact_commit_lb_aff) \ OVNACT(CHK_LB_AFF, ovnact_result) \ OVNACT(SAMPLE, ovnact_sample) \ + OVNACT(CT_COMMIT_DROP, ovnact_nest) \ /* enum ovnact_type, with a member OVNACT_ for each action. */ enum OVS_PACKED_ENUM ovnact_type { diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index a7b64ef67..c7ea9e0ce 100644 --- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -47,6 +47,7 @@ enum ovn_controller_event { #define MFF_LOG_REG0 MFF_REG0 #define MFF_LOG_LB_ORIG_DIP_IPV4 MFF_REG1 #define MFF_LOG_LB_ORIG_TP_DPORT MFF_REG2 +#define MFF_LOG_ACL_DROP_ZONE MFF_REG9 #define MFF_LOG_XXREG0 MFF_XXREG0 #define MFF_LOG_LB_ORIG_DIP_IPV6 MFF_XXREG1 diff --git a/lib/actions.c b/lib/actions.c index 2da5a696b..d86b1efbc 100644 --- a/lib/actions.c +++ b/lib/actions.c @@ -5210,6 +5210,69 @@ encode_CHK_LB_AFF(const struct ovnact_result *res, MLF_USE_LB_AFF_SESSION_BIT, ofpacts); } +static void +parse_ct_commit_drop(struct action_context *ctx) +{ + if (ctx->lexer->token.type == LEX_T_LCURLY) { + parse_nested_action(ctx, OVNACT_CT_COMMIT_DROP, "ip", + WR_CT_COMMIT); + } else { + /* Add an empty nested action to allow for "ct_commit_drop;" syntax */ + add_prerequisite(ctx, "ip"); + struct ovnact_nest *on = ovnact_put(ctx->ovnacts, + OVNACT_CT_COMMIT_DROP, + OVNACT_ALIGN(sizeof *on)); + on->nested_len = 0; + on->nested = NULL; + } +} + +static void +format_CT_COMMIT_DROP(const struct ovnact_nest *on, struct ds *s) +{ + if (on->nested_len) { + format_nested_action(on, "ct_commit_drop", s); + } else { + ds_put_cstr(s, "ct_commit_drop;"); + } +} + +static void +encode_CT_COMMIT_DROP(const struct ovnact_nest *on, + const struct ovnact_encode_params *ep OVS_UNUSED, + struct ofpbuf *ofpacts) +{ + struct ofpact_conntrack *ct = ofpact_put_CT(ofpacts); + ct->flags = NX_CT_F_COMMIT; + ct->recirc_table = NX_CT_RECIRC_NONE; + ct->zone_src.field = mf_from_id(MFF_LOG_ACL_DROP_ZONE); + ct->zone_src.ofs = 0; + ct->zone_src.n_bits = 16; + + /* If the datapath supports all-zero SNAT then use it to avoid tuple + * collisions at commit time between NATed and firewalled-only sessions. + */ + if (ovs_feature_is_supported(OVS_CT_ZERO_SNAT_SUPPORT)) { + size_t nat_offset = ofpacts->size; + ofpbuf_pull(ofpacts, nat_offset); + + struct ofpact_nat *nat = ofpact_put_NAT(ofpacts); + nat->flags = 0; + nat->range_af = AF_UNSPEC; + nat->flags |= NX_NAT_F_SRC; + ofpacts->header = ofpbuf_push_uninit(ofpacts, nat_offset); + ct = ofpacts->header; + } + + size_t set_field_offset = ofpacts->size; + ofpbuf_pull(ofpacts, set_field_offset); + + ovnacts_encode(on->nested, on->nested_len, ep, ofpacts); + ofpacts->header = ofpbuf_push_uninit(ofpacts, set_field_offset); + ct = ofpacts->header; + ofpact_finish(ofpacts, &ct->ofpact); +} + /* Parses an assignment or exchange or put_dhcp_opts action. */ static void parse_set_action(struct action_context *ctx) @@ -5415,6 +5478,8 @@ parse_action(struct action_context *ctx) parse_commit_lb_aff(ctx, ovnact_put_COMMIT_LB_AFF(ctx->ovnacts)); } else if (lexer_match_id(ctx->lexer, "sample")) { parse_sample(ctx); + } else if (lexer_match_id(ctx->lexer, "ct_commit_drop")) { + parse_ct_commit_drop(ctx); } else { lexer_syntax_error(ctx->lexer, "expecting action"); } diff --git a/lib/ovn-util.c b/lib/ovn-util.c index f3665b89f..646aff6ef 100644 --- a/lib/ovn-util.c +++ b/lib/ovn-util.c @@ -443,12 +443,12 @@ split_addresses(const char *addresses, struct svec *ipv4_addrs, destroy_lport_addresses(&laddrs); } -/* Allocates a key for NAT