[ovs-build] Broken: openvswitch/ovs#8612 (branch-2.12 - 1f82d15)

Travis CI builds at travis-ci.org
Wed Sep 25 21:25:59 UTC 2019


Build Update for openvswitch/ovs
-------------------------------------

Build: #8612
Status: Broken

Duration: 1 hr, 19 mins, and 3 secs
Commit: 1f82d15 (branch-2.12)
Author: Numan Siddique
Message: ovn: Exclude inport and outport symbol tables from conjunction

If there are multiple ACLs associated with a port group and they
match on a range of some field, then ovn-controller doesn't install
the flows properly and this results in broken ACL functionality.

For example, if there is a port group - pg1 with logical ports - [p1, p2]
and if there are below ACLs (only match condition is shown)

1 -  outport == @pg1 && ip4 && tcp.dst >= 500 && tcp.dst <= 501
2 -  outport == @pg1 && ip4 && tcp.dst >= 600 && tcp.dst <= 601

The first ACL will result in the below OF flows

1.  conj_id=1,tcp
2.  tcp,reg15=0x11: conjunction(1, 1/2)
3.  tcp,reg15=0x12: conjunction(1, 1/2)
5.  tcp,tp_dst=500: conjunction(1, 2/2)
6.  tcp,tp_dst=501: conjunction(1, 2/2)

The second ACL will result in the below OF flows
7.  conj_id=2,tcp
8.  tcp,reg15=0x11: conjunction(2, 1/2)
9.  tcp,reg15=0x12: conjunction(2, 1/2)
11. tcp,tp_dst=600: conjunction(2, 2/2)
12. tcp,tp_dst=601: conjunction(2, 3/2)

The OF flows (2) and (8) have the exact match but with different action.
This results in only one of the flows getting installed. The same goes
for the flows (3) and (9). And this completely breaks the ACL functionality
for such scenarios.

In order to fix this issue, this patch excludes the 'inport' and 'outport' symbols
from conjunction. With this patch we will have the below flows.

tcp,reg15=0x11,tp_dst=500
tcp,reg15=0x11,tp_dst=501
tcp,reg15=0x12,tp_dst=500
tcp,reg15=0x12,tp_dst=501
tcp,reg15=0x13,tp_dst=500
tcp,reg15=0x13,tp_dst=501
tcp,reg15=0x11,tp_dst=600
tcp,reg15=0x11,tp_dst=601
tcp,reg15=0x12,tp_dst=600
tcp,reg15=0x12,tp_dst=601
tcp,reg15=0x13,tp_dst=600
tcp,reg15=0x13,tp_dst=601

Acked-by: Mark Michelson <mmichels at redhat.com>
Acked-by: Daniel Alvarez <dalvarez at redhat.com>
Signed-off-by: Numan Siddique <nusiddiq at redhat.com>

(cherry-picked from ovn commit 298701dbc99645700be41680a43d049cb061847a)

Signed-off-by: Ben Pfaff <blp at ovn.org>

View the changeset: https://github.com/openvswitch/ovs/compare/e6aebc90210b...1f82d15cb883

View the full build log and details: https://travis-ci.org/openvswitch/ovs/builds/589611799?utm_medium=notification&utm_source=email
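
The flow collision described in the commit message above, as an added example that is not part of the original notification or of the OVN code base. It assumes a simplified flow table that keeps one action per match (a later flow replaces an earlier one) and a placeholder "allow" action; the function names are hypothetical, and the port and tcp.dst values are constructed from the message's example.

```python
from itertools import product

# Constructed input mirroring the commit message: pg1 resolves to reg15
# values 0x11 and 0x12, and each ACL covers a two-port tcp.dst range.
PORTS = (0x11, 0x12)
ACLS = {1: (500, 501), 2: (600, 601)}
ALLOW = ("allow",)  # placeholder action; the message does not show ACL actions

def conjunctive_flows(conj_id, ports, dsts):
    """One ACL with outport as a conjunction dimension (the 'before' shape)."""
    flows = [(frozenset({("conj_id", conj_id)}), ALLOW)]
    flows += [(frozenset({("reg15", p)}), ("conjunction", conj_id, 1, 2)) for p in ports]
    flows += [(frozenset({("tp_dst", d)}), ("conjunction", conj_id, 2, 2)) for d in dsts]
    return flows

def expanded_flows(_conj_id, ports, dsts):
    """One ACL with outport excluded from conjunction: a port x dst cross product."""
    return [(frozenset({("reg15", p), ("tp_dst", d)}), ALLOW)
            for p, d in product(ports, dsts)]

def install(flows):
    """Simplified table (assumption): one action per match, later flow wins."""
    table, collisions = {}, []
    for match, action in flows:
        if table.get(match, action) != action:
            collisions.append(match)  # same match, different action
        table[match] = action
    return table, collisions

def permitted(table, port, dst):
    """True if the packet hits an exact flow or completes every clause of a conjunction."""
    pkt = {("reg15", port), ("tp_dst", dst)}
    clauses = {}
    for match, action in table.items():
        if match <= pkt:
            if action == ALLOW:
                return True
            _, cid, k, n = action
            clauses.setdefault((cid, n), set()).add(k)
    return any(len(ks) == n and frozenset({("conj_id", cid)}) in table
               for (cid, n), ks in clauses.items())

def acl_coverage(build):
    """Install both ACLs; return (colliding matches, permitted (port, dst) pairs)."""
    flows = [f for cid, dsts in ACLS.items() for f in build(cid, PORTS, dsts)]
    table, collisions = install(flows)
    wanted = [(p, d) for dsts in ACLS.values() for p, d in product(PORTS, dsts)]
    return collisions, {pd for pd in wanted if permitted(table, *pd)}

before, after = acl_coverage(conjunctive_flows), acl_coverage(expanded_flows)
```

In this model the conjunctive form leaves only the second ACL's port range reachable, while the expanded form has no colliding matches and covers every port and tcp.dst pair of both ACLs.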
