[ovs-build] Failed: ovsrobot/ovn#319 (series_149687 - d6c52d9)

Travis CI builds at travis-ci.com
Thu Dec 19 19:28:34 UTC 2019


Build Update for ovsrobot/ovn
-------------------------------------

Build: #319
Status: Failed

Duration: 29 mins and 28 secs
Commit: d6c52d9 (series_149687)
Author: venu iyer
Message: ovn-northd: ls_*_acl behavior not consistent for untracked flows

If one creates a port group and a MAC address set, and an
ACL that prevents packets being output to a port in that Port Group from
any MAC address in that address set, the outcome is not consistent.

The outcome depends on whether there is a stateful rule on the switch or not.

Specifically:

Assuming 'l2pg' is a port group with a list of ports and 'macs' is an Address
Set with a list of MAC addresses and the intent is to drop all packets
with source MAC address in 'macs' to any port in 'l2pg' using:

ovn-nbctl acl-add <switch> to-lport 5000 \
	"outport == @l2pg && eth.src == $macs" drop

Without any stateful rule on the logical switch, the corresponding
logical flow looks like:
	table=4 (ls_out_acl        ), priority=6000,\
		match=(outport == @l2pg && eth.src == $macs), \
		action=(/* drop */)

Based on this rule, any packet destined to the ports in 'l2pg' with source
address in 'macs' will be dropped - as is expected from the ACL above.

While with a stateful rule on the switch (any stateful rule will do),
the same rule looks like:
	table=4 (ls_out_acl        ), priority=6000, \
		match=((!ct.est || (ct.est && ct_label.blocked == 1)) && \
		(outport == @l2pg && eth.src == $macs)), action=(/* drop */)

With this, however, only packets that are tracked will match the rule
and be dropped, e.g. IP packets will be dropped, but ARP etc. will go
through - this is not expected.

Based on whether there are stateful rules or not on the switch,
untracked packets will see different behavior.

The fix is to make the rule in the stateful case comprehensive, i.e.
instead of just looking for flows that are not established (or not new),
we should also look for flows that are not tracked.

The fix was tested in the above scenario. Additionally, the following
ACL was added to test the change in the "allow" case (i.e. to drop
all the packets based on the above ACL, but have a higher priority
rule that selectively allows ARP).

ovn-nbctl acl-add ls1 to-lport 6000 \
        "outport == @l2pg && eth.type == 0x806" allow

with and without the stateful rule to make sure the behavior is the
same.  The test suite has been enhanced to add the above test cases
(with different ethertype) for drop and allow.

OVN test cases were run with this fix and no failures were seen.

Signed-off-by: venu iyer <venugopali at nvidia.com>
Signed-off-by: 0-day Robot <robot at bytheb.org>

View the changeset: https://github.com/ovsrobot/ovn/compare/b441bf3a7211^...d6c52d957bd2

View the full build log and details: https://travis-ci.com/ovsrobot/ovn/builds/141809772?utm_medium=notification&utm_source=email
