[ovs-dev] [PATCH] ovn-northd: Apply pre ACLs when using Port Groups

Han Zhou zhouhan at gmail.com
Thu Jun 21 07:07:09 UTC 2018


On Tue, Jun 19, 2018 at 7:15 PM, Han Zhou <zhouhan at gmail.com> wrote:
>
>
>
> On Tue, Jun 19, 2018 at 5:49 PM, Ben Pfaff <blp at ovn.org> wrote:
> >
> > On Tue, Jun 19, 2018 at 05:27:20PM -0700, Han Zhou wrote:
> > > All looks good to me except that the test case "ovn -- ACLs on Port
Groups"
> > > is broken with this change. I think it is because conntrack is not
> > > supported in the dummy datapath and so the stateful ACL would not
work in
> > > the test suites, and it was passing just because of this bug. So, to
fix
> > > the test case, you need below change:
> >
> > I would have guessed that conntrack works OK in the dummy datapath
> > because dpif-netdev supports conntrack.
>
> Ah, I admit that I am ignorant on this. I need to study more on it to
understand why this test case doesn't work. Is there any
tool/documentation/example on how to debug the dummy datapath conntrack,
such as dumping the conntrack table entries?
>
I checked more on this. I didn't find any tools to debug the user space
conntrack module, but I found "ovs-appctl dpif/dump-flows" useful for
debugging the dummy datapath. By dumping flow it shows the packets are
dropped because the conntrack state for the packets are marked as
"invalid". It is marked as invalid because the checksum we used in the test
packets are all 0s and conn_key_extract() returns false. This is why
stateful ACL seems not working in test cases, and probably this is why none
of the ACL test cases were actually testing "allow-related".

conn_key_extract() checks both L3 and L4 checksums. I tried with a single
ICMP request packet with correct IP header checksum and ICMP checksum, and
the packet went through the conntrack and was received successfully. So I
think there are 2 alternatives to test stateful ACLs in test cases.

option1: write a script to generate proper checksums, and use it in test
cases when correct checksum is required
option2: add an option to the dummy datapath to bypass checksum validation
in connection tracking

I will try option1 first, but any suggestions are welcome.

Thanks,
Han


More information about the dev mailing list