[ovs-dev] [PATCH ovn 3/3] northd: add chec_pkt_len lflows for ingress traffic
Lorenzo Bianconi
lorenzo.bianconi at redhat.com
Wed May 19 15:35:45 UTC 2021
Introduce chec_pkt_len action for ingress traffic entering the cluster
from a distributed gw router port or from a gw router.
Rearrange logical router ingress pipeline in order to properly manage
icmp error packets.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
---
northd/ovn-northd.c | 154 +++++++++++++-------------
tests/ovn-northd.at | 150 +++++++++++++-------------
tests/ovn.at | 258 ++++++++++++++++++++++++++++++++++++++++----
3 files changed, 394 insertions(+), 168 deletions(-)
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index ec63eb75c..95fcee69d 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -183,18 +183,18 @@ enum ovn_stage {
PIPELINE_STAGE(ROUTER, IN, LEARN_NEIGHBOR, 2, "lr_in_learn_neighbor") \
PIPELINE_STAGE(ROUTER, IN, IP_INPUT, 3, "lr_in_ip_input") \
PIPELINE_STAGE(ROUTER, IN, DEFRAG, 4, "lr_in_defrag") \
- PIPELINE_STAGE(ROUTER, IN, UNSNAT, 5, "lr_in_unsnat") \
- PIPELINE_STAGE(ROUTER, IN, DNAT, 6, "lr_in_dnat") \
- PIPELINE_STAGE(ROUTER, IN, ECMP_STATEFUL, 7, "lr_in_ecmp_stateful") \
- PIPELINE_STAGE(ROUTER, IN, ND_RA_OPTIONS, 8, "lr_in_nd_ra_options") \
- PIPELINE_STAGE(ROUTER, IN, ND_RA_RESPONSE, 9, "lr_in_nd_ra_response") \
- PIPELINE_STAGE(ROUTER, IN, IP_ROUTING, 10, "lr_in_ip_routing") \
- PIPELINE_STAGE(ROUTER, IN, IP_ROUTING_ECMP, 11, "lr_in_ip_routing_ecmp") \
- PIPELINE_STAGE(ROUTER, IN, POLICY, 12, "lr_in_policy") \
- PIPELINE_STAGE(ROUTER, IN, POLICY_ECMP, 13, "lr_in_policy_ecmp") \
- PIPELINE_STAGE(ROUTER, IN, ARP_RESOLVE, 14, "lr_in_arp_resolve") \
- PIPELINE_STAGE(ROUTER, IN, CHK_PKT_LEN , 15, "lr_in_chk_pkt_len") \
- PIPELINE_STAGE(ROUTER, IN, LARGER_PKTS, 16, "lr_in_larger_pkts") \
+ PIPELINE_STAGE(ROUTER, IN, CHK_PKT_LEN, 5, "lr_in_chk_pkt_len") \
+ PIPELINE_STAGE(ROUTER, IN, LARGER_PKTS, 6, "lr_in_larger_pkts") \
+ PIPELINE_STAGE(ROUTER, IN, UNSNAT, 7, "lr_in_unsnat") \
+ PIPELINE_STAGE(ROUTER, IN, DNAT, 8, "lr_in_dnat") \
+ PIPELINE_STAGE(ROUTER, IN, ECMP_STATEFUL, 9, "lr_in_ecmp_stateful") \
+ PIPELINE_STAGE(ROUTER, IN, ND_RA_OPTIONS, 10, "lr_in_nd_ra_options") \
+ PIPELINE_STAGE(ROUTER, IN, ND_RA_RESPONSE, 11, "lr_in_nd_ra_response") \
+ PIPELINE_STAGE(ROUTER, IN, IP_ROUTING, 12, "lr_in_ip_routing") \
+ PIPELINE_STAGE(ROUTER, IN, IP_ROUTING_ECMP, 13, "lr_in_ip_routing_ecmp") \
+ PIPELINE_STAGE(ROUTER, IN, POLICY, 14, "lr_in_policy") \
+ PIPELINE_STAGE(ROUTER, IN, POLICY_ECMP, 15, "lr_in_policy_ecmp") \
+ PIPELINE_STAGE(ROUTER, IN, ARP_RESOLVE, 16, "lr_in_arp_resolve") \
PIPELINE_STAGE(ROUTER, IN, GW_REDIRECT, 17, "lr_in_gw_redirect") \
PIPELINE_STAGE(ROUTER, IN, ARP_REQUEST, 18, "lr_in_arp_request") \
\
@@ -10399,6 +10399,67 @@ build_arp_resolve_flows_for_lrouter_port(
}
+static void
+build_icmperr_pkt_big_flows(struct ovn_port *op, int mtu, struct hmap *lflows,
+ struct ds *match, struct ds *actions)
+{
+ if (op->lrp_networks.ipv4_addrs) {
+ ds_clear(match);
+ ds_put_format(match, "inport == %s && ip4 && "REGBIT_PKT_LARGER,
+ op->json_key);
+
+ ds_clear(actions);
+ /* Set icmp4.frag_mtu to gw_mtu */
+ ds_put_format(actions,
+ "icmp4_error {"
+ REGBIT_EGRESS_LOOPBACK" = 1; "
+ REGBIT_PKT_LARGER" = 0; "
+ "eth.dst = %s; "
+ "ip4.dst = ip4.src; "
+ "ip4.src = %s; "
+ "ip.ttl = 255; "
+ "icmp4.type = 3; /* Destination Unreachable. */ "
+ "icmp4.code = 4; /* Frag Needed and DF was Set. */ "
+ "icmp4.frag_mtu = %d; "
+ "next(pipeline=ingress, table=%d); };",
+ op->lrp_networks.ea_s,
+ op->lrp_networks.ipv4_addrs[0].addr_s,
+ mtu, ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
+ ovn_lflow_add_with_hint(lflows, op->od,
+ S_ROUTER_IN_LARGER_PKTS, 50,
+ ds_cstr(match), ds_cstr(actions),
+ &op->nbrp->header_);
+ }
+
+ if (op->lrp_networks.ipv6_addrs) {
+ ds_clear(match);
+ ds_put_format(match, "inport == %s&& ip6 && "REGBIT_PKT_LARGER,
+ op->json_key);
+
+ ds_clear(actions);
+ /* Set icmp6.frag_mtu to gw_mtu */
+ ds_put_format(actions,
+ "icmp6_error {"
+ REGBIT_EGRESS_LOOPBACK" = 1; "
+ REGBIT_PKT_LARGER" = 0; "
+ "eth.dst = %s; "
+ "ip6.dst = ip6.src; "
+ "ip6.src = %s; "
+ "ip.ttl = 255; "
+ "icmp6.type = 2; /* Packet Too Big. */ "
+ "icmp6.code = 0; "
+ "icmp6.frag_mtu = %d; "