conntrack zone allocation for a provided +/* Allocates a key for conntrack zone allocation for a provided * 'key' record and a 'type'. * * It is the caller's responsibility to free the allocated memory. */ char * -alloc_nat_zone_key(const struct uuid *key, const char *type) +alloc_ct_zone_key(const struct uuid *key, const char *type) { return xasprintf(UUID_FMT"_%s", UUID_ARGS(key), type); } diff --git a/lib/ovn-util.h b/lib/ovn-util.h index cd19919cb..170685872 100644 --- a/lib/ovn-util.h +++ b/lib/ovn-util.h @@ -92,7 +92,7 @@ const char *find_lport_address(const struct lport_addresses *laddrs, void split_addresses(const char *addresses, struct svec *ipv4_addrs, struct svec *ipv6_addrs); -char *alloc_nat_zone_key(const struct uuid *key, const char *type); +char *alloc_ct_zone_key(const struct uuid *key, const char *type); const char *default_nb_db(void); const char *default_sb_db(void); diff --git a/northd/northd.c b/northd/northd.c index 4751feab4..10a905e51 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -310,7 +310,7 @@ enum ovn_stage { * +----+----------------------------------------------+---+-----------------------------------+ * | R8 | LB_AFF_MATCH_PORT | * +----+----------------------------------------------+ - * | R9 | UNUSED | + * | R9 | ACL DROP CT ZONE | * +----+----------------------------------------------+ * * Logical Router pipeline: @@ -6463,6 +6463,14 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, ds_clear(match); ds_clear(actions); ds_put_cstr(match, REGBIT_ACL_HINT_DROP " == 1"); + /* If the ACL has a label, we commit the packet in + * a separate zone for debugging purposes before + * rejecting/dropping it. */ + if (acl->label) { + ds_put_format(actions, "ct_commit_drop { " + "ct_label.label = %"PRId64"; }; ", + acl->label); + } if (!strcmp(acl->action, "reject")) { build_reject_acl_rules(od, lflows, stage, acl, match, actions, &acl->header_, meter_groups); @@ -6489,8 +6497,15 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, ds_clear(match); ds_clear(actions); ds_put_cstr(match, REGBIT_ACL_HINT_BLOCK " == 1"); - ds_put_format(actions, "ct_commit { %s = 1; }; ", + ds_put_format(actions, "ct_commit { %s = 1; ", ct_blocked_match); + /* Update ct_label.label to reflect the new policy matching + * the connection. */ + if (acl->label) { + ds_put_format(actions, "ct_label.label = %"PRId64"; ", + acl->label); + } + ds_put_cstr(actions, "}; "); if (!strcmp(acl->action, "reject")) { build_reject_acl_rules(od, lflows, stage, acl, match, actions, &acl->header_, meter_groups); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 25a742c90..bcd07463d 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -727,13 +727,20 @@ action for TCP connections,icmp4/icmp6 action for UDP connections, and sctp_abort {output <-%gt; inport; next(pipeline=egress,table=5);} action for SCTP associations. + Additionally, if the ACL has a label, the translated + action includes ct_commit_drop(ct_label.label=label).
  • Other ACLs translate to drop; for new or untracked connections and ct_commit(ct_label=1/1); for known connections. Setting ct_label marks a connection as one that was previously allowed, but should no longer be - allowed due to a policy change. + allowed due to a policy change. If the ACLs have label, + then they instead translate to + ct_commit_drop(ct_label.label=label) for new and + untracked connections and + ct_commit(ct_label.blocked=1; ct_label.label=label); + for known connections.
