From patchwork Thu May 18 18:48:39 2023
X-Patchwork-Submitter: Mark Michelson
X-Patchwork-Id: 1783481
From: Mark Michelson
To: dev@openvswitch.org
Date: Thu, 18 May 2023 14:48:39 -0400
Message-Id: <20230518184842.1681582-1-mmichels@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 1/4] northd: Break ACLs into two stages.

Prior to this commit, ACLs were evaluated and acted on in a single stage.
With this commit, evaluation of ACLs and acting on an ACL's decision are
separated into two stages. The acl_eval stage checks the ACL match and will
set a bit to indicate the verdict of the ACL. The acl_action stage then
checks the relevant bits to determine how to proceed. If no ACLs are
matched, then the default ACL action is taken.

A couple of notes about updated tests:
- For test cases where I just had to increment a table number, I changed
  the check so the table numbers are masked. This should prevent similar
  changes from being needed later.
- The port security test changes may seem odd. The issue here is that the
  ls_out_apply_port_sec table number changed from 9 to 10. This means that
  this table's flows now sort to a lower position than before. This is why
  the check had to change for this test.

Signed-off-by: Mark Michelson
Reviewed-by: Ales Musil
---
 northd/northd.c         |  669 +++++++++++----------
 northd/ovn-northd.8.xml |  312 ++++++----
 tests/ovn-controller.at |  144 ++---
 tests/ovn-northd.at     | 1254 ++++++++++++++++++++++----------------
 tests/ovn.at            |  114 ++--
 tests/system-ovn.at     |    2 +-
 6 files changed, 1399 insertions(+), 1096 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 2f96d15a4..c7969e0ba 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -122,37 +122,42 @@ enum ovn_stage { PIPELINE_STAGE(SWITCH, IN, PRE_LB, 5, "ls_in_pre_lb") \ PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 6, "ls_in_pre_stateful") \ PIPELINE_STAGE(SWITCH, IN, ACL_HINT, 7, "ls_in_acl_hint") \ - PIPELINE_STAGE(SWITCH, IN, ACL, 8, "ls_in_acl") \ - PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 9, "ls_in_qos_mark") \ - PIPELINE_STAGE(SWITCH, IN, QOS_METER, 10, "ls_in_qos_meter") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 11, "ls_in_lb_aff_check") \ - PIPELINE_STAGE(SWITCH, IN, LB, 12, "ls_in_lb") \ - PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 13, "ls_in_lb_aff_learn") \ - PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 14, "ls_in_pre_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 15, "ls_in_nat_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 16, "ls_in_hairpin") \ - PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB, 17, "ls_in_acl_after_lb") \ - PIPELINE_STAGE(SWITCH, IN, STATEFUL, 18, "ls_in_stateful") \ - PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 19, "ls_in_arp_rsp") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 20, "ls_in_dhcp_options") \ - PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 21, "ls_in_dhcp_response") \ - PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 22, "ls_in_dns_lookup") \ - PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 23, "ls_in_dns_response") \ - PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 24, "ls_in_external_port") \ - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 25, "ls_in_l2_lkup") \ - PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 26, "ls_in_l2_unknown") \ + PIPELINE_STAGE(SWITCH, IN, ACL_EVAL, 8, "ls_in_acl_eval") \ + PIPELINE_STAGE(SWITCH, IN, ACL_ACTION, 9, "ls_in_acl_action") \ + PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 10, "ls_in_qos_mark") \ + PIPELINE_STAGE(SWITCH, IN, QOS_METER, 11, "ls_in_qos_meter") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_CHECK, 12, "ls_in_lb_aff_check") \ + PIPELINE_STAGE(SWITCH, IN, LB, 13, "ls_in_lb") \ + PIPELINE_STAGE(SWITCH, IN, LB_AFF_LEARN, 14, "ls_in_lb_aff_learn") \ + PIPELINE_STAGE(SWITCH, IN, PRE_HAIRPIN, 15, "ls_in_pre_hairpin") \ + 
PIPELINE_STAGE(SWITCH, IN, NAT_HAIRPIN, 16, "ls_in_nat_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, HAIRPIN, 17, "ls_in_hairpin") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_EVAL, 18, \ + "ls_in_acl_after_lb_eval") \ + PIPELINE_STAGE(SWITCH, IN, ACL_AFTER_LB_ACTION, 19, \ + "ls_in_acl_after_lb_action") \ + PIPELINE_STAGE(SWITCH, IN, STATEFUL, 20, "ls_in_stateful") \ + PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 21, "ls_in_arp_rsp") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 22, "ls_in_dhcp_options") \ + PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 23, "ls_in_dhcp_response") \ + PIPELINE_STAGE(SWITCH, IN, DNS_LOOKUP, 24, "ls_in_dns_lookup") \ + PIPELINE_STAGE(SWITCH, IN, DNS_RESPONSE, 25, "ls_in_dns_response") \ + PIPELINE_STAGE(SWITCH, IN, EXTERNAL_PORT, 26, "ls_in_external_port") \ + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 27, "ls_in_l2_lkup") \ + PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 28, "ls_in_l2_unknown") \ \ /* Logical switch egress stages. */ \ PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \ PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 1, "ls_out_pre_lb") \ PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \ PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 3, "ls_out_acl_hint") \ - PIPELINE_STAGE(SWITCH, OUT, ACL, 4, "ls_out_acl") \ - PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 5, "ls_out_qos_mark") \ - PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 6, "ls_out_qos_meter") \ - PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 7, "ls_out_stateful") \ - PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 8, "ls_out_check_port_sec") \ - PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 9, "ls_out_apply_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_EVAL, 4, "ls_out_acl_eval") \ + PIPELINE_STAGE(SWITCH, OUT, ACL_ACTION, 5, "ls_out_acl_action") \ + PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 6, "ls_out_qos_mark") \ + PIPELINE_STAGE(SWITCH, OUT, QOS_METER, 7, "ls_out_qos_meter") \ + PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 8, "ls_out_stateful") \ + PIPELINE_STAGE(SWITCH, OUT, CHECK_PORT_SEC, 9, 
"ls_out_check_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, APPLY_PORT_SEC, 10, "ls_out_apply_port_sec") \ \ /* Logical router ingress stages. */ \ PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ @@ -236,6 +241,11 @@ enum ovn_stage { #define REG_LB_AFF_BACKEND_IP4 "reg4" #define REG_LB_AFF_MATCH_PORT "reg8[0..15]" +/* Registers for ACL evaluation */ +#define REGBIT_ACL_VERDICT_ALLOW "reg8[16]" +#define REGBIT_ACL_VERDICT_DROP "reg8[17]" +#define REGBIT_ACL_VERDICT_REJECT "reg8[18]" + /* Indicate that this packet has been recirculated using egress * loopback. This allows certain checks to be bypassed, such as a * logical router dropping packets with source IP address equals 
@@ -6364,54 +6374,11 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl, ds_put_cstr(actions, "); "); } -static void -build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, - enum ovn_stage stage, struct nbrec_acl *acl, - struct ds *extra_match, struct ds *extra_actions, - const struct ovsdb_idl_row *stage_hint, - const struct shash *meter_groups) -{ - struct ds match = DS_EMPTY_INITIALIZER; - struct ds actions = DS_EMPTY_INITIALIZER; - bool ingress = (ovn_stage_get_pipeline(stage) == P_IN); - - char *next_action = - xasprintf("next(pipeline=%s,table=%d);", - ingress ? "egress": "ingress", - ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS_MARK) - : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); - - build_acl_log(&actions, acl, meter_groups); - if (extra_match->length > 0) { - ds_put_format(&match, "(%s) && ", extra_match->string); - } - ds_put_cstr(&match, acl->match); - - if (extra_actions->length > 0) { - ds_put_format(&actions, "%s ", extra_actions->string); - } - - ds_put_format(&actions, "reg0 = 0; " - "reject { " - "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " - "outport <-> inport; %s };", next_action); - ovn_lflow_add_with_hint__(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(&match), ds_cstr(&actions), NULL, - copp_meter_get(COPP_REJECT, od->nbs->copp, - meter_groups), - stage_hint); - - free(next_action); - ds_destroy(&match); - ds_destroy(&actions); -} - static void consider_acl(struct hmap *lflows, struct ovn_datapath *od, - struct nbrec_acl *acl, bool has_stateful, bool ct_masked_mark, - const struct shash *meter_groups, struct ds *match, - struct ds *actions) + const struct nbrec_acl *acl, bool has_stateful, + bool ct_masked_mark, const struct shash *meter_groups, + struct ds *match, struct ds *actions) { const char *ct_blocked_match = ct_masked_mark ? "ct_mark.blocked" 
@@ -6420,210 +6387,131 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, enum ovn_stage stage; if (ingress && smap_get_bool(&acl->options, "apply-after-lb", false)) { - stage = S_SWITCH_IN_ACL_AFTER_LB; + stage = S_SWITCH_IN_ACL_AFTER_LB_EVAL; } else if (ingress) { - stage = S_SWITCH_IN_ACL; + stage = S_SWITCH_IN_ACL_EVAL; } else { - stage = S_SWITCH_OUT_ACL; + stage = S_SWITCH_OUT_ACL_EVAL; } - if (!strcmp(acl->action, "allow-stateless")) { - ds_clear(actions); - build_acl_log(actions, acl, meter_groups); + const char *verdict; + if (!strcmp(acl->action, "drop")) { + verdict = REGBIT_ACL_VERDICT_DROP " = 1; "; + } else if (!strcmp(acl->action, "reject")) { + verdict = REGBIT_ACL_VERDICT_REJECT " = 1; "; + } else { + verdict = REGBIT_ACL_VERDICT_ALLOW " = 1; "; + } + + ds_clear(actions); + /* All ACLs will have the same actions as a basis. */ + build_acl_log(actions, acl, meter_groups); + ds_put_cstr(actions, verdict); + size_t log_verdict_len = actions->length; + uint16_t priority = acl->priority + OVN_ACL_PRI_OFFSET; + + if (!has_stateful || !strcmp(acl->action, "allow-stateless")) { ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, + ovn_lflow_add_with_hint(lflows, od, stage, priority, acl->match, ds_cstr(actions), &acl->header_); - } else if (!strcmp(acl->action, "allow") + return; + } + + if (!strcmp(acl->action, "allow") || !strcmp(acl->action, "allow-related")) { /* If there are any stateful flows, we must even commit "allow" * actions. This is because, while the initiater's * direction may not have any stateful rules, the server's * may and then its return traffic would not have an * associated conntrack entry and would return "+invalid". 
*/ - if (!has_stateful) { - ds_clear(actions); - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, ds_cstr(actions), - &acl->header_); - } else { - /* Commit the connection tracking entry if it's a new - * connection that matches this ACL. After this commit, - * the reply traffic is allowed by a flow we create at - * priority 65535, defined earlier. - * - * It's also possible that a known connection was marked for - * deletion after a policy was deleted, but the policy was - * re-added while that connection is still known. We catch - * that case here and un-set ct_mark.blocked (which will be done - * by ct_commit in the "stateful" stage) to indicate that the - * connection should be allowed to resume. - */ - ds_clear(match); - ds_clear(actions); - ds_put_format(match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)", - acl->match); - ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - if (acl->label) { - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); - } - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(match), - ds_cstr(actions), - &acl->header_); - - /* Match on traffic in the request direction for an established - * connection tracking entry that has not been marked for - * deletion. We use this to ensure that this - * connection is still allowed by the currently defined - * policy. Match untracked packets too. - * Commit the connection only if the ACL has a label. This is done - * to update the connection tracking entry label in case the ACL - * allowing the connection changes. 
*/ - ds_clear(match); - ds_clear(actions); - ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", - acl->match); - if (acl->label) { - ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); - ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " - REG_LABEL" = %"PRId64"; ", acl->label); - } - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(match), ds_cstr(actions), - &acl->header_); - - /* Related and reply traffic are universally allowed by priority - * 65532 flows created in build_acls(). If logging is enabled on - * the ACL, then we need to ensure that the related and reply - * traffic is logged, so we install a slightly higher-priority - * flow that matches the ACL, allows the traffic, and logs it. - * - * Note: Matching the ct_label.label may prevent OVS flow HW - * offloading to work for some NICs because masked-access of - * ct_label is not supported on those NICs due to HW - * limitations. In such case the user may choose to avoid using the - * "log-related" option. - */ - bool log_related = smap_get_bool(&acl->options, "log-related", - false); - if (acl->log && acl->label && log_related) { - /* Related/reply flows need to be set on the opposite pipeline - * from where the ACL itself is set. - */ - enum ovn_stage log_related_stage = ingress ? - S_SWITCH_OUT_ACL : - S_SWITCH_IN_ACL; - ds_clear(match); - ds_clear(actions); - - ds_put_format(match, "ct.est && !ct.rel && !ct.new%s && " - "ct.rpl && %s == 0 && " - "ct_label.label == %" PRId64, - use_ct_inv_match ? " && !ct.inv" : "", - ct_blocked_match, acl->label); - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, "next;"); - ovn_lflow_add_with_hint(lflows, od, log_related_stage, - UINT16_MAX - 2, - ds_cstr(match), ds_cstr(actions), - &acl->header_); + /* Commit the connection tracking entry if it's a new + * connection that matches this ACL. 
After this commit, + * the reply traffic is allowed by a flow we create at + * priority 65535, defined earlier. + * + * It's also possible that a known connection was marked for + * deletion after a policy was deleted, but the policy was + * re-added while that connection is still known. We catch + * that case here and un-set ct_mark.blocked (which will be done + * by ct_commit in the "stateful" stage) to indicate that the + * connection should be allowed to resume. + */ + ds_clear(match); + ds_put_format(match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)", + acl->match); - ds_clear(match); - ds_put_format(match, "!ct.est && ct.rel && !ct.new%s && " - "%s == 0 && " - "ct_label.label == %" PRId64, - use_ct_inv_match ? " && !ct.inv" : "", - ct_blocked_match, acl->label); - ovn_lflow_add_with_hint(lflows, od, log_related_stage, - UINT16_MAX - 2, - ds_cstr(match), ds_cstr(actions), - &acl->header_); - } + ds_truncate(actions, log_verdict_len); + ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); + if (acl->label) { + ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " + REG_LABEL" = %"PRId64"; ", acl->label); + } + ds_put_cstr(actions, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, priority, + ds_cstr(match), ds_cstr(actions), + &acl->header_); + /* Match on traffic in the request direction for an established + * connection tracking entry that has not been marked for + * deletion. We use this to ensure that this + * connection is still allowed by the currently defined + * policy. Match untracked packets too. + * Commit the connection only if the ACL has a label. This is done + * to update the connection tracking entry label in case the ACL + * allowing the connection changes. 
*/ + ds_clear(match); + ds_truncate(actions, log_verdict_len); + ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", + acl->match); + if (acl->label) { + ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); + ds_put_format(actions, REGBIT_ACL_LABEL" = 1; " + REG_LABEL" = %"PRId64"; ", acl->label); } + ds_put_cstr(actions, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, priority, + ds_cstr(match), ds_cstr(actions), + &acl->header_); } else if (!strcmp(acl->action, "drop") || !strcmp(acl->action, "reject")) { /* The implementation of "drop" differs if stateful ACLs are in * use for this datapath. In that case, the actions differ * depending on whether the connection was previously committed * to the connection tracker with ct_commit. */ - if (has_stateful) { - /* If the packet is not tracked or not part of an established - * connection, then we can simply reject/drop it. */ - ds_clear(match); - ds_clear(actions); - ds_put_cstr(match, REGBIT_ACL_HINT_DROP " == 1"); - if (!strcmp(acl->action, "reject")) { - build_reject_acl_rules(od, lflows, stage, acl, match, - actions, &acl->header_, meter_groups); - } else { - ds_put_format(match, " && (%s)", acl->match); - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, debug_implicit_drop_action()); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(match), ds_cstr(actions), - &acl->header_); - } - /* For an existing connection without ct_mark.blocked set, we've - * encountered a policy change. ACLs previously allowed - * this connection and we committed the connection tracking - * entry. Current policy says that we should drop this - * connection. First, we set ct_mark.blocked to indicate - * that this connection is set for deletion. By not - * specifying "next;", we implicitly drop the packet after - * updating conntrack state. 
We would normally defer - * ct_commit() to the "stateful" stage, but since we're - * rejecting/dropping the packet, we go ahead and do it here. - */ - ds_clear(match); - ds_clear(actions); - ds_put_cstr(match, REGBIT_ACL_HINT_BLOCK " == 1"); - ds_put_format(actions, "ct_commit { %s = 1; }; ", - ct_blocked_match); - if (!strcmp(acl->action, "reject")) { - build_reject_acl_rules(od, lflows, stage, acl, match, - actions, &acl->header_, meter_groups); - } else { - ds_put_format(match, " && (%s)", acl->match); - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, debug_implicit_drop_action()); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - ds_cstr(match), ds_cstr(actions), - &acl->header_); - } - } else { - /* There are no stateful ACLs in use on this datapath, - * so a "reject/drop" ACL is simply the "reject/drop" - * logical flow action in all cases. */ - ds_clear(match); - ds_clear(actions); - if (!strcmp(acl->action, "reject")) { - build_reject_acl_rules(od, lflows, stage, acl, match, - actions, &acl->header_, meter_groups); - } else { - build_acl_log(actions, acl, meter_groups); - ds_put_cstr(actions, debug_implicit_drop_action()); - ovn_lflow_add_with_hint(lflows, od, stage, - acl->priority + OVN_ACL_PRI_OFFSET, - acl->match, ds_cstr(actions), - &acl->header_); - } - } + /* If the packet is not tracked or not part of an established + * connection, then we can simply reject/drop it. */ + ds_clear(match); + ds_put_cstr(match, REGBIT_ACL_HINT_DROP " == 1"); + ds_put_format(match, " && (%s)", acl->match); + + ds_truncate(actions, log_verdict_len); + ds_put_cstr(actions, "next;"); + ovn_lflow_add_with_hint(lflows, od, stage, priority, + ds_cstr(match), ds_cstr(actions), + &acl->header_); + /* For an existing connection without ct_mark.blocked set, we've + * encountered a policy change. ACLs previously allowed + * this connection and we committed the connection tracking + * entry. 
Current policy says that we should drop this + * connection. First, we set ct_mark.blocked to indicate + * that this connection is set for deletion. By not + * specifying "next;", we implicitly drop the packet after + * updating conntrack state. We would normally defer + * ct_commit() to the "stateful" stage, but since we're + * rejecting/dropping the packet, we go ahead and do it here. + */ + ds_clear(match); + ds_put_cstr(match, REGBIT_ACL_HINT_BLOCK " == 1"); + ds_put_format(match, " && (%s)", acl->match); + + ds_truncate(actions, log_verdict_len); + ds_put_format(actions, "ct_commit { %s = 1; }; next;", + ct_blocked_match); + ovn_lflow_add_with_hint(lflows, od, stage, priority, + ds_cstr(match), ds_cstr(actions), + &acl->header_); } } 
@@ -6764,13 +6652,143 @@ build_port_group_lswitches( #define IPV6_CT_OMIT_MATCH "nd || nd_ra || nd_rs || mldv1 || mldv2" +static void +build_acl_action_lflows(struct ovn_datapath *od, struct hmap *lflows, + const char *default_acl_action, + const struct shash *meter_groups, + struct ds *actions) +{ + enum ovn_stage stages [] = { + S_SWITCH_IN_ACL_ACTION, + S_SWITCH_IN_ACL_AFTER_LB_ACTION, + S_SWITCH_OUT_ACL_ACTION, + }; + + ds_clear(actions); + ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW " = 0; " + REGBIT_ACL_VERDICT_DROP " = 0; " + REGBIT_ACL_VERDICT_REJECT " = 0; "); + size_t verdict_len = actions->length; + + for (size_t i = 0; i < ARRAY_SIZE(stages); i++) { + enum ovn_stage stage = stages[i]; + if (!od->has_acls) { + ovn_lflow_add(lflows, od, stage, 0, "1", "next;"); + continue; + } + ds_truncate(actions, verdict_len); + ds_put_cstr(actions, "next;"); + ovn_lflow_add(lflows, od, stage, 1000, + REGBIT_ACL_VERDICT_ALLOW " == 1", ds_cstr(actions)); + ds_truncate(actions, verdict_len); + ds_put_cstr(actions, debug_implicit_drop_action()); + ovn_lflow_add(lflows, od, stage, 1000, + REGBIT_ACL_VERDICT_DROP " == 1", + ds_cstr(actions)); + bool ingress = ovn_stage_get_pipeline(stage) == P_IN; + + ds_truncate(actions, verdict_len); + ds_put_format( + actions, "reg0 = 0; " + "reject { " + "/* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ " + "outport <-> inport; next(pipeline=%s,table=%d); };", + ingress ? "egress" : "ingress", + ingress ? 
ovn_stage_get_table(S_SWITCH_OUT_QOS_MARK) + : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP)); + + ovn_lflow_metered(lflows, od, stage, 1000, + REGBIT_ACL_VERDICT_REJECT " == 1", ds_cstr(actions), + copp_meter_get(COPP_REJECT, od->nbs->copp, + meter_groups)); + + ds_truncate(actions, verdict_len); + ds_put_cstr(actions, default_acl_action); + ovn_lflow_add(lflows, od, stage, 0, "1", ds_cstr(actions)); + } +} + +static void +build_acl_log_related_flows(struct ovn_datapath *od, struct hmap *lflows, + const struct nbrec_acl *acl, bool has_stateful, + bool ct_masked_mark, + const struct shash *meter_groups, + struct ds *match, struct ds *actions) +{ + /* Related and reply traffic are universally allowed by priority + * 65532 flows created in build_acls(). If logging is enabled on + * the ACL, then we need to ensure that the related and reply + * traffic is logged, so we install a slightly higher-priority + * flow that matches the ACL, allows the traffic, and logs it. + * + * Note: Matching the ct_label.label may prevent OVS flow HW + * offloading to work for some NICs because masked-access of + * ct_label is not supported on those NICs due to HW + * limitations. In such case the user may choose to avoid using the + * "log-related" option. + */ + const char *ct_blocked_match = ct_masked_mark + ? "ct_mark.blocked" + : "ct_label.blocked"; + bool ingress = !strcmp(acl->direction, "from-lport") ? 
true :false; + bool log_related = smap_get_bool(&acl->options, "log-related", + false); + + if (!strcmp(acl->action, "allow-stateless") || !has_stateful) { + /* Not stateful */ + return; + } + + if (strcmp(acl->action, "allow") && strcmp(acl->action, "allow-related")) { + /* Not an allow ACL */ + return; + } + + if (!acl->log || !acl->label || !log_related) { + /* Missing requirements for logging related ACLs */ + return; + } + + ds_clear(actions); + build_acl_log(actions, acl, meter_groups); + ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); + /* Related/reply flows need to be set on the opposite pipeline + * from where the ACL itself is set. + */ + enum ovn_stage log_related_stage = ingress ? + S_SWITCH_OUT_ACL_EVAL : + S_SWITCH_IN_ACL_EVAL; + ds_clear(match); + ds_put_format(match, "ct.est && !ct.rel && !ct.new%s && " + "ct.rpl && %s == 0 && " + "ct_label.label == %" PRId64, + use_ct_inv_match ? " && !ct.inv" : "", + ct_blocked_match, acl->label); + ovn_lflow_add_with_hint(lflows, od, log_related_stage, + UINT16_MAX - 2, + ds_cstr(match), ds_cstr(actions), + &acl->header_); + + ds_clear(match); + ds_put_format(match, "!ct.est && ct.rel && !ct.new%s && " + "%s == 0 && " + "ct_label.label == %" PRId64, + use_ct_inv_match ? " && !ct.inv" : "", + ct_blocked_match, acl->label); + ovn_lflow_add_with_hint(lflows, od, log_related_stage, + UINT16_MAX - 2, + ds_cstr(match), ds_cstr(actions), + &acl->header_); +} + static void build_acls(struct ovn_datapath *od, const struct chassis_features *features, struct hmap *lflows, const struct hmap *port_groups, const struct shash *meter_groups) { - const char *default_acl_action = default_acl_drop ? debug_drop_action() : - "next;"; + const char *default_acl_action = default_acl_drop + ? debug_implicit_drop_action() + : "next;"; bool has_stateful = od->has_stateful_acl || od->has_lb_vip; const char *ct_blocked_match = features->ct_no_masked_label ? "ct_mark.blocked" 
@@ -6787,22 +6805,21 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * are any stateful ACLs in this datapath. */ if (!od->has_acls) { if (!od->has_lb_vip) { - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "1", + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX, "1", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "1", + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX, "1", "next;"); } else { - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 0, "1", "next;"); } - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_EVAL, 0, "1", + "next;"); } else { - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", - default_acl_action); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", - default_acl_action); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, 0, "1", - default_acl_action); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_EVAL, 0, "1", + "next;"); } 
@@ -6831,20 +6848,22 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * uses "next;". */ ds_clear(&match); ds_put_format(&match, "ip && ct.est && %s == 1", ct_blocked_match); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, ds_cstr(&match), - REGBIT_CONNTRACK_COMMIT" = 1; next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, + REGBIT_CONNTRACK_COMMIT" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, ds_cstr(&match), - REGBIT_CONNTRACK_COMMIT" = 1; next;"); + REGBIT_CONNTRACK_COMMIT" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); - default_acl_action = default_acl_drop - ? debug_drop_action() + const char *next_action = default_acl_drop + ? "next;" : REGBIT_CONNTRACK_COMMIT" = 1; next;"; - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, "ip && !ct.est", - default_acl_action); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, "ip && !ct.est", - default_acl_action); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, "ip && !ct.est", + next_action); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, "ip && !ct.est", + next_action); /* Ingress and Egress ACL Table (Priority 65532). * @@ -6857,10 +6876,10 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, ds_put_format(&match, "%s(ct.est && ct.rpl && %s == 1)", use_ct_inv_match ? "ct.inv || " : "", ct_blocked_match); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, - ds_cstr(&match), debug_drop_action()); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, - ds_cstr(&match), debug_drop_action()); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, + ds_cstr(&match), REGBIT_ACL_VERDICT_DROP " = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, + ds_cstr(&match), REGBIT_ACL_VERDICT_DROP " = 1; next;"); /* Ingress and Egress ACL Table (Priority 65535 - 3). * 
@@ -6876,12 +6895,14 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, "ct.rpl && %s == 0", use_ct_inv_match ? " && !ct.inv" : "", ct_blocked_match); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, ds_cstr(&match), REGBIT_ACL_HINT_DROP" = 0; " REGBIT_ACL_HINT_BLOCK" = 0; " - REGBIT_ACL_HINT_ALLOW_REL" = 1; next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, - ds_cstr(&match), "next;"); + REGBIT_ACL_HINT_ALLOW_REL" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, + ds_cstr(&match), + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); /* Ingress and Egress ACL Table (Priority 65535). * 
@@ -6897,24 +6918,28 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * that's generated from a non-listening UDP port. */ const char *ct_in_acl_action = features->ct_lb_related - ? REGBIT_ACL_HINT_ALLOW_REL" = 1; ct_commit_nat;" - : REGBIT_ACL_HINT_ALLOW_REL" = 1; next;"; - const char *ct_out_acl_action = features->ct_lb_related - ? "ct_commit_nat;" - : "next;"; + ? REGBIT_ACL_HINT_ALLOW_REL" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; ct_commit_nat;" + : REGBIT_ACL_HINT_ALLOW_REL" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; + const char *ct_out_acl_action = + features->ct_lb_related + ? REGBIT_ACL_VERDICT_ALLOW" = 1; ct_commit_nat;" + : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; ds_clear(&match); ds_put_format(&match, "!ct.est && ct.rel && !ct.new%s && %s == 0", use_ct_inv_match ? " && !ct.inv" : "", ct_blocked_match); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, ds_cstr(&match), ct_in_acl_action); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, ds_cstr(&match), ct_out_acl_action); - /* Reply and related traffic matched by an "allow-related" ACL * should be allowed in the ls_in_acl_after_lb stage too. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, UINT16_MAX - 3, - REGBIT_ACL_HINT_ALLOW_REL" == 1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_EVAL, + UINT16_MAX - 3, + REGBIT_ACL_HINT_ALLOW_REL" == 1", + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); } /* Ingress and Egress ACL Table (Priority 65532). 
@@ -6924,16 +6949,22 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * Also, don't send them to conntrack because session tracking * for these protocols is not working properly: * https://bugzilla.kernel.org/show_bug.cgi?id=11797. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, - IPV6_CT_OMIT_MATCH, "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, - IPV6_CT_OMIT_MATCH, "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, UINT16_MAX - 3, - IPV6_CT_OMIT_MATCH, "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, + IPV6_CT_OMIT_MATCH, + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, + IPV6_CT_OMIT_MATCH, + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_EVAL, UINT16_MAX - 3, + IPV6_CT_OMIT_MATCH, + REGBIT_ACL_VERDICT_ALLOW " = 1; next;"); /* Ingress or Egress ACL Table (Various priorities). */ for (size_t i = 0; i < od->nbs->n_acls; i++) { struct nbrec_acl *acl = od->nbs->acls[i]; + build_acl_log_related_flows(od, lflows, acl, has_stateful, + features->ct_no_masked_label, + meter_groups, &match, &actions); consider_acl(lflows, od, acl, has_stateful, features->ct_no_masked_label, meter_groups, &match, &actions); @@ -6942,7 +6973,11 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, HMAP_FOR_EACH (pg, key_node, port_groups) { if (ovn_port_group_ls_find(pg, &od->nbs->header_.uuid)) { for (size_t i = 0; i < pg->nb_pg->n_acls; i++) { - consider_acl(lflows, od, pg->nb_pg->acls[i], has_stateful, + const struct nbrec_acl *acl = pg->nb_pg->acls[i]; + build_acl_log_related_flows(od, lflows, acl, has_stateful, + features->ct_no_masked_label, + meter_groups, &match, &actions); + consider_acl(lflows, od, acl, has_stateful, features->ct_no_masked_label, meter_groups, &match, &actions); } 
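Review bot: `build_acl_log_related_flows()` is invoked right before `consider_acl()` with an identical argument list in both the per-datapath loop and the port-group loop; fold the pair into one small helper so the two call sites cannot drift apart when the argument list changes. Minor: the first loop keeps `struct nbrec_acl *acl` while the port-group loop declares `const struct nbrec_acl *acl`; use `const` in both since neither path modifies the row. The body of `build_acl_log_related_flows()` is not in this excerpt, so I could not check how it uses `has_stateful` and `ct_no_masked_label`.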
@@ -6966,14 +7001,16 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, &od->nbs->ports[i]->dhcpv4_options->options, "lease_time"); if (server_id && server_mac && lease_time) { const char *dhcp_actions = - has_stateful ? "ct_commit; next;" : "next;"; + has_stateful ? REGBIT_ACL_VERDICT_ALLOW" = 1; " + "ct_commit; next;" + : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; ds_clear(&match); ds_put_format(&match, "outport == \"%s\" && eth.src == %s " "&& ip4.src == %s && udp && udp.src == 67 " "&& udp.dst == 68", od->nbs->ports[i]->name, server_mac, server_id); ovn_lflow_add_with_lport_and_hint( - lflows, od, S_SWITCH_OUT_ACL, 34000, ds_cstr(&match), + lflows, od, S_SWITCH_OUT_ACL_EVAL, 34000, ds_cstr(&match), dhcp_actions, od->nbs->ports[i]->name, &od->nbs->ports[i]->dhcpv4_options->header_); } @@ -6992,15 +7029,17 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, char server_ip[INET6_ADDRSTRLEN + 1]; ipv6_string_mapped(server_ip, &lla); - const char *dhcp6_actions = has_stateful ? "ct_commit; next;" : - "next;"; + const char *dhcp6_actions = + has_stateful ? REGBIT_ACL_VERDICT_ALLOW" = 1; " + "ct_commit; next;" + : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; ds_clear(&match); ds_put_format(&match, "outport == \"%s\" && eth.src == %s " "&& ip6.src == %s && udp && udp.src == 547 " "&& udp.dst == 546", od->nbs->ports[i]->name, server_mac, server_ip); ovn_lflow_add_with_lport_and_hint( - lflows, od, S_SWITCH_OUT_ACL, 34000, ds_cstr(&match), + lflows, od, S_SWITCH_OUT_ACL_EVAL, 34000, ds_cstr(&match), dhcp6_actions, od->nbs->ports[i]->name, &od->nbs->ports[i]->dhcpv6_options->header_); } 
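Review bot: the `has_stateful ? REGBIT_ACL_VERDICT_ALLOW" = 1; " "ct_commit; next;" : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"` ternary is spelled out for DHCPv4 here, again for DHCPv6 in the second hunk, and a third time for the DNS flow that follows; compute it once before the port loop (a name like `allow_commit_actions` would do) and reuse it, so the three ACL-bypass flows cannot diverge.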
@@ -7011,24 +7050,32 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, * if the CMS has configured DNS records for the datapath. */ if (ls_has_dns_records(od->nbs)) { - const char *dns_actions = has_stateful ? "ct_commit; next;" : "next;"; + const char *dns_actions = + has_stateful ? REGBIT_ACL_VERDICT_ALLOW" = 1; " + "ct_commit; next;" + : REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; ovn_lflow_add( - lflows, od, S_SWITCH_OUT_ACL, 34000, "udp.src == 53", + lflows, od, S_SWITCH_OUT_ACL_EVAL, 34000, "udp.src == 53", dns_actions); } if (od->has_acls || od->has_lb_vip) { /* Add a 34000 priority flow to advance the service monitor reply * packets to skip applying ingress ACLs. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 34000, - "eth.dst == $svc_monitor_mac", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 34000, + "eth.dst == $svc_monitor_mac", + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); /* Add a 34000 priority flow to advance the service monitor packets * generated by ovn-controller to skip applying egress ACLs. */ - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 34000, - "eth.src == $svc_monitor_mac", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 34000, + "eth.src == $svc_monitor_mac", + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"); } + build_acl_action_lflows(od, lflows, default_acl_action, meter_groups, + &actions); + ds_destroy(&match); ds_destroy(&actions); } diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 7da912da3..40c5ec95b 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -684,7 +684,7 @@ -
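Review bot: `build_acl_action_lflows(od, lflows, default_acl_action, meter_groups, &actions)` is now the only consumer of `default_acl_action`, and the priority-1 hunk above removed the assignment that used to fold in the commit hint, so what reaches the action stage is the value set at the top of `build_acls()` (outside this diff); confirm it still maps `default_acl_drop` to a drop (preferably `debug_drop_action()`) and otherwise to `next;`. Also note that the `udp.src == 53` and `$svc_monitor_mac` priority-34000 flows keep their pre-existing semantics (any packet matching them skips ACL evaluation on that datapath) and now express that as an explicit allow verdict; that is unchanged behaviour, but it deserves a sentence in the commit message since the bit is what the action stage trusts.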

Ingress table 8: from-lport ACLs before LB

+

Ingress table 8: from-lport ACL evaluation before LB

Logical flows in this table closely reproduce those in the @@ -697,61 +697,71 @@

  • - allow ACLs translate into logical flows with - the next; action. If there are any stateful ACLs - on this datapath, then allow ACLs translate to - ct_commit; next; (which acts as a hint for the next tables - to commit the connection to conntrack). In case the ACL - has a label then reg3 is loaded with the label value and + This table is responsible for evaluating ACLs, and setting a register + bit to indicate whether the ACL decided to allow, drop, or reject the + traffic. The allow bit is reg8[16]. The drop bit is + reg8[17]. All flows in this table will advance the packet + to the next table, where the bits from before are evaluated to + determine what to do with the packet. Any flows in this table that + intend for the packet to pass will set reg8[16] to 1, + even if an ACL with an allow-type action was not matched. This lets the + next table know to allow the traffic to pass. These bits will be + referred to as the "allow", "drop", and "reject" bits in the upcoming + paragraphs. +
  • +
  • + allow ACLs translate into logical flows that set the allow + bit to 1 and advance the packet to the next table. If there are any + stateful ACLs on this datapath, then allow ACLs set the + allow bit to one and in addition perform ct_commit; (which + acts as a hint for future tables to commit the connection to + conntrack). In case the ACL has a label then + reg3 is loaded with the label value and reg0[13] bit is set to 1 (which acts as a hint for the next tables to commit the label to conntrack).
  • - allow-related ACLs translate into logical - flows with the ct_commit(ct_label=0/1); next; actions - for new connections and reg0[1] = 1; next; for existing - connections. In case the ACL has a label then - reg3 is loaded with the label value and + allow-related ACLs translate into logical flows that set + the allow bit and additionally have ct_commit(ct_label=0/1); + next; actions for new connections and reg0[1] = 1; + next; for existing connections. In case the ACL + has a label then reg3 is loaded with the label value and reg0[13] bit is set to 1 (which acts as a hint for the next tables to commit the label to conntrack).
  • - allow-stateless ACLs translate into logical - flows with the next; action. + allow-stateless ACLs translate into logical flows that set + the allow bit and advance to the next table.
  • - reject ACLs translate into logical - flows with the - tcp_reset { output <-> inport; - next(pipeline=egress,table=5);} - action for TCP connections,icmp4/icmp6 action - for UDP connections, and sctp_abort {output <-%gt; inport; - next(pipeline=egress,table=5);} action for SCTP associations. + reject ACLs translate into logical flows with that set the + reject bit and advance to the next table.
  • - Other ACLs translate to drop; for new or untracked - connections and ct_commit(ct_label=1/1); for known - connections. Setting ct_label marks a connection - as one that was previously allowed, but should no longer be - allowed due to a policy change. + Other ACLs set the drop bit and advance to the next table for new or + untracked connections. For known connections, they set the drop bit, + as well as running the ct_commit(ct_label=1/1); action. + Setting ct_label marks a connection as one that was + previously allowed, but should no longer be allowed due to a policy + change.

- This table contains a priority-65535 flow to advance to the next table - if the logical switch has no ACLs configured, otherwise a - priority-0 flow to advance to the next table so that ACLs allow - packets by default if column of is false or not set. Otherwise - the flow action is set to drop; to implement a default - drop behavior. + This table contains a priority-65535 flow to set the allow bit and + advance to the next table if the logical switch has no + ACLs configured, otherwise a priority-0 flow to advance to the next + table is added. This flow does not set the allow bit, so that the next + table can decide whether to allow or drop the packet based on the value + of the column of the table.

- A priority-65532 flow is added to allow IPv6 Neighbor solicitation, - Neighbor discover, Router solicitation, Router advertisement and MLD - packets regardless of other ACLs defined. + A priority-65532 flow is added that sets the allow bit for + IPv6 Neighbor solicitation, Neighbor discover, Router solicitation, + Router advertisement and MLD packets regardless of other ACLs defined.

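Review bot: the new introductory paragraph names the allow bit (`reg8[16]`) and the drop bit (`reg8[17]`) and then refers to "the allow, drop, and reject bits" without ever saying which register bit is the reject bit; the Egress Table 4 text in this same patch says `reg8[18]`, while the after-LB section says `reg8[17]`, so spell out `reg8[18]` here and fix the after-LB paragraph to match. Two further points: "This table contains a priority-65535 flow to set the allow bit and advance to the next table if the logical switch has no ACLs configured" does not match northd.c, where that flow's action is plain `next;` (no bit is set; the action stage's priority-0 flow lets it through), and "reject ACLs translate into logical flows with that set the reject bit" has a stray "with".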
@@ -773,24 +783,17 @@

  • - If column of is true, a priority-1 - flow that drops IP traffic that is not part of established - sessions. -
  • - -
  • - A priority-1 flow that sets the hint to commit IP traffic to the - connection tracker (with action reg0[1] = 1; next;). This - is needed for the default allow policy because, while the initiator's - direction may not have any stateful rules, the server's may and then - its return traffic would not be known and marked as invalid. + A priority-1 flow that sets the allow bit and sets the hint to commit + IP traffic to the connection tracker (with action reg0[1] = 1; + next;). This is needed for the default allow policy because, + while the initiator's direction may not have any stateful rules, the + server's may and then its return traffic would not be known and marked + as invalid.
  • - A priority-65532 flow that allows any traffic in the reply - direction for a connection that has been committed to the + A priority-65532 flow that sets the allow bit for any traffic in the + reply direction for a connection that has been committed to the connection tracker (i.e., established flows), as long as the committed flow does not have ct_mark.blocked set. We only handle traffic in the reply direction here because @@ -807,9 +810,9 @@
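Review bot: removing the "If column of is true, a priority-1 flow that drops IP traffic that is not part of established sessions" bullet leaves this table with no description of the `default_acl_drop` case; the code now emits a verdict-less `next;` for `ip && !ct.est` and defers to the action stage's default, so say that here rather than deleting the bullet. The surviving bullet also claims the priority-1 flow "sets the allow bit", but the quoted action is still `reg0[1] = 1; next;` and the code sets only `REGBIT_CONNTRACK_COMMIT`; drop "sets the allow bit and" from that sentence.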
  • - A priority-65532 flow that allows any traffic that is considered - related to a committed flow in the connection tracker (e.g., an - ICMP Port Unreachable from a non-listening UDP port), as long + A priority-65532 flow that sets the allow bit for any traffic that is + considered related to a committed flow in the connection tracker (e.g., + an ICMP Port Unreachable from a non-listening UDP port), as long as the committed flow does not have ct_mark.blocked set. This flow also applies NAT to the related traffic so that ICMP headers and the inner packet have correct addresses. @@ -819,14 +822,14 @@
  • - A priority-65532 flow that drops all traffic marked by the - connection tracker as invalid. + A priority-65532 flow that sets the drop bit for all traffic marked by + the connection tracker as invalid.
  • - A priority-65532 flow that drops all traffic in the reply direction - with ct_mark.blocked set meaning that the connection - should no longer be allowed due to a policy change. Packets + A priority-65532 flow that sets the drop bit for all traffic in the + reply direction with ct_mark.blocked set meaning that the + connection should no longer be allowed due to a policy change. Packets in the request direction are skipped here to let a newly created ACL re-allow this connection.
  • @@ -842,7 +845,7 @@ A priority 34000 logical flow is added for each logical switch datapath with the match eth.dst = E to allow the service monitor reply packet destined to ovn-controller - with the action next, where E is the + that sets the allow bit, where E is the service monitor mac defined in the column of -

    Ingress Table 9: from-lport QoS Marking

    +

    Ingress Table 9: from-lport ACL action

    + +

    + Logical flows in this table decide how to proceed based on the values of + the allow, drop, and reject bits that may have been set in the previous + table. +

    + +
      +
    • + If no ACLs are configured, then a priority 0 flow is installed that + matches everything and advances to the next table. +
    • + +
    • + A priority 1000 flow is installed that will advance the packet to the + next table if the allow bit is set. +
    • + +
    • + A priority 1000 flow is installed that will run the drop; + action if the drop bit is set. +
    • + +
    • + A priority 1000 flow is installed that will run the tcp_reset + { output <-> inport; next(pipeline=egress,table=5);} + action for TCP connections,icmp4/icmp6 action + for UDP connections, and sctp_abort {output <-%gt; inport; + next(pipeline=egress,table=5);} action for SCTP associations. +
    • +
    + +

    Ingress Table 10: from-lport QoS Marking
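Review bot: the new "from-lport ACL action" table text lists the no-ACL priority-0 flow and the three priority-1000 verdict flows but omits the lowest-priority flow for a datapath that does have ACLs when a packet arrives with no bit set, which is where `default_acl_action` (drop or `next;` per `default_acl_drop`) is applied; that is the flow that now implements the default-deny policy, so document it. It also does not say what the reject bit does for traffic that is neither TCP, UDP nor SCTP. Finally, the reject bullet carries over the `<-%gt;` typo (should be `<->`) and the missing space in "connections,icmp4" from the old text; fix them since the paragraph is being relocated anyway.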

    Logical flows in this table closely reproduce those in the @@ -872,7 +908,7 @@ -

    Ingress Table 10: from-lport QoS Meter

    +

    Ingress Table 11: from-lport QoS Meter

    Logical flows in this table closely reproduce those in the @@ -894,7 +930,7 @@ -

    Ingress Table 11: Load balancing affinity check

    +

    Ingress Table 12: Load balancing affinity check

    Load balancing affinity check table contains the following @@ -922,7 +958,7 @@ -

    Ingress Table 12: LB

    +

    Ingress Table 13: LB

    • @@ -1002,7 +1038,7 @@
    -

    Ingress Table 13: Load balancing affinity learn

    +

    Ingress Table 14: Load balancing affinity learn

    Load balancing affinity learn table contains the following @@ -1033,7 +1069,7 @@ -

    Ingress Table 14: Pre-Hairpin

    +

    Ingress Table 15: Pre-Hairpin

    • If the logical switch has load balancer(s) configured, then a @@ -1051,7 +1087,7 @@
    -

    Ingress Table 15: Nat-Hairpin

    +

    Ingress Table 16: Nat-Hairpin

    • If the logical switch has load balancer(s) configured, then a @@ -1086,7 +1122,7 @@
    -

    Ingress Table 16: Hairpin

    +

    Ingress Table 17: Hairpin

    • @@ -1120,56 +1156,57 @@

    -

    Ingress table 17: from-lport ACLs after LB

    +

    Ingress table 18: from-lport ACL evaluation after LB

    Logical flows in this table closely reproduce those in the - ACL table in the OVN_Northbound database + ACL eval table in the OVN_Northbound database for the from-lport direction with the option apply-after-lb set to true. The priority values from the ACL table have a limited range and have 1000 added to them to leave room for OVN default - flows at both higher and lower priorities. + flows at both higher and lower priorities. The flows in this table + indicate the ACL verdict by setting reg8[16] for + allow-type ACLs, reg8[17] for drop + ACLs, and reg8[17] for reject ACLs, and then + advancing the packet to the next table. These will be reffered to as the + allow bit, drop bit, and reject bit throughout the documentation for this + table and the next one.

    • allow apply-after-lb ACLs translate into logical flows - with the next; action. If there are any stateful ACLs + that set the allow bit. If there are any stateful ACLs (including both before-lb and after-lb ACLs) - on this datapath, then allow ACLs translate to - ct_commit; next; (which acts as a hint for the next tables - to commit the connection to conntrack). In case the ACL - has a label then reg3 is loaded with the label value and - reg0[13] bit is set to 1 (which acts as a hint for the - next tables to commit the label to conntrack). + on this datapath, then allow ACLs also run + ct_commit; next; (which acts as a hint for an upcoming + table to commit the connection to conntrack). In case the + ACL has a label then reg3 is loaded with the + label value and reg0[13] bit is set to 1 (which acts as a + hint for the next tables to commit the label to conntrack).
    • allow-related apply-after-lb ACLs translate into logical - flows with the ct_commit(ct_label=0/1); next; actions - for new connections and reg0[1] = 1; next; for existing - connections. In case the ACL has a label then - reg3 is loaded with the label value and + flows that set the allow bit and run the ct_commit(ct_label=0/1); + next; actions for new connections and reg0[1] = 1; + next; for existing connections. In case the ACL + has a label then reg3 is loaded with the label value and reg0[13] bit is set to 1 (which acts as a hint for the next tables to commit the label to conntrack).
    • allow-stateless apply-after-lb ACLs translate into logical - flows with the next; action. + flows that set the allow bit and advance to the next table.
    • reject apply-after-lb ACLs translate into logical - flows with the - tcp_reset { output <-> inport; - next(pipeline=egress,table=5);} - action for TCP connections,icmp4/icmp6 action - for UDP connections, and sctp_abort {output <-%gt; inport; - next(pipeline=egress,table=5);} action for SCTP associations. + flows that set the reject bit and advance to the next table.
    • - Other apply-after-lb ACLs translate to drop; for new - or untracked connections and ct_commit(ct_label=1/1); for - known connections. Setting ct_label marks a connection + Other apply-after-lb ACLs set the drop bit for new or untracked + connections and ct_commit(ct_label=1/1); for known + connections. Setting ct_label marks a connection as one that was previously allowed, but should no longer be allowed due to a policy change.
    • @@ -1179,8 +1216,8 @@
    • One priority-65532 flow matching packets with reg0[17] set (either replies to existing sessions or traffic related to - existing sessions) and allows these by advancing to the next - table. + existing sessions) and allows these by setting the allow bit and + advancing to the next table.
    @@ -1191,7 +1228,40 @@ -
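Review bot: "`reg8[17]` for drop ACLs, and `reg8[17]` for reject ACLs" assigns the same bit to two verdicts; the Egress Table 4 text gives `reg8[18]` for reject, so correct this one. Also "reffered" should be "referred", and the rewritten first sentence now says the flows "closely reproduce those in the ACL eval table in the OVN_Northbound database", but the northbound table is still named ACL; only the logical-flow stage was renamed, so keep "ACL table" there.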

    Ingress Table 18: Stateful

    +

    Ingress Table 19: from-lport ACL action after LB

    + +

    + Logical flows in this table decide how to proceed based on the values of + the allow, drop, and reject bits that may have been set in the previous + table. +

    + +
      +
    • + If no ACLs are configured, then a priority 0 flow is installed that + matches everything and advances to the next table. +
    • + +
    • + A priority 1000 flow is installed that will advance the packet to the + next table if the allow bit is set. +
    • + +
    • + A priority 1000 flow is installed that will run the drop; + action if the drop bit is set. +
    • + +
    • + A priority 1000 flow is installed that will run the tcp_reset + { output <-> inport; next(pipeline=egress,table=5);} + action for TCP connections,icmp4/icmp6 action + for UDP connections, and sctp_abort {output <-%gt; inport; + next(pipeline=egress,table=5);} action for SCTP associations. +
    • +
    + +

    Ingress Table 20: Stateful

    • @@ -1214,7 +1284,7 @@
    -

    Ingress Table 19: ARP/ND responder

    +

    Ingress Table 21: ARP/ND responder

    This table implements ARP/ND responder in a logical switch for known @@ -1541,7 +1611,7 @@ output; -

    Ingress Table 20: DHCP option processing

    +

    Ingress Table 22: DHCP option processing

    This table adds the DHCPv4 options to a DHCPv4 packet from the @@ -1602,7 +1672,7 @@ next; -

    Ingress Table 21: DHCP responses

    +

    Ingress Table 23: DHCP responses

    This table implements DHCP responder for the DHCP replies generated by @@ -1683,7 +1753,7 @@ output; -

    Ingress Table 22 DNS Lookup

    +

    Ingress Table 24 DNS Lookup

    This table looks up and resolves the DNS names to the corresponding @@ -1712,7 +1782,7 @@ reg0[4] = dns_lookup(); next; -

    Ingress Table 23 DNS Responses

    +

    Ingress Table 25 DNS Responses

    This table implements DNS responder for the DNS replies generated by @@ -1747,7 +1817,7 @@ output; -

    Ingress table 24 External ports

    +

    Ingress table 26 External ports

    Traffic from the external logical ports enter the ingress @@ -1790,7 +1860,7 @@ output; -

    Ingress Table 25 Destination Lookup

    +

    Ingress Table 27 Destination Lookup

    This table implements switching behavior. It contains these logical @@ -1966,7 +2036,7 @@ output; -

    Ingress Table 26 Destination unknown

    +

    Ingress Table 28 Destination unknown

    This table handles the packets whose destination was not found or @@ -2116,11 +2186,15 @@ output; This is similar to ingress table ACL hints.

    -

    Egress Table 4: to-lport ACLs

    +

    Egress Table 4: to-lport ACL evaluation

    - This is similar to ingress table ACLs except for - to-lport ACLs. + This is similar to ingress table ACL eval except for + to-lport ACLs. As a reminder, these flows use the + following register bits to indicate their verdicts. + Allow-type ACLs set reg8[16], drop + ACLs set reg8[17], and reject ACLs set + reg8[18].

    @@ -2137,14 +2211,16 @@ output; A priority 34000 logical flow is added for each logical port which has DHCPv4 options defined to allow the DHCPv4 reply packet and which has DHCPv6 options defined to allow the DHCPv6 reply packet from the - Ingress Table 18: DHCP responses. + Ingress Table 18: DHCP responses. This is indicated by + setting the allow bit.

  • A priority 34000 logical flow is added for each logical switch datapath configured with DNS records with the match udp.dst = 53 to allow the DNS reply packet from the - Ingress Table 20: DNS responses. + Ingress Table 20: DNS responses. This is indicated by + setting the allow bit.
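Review bot: the cross-references "Ingress Table 18: DHCP responses" and "Ingress Table 20: DNS responses" are stale; with the numbering introduced by this patch those are Ingress Table 23 and Ingress Table 25 (they were already stale before this change). Since both sentences are being edited to mention the allow bit, fix the numbers at the same time.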
  • @@ -2155,32 +2231,38 @@ output; service monitor mac defined in the column of table. + db="OVN_Northbound"/> table. This is indicated by setting the allow + bit.
  • -

    Egress Table 5: to-lport QoS Marking

    +

    Egress Table 5: to-lport ACL action

    +

    + This is similar to ingress table ACL action. +

    + +

    Egress Table 6: to-lport QoS Marking

    This is similar to ingress table QoS marking except they apply to to-lport QoS rules.

    -

    Egress Table 6: to-lport QoS Meter

    +

    Egress Table 7: to-lport QoS Meter

    This is similar to ingress table QoS meter except they apply to to-lport QoS rules.

    -

    Egress Table 7: Stateful

    +

    Egress Table 8: Stateful

    This is similar to ingress table Stateful except that there are no rules added for load balancing new connections.

    -

    Egress Table 8: Egress Port Security - check

    +

    Egress Table 9: Egress Port Security - check

    This is similar to the port security logic in table @@ -2209,7 +2291,7 @@ output; -

    Egress Table 9: Egress Port Security - Apply

    +

    Egress Table 10: Egress Port Security - Apply

    This is similar to the ingress port security logic in ingress table diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 137724723..64d6a9336 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -919,9 +919,9 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=drop +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$i @@ -941,7 +941,7 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi if test "$i" = 10; then 
@@ -967,12 +967,12 @@ for i in $(seq 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.1.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$(($i * 2)) 
@@ -1092,9 +1092,9 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=drop -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=drop -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=drop +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else # (1 conj_id flow + 3 tp_dst flows) = 4 extra flows @@ -1106,8 +1106,8 @@ priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,tp_dst=33 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) 
@@ -1134,9 +1134,9 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=drop -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=drop -priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=drop +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=111 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=222 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,tp_dst=333 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$((14 - $i)) @@ -1158,8 +1158,8 @@ for i in $(seq 10); do AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=conjunction,1/2) 
@@ -1289,7 +1289,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows @@ -1301,8 +1301,8 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=conjunction,1/2) @@ -1331,7 +1331,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.15 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$((21 - $i*2)) 
@@ -1357,9 +1357,9 @@ for i in $(seq 2 10); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$i @@ -1383,8 +1383,8 @@ for i in $(seq 10); do if test "$i" = 9; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) elif test "$i" = 10; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep "priority=1100"], [1], [ignore]) 
@@ -1446,8 +1446,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$(($i*2)) 
@@ -1459,12 +1459,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=dr grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi done 
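Review bot: the -1459 hunk (and the -1558 hunk two hunks below) leaves the greedy `sed -r 's/conj_id=.*,/conj_id=,/'` in place while every other hunk in this file tightens it to `s/conj_id=.*,metadata/conj_id=,metadata/`. It is harmless today because neither of these expected outputs contains a conj_id flow, so the substitution never fires, but the first time someone adds a conj_id line to these checks the greedy form will eat the comma-bearing `load:...,resubmit(,45)` action and the failure will be hard to read; please update both for consistency while the file is open.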
@@ -1542,8 +1542,8 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) elif test "$i" -lt 6; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$(($i*2)) 
@@ -1558,12 +1558,12 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=dr grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=drop -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.6 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.7 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.8 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi done 
@@ -1640,7 +1640,7 @@ for i in $(seq 10); do if test "$i" = 1; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else # (1 conj_id + nw_src * i + nw_dst * i) = 1 + i*2 flows @@ -1652,8 +1652,8 @@ priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.1,nw_dst=10. AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1680,7 +1680,7 @@ for i in $(seq 10); do # no conjunction left AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=drop +priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.10,nw_dst=10.0.0.10 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) else AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$((21 - $i*2)) 
@@ -1702,8 +1702,8 @@ for i in $(seq 10); do AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1742,8 +1742,8 @@ check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) 
@@ -1766,8 +1766,8 @@ check ovn-nbctl --wait=hv remove address_set as1 addresses 10.0.0.4,10.0.0.5 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.*,/conjunction,/' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.1 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.2 actions=conjunction,1/2) priority=1100,ip,reg15=0x$port_key,metadata=0x$dp_key,nw_dst=10.0.0.3 actions=conjunction,1/2) @@ -1824,9 +1824,9 @@ check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) 
@@ -1849,9 +1849,9 @@ check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) @@ -1880,9 +1880,9 @@ check ovn-nbctl --wait=hv sync AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | \ sed -r 's/conjunction.[[0-9]]*,/conjunction,/g' | \ - sed -r 's/conj_id=.*,/conj_id=,/' | sort], [0], [dnl -priority=1100,conj_id=,metadata=0x$dp_key actions=drop -priority=1100,conj_id=,metadata=0x$dp_key actions=drop + sed -r 's/conj_id=.*,metadata/conj_id=,metadata/' | sort], [0], [dnl +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,conj_id=,metadata=0x$dp_key actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.11 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.12 actions=conjunction,1/2) priority=1100,tcp,reg15=0x$port_key,metadata=0x$dp_key,nw_src=10.0.0.13 actions=conjunction,1/2) 
@@ -1944,9 +1944,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=drop -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=drop -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=drop +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:01 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:02 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:03 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$i @@ -1967,7 +1967,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=drop +priority=1100,reg15=0x$port_key,metadata=0x$dp_key,dl_src=aa:aa:aa:aa:aa:05 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi if test "$i" = 5; then 
@@ -2025,9 +2025,9 @@ for i in $(seq 5); do if test "$i" = 3; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}' | sort], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=drop -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=drop -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=drop +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::1 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::2 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::3 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44 | grep -c "priority=1100"], [0], [$i @@ -2047,7 +2047,7 @@ for i in $(seq 5); do if test "$i" = 4; then AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int table=44,reg15=0x$port_key | \ grep -v reply | awk '{print $7, $8}'], [0], [dnl -priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=drop +priority=1100,ipv6,reg15=0x$port_key,metadata=0x$dp_key,ipv6_src=ff::5 actions=load:0x1->OXM_OF_PKT_REG4[[49]],resubmit(,45) ]) fi if test "$i" = 5; then diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index c52f86490..1c9958c6b 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
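Review bot: every ovn.at change in this patch, up to and including the -1944/-1967 (dl_src) and -2025/-2047 (ipv6_src) hunks, asserts only the `ovs-ofctl dump-flows` text, so after this change nothing in these tests shows that a packet hitting one of these ACLs is actually dropped in table 45 rather than merely flagged in table 44. Since the drop is now deferred to a second stage, one `ovs-appctl ofproto/trace` (or an injected packet plus a packet-count check on the table 45 flow) per address-family case would catch a regression in the consuming stage here, instead of relying solely on the lflow-text checks in ovn-northd.at.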
@@ -1442,7 +1442,7 @@ ovn-sbctl set service_monitor $sm_sw1_p1 status=offline AT_CAPTURE_FILE([sbflows12]) OVS_WAIT_FOR_OUTPUT( [ovn-sbctl dump-flows sw0 | tee sbflows12 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" | grep priority=120 | grep ls_in_lb | sed 's/table=..//'], [0], [dnl - (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=5);};) + (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=6);};) ]) AT_CLEANUP 
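Review bot: the only change in the -1442 hunk is the reject target `next(pipeline=egress,table=5)` becoming `table=6`, which means a new egress stage was inserted ahead of the stage the load-balancer `reject` re-enters at. Two things follow: the load-balancer path in ls_in_lb keeps the full inline `reject { outport <-> inport; next(...); }` while the ACL flows in the following hunks switch to setting `reg8[[18]] = 1`, so there are now two reject mechanisms and the commit message should say why the lb one is not routed through the new marker; and every hard-coded `table=N` target of this kind drifts again on the next inserted stage, so please confirm the northd stage documentation is renumbered in the same patch.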
@@ -2161,10 +2161,10 @@ AT_CAPTURE_FILE([sw1flows]) AT_CHECK( [grep -E 'ls_(in|out)_acl' sw0flows sw1flows | grep pg0 | sort], [0], [dnl -sw0flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows: table=8 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) -sw1flows: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows: table=8 (ls_in_acl ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=5); };) +sw0flows: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) +sw0flows: table=8 (ls_in_acl_eval ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg8[[18]] = 1; next;) +sw1flows: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) +sw1flows: table=8 (ls_in_acl_eval ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg8[[18]] = 1; next;) ]) AS_BOX([2]) 
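Review bot: with the -2161 hunk this test stops asserting how a reject is carried out: the `reg0 = 0; reject { outport <-> inport; next(pipeline=...); }` action and its re-entry target vanish from the expected output and only `reg8[[18]] = 1; next;` remains. The flows in the stage that consumes reg8[[18]] and generates the reply are covered neither here nor in the -2177 check that follows, so please add an assertion on those flows (or widen the grep), and document the three marker bits these hunks introduce (reg8[[16]] allow, reg8[[17]] drop, reg8[[18]] reject) in one place rather than leaving them implied by the expected strings.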
@@ -2177,10 +2177,10 @@ ovn-sbctl dump-flows sw1 > sw1flows2 AT_CAPTURE_FILE([sw1flows2]) AT_CHECK([grep "ls_out_acl" sw0flows2 sw1flows2 | grep pg0 | sort], [0], [dnl -sw0flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows2: table=4 (ls_out_acl ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows2: table=4 (ls_out_acl ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) +sw0flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg8[[18]] = 1; next;) +sw0flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) +sw1flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg8[[18]] = 1; next;) +sw1flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) ]) AS_BOX([3]) 
@@ -2193,19 +2193,20 @@ ovn-sbctl dump-flows sw1 > sw1flows3 AT_CAPTURE_FILE([sw1flows3]) AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 | sort], [0], [dnl -sw0flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) -sw0flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) -sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw0flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;) -sw1flows3: table=4 (ls_out_acl ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;) -sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows3: table=4 (ls_out_acl ), priority=2002 , match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), action=(ct_commit { ct_mark.blocked = 1; }; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) -sw1flows3: table=4 (ls_out_acl ), priority=2003 , match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2003 , match=(reg0[[10]] == 1 && (outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) +sw0flows3: table=4 (ls_out_acl_eval ), priority=2003 , match=(reg0[[9]] == 1 && (outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2001 , match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) +sw1flows3: table=4 (ls_out_acl_eval ), 
priority=2001 , match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(reg8[[16]] = 1; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[9]] == 1 && (outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2003 , match=(reg0[[10]] == 1 && (outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) +sw1flows3: table=4 (ls_out_acl_eval ), priority=2003 , match=(reg0[[9]] == 1 && (outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) ]) + AT_CLEANUP ]) 
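Review bot: the -2193 hunk adds a stray blank line before `AT_CLEANUP` (the lone `+` at the end of the hunk; the header's +20 against -19 with a 12-for-12 swap confirms exactly one net added line); drop it. Separately, the match strings change shape from `(reg0[[10]] == 1) && outport == @pg0 && ip4 && udp` to `reg0[[10]] == 1 && (outport == @pg0 && ip4 && udp)`, i.e. the user-supplied ACL match is now the parenthesised operand instead of the hint. That is the more robust form for an ACL match containing `||`, but it is a change to match generation rather than a rename, so it deserves an explicit sentence in the commit message instead of being visible only through updated test expectations.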
@@ -2454,11 +2455,11 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=3 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=4 (ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=7 
(ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[[9]] = 1; next;) 
@@ -2466,11 +2467,11 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=7 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=8 (ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) ]) AS_BOX([Check match ct_state with load balancer]) 
@@ -2480,10 +2481,10 @@ check ovn-nbctl --wait=sb \ -- lb-add lb "10.0.0.1" "10.0.0.2" \ -- ls-lb-add ls lb -AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl - table=17(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=17(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=17(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) +AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl_eval -e ls_out_acl_eval -e ls_in_acl_after_lb_eval | sort], [0], [dnl + table=18(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=18(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=18(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -2492,16 +2493,16 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=3 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=4 (ls_out_acl ), priority=0 , match=(1), action=(next;) - table=4 (ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(next;) - table=4 (ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=4 (ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1001 , 
match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=7 (ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -2510,30 +2511,30 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=7 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[[8]] = 1; reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) - table=8 (ls_in_acl ), priority=0 , match=(1), action=(next;) - table=8 (ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg0[[1]] = 1; next;) - table=8 (ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(next;) - table=8 (ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=8 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=8 (ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + 
table=8 (ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) ovn-nbctl --wait=sb clear logical_switch ls acls ovn-nbctl --wait=sb clear logical_switch ls load_balancer -AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl - table=17(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=17(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e ls_in_acl_eval -e ls_out_acl_eval -e ls_in_acl_after_lb_eval | sort], [0], [dnl + table=18(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=18(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=65535, match=(1), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=4 (ls_out_acl ), priority=65535, match=(1), action=(next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), 
action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=7 (ls_in_acl_hint ), priority=65535, match=(1), action=(next;) - table=8 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=8 (ls_in_acl ), priority=65535, match=(1), action=(next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65535, match=(1), action=(next;) ]) @@ -4255,10 +4256,10 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_lb" sw0flows | sort], [0], []) - AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) + AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) } 
@@ -4318,19 +4319,19 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | sort], [0], [dnl table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) # LB with event=false and reject=false AT_CHECK([ovn-nbctl create load_balancer name=lb1 options:reject=false options:event=false vips:\"10.0.0.20\"=\"\" protocol=tcp], [0], [ignore]) check ovn-nbctl --wait=sb ls-lb-add sw0 lb1 -AT_CHECK([ovn-sbctl dump-flows sw0 | grep "ls_in_lb " | sort ], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=12(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.20), action=(drop;) +AT_CHECK([ovn-sbctl dump-flows sw0 | grep "ls_in_lb " | sed 's/table=../table=??/' | sort ], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.20), action=(drop;) ]) AT_CLEANUP 
@@ -4349,9 +4350,9 @@ check ovn-nbctl --wait=sb --label=1234 acl-add sw0 from-lport 1002 tcp allow-rel ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) 
@@ -4359,14 +4360,14 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | sort], [0], [dnl + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) # Add new ACL without label 
@@ -4376,11 +4377,11 @@ check ovn-nbctl --wait=sb acl-add sw0 from-lport 1002 udp allow-related ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) 
@@ -4388,16 +4389,16 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | sort], [0], [dnl + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), 
action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) # Delete new ACL with label @@ -4407,9 +4408,9 @@ check ovn-nbctl --wait=sb acl-del sw0 from-lport 1002 tcp ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=? (ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=? (ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) 
@@ -4417,14 +4418,14 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'], [ table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 2002 | sort], [0], [dnl - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg0[[1]] = 1; next;) - table=4 (ls_out_acl ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | sort], [0], [dnl + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl - table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) +AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) AT_CLEANUP ]) 
@@ -4441,18 +4442,18 @@ check ovn-nbctl --wait=sb acl-add sw0 to-lport 1002 ip allow-related ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? 
(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) # Disable ct.inv usage. 
@@ -4461,18 +4462,18 @@ check ovn-nbctl --wait=sb set NB_Global . options:use_ct_inv_match=false ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? 
(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep -c "ct.inv" sw0flows], [1], [dnl 
@@ -4485,18 +4486,18 @@ check ovn-nbctl --wait=sb set NB_Global . options:use_ct_inv_match=true ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) -AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? 
(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) +AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) AT_CHECK([grep -c "ct.inv" sw0flows], [0], [dnl @@ -6722,7 +6723,7 @@ set_acl_options() { } record_log_flows() { - ovn-sbctl lflow-list sw0 | grep -E 'ls_(out|in)_acl.*, priority=65533' | sed 's/table=../table=??/' | sort > log_flows + ovn-sbctl lflow-list sw0 | grep -E 'ls_(out|in)_acl_eval.*, priority=65533' | sed 's/table=../table=??/' | sort > log_flows } check_log_flows_count() { @@ -6732,9 +6733,9 @@ check_log_flows_count() { echo $table if test -f log_flows; then - count=$(grep -c -E ls_${table}_acl log_flows) + count=$(grep -c -E ls_${table}_acl_eval log_flows) else - count=$(ovn-sbctl lflow-list sw0 | grep -c -E "ls_$table_acl.*, priority=65533") + count=$(ovn-sbctl lflow-list sw0 | grep -c -E "ls_$table_acl_eval.*, priority=65533") fi check test "$count" -eq "$expected" 
@@ -6778,10 +6779,10 @@ check_log_flows_count 0 in # Now ensure the flows are what we expect them to be for the ACLs we created AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows 
@@ -6799,10 +6800,10 @@ check_log_flows_count 0 in # And the log flows will remain the same since the stateless ACL will not be represented. AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows 
@@ -6821,8 +6822,8 @@ check_log_flows_count 0 in # And make sure only the allow ACL has the log flows installed AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows 
@@ -6838,8 +6839,8 @@ check_log_flows_count 0 in # And make sure only the allow ACL has the log flows installed AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_out_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_out_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) + table=??(ls_out_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows 
@@ -6883,10 +6884,10 @@ check_log_flows_count 0 out # Now ensure the flows are what we expect them to be for the ACLs we created AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows 
@@ -6904,10 +6905,10 @@ check_log_flows_count 0 out # And the log flows will remain the same since the stateless ACL will not be represented. AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 2), action=(log(name="allow_related_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows 
@@ -6926,8 +6927,8 @@ check_log_flows_count 0 out # And make sure only the allow ACL has the log flows installed AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows 
@@ -6943,8 +6944,8 @@ check_log_flows_count 0 out # And make sure only the allow ACL has the log flows installed AT_CHECK([cat log_flows], [0], [dnl - table=??(ls_in_acl ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) - table=??(ls_in_acl ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); next;) + table=??(ls_in_acl_eval ), priority=65533, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65533, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0 && ct_label.label == 1), action=(log(name="allow_acl", severity=info, verdict=allow); reg8[[16]] = 1; next;) ]) rm log_flows 
@@ -7027,26 +7028,26 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows ls > lsflows AT_CAPTURE_FILE([lsflows]) -AT_CHECK([grep -e "ls_in_acl" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl ), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(/* drop */) - table=??(ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(next;) - table=??(ls_in_acl ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(/* drop */) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || 
mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) +AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_eval ), priority=2004 , 
match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
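Review bot: the new grep pattern (`-e "ls_in_acl.*eval" -e "ls_in_acl_hint"`) excludes `ls_in_acl_action`, yet this is the hunk where every `drop;` and `/* drop */` becomes `reg8[[17]] = 1; next;` (for example the `ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)` flow at priority 65532). The assertion therefore no longer shows that invalid or blocked connections are dropped. Suggest adding `-e "ls_in_acl.*action"` so the priority-1000 `reg8[[17]] == 1` drop flow is part of the expected output, and confirming that no stage sits between `_eval` and `_action`, since those packets now continue with `next;` until the action stage runs.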
@@ -7082,26 +7083,26 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows ls > lsflows AT_CAPTURE_FILE([lsflows]) -AT_CHECK([grep -e "ls_in_acl" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl_after_lb ), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(/* drop */) - table=??(ls_in_acl_after_lb ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl_after_lb ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl_after_lb ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl_after_lb ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(next;) - table=??(ls_in_acl_after_lb ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), 
action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl_after_lb ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(/* drop */) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) +AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + 
table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -7137,26 +7138,26 @@ check ovn-nbctl --wait=sb sync ovn-sbctl dump-flows ls > lsflows AT_CAPTURE_FILE([lsflows]) -AT_CHECK([grep -e "ls_in_acl" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */) - table=??(ls_in_acl_after_lb ), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(/* drop */) - table=??(ls_in_acl_after_lb ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(ct_commit { ct_mark.blocked = 1; }; /* 
drop */) - table=??(ls_in_acl_after_lb ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(/* drop */) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) +AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[10]] == 1 && (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[9]] == 1 && (ip4)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[10]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; }; next;) + table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 && icmp)), 
action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 && icmp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -7435,15 +7436,18 @@ flow="inport == \"lsp1\" && eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00: AS_BOX([No ACL, default_acl_drop not set]) check ovn-nbctl --wait=sb sync AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) 
table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
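Review bot: with no ACLs configured, the priority-0 flows added for `ls_in_acl_action`, `ls_in_acl_after_lb_action` and `ls_out_acl_action` are plain `next;`, while `ls_in_acl_eval` and `ls_in_acl_after_lb_eval` still set `reg8[[16]] = 1` for `nd || nd_ra || nd_rs || mldv1 || mldv2`. Unlike the from-lport ACL hunk below, nothing resets reg8[16..18] here, so the bit is carried into the rest of the pipeline; for consistency the priority-0 action flow should clear the three bits in this case as well, or the test should state why a stale verdict bit is harmless downstream.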
@@ -7457,15 +7461,18 @@ output("lsp2"); AS_BOX([No ACL, default_acl_drop false]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), 
priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
@@ -7479,15 +7486,18 @@ output("lsp2"); AS_BOX([No ACL, default_acl_drop true]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65535, match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 
, match=(eth.src == $svc_monitor_mac), action=(next;) 
@@ -7505,18 +7515,30 @@ check ovn-nbctl acl-add ls from-lport 1 "ip4 && tcp" allow AS_BOX([from-lport ACL, default_acl_drop not set]) check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), 
priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
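Review bot: the reject flows in ls_in_acl_action and ls_out_acl_action embed absolute stage numbers, `next(pipeline=egress,table=6)` and `next(pipeline=ingress,table=27)`, that the test's `sed 's/table=../table=??/'` does not mask, because without the `g` flag sed rewrites only the leading `table=NN(` on each line. Any future stage insertion in either pipeline will churn these expectations in every box of this test. Consider masking the embedded numbers as well, e.g. `sed 's/table=[[0-9]]*/table=??/g'`, so the check stays focused on the stage contents rather than on their numbering.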
@@ -7530,18 +7552,30 @@ output("lsp2"); AS_BOX([from-lport ACL, default_acl_drop false]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), 
priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
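Review bot: the three verdict flows in each *_acl_action table (`reg8[[16]] == 1`, `reg8[[17]] == 1`, `reg8[[18]] == 1`) all sit at priority 1000, so if an evaluation flow ever sets more than one verdict bit, which action flow matches is unspecified. The eval flows in this series set exactly one bit each, but giving the action flows distinct priorities (reject above drop above allow, for instance) would make the precedence deterministic and self-documenting instead of an invariant every future eval flow has to preserve.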
@@ -7555,18 +7589,30 @@ output("lsp2"); AS_BOX([from-lport ACL, default_acl_drop true]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), 
priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
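Review bot: the old expectations contain no reject flow at all, while the new ones carry a priority-1000 `reg8[[18]] == 1` reject flow (plus the allow and drop flows) in ls_in_acl_action, ls_in_acl_after_lb_action and ls_out_acl_action for a switch that has no reject ACL. That is four unconditional flows per action table on every logical switch; if the per-datapath cost matters at scale, the reject flow could be emitted only for datapaths that actually carry a reject ACL, otherwise the commit message should say the extra flows are intentional.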
@@ -7580,19 +7626,27 @@ AS_BOX([from-lport ACL allow-related, default_acl_drop true]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb acl-add ls from-lport 1 "ip4 && tcp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + 
table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
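Review bot: in ls_in_acl_eval the priority-1 `ip && !ct.est` flow changes from `drop;` to `next;` without setting any verdict bit, so the drop the old expectation made explicit now happens only because this box runs with default_acl_drop=true and the ls_in_acl_action priority-0 flow is `/* drop */`. Setting `reg8[[17]] = 1` in that flow when default_acl_drop is true would keep the stateful-default drop independent of the action table's default. Also a nit: the 1001 flows write `reg8[[16]] = 1; reg0[[1]] = 1;` while the priority-1 blocked flow writes `reg0[[1]] = 1; reg8[[16]] = 1;`; the order is harmless but worth making consistent.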
@@ -7606,14 +7660,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -7641,18 +7699,30 @@ check ovn-nbctl --apply-after-lb acl-add ls from-lport 1 "ip4 && tcp" allow AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop not set]) check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), 
priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
@@ -7666,18 +7736,30 @@ output("lsp2"); AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop false]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), 
priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
@@ -7691,18 +7773,30 @@ output("lsp2"); AS_BOX([from-lport --apply-after-lb ACL, default_acl_drop true]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + 
table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
@@ -7716,19 +7810,27 @@ AS_BOX([from-lport --apply-after-lb ACL allow-related, default_acl_drop true]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb --apply-after-lb acl-add ls from-lport 1 "ip4 && tcp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl_after_lb ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + 
table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -7742,14 +7844,18 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -7777,18 +7883,30 @@ check ovn-nbctl acl-add ls to-lport 1 "ip4 && tcp" allow AS_BOX([to-lport ACL, default_acl_drop not set]) check ovn-nbctl --wait=sb remove NB_Global . options default_acl_drop AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , 
match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
@@ -7802,18 +7920,30 @@ output("lsp2"); AS_BOX([to-lport ACL, default_acl_drop false]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
@@ -7827,18 +7957,30 @@ output("lsp2"); AS_BOX([to-lport ACL, default_acl_drop true]) check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. 
*/ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) 
@@ -7852,17 +7994,25 @@ AS_BOX([to-lport ACL allow-related, default_acl_drop true]) check ovn-nbctl acl-del ls check ovn-nbctl --wait=sb acl-add ls to-lport 1 "ip4 && tcp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_in_acl ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(next;) - table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=??(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; 
reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && 
ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -7876,16 +8026,20 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast), action=(next;) table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;) - table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && !ct.est), action=(drop;) - table=??(ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) - table=??(ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg0[[1]] = 1; next;) - table=??(ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(next;) - table=??(ls_out_acl ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) + table=??(ls_out_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[16]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] 
= 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) table=??(ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -8038,6 +8192,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) @@ -8045,8 +8201,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 "00:00:00:00:00:01" 
@@ -8063,6 +8217,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) @@ -8072,8 +8228,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3 1000::3" 
@@ -8089,6 +8243,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) @@ -8098,8 +8254,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) # Disable sw0p1 
@@ -8116,6 +8270,8 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(drop;) @@ -8126,8 +8282,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 
@@ -8143,6 +8297,9 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=110 , match=(outport == "localnetport" && inport == "sw0p2"), action=(set_queue(10); output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(drop;) @@ -8153,9 +8310,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=110 , match=(outport == "localnetport" && inport == "sw0p2"), action=(set_queue(10); output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl set logical_switch_port sw0p1 enabled=true 
@@ -8170,10 +8324,14 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=17);) table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) + table=??(ls_out_apply_port_sec), priority=110 , match=(outport == "localnetport" && inport == "sw0p2"), action=(set_queue(10); output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) 
@@ -8183,10 +8341,6 @@ sort | sed 's/table=../table=??/' ], [0], [dnl table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=??(ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) - table=??(ls_out_apply_port_sec), priority=110 , match=(outport == "localnetport" && inport == "sw0p2"), action=(set_queue(10); output;) - table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) AT_CLEANUP @@ -8214,7 +8368,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl table=7 (lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;) table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) - table=12(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);) + table=13(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);) table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) ]) 
@@ -8228,7 +8382,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl table=7 (lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_label.natted), action=(next;) table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb;) table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;) - table=12(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb(backends=42.42.42.2);) + table=13(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb(backends=42.42.42.2);) table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;) ]) @@ -8262,7 +8416,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl table=7 (lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;) table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) - table=12(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);) + table=13(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);) table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;) ]) 
@@ -8287,18 +8441,18 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked' ], [0], [dnl table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=3 
(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) ]) AS_BOX([Chassis registered that doesn't support ct_mark.blocked - use ct_label.blocked]) 
@@ -8309,18 +8463,18 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked' ], [0], [dnl table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_label.blocked == 1), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_label.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=3 (ls_out_acl_hint 
), priority=2 , match=(ct.est && ct_label.blocked == 1), action=(reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_label.blocked == 0), action=(reg0[[10]] = 1; next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_label.blocked == 1), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_label.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) ]) AS_BOX([Chassis upgrades and supports ct_mark.blocked - use ct_mark.blocked]) 
@@ -8331,18 +8485,18 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked' ], [0], [dnl table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;) table=3 (ls_out_acl_hint ), 
priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) - table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) ]) AT_CLEANUP 
@@ -8424,11 +8578,11 @@ ovn-sbctl dump-flows S1 > S1flows AT_CAPTURE_FILE([S0flows]) AT_CAPTURE_FILE([S1flows]) -AT_CHECK([grep "ls_in_lb " S0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb " S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "ls_in_lb " S1flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb " S1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) ovn-nbctl --wait=sb set NB_Global . options:install_ls_lb_from_router=true 
@@ -8439,15 +8593,15 @@ ovn-sbctl dump-flows S1 > S1flows AT_CAPTURE_FILE([S0flows]) AT_CAPTURE_FILE([S1flows]) -AT_CHECK([grep "ls_in_lb " S0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) +AT_CHECK([grep "ls_in_lb " S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) ]) -AT_CHECK([grep "ls_in_lb " S1flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) +AT_CHECK([grep "ls_in_lb " S1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80);) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.11 && tcp.dst == 8080), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:8080);) ]) ovn-sbctl get datapath S0 _uuid > dp_uuids 
@@ -8466,11 +8620,11 @@ ovn-sbctl dump-flows S1 > S1flows AT_CAPTURE_FILE([S0flows]) AT_CAPTURE_FILE([S1flows]) -AT_CHECK([grep "ls_in_lb " S0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb " S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "ls_in_lb " S1flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb " S1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) ]) check_column "" sb:load_balancer datapaths name=lb0 
@@ -8550,18 +8704,18 @@ ovn-sbctl dump-flows R1 > R1flows AT_CAPTURE_FILE([S0flows]) AT_CAPTURE_FILE([R1flows]) -AT_CHECK([grep "ls_in_lb_aff_check" S0flows | sort], [0], [dnl - table=11(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb_aff_check" S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | sort], [0], [dnl - table=13(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sort], [0], [dnl - table=6 (lr_in_lb_aff_check ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_lb_aff_check ), priority=0 , match=(1), action=(next;) ]) -AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sort], [0], [dnl - table=8 (lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) +AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) ]) ovn-nbctl --wait=sb set load_balancer lb0 options:affinity_timeout=60 
@@ -8570,46 +8724,46 @@ AS_BOX([Test LS flows]) ovn-sbctl dump-flows S0 > S0flows AT_CAPTURE_FILE([S0flows]) -AT_CHECK([grep "ls_in_lb_aff_check" S0flows | sort], [0], [dnl - table=11(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) - table=11(ls_in_lb_aff_check ), priority=100 , match=(ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80), action=(reg9[[6]] = chk_lb_aff(); next;) +AT_CHECK([grep "ls_in_lb_aff_check" S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb_aff_check ), priority=100 , match=(ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80), action=(reg9[[6]] = chk_lb_aff(); next;) ]) -AT_CHECK([grep "ls_in_lb " S0flows | sort], [0], [dnl - table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) - table=12(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) - table=12(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) - table=12(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) +AT_CHECK([grep "ls_in_lb " S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) + table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);) + 
table=??(ls_in_lb ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10; reg2[[0..15]] = 80; ct_lb_mark(backends=20.0.0.2:80);) ]) -AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | sort], [0], [dnl - table=13(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) - table=13(ls_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */) - table=13(ls_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */) +AT_CHECK([grep "ls_in_lb_aff_learn" S0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) + table=??(ls_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */) + table=??(ls_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg1 == 172.16.0.10 && reg2[[0..15]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */) ]) AS_BOX([Test LR flows]) ovn-sbctl dump-flows R1 > R1flows AT_CAPTURE_FILE([R1flows]) -AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sort], [0], [dnl - table=6 (lr_in_lb_aff_check ), priority=0 , match=(1), action=(next;) - table=6 (lr_in_lb_aff_check ), priority=100 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && 
tcp && tcp.dst == 80), action=(reg0 = ip4.dst; reg9[[16..31]] = tcp.dst; reg9[[6]] = chk_lb_aff(); next;) +AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_lb_aff_check ), priority=0 , match=(1), action=(next;) + table=??(lr_in_lb_aff_check ), priority=100 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(reg0 = ip4.dst; reg9[[16..31]] = tcp.dst; reg9[[6]] = chk_lb_aff(); next;) ]) -AT_CHECK([grep "lr_in_dnat " R1flows | sort], [0], [dnl - table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);) - table=7 (lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; 
ct_commit_nat;) +AT_CHECK([grep "lr_in_dnat " R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) + table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) -AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sort], [0], [dnl - table=8 (lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) - table=8 (lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */) - 
table=8 (lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */) +AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) + table=??(lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */) + table=??(lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */) ]) AS_BOX([Test LR flows - skip_snat=true]) 
@@ -8618,17 +8772,17 @@ check ovn-nbctl --wait=sb set load_balancer lb0 options:skip_snat=true ovn-sbctl dump-flows R1 > R1flows_skip_snat AT_CAPTURE_FILE([R1flows_skip_snat]) -AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | sort], [0], [dnl - table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) - table=7 (lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) +AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) + 
table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) check ovn-nbctl remove load_balancer lb0 options skip_snat 
@@ -8639,17 +8793,17 @@ check ovn-nbctl --wait=sb set logical_router R1 options:lb_force_snat_ip="172.16 ovn-sbctl dump-flows R1 > R1flows_force_snat AT_CAPTURE_FILE([R1flows_force_snat]) -AT_CHECK([grep "lr_in_dnat " R1flows_force_snat | sort], [0], [dnl - table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) - table=7 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; force_snat);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);) - table=7 (lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);) - table=7 (lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) +AT_CHECK([grep "lr_in_dnat " R1flows_force_snat | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_dnat ), priority=0 , match=(1), 
action=(next;) + table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; force_snat);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);) + table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CLEANUP 
@@ -8811,8 +8965,10 @@ check ovn-nbctl --wait=sb \ -- acl-add S1 from-lport 100 'inport=p1 && ip4' allow-stateless AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) @@ -8824,8 +8980,10 @@ check ovn-nbctl --wait=sb \ -- acl-add S1 from-lport 2 "udp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) 
@@ -8837,8 +8995,10 @@ check ovn-nbctl --wait=sb \ -- ls-lb-add S1 lb AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) @@ -8848,8 +9008,10 @@ check ovn-nbctl --wait=sb \ -- acl-add S1 from-lport 100 'inport=p1 && ip4' allow-stateless AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) 
@@ -8860,8 +9022,10 @@ check ovn-nbctl --wait=sb \ -- acl-add S1 from-lport 2 "udp" allow-related AT_CHECK([ovn-sbctl dump-flows | grep "ls_in_acl" | grep "match=(1)" | sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_action ), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; next;) + table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) + table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) ]) 
@@ -8935,16 +9099,16 @@ AT_CHECK([grep -e "lr_in_defrag" -e "lr_in_dnat" lflows0], [0], [dnl ]) AT_CHECK([grep -e "ls_in_acl" -e "ls_out_acl" lflows0 | grep "priority=65532"], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? 
(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) ]) 
@@ -8984,16 +9148,16 @@ AT_CHECK([ovn-sbctl lflow-list | grep lr_in_dnat], [0], [dnl check ovn-nbctl remove load_balancer lb-test options skip_snat AT_CHECK([grep -e "ls_in_acl" -e "ls_out_acl" lflows1 | grep "priority=65532"], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? 
(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_label.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) ]) AS_BOX([Chassis upgrades and supports CT related]) 
@@ -9016,16 +9180,16 @@ AT_CHECK([grep -e "lr_in_defrag" -e "lr_in_dnat" lflows2], [0], [dnl ]) AT_CHECK([grep -e "ls_in_acl" -e "ls_out_acl" lflows2 | grep "priority=65532"], [0], [dnl - table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; ct_commit_nat;) - table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; next;) - table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;) - table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;) - table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(drop;) - table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(next;) - table=?(ls_in_acl_after_lb ), priority=65532, match=(reg0[[17]] == 1), action=(next;) + table=? (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=? (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? 
(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=? (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) + table=?(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) ]) AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index 161fb000a..9e6e8a14a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
@@ -13308,15 +13308,20 @@ grep active_backup | grep members:$hv2_gw1_ofport,$hv2_gw2_ofport \ ]) # make sure that flows for handling the outside router port reside on gw1 through ls_in_l2_lkup table -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=33 | \ + +sleep 10 + +as gw1 ovs-ofctl dump-flows br-int + +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) # make sure ARP responder flows for outside router port reside on gw1 too through ls_in_arp_rsp table -OVS_WAIT_UNTIL([test `as gw1 ovs-ofctl dump-flows br-int table=27 | \ +OVS_WAIT_UNTIL([test `as gw1 ovs-ofctl dump-flows br-int table=29 | \ grep arp_tpa=192.168.0.101 | wc -l` -ge 1]) # check that the chassis redirect port has been claimed by the gw1 chassis @@ -13398,10 +13403,10 @@ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-hv1-0],[0], ]]) # make sure that flows for handling the outside router port reside on gw2 now -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) 
@@ -13413,10 +13418,10 @@ as main ovs-vsctl del-port n1 $port bfd_dump # make sure that flows for handling the outside router port reside on gw1 now -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) @@ -13530,15 +13535,15 @@ grep active_backup | grep members:$hv2_gw1_ofport,$hv2_gw2_ofport \ ]) # make sure that flows for handling the outside router port reside on gw1 -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst:00:00:02:01:02:04" | wc -l], [0], [[0 ]]) # make sure ARP responder flows for outside router port reside on gw1 too -OVS_WAIT_UNTIL([test `as gw1 ovs-ofctl dump-flows br-int table=27 | \ +OVS_WAIT_UNTIL([test `as gw1 ovs-ofctl dump-flows br-int table=29 | \ grep arp_tpa=192.168.0.101 | wc -l` -ge 1 ]) # check that the chassis redirect port has been claimed by the gw1 chassis 
@@ -13602,10 +13607,10 @@ AT_CHECK([ovs-vsctl --bare --columns bfd find Interface name=ovn-hv1-0],[0], ]]) # make sure that flows for handling the outside router port reside on gw2 now -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) @@ -13617,10 +13622,10 @@ as main ovs-vsctl del-port n1 $port bfd_dump # make sure that flows for handling the outside router port reside on gw2 now -OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw1 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[1 ]]) -OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=33 | \ +OVS_WAIT_FOR_OUTPUT([as gw2 ovs-ofctl dump-flows br-int table=35 | \ grep "dl_dst=00:00:02:01:02:04" | wc -l], [0], [[0 ]]) @@ -16400,8 +16405,8 @@ ovn-nbctl --wait=hv sync ovn-sbctl dump-flows sw0 > sw0-flows AT_CAPTURE_FILE([sw0-flows]) -AT_CHECK([grep -E 'ls_(in|out)_acl' sw0-flows |grep reject| sed 's/table=../table=??/' | sort], [0], [dnl - table=??(ls_out_acl ), priority=2002 , match=(ip), action=(reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=25); };) +AT_CHECK([grep -E 'ls_out_acl' sw0-flows | grep reject | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) ]) 
@@ -18099,15 +18104,15 @@ check ovn-nbctl acl-add ls1 to-lport 3 'ip4.src==10.0.0.1' allow check ovn-nbctl --wait=hv sync # Check OVS flows, the less restrictive flows should have been installed. -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45) + table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -18148,11 +18153,11 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45) + table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -18166,8 +18171,8 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(),conjunction() 
@@ -18206,11 +18211,11 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction() - table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45) + table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() ]) 
@@ -18227,16 +18232,16 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=44 | ofctl_strip_all | \ grep "priority=1003" | \ sed 's/conjunction([[^)]]*)/conjunction()/g' | \ sed 's/conj_id=[[0-9]]*,/conj_id=xxx,/g' | sort], [0], [dnl - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,conj_id=xxx,ip,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(),conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(),conjunction(),conjunction() - table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=resubmit(,45) + table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(),conjunction() table=44, priority=1003,ip,metadata=0x1,nw_src=10.0.0.42 actions=conjunction() - table=44, priority=1003,udp,metadata=0x1 actions=resubmit(,45) - table=44, priority=1003,udp6,metadata=0x1 actions=resubmit(,45) + table=44, priority=1003,udp,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) + table=44, priority=1003,udp6,metadata=0x1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) ]) OVN_CLEANUP([hv1]) 
@@ -19642,7 +19647,7 @@ wait_for_ports_up ls1-lp_ext1 # There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined # to router mac. AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \ -table=32,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ +table=34,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ grep -c "actions=drop"], [0], [1 ]) # Stop ovn-controllers on hv1 and hv3. @@ -21265,7 +21270,7 @@ check_virtual_offlows_present() { lr0_public_dp_key=$(printf "%x" $(fetch_column Port_Binding tunnel_key logical_port=lr0-public)) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=44,ip | ofctl_strip_all | grep "priority=2000"], [0], [dnl - table=44, priority=2000,ip,metadata=0x$sw0_dp_key actions=resubmit(,45) + table=44, priority=2000,ip,metadata=0x$sw0_dp_key actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,45) ]) AT_CHECK_UNQUOTED([as $hv ovs-ofctl dump-flows br-int table=11 | ofctl_strip_all | \ @@ -21303,7 +21308,7 @@ check_row_count Port_Binding 1 logical_port=sw0-vir virtual_parent=sw0-p1 wait_for_ports_up sw0-vir check ovn-nbctl --wait=hv sync AT_CHECK([test 2 = `cat hv1/ovn-controller.log | grep "pinctrl received packet-in" | \ -grep opcode=BIND_VPORT | grep OF_Table_ID=27 | wc -l`]) +grep opcode=BIND_VPORT | grep OF_Table_ID=29 | wc -l`]) wait_row_count Port_Binding 1 logical_port=sw0-vir6 chassis=$hv1_ch_uuid check_row_count Port_Binding 1 logical_port=sw0-vir6 virtual_parent=sw0-p1 
@@ -28642,7 +28647,11 @@ check ovn-nbctl acl-add ls1 from-lport 1 '1' drop check ovn-nbctl --wait=hv sync AT_CHECK([test "$expr_cnt" = "$(get_cache_count cache-expr)"], [0], []) -AT_CHECK([test "$(($matches_cnt + 1))" = "$(get_cache_count cache-matches)"], [0], []) +# Changing from having no ACLs to having ACLs adds 9 logical flows, 3 in each +# of ls_in_acl_action, ls_in_acl_after_lb_action, and ls_out_acl_action, plus the +# logical flow representing the ACL itself. This is where the 10 comes from in +# the calculation below. +AT_CHECK([test "$(($matches_cnt + 10))" = "$(get_cache_count cache-matches)"], [0], []) AS_BOX([Check expr caching for is_chassis_resident() matches]) expr_cnt=$(get_cache_count cache-expr) @@ -32009,9 +32018,10 @@ check ovn-nbctl --wait=hv sync dp_key=$(fetch_column Datapath_Binding tunnel_key external_ids:name=ls) rtr_port_key=$(fetch_column Port_Binding tunnel_key logical_port=ls_lr) +ovs-ofctl dump-flows br-int table=16 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[49],resubmit(,17)" # Check that ovn-controller adds a flow to drop packets with dest IP # 42.42.42.42 coming from the router port. -AT_CHECK([ovs-ofctl dump-flows br-int table=16 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=drop" -c], [0], [dnl +AT_CHECK([ovs-ofctl dump-flows br-int table=16 | grep "reg14=0x${rtr_port_key},metadata=0x${dp_key},nw_dst=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4\[\[49\]\],resubmit(,17)" -c], [0], [dnl 1 ]) 
@@ -32767,15 +32777,15 @@ done check ovn-nbctl --wait=hv sync # hv0 should see flows for lsp1 but not lsp2 -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [0], [ignore]) -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=27 | grep 10.0.2.2], [1]) +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=29 | grep 10.0.2.2], [1]) # hv2 should see flows for lsp2 but not lsp1 -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.2.2], [0], [ignore]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [1]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.2.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [1]) # Change lrp_lr_ls1 to a regular lrp, hv2 should see flows for lsp1 check ovn-nbctl --wait=hv lrp-del-gateway-chassis lrp_lr_ls1 hv1 -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) # Change it back, and trigger recompute to make sure extra flows are removed # from hv2 (recompute is needed because currently I-P adds local datapaths but 
@@ -32783,11 +32793,11 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [0], [ig check ovn-nbctl --wait=hv lrp-set-gateway-chassis lrp_lr_ls1 hv1 1 as hv2 check ovn-appctl -t ovn-controller recompute ovn-nbctl --wait=hv sync -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [1]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [1]) # Enable dnat_and_snat on lr, and now hv2 should see flows for lsp1. AT_CHECK([ovn-nbctl --wait=hv --gateway-port=lrp_lr_ls1 lr-nat-add lr dnat_and_snat 192.168.0.1 10.0.1.3 lsp1 f0:00:00:00:00:03]) -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=27 | grep 10.0.1.2], [0], [ignore]) +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=29 | grep 10.0.1.2], [0], [ignore]) OVN_CLEANUP([hv1],[hv2]) AT_CLEANUP 
@@ -34804,14 +34814,14 @@ lsp2=0x$(fetch_column Port_Binding tunnel_key logical_port=lsp2) dnl Ensure the ACL is translated to OpenFlows expanding pg1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=resubmit(,17) - table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=resubmit(,17) + table=16, priority=1001,ip,reg14=$lsp1,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) + table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) ]) dnl Remove a port from pg1 and expect OpenFlows to be correctly updated. check ovn-nbctl --wait=hv pg-set-ports pg1 lsp2 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=resubmit(,17) + table=16, priority=1001,ip,reg14=$lsp2,metadata=0x1,nw_src=42.42.42.42 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) ]) dnl Change the Chassis_Template_Var mapping to use the address set. 
@@ -34820,14 +34830,14 @@ check ovn-nbctl --wait=hv set Chassis_Template_Var hv1 variables:CONDITION='ip4. dnl Ensure the ACL is translated to OpenFlows expanding as1. as hv1 AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=resubmit(,17) - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=resubmit(,17) + table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) + table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.2 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) ]) dnl Remove an IP from AS1 and expect OpenFlows to be correctly updated. check ovn-nbctl set address_set as1 addresses=\"1.1.1.1\" AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int | grep '42\.42\.42\.42' | ofctl_strip_all], [0], [dnl - table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=resubmit(,17) + table=16, priority=1001,ip,metadata=0x1,nw_src=42.42.42.42,nw_dst=1.1.1.1 actions=load:0x1->OXM_OF_PKT_REG4[[48]],resubmit(,17) ]) dnl Remove the mapping and expect OpenFlows to be removed. diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 8fe8e4d28..5ee044e19 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at 
@@ -8686,7 +8686,7 @@ ovn-sbctl list ip_multicast wait_igmp_flows_installed() { - OVS_WAIT_UNTIL([ovs-ofctl dump-flows br-int table=33 | \ + OVS_WAIT_UNTIL([ovs-ofctl dump-flows br-int table=35 | \ grep 'priority=90' | grep "nw_dst=$1"]) } From patchwork Thu May 18 18:48:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1783480 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Z7k5V5mX; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4QMfC70dyxz20dX for ; Fri, 19 May 2023 04:49:07 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id BDE6B42B9C; Thu, 18 May 2023 18:49:04 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org BDE6B42B9C Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Z7k5V5mX X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WDPTMWQ2cODV; Thu, 18 May 2023 18:48:58 +0000 (UTC) 
From: Mark Michelson
To: dev@openvswitch.org
Date: Thu, 18 May 2023 14:48:40 -0400
Message-Id: <20230518184842.1681582-2-mmichels@redhat.com>
In-Reply-To: <20230518184842.1681582-1-mmichels@redhat.com>
References: <20230518184842.1681582-1-mmichels@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 2/4] northd: Add tiered ACL support.

With this commit, ACLs can now be arranged in hierarchical tiers. A tier number can be assigned to an ACL. When evaluating ACLs, we first will consider ACLs at tier 0. If no matching ACL is found, then we move to tier 1. This continues until a matching ACL is found, or we reach the maximum tier. If no match is found, then the default acl action is applied.
Signed-off-by: Mark Michelson Reviewed-by: Ales Musil --- northd/northd.c | 96 +++++++++++++++++------- northd/northd.h | 1 + northd/ovn-northd.8.xml | 35 +++++++++ ovn-nb.ovsschema | 7 +- ovn-nb.xml | 20 +++++ tests/ovn-northd.at | 161 +++++++++++++++++++++++++++++++++++----- tests/system-ovn.at | 108 +++++++++++++++++++++++++++ 7 files changed, 383 insertions(+), 45 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index c7969e0ba..212327b99 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -245,6 +245,7 @@ enum ovn_stage { #define REGBIT_ACL_VERDICT_ALLOW "reg8[16]" #define REGBIT_ACL_VERDICT_DROP "reg8[17]" #define REGBIT_ACL_VERDICT_REJECT "reg8[18]" +#define REG_ACL_TIER "reg8[30..31]" /* Indicate that this packet has been recirculated using egress * loopback. This allows certain checks to be bypassed, such as a 
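Review bot: `REG_ACL_TIER "reg8[30..31]"` gives the tier counter exactly two bits, so the highest tier the pipeline can represent is 3, and the rest of the series (the schema's `maxInteger` and the early return in `od_set_acl_flags`) depends on that number matching. Nothing ties the two together: raising `maxInteger` in ovn-nb.ovsschema later would make the counter wrap silently and a tier-4 ACL would be matched as tier 0. A comment on the define naming the schema dependency, plus a runtime assertion in `ls_get_acl_flags` that the column's configured maximum fits in the register width, would make the coupling explicit.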
@@ -5656,36 +5657,51 @@ ovn_ls_port_group_destroy(struct hmap *nb_pgs) hmap_destroy(nb_pgs); } +static bool +od_set_acl_flags(struct ovn_datapath *od, struct nbrec_acl **acls, + size_t n_acls) +{ + /* A true return indicates that there are no possible ACL flags + * left to set on od. A false return indicates that further ACLs + * should be explored in case more flags need to be set on od + */ + if (!n_acls) { + return false; + } + + od->has_acls = true; + for (size_t i = 0; i < n_acls; i++) { + const struct nbrec_acl *acl = acls[i]; + if (acl->tier > od->max_acl_tier) { + od->max_acl_tier = acl->tier; + } + if (!od->has_stateful_acl && !strcmp(acl->action, "allow-related")) { + od->has_stateful_acl = true; + } + if (od->has_stateful_acl && + od->max_acl_tier == nbrec_acl_col_tier.type.value.integer.max) { + return true; + } + } + + return false; +} + static void ls_get_acl_flags(struct ovn_datapath *od) { od->has_acls = false; od->has_stateful_acl = false; + od->max_acl_tier = 0; - if (od->nbs->n_acls) { - od->has_acls = true; - - for (size_t i = 0; i < od->nbs->n_acls; i++) { - struct nbrec_acl *acl = od->nbs->acls[i]; - if (!strcmp(acl->action, "allow-related")) { - od->has_stateful_acl = true; - return; - } - } + if (od_set_acl_flags(od, od->nbs->acls, od->nbs->n_acls)) { + return; } struct ovn_ls_port_group *ls_pg; HMAP_FOR_EACH (ls_pg, key_node, &od->nb_pgs) { - if (ls_pg->nb_pg->n_acls) { - od->has_acls = true; - - for (size_t i = 0; i < ls_pg->nb_pg->n_acls; i++) { - struct nbrec_acl *acl = ls_pg->nb_pg->acls[i]; - if (!strcmp(acl->action, "allow-related")) { - od->has_stateful_acl = true; - return; - } - } + if (od_set_acl_flags(od, ls_pg->nb_pg->acls, ls_pg->nb_pg->n_acls)) { + return; } } } 
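Review bot: `nbrec_acl_col_tier.type.value.integer.max` in `od_set_acl_flags` looks at the wrong half of the column type. The schema hunk declares `tier` as a key-only integer column (`"key": {"type": "integer", "minInteger": 0, "maxInteger": 3}`), so unless I am misreading the IDL the generated constraint lives in `type.key.integer.max`; `type.value` is the void value half and its `integer.max` is not the configured 3. With the comparison as written, a datapath whose first ACL is `allow-related` at tier 0 can return `true` before a later, higher-tier ACL is seen, leaving `max_acl_tier` at 0 so that ACL gets no tier match and no bump flows. Use `type.key.integer.max`, and add a test with an `allow-related` tier-0 ACL followed by a higher-tier one. Two smaller points: the comment block above the function is missing its closing period, and `od->max_acl_tier` is `uint64_t` (northd.h hunk) while `acl->tier` is the IDL's signed integer, so `acl->tier > od->max_acl_tier` mixes signedness; pick one type for both.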
@@ -6410,10 +6426,19 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, size_t log_verdict_len = actions->length; uint16_t priority = acl->priority + OVN_ACL_PRI_OFFSET; + /* All ACLS will start by matching on their respective tier. */ + size_t match_tier_len = 0; + ds_clear(match); + if (od->max_acl_tier) { + ds_put_format(match, REG_ACL_TIER " == %"PRId64" && ", acl->tier); + match_tier_len = match->length; + } + if (!has_stateful || !strcmp(acl->action, "allow-stateless")) { ds_put_cstr(actions, "next;"); + ds_put_format(match, "(%s)", acl->match); ovn_lflow_add_with_hint(lflows, od, stage, priority, - acl->match, ds_cstr(actions), + ds_cstr(match), ds_cstr(actions), &acl->header_); return; } @@ -6438,7 +6463,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * by ct_commit in the "stateful" stage) to indicate that the * connection should be allowed to resume. */ - ds_clear(match); + ds_truncate(match, match_tier_len); ds_put_format(match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)", acl->match); @@ -6461,7 +6486,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * Commit the connection only if the ACL has a label. This is done * to update the connection tracking entry label in case the ACL * allowing the connection changes. */ - ds_clear(match); + ds_truncate(match, match_tier_len); ds_truncate(actions, log_verdict_len); ds_put_format(match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)", acl->match); @@ -6482,7 +6507,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * to the connection tracker with ct_commit. */ /* If the packet is not tracked or not part of an established * connection, then we can simply reject/drop it. */ - ds_clear(match); + ds_truncate(match, match_tier_len); ds_put_cstr(match, REGBIT_ACL_HINT_DROP " == 1"); ds_put_format(match, " && (%s)", acl->match); 
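Review bot: `ds_put_format(match, "(%s)", acl->match)` in the stateless path now parenthesizes every ACL match even when no tier prefix was written, which is why every expected `match=(...)` line in tests/ovn-northd.at below turns into `match=((...))` for plain untiered ACLs. The parentheses are only needed to bind the `reg8[30..31] == N &&` prefix correctly; emitting `(%s)` only when `match_tier_len` is non-zero (and `%s` otherwise) would keep the logical flow text unchanged for existing deployments and spare anyone diffing `ovn-sbctl lflow-list` output across the upgrade. If the unconditional parentheses are intentional, a sentence in the commit message saying so would help.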
@@ -6502,7 +6527,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, * ct_commit() to the "stateful" stage, but since we're * rejecting/dropping the packet, we go ahead and do it here. */ - ds_clear(match); + ds_truncate(match, match_tier_len); ds_put_cstr(match, REGBIT_ACL_HINT_BLOCK " == 1"); ds_put_format(match, " && (%s)", acl->match); @@ -6656,6 +6681,7 @@ static void build_acl_action_lflows(struct ovn_datapath *od, struct hmap *lflows, const char *default_acl_action, const struct shash *meter_groups, + struct ds *match, struct ds *actions) { enum ovn_stage stages [] = { @@ -6668,6 +6694,10 @@ build_acl_action_lflows(struct ovn_datapath *od, struct hmap *lflows, ds_put_cstr(actions, REGBIT_ACL_VERDICT_ALLOW " = 0; " REGBIT_ACL_VERDICT_DROP " = 0; " REGBIT_ACL_VERDICT_REJECT " = 0; "); + if (od->max_acl_tier) { + ds_put_cstr(actions, REG_ACL_TIER " = 0; "); + } + size_t verdict_len = actions->length; for (size_t i = 0; i < ARRAY_SIZE(stages); i++) { @@ -6705,6 +6735,20 @@ build_acl_action_lflows(struct ovn_datapath *od, struct hmap *lflows, ds_truncate(actions, verdict_len); ds_put_cstr(actions, default_acl_action); ovn_lflow_add(lflows, od, stage, 0, "1", ds_cstr(actions)); + + struct ds tier_actions = DS_EMPTY_INITIALIZER; + for (size_t j = 0; j < od->max_acl_tier; j++) { + ds_clear(match); + ds_put_format(match, REG_ACL_TIER " == %"PRIuSIZE, j); + ds_clear(&tier_actions); + ds_put_format(&tier_actions, REG_ACL_TIER " = %"PRIuSIZE"; " + "next(pipeline=%s,table=%d);", + j + 1, ingress ? "ingress" : "egress", + ovn_stage_get_table(stage) - 1); + ovn_lflow_add(lflows, od, stage, 500, ds_cstr(match), + ds_cstr(&tier_actions)); + } + ds_destroy(&tier_actions); } } @@ -7074,7 +7118,7 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features, } build_acl_action_lflows(od, lflows, default_acl_action, meter_groups, - &actions); + &match, &actions); ds_destroy(&match); ds_destroy(&actions); 
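Review bot: the tier bump flows in `build_acl_action_lflows` jump with `next(pipeline=..., table=ovn_stage_get_table(stage) - 1)`, i.e. they hardcode that the eval stage is the table immediately before each action stage. That holds for the current layout, but nothing checks it; inserting a stage between `*_acl_eval` and `*_acl_action` later would silently send re-evaluated packets to the wrong table. Pair each action stage with its eval stage explicitly (the `stages` array could hold both) and derive the target from `ovn_stage_get_table()` of the eval stage. Minor: the loop installs `od->max_acl_tier` flows, so a datapath whose highest tier is 1 gets one priority-500 flow, not three; the ovn-northd.8.xml text in this series says three.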
diff --git a/northd/northd.h b/northd/northd.h index a503f4a66..ad6ccef5e 100644 --- a/northd/northd.h +++ b/northd/northd.h @@ -230,6 +230,7 @@ struct ovn_datapath { bool has_lb_vip; bool has_unknown; bool has_acls; + uint64_t max_acl_tier; bool has_vtep_lports; bool has_arp_proxy_port; diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 40c5ec95b..c0b7a69f2 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -709,6 +709,12 @@ referred to as the "allow", "drop", and "reject" bits in the upcoming paragraphs. +

  • + If the tier column has been configured on the ACL, then + OVN will also match the current tier counter against the configured + ACL tier. OVN keeps count of the current tier in + reg8[30..31]. +
  • allow ACLs translate into logical flows that set the allow bit to 1 and advance the packet to the next table. If there are any @@ -884,6 +890,13 @@ for UDP connections, and sctp_abort {output <-%gt; inport; next(pipeline=egress,table=5);} action for SCTP associations.
  • + +
  • + If any ACLs have tiers configured on them, then three priority 500 + flows are installed. If the current tier counter is 0, 1, or 2, then + the current tier counter is incremented by one and the packet is sent + back to the previous table for re-evaluation. +
  • Ingress Table 10: from-lport QoS Marking
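Review bot: "three priority 500 flows are installed. If the current tier counter is 0, 1, or 2" overstates what `build_acl_action_lflows` emits: the loop runs up to the datapath's highest configured tier, and the new test in tests/ovn-northd.at expects a single priority-500 flow when the only ACL is at tier 1. Reword to something like "one priority 500 flow for each tier below the highest configured tier; each increments the tier counter and sends the packet back to the previous table". The same sentence is repeated in the after-lb hunk (@@ -1259) and needs the same fix. While this text is touched, the context line's `<-%gt;` is an existing typo for `<->` worth correcting.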

    @@ -1174,6 +1187,13 @@ table and the next one.

    +

    + Like with ACLs that are evaluated before load balancers, if the ACL is + configured with a tier value, then the current tier counter, supplied + in reg8[30..31] is matched against the ACL's configured tier in addition + to the ACL's match. +

    +
    • allow apply-after-lb ACLs translate into logical flows @@ -1259,6 +1279,13 @@ for UDP connections, and sctp_abort {output <-%gt; inport; next(pipeline=egress,table=5);} action for SCTP associations.
    • + +
    • + If any ACLs have tiers configured on them, then three priority 500 + flows are installed. If the current tier counter is 0, 1, or 2, then + the current tier counter is incremented by one and the packet is sent + back to the previous table for re-evaluation. +

    Ingress Table 20: Stateful

    @@ -2197,6 +2224,14 @@ output; reg8[18].

    +

    + Also like with ingress ACLs, egress ACLs can have a configured + tier. If a tier is configured, then the current tier + counter is evaluated against the ACL's configured tier in addition + to the ACL's match. The current tier counter is stored in + reg8[30..31]. +

    +

    Similar to ingress table, a priority-65532 flow is added to allow IPv6 Neighbor solicitation, Neighbor discover, Router solicitation, Router diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index ff3026664..789275f37 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.0.2", - "cksum": "190109735 33605", + "version": "7.0.3", + "cksum": "3667000751 33787", "tables": { "NB_Global": { "columns": { @@ -272,6 +272,9 @@ "label": {"type": {"key": {"type": "integer", "minInteger": 0, "maxInteger": 4294967295}}}, + "tier": {"type": {"key": {"type": "integer", + "minInteger": 0, + "maxInteger": 3}}}, "options": { "type": {"key": "string", "value": "string", diff --git a/ovn-nb.xml b/ovn-nb.xml index d8114aa48..4a8279f6a 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -2284,6 +2284,26 @@ or + +

    The hierarchical tier that this ACL belongs to.

    + +

    + ACLs can be assigned to numerical tiers. When evaluating ACLs, an + internal counter is used to determine which tier of ACLs should be + evaluated. Tier 0 ACLs are evaluated first. If no verdict can be + determined, then tier 1 ACLs are evaluated next. This continues + until the maximum tier value is reached. If all tiers of ACLs are + evaluated and no verdict is reached, then the option from table + is used to determine how to proceed. +

    + +

    + In this version of OVN, the maximum tier value for ACLs is 3, + meaning there are 4 tiers of ACLs allowed (0-3). +

    + +

    ACLs options. diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 1c9958c6b..7d94cd6ac 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -2161,10 +2161,10 @@ AT_CAPTURE_FILE([sw1flows]) AT_CHECK( [grep -E 'ls_(in|out)_acl' sw0flows sw1flows | grep pg0 | sort], [0], [dnl -sw0flows: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) -sw0flows: table=8 (ls_in_acl_eval ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg8[[18]] = 1; next;) -sw1flows: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) -sw1flows: table=8 (ls_in_acl_eval ), priority=2002 , match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), action=(reg8[[18]] = 1; next;) +sw0flows: table=4 (ls_out_acl_eval ), priority=2003 , match=((outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) +sw0flows: table=8 (ls_in_acl_eval ), priority=2002 , match=((inport == @pg0 && ip4 && tcp && tcp.dst == 80)), action=(reg8[[18]] = 1; next;) +sw1flows: table=4 (ls_out_acl_eval ), priority=2003 , match=((outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows: table=8 (ls_in_acl_eval ), priority=2002 , match=((inport == @pg0 && ip4 && tcp && tcp.dst == 80)), action=(reg8[[18]] = 1; next;) ]) AS_BOX([2]) 
@@ -2177,10 +2177,10 @@ ovn-sbctl dump-flows sw1 > sw1flows2 AT_CAPTURE_FILE([sw1flows2]) AT_CHECK([grep "ls_out_acl" sw0flows2 sw1flows2 | grep pg0 | sort], [0], [dnl -sw0flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg8[[18]] = 1; next;) -sw0flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) -sw1flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=(outport == @pg0 && ip4 && udp), action=(reg8[[18]] = 1; next;) -sw1flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=(outport == @pg0 && ip6 && udp), action=(reg8[[18]] = 1; next;) +sw0flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=((outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;) +sw0flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=((outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows2: table=4 (ls_out_acl_eval ), priority=2002 , match=((outport == @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;) +sw1flows2: table=4 (ls_out_acl_eval ), priority=2003 , match=((outport == @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;) ]) AS_BOX([3]) 
@@ -7526,7 +7526,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) @@ -7563,7 +7563,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -7600,7 +7600,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) @@ -7708,7 +7708,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) 
@@ -7745,7 +7745,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) 
@@ -7782,7 +7782,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=egress,table=6); };) table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) - table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) 
@@ -7904,7 +7904,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -7941,7 +7941,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -7978,7 +7978,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed 's/table=../table=??/ table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[17]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */) table=??(ls_out_acl_action ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=27); };) table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) - table=??(ls_out_acl_eval ), priority=1001 , match=(ip4 && tcp), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1001 , match=((ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -9252,3 +9252,130 @@ AT_CHECK([fetch_column sb:Port_Binding options logical_port=public |grep -q 'qos AT_CLEANUP ]) + +AT_SETUP([Tiered ACL logical flows]) +AT_KEYWORDS([acl]) + +ovn_start + +check ovn-nbctl ls-add ls +check ovn-nbctl lsp-add ls lsp +check ovn-nbctl pg-add pg lsp + +m4_define([ACL_FLOWS], [grep -w $1 lflows | grep "$2" | sed 's/table=../table=??/' | sed "s/\($1[[^)]]*\)/$1/" | sort]) + +acl_test() { + direction=$1 + options=$2 + thing=$3 + eval_stage=$4 + action_stage=$5 + eval_stage_table=$6 + + if test "$direction" = "from-lport" ; then + pipeline=ingress + else + pipeline=egress + fi + + # Baseline test. Ensure that no ACL evaluation or tier-related flows are + # installed. + ovn-sbctl lflow-list ls > lflows + AT_CHECK([ACL_FLOWS([$eval_stage], [priority=2000])], [0], []) + + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) + + # Add an untiered ACL. Ensure that the ACL appears in the eval stage, and + # that no tier-related flows appear in the action stage. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.addr == 80.111.111.112" drop + acl1_uuid=$(ovn-nbctl --bare --columns _uuid find ACL priority=1000) + + ovn-sbctl lflow-list ls > lflows + AT_CAPTURE_FILE([lflows]) + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=((ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) + + # Explicitly name the tier on the ACL to be tier 0. This should have no + # effect on the logical flows. + check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=0 + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=((ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) + + # Change the ACL to tier 1. 
Now we should see the tier as part of the ACL + # match, and we should see a flow in the action stage to bump the tier + # to 1 if there was no match on tier 0. + check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=1 + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=(reg8[[30..31]] == 1 && (ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + + AT_CHECK_UNQUOTED([ACL_FLOWS([$action_stage], [priority=500])], [0], [dnl + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 0), action=(reg8[[30..31]] = 1; next(pipeline=$pipeline,table=$eval_stage_table);) +]) + + # Change the ACL to tier 3. Ensure the tier match on the ACL has been + # updated, and ensure we see three flows present for incrementing the + # tier value in the action stage. + check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=3 + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=(reg8[[30..31]] == 3 && (ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + + AT_CHECK_UNQUOTED([ACL_FLOWS([$action_stage], [priority=500])], [0], [dnl + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 0), action=(reg8[[30..31]] = 1; next(pipeline=$pipeline,table=$eval_stage_table);) + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 1), action=(reg8[[30..31]] = 2; next(pipeline=$pipeline,table=$eval_stage_table);) + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 2), action=(reg8[[30..31]] = 3; next(pipeline=$pipeline,table=$eval_stage_table);) +]) + + # Add an untiered ACL. Ensure that it matches on tier 0, but otherwise, + # nothing else should have changed in the logical flows. 
+ check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.addr == 83.104.105.116" allow + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=(reg8[[30..31]] == 0 && (ip4.addr == 83.104.105.116)), action=(reg8[[16]] = 1; next;) + table=??($eval_stage), priority=2000 , match=(reg8[[30..31]] == 3 && (ip4.addr == 80.111.111.112)), action=(reg8[[17]] = 1; next;) +]) + + AT_CHECK_UNQUOTED([ACL_FLOWS([$action_stage], [priority=500])], [0], [dnl + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 0), action=(reg8[[30..31]] = 1; next(pipeline=$pipeline,table=$eval_stage_table);) + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 1), action=(reg8[[30..31]] = 2; next(pipeline=$pipeline,table=$eval_stage_table);) + table=??($action_stage), priority=500 , match=(reg8[[30..31]] == 2), action=(reg8[[30..31]] = 3; next(pipeline=$pipeline,table=$eval_stage_table);) +]) + + # Remove the tier 3 ACL. The remaining ACL is untiered, and there are no + # other tiered ACLs. So we should go back to not checking the tier + # number in the ACL match, and there should be no tier-related flows + # in the action stage. 
+ check ovn-nbctl --wait=sb acl-del $thing $direction 1000 "ip4.addr == 80.111.111.112" + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=((ip4.addr == 83.104.105.116)), action=(reg8[[16]] = 1; next;) +]) + + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) + + check ovn-nbctl --wait=sb acl-del $thing + ovn-sbctl lflow-list ls > lflows + + AT_CHECK([ACL_FLOWS([$eval_stage], [priority=2000])], [0], []) + + AT_CHECK([ACL_FLOWS([$action_stage], [priority=500])], [0], []) +} + +acl_test from-lport "" ls ls_in_acl_eval ls_in_acl_action 8 +acl_test from-lport "--apply-after-lb" ls ls_in_acl_after_lb_eval ls_in_acl_after_lb_action 18 +acl_test to-lport "" ls ls_out_acl_eval ls_out_acl_action 4 +acl_test from-lport "" pg ls_in_acl_eval ls_in_acl_action 8 +acl_test from-lport "--apply-after-lb" pg ls_in_acl_after_lb_eval ls_in_acl_after_lb_action 18 +acl_test to-lport "" pg ls_out_acl_eval ls_out_acl_action 4 + +AT_CLEANUP +]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 5ee044e19..b9288c24f 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at 
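Review bot: the `acl_test` invocations hard-code the eval-stage table numbers (8, 18 and 4) that the expected `next(pipeline=$pipeline,table=$eval_stage_table)` actions depend on, so any later insertion of a logical switch stage breaks this test for a reason unrelated to tiers. Consider deriving that number from the `table=NN(...)` prefix of the eval-stage flow in `lflows` (the `sed 's/table=../table=??/'` in `ACL_FLOWS` already strips it for comparison) instead of passing it as `$6`. Also, `acl1_uuid=$(ovn-nbctl --bare --columns _uuid find ACL priority=1000)` is only unambiguous because it runs before the second priority-1000 ACL is added; a comment noting that ordering dependency would help the next person who reorders the steps.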
@@ -11315,3 +11315,111 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d /connection dropped.*/d"]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([Tiered ACLs]) +AT_KEYWORDS([acl]) + +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +# Set external-ids in br-int needed for ovn-controller +check ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +# Start ovn-controller + +start_daemon ovn-controller + +check ovn-nbctl ls-add ls +check ovn-nbctl lsp-add ls lsp1 -- lsp-set-addresses lsp1 "00:00:00:00:00:01 10.0.0.1" +check ovn-nbctl lsp-add ls lsp2 -- lsp-set-addresses lsp2 "00:00:00:00:00:02 10.0.0.2" + +check ovn-nbctl pg-add pg lsp1 lsp2 + +ADD_NAMESPACES(lsp1) +ADD_VETH(lsp1, lsp1, br-int, "10.0.0.1/24", "00:00:00:00:00:01") +ADD_NAMESPACES(lsp2) +ADD_VETH(lsp2, lsp2, br-int, "10.0.0.2/24", "00:00:00:00:00:02") + +m4_define([PING_PCT], [grep -o "[[0-9]]\{1,3\}% packet loss"]) + +acl_test() { + direction=$1 + options=$2 + thing=$3 + + # First a baseline. If traffic isn't being allowed, then something is + # very wrong. + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) + # Add an untiered drop ACL. This should cause pings to fail. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" drop + acl1_uuid=$(ovn-nbctl --bare --columns _uuid find ACL priority=1000) + + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Change the tier to 3. Despite there being "holes" in tiers 0, 1, and 2, + # the ACL should still apply, and pings should fail. 
+ check ovn-nbctl --wait=sb set ACL $acl1_uuid tier=3 + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Add a tier-0 ACL that allows the traffic. The priority is only 4, but + # since it is a higher tier, the traffic should be allowed. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 4 "ip4.dst == 10.0.0.2" allow + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) + + # Removing the 0-tier ACL should make traffic go back to being dropped. + check ovn-nbctl --wait=sb acl-del $thing $direction 4 "ip4.dst == 10.0.0.2" + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Removing all ACLs should make traffic go back to passing. + check ovn-nbctl --wait=sb acl-del $thing + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) +} + +acl_test from-lport "" ls +acl_test from-lport "--apply-after-lb" ls +acl_test to-lport "" ls +acl_test from-lport "" pg +acl_test from-lport "--apply-after-lb" pg +acl_test to-lport "" pg + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) +AT_CLEANUP +]) From patchwork Thu May 18 18:48:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1783478 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) 
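Review bot: the comment "since it is a higher tier" on the priority-4 allow ACL is misleading: that ACL is tier 0 and wins because tier 0 is evaluated before tier 3, not because its tier number is higher; suggest "since it is evaluated in an earlier tier". Also, the whitespace-only line added after `acl1_uuid=$(...)` in this test is removed again by patch 3/4 of this series; drop it here so the later patch does not have to touch this test at all.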
May 2023 18:48:45 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.22.48.14]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7C8192166B31 for ; Thu, 18 May 2023 18:48:45 +0000 (UTC) From: Mark Michelson To: dev@openvswitch.org Date: Thu, 18 May 2023 14:48:41 -0400 Message-Id: <20230518184842.1681582-3-mmichels@redhat.com> In-Reply-To: <20230518184842.1681582-1-mmichels@redhat.com> References: <20230518184842.1681582-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v5 3/4] ovn-nbctl: Add tier ACL options. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This modifies the acl-add and acl-del commands so that an ACL tier can be specified when adding or deleting ACLs. For acl-add, if the tier is specified, then the ACL created by the command will have that tier set. For acl-del, if the tier is specified, then the tier will be one of the criteria used when deciding which ACLs to delete. Because the tier is not any more or less specific than the other criteria used for deleting ACLs, a bitmap approach is used to determine the final set of ACLs that should be deleted. Signed-off-by: Mark Michelson Reviewed-by: Ales Musil --- NEWS | 3 + tests/ovn-nbctl.at | 77 ++++++++++++++++++++++ tests/system-ovn.at | 1 - utilities/ovn-nbctl.8.xml | 29 ++++++--- utilities/ovn-nbctl.c | 131 ++++++++++++++++++++++++++------------ 5 files changed, 192 insertions(+), 49 deletions(-) diff --git a/NEWS b/NEWS index a7a11061f..e29193104 100644 --- a/NEWS +++ b/NEWS 
@@ -31,6 +31,9 @@ Post v23.03.0 port is possible to define QoS rules to apply to the local egress localnet port. Please note now the QoS will be applied just to the local localnet port and not to all localnet port marked with ovn-egress iface. + - Support for tiered ACLs has been added. This allows for ACLs to be layered + into separate tiers of priority. For more information, please see the + ovn-nb and ovn-northd manpages. OVN v23.03.0 - 03 Mar 2023 -------------------------- diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 478a32f5a..fde3a28ee 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at 
@@ -2616,6 +2616,83 @@ ovn-nbctl: no row "foo1" in table Logical_Switch dnl --------------------------------------------------------------------- +OVN_NBCTL_TEST([acl_tiers], [ACL tier operations], [ +check ovn-nbctl ls-add ls +check ovn-nbctl --tier=3 acl-add ls from-lport 1000 "ip" drop +check_column 3 nb:ACL tier priority=1000 + +check ovn-nbctl --tier=3 acl-add ls from-lport 1001 "ip" drop +check_column 3 nb:ACL tier priority=1001 + +check ovn-nbctl --tier=2 acl-add ls from-lport 1002 "ip" drop +check_column 2 nb:ACL tier priority=1002 + +# Removing the tier 3 acls from ls should result in 1 ACL +# remaining. +check ovn-nbctl --tier=3 acl-del ls +check_row_count nb:ACL 1 +check_column 2 nb:ACL tier priority=1002 + +# Add two egress ACLs at tier 2. +check ovn-nbctl --tier=2 acl-add ls to-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls to-lport 1001 "ip" drop + +check_row_count nb:ACL 3 tier=2 + +# This should remove the egress tier 2 ACLs and leave the +# ingress tier 2 ACL +check ovn-nbctl --tier=2 acl-del ls to-lport +check_row_count nb:ACL 1 +check_column 2 nb:ACL tier priority=1002 +check_column from-lport nb:ACL direction priority=1002 + +# Re-add two ingress ACLs at tier 2. +check ovn-nbctl --tier=2 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls from-lport 1001 "ip" drop + +check_row_count nb:ACL 3 + +# Attempt to remove all tier 3 ACLs. All three ACLs are tier 2 +# so this shouldn't have any effect. +check ovn-nbctl --tier=3 acl-del ls +check_row_count nb:ACL 3 + +# Attempt to remove all ingress tier 3 ACLs. All three ACLs are tier +# 2, so this shouldn't have any effect. +check ovn-nbctl --tier=3 acl-del ls from-lport +check_row_count nb:ACL 3 + +# Attempt to remove the 1000 priority ACL but specify tier 3. Since +# all ACLs are tier 2, this should have no effect. +check ovn-nbctl --tier=3 acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 3 + +# Specifying the proper tier should result in all ACLs being deleted. 
+check ovn-nbctl --tier=2 acl-del ls +check_row_count nb:ACL 0 + +# Now let's experiment with identical ACLs at different tiers. +check ovn-nbctl --tier=1 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=2 acl-add ls from-lport 1000 "ip" drop +check ovn-nbctl --tier=3 acl-add ls from-lport 1000 "ip" drop +check_row_count nb:ACL 3 +check_row_count nb:ACL 1 tier=1 +check_row_count nb:ACL 1 tier=2 +check_row_count nb:ACL 1 tier=3 + +# Specifying tier 1 should result in only one ACL being deleted. +check ovn-nbctl --tier=1 acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 2 +check_row_count nb:ACL 1 tier=2 +check_row_count nb:ACL 1 tier=3 + +# Not specifying a tier should result in all ACLs being deleted. +check ovn-nbctl acl-del ls from-lport 1000 "ip" +check_row_count nb:ACL 0 +]) + +dnl --------------------------------------------------------------------- + AT_SETUP([ovn-nbctl - daemon retry connection]) OVN_NBCTL_TEST_START daemon AT_CHECK([kill `cat ovsdb-server.pid`]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index b9288c24f..1b39a320b 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -11363,7 +11363,6 @@ acl_test() { # Add an untiered drop ACL. This should cause pings to fail. check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" drop acl1_uuid=$(ovn-nbctl --bare --columns _uuid find ACL priority=1000) - NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 100% packet loss diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml index 8b4c3f29a..b4af43185 100644 --- a/utilities/ovn-nbctl.8.xml +++ b/utilities/ovn-nbctl.8.xml @@ -399,7 +399,7 @@ must be either switch or port-group.

    -
    [--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--may-exist] [--apply-after-lb] acl-add entity direction priority match verdict
    +
    [--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--label=label] [--may-exist] [--apply-after-lb] [--tier] acl-add entity direction priority match verdict

    Adds the specified ACL to entity. direction @@ -430,16 +430,29 @@ of the ACL table. As the option name suggests, the ACL will be applied after the logical switch load balancer stage.

    +

    + The --tier option sets the ACL's tier to the specified + value. For more information about ACL tiers, see the documentation + for the ovn-nb(5) database. +

    -
    [--type={switch | port-group}] acl-del entity [direction [priority match]]
    +
    [--type={switch | port-group}] [--tier] acl-del entity [direction [priority match]]
    - Deletes ACLs from entity. If only entity is - supplied, all the ACLs from the entity are deleted. If - direction is also specified, then all the flows in that - direction will be deleted from the entity. If all the - fields are given, then a single flow that matches all the fields will - be deleted. +

    + Deletes ACLs from entity. If only entity is + supplied, all the ACLs from the entity are deleted. If + direction is also specified, then all the flows in that + direction will be deleted from the entity. If all the + fields are given, then a single flow that matches all the fields will + be deleted. +

    + +

    + If the --tier option is provided, then only ACLs of the + given tier value will be deleted, in addition to whatever other + criteria have been provided. +

    [--type={switch | port-group}] acl-list entity
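Review bot: both synopsis lines show the new option as `[--tier]`, but it takes a value (the command table registers it as `--tier=` and the tests use `--tier=3`); write it as `[--tier=tier]` in the acl-add and acl-del synopses, matching the existing `[--meter=meter]` style. The acl-del paragraph also still says that when all fields are given "a single flow that matches all the fields will be deleted", which is no longer true once tiers exist: the new `acl_tiers` test deletes three identical ACLs at tiers 1, 2 and 3 with one untiered `acl-del ls from-lport 1000 "ip"`. Say instead that every ACL matching the given fields is deleted and that `--tier` narrows the set to one tier.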
    diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index 279088aaf..de03f870c 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -48,6 +48,7 @@ #include "unixctl.h" #include "util.h" #include "openvswitch/vlog.h" +#include "bitmap.h" VLOG_DEFINE_THIS_MODULE(nbctl); @@ -2116,6 +2117,8 @@ acl_cmp(const void *acl1_, const void *acl2_) return after_lb2 ? -1 : 1; } else if (acl1->priority != acl2->priority) { return acl1->priority > acl2->priority ? -1 : 1; + } else if (acl1->tier != acl2->tier) { + return acl1->tier > acl2->tier ? -1 : 1; } else { return strcmp(acl1->match, acl2->match); } @@ -2299,6 +2302,7 @@ nbctl_pre_acl(struct ctl_context *ctx) ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_priority); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_match); ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_options); + ovsdb_idl_add_column(ctx->idl, &nbrec_acl_col_tier); } static void @@ -2406,6 +2410,16 @@ nbctl_acl_add(struct ctl_context *ctx) nbrec_acl_set_options(acl, &options); } + const char *tier_s = shash_find_data(&ctx->options, "--tier"); + if (tier_s) { + long tier; + if (!str_to_long(tier_s, 10, &tier)) { + ctl_error(ctx, "Invalid tier %s", tier_s); + return; + } + nbrec_acl_set_tier(acl, tier); + } + /* Check if same acl already exists for the ls/portgroup */ size_t n_acls = pg ? pg->n_acls : ls->n_acls; struct nbrec_acl **acls = pg ? pg->acls : ls->acls; @@ -2434,6 +2448,10 @@ nbctl_acl_del(struct ctl_context *ctx) { const struct nbrec_logical_switch *ls = NULL; const struct nbrec_port_group *pg = NULL; + const char *tier_s = shash_find_data(&ctx->options, "--tier"); + long tier; + unsigned long *bitmaps[3]; + size_t n_bitmaps = 0; char *error = acl_cmd_get_pg_or_ls(ctx, &ls, &pg); if (error) { 
@@ -2441,8 +2459,13 @@ nbctl_acl_del(struct ctl_context *ctx) return; } - if (ctx->argc == 2) { - /* If direction, priority, and match are not specified, delete + if (tier_s && !str_to_long(tier_s, 10, &tier)) { + ctl_error(ctx, "Invalid tier %s", tier_s); + return; + } + + if (ctx->argc == 2 && !tier_s) { + /* If direction, priority, tier, and match are not specified, delete * all ACLs. */ if (pg) { nbrec_port_group_verify_acls(pg); 
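Review bot: `str_to_long` accepts negative values, so `--tier=-1` passes this check in both nbctl_acl_add and nbctl_acl_del and is only rejected, if at all, by the database when the transaction commits, with a far less readable error than the `ctl_error` here. The parse block is also duplicated verbatim between the two commands, so a small shared helper that parses the tier and rejects negative values (and whatever upper bound the ACL tier column enforces) would fix both in one place. Minor: `long tier;` in nbctl_acl_del is only assigned when `tier_s` is set and only read under the same condition, but initializing it avoids a maybe-uninitialized warning on compilers that cannot see the correlation.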
@@ -2454,55 +2477,83 @@ nbctl_acl_del(struct ctl_context *ctx) return; } - const char *direction; - error = parse_direction(ctx->argv[2], &direction); - if (error) { - ctx->error = error; - return; - } - size_t n_acls = pg ? pg->n_acls : ls->n_acls; struct nbrec_acl **acls = pg ? pg->acls : ls->acls; - /* If priority and match are not specified, delete all ACLs with the - * specified direction. */ - if (ctx->argc == 3) { + + if (tier_s) { + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); for (size_t i = 0; i < n_acls; i++) { - if (!strcmp(direction, acls[i]->direction)) { - if (pg) { - nbrec_port_group_update_acls_delvalue(pg, acls[i]); - } else { - nbrec_logical_switch_update_acls_delvalue(ls, acls[i]); - } + if (acls[i]->tier == tier) { + bitmap_set1(bitmaps[n_bitmaps], i); } } - return; + n_bitmaps++; } - int64_t priority; - error = parse_priority(ctx->argv[3], &priority); - if (error) { - ctx->error = error; - return; - } + if (ctx->argc >= 3) { + const char *direction; + error = parse_direction(ctx->argv[2], &direction); + if (error) { + ctx->error = error; + goto cleanup; + } - if (ctx->argc == 4) { - ctl_error(ctx, "cannot specify priority without match"); - return; + /* If priority and match are not specified, delete all ACLs with the + * specified direction. */ + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); + for (size_t i = 0; i < n_acls; i++) { + if (!strcmp(direction, acls[i]->direction)) { + bitmap_set1(bitmaps[n_bitmaps], i); + } + } + n_bitmaps++; } - /* Remove the matching rule. 
*/ - for (size_t i = 0; i < n_acls; i++) { - struct nbrec_acl *acl = acls[i]; + if (ctx->argc >= 4) { + int64_t priority; + error = parse_priority(ctx->argv[3], &priority); + if (error) { + ctx->error = error; + goto cleanup; + } - if (priority == acl->priority && !strcmp(ctx->argv[4], acl->match) && - !strcmp(direction, acl->direction)) { - if (pg) { - nbrec_port_group_update_acls_delvalue(pg, acl); - } else { - nbrec_logical_switch_update_acls_delvalue(ls, acl); + if (ctx->argc == 4) { + ctl_error(ctx, "cannot specify priority without match"); + goto cleanup; + } + + /* Remove the matching rule. */ + bitmaps[n_bitmaps] = bitmap_allocate(n_acls); + for (size_t i = 0; i < n_acls; i++) { + struct nbrec_acl *acl = acls[i]; + + if (priority == acl->priority && + !strcmp(ctx->argv[4], acl->match)) { + bitmap_set1(bitmaps[n_bitmaps], i); } - return; } + n_bitmaps++; + } + + unsigned long *bitmap_result = bitmap_allocate1(n_acls); + for (size_t i = 0; i < n_bitmaps; i++) { + bitmap_result = bitmap_and(bitmap_result, bitmaps[i], n_acls); + } + + size_t index; + BITMAP_FOR_EACH_1 (index, n_acls, bitmap_result) { + if (pg) { + nbrec_port_group_update_acls_delvalue(pg, acls[index]); + } else { + nbrec_logical_switch_update_acls_delvalue(ls, acls[index]); + } + } + + free(bitmap_result); + +cleanup: + for (size_t i = 0; i < n_bitmaps; i++) { + free(bitmaps[i]); } } 
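Review bot: the comment `/* Remove the matching rule. */` is now stale: this block only marks candidates in a bitmap, and the AND over all bitmaps below then removes every ACL that satisfies all of the given criteria, rather than the single first match of the old loop. That is a deliberate behaviour change (without `--tier`, identical ACLs at different tiers are all deleted, as the `acl_tiers` test expects) and deserves a comment here plus a sentence in the commit message. Two smaller points: `bitmap_result` is allocated after the last `goto cleanup`, so the `cleanup` label correctly does not free it, but a comment saying so would keep a later edit from moving the allocation earlier and leaking it; and if `n_bitmaps` were ever 0 the all-ones result would delete every ACL, which cannot happen today only because of the `argc == 2 && !tier_s` early return above, so an `ovs_assert(n_bitmaps)` before the loop would make that invariant explicit.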
@@ -7680,9 +7731,9 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION", nbctl_pre_acl, nbctl_acl_add, NULL, "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=," - "--apply-after-lb", RW }, + "--apply-after-lb,--tier=", RW }, { "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]", - nbctl_pre_acl, nbctl_acl_del, NULL, "--type=", RW }, + nbctl_pre_acl, nbctl_acl_del, NULL, "--type=,--tier=", RW }, { "acl-list", 1, 1, "{SWITCH | PORTGROUP}", nbctl_pre_acl_list, nbctl_acl_list, NULL, "--type=", RO }, From patchwork Thu May 18 18:48:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1783479 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ZU9Hi71V; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4QMfC22mh8z20f0 for ; Fri, 19 May 2023 04:49:02 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 37DF842BCA; Thu, 18 May 2023 18:48:58 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 37DF842BCA Authentication-Results: smtp2.osuosl.org; 
From: Mark Michelson To: dev@openvswitch.org Date: Thu, 18 May 2023 14:48:42 -0400 Message-Id: <20230518184842.1681582-4-mmichels@redhat.com> In-Reply-To: <20230518184842.1681582-1-mmichels@redhat.com> References: <20230518184842.1681582-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn v5 4/4] acls: Add "pass" ACL action. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This allows for evaluating ACLs at the current tier to stop, and to start evaluating ACLs at the next tier. If not using tiers, or if we match on the final ACL tier, then a "pass" verdict results in the default ACL action being applied. Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134138 Signed-off-by: Mark Michelson Reviewed-by: Ales Musil --- northd/northd.c | 8 ++++++- northd/ovn-northd.8.xml | 9 ++++++++ ovn-nb.ovsschema | 6 +++--- ovn-nb.xml | 10 +++++++++ tests/ovn-northd.at | 46 +++++++++++++++++++++++++++++++++++++++++ tests/system-ovn.at | 40 ++++++++++++++++++++++++++++++++--- utilities/ovn-nbctl.c | 2 +- 7 files changed, 113 insertions(+), 8 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 212327b99..07b127cdf 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -6377,6 +6377,8 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl, ds_put_cstr(actions, "verdict=drop, "); } else if (!strcmp(acl->action, "reject")) { ds_put_cstr(actions, "verdict=reject, "); + } else if (!strcmp(acl->action, "pass")) { + ds_put_cstr(actions, "verdict=pass, "); } else if (!strcmp(acl->action, "allow") || !strcmp(acl->action, "allow-related") || !strcmp(acl->action, "allow-stateless")) { 
@@ -6415,6 +6417,8 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, verdict = REGBIT_ACL_VERDICT_DROP " = 1; "; } else if (!strcmp(acl->action, "reject")) { verdict = REGBIT_ACL_VERDICT_REJECT " = 1; "; + } else if (!strcmp(acl->action, "pass")) { + verdict = ""; } else { verdict = REGBIT_ACL_VERDICT_ALLOW " = 1; "; } @@ -6434,7 +6438,9 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od, match_tier_len = match->length; } - if (!has_stateful || !strcmp(acl->action, "allow-stateless")) { + if (!has_stateful + || !strcmp(acl->action, "pass") + || !strcmp(acl->action, "allow-stateless")) { ds_put_cstr(actions, "next;"); ds_put_format(match, "(%s)", acl->match); ovn_lflow_add_with_hint(lflows, od, stage, priority, diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index c0b7a69f2..540fe03bd 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -743,6 +743,10 @@ reject ACLs translate into logical flows with that set the reject bit and advance to the next table. +
  • + pass ACLs translate into logical flows that do not set the + allow, drop, or reject bit and advance to the next table. +
  • Other ACLs set the drop bit and advance to the next table for new or untracked connections. For known connections, they set the drop bit, @@ -1223,6 +1227,11 @@ reject apply-after-lb ACLs translate into logical flows that set the reject bit and advance to the next table.
  • +
  • + pass apply-after-lb ACLs translate into logical flows that + do not set the allow, drop, or reject bit and advance to the next + table. +
  • Other apply-after-lb ACLs set the drop bit for new or untracked connections and ct_commit(ct_label=1/1); for known diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index 789275f37..f8bac5302 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.0.3", - "cksum": "3667000751 33787", + "version": "7.0.4", + "cksum": "1676649201 33795", "tables": { "NB_Global": { "columns": { @@ -260,7 +260,7 @@ "enum": ["set", ["allow", "allow-related", "allow-stateless", "drop", - "reject"]]}}}, + "reject", "pass"]]}}}, "log": {"type": "boolean"}, "severity": {"type": {"key": {"type": "string", "enum": ["set", diff --git a/ovn-nb.xml b/ovn-nb.xml index 4a8279f6a..9afe3b584 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -2281,6 +2281,16 @@ or ICMPv4/ICMPv6 unreachable message for other IPv4/IPv6-based protocols.
  • + +
  • + pass: Pass to the next ACL tier. If using multiple ACL + tiers, a match on this ACL will stop evaluating ACLs at the current + tier and move to the next one. If not using ACL tiers or if a + pass ACL is matched at the final tier, then the + + option from the table is used to + determine how to proceed. +
  • diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 7d94cd6ac..2c4129bf3 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -9379,3 +9379,49 @@ acl_test to-lport "" pg ls_out_acl_eval ls_out_acl_action 4 AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL "pass" logical flows]) +AT_KEYWORDS([acl]) + +ovn_start +check ovn-nbctl ls-add ls +check ovn-nbctl lsp-add ls lsp +check ovn-nbctl pg-add pg lsp + +m4_define([ACL_FLOWS], [grep -w $1 lflows | grep "$2" | sed 's/table=../table=??/' | sed "s/\($1[[^)]]*\)/$1/" | sort]) + +acl_test() { + direction=$1 + options=$2 + thing=$3 + eval_stage=$4 + + # Baseline. Ensure no ACL eval flows are present. + ovn-sbctl lflow-list ls > lflows + AT_CHECK([ACL_FLOWS([$eval_stage], [priority=2000])], [0], []) + + # Add an ACL with the "pass" verdict. Ensure that it is in the logical flow + # table and that it simply moves to the next table without setting a specific + # verdict bit. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.addr == 80.111.111.112" pass + ovn-sbctl lflow-list ls > lflows + AT_CHECK_UNQUOTED([ACL_FLOWS([$eval_stage], [priority=2000])], [0], [dnl + table=??($eval_stage), priority=2000 , match=((ip4.addr == 80.111.111.112)), action=(next;) +]) + + # Remove the ACL with the "pass" verdict. Ensure that no eval flows are present. + check ovn-nbctl acl-del $thing + ovn-sbctl lflow-list ls > lflows + AT_CHECK([ACL_FLOWS([$eval_stage], [priority=2000])], [0], []) +} + +acl_test from-lport "" ls ls_in_acl_eval +acl_test from-lport "--apply-after-lb" ls ls_in_acl_after_lb_eval +acl_test to-lport "" ls ls_out_acl_eval +acl_test from-lport "" pg ls_in_acl_eval +acl_test from-lport "--apply-after-lb" pg ls_in_acl_after_lb_eval +acl_test to-lport "" pg ls_out_acl_eval + +AT_CLEANUP +]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 1b39a320b..68a5e9527 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at 
@@ -11378,20 +11378,54 @@ acl_test() { # Add a tier-0 ACL that allows the traffic. The priority is only 4, but # since it is a higher tier, the traffic should be allowed. - check ovn-nbctl --wait=sb $options acl-add $thing $direction 4 "ip4.dst == 10.0.0.2" allow + check ovn-nbctl --wait=hv $options acl-add $thing $direction 4 "ip4.dst == 10.0.0.2" allow NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 0% packet loss ]) - # Removing the 0-tier ACL should make traffic go back to being dropped. + # Add a higher-priority tier-0 ACL that passes. This should cause the traffic + # to pass over the lower-priority tier-0 "allow" ACL, and move to the tier-3 + # ACL that drops the traffic. + check ovn-nbctl --wait=sb $options acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" pass + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Remove the "pass" ACL, and the "allow" rule should kick back in. + check ovn-nbctl --wait=sb --tier=0 acl-del $thing $direction 1000 "ip4.dst == 10.0.0.2" + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) + + # Removing the remaining 0-tier ACL should make traffic go back to being dropped. check ovn-nbctl --wait=sb acl-del $thing $direction 4 "ip4.dst == 10.0.0.2" NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl 100% packet loss ]) - # Removing all ACLs should make traffic go back to passing. + # Adding a higher-priority "pass" ACL at tier 3 should result in using the + # default ACL action. Currently, the default is to allow traffic, so the + # traffic should be allowed. + check ovn-nbctl --wait=sb --tier=3 $options acl-add $thing $direction 2000 "ip4.dst == 10.0.0.2" pass + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +0% packet loss +]) + + # Change the default ACL action to drop, and now the traffic should be dropped. 
+ check ovn-nbctl set NB_Global . options:default_acl_drop=true + NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ +[0], [dnl +100% packet loss +]) + + # Removing all ACLs (and setting the default acl drop back to false) should + # make traffic go back to passing. + check ovn-nbctl clear NB_Global . options check ovn-nbctl --wait=sb acl-del $thing NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 10.0.0.2 | PING_PCT], \ [0], [dnl diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index de03f870c..7a4f6b1b3 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -2348,7 +2348,7 @@ nbctl_acl_add(struct ctl_context *ctx) /* Validate action. */ if (strcmp(action, "allow") && strcmp(action, "allow-related") && strcmp(action, "allow-stateless") && strcmp(action, "drop") - && strcmp(action, "reject")) { + && strcmp(action, "reject") && strcmp(action, "pass")) { ctl_error(ctx, "%s: action must be one of \"allow\", " "\"allow-related\", \"allow-stateless\", \"drop\", " "and \"reject\"", action);
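Review bot: the new "ACL pass logical flows" test in tests/ovn-northd.at only exercises the stateless branch of consider_acl(): the logical switch `ls` carries no allow-related ACL, so has_stateful is false and the `|| !strcmp(acl->action, "pass")` clause added to the `if (!has_stateful ...)` condition never decides anything. Consider adding a low-priority allow-related ACL to the same switch or port group before the pass ACL is added, so the test also asserts that a pass ACL on a stateful datapath still produces `action=(next;)` rather than a ct_commit-style action; the `priority=2000` filter in ACL_FLOWS will still isolate the pass flow.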
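Review bot: the --wait handling in the tests/system-ovn.at hunk is inconsistent. The existing tier-0 "allow" acl-add is changed from `--wait=sb` to `--wait=hv`, presumably because the ping that follows raced the flow installation, but the newly added `acl-add $thing $direction 1000 "ip4.dst == 10.0.0.2" pass`, the `--tier=3 ... 2000 ... pass` add, the `--tier=0 acl-del` and `ovn-nbctl set NB_Global . options:default_acl_drop=true` (no --wait at all) are each followed directly by a ping and have the same race. Use `--wait=hv` on every command whose effect the next NS_CHECK_EXEC depends on. In the same hunk, `check ovn-nbctl clear NB_Global . options` wipes every NB_Global option, not just the one this test set; `ovn-nbctl remove NB_Global . options default_acl_drop` restores exactly the state the test started from.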
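Review bot: in the utilities/ovn-nbctl.c hunk the validation condition now accepts "pass", but the ctl_error() message right below it still lists only "allow", "allow-related", "allow-stateless", "drop" and "reject", so a user who typos the action is told a list that omits a valid value. Update the message to match the enum, e.g. `"\"allow-related\", \"allow-stateless\", \"drop\", \"reject\", and \"pass\""`, and keep it in step with the ovn-nb.ovsschema enum.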