+ "next(pipeline=ingress, table=%d); };",
+ op->lrp_networks.ea_s,
+ op->lrp_networks.ipv6_addrs[0].addr_s,
+ mtu, ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
+ ovn_lflow_add_with_hint(lflows, op->od,
+ S_ROUTER_IN_LARGER_PKTS, 50,
+ ds_cstr(match), ds_cstr(actions),
+ &op->nbrp->header_);
+ }
+}
+
static void
build_check_pkt_len_flows_for_lrp(struct ovn_port *op,
struct hmap *lflows, struct hmap *ports,
@@ -10414,81 +10475,26 @@ build_check_pkt_len_flows_for_lrp(struct ovn_port *op,
return;
}
- ds_clear(match);
- ds_put_format(match, "outport == %s", op->json_key);
-
ds_clear(actions);
ds_put_format(actions,
REGBIT_PKT_LARGER" = check_pkt_larger(%d);"
" next;", gw_mtu + VLAN_ETH_HEADER_LEN);
+
+ ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_CHK_PKT_LEN, 100,
+ REGBIT_EGRESS_LOOPBACK, "next;",
+ &op->nbrp->header_);
ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_CHK_PKT_LEN, 50,
- ds_cstr(match), ds_cstr(actions),
+ "1", ds_cstr(actions),
&op->nbrp->header_);
for (size_t i = 0; i < op->od->nbr->n_ports; i++) {
struct ovn_port *rp = ovn_port_find(ports,
op->od->nbr->ports[i]->name);
- if (!rp || rp == op) {
+ if (!rp) {
continue;
}
- if (rp->lrp_networks.ipv4_addrs) {
- ds_clear(match);
- ds_put_format(match, "inport == %s && outport == %s"
- " && ip4 && "REGBIT_PKT_LARGER,
- rp->json_key, op->json_key);
-
- ds_clear(actions);
- /* Set icmp4.frag_mtu to gw_mtu */
- ds_put_format(actions,
- "icmp4_error {"
- REGBIT_EGRESS_LOOPBACK" = 1; "
- "eth.dst = %s; "
- "ip4.dst = ip4.src; "
- "ip4.src = %s; "
- "ip.ttl = 255; "
- "icmp4.type = 3; /* Destination Unreachable. */ "
- "icmp4.code = 4; /* Frag Needed and DF was Set. */ "
- "icmp4.frag_mtu = %d; "
- "next(pipeline=ingress, table=%d); };",
- rp->lrp_networks.ea_s,
- rp->lrp_networks.ipv4_addrs[0].addr_s,
- gw_mtu,
- ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
- ovn_lflow_add_with_hint(lflows, op->od,
- S_ROUTER_IN_LARGER_PKTS, 50,
- ds_cstr(match), ds_cstr(actions),
- &rp->nbrp->header_);
- }
-
- if (rp->lrp_networks.ipv6_addrs) {
- ds_clear(match);
- ds_put_format(match, "inport == %s && outport == %s"
- " && ip6 && "REGBIT_PKT_LARGER,
- rp->json_key, op->json_key);
-
- ds_clear(actions);
- /* Set icmp6.frag_mtu to gw_mtu */
- ds_put_format(actions,
- "icmp6_error {"
- REGBIT_EGRESS_LOOPBACK" = 1; "
- "eth.dst = %s; "
- "ip6.dst = ip6.src; "
- "ip6.src = %s; "
- "ip.ttl = 255; "
- "icmp6.type = 2; /* Packet Too Big. */ "
- "icmp6.code = 0; "
- "icmp6.frag_mtu = %d; "
- "next(pipeline=ingress, table=%d); };",
- rp->lrp_networks.ea_s,
- rp->lrp_networks.ipv6_addrs[0].addr_s,
- gw_mtu,
- ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
- ovn_lflow_add_with_hint(lflows, op->od,
- S_ROUTER_IN_LARGER_PKTS, 50,
- ds_cstr(match), ds_cstr(actions),
- &rp->nbrp->header_);
- }
+ build_icmperr_pkt_big_flows(rp, gw_mtu, lflows, match, actions);
}
}
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index bff2ade43..77d3abdb3 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -1466,8 +1466,8 @@ ovn-nbctl set logical_router lr0 options:dnat_force_snat_ip=192.168.2.3
ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list lr0 | grep lr_in_unsnat | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- table=5 (lr_in_unsnat ), priority=110 , match=(ip4 && ip4.dst == 192.168.2.3), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(ip4 && ip4.dst == 192.168.2.3), action=(ct_snat;)
])
AT_CLEANUP
@@ -2596,11 +2596,11 @@ ovn-sbctl dump-flows lr0 > lr0flows3
AT_CAPTURE_FILE([lr0flows3])
AT_CHECK([grep "lr_in_policy" lr0flows3 | sort], [0], [dnl
- table=12(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = 0; next;)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3), action=(reg8[[0..15]] = 1; reg8[[16..31]] = select(1, 2);)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == 1 && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == 1 && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == 0), action=(next;)
+ table=14(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = 0; next;)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3), action=(reg8[[0..15]] = 1; reg8[[16..31]] = select(1, 2);)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == 1 && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == 1 && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == 0), action=(next;)
