From patchwork Tue Mar 21 17:59:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1759540 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=YCOPx14t; dkim-atps=neutral Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Pgzrl27Q7z247m for ; Wed, 22 Mar 2023 04:59:35 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 03718418FF; Tue, 21 Mar 2023 17:59:29 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 03718418FF Authentication-Results: smtp4.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=YCOPx14t X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEPsI57385Q1; Tue, 21 Mar 2023 17:59:26 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp4.osuosl.org (Postfix) with ESMTPS id ADC1A4190D; Tue, 21 Mar 2023 17:59:24 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org ADC1A4190D Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 4E076C008E; Tue, 21 Mar 2023 17:59:22 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 31F15C0091 for ; Tue, 21 Mar 2023 17:59:20 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 0A5D141899 for ; Tue, 21 Mar 2023 17:59:20 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 0A5D141899 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_y8rzvBSu4U for ; Tue, 21 Mar 2023 17:59:17 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org C2C2241703 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp4.osuosl.org (Postfix) with ESMTPS id C2C2241703 for ; Tue, 21 Mar 2023 17:59:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1679421555; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7d2qpwuixI0WI33JTvN9i3wNGZlshaQneZ7PFhQokIU=; b=YCOPx14tUkIwRlIgvnMn4tfcJ6n0kHfyE6LWznEgx+w1ElBZ554vyVAwiguPRqaPz33HbR qS5BtVNY3v6Uhkr0Y+uPcED9X+7Hjvt0j3KIjog56kE1mGj3hDXa0ZOxOCwOj+SZuwxFRu MiVCCn09VPp5n6k+B6YpaQ/zKT/LEMk= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-353-L_sVw3lmO-ujVunIEOvmxQ-1; Tue, 21 Mar 2023 13:59:12 -0400 X-MC-Unique: L_sVw3lmO-ujVunIEOvmxQ-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id AF261855304 for ; Tue, 21 Mar 2023 17:59:11 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-0-12.rdu2.redhat.com [10.22.0.12]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2590E42C827 for ; Tue, 21 Mar 2023 17:59:10 +0000 (UTC) From: Mark Michelson To: dev@openvswitch.org Date: Tue, 21 Mar 2023 13:59:06 -0400 Message-Id: <20230321175909.3794119-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn 1/4] northd: Break ACLs into two stages. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Prior to this commit, ACLs were evaluated and acted on in a single stage. With this commit, evaluation of ACLs and acting on an ACL's decision are separated into two stages. The acl_eval stage checks the ACL match and will set a bit to indicate the verdict of the ACL. The acl_action stage then checks the relevant bits to determine how to proceed. If no ACLs are matched, then the default ACL action is taken. A couple of notes about updated tests: - For test cases where I just had to increment a table number, I changed the check so the table numbers are masked. This should prevent similar changes from being needed later. - The port security test changes may seem odd. The issue here is that the ls_out_apply_port_sec table number changed from 9 to 10. This means that this table's flows now sort to a lower position than before. This is why the check had to change for this test. Signed-off-by: Mark Michelson --- northd/northd.c | 669 ++++++++++++----------- northd/ovn-northd.8.xml | 312 +++++++---- tests/ovn-controller.at | 144 ++--- tests/ovn-northd.at | 1134 ++++++++++++++++++++++----------------- tests/ovn.at | 81 +-- tests/system-ovn.at | 2 +- 6 files changed, 1323 insertions(+), 1019 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 5f0b436c2..6cdeb100d 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -119,37 +119,42 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, IN, PRE_LB, 5, "ls_in_pre_lb") \ PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 6, "ls_in_pre_stateful") \ PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 7, "ls_in_acl_hint") \ - PIPELINE_STAGE(SWITCH, IN, ACL, 8, "ls_in_acl") \ - PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 9, "ls_in_qos_mark") \ - PIPELINE_STAGE(SWITCH, IN, QOS_METER, 10, "ls_in_qos_meter") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 11, "ls_in_lb_aff_check") \ - PIPELINE_STAGE(SWITCH, IN, LB, 12, "ls_in_lb") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 13, "ls_in_lb_aff_learn") \ - PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 14, "ls_in_pre_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 15, "ls_in_nat_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 16, "ls_in_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB, 17, "ls_in_acl_after_lb") \ - PIPELINE_STAGE(SWITCH, IN, STATEFUL, 18, "ls_in_stateful") \ - PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 19, "ls_in_arp_rsp") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 20, "ls_in_dhcp_options") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 21, "ls_in_dhcp_response") \ - PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 22, "ls_in_dns_lookup") \ - PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 23, "ls_in_dns_response") \ - PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 24, "ls_in_external_port") \ - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 25, "ls_in_l2_lkup") \ - PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 26, "ls_in_l2_unknown") \ + PIPELINE_STAGE(SWITCH, IN, ACL_EVAL, 8, "ls_in_acl_eval") \ + PIPELINE_STAGE(SWITCH, IN, ACL_ACTION, 9, "ls_in_acl_action") \ + PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 10, "ls_in_qos_mark") \ + PIPELINE_STAGE(SWITCH, IN, QOS_METER, 11, "ls_in_qos_meter") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 12, "ls_in_lb_aff_check") \ + PIPELINE_STAGE(SWITCH, IN, LB, 13, "ls_in_lb") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 14, "ls_in_lb_aff_learn") \ + PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 15, "ls_in_pre_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 16, "ls_in_nat_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 17, "ls_in_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_EVAL, 18, \ + "ls_in_acl_after_lb_eval") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 19, \ + "ls_in_acl_after_lb_action") \ + PIPELINE_STAGE(SWITCH, IN, STATEFUL, 20, "ls_in_stateful") \ + PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 21, "ls_in_arp_rsp") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 22, "ls_in_dhcp_options") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 23, "ls_in_dhcp_response") \ + PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 24, "ls_in_dns_lookup") \ + PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 25, "ls_in_dns_response") \ + PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 26, "ls_in_external_port") \ + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 27, "ls_in_l2_lkup") \ + PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 28, "ls_in_l2_unknown") \ \ /* Logical switch egress stages. */ \ PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \ PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 1, "ls_out_pre_lb") \ PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \ PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 3, "ls_out_acl_hint") \ - PIPELINE_STAGE(SWITCH, OUT, ACL, 4, "ls_out_acl") \ - PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 5, "ls_out_qos_mark") \ - PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 6, "ls_out_qos_meter") \ - PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \ - PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 8, "ls_out_check_port_sec") \ - PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 9, "ls_out_apply_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_EVAL, 4, "ls_out_acl_eval") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 5, "ls_out_acl_action") \ + PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 6, "ls_out_qos_mark") \ + PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 7, "ls_out_qos_meter") \ + PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 8, "ls_out_stateful") \ + PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 9, "ls_out_check_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 10, "ls_out_apply_port_sec") \ \ /* Logical router ingress stages. */ \ PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ @@ -233,6 +238,11 @@ enum ovn_stage { #define REG_LB_AFF_BACKEND_IP4 "reg4" #define REG_LB_AFF_MATCH_PORT "reg8[0..15]" +/* Registers for ACL evaluation */ +#define REGBIT_ACL_VERDICT_ALLOW "reg8[16]" +#define REGBIT_ACL_VERDICT_DROP "reg8[17]" +#define REGBIT_ACL_VERDICT_REJECT "reg8[18]" + /* Indicate that this packet has been recirculated using egress * loopback. This allows certain checks to be bypassed, such as a * logical router dropping packets with source IP address equals @@ -6332,54 +6342,11 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl, ds_put_cstr(actions, "); "); } -static void -build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, - enum ovn_stage stage, struct nbrec_acl *acl, - struct ds *extra_match, struct ds *extra_actions, - const struct ovsdb_idl_row *stage_hint, - const struct shash *meter_groups) -{ - struct ds match = DS_EMPTY_INITIALIZER; - struct ds actions = DS_EMPTY_INITIALIZER; - bool ingress = (ovn_stage_get_pipeline(stage) == P_IN); - - char *next_action = - xasprintf("next(pipeline=%s,table=%d);", - ingress ? "egress": "ingress", - ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS_MARK) - : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); - - build_acl_log(&actions, acl, meter_groups); - if (extra_match->length > 0) { - ds_put_format(&match, "(%s) && ", extra_match->string); - } - ds_put_cstr(&match, acl->match); - - if (extra_actions->length > 0) { - ds_put_format(&actions, "%s ", extra_actions->string); - } - - ds_put_format(&actions, "reg0 = 0; " - "reject { " - "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " - "outport <-> inport; %s };", next_action); - ovn_lflow_add_with_hint__(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(&match), ds_cstr(&actions), NULL, - copp_meter_get(COPP_REJECT, od->nbs->copp, - meter_groups), - stage_hint); - - free(next_action); - ds_destroy(&match); - ds_destroy(&actions); -} - static void consider_acl(struct hmap *lflows, struct ovn_datapath *od, - struct nbrec_acl *acl, bool has_stateful, bool ct_masked_mark, - const struct shash *meter_groups, struct ds *match, - struct ds *actions) + const struct nbrec_acl *acl, bool has_stateful, + bool ct_masked_mark, const struct shash *meter_groups, + struct ds *match, struct ds *actions) { const char *ct_blocked_match = ct_masked_mark ? "ct_mark.blocked" @@ -6388,210 +6355,135 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, enum ovn_stage stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { - stage = S_SWITCH_IN_ACL_AFTER_LB; + stage = S_SWITCH_IN_ACL_AFTER_LB_EVAL; } else if (ingress) { - stage = S_SWITCH_IN_ACL; + stage = S_SWITCH_IN_ACL_EVAL; } else { - stage = S_SWITCH_OUT_ACL; + stage = S_SWITCH_OUT_ACL_EVAL; } - if (!strcmp(acl->action, "allow-stateless")) { - ds_clear(actions); - build_acl_log(actions, acl, meter_groups); + static const char *allow = REGBIT_ACL_VERDICT_ALLOW " = 1; "; + static const char *drop = REGBIT_ACL_VERDICT_DROP " = 1; "; + static const char *reject = REGBIT_ACL_VERDICT_REJECT " = 1; "; + + const char *verdict; + if (!strcmp(acl->action, "drop")) { + verdict = drop; + } else if (!strcmp(acl->action, "reject")) { + verdict = reject; + } else { + verdict = allow; + } + + ds_clear(actions); + /* All ACLs will have the same actions as a basis. */ + build_acl_log(actions, acl, meter_groups); + ds_put_cstr(actions, verdict); + size_t log_verdict_len = actions->length; + uint16_t priority = acl->priority + OVN_ACL_PRI_OFFSET; + + if (!has_stateful || !strcmp(acl->action, "allow-stateless")) { ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, + ovn_lflow_add_with_hint(lflows, od, stage, priority, acl->match, ds_cstr(actions), &acl->header_); - } else if (!strcmp(acl->action, "allow") + return; + } + + if (!strcmp(acl->action, "allow") || !strcmp(acl->action, "allow-related")) { /* If there are any stateful flows, we must even commit "allow" * actions. This is because, while the initiater's * direction may not have any stateful rules, the server's * may and then its return traffic would not have an * associated conntrack entry and would return "+invalid". */ - if (!has_stateful) { - ds_clear(actions); - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, ds_cstr(actions), - &acl->header_); - } else { - /* Commit the connection tracking entry if it's a new - * connection that matches this ACL. After this commit, - * the reply traffic is allowed by a flow we create at - * priority 65535, defined earlier. - * - * It's also possible that a known connection was marked for - * deletion after a policy was deleted, but the policy was - * re-added while that connection is still known. We catch - * that case here and un-set ct_mark.blocked (which will be done - * by ct_commit in the "stateful" stage) to indicate that the - * connection should be allowed to resume. - */ - ds_clear(match); - ds_clear(actions); - ds_put_format(match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)", - acl->match); - ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - if (acl->label) { - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); - } - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(match), - ds_cstr(actions), - &acl->header_); - - /* Match on traffic in the request direction for an established - * connection tracking entry that has not been marked for - * deletion. We use this to ensure that this - * connection is still allowed by the currently defined - * policy. Match untracked packets too. - * Commit the connection only if the ACL has a label. This is done - * to update the connection tracking entry label in case the ACL - * allowing the connection changes. */ - ds_clear(match); - ds_clear(actions); - ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", - acl->match); - if (acl->label) { - ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); - } - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(match), ds_cstr(actions), - &acl->header_); - - /* Related and reply traffic are universally allowed by priority - * 65532 flows created in build_acls(). If logging is enabled on - * the ACL, then we need to ensure that the related and reply - * traffic is logged, so we install a slightly higher-priority - * flow that matches the ACL, allows the traffic, and logs it. - * - * Note: Matching the ct_label.label may prevent OVS flow HW - * offloading to work for some NICs because masked-access of - * ct_label is not supported on those NICs due to HW - * limitations. In such case the user may choose to avoid using the - * "log-related" option. - */ - bool log_related = smap_get_bool(&acl->options, "log-related", - false); - if (acl->log && acl->label && log_related) { - /* Related/reply flows need to be set on the opposite pipeline - * from where the ACL itself is set. - */ - enum ovn_stage log_related_stage = ingress ? - S_SWITCH_OUT_ACL : - S_SWITCH_IN_ACL; - ds_clear(match); - ds_clear(actions); - - ds_put_format(match, "ct.est && !ct.rel && !ct.new%s && " - "ct.rpl && %s == 0 && " - "ct_label.label == %" PRId64, - use_ct_inv_match ? " && !ct.inv" : "", - ct_blocked_match, acl->label); - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, log_related_stage, - UINT16_MAX - 2, - ds_cstr(match), ds_cstr(actions), - &acl->header_); + /* Commit the connection tracking entry if it's a new + * connection that matches this ACL. After this commit, + * the reply traffic is allowed by a flow we create at + * priority 65535, defined earlier. + * + * It's also possible that a known connection was marked for + * deletion after a policy was deleted, but the policy was + * re-added while that connection is still known. We catch + * that case here and un-set ct_mark.blocked (which will be done + * by ct_commit in the "stateful" stage) to indicate that the + * connection should be allowed to resume. + */ + ds_clear(match); + ds_put_format(match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)", + acl->match); - ds_clear(match); - ds_put_format(match, "!ct.est && ct.rel && !ct.new%s && " - "%s == 0 && " - "ct_label.label == %" PRId64, - use_ct_inv_match ? " && !ct.inv" : "", - ct_blocked_match, acl->label); - ovn_lflow_add_with_hint(lflows, od, log_related_stage, - UINT16_MAX - 2, - ds_cstr(match), ds_cstr(actions), - &acl->header_); - } + ds_truncate(actions, log_verdict_len); + ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); + if (acl->label) { + ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " + REG_LABEL" = %"PRId64"; ", acl->label); + } + ds_put_cstr(actions, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, priority, + ds_cstr(match), ds_cstr(actions), + &acl->header_); + /* Match on traffic in the request direction for an established + * connection tracking entry that has not been marked for + * deletion. We use this to ensure that this + * connection is still allowed by the currently defined + * policy. Match untracked packets too. + * Commit the connection only if the ACL has a label. This is done + * to update the connection tracking entry label in case the ACL + * allowing the connection changes. */ + ds_clear(match); + ds_truncate(actions, log_verdict_len); + ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", + acl->match); + if (acl->label) { + ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); + ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " + REG_LABEL" = %"PRId64"; ", acl->label); } + ds_put_cstr(actions, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, priority, + ds_cstr(match), ds_cstr(actions), + &acl->header_); } else if (!strcmp(acl->action, "drop") || !strcmp(acl->action, "reject")) { /* The