[ovs-dev] [PATCH ovn 5/5] ovn-northd: Use reject OVN action for reject ACL.

Numan Siddique numans at ovn.org
Mon Oct 5 18:23:49 UTC 2020


On Mon, Oct 5, 2020 at 11:20 PM <numans at ovn.org> wrote:
>
> From: Numan Siddique <numans at ovn.org>
>
> Before this patch, we were adding 4 lflows for a reject ACL (with no allow-related ACLs present)
> and 8 lflows for a reject ACL (with other allow-related ACLs present).
>
> With this patch, there will be just one lflow for each reject ACL. This reduces the
> number of lflows and size of the south db and it will be helpful in large scale
> deployments.
>
> Signed-off-by: Numan Siddique <numans at ovn.org>


I made a mistake in sending the patches. Please ignore this patch.
Instead consider this one -
https://mail.openvswitch.org/pipermail/ovs-dev/2020-October/375763.html

Both are the same except the commit message.

Thanks
Numan

> ---
>  northd/ovn-northd.c |  50 +----------
>  tests/ovn-northd.at | 214 +++++++-------------------------------------
>  tests/system-ovn.at |  46 +++++++++-
>  3 files changed, 81 insertions(+), 229 deletions(-)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index d5fd7da03a..12a27611cc 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -5422,57 +5422,15 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
>      if (extra_match->length > 0) {
>          ds_put_format(&match, "(%s) && ", extra_match->string);
>      }
> -    ds_put_format(&match, "ip4 && tcp && (%s)", acl->match);
> -    ds_put_format(&actions, "reg0 = 0; "
> -                  "eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
> -                  "tcp_reset { outport <-> inport; %s };", next_action);
> -    ovn_lflow_add_with_hint(lflows, od, stage,
> -                            acl->priority + OVN_ACL_PRI_OFFSET + 10,
> -                            ds_cstr(&match), ds_cstr(&actions), stage_hint);
> -    ds_clear(&match);
> -    ds_clear(&actions);
> -    build_acl_log(&actions, acl);
> -    if (extra_match->length > 0) {
> -        ds_put_format(&match, "(%s) && ", extra_match->string);
> -    }
> -    ds_put_format(&match, "ip6 && tcp && (%s)", acl->match);
> -    ds_put_format(&actions, "reg0 = 0; "
> -                  "eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
> -                  "tcp_reset { outport <-> inport; %s };", next_action);
> -    ovn_lflow_add_with_hint(lflows, od, stage,
> -                            acl->priority + OVN_ACL_PRI_OFFSET + 10,
> -                            ds_cstr(&match), ds_cstr(&actions), stage_hint);
> +    ds_put_cstr(&match, acl->match);
>
> -    /* IP traffic */
> -    ds_clear(&match);
> -    ds_clear(&actions);
> -    build_acl_log(&actions, acl);
> -    if (extra_match->length > 0) {
> -        ds_put_format(&match, "(%s) && ", extra_match->string);
> -    }
> -    ds_put_format(&match, "ip4 && (%s)", acl->match);
>      if (extra_actions->length > 0) {
>          ds_put_format(&actions, "%s ", extra_actions->string);
>      }
> +
>      ds_put_format(&actions, "reg0 = 0; "
> -                  "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
> -                  "outport <-> inport; %s };", next_action);
> -    ovn_lflow_add_with_hint(lflows, od, stage,
> -                            acl->priority + OVN_ACL_PRI_OFFSET,
> -                            ds_cstr(&match), ds_cstr(&actions), stage_hint);
> -    ds_clear(&match);
> -    ds_clear(&actions);
> -    build_acl_log(&actions, acl);
> -    if (extra_match->length > 0) {
> -        ds_put_format(&match, "(%s) && ", extra_match->string);
> -    }
> -    ds_put_format(&match, "ip6 && (%s)", acl->match);
> -    if (extra_actions->length > 0) {
> -        ds_put_format(&actions, "%s ", extra_actions->string);
> -    }
> -    ds_put_format(&actions, "reg0 = 0; icmp6 { "
> -                  "eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
> -                  "outport <-> inport; %s };", next_action);
> +                "reject { eth.dst <-> eth.src; ip.dst <-> ip.src; "
> +                "outport <-> inport; %s };", next_action);
>      ovn_lflow_add_with_hint(lflows, od, stage,
>                              acl->priority + OVN_ACL_PRI_OFFSET,
>                              ds_cstr(&match), ds_cstr(&actions), stage_hint);
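Review bot: The new match at the `ds_put_cstr(&match, acl->match)` line appends the user-supplied ACL match without the surrounding parentheses the removed lines had (`"ip4 && (%s)"`), so when extra_match is non-empty the result is `(extra) && <acl match>` with the ACL text spliced in at top level. An ACL match containing a top-level `||` (e.g. `a || b`) then yields `(reg0[9] == 1) && a || b`; depending on how OVN's match grammar treats unparenthesized `&&`/`||` mixing, the lflow is either rejected by the parser and silently never installed, or the conntrack-state qualifier gates only the first disjunct — in both cases the reject ACL no longer applies as written. Keep the grouping: `ds_put_format(&match, "(%s)", acl->match);`. The tests/ovn-northd.at hunk only uses `&&`-only ACL matches, so it would not catch this; a case with a top-level `||` alongside an allow-related ACL would. build_reject_acl_rules starts before and continues after this hunk.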
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index d020d3921a..fe92a99533 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -2047,232 +2047,86 @@ ovn-nbctl --wait=hv sync
>
>  AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl
>    table=7 (ls_in_acl          ), priority=2002 , dnl
> -match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };)
> -  table=7 (ls_in_acl          ), priority=2002 , dnl
> -match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };)
> -  table=7 (ls_in_acl          ), priority=2012 , dnl
> -match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
> -  table=7 (ls_in_acl          ), priority=2012 , dnl
> -match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
> +match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=egress,table=6); };)
>  ])
>
>  AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl
>    table=7 (ls_in_acl          ), priority=2002 , dnl
> -match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };)
> -  table=7 (ls_in_acl          ), priority=2002 , dnl
> -match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };)
> -  table=7 (ls_in_acl          ), priority=2012 , dnl
> -match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
> -  table=7 (ls_in_acl          ), priority=2012 , dnl
> -match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
> +match=(inport == @pg0 && ip4 && tcp && tcp.dst == 80), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=egress,table=6); };)
>  ])
>
>  AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
>    table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=(outport == @pg0 && ip6 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>  ])
>
>  AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
>    table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=(outport == @pg0 && ip6 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>  ])
>
>  ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject
>
>  AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
>    table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=(outport == @pg0 && ip4 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>    table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=(outport == @pg0 && ip6 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>  ])
>
>  AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
>    table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=(outport == @pg0 && ip4 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>    table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=(outport == @pg0 && ip6 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>  ])
>
>  ovn-nbctl --wait=sb acl-add pg0 to-lport 1001 "outport == @pg0 && ip" allow-related
>
>  AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
>    table=5 (ls_out_acl         ), priority=2001 , dnl
> -match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl
> -action=(reg0[[1]] = 1; next;)
> +match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
>    table=5 (ls_out_acl         ), priority=2001 , dnl
>  match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
>    table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), dnl
> +action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>    table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>    table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), dnl
> +action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>    table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>  ])
>
>  AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
>    table=5 (ls_out_acl         ), priority=2001 , dnl
> -match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl
> -action=(reg0[[1]] = 1; next;)
> +match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), action=(reg0[[1]] = 1; next;)
>    table=5 (ls_out_acl         ), priority=2001 , dnl
>  match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
>    table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=((reg0[[10]] == 1) && outport == @pg0 && ip4 && udp), dnl
> +action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>    table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2002 , dnl
> -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=((reg0[[9]] == 1) && outport == @pg0 && ip4 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>    table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=((reg0[[10]] == 1) && outport == @pg0 && ip6 && udp), dnl
> +action=(ct_commit { ct_label.blocked = 1; };  reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>    table=5 (ls_out_acl         ), priority=2003 , dnl
> -match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2012 , dnl
> -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> -  table=5 (ls_out_acl         ), priority=2013 , dnl
> -match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
> -action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
> +match=((reg0[[9]] == 1) && outport == @pg0 && ip6 && udp), dnl
> +action=(reg0 = 0; reject { eth.dst <-> eth.src; ip.dst <-> ip.src; outport <-> inport; next(pipeline=ingress,table=20); };)
>  ])
>
>  AT_CLEANUP
> diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> index 420610f89f..b8e6ea32a8 100644
> --- a/tests/system-ovn.at
> +++ b/tests/system-ovn.at
> @@ -4473,9 +4473,6 @@ ovn-nbctl lsp-add sw0 sw0-p2-rej
>  ovn-nbctl lsp-set-addresses sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4"
>  ovn-nbctl lsp-set-port-security sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4"
>
> -#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p1\" && tcp && tcp.dst == 80" reject
> -#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p2\" && ip6 && tcp && tcp.dst == 80" reject
> -
>  # Create port group and ACLs for sw0 ports.
>  ovn-nbctl pg-add pg0_drop sw0-p1-rej sw0-p2-rej
>  ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop
> @@ -4638,6 +4635,49 @@ aef0::3 udp port objcall" | uniq | wc -l)
>      test $c -eq 1
>  ])
>
> +# Delete all the ACLs of pg0 and add the ACL with a generic match with reject action.
> +ovn-nbctl pg-del pg0
> +ovn-nbctl pg-add pg0 sw0-p1-rej sw0-p2-rej
> +ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && (tcp || udp)" reject
> +
> +OVS_WAIT_UNTIL([
> +    ip netns exec sw0-p1-rej nc  10.0.0.4 80 2> r
> +    res=$(cat r)
> +    echo "result = $res"
> +    test "$res" = "Ncat: Connection refused."
> +])
> +
> +OVS_WAIT_UNTIL([
> +    ip netns exec sw0-p2-rej nc -6 aef0::3 80 2> r
> +    res=$(cat r)
> +    test "$res" = "Ncat: Connection refused."
> +])
> +
> +rm -f *.pcap
> +
> +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej icmp > sw0-p1-rej-icmp.pcap &], [0])
> +
> +printf '.%.0s' {1..100} > foo
> +OVS_WAIT_UNTIL([
> +    ip netns exec sw0-p1-rej nc -u 10.0.0.4 90 < foo
> +    c=$(cat sw0-p1-rej-icmp.pcap | grep \
> +"10.0.0.4 > 10.0.0.3: ICMP 10.0.0.4 udp port dnsix unreachable" | uniq | wc -l)
> +    test $c -eq 1
> +])
> +
> +rm -f *.pcap
> +# Now test for IPv6 UDP.
> +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej icmp6 > sw0-p2-rej-icmp6.pcap &], [0])
> +
> +OVS_WAIT_UNTIL([
> +    ip netns exec sw0-p2-rej nc -u -6 aef0::3 90 < foo
> +    c=$(cat sw0-p2-rej-icmp6.pcap | grep \
> +"IP6 aef0::3 > aef0::4: ICMP6, destination unreachable, unreachable port, \
> +aef0::3 udp port dnsix" | uniq | wc -l)
> +    test $c -eq 1
> +])
> +
> +
>  OVS_APP_EXIT_AND_WAIT([ovn-controller])
>
>  as ovn-sb
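Review bot: The first OVS_WAIT_UNTIL block keeps a leftover debug print, `echo "result = $res"`, which the IPv6 counterpart omits; drop it or apply it to both so the two checks read the same. The two `c=$(cat ... | grep ...)` pipelines are also better written as `c=$(grep ... file | uniq | wc -l)`. Both nc checks compare stderr against the Ncat-specific text "Ncat: Connection refused." and ignore nc's exit status, which presumably mirrors the earlier reject checks in this file; if so it is consistent, but it does tie the test to one nc implementation.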
> --
> 2.26.2
>
