[ovs-dev] [PATCH ovn v2 5/9] ovn.at: Add test case for duplicated flow handling.

Han Zhou hzhou at ovn.org
Mon Sep 7 06:45:38 UTC 2020


In ofctrl_put() of controller/ofctrl.c, some special considerations have been
made to handle duplicated match conditions from different desired flows
because OVS doesn't allow multiple flows with the same priority and same match
condition. This patch adds a test to cover such scenarios and make sure it
works as expected.

Signed-off-by: Han Zhou <hzhou at ovn.org>
---
 tests/ovn.at | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)

diff --git a/tests/ovn.at b/tests/ovn.at
index 31cfddc..3414de9 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -21537,3 +21537,123 @@ OVS_WAIT_UNTIL([test x$(as hv1 ovn-appctl -t ovn-controller debug/status) = "xru
 
 OVN_CLEANUP([hv1])
 AT_CLEANUP
+
+# Duplicate ACLs (same match with same action) should work as expected.
+# Conflict ACLs (same match with different actions) behavior is unpredictable
+# (only one of them would work).
+# This test covers both situation and also makes sure adding/deleting in
+# different order is handled properly (duplicated flow handling in ofctrl_put()
+# of ovn-controller)
+AT_SETUP([ovn -- conflict or duplicate ACLs resulting in same OVS match])
+ovn_start
+
+ovn-nbctl ls-add ls1
+
+ovn-nbctl lsp-add ls1 lsp1 \
+-- lsp-set-addresses lsp1 "f0:00:00:00:00:01 10.0.0.1"
+
+ovn-nbctl lsp-add ls1 lsp2 \
+-- lsp-set-addresses lsp2 "f0:00:00:00:00:02 10.0.0.2"
+
+net_add n1
+sim_add hv1
+
+as hv1
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.1
+ovs-vsctl -- add-port br-int hv1-vif1 -- \
+    set interface hv1-vif1 external-ids:iface-id=lsp1 \
+    options:tx_pcap=hv1/vif1-tx.pcap \
+    options:rxq_pcap=hv1/vif1-rx.pcap \
+    ofport-request=1
+
+ovs-vsctl -- add-port br-int hv1-vif2 -- \
+    set interface hv1-vif2 external-ids:iface-id=lsp2 \
+    options:tx_pcap=hv1/vif2-tx.pcap \
+    options:rxq_pcap=hv1/vif2-rx.pcap \
+    ofport-request=2
+
+# Default drop
+ovn-nbctl acl-add ls1 to-lport 1000 \
+'outport == "lsp1" && ip4' drop
+
+# test_ip INPORT SRC_MAC DST_MAC SRC_IP DST_IP OUTPORT...
+#
+# This shell function causes an ip packet to be received on INPORT.
+# The packet's content has Ethernet destination DST and source SRC
+# (each exactly 12 hex digits) and Ethernet type ETHTYPE (4 hex digits).
+# The OUTPORTs (zero or more) list the VIFs on which the packet should
+# be received.  INPORT and the OUTPORTs are specified as logical switch
+# port numbers, e.g. 11 for vif11.
+test_ip() {
+    # This packet has bad checksums but logical L3 routing doesn't check.
+    local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5
+    local packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}\
+${dst_ip}0035111100080000
+    shift; shift; shift; shift; shift
+    as hv1 ovs-appctl netdev-dummy/receive hv1-vif$inport $packet
+    for outport; do
+        echo $packet >> $outport.expected
+    done
+}
+
+ip_to_hex() {
+    printf "%02x%02x%02x%02x" "$@"
+}
+
+reset_pcap_file() {
+    local iface=$1
+    local pcap_file=$2
+    ovs-vsctl -- set Interface $iface options:tx_pcap=dummy-tx.pcap \
+options:rxq_pcap=dummy-rx.pcap
+    rm -f ${pcap_file}*.pcap
+    ovs-vsctl -- set Interface $iface options:tx_pcap=${pcap_file}-tx.pcap \
+options:rxq_pcap=${pcap_file}-rx.pcap
+}
+
+
+# Create overlapping ACLs resulting in duplicated desired OVS flows
+ovn-nbctl acl-add ls1 to-lport 1001 \
+'outport == "lsp1" && ip4 && ip4.src == 10.0.0.2' allow
+ovn-nbctl acl-add ls1 to-lport 1001 \
+'outport == "lsp1" && ip4 && ip4.src == {10.0.0.2, 10.0.0.3}' allow
+
+ovn-nbctl --wait=hv sync
+
+sip=`ip_to_hex 10 0 0 2`
+dip=`ip_to_hex 10 0 0 1`
+test_ip 2 f00000000002 f00000000001 $sip $dip 1
+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [1.expected])
+
+# Delete one of the ACLs.
+ovn-nbctl acl-del ls1 to-lport 1001 \
+'outport == "lsp1" && ip4 && ip4.src == {10.0.0.2, 10.0.0.3}'
+
+test_ip 2 f00000000002 f00000000001 $sip $dip 1
+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [1.expected])
+
+# Add a conflict ACL with drop action.
+ovn-nbctl acl-add ls1 to-lport 1001 \
+'outport == "lsp1" && ip4 && ip4.src == {10.0.0.2, 10.0.0.3}' drop
+# Don't test because it is unpredicatable which rule will take effect.
+
+# Delete the ACL that has "allow" action
+ovn-nbctl acl-del ls1 to-lport 1001 \
+'outport == "lsp1" && ip4 && ip4.src == 10.0.0.2'
+
+# Packet should be dropped
+test_ip 2 f00000000002 f00000000001 $sip $dip
+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [1.expected])
+
+# Add the ACL back and delete the "drop" ACL
+ovn-nbctl acl-add ls1 to-lport 1001 \
+'outport == "lsp1" && ip4 && ip4.src == 10.0.0.2' allow
+ovn-nbctl acl-del ls1 to-lport 1001 \
+'outport == "lsp1" && ip4 && ip4.src == {10.0.0.2, 10.0.0.3}'
+
+# Packet should be received
+test_ip 2 f00000000002 f00000000001 $sip $dip 1
+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [1.expected])
+
+OVN_CLEANUP([hv1])
+AT_CLEANUP
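Review bot: Only the first pair of ACLs is followed by `ovn-nbctl --wait=hv sync`; every later `acl-del`/`acl-add` goes straight to `test_ip`, so the packet can be injected before ovn-controller has installed the updated flows. For the two allow checks, stale flows would still forward the packet, so those steps can pass without exercising the duplicated-flow handling in ofctrl_put(). For the "Packet should be dropped" step, `1.expected` is unchanged, so the outcome appears to depend on timing rather than on the drop ACL being enforced. I would add `ovn-nbctl --wait=hv sync` after each ACL change and before the following `test_ip`. Minor points: `reset_pcap_file` is defined but never called in this test, and the `test_ip` header comment mentions an ETHTYPE argument that the function does not take.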
-- 
2.1.0