implementation of "drop" differs if stateful ACLs are in * use for this datapath. In that case, the actions differ * depending on whether the connection was previously committed * to the connection tracker with ct_commit. */ - if (has_stateful) { - /* If the packet is not tracked or not part of an established - * connection, then we can simply reject/drop it. */ - ds_clear(match); - ds_clear(actions); - ds_put_cstr(match, REGBIT_ACL_HINT_DROP " == 1"); - if (!strcmp(acl->action, "reject")) { - build_reject_acl_rules(od, lflows, stage, acl, match, - actions, &acl->header_, meter_groups); - } else { - ds_put_format(match, " && (%s)", acl->match); - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, debug_implicit_drop_action()); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(match), ds_cstr(actions), - &acl->header_); - } - /* For an existing connection without ct_mark.blocked set, we've - * encountered a policy change. ACLs previously allowed - * this connection and we committed the connection tracking - * entry. Current policy says that we should drop this - * connection. First, we set ct_mark.blocked to indicate - * that this connection is set for deletion. By not - * specifying "next;", we implicitly drop the packet after - * updating conntrack state. We would normally defer - * ct_commit() to the "stateful" stage, but since we're - * rejecting/dropping the packet, we go ahead and do it here. - */ - ds_clear(match); - ds_clear(actions); - ds_put_cstr(match, REGBIT_ACL_HINT_BLOCK " == 1"); - ds_put_format(actions, "ct_commit { %s = 1; }; ", - ct_blocked_match); - if (!strcmp(acl->action, "reject")) { - build_reject_acl_rules(od, lflows, stage, acl, match, - actions, &acl->header_, meter_groups); - } else { - ds_put_format(match, " && (%s)", acl->match); - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, debug_implicit_drop_action()); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(match), ds_cstr(actions), - &acl->header_); - } - } else { - /* There are no stateful ACLs in use on this datapath, - * so a "reject/drop" ACL is simply the "reject/drop" - * logical flow action in all cases. */ - ds_clear(match); - ds_clear(actions); - if (!strcmp(acl->action, "reject")) { - build_reject_acl_rules(od, lflows, stage, acl, match, - actions, &acl->header_, meter_groups); - } else { - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, debug_implicit_drop_action()); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, ds_cstr(actions), - &acl->header_); - } - } + /* If the packet is not tracked or not part of an established + * connection, then we can simply reject/drop it. */ + ds_clear(match); + ds_put_cstr(match, REGBIT_ACL_HINT_DROP " == 1"); + ds_put_format(match, " && (%s)", acl->match); + + ds_truncate(actions, log_verdict_len); + ds_put_cstr(actions, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, priority, + ds_cstr(match), ds_cstr(actions), + &acl->header_); + /* For an existing connection without ct_mark.blocked set, we've + * encountered a policy change. ACLs previously allowed + * this connection and we committed the connection tracking + * entry. Current policy says that we should drop this + * connection. First, we set ct_mark.blocked to indicate + * that this connection is set for deletion. By not + * specifying "next;", we implicitly drop the packet after + * updating conntrack state. We would normally defer + * ct_commit() to the "stateful" stage, but since we're + * rejecting/dropping the packet, we go ahead and do it here. + */ + ds_clear(match); + ds_put_cstr(match, REGBIT_ACL_HINT_BLOCK " == 1"); + ds_put_format(match, " && (%s)", acl->match); + + ds_truncate(actions, log_verdict_len); + ds_put_format(actions, "ct_commit { %s = 1; }; next;", + ct_blocked_match); + ovn_lflow_add_with_hint(lflows, od, stage, priority, + ds_cstr(match), ds_cstr(actions), + &acl->header_); } } @@ -6728,13 +6620,145 @@ build_port_group_lswitches(struct northd_input *input_data, } } +static void +build_acl_action_lflows(struct ovn_datapath *od, struct hmap *lflows, + const char *default_acl_action, + const struct shash *meter_groups, + struct ds *actions) +{ + enum ovn_stage stages [] = { + S_SWITCH_IN_ACL_ACTION, + S_SWITCH_IN_ACL_AFTER_LB_ACTION, + S_SWITCH_OUT_ACL_ACTION, + }; + + ds_clear(actions); + ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW " = 0; " + REGBIT_ACL_VERDICT_DROP " = 0; " + REGBIT_ACL_VERDICT_REJECT " = 0; "); + size_t verdict_len = actions->length; + + for (size_t i = 0; i < ARRAY_SIZE(stages); i++) { + enum ovn_stage stage = stages[i]; + if (!od->has_acls) { + ovn_lflow_add(lflows, od, stage, 0, "1", "next;"); + continue; + } + ds_truncate(actions, verdict_len); + ds_put_cstr(actions, "next;"); + ovn_lflow_add(lflows, od, stage, 1000, + REGBIT_ACL_VERDICT_ALLOW " == 1", ds_cstr(actions)); + ds_truncate(actions, verdict_len); + ds_put_cstr(actions, debug_implicit_drop_action()); + ovn_lflow_add(lflows, od, stage, 1000, + REGBIT_ACL_VERDICT_DROP " == 1", + ds_cstr(actions)); + bool ingress = ovn_stage_get_pipeline(stage) == P_IN; + char *next_action = + xasprintf("next(pipeline=%s,table=%d);", + ingress ? "egress": "ingress", + ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS_MARK) + : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); + + ds_truncate(actions, verdict_len); + ds_put_format( + actions, "reg0 = 0; " + "reject { " + "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " + "outport <-> inport; %s };", next_action); + + ovn_lflow_metered(lflows, od, stage, 1000, + REGBIT_ACL_VERDICT_REJECT " == 1", ds_cstr(actions), + copp_meter_get(COPP_REJECT, od->nbs->copp, + meter_groups)); + + ds_truncate(actions, verdict_len); + ds_put_cstr(actions, default_acl_action); + ovn_lflow_add(lflows, od, stage, 0, "1", ds_cstr(actions)); + } +} + +static void +build_acl_log_related_flows(struct ovn_datapath *od, struct hmap *lflows, + const struct nbrec_acl *acl, bool has_stateful, + bool ct_masked_mark, + const struct shash *meter_groups, + struct ds *match, struct ds *actions) +{ + /* Related and reply traffic are universally allowed by priority + * 65532 flows created in build_acls(). If logging is enabled on + * the ACL, then we need to ensure that the related and reply + * traffic is logged, so we install a slightly higher-priority + * flow that matches the ACL, allows the traffic, and logs it. + * + * Note: Matching the ct_label.label may prevent OVS flow HW + * offloading to work for some NICs because masked-access of + * ct_label is not supported on those NICs due to HW + * limitations. In such case the user may choose to avoid using the + * "log-related" option. + */ + const char *ct_blocked_match = ct_masked_mark + ? "ct_mark.blocked" + : "ct_label.blocked"; + bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; + bool log_related = smap_get_bool(&acl->options, "log-related", + false); + + if (!strcmp(acl->action, "allow-stateless") || !has_stateful) { + /* Not stateful */ + return; + } + + if (strcmp(acl->action, "allow") && strcmp(acl->action, "allow-related")) { + /* Not an allow ACL */ + return; + } + + if (!acl->log || !acl->label || !log_related) { + /* Missing requirements for logging related ACLs */ + return; + } + + ds_clear(actions); + build_acl_log(actions, acl, meter_groups); + ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); + /* Related/reply flows need to be set on the opposite pipeline + * from where the ACL itself is set. + */ + enum ovn_stage log_related_stage = ingress ? + S_SWITCH_OUT_ACL_EVAL : + S_SWITCH_IN_ACL_EVAL; + ds_clear(match); + ds_put_format(match, "ct.est && !ct.rel && !ct.new%s && " + "ct.rpl && %s == 0 && " + "ct_label.label == %" PRId64, + use_ct_inv_match ? " && !ct.inv" : "", + ct_blocked_match, acl->label); + ovn_lflow_add_with_hint(lflows, od, log_related_stage, + UINT16_MAX - 2, + ds_cstr(match), ds_cstr(actions), + &acl->header_); + + ds_clear(match); + ds_put_format(match, "!ct.est && ct.rel && !ct.new%s && " + "%s == 0 && " + "ct_label.label == %" PRId64, + use_ct_inv_match ? " && !ct.inv" : "", + ct_blocked_match, acl->label); + ovn_lflow_add_with_hint(lflows, od, log_related_stage, + UINT16_MAX - 2, + ds_cstr(match), ds_cstr(actions), + &acl->header_); +} + static void build_acls(struct ovn_datapath *od, const struct chassis_features *features, struct hmap *lflows, const struct hmap *port_groups, const struct shash *meter_groups) { - const char *default_acl_action = default_acl_drop ? debug_drop_action() : - "next;"; + const char *default_acl_action = default_acl_drop ? + debug_implicit_drop_action() : + "next;"; bool has_stateful = od->has_stateful_acl || od->has_lb_vip; const char *ct_blocked_match = features->ct_no_masked_label ? "ct_mark.blocked" @@ -6751,22 +6775,21 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * are any stateful ACLs in this datapath. */ if (!od->has_acls) { if (!od->has_lb_vip) { - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "1", + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX, "1", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "1", + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX, "1", "next;"); } else { - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 0, "1", "next;"); } - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_EVAL, 0, "1", + "next;"); } else { - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", - default_acl_action); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", - default_acl_action); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, 0, "1", - default_acl_action); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_EVAL, 0, "1", + "next;"); } @@ -6795,20 +6818,22 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * uses "next;". */ ds_clear(&match); ds_put_format(&match, "ip && ct.est && %s == 1", ct_blocked_match); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, ds_cstr(&match), - REGBIT_CONNTRACK_COMMIT" = 1; next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, + REGBIT_CONNTRACK_COMMIT" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, ds_cstr(&match), - REGBIT_CONNTRACK_COMMIT" = 1; next;"); + REGBIT_CONNTRACK_COMMIT" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); - default_acl_action = default_acl_drop - ? debug_drop_action() + const char *next_action = default_acl_drop + ? "next;" : REGBIT_CONNTRACK_COMMIT" = 1; next;"; - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, "ip && !ct.est", - default_acl_action); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, "ip && !ct.est", - default_acl_action); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, "ip && !ct.est", + next_action); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, "ip && !ct.est", + next_action); /* Ingress and Egress ACL Table (Priority 65532). * @@ -6821,10 +6846,10 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, ds_put_format(&match, "%s(ct.est && ct.rpl && %s == 1)", use_ct_inv_match ? "ct.inv || " : "", ct_blocked_match); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, - ds_cstr(&match), debug_drop_action()); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, - ds_cstr(&match), debug_drop_action()); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, + ds_cstr(&match), REGBIT_ACL_VERDICT_DROP " = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, + ds_cstr(&match), REGBIT_ACL_VERDICT_DROP " = 1; next;"); /* Ingress and Egress ACL Table (Priority 65535 - 3). * @@ -6840,12 +6865,14 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, "ct.rpl && %s == 0", use_ct_inv_match ? " && !ct.inv" : "", ct_blocked_match); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, ds_cstr(&match), REGBIT_ACL_HINT_DROP" = 0; " REGBIT_ACL_HINT_BLOCK" = 0; " - REGBIT_ACL_HINT_ALLOW_REL" = 1; next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, - ds_cstr(&match), "next;"); + REGBIT_ACL_HINT_ALLOW_REL" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, + ds_cstr(&match), + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); /* Ingress and Egress ACL Table (Priority 65535). * @@ -6861,37 +6888,47 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * that's generated from a non-listening UDP port. */ const char *ct_in_acl_action = features->ct_lb_related - ? REGBIT_ACL_HINT_ALLOW_REL" = 1; ct_commit_nat;" - : REGBIT_ACL_HINT_ALLOW_REL" = 1; next;"; - const char *ct_out_acl_action = features->ct_lb_related - ? "ct_commit_nat;" - : "next;"; + ? REGBIT_ACL_HINT_ALLOW_REL" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; ct_commit_nat;" + : REGBIT_ACL_HINT_ALLOW_REL" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; + const char *ct_out_acl_action = + features->ct_lb_related + ? REGBIT_ACL_VERDICT_ALLOW" = 1; ct_commit_nat;" + : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; ds_clear(&match); ds_put_format(&match, "!ct.est && ct.rel && !ct.new%s && %s == 0", use_ct_inv_match ? " && !ct.inv" : "", ct_blocked_match); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, ds_cstr(&match), ct_in_acl_action); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, ds_cstr(&match), ct_out_acl_action); /* Ingress and Egress ACL Table (Priority 65532). * * Not to do conntrack on ND packets. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, - "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, - "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, + "nd || nd_ra || nd_rs || mldv1 || mldv2", + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, + "nd || nd_ra || nd_rs || mldv1 || mldv2", + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); /* Reply and related traffic matched by an "allow-related" ACL * should be allowed in the ls_in_acl_after_lb stage too. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, UINT16_MAX - 3, - REGBIT_ACL_HINT_ALLOW_REL" == 1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_EVAL, + UINT16_MAX - 3, + REGBIT_ACL_HINT_ALLOW_REL" == 1", + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); } /* Ingress or Egress ACL Table (Various priorities). */ for (size_t i = 0; i < od->nbs->n_acls; i++) { struct nbrec_acl *acl = od->nbs->acls[i]; + build_acl_log_related_flows(od, lflows, acl, has_stateful, + features->ct_no_masked_label, + meter_groups, &match, &actions); consider_acl(lflows, od, acl, has_stateful, features->ct_no_masked_label, meter_groups, &match, &actions); @@ -6900,7 +6937,11 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, HMAP_FOR_EACH (pg, key_node, port_groups) { if (ovn_port_group_ls_find(pg, &od->nbs->header_.uuid)) { for (size_t i = 0; i < pg->nb_pg->n_acls; i++) { - consider_acl(lflows, od, pg->nb_pg->acls[i], has_stateful, + const struct nbrec_acl *acl = pg->nb_pg->acls[i]; + build_acl_log_related_flows(od, lflows, acl, has_stateful, + features->ct_no_masked_label, + meter_groups, &match, &actions); + consider_acl(lflows, od, acl, has_stateful, features->ct_no_masked_label, meter_groups, &match, &actions); } @@ -6924,14 +6965,16 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, &od->nbs->ports[i]->dhcpv4_options->options, "lease_time"); if (server_id && server_mac && lease_time) { const char *dhcp_actions = - has_stateful ? "ct_commit; next;" : "next;"; + has_stateful ? REGBIT_ACL_VERDICT_ALLOW" = 1; " + "ct_commit; next;" + : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; ds_clear(&match); ds_put_format(&match, "outport == \"%s\" && eth.src == %s " "&& ip4.src == %s && udp && udp.src == 67 " "&& udp.dst == 68", od->nbs->ports[i]->name, server_mac, server_id); ovn_lflow_add_with_lport_and_hint( - lflows, od, S_SWITCH_OUT_ACL, 34000, ds_cstr(&match), + lflows, od, S_SWITCH_OUT_ACL_EVAL, 34000, ds_cstr(&match), dhcp_actions, od->nbs->ports[i]->name, &od->nbs->ports[i]->dhcpv4_options->header_); } @@ -6950,15 +6993,17 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, char server_ip[INET6_ADDRSTRLEN + 1]; ipv6_string_mapped(server_ip, &lla); - const char *dhcp6_actions = has_stateful ? "ct_commit; next;" : - "next;"; + const char *dhcp6_actions = + has_stateful ? REGBIT_ACL_VERDICT_ALLOW" = 1; " + "ct_commit; next;" + : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; ds_clear(&match); ds_put_format(&match, "outport == \"%s\" && eth.src == %s " "&& ip6.src == %s && udp && udp.src == 547 " "&& udp.dst == 546", od->nbs->ports[i]->name, server_mac, server_ip); ovn_lflow_add_with_lport_and_hint( - lflows, od, S_SWITCH_OUT_ACL, 34000, ds_cstr(&match), + lflows, od, S_SWITCH_OUT_ACL_EVAL, 34000, ds_cstr(&match), dhcp6_actions, od->nbs->ports[i]->name, &od->nbs->ports[i]->dhcpv6_options->header_); } @@ -6969,24 +7014,32 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * if the CMS has configured DNS records for the datapath. */ if (ls_has_dns_records(od->nbs)) { - const char *dns_actions = has_stateful ? "ct_commit; next;" : "next;"; + const char *dns_actions = + has_stateful ? REGBIT_ACL_VERDICT_ALLOW" = 1; " + "ct_commit; next;" + : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; ovn_lflow_add( - lflows, od, S_SWITCH_OUT_ACL, 34000, "udp.src == 53", + lflows, od, S_SWITCH_OUT_ACL_EVAL, 34000, "udp.src == 53", dns_actions); } if (od->has_acls || od->has_lb_vip) { /* Add a 34000 priority flow to advance the service monitor reply * packets to skip applying ingress ACLs. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 34000, - "eth.dst == $svc_monitor_mac", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 34000, + "eth.dst == $svc_monitor_mac", + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); /* Add a 34000 priority flow to advance the service monitor packets * generated by ovn-controller to skip applying egress ACLs. */ - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 34000, - "eth.src == $svc_monitor_mac", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 34000, + "eth.src == $svc_monitor_mac", + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); } + build_acl_action_lflows(od, lflows, default_acl_action, meter_groups, + &actions); + ds_destroy(&match); ds_destroy(&actions); } diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 5d513e65a..736f5663f 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -684,7 +684,7 @@ -