    • @@ -1077,13 +1084,20 @@ action for TCP connections,icmp4/icmp6 action for UDP connections, and sctp_abort {output <-%gt; inport; next(pipeline=egress,table=5);} action for SCTP associations. + Additionally, if the ACL has a label, the translated + action includes ct_commit_drop(ct_label.label=label).
  • Other apply-after-lb ACLs translate to drop; for new or untracked connections and ct_commit(ct_label=1/1); for known connections. Setting ct_label marks a connection as one that was previously allowed, but should no longer be - allowed due to a policy change. + allowed due to a policy change. If the ACLs have label, + then they instead translate to + ct_commit_drop(ct_label.label=label) for new and + untracked connections and + ct_commit(ct_label.blocked=1; ct_label.label=label); + for known connections.
    • diff --git a/ovn-nb.xml b/ovn-nb.xml index 1ba19e5f5..61389da8a 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -2093,12 +2093,10 @@ or

    Associates an identifier with the ACL. The same value will be written to corresponding connection - tracker entry. The value should be a valid 32-bit unsigned integer. - This value can help in debugging from connection tracker side. + tracking entry. The value should be a valid 32-bit unsigned integer. + This value can help in debugging from connection tracking side. For example, through this "label" we can backtrack to the ACL rule - which is causing a "leaked" connection. Connection tracker entries are - created only for allowed connections so the label is valid only - for allow and allow-related actions. + which is causing a "leaked" connection.

    diff --git a/ovn-sb.xml b/ovn-sb.xml index a77f8f4ef..f01f9a927 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -1408,6 +1408,28 @@

    +
    ct_commit_drop { };
    +
    ct_commit_drop { ct_mark=value[/mask]; };
    +
    ct_commit_drop { ct_label=value[/mask]; };
    +
    ct_commit_drop { ct_mark=value[/mask]; ct_label=value[/mask]; };
    +
    +

    + Commit the flow to a connection tracking entry in the + logical switch DROP zone. This action is identical to + ct_commit besides the connection tracking entry + the flow is committed to. +

    + +

    + This action is useful to commit connection tracking state for + packets before they are dropped for debugging purposes. + Committing the packets in a separate zone ensures that connection + tracking state of dropped connections doesn't interact with the + state of allowed connections and allows the DROP zone to be + managed separately. +

    +
    +
    ct_dnat;
    ct_dnat(IP);
    diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 8885ac9fc..b5a177563 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -222,17 +222,14 @@ ovn_nbctl_test_acl() { AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 200 ip drop]) AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop]) AT_CHECK([ovn-nbctl $2 --label=1234 acl-add $1 from-lport 70 icmp allow-related]) - AT_CHECK([ovn-nbctl $2 --label=1235 acl-add $1 to-lport 70 icmp allow-related]) + AT_CHECK([ovn-nbctl $2 --label=1235 acl-add $1 to-lport 70 icmp reject]) + AT_CHECK([ovn-nbctl $2 --label=1234 acl-add $1 to-lport 50 ip drop]) dnl Add duplicated ACL AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop], [1], [], [stderr]) AT_CHECK([grep 'already existed' stderr], [0], [ignore]) AT_CHECK([ovn-nbctl $2 --may-exist acl-add $1 to-lport 100 ip drop]) - dnl Add invalid ACL label - AT_CHECK([ovn-nbctl $2 --label=1234 acl-add $1 to-lport 50 ip drop], [1], [], [stderr]) - AT_CHECK([grep 'can only be set with actions' stderr], [0], [ignore]) - AT_CHECK([ovn-nbctl $2 --label=abcd acl-add $1 to-lport 50 ip allow-related], [1], [], [stderr]) AT_CHECK([grep 'label must in range 0...4294967295' stderr], [0], [ignore]) @@ -250,7 +247,8 @@ from-lport 70 (icmp) allow-related label=1234 to-lport 500 (udp) drop