])
check ovn-nbctl --wait=sb lr-policy-add lr0 10 "ip4.src == 10.0.0.4" reroute 172.168.0.101,172.168.0.102,172.168.0.103
@@ -2610,15 +2610,15 @@ AT_CAPTURE_FILE([lr0flows3])
AT_CHECK([grep "lr_in_policy" lr0flows3 | \
sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] = <cleared>/' | \
sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sort], [0], [dnl
- table=12(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2);)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 3), action=(reg0 = 172.168.0.103; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
+ table=14(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2);)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 3), action=(reg0 = 172.168.0.103; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
])
check ovn-nbctl --wait=sb lr-policy-add lr0 10 "ip4.src == 10.0.0.5" reroute 172.168.0.110
@@ -2628,16 +2628,16 @@ AT_CAPTURE_FILE([lr0flows3])
AT_CHECK([grep "lr_in_policy" lr0flows3 | \
sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] = <cleared>/' | \
sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sort], [0], [dnl
- table=12(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2);)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 3), action=(reg0 = 172.168.0.103; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
+ table=14(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2);)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 3), action=(reg0 = 172.168.0.103; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
])
check ovn-nbctl --wait=sb lr-policy-del lr0 10 "ip4.src == 10.0.0.3"
@@ -2647,13 +2647,13 @@ AT_CAPTURE_FILE([lr0flows3])
AT_CHECK([grep "lr_in_policy" lr0flows3 | \
sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] = <cleared>/' | \
sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sort], [0], [dnl
- table=12(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 3), action=(reg0 = 172.168.0.103; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
- table=13(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
+ table=14(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> && reg8[[16..31]] == 3), action=(reg0 = 172.168.0.103; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
+ table=15(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
])
check ovn-nbctl --wait=sb lr-policy-del lr0 10 "ip4.src == 10.0.0.4"
@@ -2663,9 +2663,9 @@ AT_CAPTURE_FILE([lr0flows3])
AT_CHECK([grep "lr_in_policy" lr0flows3 | \
sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] = <cleared>/' | \
sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sort], [0], [dnl
- table=12(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
- table=12(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
- table=13(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
+ table=14(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
+ table=14(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
+ table=15(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
])
check ovn-nbctl --wait=sb add logical_router_policy . nexthops "2000\:\:b"
@@ -2675,8 +2675,8 @@ AT_CAPTURE_FILE([lr0flows3])
AT_CHECK([grep "lr_in_policy" lr0flows3 | \
sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] = <cleared>/' | \
sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sort], [0], [dnl
- table=12(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
- table=13(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
+ table=14(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] = <cleared>; next;)
+ table=15(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == <cleared>), action=(next;)
])
AT_CLEANUP
@@ -3113,14 +3113,14 @@ ovn-sbctl dump-flows lr0 > lr0flows
AT_CAPTURE_FILE([lr0flows])
AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
+ table=7 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
])
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
- table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_dnat;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+ table=8 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_dnat;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb(backends=10.0.0.4:8080);)