Ingress table 8: from-lport ACLs before LB

+

Ingress table 8: from-lport ACL evaluation before LB

Logical flows in this table closely reproduce those in the @@ -697,55 +697,65 @@

  • - allow ACLs translate into logical flows with - the next; action. If there are any stateful ACLs - on this datapath, then allow ACLs translate to - ct_commit; next; (which acts as a hint for the next tables - to commit the connection to conntrack). In case the ACL - has a label then reg3 is loaded with the label value and + This table is responsible for evaluating ACLs, and setting a register + bit to indicate whether the ACL decided to allow, drop, or reject the + traffic. The allow bit is reg8[16]. The drop bit is + reg8[17]. All flows in this table will advance the packet + to the next table, where the bits from before are evaluated to + determine what to do with the packet. Any flows in this table that + intend for the packet to pass will set reg8[16] to 1, + even if an ACL with an allow-type action was not matched. This lets the + next table know to allow the traffic to pass. These bits will be + referred to as the "allow", "drop", and "reject" bits in the upcoming + paragraphs. +
    • +
  • + allow ACLs translate into logical flows that set the allow + bit to 1 and advance the packet to the next table. If there are any + stateful ACLs on this datapath, then allow ACLs set the + allow bit to one and in addition perform ct_commit; (which + acts as a hint for future tables to commit the connection to + conntrack). In case the ACL has a label then + reg3 is loaded with the label value and reg0[13] bit is set to 1 (which acts as a hint for the next tables to commit the label to conntrack).
  • - allow-related ACLs translate into logical - flows with the ct_commit(ct_label=0/1); next; actions - for new connections and reg0[1] = 1; next; for existing - connections. In case the ACL has a label then - reg3 is loaded with the label value and + allow-related ACLs translate into logical flows that set + the allow bit and additionally have ct_commit(ct_label=0/1); + next; actions for new connections and reg0[1] = 1; + next; for existing connections. In case the ACL + has a label then reg3 is loaded with the label value and reg0[13] bit is set to 1 (which acts as a hint for the next tables to commit the label to conntrack).
  • - allow-stateless ACLs translate into logical - flows with the next; action. + allow-stateless ACLs translate into logical flows that set + the allow bit and advance to the next table.
  • - reject ACLs translate into logical - flows with the - tcp_reset { output <-> inport; - next(pipeline=egress,table=5);} - action for TCP connections,icmp4/icmp6 action - for UDP connections, and sctp_abort {output <-%gt; inport; - next(pipeline=egress,table=5);} action for SCTP associations. + reject ACLs translate into logical flows with that set the + reject bit and advance to the next table.
  • - Other ACLs translate to drop; for new or untracked - connections and ct_commit(ct_label=1/1); for known - connections. Setting ct_label marks a connection - as one that was previously allowed, but should no longer be - allowed due to a policy change. + Other ACLs set the drop bit and advance to the next table for new or + untracked connections. For known connections, they set the drop bit, + as well as running the ct_commit(ct_label=1/1); action. + Setting ct_label marks a connection as one that was + previously allowed, but should no longer be allowed due to a policy + change.

- This table contains a priority-65535 flow to advance to the next table - if the logical switch has no ACLs configured, otherwise a - priority-0 flow to advance to the next table so that ACLs allow - packets by default if column of is false or not set. Otherwise - the flow action is set to drop; to implement a default - drop behavior. + This table contains a priority-65535 flow to set the allow bit and + advance to the next table if the logical switch has no + ACLs configured, otherwise a priority-0 flow to advance to the next + table is added. This flow does not set the allow bit, so that the next + table can decide whether to allow or drop the packet based on the value + of the column of the table.

@@ -767,24 +777,17 @@

  • - If column of is true, a priority-1 - flow that drops IP traffic that is not part of established - sessions. -
    • - -
  • - A priority-1 flow that sets the hint to commit IP traffic to the - connection tracker (with action reg0[1] = 1; next;). This - is needed for the default allow policy because, while the initiator's - direction may not have any stateful rules, the server's may and then - its return traffic would not be known and marked as invalid. + A priority-1 flow that sets the allow bit and sets the hint to commit + IP traffic to the connection tracker (with action reg0[1] = 1; + next;). This is needed for the default allow policy because, + while the initiator's direction may not have any stateful rules, the + server's may and then its return traffic would not be known and marked + as invalid.
  • - A priority-65532 flow that allows any traffic in the reply - direction for a connection that has been committed to the + A priority-65532 flow that sets the allow bit for any traffic in the + reply direction for a connection that has been committed to the connection tracker (i.e., established flows), as long as the committed flow does not have ct_mark.blocked set. We only handle traffic in the reply direction here because @@ -801,9 +804,9 @@
  • - A priority-65532 flow that allows any traffic that is considered - related to a committed flow in the connection tracker (e.g., an - ICMP Port Unreachable from a non-listening UDP port), as long + A priority-65532 flow that sets the allow bit for any traffic that is + considered related to a committed flow in the connection tracker (e.g., + an ICMP Port Unreachable from a non-listening UDP port), as long as the committed flow does not have ct_mark.blocked set. This flow also applies NAT to the related traffic so that ICMP headers and the inner packet have correct addresses. @@ -813,22 +816,22 @@
  • - A priority-65532 flow that drops all traffic marked by the - connection tracker as invalid. + A priority-65532 flow that sets the drop bit for all traffic marked by + the connection tracker as invalid.
  • - A priority-65532 flow that drops all traffic in the reply direction - with ct_mark.blocked set meaning that the connection - should no longer be allowed due to a policy change. Packets + A priority-65532 flow that sets the drop bit for all traffic in the + reply direction with ct_mark.blocked set meaning that the + connection should no longer be allowed due to a policy change. Packets in the request direction are skipped here to let a newly created ACL re-allow this connection.
  • - A priority-65532 flow that allows IPv6 Neighbor solicitation, - Neighbor discover, Router solicitation, Router advertisement and MLD - packets. + A priority-65532 flow that sets the allow bit for IPv6 Neighbor + solicitation, Neighbor discover, Router solicitation, Router + advertisement and MLD packets.
    • @@ -842,7 +845,7 @@ A priority 34000 logical flow is added for each logical switch datapath with the match eth.dst = E to allow the service monitor reply packet destined to ovn-controller - with the action next, where E is the + that sets the allow bit, where E is the service monitor mac defined in the column of -

    Ingress Table 9: from-lport QoS Marking

    +

    Ingress Table 9: from-lport ACL action

    + +

    + Logical flows in this table decide how to proceed based on the values of + the allow, drop, and reject bits that may have been set in the previous + table. +

    + +
      +
    • + If no ACLs are configured, then a priority 0 flow is installed that + matches everything and advances to the next table. +
      • + +
    • + A priority 1000 flow is installed that will advance the packet to the + next table if the allow bit is set. +
      • + +
    • + A priority 1000 flow is installed that will run the drop; + action if the drop bit is set. +
      • + +
    • + A priority 1000 flow is installed that will run the tcp_reset + { output <-> inport; next(pipeline=egress,table=5);} + action for TCP connections,icmp4/icmp6 action + for UDP connections, and sctp_abort {output <-%gt; inport; + next(pipeline=egress,table=5);} action for SCTP associations. +
      • +
    + +

    Ingress Table 10: from-lport QoS Marking

    Logical flows in this table closely reproduce those in the @@ -872,7 +908,7 @@ -

    Ingress Table 10: from-lport QoS Meter

    +

    Ingress Table 11: from-lport QoS Meter

    Logical flows in this table closely reproduce those in the @@ -894,7 +930,7 @@ -

    Ingress Table 11: Load balancing affinity check

    +

    Ingress Table 12: Load balancing affinity check

    Load balancing affinity check table contains the following @@ -922,7 +958,7 @@ -

    Ingress Table 12: LB

    +

    Ingress Table 13: LB

    • @@ -1002,7 +1038,7 @@
    -

    Ingress Table 13: Load balancing affinity learn

    +

    Ingress Table 14: Load balancing affinity learn

    Load balancing affinity learn table contains the following @@ -1033,7 +1069,7 @@ -

    Ingress Table 14: Pre-Hairpin

    +

    Ingress Table 15: Pre-Hairpin

    • If the logical switch has load balancer(s) configured, then a @@ -1051,7 +1087,7 @@
    -

    Ingress Table 15: Nat-Hairpin

    +

    Ingress Table 16: Nat-Hairpin

    • If the logical switch has load balancer(s) configured, then a @@ -1086,7 +1122,7 @@
    -

    Ingress Table 16: Hairpin

    +

    Ingress Table 17: Hairpin

    • @@ -1120,56 +1156,57 @@

    -

    Ingress table 17: from-lport ACLs after LB

    +

    Ingress table 18: from-lport ACL evaluation after LB

    Logical flows in this table closely reproduce those in the - ACL table in the OVN_Northbound database + ACL eval table in the OVN_Northbound database for the from-lport direction with the option apply-after-lb set to true. The priority values from the ACL table have a limited range and have 1000 added to them to leave room for OVN default - flows at both higher and lower priorities. + flows at both higher and lower priorities. The flows in this table + indicate the ACL verdict by setting reg8[16] for + allow-type ACLs, reg8[17] for drop + ACLs, and reg8[17] for reject ACLs, and then + advancing the packet to the next table. These will be reffered to as the + allow bit, drop bit, and reject bit throughout the documentation for this + table and the next one.

    • allow apply-after-lb ACLs translate into logical flows - with the next; action. If there are any stateful ACLs + that set the allow bit. If there are any stateful ACLs (including both before-lb and after-lb ACLs) - on this datapath, then allow ACLs translate to - ct_commit; next; (which acts as a hint for the next tables - to commit the connection to conntrack). In case the ACL - has a label then reg3 is loaded with the label value and - reg0[13] bit is set to 1 (which acts as a hint for the - next tables to commit the label to conntrack). + on this datapath, then allow ACLs also run + ct_commit; next; (which acts as a hint for an upcoming + table to commit the connection to conntrack). In case the + ACL has a label then reg3 is loaded with the + label value and reg0[13] bit is set to 1 (which acts as a + hint for the next tables to commit the label to conntrack).
    • allow-related apply-after-lb ACLs translate into logical - flows with the ct_commit(ct_label=0/1); next; actions - for new connections and reg0[1] = 1; next; for existing - connections. In case the ACL has a label then - reg3 is loaded with the label value and + flows that set the allow bit and run the ct_commit(ct_label=0/1); + next; actions for new connections and reg0[1] = 1; + next; for existing connections. In case the ACL + has a label then reg3 is loaded with the label value and reg0[13] bit is set to 1 (which acts as a hint for the next tables to commit the label to conntrack).
    • allow-stateless apply-after-lb ACLs translate into logical - flows with the next; action. + flows that set the allow bit and advance to the next table.
    • reject apply-after-lb ACLs translate into logical - flows with the - tcp_reset { output <-> inport; - next(pipeline=egress,table=5);} - action for TCP connections,icmp4/icmp6 action - for UDP connections, and sctp_abort {output <-%gt; inport; - next(pipeline=egress,table=5);} action for SCTP associations. + flows that set the reject bit and advance to the next table.
    • - Other apply-after-lb ACLs translate to drop; for new - or untracked connections and ct_commit(ct_label=1/1); for - known connections. Setting ct_label marks a connection + Other apply-after-lb ACLs set the drop bit for new or untracked + connections and ct_commit(ct_label=1/1); for known + connections. Setting ct_label marks a connection as one that was previously allowed, but should no longer be allowed due to a policy change.
      • @@ -1179,8 +1216,8 @@
    • One priority-65532 flow matching packets with reg0[17] set (either replies to existing sessions or traffic related to - existing sessions) and allows these by advancing to the next - table. + existing sessions) and allows these by setting the allow bit and + advancing to the next table.
    @@ -1191,7 +1228,40 @@ -

    Ingress Table 18: Stateful

    +

    Ingress Table 19: from-lport ACL action after LB

    + +

    + Logical flows in this table decide how to proceed based on the values of + the allow, drop, and reject bits that may have been set in the previous + table. +

