[ovs-build] Passed: ovsrobot/ovn#1058 (series_204465 - 56afa67)
builds at travis-ci.com
Mon Sep 28 01:46:47 UTC 2020
Build Update for ovsrobot/ovn
Duration: 23 mins and 13 secs
Commit: 56afa67 (series_204465)
Author: Han Zhou
Message: ovn-northd.c: Fix ACL priority related to tcp_reset action.
When "reject" is used as ACL action, there are logical flows generated
to handle TCP and non-TCP packets separately, so that tcp_reset is used to
reject TCP packets while ICMP is used to reject non-TCP packets.
The current implementation uses priority OVN_ACL_PRI_OFFSET + acl_priority + 10
for handling TCP packets, while OVN_ACL_PRI_OFFSET + acl_priority for
non-TCP packets. This can cause the ACL priorities defined by users to be incorrectly
handled. For example, a user creates two ACLs:
1. priority: 1001, match: tcp.dst == 443, action: allow
2. priority: 1000, match: any, action: reject
The generated lflows would be:
1. priority: 2010, match: any, action: tcp_reset
2. priority: 2001, match: tcp.dst == 443, action: allow
3. priority: 2000, match: any, action: icmp
Now if a TCP packet with dst port 443 comes, it will be rejected.
This patch fixes the problem by using OVN_ACL_PRI_OFFSET + acl_priority * 2 + 1
as flow priority for the tcp_reset flow, and OVN_ACL_PRI_OFFSET + acl_priority * 2
for other ACL related flows including the ICMP flows.
Fixes: 366ac0d89 ("OVN: add tcp_reset action to ovn acl reject support")
Signed-off-by: Han Zhou <hzhou at ovn.org>
Signed-off-by: 0-day Robot <robot at bytheb.org>
View the changeset: https://github.com/ovsrobot/ovn/commit/56afa67728dc
View the full build log and details: https://travis-ci.com/github/ovsrobot/ovn/builds/186915126?utm_medium=notification&utm_source=email
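The priority mapping described in the commit message above, as an added example that is not part of the original notification or of the OVN source: it expands the message's two ACLs into lflows under the old and the fixed scheme and picks the highest-priority match for a packet. The value 1000 for OVN_ACL_PRI_OFFSET is inferred from the message's numbers, and the structs, `build_lflows` and `verdict` are a hypothetical simplified model.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value, inferred from the message's numbers (ACL 1001 -> lflow 2001). */
#define OVN_ACL_PRI_OFFSET 1000

enum scheme { OLD_SCHEME, NEW_SCHEME };
struct acl { int priority; int tcp_dst; const char *action; };   /* tcp_dst 0 = any */
struct lflow { int priority; int tcp_only; int tcp_dst; const char *action; };

/* Hypothetical model: a "reject" ACL expands to a tcp_reset and an icmp lflow. */
static int build_lflows(const struct acl *a, int n, enum scheme s, struct lflow *out)
{
    int k = 0;
    for (int i = 0; i < n; i++) {
        int old = (s == OLD_SCHEME);
        int base = OVN_ACL_PRI_OFFSET + (old ? a[i].priority : a[i].priority * 2);
        if (strcmp(a[i].action, "reject") == 0) {
            out[k++] = (struct lflow){ base + (old ? 10 : 1), 1, a[i].tcp_dst, "tcp_reset" };
            out[k++] = (struct lflow){ base, 0, a[i].tcp_dst, "icmp" };
        } else {
            out[k++] = (struct lflow){ base, a[i].tcp_dst != 0, a[i].tcp_dst, a[i].action };
        }
    }
    return k;
}

/* Action of the highest-priority lflow that matches the packet (n <= 8 ACLs). */
static const char *verdict(const struct acl *a, int n, enum scheme s, int is_tcp, int dst)
{
    struct lflow f[16];
    int k = build_lflows(a, n, s, f), best = -1;
    for (int i = 0; i < k; i++) {
        int hit = (!f[i].tcp_only || is_tcp)
                  && (!f[i].tcp_dst || (is_tcp && dst == f[i].tcp_dst));
        if (hit && (best < 0 || f[i].priority > f[best].priority)) best = i;
    }
    return best < 0 ? "no-match" : f[best].action;
}

/* The two ACLs from the commit message. */
static const struct acl EXAMPLE[] = { { 1001, 443, "allow" }, { 1000, 0, "reject" } };

int main(void)
{
    printf("old, tcp/443: %s\n", verdict(EXAMPLE, 2, OLD_SCHEME, 1, 443));
    printf("new, tcp/443: %s\n", verdict(EXAMPLE, 2, NEW_SCHEME, 1, 443));
    return 0;
}
```

Because the fixed scheme doubles the ACL priority before adding 1, the tcp_reset flow of an ACL at priority N always sits below every flow of an ACL at priority N + 1.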