[ovs-dev] [PATCH v2 14/14] tests: Test ACLs in OVN end-to-end test.

Ben Pfaff blp at nicira.com
Wed Sep 2 23:44:11 UTC 2015


Signed-off-by: Ben Pfaff <blp at nicira.com>
---
 tests/ovn.at | 57 ++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 44 insertions(+), 13 deletions(-)

diff --git a/tests/ovn.at b/tests/ovn.at
index 8e442fa..a83b127 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -435,6 +435,7 @@ ovn_start
 # Add all of the vifs to a single logical switch lsw0.
 # Turn on port security on all the vifs except vif[123]1.
 # Make vif13, vif2[23], vif3[123] destinations for unknown MACs.
+# Add some ACLs for Ethertypes 1234, 1235, 1236.
 ovn-nbctl lswitch-add lsw0
 net_add n1
 for i in 1 2 3; do
@@ -454,6 +455,14 @@ for i in 1 2 3; do
         fi
     done
 done
+ovn-nbctl \
+  -- --id=@acl1 create acl priority=1000 action=drop \
+                       match='"eth.type == 0x1234"' \
+  -- --id=@acl2 create acl priority=1000 action=drop \
+                       match='"eth.type == 0x1235 && inport == \"lp11\""' \
+  -- --id=@acl3 create acl priority=1000 action=drop \
+                       match='"eth.type == 0x1236 && outport == \"lp33\""' \
+  -- set Logical_Switch lsw0 acls=@acl1, at acl2, at acl3
 
 # Pre-populate the hypervisors' ARP tables so that we don't lose any
 # packets for ARP resolution (native tunneling doesn't queue packets
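Review bot: The three ACL match values are written with two layers of quoting (`'"eth.type == 0x1234"'`, and `\"lp11\"` inside the second one) and nothing in the hunk says which layer serves the shell, which the ovn-nbctl/OVSDB string parser and which the match language's own string literal; a comment above `ovn-nbctl \` along the lines of `# '' is shell quoting, "" is the OVSDB string value, \"...\" is a match-language string literal` would save the next reader the experiment (confirm the layering against ovn-nbctl's value parsing before committing the wording). All three rows use priority=1000 and action=drop, so the test never exercises a higher-priority allow overriding a drop or two ACLs matching the same packet; if the ACL pipeline's priority ordering is meant to be covered by this test, one `allow` ACL at priority 1001 with a match overlapping acl1 would do it. The last line reads `acls=@acl1, at acl2, at acl3` as archived, which looks like the list archive rewriting `@`; presumably the committed line is `acls=@acl1,@acl2,@acl3`.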
@@ -508,31 +517,46 @@ test_packet() {
 #
 # 6. The lswitch delivers packets with an unknown destination to lports with
 #    "unknown" among their MAC addresses (and port security disabled).
+#
+# 7. The lswitch drops unicast packets that violate an ACL.
+#
+# 8. The lswitch drops multicast and broadcast packets that violate an ACL.
 for is in 1 2 3; do
     for js in 1 2 3; do
         s=$is$js
         bcast=
 	unknown=
+	bacl2=
+	bacl3=
         for id in 1 2 3; do
             for jd in 1 2 3; do
                 d=$id$jd
-                impersonate=
-                if test $d != $s; then
-                    unicast=$d
-                    bcast="$bcast $d"
-                    if test $js = 1; then
-                        impersonate=$d
-                    fi
-		    if test $jd = 1; then
-		        unknown="$unknown $d"
-		    fi
-                else
-                    unicast=
-                fi
+
+                if test $d != $s; then unicast=$d; else unicast=; fi
                 test_packet $s f000000000$d f000000000$s $s$d $unicast     #1
+
+                if test $d != $s && test $js = 1; then
+		    impersonate=$d
+		else
+		    impersonate=
+		fi
                 test_packet $s f000000000$d f00000000055 55$d $impersonate #3
+
+		if test $d != $s && test $s != 11; then acl2=$d; else acl2=; fi
+		if test $d != $s && test $d != 33; then acl3=$d; else acl3=; fi
+                test_packet $s f000000000$d f000000000$s 1234        #7, acl1
+                test_packet $s f000000000$d f000000000$s 1235 $acl2  #7, acl2
+                test_packet $s f000000000$d f000000000$s 1236 $acl3  #7, acl3
+
                 test_packet $s f000000000$d f00000000055 810000091234      #4
                 test_packet $s f000000000$d 0100000000$s $s$d              #5
+
+		if test $d != $s && test $jd = 1; then
+		    unknown="$unknown $d"
+		fi
+                bcast="$bcast $unicast"
+                bacl2="$bacl2 $acl2"
+                bacl3="$bacl3 $acl3"
             done
         done
 
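Review bot: The new lines mix tab and space indentation inside one loop body — the `impersonate`, `acl2`/`acl3` and `unknown` blocks are at tab depth while the `unicast` one-liner and the `test_packet` calls use spaces — and `unicast` gets a one-line `if ...; fi` while `impersonate` gets the four-line form for the same shape of test; pick one indentation and one form, e.g. `if test $d != $s && test $js = 1; then impersonate=$d; else impersonate=; fi`. The `#7, acl1` call passes no expected destination at all and presumably relies on test_packet treating an absent list as "dropped everywhere"; a short comment such as `# no expected destinations: the ACL should drop the packet` before it would make that intent explicit rather than implied by the trailing `#7, acl1` tag. The enclosing `for is`/`for js` loops close after the hunk, so the `bcast`/`bacl2`/`bacl3` lists accumulated here are consumed outside it.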
@@ -547,6 +571,13 @@ for is in 1 2 3; do
         test_packet $s 010000000000 f00000000044 44ff $bcast_impersonate   #3
 
         test_packet $s f0000000ffff f000000000$s ${s}66 $unknown           #6
+
+        test_packet $s ffffffffffff f000000000$s 1234                #8, acl1
+        test_packet $s ffffffffffff f000000000$s 1235 $bacl2         #8, acl2
+        test_packet $s ffffffffffff f000000000$s 1236 $bacl3         #8, acl3
+        test_packet $s 010000000000 f000000000$s 1234                #8, acl1
+        test_packet $s 010000000000 f000000000$s 1235 $bacl2         #8, acl2
+        test_packet $s 010000000000 f000000000$s 1236 $bacl3         #8, acl3
     done
 done
 
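Review bot: The #8 checks cover the broadcast (`ffffffffffff`) and multicast (`010000000000`) destinations but not the unknown-unicast flood path that #6 exercises with `f0000000ffff`, so a packet to an unknown MAC with Ethertype 1234 that is flooded to the "unknown" ports is never asserted to be dropped; if ACLs are meant to apply to flooded traffic as well, `test_packet $s f0000000ffff f000000000$s 1234  #8, acl1` next to the #6 line would close that gap, and the 1235 variant would expect `$unknown` except when `$s` is 11, where it is empty. The `bacl2`/`bacl3` lists this hunk consumes are built in the previous hunk, and the `for is`/`for js` loops it sits in open there too.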
-- 
2.1.3