    + +
      +
    • + If no ACLs are configured, then a priority 0 flow is installed that + matches everything and advances to the next table. +
      • + +
    • + A priority 1000 flow is installed that will advance the packet to the + next table if the allow bit is set. +
      • + +
    • + A priority 1000 flow is installed that will run the drop; + action if the drop bit is set. +
      • + +
    • + A priority 1000 flow is installed that will run the tcp_reset + { output <-> inport; next(pipeline=egress,table=5);} + action for TCP connections,icmp4/icmp6 action + for UDP connections, and sctp_abort {output <-%gt; inport; + next(pipeline=egress,table=5);} action for SCTP associations. +
      • +
    + +

    Ingress Table 20: Stateful

    • @@ -1214,7 +1284,7 @@
    -

    Ingress Table 19: ARP/ND responder

    +

    Ingress Table 21: ARP/ND responder

    This table implements ARP/ND responder in a logical switch for known @@ -1540,7 +1610,7 @@ output; -

    Ingress Table 20: DHCP option processing

    +

    Ingress Table 22: DHCP option processing

    This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1601,7 +1671,7 @@ next; -

    Ingress Table 21: DHCP responses

    +

    Ingress Table 23: DHCP responses

    This table implements DHCP responder for the DHCP replies generated by @@ -1682,7 +1752,7 @@ output; -

    Ingress Table 22 DNS Lookup

    +

    Ingress Table 24 DNS Lookup

    This table looks up and resolves the DNS names to the corresponding @@ -1711,7 +1781,7 @@ reg0[4] = dns_lookup(); next; -

    Ingress Table 23 DNS Responses

    +

    Ingress Table 25 DNS Responses

    This table implements DNS responder for the DNS replies generated by @@ -1746,7 +1816,7 @@ output; -

    Ingress table 24 External ports

    +

    Ingress table 26 External ports

    Traffic from the external logical ports enter the ingress @@ -1789,7 +1859,7 @@ output; -

    Ingress Table 25 Destination Lookup

    +

    Ingress Table 27 Destination Lookup

    This table implements switching behavior. It contains these logical @@ -1958,7 +2028,7 @@ output; -

    Ingress Table 26 Destination unknown

    +

    Ingress Table 28 Destination unknown

    This table handles the packets whose destination was not found or @@ -2108,11 +2178,15 @@ output; This is similar to ingress table ACL hints.

    -

    Egress Table 4: to-lport ACLs

    +

    Egress Table 4: to-lport ACL evaluation

    - This is similar to ingress table ACLs except for - to-lport ACLs. + This is similar to ingress table ACL eval except for + to-lport ACLs. As a reminder, these flows use the + following register bits to indicate their verdicts. + Allow-type ACLs set reg8[16], drop + ACLs set reg8[17], and reject ACLs set + reg8[18].

    @@ -2123,14 +2197,16 @@ output; A priority 34000 logical flow is added for each logical port which has DHCPv4 options defined to allow the DHCPv4 reply packet and which has DHCPv6 options defined to allow the DHCPv6 reply packet from the - Ingress Table 18: DHCP responses. + Ingress Table 18: DHCP responses. This is indicated by + setting the allow bit.

  • A priority 34000 logical flow is added for each logical switch datapath configured with DNS records with the match udp.dst = 53 to allow the DNS reply packet from the - Ingress Table 20: DNS responses. + Ingress Table 20: DNS responses. This is indicated by + setting the allow bit.
  • @@ -2141,32 +2217,38 @@ output; service monitor mac defined in the column of table. + db="OVN_Northbound"/> table. This is indicated by setting the allow + bit.
    • -

    Egress Table 5: to-lport QoS Marking

    +

    Egress Table 5: to-lport ACL action

    +

    + This is similar to ingress table ACL action. +

    + +

    Egress Table 6: to-lport QoS Marking

    This is similar to ingress table QoS marking except they apply to to-lport QoS rules.

    -

    Egress Table 6: to-lport QoS Meter

    +

    Egress Table 7: to-lport QoS Meter

    This is similar to ingress table QoS meter except they apply to to-lport QoS rules.

    -

    Egress Table 7: Stateful

    +

    Egress Table 8: Stateful

    This is similar to ingress table Stateful except that there are no rules added for load balancing new connections.

    -

    Egress Table 8: Egress Port Security - check

    +

    Egress Table 9: Egress Port Security - check

    This is similar to the port security logic in table @@ -2195,7 +2277,7 @@ output; -

