[ovs-dev] [PATCH] ovn: support acl logging for INVALID packets

Han Zhou zhouhan at gmail.com
Wed Aug 30 22:42:31 UTC 2017


INVALID packets don't map to any ACL, but sometimes we need to
know when these packets are detected and dropped. This patch supports
logging for such packets and provides a global configuration in NB
to enable/disable this behavior. Default behavior is not logging,
so that it is backward compatible.

Signed-off-by: Han Zhou <zhouhan at gmail.com>
---
 ovn/northd/ovn-northd.c | 20 +++++++++++++-------
 ovn/ovn-nb.ovsschema    |  8 +++++---
 ovn/ovn-nb.xml          |  6 ++++++
 tests/ovn.at            | 11 ++++++++++-
 4 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 49e4ac3..b003d96 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -3052,7 +3052,8 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl)
 }
 
 static void
-build_acls(struct ovn_datapath *od, struct hmap *lflows)
+build_acls(struct northd_context *ctx, struct ovn_datapath *od,
+           struct hmap *lflows)
 {
     bool has_stateful = has_stateful_acl(od);
 
@@ -3098,12 +3099,16 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)
          * for deletion (bit 0 of ct_label is set).
          *
          * This is enforced at a higher priority than ACLs can be defined. */
+        const struct nbrec_nb_global *nbg = nbrec_nb_global_first(ctx->ovnnb_idl);
+        bool acl_log_invalid = nbg ? nbg->acl_log_invalid : false;
         ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
                       "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
-                      "drop;");
+                      acl_log_invalid ?
+                      "log(name=\"INVALID\", verdict=drop); /* drop */" : "drop;");
         ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
                       "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
-                      "drop;");
+                      acl_log_invalid ?
+                      "log(name=\"INVALID\", verdict=drop); /* drop */" : "drop;");
 
         /* Ingress and Egress ACL Table (Priority 65535).
          *
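Review bot: `bool acl_log_invalid = nbg ? nbg->acl_log_invalid : false;` very likely tests a pointer rather than the column's value: the schema adds `acl_log_invalid` as an optional column (`"min": 0, "max": 1`), and for optional scalar columns the IDL generates a `bool *` field (this file already handles the optional `enabled` column of Logical_Switch_Port that way, via `!lsp->enabled || *lsp->enabled`), so an explicit `acl_log_invalid=false` would still enable logging. If that is the generated type, read it as `bool acl_log_invalid = nbg && nbg->acl_log_invalid && *nbg->acl_log_invalid;`, or make the column mandatory in the schema so the field is a plain `bool`. The `nbrec_nb_global_first()` lookup is also repeated for every logical switch, since build_acls() is called once per datapath; reading it once in the caller and passing the flag down would avoid that and keep `ctx` out of build_acls(). build_acls() starts and ends outside this hunk.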
@@ -3478,8 +3483,9 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows)
 }
 
 static void
-build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
-                    struct hmap *lflows, struct hmap *mcgroups)
+build_lswitch_flows(struct northd_context *ctx, struct hmap *datapaths,
+                    struct hmap *ports, struct hmap *lflows,
+                    struct hmap *mcgroups)
 {
     /* This flow table structure is documented in ovn-northd(8), so please
      * update ovn-northd.8.xml if you change anything. */
@@ -3498,7 +3504,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
         build_pre_acls(od, lflows);
         build_pre_lb(od, lflows);
         build_pre_stateful(od, lflows);
-        build_acls(od, lflows);
+        build_acls(ctx, od, lflows);
         build_qos(od, lflows);
         build_lb(od, lflows);
         build_stateful(od, lflows);
@@ -5658,7 +5664,7 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths,
     struct hmap lflows = HMAP_INITIALIZER(&lflows);
     struct hmap mcgroups = HMAP_INITIALIZER(&mcgroups);
 
-    build_lswitch_flows(datapaths, ports, &lflows, &mcgroups);
+    build_lswitch_flows(ctx, datapaths, ports, &lflows, &mcgroups);
     build_lrouter_flows(datapaths, ports, &lflows);
 
     /* Push changes to the Logical_Flow table to database. */
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index a077bfb..2db788e 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Northbound",
-    "version": "5.8.0",
-    "cksum": "2812300190 16766",
+    "version": "5.9.0",
+    "cksum": "2103124828 16872",
     "tables": {
         "NB_Global": {
             "columns": {
@@ -19,7 +19,9 @@
                 "ssl": {
                     "type": {"key": {"type": "uuid",
                                      "refTable": "SSL"},
-                                     "min": 0, "max": 1}}},
+                                     "min": 0, "max": 1}},
+                "acl_log_invalid": {
+                    "type": {"key": "boolean", "min": 0, "max": 1}}},
             "maxRows": 1,
             "isRoot": true},
         "Logical_Switch": {
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index be72610..1cf349e 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -80,6 +80,12 @@
         Global SSL configuration.
       </column>
     </group>
+    <group title="ACL Logging Options">
+      These columns controls the behaviour related to ACL logging.
+      <column name="acl_log_invalid">
+        Whether to log the packets classified as invalid by conntrack.
+      </column>
+    </group>
   </table>
 
   <table name="Logical_Switch" title="L2 logical switch">
diff --git a/tests/ovn.at b/tests/ovn.at
index fb9fc73..c3af03d 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -5775,6 +5775,8 @@ ovn-nbctl --wait=sb lsp-add lsw0 lp1
 ovn-nbctl --wait=sb lsp-add lsw0 lp2
 ovn-nbctl lsp-set-addresses lp1 $lp1_mac
 ovn-nbctl lsp-set-addresses lp2 $lp2_mac
+# enable logging for invalid packets
+ovn-nbctl set nb_global . acl_log_invalid=true
 ovn-nbctl --wait=sb sync
 
 ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==80' drop
@@ -5840,13 +5842,20 @@ packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&
         tcp && tcp.flags==2 && tcp.src==4367 && tcp.dst==87"
 as hv ovs-appctl -t ovn-controller inject-pkt "$packet"
 
-OVS_WAIT_UNTIL([ test 4 = $(grep -c 'acl_log' hv/ovn-controller.log) ])
+# Send packet that is invalid and should be dropped with logging.
+packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&
+        ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip &&
+        tcp && tcp.src==4367 && tcp.dst==99"
+as hv ovs-appctl -t ovn-controller inject-pkt "$packet"
+
+OVS_WAIT_UNTIL([ test 5 = $(grep -c 'acl_log' hv/ovn-controller.log) ])
 
 AT_CHECK([grep 'acl_log' hv/ovn-controller.log | sed 's/.*name=/name=/'], [0], [dnl
 name="drop-flow", verdict=drop, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4361,tp_dst=81,tcp_flags=syn
 name="allow-flow", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4363,tp_dst=83,tcp_flags=syn
 name="<unnamed>", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4365,tp_dst=85,tcp_flags=syn
 name="reject-flow", verdict=reject, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=87,tcp_flags=syn
+name="INVALID", verdict=drop, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=99,tcp_flags=0
 ])
 
 OVN_CLEANUP([hv])
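Review bot: The new test only exercises the enabled path; because the column is optional, a negative check that sets `acl_log_invalid=false` explicitly and asserts the `acl_log` count stays at 4 would catch a flag that is read as set-or-unset rather than true-or-false. The expected line also shows the INVALID drop logged at `severity=info` while the ACL drops above it are `severity=alert`; if that difference is not intended, add `severity=alert` to the log action built in ovn-northd.c, which the existing expected output shows the action accepts. Since this matches ct.inv on every logical switch it can be noisy, so it is worth confirming that ovn-controller's ACL log path is rate-limited before recommending the option broadly.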
-- 
2.1.0