log(name=test,severity=info) to-lport 300 (tcp) drop to-lport 100 (ip) drop - to-lport 70 (icmp) allow-related label=1235 + to-lport 70 (icmp) reject label=1235 + to-lport 50 (ip) drop label=1234 ]) dnl Delete in one direction. diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 56c1e6c2e..7b319be9d 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -4250,87 +4250,109 @@ check ovn-nbctl ls-add sw0 check ovn-nbctl lsp-add sw0 sw0p1 check ovn-nbctl --wait=sb --label=1234 acl-add sw0 to-lport 1002 tcp allow-related +check ovn-nbctl --wait=sb --label=2345 acl-add sw0 to-lport 1001 ip drop check ovn-nbctl --wait=sb --label=1234 acl-add sw0 from-lport 1002 tcp allow-related +check ovn-nbctl --wait=sb --label=2345 acl-add sw0 from-lport 1001 ip reject ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep -e 2002 -e 2001 | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_in_acl ), priority=2001 , match=((reg0[[10]] == 1) && ip), action=(ct_commit { ct_mark.blocked = 1; ct_label.label = 2345; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) + table=??(ls_in_acl ), priority=2001 , match=((reg0[[9]] == 1) && ip), action=(ct_commit_drop { ct_label.label = 2345; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) + table=??(ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) ]) -AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl +AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) +AT_CHECK([grep -w "ls_out_acl" sw0flows | grep -e 2002 -e 2001 | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_out_acl ), priority=2001 , match=(reg0[[10]] == 1 && (ip)), action=(ct_commit { ct_mark.blocked = 1; ct_label.label = 2345; }; /* drop */) + table=??(ls_out_acl ), priority=2001 , match=(reg0[[9]] == 1 && (ip)), action=(ct_commit_drop { ct_label.label = 2345; }; /* drop */) + table=??(ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -# Add new ACL without label +# Add ACLs without labels check ovn-nbctl --wait=sb acl-add sw0 to-lport 1002 udp allow-related +check ovn-nbctl --wait=sb acl-add sw0 to-lport 1001 ip6 drop check ovn-nbctl --wait=sb acl-add sw0 from-lport 1002 udp allow-related +check ovn-nbctl --wait=sb acl-add sw0 from-lport 1001 ip6 reject ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) -]) -AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep -e 2002 -e 2001 | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_in_acl ), priority=2001 , match=((reg0[[10]] == 1) && ip), action=(ct_commit { ct_mark.blocked = 1; ct_label.label = 2345; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) + table=??(ls_in_acl ), priority=2001 , match=((reg0[[10]] == 1) && ip6), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) + table=??(ls_in_acl ), priority=2001 , match=((reg0[[9]] == 1) && ip), action=(ct_commit_drop { ct_label.label = 2345; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) + table=??(ls_in_acl ), priority=2001 , match=((reg0[[9]] == 1) && ip6), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) + table=??(ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) + table=??(ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +]) +AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_out_acl" sw0flows | grep -e 2002 -e 2001 | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_out_acl ), priority=2001 , match=(reg0[[10]] == 1 && (ip)), action=(ct_commit { ct_mark.blocked = 1; ct_label.label = 2345; }; /* drop */) + table=??(ls_out_acl ), priority=2001 , match=(reg0[[10]] == 1 && (ip6)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) + table=??(ls_out_acl ), priority=2001 , match=(reg0[[9]] == 1 && (ip)), action=(ct_commit_drop { ct_label.label = 2345; }; /* drop */) + table=??(ls_out_acl ), priority=2001 , match=(reg0[[9]] == 1 && (ip6)), action=(/* drop */) + table=??(ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) + table=??(ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=??(ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -# Delete new ACL with label +# Delete ACLs with labels check ovn-nbctl --wait=sb acl-del sw0 to-lport 1002 tcp +check ovn-nbctl --wait=sb acl-del sw0 to-lport 1001 ip check ovn-nbctl --wait=sb acl-del sw0 from-lport 1002 tcp +check ovn-nbctl --wait=sb acl-del sw0 from-lport 1001 ip ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_in_acl" sw0flows | grep -e 2002 -e 2001 | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_in_acl ), priority=2001 , match=((reg0[[10]] == 1) && ip6), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) + table=??(ls_in_acl ), priority=2001 , match=((reg0[[9]] == 1) && ip6), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) + table=??(ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) + table=??(ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) ]) -AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl +AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_out_acl" sw0flows | grep -e 2002 -e 2001 | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_out_acl ), priority=2001 , match=(reg0[[10]] == 1 && (ip6)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) + table=??(ls_out_acl ), priority=2001 , match=(reg0[[9]] == 1 && (ip6)), action=(/* drop */) + table=??(ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) + table=??(ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sort | sed 's/table=[[0-9]]*\s*/table=??/'], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CLEANUP ]) diff --git a/tests/ovn.at b/tests/ovn.at index c537cba54..ad14a843a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -1319,6 +1319,58 @@ ct_label = 0xcafe ct_label.blocked = 1/1 Field ct_label.blocked is not modifiable. +# ct_commit_drop +ct_commit_drop; + encodes as ct(commit,zone=NXM_NX_REG9[0..15]) + has prereqs ip +ct_commit_drop { }; + formats as ct_commit_drop; + encodes as ct(commit,zone=NXM_NX_REG9[0..15]) + has prereqs ip +ct_commit_drop { ct_mark=1; }; + formats as ct_commit_drop { ct_mark = 1; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0x1->ct_mark)) + has prereqs ip +ct_commit_drop { ct_mark=1/1; }; + formats as ct_commit_drop { ct_mark = 1/1; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0x1/0x1->ct_mark)) + has prereqs ip +ct_commit_drop { ct_label=1; }; + formats as ct_commit_drop { ct_label = 1; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0x1->ct_label)) + has prereqs ip +ct_commit_drop { ct_label=1/1; }; + formats as ct_commit_drop { ct_label = 1/1; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0x1/0x1->ct_label)) + has prereqs ip +ct_commit_drop { ct_mark=1; ct_label=2; }; + formats as ct_commit_drop { ct_mark = 1; ct_label = 2; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0x1->ct_mark,set_field:0x2->ct_label)) + has prereqs ip + +ct_commit_drop { ct_label=0x01020304050607080910111213141516; }; + formats as ct_commit_drop { ct_label = 0x1020304050607080910111213141516; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0x1020304050607080910111213141516->ct_label)) + has prereqs ip +ct_commit_drop { ct_label=0x1000000000000000000000000000000/0x1000000000000000000000000000000; }; + formats as ct_commit_drop { ct_label = 0x1000000000000000000000000000000/0x1000000000000000000000000000000; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0x1000000000000000000000000000000/0x1000000000000000000000000000000->ct_label)) + has prereqs ip +ct_commit_drop { ct_label=18446744073709551615; }; + formats as ct_commit_drop { ct_label = 18446744073709551615; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0xffffffffffffffff->ct_label)) + has prereqs ip +ct_commit_drop { ct_label[0..47] = 0x00000f040201; ct_label[48..63] = 0x0002; }; + formats as ct_commit_drop { ct_label[0..47] = 0xf040201; ct_label[48..63] = 0x2; }; + encodes as