    Egress Table 9: Egress Port Security - Apply

    +

    Egress Table 10: Egress Port Security - Apply

    This is similar to the ingress port security logic in ingress table diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 597aed00b..c77a22caf 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -914,9 +914,9 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=drop +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$i @@ -936,7 +936,7 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi if test "$i" = 10; then @@ -962,12 +962,12 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$(($i * 2)) @@ -1087,9 +1087,9 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=drop -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=drop -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=drop +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else # (1 conj_id flow + 3 tp_dst flows) = 4 extra flows @@ -1101,8 +1101,8 @@ priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=33 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1129,9 +1129,9 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=drop -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=drop -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=drop +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$((14 - $i)) @@ -1153,8 +1153,8 @@ for i in $(seq 10); do AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) @@ -1284,7 +1284,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows @@ -1296,8 +1296,8 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=conjunction,1/2) @@ -1326,7 +1326,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$((21 - $i*2)) @@ -1352,9 +1352,9 @@ for i in $(seq 2 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$i @@ -1378,8 +1378,8 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) elif test "$i" = 10; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep "priority=1100"], [1], [ignore]) @@ -1441,8 +1441,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$(($i*2)) @@ -1454,12 +1454,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=dr grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi done @@ -1537,8 +1537,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) elif test "$i" -lt 6; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$(($i*2)) @@ -1553,12 +1553,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=dr grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi done @@ -1635,7 +1635,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows @@ -1647,8 +1647,8 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1675,7 +1675,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$((21 - $i*2)) @@ -1697,8 +1697,8 @@ for i in $(seq 10); do AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1737,8 +1737,8 @@ check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1761,8 +1761,8 @@ check ovn-nbctl --wait=hv remove address_set as1 addresses 10.0.0.4,10.0.0.5 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1819,9 +1819,9 @@ check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1844,9 +1844,9 @@ check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1875,9 +1875,9 @@ check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1939,9 +1939,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=drop -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=drop -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=drop +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$i @@ -1962,7 +1962,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=drop +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi if test "$i" = 5; then @@ -2020,9 +2020,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=drop -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=drop -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=drop +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$i @@ -2042,7 +2042,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=drop +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi if test "$i" = 5; then diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index ef29233db..45e2057e5 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -1446,7 +1446,7 @@ ovn-sbctl set service_monitor $sm_sw1_p1 status=offline AT_CAPTURE_FILE([sbflows12]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows12 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" | grep priority=120 | grep ls_in_lb | sed 's/table=..//'], [0], [dnl - (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=5);};) + (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=6);};) ]) AT_CLEANUP @@ -2165,10 +2165,10 @@ AT_CAPTURE_FILE([sw1flows]) AT_CHECK( [grep -E 'ls_(in|out)_acl' sw0flows sw1flows | grep pg0 | sort], [0], [dnl -sw0flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows: table=8 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) -sw1flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows: table=8 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) +sw0flows: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) +sw0flows: table=8 (ls_in_acl_eval ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg8[[18]] = 1; next;) +sw1flows: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) +sw1flows: table=8 (ls_in_acl_eval ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg8[[18]] = 1; next;) ]) AS_BOX([2]) @@ -2181,10 +2181,10 @@ ovn-sbctl dump-flows sw1 > sw1flows2 AT_CAPTURE_FILE([sw1flows2]) AT_CHECK([grep "ls_out_acl" sw0flows2 sw1flows2 | grep pg0 | sort], [0], [dnl -sw0flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) +sw0flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg8[[18]] = 1; next;) +sw0flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) +sw1flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg8[[18]] = 1; next;) +sw1flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) ]) AS_BOX([3]) @@ -2197,19 +2197,20 @@ ovn-sbctl dump-flows sw1 > sw1flows3 AT_CAPTURE_FILE([sw1flows3]) AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 | sort], [0], [dnl -sw0flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) -sw0flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) -sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) -sw1flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) -sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2003 , match=(reg0[[10]] == 1 && (outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2003 , match=(reg0[[9]] == 1 && (outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2003 , match=(reg0[[10]] == 1 && (outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2003 , match=(reg0[[9]] == 1 && (outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) ]) + AT_CLEANUP ]) @@ -2458,11 +2459,11 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=3 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=4 (ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;) @@ -2470,11 +2471,11 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=7 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=8 (ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) ]) AS_BOX([Check match ct_state with load balancer]) @@ -2484,9 +2485,9 @@ check ovn-nbctl --wait=sb \ -- lb-add lb "10.0.0.1" "10.0.0.2" \ -- ls-lb-add ls lb -AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl - table=17(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=17(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) +AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl_eval -e ls_out_acl_eval -e ls_in_acl_after_lb_eval | sort], [0], [dnl + table=18(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=18(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -2495,16 +2496,16 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=3 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=4 (ls_out_acl ), priority=0 , match=(1), action=(next;) - table=4 (ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(next;) - table=4 (ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=4 (ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=7 (ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -2513,27 +2514,27 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=7 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=8 (ls_in_acl ), priority=0 , match=(1), action=(next;) - table=8 (ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(next;) - table=8 (ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=8 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=8 (ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) ovn-nbctl --wait=sb clear logical_switch ls acls ovn-nbctl --wait=sb clear logical_switch ls load_balancer -AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl - table=17(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl_eval -e ls_out_acl_eval -e ls_in_acl_after_lb_eval | sort], [0], [dnl + table=18(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=3 (ls_out_acl_hint ), priority=65535, match=(1), action=(next;) - table=4 (ls_out_acl ), priority=65535, match=(1), action=(next;) + table=4 (ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=7 (ls_in_acl_hint ), priority=65535, match=(1), action=(next;) - table=8 (ls_in_acl ), priority=65535, match=(1), action=(next;) + table=8 (ls_in_acl_eval ), priority=65535, match=(1), action=(next;) ]) @@ -4163,10 +4164,10 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_lb" sw0flows | sort], [0], []) - AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) } @@ -4226,10 +4227,10 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | sort], [0], [dnl table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CLEANUP @@ -4248,9 +4249,9 @@ check ovn-nbctl --wait=sb --label=1234 acl-add sw0 from-lport 1002 tcp allow-rel ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) @@ -4258,14 +4259,14 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | sort], [0], [dnl + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) # Add new ACL without label @@ -4275,11 +4276,11 @@ check ovn-nbctl --wait=sb acl-add sw0 from-lport 1002 udp allow-related ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) @@ -4287,16 +4288,16 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | sort], [0], [dnl + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) # Delete new ACL with label @@ -4306,9 +4307,9 @@ check ovn-nbctl --wait=sb acl-del sw0 from-lport 1002 tcp ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) @@ -4316,14 +4317,14 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | sort], [0], [dnl + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CLEANUP ]) @@ -4340,18 +4341,18 @@ check ovn-nbctl --wait=sb acl-add sw0 to-lport 1002 ip allow-related ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) # Disable ct.inv usage. @@ -4360,18 +4361,18 @@ check ovn-nbctl --wait=sb set NB_Global . options:use_ct_inv_match=false ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep -c "ct.inv" sw0flows], [1], [dnl @@ -4384,18 +4385,18 @@ check ovn-nbctl --wait=sb set NB_Global . options:use_ct_inv_match=true ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl @@ -6434,7 +6435,7 @@ set_acl_options() { } record_log_flows() { - ovn-sbctl lflow-list sw0 | grep -E 'ls_(out|in)_acl.*, priority=65533' | sed 's/table=../table=??/' | sort > log_flows + ovn-sbctl lflow-list sw0 | grep -E 'ls_(out|in)_acl_eval.*, priority=65533' | sed 's/table=../table=??/' | sort > log_flows } check_log_flows_count() { @@ -6444,9 +6445,9 @@ check_log_flows_count() { echo $table if test -f log_flows; then - count=$(grep -c -E ls_${table}_acl log_flows) + count=$(grep -c -E ls_${table}_acl_eval log_flows) else - count=$(ovn-sbctl lflow-list sw0 | grep -c -E "ls_$table_acl.*, priority=65533") + count=$(ovn-sbctl lflow-list sw0 | grep -c -E "ls_$table_acl_eval.*, priority=65533") fi check test "$count" -eq "$expected" @@ -6490,10 +6491,10 @@ check_log_flows_count 0 in # Now ensure the flows are what we expect them to be for the ACLs we created AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows @@ -6511,10 +6512,10 @@ check_log_flows_count 0 in # And the log flows will remain the same since the stateless ACL will not be represented. AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows @@ -6533,8 +6534,8 @@ check_log_flows_count 0 in # And make sure only the allow ACL has the log flows installed AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows @@ -6550,8 +6551,8 @@ check_log_flows_count 0 in # And make sure only the allow ACL has the log flows installed AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows @@ -6595,10 +6596,10 @@ check_log_flows_count 0 out # Now ensure the flows are what we expect them to be for the ACLs we created AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows @@ -6616,10 +6617,10 @@ check_log_flows_count 0 out # And the log flows will remain the same since the stateless ACL will not be represented. AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows @@ -6638,8 +6639,8 @@ check_log_flows_count 0 out # And make sure only the allow ACL has the log flows installed AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows @@ -6655,8 +6656,8 @@ check_log_flows_count 0 out # And make sure only the allow ACL has the log flows installed AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows @@ -6738,25 +6739,25 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows ls > lsflows AT_CAPTURE_FILE([lsflows]) -AT_CHECK([grep -e "ls_in_acl" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl ), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(/* drop */) - table=??(ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(next;) - table=??(ls_in_acl ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(/* drop */) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) +AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_eval ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -6792,25 +6793,25 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows ls > lsflows AT_CAPTURE_FILE([lsflows]) -AT_CHECK([grep -e "ls_in_acl" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl_after_lb ), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(/* drop */) - table=??(ls_in_acl_after_lb ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl_after_lb ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl_after_lb ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl_after_lb ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(next;) - table=??(ls_in_acl_after_lb ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl_after_lb ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(/* drop */) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) +AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -6846,25 +6847,25 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows ls > lsflows AT_CAPTURE_FILE([lsflows]) -AT_CHECK([grep -e "ls_in_acl" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl_after_lb ), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(/* drop */) - table=??(ls_in_acl_after_lb ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl_after_lb ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(/* drop */) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) +AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -7155,12 +7156,15 @@ flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00: AS_BOX([No ACL, default_acl_drop not set]) check ovn-nbctl --wait=sb sync AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7174,12 +7178,15 @@ output("lsp2"); AS_BOX([No ACL, default_acl_drop false]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7193,12 +7200,15 @@ output("lsp2"); AS_BOX([No ACL, default_acl_drop true]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7216,15 +7226,27 @@ check ovn-nbctl acl-add ls from-lport 1 "ip4 && tcp" allow AS_BOX([from-lport ACL, default_acl_drop not set]) check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7238,15 +7260,27 @@ output("lsp2"); AS_BOX([from-lport ACL, default_acl_drop false]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7260,15 +7294,27 @@ output("lsp2"); AS_BOX([from-lport ACL, default_acl_drop true]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7282,18 +7328,26 @@ AS_BOX([from-lport ACL allow-related, default_acl_drop true]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb acl-add ls from-lport 1 "ip4 && tcp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -7307,14 +7361,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -7342,15 +7400,27 @@ check ovn-nbctl --apply-after-lb acl-add ls from-lport 1 "ip4 && tcp" allow AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop not set]) check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7364,15 +7434,27 @@ output("lsp2"); AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop false]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7386,15 +7468,27 @@ output("lsp2"); AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop true]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7408,18 +7502,26 @@ AS_BOX([from-lport --apply-after-lb ACL allow-related, default_acl_drop true]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --apply-after-lb acl-add ls from-lport 1 "ip4 && tcp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -7433,14 +7535,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -7468,15 +7574,27 @@ check ovn-nbctl acl-add ls to-lport 1 "ip4 && tcp" allow AS_BOX([to-lport ACL, default_acl_drop not set]) check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7490,15 +7608,27 @@ output("lsp2"); AS_BOX([to-lport ACL, default_acl_drop false]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7512,15 +7642,27 @@ output("lsp2"); AS_BOX([to-lport ACL, default_acl_drop true]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) @@ -7534,16 +7676,24 @@ AS_BOX([to-lport ACL allow-related, default_acl_drop true]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb acl-add ls to-lport 1 "ip4 && tcp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -7557,16 +7707,20 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -7719,6 +7873,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) @@ -7726,8 +7882,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 "00:00:00:00:00:01" @@ -7744,6 +7898,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) @@ -7753,8 +7909,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3 1000::3" @@ -7770,6 +7924,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) @@ -7779,8 +7935,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) # Disable sw0p1 @@ -7797,6 +7951,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(drop;) @@ -7807,8 +7963,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 @@ -7824,6 +7978,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(drop;) @@ -7834,8 +7990,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl set logical_switch_port sw0p1 enabled=true @@ -7850,10 +8004,13 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=17);) table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) @@ -7863,9 +8020,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) AT_CLEANUP @@ -7891,7 +8045,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl table=7 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && reg0 == 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);) table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;) table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) - table=12(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);) + table=13(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);) table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) ]) @@ -7903,7 +8057,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl table=7 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && reg0 == 66.66.66.66), action=(ct_lb(backends=42.42.42.2);) table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb;) table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;) - table=12(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb(backends=42.42.42.2);) + table=13(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb(backends=42.42.42.2);) table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;) ]) @@ -7931,7 +8085,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl table=7 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && reg0 == 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);) table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;) table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) - table=12(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);) + table=13(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);) table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) ]) @@ -7956,18 +8110,18 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked' ], [0], [dnl table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) ]) AS_BOX([Chassis registered that doesn't support ct_mark.blocked - use ct_label.blocked]) @@ -7978,18 +8132,18 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked' ], [0], [dnl table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_label.blocked == 1), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_label.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_label.blocked == 1), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_label.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) ]) AS_BOX([Chassis upgrades and supports ct_mark.blocked - use ct_mark.blocked]) @@ -8000,18 +8154,18 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked' ], [0], [dnl table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) ]) AT_CLEANUP @@ -8093,11 +8247,11 @@ ovn-sbctl dump-flows S1 > S1flows AT_CAPTURE_FILE([S0flows]) AT_CAPTURE_FILE([S1flows]) -AT_CHECK([grep "ls_in_lb " S0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb " S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "ls_in_lb " S1flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb " S1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) ovn-nbctl --wait=sb set NB_Global . options:install_ls_lb_from_router=true @@ -8108,15 +8262,15 @@ ovn-sbctl dump-flows S1 > S1flows AT_CAPTURE_FILE([S0flows]) AT_CAPTURE_FILE([S1flows]) -AT_CHECK([grep "ls_in_lb " S0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) +AT_CHECK([grep "ls_in_lb " S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) ]) -AT_CHECK([grep "ls_in_lb " S1flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) +AT_CHECK([grep "ls_in_lb " S1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) ]) ovn-sbctl get datapath S0 _uuid > dp_uuids @@ -8135,11 +8289,11 @@ ovn-sbctl dump-flows S1 > S1flows AT_CAPTURE_FILE([S0flows]) AT_CAPTURE_FILE([S1flows]) -AT_CHECK([grep "ls_in_lb " S0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb " S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "ls_in_lb " S1flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb " S1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) check_column "" sb:load_balancer datapaths name=lb0 @@ -8219,18 +8373,18 @@ ovn-sbctl dump-flows R1 > R1flows AT_CAPTURE_FILE([S0flows]) AT_CAPTURE_FILE([R1flows]) -AT_CHECK([grep "ls_in_lb_aff_check" S0flows | sort], [0], [dnl - table=11(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb_aff_check" S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | sort], [0], [dnl - table=13(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sort], [0], [dnl - table=6 (lr_in_lb_aff_check ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_lb_aff_check ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sort], [0], [dnl - table=8 (lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) ]) ovn-nbctl --wait=sb set load_balancer lb0 options:affinity_timeout=60 @@ -8239,44 +8393,44 @@ AS_BOX([Test LS flows]) ovn-sbctl dump-flows S0 > S0flows AT_CAPTURE_FILE([S0flows]) -AT_CHECK([grep "ls_in_lb_aff_check" S0flows | sort], [0], [dnl - table=11(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) - table=11(ls_in_lb_aff_check ), priority=100 , match=(ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80), action=(reg9[[6]] = chk_lb_aff(); next;) +AT_CHECK([grep "ls_in_lb_aff_check" S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb_aff_check ), priority=100 , match=(ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80), action=(reg9[[6]] = chk_lb_aff(); next;) ]) -AT_CHECK([grep "ls_in_lb " S0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) - table=12(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) - table=12(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) +AT_CHECK([grep "ls_in_lb " S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) ]) -AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | sort], [0], [dnl - table=13(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) - table=13(ls_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */) - table=13(ls_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */) +AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */) + table=??