[ovs-dev] [PATCH] ovn: support acl logging for INVALID packets

Ben Pfaff blp at ovn.org
Mon Oct 30 20:52:25 UTC 2017


Justin, are you going to take a look at this?

On Wed, Aug 30, 2017 at 03:42:31PM -0700, Han Zhou wrote:
> INVALID packets don't map to any ACL, but sometimes we need to
> know when these packets are detected and dropped. This patch supports
> logging for such packets and provides a global configuration in NB
> to enable/disable this behavior. Default behavior is not logging,
> so that it is backward compatible.
> 
> Signed-off-by: Han Zhou <zhouhan at gmail.com>
> ---
>  ovn/northd/ovn-northd.c | 20 +++++++++++++-------
>  ovn/ovn-nb.ovsschema    |  8 +++++---
>  ovn/ovn-nb.xml          |  6 ++++++
>  tests/ovn.at            | 11 ++++++++++-
>  4 files changed, 34 insertions(+), 11 deletions(-)
> 
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 49e4ac3..b003d96 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -3052,7 +3052,8 @@ build_acl_log(struct ds *actions, const struct nbrec_acl *acl)
>  }
>  
>  static void
> -build_acls(struct ovn_datapath *od, struct hmap *lflows)
> +build_acls(struct northd_context *ctx, struct ovn_datapath *od,
> +           struct hmap *lflows)
>  {
>      bool has_stateful = has_stateful_acl(od);
>  
> @@ -3098,12 +3099,16 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)
>           * for deletion (bit 0 of ct_label is set).
>           *
>           * This is enforced at a higher priority than ACLs can be defined. */
> +        const struct nbrec_nb_global *nbg = nbrec_nb_global_first(ctx->ovnnb_idl);
> +        bool acl_log_invalid = nbg ? nbg->acl_log_invalid : false;
>          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
>                        "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
> -                      "drop;");
> +                      acl_log_invalid ?
> +                      "log(name=\"INVALID\", verdict=drop); /* drop */" : "drop;");
>          ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
>                        "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
> -                      "drop;");
> +                      acl_log_invalid ?
> +                      "log(name=\"INVALID\", verdict=drop); /* drop */" : "drop;");
>  
>          /* Ingress and Egress ACL Table (Priority 65535).
>           *
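Review bot: `nbg->acl_log_invalid` on the new line reads an optional column (`"min": 0, "max": 1` in the schema hunk), and for such scalar columns the OVS IDL generates a pointer plus an `n_` count rather than a plain `bool`, so `nbg ? nbg->acl_log_invalid : false` would compile as a pointer-to-bool conversion and evaluate true whenever the column is set, even to `false`; please confirm against the generated ovn-nb.h. If that is the case, test presence and value explicitly, e.g. `bool acl_log_invalid = nbg && nbg->n_acl_log_invalid && nbg->acl_log_invalid[0];`, or declare the column with `"min": 1, "max": 1` so it always carries a plain boolean that defaults to false. The lookup also runs once per datapath; since NB_Global is a single-row table it could be read once in build_lswitch_flows and passed down as a bool, which would avoid widening build_acls to take the whole context. The emitted `log(name="INVALID", verdict=drop)` omits `severity=`, so these drops land at severity=info (see the expected test output) while the other drop verdicts in the same test log at severity=alert; consider stating the severity explicitly or documenting the difference in ovn-nb.xml. build_acls's body continues outside the hunk.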
> @@ -3478,8 +3483,9 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows)
>  }
>  
>  static void
> -build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
> -                    struct hmap *lflows, struct hmap *mcgroups)
> +build_lswitch_flows(struct northd_context *ctx, struct hmap *datapaths,
> +                    struct hmap *ports, struct hmap *lflows,
> +                    struct hmap *mcgroups)
>  {
>      /* This flow table structure is documented in ovn-northd(8), so please
>       * update ovn-northd.8.xml if you change anything. */
> @@ -3498,7 +3504,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
>          build_pre_acls(od, lflows);
>          build_pre_lb(od, lflows);
>          build_pre_stateful(od, lflows);
> -        build_acls(od, lflows);
> +        build_acls(ctx, od, lflows);
>          build_qos(od, lflows);
>          build_lb(od, lflows);
>          build_stateful(od, lflows);
> @@ -5658,7 +5664,7 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths,
>      struct hmap lflows = HMAP_INITIALIZER(&lflows);
>      struct hmap mcgroups = HMAP_INITIALIZER(&mcgroups);
>  
> -    build_lswitch_flows(datapaths, ports, &lflows, &mcgroups);
> +    build_lswitch_flows(ctx, datapaths, ports, &lflows, &mcgroups);
>      build_lrouter_flows(datapaths, ports, &lflows);
>  
>      /* Push changes to the Logical_Flow table to database. */
> diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
> index a077bfb..2db788e 100644
> --- a/ovn/ovn-nb.ovsschema
> +++ b/ovn/ovn-nb.ovsschema
> @@ -1,7 +1,7 @@
>  {
>      "name": "OVN_Northbound",
> -    "version": "5.8.0",
> -    "cksum": "2812300190 16766",
> +    "version": "5.9.0",
> +    "cksum": "2103124828 16872",
>      "tables": {
>          "NB_Global": {
>              "columns": {
> @@ -19,7 +19,9 @@
>                  "ssl": {
>                      "type": {"key": {"type": "uuid",
>                                       "refTable": "SSL"},
> -                                     "min": 0, "max": 1}}},
> +                                     "min": 0, "max": 1}},
> +                "acl_log_invalid": {
> +                    "type": {"key": "boolean", "min": 0, "max": 1}}},
>              "maxRows": 1,
>              "isRoot": true},
>          "Logical_Switch": {
> diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
> index be72610..1cf349e 100644
> --- a/ovn/ovn-nb.xml
> +++ b/ovn/ovn-nb.xml
> @@ -80,6 +80,12 @@
>          Global SSL configuration.
>        </column>
>      </group>
> +    <group title="ACL Logging Options">
> +      These columns controls the behaviour related to ACL logging.
> +      <column name="acl_log_invalid">
> +        Whether to log the packets classified as invalid by conntrack.
> +      </column>
> +    </group>
>    </table>
>  
>    <table name="Logical_Switch" title="L2 logical switch">
> diff --git a/tests/ovn.at b/tests/ovn.at
> index fb9fc73..c3af03d 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -5775,6 +5775,8 @@ ovn-nbctl --wait=sb lsp-add lsw0 lp1
>  ovn-nbctl --wait=sb lsp-add lsw0 lp2
>  ovn-nbctl lsp-set-addresses lp1 $lp1_mac
>  ovn-nbctl lsp-set-addresses lp2 $lp2_mac
> +# enable logging for invalid packets
> +ovn-nbctl set nb_global . acl_log_invalid=true
>  ovn-nbctl --wait=sb sync
>  
>  ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==80' drop
> @@ -5840,13 +5842,20 @@ packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&
>          tcp && tcp.flags==2 && tcp.src==4367 && tcp.dst==87"
>  as hv ovs-appctl -t ovn-controller inject-pkt "$packet"
>  
> -OVS_WAIT_UNTIL([ test 4 = $(grep -c 'acl_log' hv/ovn-controller.log) ])
> +# Send packet that is invalid and should be dropped with logging.
> +packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&
> +        ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip &&
> +        tcp && tcp.src==4367 && tcp.dst==99"
> +as hv ovs-appctl -t ovn-controller inject-pkt "$packet"
> +
> +OVS_WAIT_UNTIL([ test 5 = $(grep -c 'acl_log' hv/ovn-controller.log) ])
>  
>  AT_CHECK([grep 'acl_log' hv/ovn-controller.log | sed 's/.*name=/name=/'], [0], [dnl
>  name="drop-flow", verdict=drop, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4361,tp_dst=81,tcp_flags=syn
>  name="allow-flow", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4363,tp_dst=83,tcp_flags=syn
>  name="<unnamed>", verdict=allow, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4365,tp_dst=85,tcp_flags=syn
>  name="reject-flow", verdict=reject, severity=alert: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=87,tcp_flags=syn
> +name="INVALID", verdict=drop, severity=info: tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=99,tcp_flags=0
>  ])
>  
>  OVN_CLEANUP([hv])
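Review bot: The new test only covers `acl_log_invalid=true`, so the backward-compatibility claim in the commit message (no logging unless enabled) is not pinned; a check before `ovn-nbctl set nb_global . acl_log_invalid=true` that no INVALID line appears, or an `ovn-sbctl lflow-list` grep showing the action is still `drop;` while the column is unset, would cover it. The injected packet at tcp.dst==99 sets no tcp.flags, which is presumably what makes conntrack classify it invalid and yields `tcp_flags=0` in the expected log line; a comment such as `# no SYN flag, so conntrack classifies the packet as invalid` above the inject would make the intent explicit. It also reuses tcp.src==4367 from the reject-flow packet above, which works but a distinct source port would make the two log lines easier to tell apart.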
> -- 
> 2.1.0
> 