ct(commit,zone=NXM_NX_REG9[0..15],exec(set_field:0xf040201/0xffffffffffff->ct_label,set_field:0x2000000000000/0xffff000000000000->ct_label)) + has prereqs ip +ct_commit_drop { ct_label=18446744073709551616; }; + Decimal constants must be less than 2**64. +ct_commit_drop { ct_label=0x181716151413121110090807060504030201; }; + 141-bit constant is not compatible with 128-bit field ct_label. +ct_commit_drop { ip4.dst = 192.168.0.1; }; + Field ip4.dst is not modifiable. + # ct_dnat ct_dnat; encodes as ct(table=19,zone=NXM_NX_REG11[0..15],nat) @@ -33556,7 +33608,7 @@ ovn-nbctl lsp-add sw0 sw0-port1 -- lsp-set-addresses sw0-port1 "50:54:00:00:00:0 ovs-vsctl set interface p0 external-ids:iface-id=sw0-port0 ovs-vsctl set interface p1 external-ids:iface-id=sw0-port1 check ovn-nbctl --wait=hv sync -as hv1 ovs-ofctl dump-flows br-int | sed 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, table/' | sed 's/load:0x.->NXM_NX_REG1/load:0x?->NXM_NX_REG1/g' | sed 's/idle_age=[[0-9]], //g' | sort > offlows1 +as hv1 ovs-ofctl dump-flows br-int | sed 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, table/' | sed 's/load:0x.->NXM_NX_REG\([[19]]\)/load:0x?->NXM_NX_REG\1/g' | sed 's/idle_age=[[0-9]], //g' | sort > offlows1 ovs-vsctl set interface p0 external-ids:iface-id=foo0 ovs-vsctl set interface p1 external-ids:iface-id=foo1 @@ -33583,7 +33635,7 @@ sleep 0.5 # Restart SB AT_CHECK([kill -CONT $(cat ovn-sb/ovsdb-server.pid)]) check ovn-nbctl --wait=hv sync -as hv1 ovs-ofctl dump-flows br-int | sed 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, table/' | sed 's/load:0x.->NXM_NX_REG1/load:0x?->NXM_NX_REG1/g' | sed 's/idle_age=[[0-9]], //g' | sort > offlows2 +as hv1 ovs-ofctl dump-flows br-int | sed 's/cookie=0x.*, duration=.*, table/cookie=??, duration=??, table/' | sed 's/load:0x.->NXM_NX_REG\([[19]]\)/load:0x?->NXM_NX_REG\1/g' | sed 's/idle_age=[[0-9]], //g' | sort > offlows2 AT_CHECK([diff offlows1 offlows2]) ovn-nbctl ls-del sw0 @@ -34608,3 +34660,37 @@ check_packets OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn-controller - check logical_switch drop ct zone]) +ovn_start +net_add n1 +sim_add hv1 +as hv1 +ovs-vsctl add-br br-phys +ovn_attach n1 br-phys 192.168.0.1 + +check ovn-nbctl ls-add ls0 +check ovn-nbctl lsp-add ls0 lsp0 +check ovn-nbctl lsp-set-addresses lsp0 "00:00:00:00:00:02 10.0.0.2" + +ovs-vsctl -- add-port br-int vif0 -- set interface vif0 external-ids:iface-id=lsp0 + +# Wait for ovn-northd and ovn-controller to catch up. +wait_for_ports_up +check ovn-nbctl --wait=hv sync + +# logical_switch should have a CT zone for connections dropped by labeled ACLs +ls_uuid=$(fetch_column Datapath_Binding _uuid external_ids:name=ls0) +AT_CHECK([as hv1 ovn-appctl -t ovn-controller ct-zone-list | \ +grep ${ls_uuid}_drop -c], [0], [1 +]) + +# Check that register storing the drop ct zone is not cleared. +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=39 | grep -w 'priority=1' | ofctl_strip_all], [0], [dnl + table=39, priority=1,metadata=0x1 actions=load:0->NXM_NX_REG0[[]],load:0->NXM_NX_REG1[[]],load:0->NXM_NX_REG2[[]],load:0->NXM_NX_REG3[[]],load:0->NXM_NX_REG4[[]],load:0->NXM_NX_REG5[[]],load:0->NXM_NX_REG6[[]],load:0->NXM_NX_REG7[[]],load:0->NXM_NX_REG8[[]],resubmit(,40) +]) + +OVN_CLEANUP([hv1]) +AT_CLEANUP +]) diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 9d4fb8c75..6062d8abd 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2360,13 +2360,6 @@ nbctl_acl_add(struct ctl_context *ctx) /* Set the ACL label */ const char *label = shash_find_data(&ctx->options, "--label"); if (label) { - /* Ensure that the action is either allow or allow-related */ - if (strcmp(action, "allow") && strcmp(action, "allow-related")) { - ctl_error(ctx, "label can only be set with actions \"allow\" or " - "\"allow-related\""); - return; - } - int64_t label_value = 0; error = parse_acl_label(label, &label_value); if (error) {