(ls_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */) ]) AS_BOX([Test LR flows]) ovn-sbctl dump-flows R1 > R1flows AT_CAPTURE_FILE([R1flows]) -AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sort], [0], [dnl - table=6 (lr_in_lb_aff_check ), priority=0 , match=(1), action=(next;) - table=6 (lr_in_lb_aff_check ), priority=100 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80), action=(reg9[[6]] = chk_lb_aff(); next;) +AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_lb_aff_check ), priority=0 , match=(1), action=(next;) + table=??(lr_in_lb_aff_check ), priority=100 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80), action=(reg9[[6]] = chk_lb_aff(); next;) ]) -AT_CHECK([grep "lr_in_dnat " R1flows | sort], [0], [dnl - table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);) - table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) +AT_CHECK([grep "lr_in_dnat " R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) + table=??(lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(next;) + table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) -AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sort], [0], [dnl - table=8 (lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) - table=8 (lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */) - table=8 (lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */) +AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) + table=??(lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */) + table=??(lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */) ]) AS_BOX([Test LR flows - skip_snat=true]) @@ -8285,15 +8439,15 @@ check ovn-nbctl --wait=sb set load_balancer lb0 options:skip_snat=true ovn-sbctl dump-flows R1 > R1flows_skip_snat AT_CAPTURE_FILE([R1flows_skip_snat]) -AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | sort], [0], [dnl - table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) - table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) +AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) + table=??(lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) check ovn-nbctl remove load_balancer lb0 options skip_snat @@ -8304,15 +8458,15 @@ check ovn-nbctl --wait=sb set logical_router R1 options:lb_force_snat_ip="172.16 ovn-sbctl dump-flows R1 > R1flows_force_snat AT_CAPTURE_FILE([R1flows_force_snat]) -AT_CHECK([grep "lr_in_dnat " R1flows_force_snat | sort], [0], [dnl - table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; force_snat);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);) - table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) +AT_CHECK([grep "lr_in_dnat " R1flows_force_snat | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) + table=??(lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.16.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; force_snat);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CLEANUP @@ -8474,8 +8628,10 @@ check ovn-nbctl --wait=sb \ -- acl-add S1 from-lport 100 'inport=p1 && ip4' allow-stateless AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) @@ -8487,8 +8643,10 @@ check ovn-nbctl --wait=sb \ -- acl-add S1 from-lport 2 "udp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) @@ -8500,8 +8658,10 @@ check ovn-nbctl --wait=sb \ -- ls-lb-add S1 lb AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) @@ -8511,8 +8671,10 @@ check ovn-nbctl --wait=sb \ -- acl-add S1 from-lport 100 'inport=p1 && ip4' allow-stateless AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) @@ -8523,8 +8685,10 @@ check ovn-nbctl --wait=sb \ -- acl-add S1 from-lport 2 "udp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) @@ -8597,15 +8761,15 @@ AT_CHECK([grep -e "lr_in_defrag" -e "lr_in_dnat" lflows0], [0], [dnl ]) AT_CHECK([grep -e "ls_in_acl" -e "ls_out_acl" lflows0 | grep "priority=65532"], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) ]) @@ -8639,15 +8803,15 @@ AT_CHECK([ovn-sbctl lflow-list | grep lr_in_dnat], [0], [dnl check ovn-nbctl remove load_balancer lb-test options skip_snat AT_CHECK([grep -e "ls_in_acl" -e "ls_out_acl" lflows1 | grep "priority=65532"], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) ]) AS_BOX([Chassis upgrades and supports CT related]) @@ -8669,15 +8833,15 @@ AT_CHECK([grep -e "lr_in_defrag" -e "lr_in_dnat" lflows2], [0], [dnl ]) AT_CHECK([grep -e "ls_in_acl" -e "ls_out_acl" lflows2 | grep "priority=65532"], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) ]) AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index c2883ffca..ebac5fc54 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -16259,8 +16259,8 @@ ovn-nbctl --wait=hv sync ovn-sbctl dump-flows sw0 > sw0-flows AT_CAPTURE_FILE([sw0-flows]) -AT_CHECK([grep -E 'ls_(in|out)_acl' sw0-flows |grep reject| sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_out_acl ), priority=2002 , match=(ip), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) +AT_CHECK([grep -E 'ls_out_acl' sw0-flows | grep reject | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) ]) @@ -17856,15 +17856,15 @@ check ovn-nbctl acl-add ls1 to-lport 3 'ip4.src==10.0.0.1' allow check ovn-nbctl --wait=hv sync # Check OVS flows, the less restrictive flows should have been installed. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45) + table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) @@ -17905,11 +17905,11 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45) + table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) @@ -17923,8 +17923,8 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction() @@ -17963,11 +17963,11 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45) + table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) @@ -17984,16 +17984,16 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction() - table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45) + table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() - table=44, priority=1003,udp,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,udp6,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) ]) OVN_CLEANUP([hv1]) @@ -19380,7 +19380,7 @@ wait_for_ports_up ls1-lp_ext1 # There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined # to router mac. AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \ -table=32,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ +table=34,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ grep -c "actions=drop"], [0], [1 ]) # Stop ovn-controllers on hv1 and hv3. @@ -21003,7 +21003,7 @@ check_virtual_offlows_present() { lr0_public_dp_key=$(printf "%x" $(fetch_column Port_Binding tunnel_key logical_port=lr0-public)) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=44,ip | ofctl_strip_all | grep "priority=2000"], [0], [dnl - table=44, priority=2000,ip,metadata=0x$sw0_dp_key actions=resubmit(,45) + table=44, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) ]) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=11 | ofctl_strip_all | \ @@ -21041,7 +21041,7 @@ check_row_count Port_Binding 1 logical_port=sw0-vir virtual_parent=sw0-p1 wait_for_ports_up sw0-vir check ovn-nbctl --wait=hv sync AT_CHECK([test 2 = `cat hv1/ovn-controller.log | grep "pinctrl received packet-in" | \ -grep opcode=BIND_VPORT | grep OF_Table_ID=27 | wc -l`]) +grep opcode=BIND_VPORT | grep OF_Table_ID=29 | wc -l`]) wait_row_count Port_Binding 1 logical_port=sw0-vir6 chassis=$hv1_ch_uuid check_row_count Port_Binding 1 logical_port=sw0-vir6 virtual_parent=sw0-p1 @@ -28377,7 +28377,11 @@ check ovn-nbctl acl-add ls1 from-lport 1 '1' drop check ovn-nbctl --wait=hv sync AT_CHECK([test "$expr_cnt" = "$(get_cache_count cache-expr)"], [0], []) -AT_CHECK([test "$(($matches_cnt + 1))" = "$(get_cache_count cache-matches)"], [0], []) +# Changing from having no ACLs to having ACLs adds 9 logical flows, 3 in each +# of ls_in_acl_action, ls_in_acl_after_lb_action, and ls_out_acl_action, plus the +# logical flow representing the ACL itself. This is where the 10 comes from in +# the calculation below. +AT_CHECK([test "$(($matches_cnt + 10))" = "$(get_cache_count cache-matches)"], [0], []) AS_BOX([Check expr caching for is_chassis_resident() matches]) expr_cnt=$(get_cache_count cache-expr) @@ -31629,9 +31633,10 @@ check ovn-nbctl --wait=hv sync dp_key=$(fetch_column Datapath_Binding tunnel_key external_ids:name=ls) rtr_port_key=$(fetch_column Port_Binding tunnel_key logical_port=ls_lr) +ovs-ofctl dump-flows br-int table=16 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[49],resubmit(,17)" # Check that ovn-controller adds a flow to drop packets with dest IP # 42.42.42.42 coming from the router port. -AT_CHECK([ovs-ofctl dump-flows br-int table=16 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=drop" -c], [0], [dnl +AT_CHECK([ovs-ofctl dump-flows br-int table=16 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4\[\[49\]\],resubmit(,17)" -c], [0], [dnl 1 ]) @@ -32379,15 +32384,15 @@ done check ovn-nbctl --wait=hv sync # hv0 should see flows for lsp1 but not lsp2 -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [0], [ignore]) -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=27 | grep 10.0.2.2], [1]) +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=29 | grep 10.0.2.2], [1]) # hv2 should see flows for lsp2 but not lsp1 -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.2.2], [0], [ignore]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [1]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.2.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [1]) # Change lrp_lr_ls1 to a regular lrp, hv2 should see flows for lsp1 check ovn-nbctl --wait=hv lrp-del-gateway-chassis lrp_lr_ls1 hv1 -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) # Change it back, and trigger recompute to make sure extra flows are removed # from hv2 (recompute is needed because currently I-P adds local datapaths but @@ -32395,11 +32400,11 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [0], [ig check ovn-nbctl --wait=hv lrp-set-gateway-chassis lrp_lr_ls1 hv1 1 as hv2 check ovn-appctl -t ovn-controller recompute ovn-nbctl --wait=hv sync -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [1]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [1]) # Enable dnat_and_snat on lr, and now hv2 should see flows for lsp1. AT_CHECK([ovn-nbctl --wait=hv --gateway-port=lrp_lr_ls1 lr-nat-add lr dnat_and_snat 192.168.0.1 10.0.1.3 lsp1 f0:00:00:00:00:03]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) OVN_CLEANUP([hv1],[hv2]) AT_CLEANUP @@ -34413,14 +34418,14 @@ lsp2=0x$(fetch_column Port_Binding tunnel_key logical_port=lsp2) dnl Ensure the ACL is translated to OpenFlows expanding pg1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=resubmit(,17) - table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=resubmit(,17) + table=16, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) + table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) ]) dnl Remove a port from pg1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv pg-set-ports pg1 lsp2 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=resubmit(,17) + table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) ]) dnl Change the Chassis_Template_Var mapping to use the address set. @@ -34429,14 +34434,14 @@ check ovn-nbctl --wait=hv set Chassis_Template_Var hv1 variables:CONDITION='ip4. dnl Ensure the ACL is translated to OpenFlows expanding as1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=resubmit(,17) - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=resubmit(,17) + table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) + table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) ]) dnl Remove an IP from AS1 and expect OpenFlows to be correctly updated. check ovn-nbctl set address_set as1 addresses=\"1.1.1.1\" AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=resubmit(,17) + table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) ]) dnl Remove the mapping and expect OpenFlows to be removed. diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 8afb4db56..5e593461a 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -8550,7 +8550,7 @@ ovn-sbctl list ip_multicast wait_igmp_flows_installed() { - OVS_WAIT_UNTIL([ovs-ofctl dump-flows br-int table=33 | \ + OVS_WAIT_UNTIL([ovs-ofctl dump-flows br-int table=35 | \ grep 'priority=90' | grep "nw_dst=$1"]) } From patchwork Tue Mar 21 17:59:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1759538 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=VyhVhg9c; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Pgzrd5Chdz247m for ; Wed, 22 Mar 2023 04:59:29 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 30F194173A; Tue, 21 Mar 2023 17:59:27 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 30F194173A Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=VyhVhg9c X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CMVRO0MJLRKp; Tue, 21 Mar 2023 17:59:21 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id A833D40C2A; Tue, 21 Mar 2023 17:59:20 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org A833D40C2A Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 82294C0032; Tue, 21 Mar 2023 17:59:18 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 63154C0032 for ; Tue, 21 Mar 2023 17:59:17 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 3D80041899 for ; Tue, 21 Mar 2023 17:59:17 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 3D80041899 Authentication-Results: smtp4.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=VyhVhg9c X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vrkzwvYGGesT for ; Tue, 21 Mar 2023 17:59:15 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org C070B41877 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp4.osuosl.org (Postfix) with ESMTPS id C070B41877 for ; Tue, 21 Mar 2023 17:59:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1679421553; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xRCzhyBkNtYKKNYxpLVOp/6KgzzmOerKIbw1sx3ZP2E=; b=VyhVhg9c6/e/nu5gf1HJwM4Ge3BTgJtdb5FTxjM7DY8/oZ8fadK7BdOzQ+CDeNtbYy7nCa wd+DXmLAwcga3RBpmgreessoIBvrm/R+VOUprzRmOhuG2Z7BIqCdKQQqOGjnDYnadUgZ4v FTb/JmDdMKDl4RkLIq3RHoV74YUzPKE= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-453-RBdpagMPP_aZRJ8PQN1_jA-1; Tue, 21 Mar 2023 13:59:12 -0400 X-MC-Unique: RBdpagMPP_aZRJ8PQN1_jA-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 407F385530C for ; Tue, 21 Mar 2023 17:59:12 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-0-12.rdu2.redhat.com [10.22.0.12]) by smtp.corp.redhat.com (Postfix) with ESMTP id E73A242C827 for ; Tue, 21 Mar 2023 17:59:11 +0000 (UTC) From: Mark Michelson To: dev@openvswitch.org Date: Tue, 21 Mar 2023 13:59:07 -0400 Message-Id: <20230321175909.3794119-2-mmichels@redhat.com> In-Reply-To: <20230321175909.3794119-1-mmichels@redhat.com> References: <20230321175909.3794119-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn 2/4] northd: Add tiered ACL support. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" With this commit, ACLs can now be arranged in hierarchical tiers. A tier number can be assigned to an ACL. When evaluating ACLs, we first will consider ACLs at tier 0. If no matching ACL is found, then we move to tier 1. This continues until a matching ACL is found, or we reach the maximum tier. If no match is found, then the default acl action is applied. Signed-off-by: Mark Michelson --- northd/northd.c | 96 +++++++++++++++++++------- northd/northd.h | 1 + ovn-nb.ovsschema | 5 +- ovn-nb.xml | 20 ++++++ tests/ovn-northd.at | 162 +++++++++++++++++++++++++++++++++++++++----- tests/system-ovn.at | 107 +++++++++++++++++++++++++++++ 6 files changed, 347 insertions(+), 44 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 6cdeb100d..75d3c869a 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -242,6 +242,7 @@ enum ovn_stage { #define REGBIT_ACL_VERDICT_ALLOW "reg8[16]" #define REGBIT_ACL_VERDICT_DROP "reg8[17]" #define REGBIT_ACL_VERDICT_REJECT "reg8[18]" +#define REG_ACL_TIER "reg8[30..31]" /* Indicate that this packet has been recirculated using egress * loopback. This allows certain checks to be bypassed, such as a @@ -5630,36 +5631,51 @@ ovn_ls_port_group_destroy(struct hmap *nb_pgs) hmap_destroy(nb_pgs); } +static bool +od_set_acl_flags(struct ovn_datapath *od, struct nbrec_acl **acls, + size_t n_acls) +{ + /* A true return indicates that there are no possible ACL flags + * left to set on od. A false return indicates that further ACLs + * should be explored in case more flags need to be set on od + */ + if (!n_acls) { + return false; + } + + od->has_acls = true; + for (size_t i = 0; i < n_acls; i++) { + const struct nbrec_acl *acl = acls[i]; + if (acl->tier > od->max_acl_tier) { + od->max_acl_tier = acl->tier; + } + if (!od->has_stateful_acl && !strcmp(acl->action, "allow-related")) { + od->has_stateful_acl = true; + } + if (od->has_stateful_acl && + od->max_acl_tier == nbrec_acl_col_tier.type.value.integer.max) { + return true; + } + } + + return false; +} + static void ls_get_acl_flags(struct ovn_datapath *od) { od->has_acls = false; od->has_stateful_acl = false; + od->max_acl_tier = 0; - if (od->nbs->n_acls) { - od->has_acls = true; - - for (size_t i = 0; i < od->nbs->n_acls; i++) { - struct nbrec_acl *acl = od->nbs->acls[i]; - if (!strcmp(acl->action, "allow-related")) { - od->has_stateful_acl = true; - return; - } - } + if (od_set_acl_flags(od, od->nbs->acls, od->nbs->n_acls)) { + return; } struct ovn_ls_port_group *ls_pg; HMAP_FOR_EACH (ls_pg, key_node, &od->nb_pgs) { - if (ls_pg->nb_pg->n_acls) { - od->has_acls = true; - - for (size_t i = 0; i < ls_pg->nb_pg->n_acls; i++) { - struct nbrec_acl *acl = ls_pg->nb_pg->acls[i]; - if (!strcmp(acl->action, "allow-related")) { - od->has_stateful_acl = true; - return; - } - } + if (od_set_acl_flags(od, ls_pg->nb_pg->acls, ls_pg->nb_pg->n_acls)) { + return; } } } @@ -6382,10 +6398,19 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, size_t log_verdict_len = actions->length; uint16_t priority = acl->priority + OVN_ACL_PRI_OFFSET; + /* All ACLS will start by matching on their respective tier. */ + size_t match_tier_len = 0; + ds_clear(match); + if (od->max_acl_tier) { + ds_put_format(match, REG_ACL_TIER " == %"PRId64" && ", acl->tier); + match_tier_len = match->length; + } + if (!has_stateful || !strcmp(acl->action, "allow-stateless")) { ds_put_cstr(actions, "next;"); + ds_put_format(match, "(%s)", acl->match); ovn_lflow_add_with_hint(lflows, od, stage, priority, - acl->match, ds_cstr(actions), + ds_cstr(match), ds_cstr(actions), &acl->header_); return; } @@ -6410,7 +6435,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * by ct_commit in the "stateful" stage) to indicate that the * connection should be allowed to resume. */ - ds_clear(match); + ds_truncate(match, match_tier_len); ds_put_format(match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)", acl->match); @@ -6433,7 +6458,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * Commit the connection only if the ACL has a label. This is done * to update the connection tracking entry label in case the ACL * allowing the connection changes. */ - ds_clear(match); + ds_truncate(match, match_tier_len); ds_truncate(actions, log_verdict_len); ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", acl->match); @@ -6454,7 +6479,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * to the connection tracker with ct_commit. */ /* If the packet is not tracked or not part of an established * connection, then we can simply reject/drop it. */ - ds_clear(match); + ds_truncate(match, match_tier_len); ds_put_cstr(match, REGBIT_ACL_HINT_DROP " == 1"); ds_put_format(match, " && (%s)", acl->match); @@ -6474,7 +6499,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * ct_commit() to the "stateful" stage, but since we're * rejecting/dropping the packet, we go ahead and do it here. */ - ds_clear(match); + ds_truncate(match, match_tier_len); ds_put_cstr(match, REGBIT_ACL_HINT_BLOCK " == 1"); ds_put_format(match, " && (%s)", acl->match); @@ -6624,6 +6649,7 @@ static void build_acl_action_lflows(struct ovn_datapath *od, struct hmap *lflows, const char *default_acl_action, const struct shash *meter_groups, + struct ds *match, struct ds *actions) { enum ovn_stage stages [] = { @@ -6636,6 +6662,10 @@ build_acl_action_lflows(struct ovn_datapath *od, struct hmap *lflows, ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW " = 0; " REGBIT_ACL_VERDICT_DROP " = 0; " REGBIT_ACL_VERDICT_REJECT " = 0; "); + if (od->max_acl_tier) { + ds_put_cstr(actions, REG_ACL_TIER " = 0; "); + } + size_t verdict_len = actions->length; for (size_t i = 0; i < ARRAY_SIZE(stages); i++) { @@ -6675,6 +6705,20 @@ build_acl_action_lflows(struct ovn_datapath *od, struct hmap *lflows, ds_truncate(actions, verdict_len); ds_put_cstr(actions, default_acl_action); ovn_lflow_add(lflows, od, stage, 0, "1", ds_cstr(actions)); + + struct ds tier_actions = DS_EMPTY_INITIALIZER; + for (size_t j = 0; j < od->max_acl_tier; j++) { + ds_clear(match); + ds_put_format(match, REG_ACL_TIER " == %"PRIuSIZE, j); + ds_clear(&tier_actions); + ds_put_format(&tier_actions, REG_ACL_TIER " = %"PRIuSIZE"; " + "next(pipeline=%s,table=%"PRIu8");", + j + 1, ingress ? "ingress" : "egress", + ovn_stage_get_table(stage) - 1); + ovn_lflow_add(lflows, od, stage, 500, ds_cstr(match), + ds_cstr(&tier_actions)); + } + ds_destroy(&tier_actions); } } @@ -7038,7 +7082,7 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, } build_acl_action_lflows(od, lflows, default_acl_action, meter_groups, - &actions); + &match, &actions); ds_destroy(&match); ds_destroy(&actions); diff --git a/northd/northd.h b/northd/northd.h index 4d9055296..8e7a89b24 100644 --- a/northd/northd.h +++ b/northd/northd.h @@ -213,6 +213,7 @@ struct ovn_datapath { bool has_lb_vip; bool has_unknown; bool has_acls; + uint64_t max_acl_tier; bool has_vtep_lports; /* IPAM data. */ diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index 4836a219f..f12d39542 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", "version": "7.0.0", - "cksum": "94023179 33468", + "cksum": "3195094080 33650", "tables": { "NB_Global": { "columns": { @@ -272,6 +272,9 @@ "label": {"type": {"key": {"type": "integer", "minInteger": 0, "maxInteger": 4294967295}}}, + "tier": {"type": {"key": {"type": "integer", + "minInteger": 0, + "maxInteger": 3}}}, "options": { "type": {"key": "string", "value": "string", diff --git a/ovn-nb.xml b/ovn-nb.xml index 387185033..105168276 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -2232,6 +2232,26 @@ or + +

    The hierarchical tier that this ACL belongs to.

    + +

    + ACLs can be assigned to numerical tiers. When evaluating ACLs, an + internal counter is used to determine which tier of ACLs should be + evaluated. Tier 0 ACLs are evaluated first. If no verdict can be + determined, then tier 1 ACLs are evaluated next. This continues + until the maximum tier value is reached. If all tiers of ACLs are + evaluated and no verdict is reached, then the option from table + is used to determine how to proceed. +

    + +

    + In this version of OVN, the maximum tier value for ACLs is 3, + meaning there are 4 tiers of ACLs allowed (0-3). +

    + +

    ACLs options. diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 45e2057e5..e30c6adbf 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -2165,10 +2165,10 @@ AT_CAPTURE_FILE([sw1flows]) AT_CHECK( [grep -E 'ls_(in|out)_acl' sw0flows sw1flows | grep pg0 | sort], [0], [dnl -sw0flows: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) -sw0flows: table=8 (ls_in_acl_eval ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg8[[18]] = 1; next;) -sw1flows: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) -sw1flows: table=8 (ls_in_acl_eval ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg8[[18]] = 1; next;) +sw0flows: table=4 (ls_out_acl_eval ), priority=2003 , match=((outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) +sw0flows: table=8 (ls_in_acl_eval ), priority=2002 , match=((inport == @pg0 && ip4 && tcp && tcp.dst == 80)), action=(reg8[[18]] = 1; next;) +sw1flows: table=4 (ls_out_acl_eval ), priority=2003 , match=((outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows: table=8 (ls_in_acl_eval ), priority=2002 , match=((inport == @pg0 && ip4 && tcp && tcp.dst == 80)), action=(reg8[[18]] = 1; next;) ]) AS_BOX([2]) @@ -2181,10 +2181,10 @@ ovn-sbctl dump-flows sw1 > sw1flows2 AT_CAPTURE_FILE([sw1flows2]) AT_CHECK([grep "ls_out_acl" sw0flows2 sw1flows2 | grep pg0 | sort], [0], [dnl -sw0flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg8[[18]] = 1; next;) -sw0flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) -sw1flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg8[[18]] = 1; next;) -sw1flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) +sw0flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=((outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;) +sw0flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=((outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=((outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=((outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) ]) AS_BOX([3]) @@ -7236,7 +7236,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) @@ -7270,7 +7270,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) @@ -7304,7 +7304,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) @@ -7409,7 +7409,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) @@ -7443,7 +7443,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) @@ -7477,7 +7477,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) @@ -7593,7 +7593,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) @@ -7627,7 +7627,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) @@ -7661,7 +7661,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) @@ -8882,3 +8882,131 @@ mac_binding_timestamp: true AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([Tiered ACL logical flows]) +AT_KEYWORDS([acl]) + +ovn_start + +check ovn-nbctl ls-add ls +check ovn-nbctl lsp-add ls lsp +check ovn-nbctl pg-add pg lsp + +m4_define([ACL_FLOWS], [grep -w $1 lflows | grep "$2" | sed 's/table=../table=??/' | sed "s/\($1[[^)]]*\)/$1/" | sort]) + +acl_test() { + direction=$1 + options=$2 + thing=$3 + eval_stage=$4 + action_stage=$5 + eval_stage_table=$6 + + if test "$direction" = "from-lport" ; then + pipeline=ingress + else + pipeline=egress + fi + + # Baseline test. Ensure that no ACL evaluation or tier-related flows are + # installed. + ovn-sbctl lflow-list ls > lflows + AT_CHECK([ACL_FLOWS([$eval_stage], [priority=2000])], [0], []) + + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) + + # Add an untiered ACL. Ensure that the ACL appears in the eval stage, and + # that no tier-related flows appear in the action stage. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.addr == 80.111.111.112" drop + acl1_uuid=$(ovn-nbctl --bare --columns _uuid find ACL priority=1000) + + ovn-sbctl lflow-list ls > lflows + AT_CAPTURE_FILE([lflows]) + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=((ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) + + # Explicitly name the tier on the ACL to be tier 0. This should have no + # effect on the logical flows. + check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=0 + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=((ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) + + # Change the ACL to tier 1. Now we should see the tier as part of the ACL + # match, and we should see a flow in the action stage to bump the tier + # to 1 if there was no match on tier 0. + check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=1 + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=(reg8[[30..31]] == 1 && (ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + + AT_CHECK_UNQUOTED([ACL_FLOWS([$action_stage], [priority=500])], [0], [dnl + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 0), action=(reg8[[30..31]] = 1; next(pipeline=$pipeline,table=$eval_stage_table);) +]) + + # Change the ACL to tier 3. Ensure the tier match on the ACL has been + # updated, and ensure we see three flows present for incrementing the + # tier value in the action stage. + check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=3 + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=(reg8[[30..31]] == 3 && (ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + + AT_CHECK_UNQUOTED([ACL_FLOWS([$action_stage], [priority=500])], [0], [dnl + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 0), action=(reg8[[30..31]] = 1; next(pipeline=$pipeline,table=$eval_stage_table);) + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 1), action=(reg8[[30..31]] = 2; next(pipeline=$pipeline,table=$eval_stage_table);) + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 2), action=(reg8[[30..31]] = 3; next(pipeline=$pipeline,table=$eval_stage_table);) +]) + + # Add an untiered ACL. Ensure that it matches on tier 0, but otherwise, + # nothing else should have changed in the logical flows. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.addr == 83.104.105.116" allow + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=(reg8[[30..31]] == 0 && (ip4.addr == 83.104.105.116)), action=(reg8[[16]] = 1; next;) + table=??($eval_stage), priority=2000 , match=(reg8[[30..31]] == 3 && (ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + + AT_CHECK_UNQUOTED([ACL_FLOWS([$action_stage], [priority=500])], [0], [dnl + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 0), action=(reg8[[30..31]] = 1; next(pipeline=$pipeline,table=$eval_stage_table);) + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 1), action=(reg8[[30..31]] = 2; next(pipeline=$pipeline,table=$eval_stage_table);) + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 2), action=(reg8[[30..31]] = 3; next(pipeline=$pipeline,table=$eval_stage_table);) +]) + + # Remove the tier 3 ACL. The remaining ACL is untiered, and there are no + # other tiered ACLs. So we should go back to not checking the tier + # number in the ACL match, and there should be no tier-related flows + # in the action stage. + check ovn-nbctl --wait=sb acl-del $thing $direction 1000 "ip4.addr == 80.111.111.112" + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=((ip4.addr == 83.104.105.116)), action=(reg8[[16]] = 1; next;) +]) + + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) + + check ovn-nbctl --wait=sb acl-del $thing + ovn-sbctl lflow-list ls > lflows + + AT_CHECK([ACL_FLOWS([$eval_stage], [priority=2000])], [0], []) + + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) +} + +acl_test from-lport "" ls ls_in_acl_eval ls_in_acl_action 8 +acl_test from-lport "--apply-after-lb" ls ls_in_acl_after_lb_eval ls_in_acl_after_lb_action 18 +acl_test to-lport "" ls ls_out_acl_eval ls_out_acl_action 4 +acl_test from-lport "" pg ls_in_acl_eval ls_in_acl_action 8 +acl_test from-lport "--apply-after-lb" pg ls_in_acl_after_lb_eval ls_in_acl_after_lb_action 18 +acl_test to-lport "" pg ls_out_acl_eval ls_out_acl_action 4 + +AT_CLEANUP +]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 5e593461a..0fde7244e 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -10714,3 +10714,110 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d /connection dropped.*/d"]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([Tiered ACLs]) +AT_KEYWORDS([acl]) + +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +# Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +# Start ovn-controller +start_daemon ovn-controller + +check ovn-nbctl ls-add ls +check ovn-nbctl lsp-add ls lsp1 -- lsp-set-addresses lsp1 "00:00:00:00:00:01 10.0.0.1" +check ovn-nbctl lsp-add ls lsp2 -- lsp-set-addresses lsp2 "00:00:00:00:00:02 10.0.0.2" + +check ovn-nbctl pg-add pg lsp1 lsp2 + +ADD_NAMESPACES(lsp1) +ADD_VETH(lsp1, lsp1, br-int, "10.0.0.1/24", "00:00:00:00:00:01") +ADD_NAMESPACES(lsp2) +ADD_VETH(lsp2, lsp2, br-int, "10.0.0.2/24", "00:00:00:00:00:02") + +m4_define([PING_PCT], [grep -o "[[0-9]]\{1,3\}% packet loss"]) + +acl_test() { + direction=$1 + options=$2 + thing=$3 + + # First a baseline. If traffic isn't being allowed, then something is + # very wrong. + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) + # Add an untiered drop ACL. This should cause pings to fail. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" drop + acl1_uuid=$(ovn-nbctl --bare --columns _uuid find ACL priority=1000) + + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Change the tier to 3. Despite there being "holes" in tiers 0, 1, and 2, + # the ACL should still apply, and pings should fail. + check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=3 + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Add a tier-0 ACL that allows the traffic. The priority is only 4, but + # since it is a higher tier, the traffic should be allowed. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 4 "ip4.dst == 10.0.0.2" allow + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) + + # Removing the 0-tier ACL should make traffic go back to being dropped. + check ovn-nbctl --wait=sb acl-del $thing $direction 4 "ip4.dst == 10.0.0.2" + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Removing all ACLs should make traffic go back to passing. + check ovn-nbctl --wait=sb acl-del $thing + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) +} + +acl_test from-lport "" ls +acl_test from-lport "--apply-after-lb" ls +acl_test to-lport "" ls +acl_test from-lport "" pg +acl_test from-lport "--apply-after-lb" pg +acl_test to-lport "" pg + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) +AT_CLEANUP +]) From patchwork Tue Mar 21 17:59:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1759537 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=NBILNRWi; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4PgzrV1wpBz247m for ; Wed, 22 Mar 2023 04:59:22 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id F271F40C1E; Tue, 21 Mar 2023 17:59:19 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org F271F40C1E Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=NBILNRWi X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZeenIiAXUox; Tue, 21 Mar 2023 17:59:18 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id CE43940496; Tue, 21 Mar 2023 17:59:17 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org CE43940496 Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 9F738C0071; Tue, 21 Mar 2023 17:59:17 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id CDA8CC0032 for ; Tue, 21 Mar 2023 17:59:16 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 9C1E681E3E for ; Tue, 21 Mar 2023 17:59:16 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9C1E681E3E Authentication-Results: smtp1.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=NBILNRWi X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QrgYKpxB2fyR for ; Tue, 21 Mar 2023 17:59:15 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9416181E2D Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id 9416181E2D for ; Tue, 21 Mar 2023 17:59:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1679421554; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9q+TTKsLXeN9oCkH0DAaBoYGpKJ1wG6Xg6rzbaQWjmc=; b=NBILNRWia13cPNjRVJSLCuLu/aKTQQK9GsdKIy0pNmLjargTkocHN01lTQWuC12/Ebf3Mq v+UZdfr1jyMj3glDHE9Loo1QHY0/LqmenqJ3V17wCDIWYgXlbkvRr4VerX2rmT6jMiZ0X7 K+HVVuK9oefHVcpZObp9qmfTTVwqo80= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-524-16qumCOlMAOJDlHgQyqeGw-1; Tue, 21 Mar 2023 13:59:13 -0400 X-MC-Unique: 16qumCOlMAOJDlHgQyqeGw-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C6AE1185A790 for ; Tue, 21 Mar 2023 17:59:12 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-0-12.rdu2.redhat.com [10.22.0.12]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7378B4619F5 for ; Tue, 21 Mar 2023 17:59:12 +0000 (UTC) From: Mark Michelson To: dev@openvswitch.org Date: Tue, 21 Mar 2023 13:59:08 -0400 Message-Id: <20230321175909.3794119-3-mmichels@redhat.com> In-Reply-To: <20230321175909.3794119-1-mmichels@redhat.com> References: <20230321175909.3794119-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn 3/4] ovn-nbctl: Add tier ACL options. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This modifies the acl-add and acl-del commands so that an ACL tier can be specified when adding or deleting ACLs. For acl-add, if the tier is specified, then the ACL created by the command will have that tier set. For acl-del, if the tier is specified, then the tier will be one of the criteria used when deciding which ACLs to delete. Because the tier is not any more or less specific than the other criteria used for deleting ACLs, a bitmap approach is used to determine the final set of ACLs that should be deleted. Signed-off-by: Mark Michelson --- tests/ovn-nbctl.at | 81 ++++++++++++++++++++++++++ utilities/ovn-nbctl.c | 131 +++++++++++++++++++++++++++++------------- 2 files changed, 172 insertions(+), 40 deletions(-) diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 2fffe1850..d21554f2b 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -2590,6 +2590,87 @@ ovn-nbctl: no row "foo1" in table Logical_Switch dnl --------------------------------------------------------------------- +OVN_NBCTL_TEST([acl_tiers], [ACL tier operations], [ +check ovn-nbctl ls-add ls +#check ovn-nbctl acl-add ls from-lport 1000 "ip" drop +#check_column 0 nb:ACL tier priority=1000 +# +#check ovn-nbctl acl-del ls +check ovn-nbctl --tier=3 acl-add ls from-lport 1000 "ip" drop +check_column 3 nb:ACL tier priority=1000 + +check ovn-nbctl --tier=3 acl-add ls from-lport 1001 "ip" drop +check_column 3 nb:ACL tier priority=1001 + +check ovn-nbctl --tier=2 acl-add ls from-lport 1002 "ip" drop +check_column 2 nb:ACL tier priority=1002 + +# Removing the tier 3 acls from ls should result in 1 ACL +# remaining. +check ovn-nbctl --tier=3 acl-del ls +check_row_count nb:ACL 1 +check_column 2 nb:ACL tier priority=1002 + +# Add two egress ACLs at tier 2. +check ovn-nbctl --tier=2 acl-add ls to-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls to-lport 1001 "ip" drop + +check_row_count nb:ACL 3 tier=2 + +# This should remove the egress tier 2 ACLs and leave the +# ingress tier 2 ACL +check ovn-nbctl --tier=2 acl-del ls to-lport +check_row_count nb:ACL 1 +check_column 2 nb:ACL tier priority=1002 +check_column from-lport nb:ACL direction priority=1002 + +# Re-add two ingress ACLs at tier 2. +check ovn-nbctl --tier=2 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls from-lport 1001 "ip" drop + +check_row_count nb:ACL 3 + +# Attempt to remove all tier 3 ACLs. All three ACLs are tier 2 +# so this shouldn't have any effect. +check ovn-nbctl --tier=3 acl-del ls +check_row_count nb:ACL 3 + +# Attempt to remove all ingress tier 3 ACLs. All three ACLs are tier +# 2, so this shouldn't have any effect. +check ovn-nbctl --tier=3 acl-del ls from-lport +check_row_count nb:ACL 3 + +# Attempt to remove the 1000 priority ACL but specify tier 3. Since +# all ACLs are tier 2, this should have no effect. +check ovn-nbctl --tier=3 acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 3 + +# Specifying the proper tier should result in all ACLs being deleted. +check ovn-nbctl --tier=2 acl-del ls +check_row_count nb:ACL 0 + +# Now let's experiment with identical ACLs at different tiers. +check ovn-nbctl --tier=1 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=3 acl-add ls from-lport 1000 "ip" drop +check_row_count nb:ACL 3 +check_row_count nb:ACL 1 tier=1 +check_row_count nb:ACL 1 tier=2 +check_row_count nb:ACL 1 tier=3 + +# Specifying tier 1 should result in only one ACL being deleted. +check ovn-nbctl --tier=1 acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 2 +check_row_count nb:ACL 1 tier=2 +check_row_count nb:ACL 1 tier=3 + +# Not specifying a tier should result in all ACLs being deleted. +check ovn-nbctl acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 0 +]) + +dnl --------------------------------------------------------------------- + AT_SETUP([ovn-nbctl - daemon retry connection]) OVN_NBCTL_TEST_START daemon AT_CHECK([kill `cat ovsdb-server.pid`]) diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 45572fd30..d41ff9ad1 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -48,6 +48,7 @@ #include "unixctl.h" #include "util.h" #include "openvswitch/vlog.h" +#include "bitmap.h" VLOG_DEFINE_THIS_MODULE(nbctl); @@ -2100,6 +2101,8 @@ acl_cmp(const void *acl1_, const void *acl2_) return after_lb2 ? -1 : 1; } else if (acl1->priority != acl2->priority) { return acl1->priority > acl2->priority ? -1 : 1; + } else if (acl1->tier != acl2->tier) { + return acl1->tier > acl2->tier ? -1 : 1; } else { return strcmp(acl1->match, acl2->match); } @@ -2283,6 +2286,7 @@ nbctl_pre_acl(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_priority); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_match); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_tier); } static void @@ -2390,6 +2394,16 @@ nbctl_acl_add(struct ctl_context *ctx) nbrec_acl_set_options(acl, &options); } + const char *tier_s = shash_find_data(&ctx->options, "--tier"); + if (tier_s) { + int64_t tier; + if (!str_to_long(tier_s, 10, &tier)) { + ctl_error(ctx, "Invalid tier %s", tier_s); + return; + } + nbrec_acl_set_tier(acl, tier); + } + /* Check if same acl already exists for the ls/portgroup */ size_t n_acls = pg ? pg->n_acls : ls->n_acls; struct nbrec_acl **acls = pg ? pg->acls : ls->acls; @@ -2418,6 +2432,10 @@ nbctl_acl_del(struct ctl_context *ctx) { const struct nbrec_logical_switch *ls = NULL; const struct nbrec_port_group *pg = NULL; + const char *tier_s = shash_find_data(&ctx->options, "--tier"); + int64_t tier; + unsigned long *bitmaps[3]; + size_t n_bitmaps = 0; char *error = acl_cmd_get_pg_or_ls(ctx, &ls, &pg); if (error) { @@ -2425,8 +2443,13 @@ nbctl_acl_del(struct ctl_context *ctx) return; } - if (ctx->argc == 2) { - /* If direction, priority, and match are not specified, delete + if (tier_s && !str_to_long(tier_s, 10, &tier)) { + ctl_error(ctx, "Invalid tier %s", tier_s); + return; + } + + if (ctx->argc == 2 && !tier_s) { + /* If direction, priority, tier, and match are not specified, delete * all ACLs. */ if (pg) { nbrec_port_group_verify_acls(pg); @@ -2438,55 +2461,83 @@ nbctl_acl_del(struct ctl_context *ctx) return; } - const char *direction; - error = parse_direction(ctx->argv[2], &direction); - if (error) { - ctx->error = error; - return; - } - size_t n_acls = pg ? pg->n_acls : ls->n_acls; struct nbrec_acl **acls = pg ? pg->acls : ls->acls; - /* If priority and match are not specified, delete all ACLs with the - * specified direction. */ - if (ctx->argc == 3) { + + if (tier_s) { + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); for (size_t i = 0; i < n_acls; i++) { - if (!strcmp(direction, acls[i]->direction)) { - if (pg) { - nbrec_port_group_update_acls_delvalue(pg, acls[i]); - } else { - nbrec_logical_switch_update_acls_delvalue(ls, acls[i]); - } + if (acls[i]->tier == tier) { + bitmap_set1(bitmaps[n_bitmaps], i); } } - return; + n_bitmaps++; } - int64_t priority; - error = parse_priority(ctx->argv[3], &priority); - if (error) { - ctx->error = error; - return; - } + if (ctx->argc >= 3) { + const char *direction; + error = parse_direction(ctx->argv[2], &direction); + if (error) { + ctx->error = error; + goto cleanup; + } - if (ctx->argc == 4) { - ctl_error(ctx, "cannot specify priority without match"); - return; + /* If priority and match are not specified, delete all ACLs with the + * specified direction. */ + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); + for (size_t i = 0; i < n_acls; i++) { + if (!strcmp(direction, acls[i]->direction)) { + bitmap_set1(bitmaps[n_bitmaps], i); + } + } + n_bitmaps++; } - /* Remove the matching rule. */ - for (size_t i = 0; i < n_acls; i++) { - struct nbrec_acl *acl = acls[i]; + if (ctx->argc >= 4) { + int64_t priority; + error = parse_priority(ctx->argv[3], &priority); + if (error) { + ctx->error = error; + goto cleanup; + } - if (priority == acl->priority && !strcmp(ctx->argv[4], acl->match) && - !strcmp(direction, acl->direction)) { - if (pg) { - nbrec_port_group_update_acls_delvalue(pg, acl); - } else { - nbrec_logical_switch_update_acls_delvalue(ls, acl); + if (ctx->argc == 4) { + ctl_error(ctx, "cannot specify priority without match"); + goto cleanup; + } + + /* Remove the matching rule. */ + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); + for (size_t i = 0; i < n_acls; i++) { + struct nbrec_acl *acl = acls[i]; + + if (priority == acl->priority && + !strcmp(ctx->argv[4], acl->match)) { + bitmap_set1(bitmaps[n_bitmaps], i); } - return; } + n_bitmaps++; + } + + unsigned long *bitmap_result = bitmap_allocate1(n_acls); + for (size_t i = 0; i < n_bitmaps; i++) { + bitmap_result = bitmap_and(bitmap_result, bitmaps[i], n_acls); + } + + size_t index; + BITMAP_FOR_EACH_1 (index, n_acls, bitmap_result) { + if (pg) { + nbrec_port_group_update_acls_delvalue(pg, acls[index]); + } else { + nbrec_logical_switch_update_acls_delvalue(ls, acls[index]); + } + } + + free(bitmap_result); + +cleanup: + for (size_t i = 0; i < n_bitmaps; i++) { + free(bitmaps[i]); } } @@ -7658,9 +7709,9 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", nbctl_pre_acl, nbctl_acl_add, NULL, "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=," - "--apply-after-lb", RW }, + "--apply-after-lb,--tier=", RW }, { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", - nbctl_pre_acl, nbctl_acl_del, NULL, "--type=", RW }, + nbctl_pre_acl, nbctl_acl_del, NULL, "--type=,--tier=", RW }, { "acl-list", 1, 1, "{SWITCH | PORTGROUP}", nbctl_pre_acl_list, nbctl_acl_list, NULL, "--type=", RO }, From patchwork Tue Mar 21 17:59:09 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1759539 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Y/yjXOT6; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Pgzrh3qPQz247m for ; Wed, 22 Mar 2023 04:59:32 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id F129640C23; Tue, 21 Mar 2023 17:59:29 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org F129640C23 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Y/yjXOT6 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ShOnmZU5eBgv; Tue, 21 Mar 2023 17:59:26 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp2.osuosl.org (Postfix) with ESMTPS id 66EAB4102E; Tue, 21 Mar 2023 17:59:22 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 66EAB4102E Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 7EDA9C008D; Tue, 21 Mar 2023 17:59:21 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 409C9C0032 for ; Tue, 21 Mar 2023 17:59:18 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id BB6BD41877 for ; Tue, 21 Mar 2023 17:59:17 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org BB6BD41877 Authentication-Results: smtp4.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Y/yjXOT6 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aItBUm9cKE8L for ; Tue, 21 Mar 2023 17:59:16 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org F30024187C Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp4.osuosl.org (Postfix) with ESMTPS id F30024187C for ; Tue, 21 Mar 2023 17:59:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1679421554; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BvMjwHT41RUZM2s6/x90uukbSfHTMUKiCz5kG0vvsfA=; b=Y/yjXOT6JPYWDpGTFsk5KOErlGC3n6dQvRhUnfIEv1mxiezm+wrh1Lk86GKyeo5A2Xq2FO apz8MRSxiqsi0iM7a4VS/fdmeqkMTV1/FGjyNmZhnCuMkmnnbkYOcSdxMihbjryGVL1Su9 8l+A6pdidieeFAZcS3i2HrgyJMjNqoU= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-257-qFqzurZZNbGRNOMk3dVyXQ-1; Tue, 21 Mar 2023 13:59:13 -0400 X-MC-Unique: qFqzurZZNbGRNOMk3dVyXQ-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6845B185A7A2 for ; Tue, 21 Mar 2023 17:59:13 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-0-12.rdu2.redhat.com [10.22.0.12]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0B2934619F5 for ; Tue, 21 Mar 2023 17:59:12 +0000 (UTC) From: Mark Michelson To: dev@openvswitch.org Date: Tue, 21 Mar 2023 13:59:09 -0400 Message-Id: <20230321175909.3794119-4-mmichels@redhat.com> In-Reply-To: <20230321175909.3794119-1-mmichels@redhat.com> References: <20230321175909.3794119-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn 4/4] acls: Add "pass" ACL action. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This allows for evaluating ACLs at the current tier to stop, and to start evaluating ACLs at the next tier. If not using tiers, or if we match on the final ACL tier, then a "pass" verdict results in the default ACL action being applied. Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134138 Signed-off-by: Mark Michelson --- northd/northd.c | 9 ++++++++- ovn-nb.ovsschema | 4 ++-- ovn-nb.xml | 10 ++++++++++ tests/ovn-northd.at | 46 +++++++++++++++++++++++++++++++++++++++++++ tests/system-ovn.at | 41 ++++++++++++++++++++++++++++++++++---- utilities/ovn-nbctl.c | 2 +- 6 files changed, 104 insertions(+), 8 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 75d3c869a..5043d2383 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -6345,6 +6345,8 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl, ds_put_cstr(actions, "verdict=drop, "); } else if (!strcmp(acl->action, "reject")) { ds_put_cstr(actions, "verdict=reject, "); + } else if (!strcmp(acl->action, "pass")) { + ds_put_cstr(actions, "verdict=pass, "); } else if (!strcmp(acl->action, "allow") || !strcmp(acl->action, "allow-related") || !strcmp(acl->action, "allow-stateless")) { @@ -6381,12 +6383,15 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, static const char *allow = REGBIT_ACL_VERDICT_ALLOW " = 1; "; static const char *drop = REGBIT_ACL_VERDICT_DROP " = 1; "; static const char *reject = REGBIT_ACL_VERDICT_REJECT " = 1; "; + static const char *pass = ""; const char *verdict; if (!strcmp(acl->action, "drop")) { verdict = drop; } else if (!strcmp(acl->action, "reject")) { verdict = reject; + } else if (!strcmp(acl->action, "pass")) { + verdict = pass; } else { verdict = allow; } @@ -6406,7 +6411,9 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, match_tier_len = match->length; } - if (!has_stateful || !strcmp(acl->action, "allow-stateless")) { + if (!has_stateful + || !strcmp(acl->action, "pass") + || !strcmp(acl->action, "allow-stateless")) { ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); ovn_lflow_add_with_hint(lflows, od, stage, priority, diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index f12d39542..e713cce46 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", "version": "7.0.0", - "cksum": "3195094080 33650", + "cksum": "2504399077 33658", "tables": { "NB_Global": { "columns": { @@ -260,7 +260,7 @@ "enum": ["set", ["allow", "allow-related", "allow-stateless", "drop", - "reject"]]}}}, + "reject", "pass"]]}}}, "log": {"type": "boolean"}, "severity": {"type": {"key": {"type": "string", "enum": ["set", diff --git a/ovn-nb.xml b/ovn-nb.xml index 105168276..705895fa5 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -2229,6 +2229,16 @@ or ICMPv4/ICMPv6 unreachable message for other IPv4/IPv6-based protocols. + +

  • + pass: Pass to the next ACL tier. If using multiple ACL + tiers, a match on this ACL will stop evaluating ACLs at the current + tier and move to the next one. If not using ACL tiers or if a + pass ACL is matched at the final tier, then the + + option from the table is used to + determine how to proceed. +
    • diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index e30c6adbf..abc923d34 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -9010,3 +9010,49 @@ acl_test to-lport "" pg ls_out_acl_eval ls_out_acl_action 4 AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL "pass" logical flows]) +AT_KEYWORDS([acl]) + +ovn_start +check ovn-nbctl ls-add ls +check ovn-nbctl lsp-add ls lsp +check ovn-nbctl pg-add pg lsp + +m4_define([ACL_FLOWS], [grep -w $1 lflows | grep "$2" | sed 's/table=../table=??/' | sed "s/\($1[[^)]]*\)/$1/" | sort]) + +acl_test() { + direction=$1 + options=$2 + thing=$3 + eval_stage=$4 + + # Baseline. Ensure no ACL eval flows are present. + ovn-sbctl lflow-list ls > lflows + AT_CHECK([ACL_FLOWS([$eval_stage], [priority=2000])], [0], []) + + # Add an ACL with the "pass" verdict. Ensure that it is in the logical flow + # table and that it simply moves to the next table without setting a specific + # verdict bit. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.addr == 80.111.111.112" pass + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=((ip4.addr == 80.111.111.112)), action=(next;) +]) + + # Remove the ACL with the "pass" verdict. Ensure that no eval flows are present. + check ovn-nbctl acl-del $thing + ovn-sbctl lflow-list ls > lflows + AT_CHECK([ACL_FLOWS([$eval_stage], [priority=2000])], [0], []) +} + +acl_test from-lport "" ls ls_in_acl_eval +acl_test from-lport "--apply-after-lb" ls ls_in_acl_after_lb_eval +acl_test to-lport "" ls ls_out_acl_eval +acl_test from-lport "" pg ls_in_acl_eval +acl_test from-lport "--apply-after-lb" pg ls_in_acl_after_lb_eval +acl_test to-lport "" pg ls_out_acl_eval + +AT_CLEANUP +]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 0fde7244e..e31598112 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -10761,7 +10761,6 @@ acl_test() { # Add an untiered drop ACL. This should cause pings to fail. check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" drop acl1_uuid=$(ovn-nbctl --bare --columns _uuid find ACL priority=1000) - NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 100% packet loss @@ -10777,20 +10776,54 @@ acl_test() { # Add a tier-0 ACL that allows the traffic. The priority is only 4, but # since it is a higher tier, the traffic should be allowed. - check ovn-nbctl --wait=sb $options acl-add $thing $direction 4 "ip4.dst == 10.0.0.2" allow + check ovn-nbctl --wait=hv $options acl-add $thing $direction 4 "ip4.dst == 10.0.0.2" allow + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) + + # Add a higher-priority tier-0 ACL that passes. This should cause the traffic + # to pass over the lower-priority tier-0 "allow" ACL, and move to the tier-3 + # ACL that drops the traffic. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" pass + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Remove the "pass" ACL, and the "allow" rule should kick back in. + check ovn-nbctl --wait=sb --tier=0 acl-del $thing $direction 1000 "ip4.dst == 10.0.0.2" NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 0% packet loss ]) - # Removing the 0-tier ACL should make traffic go back to being dropped. + # Removing the remaining 0-tier ACL should make traffic go back to being dropped. check ovn-nbctl --wait=sb acl-del $thing $direction 4 "ip4.dst == 10.0.0.2" NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 100% packet loss ]) - # Removing all ACLs should make traffic go back to passing. + # Adding a higher-priority "pass" ACL at tier 3 should result in using the + # default ACL action. Currently, the default is to allow traffic, so the + # traffic should be allowed. + check ovn-nbctl --wait=sb --tier=3 $options acl-add $thing $direction 2000 "ip4.dst == 10.0.0.2" pass + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) + + # Change the default ACL action to drop, and now the traffic should be dropped. + check ovn-nbctl set NB_Global . options:default_acl_drop=true + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Removing all ACLs (and setting the default acl drop back to false) should + # make traffic go back to passing. + check ovn-nbctl clear NB_Global . options check ovn-nbctl --wait=sb acl-del $thing NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index d41ff9ad1..91fe197f9 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2332,7 +2332,7 @@ nbctl_acl_add(struct ctl_context *ctx) /* Validate action. */ if (strcmp(action, "allow") && strcmp(action, "allow-related") && strcmp(action, "allow-stateless") && strcmp(action, "drop") - && strcmp(action, "reject")) { + && strcmp(action, "reject") && strcmp(action, "pass")) { ctl_error(ctx, "%s: action must be one of \"allow\", " "\"allow-related\", \"allow-stateless\", \"drop\", " "and \"reject\"", action);