+ table=8 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="20.0.0.4 aef0::4"
@@ -3130,16 +3130,16 @@ AT_CAPTURE_FILE([lr0flows])
AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- table=5 (lr_in_unsnat ), priority=110 , match=(ip4 && ip4.dst == 20.0.0.4), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(ip6 && ip6.dst == aef0::4), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(ip4 && ip4.dst == 20.0.0.4), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(ip6 && ip6.dst == aef0::4), action=(ct_snat;)
])
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
- table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+ table=8 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
+ table=8 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
@@ -3158,17 +3158,17 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | grep "priority=60" | sort], [0], [dnl
])
AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-public" && ip4.dst == 172.168.0.100), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw0" && ip4.dst == 10.0.0.1), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-public" && ip4.dst == 172.168.0.100), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw0" && ip4.dst == 10.0.0.1), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;)
])
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
- table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+ table=8 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
+ table=8 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
@@ -3185,7 +3185,7 @@ ovn-sbctl dump-flows lr0 > lr0flows
AT_CAPTURE_FILE([lr0flows])
AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
+ table=7 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
])
AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
@@ -3200,18 +3200,18 @@ ovn-sbctl dump-flows lr0 > lr0flows
AT_CAPTURE_FILE([lr0flows])
AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-public" && ip4.dst == 172.168.0.100), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw0" && ip4.dst == 10.0.0.1), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip6.dst == bef0::1), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-public" && ip4.dst == 172.168.0.100), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw0" && ip4.dst == 10.0.0.1), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip6.dst == bef0::1), action=(ct_snat;)
])
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
- table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+ table=8 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_dnat;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.4:8080);)
+ table=8 (lr_in_dnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
@@ -3230,16 +3230,16 @@ check ovn-nbctl --wait=sb lb-del lb1
ovn-sbctl dump-flows lr0 > lr0flows
AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
- table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-public" && ip4.dst == 172.168.0.100), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw0" && ip4.dst == 10.0.0.1), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;)
- table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip6.dst == bef0::1), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-public" && ip4.dst == 172.168.0.100), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw0" && ip4.dst == 10.0.0.1), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;)
+ table=7 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip6.dst == bef0::1), action=(ct_snat;)
])
AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_dnat;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=10.0.0.40:8080);)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_dnat;)
+ table=8 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=10.0.0.40:8080);)
])
AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl
diff --git a/tests/ovn.at b/tests/ovn.at
index 248319262..eef03982c 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -16246,7 +16246,7 @@ test_ip_packet_larger() {
ip_csum=f993
icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe016867
icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf "%04x" $mtu)
- icmp_reply=${icmp_reply}4500${pkt_len}000000003f01c4d9
+ icmp_reply=${icmp_reply}4500${pkt_len}000000004001c3d9
icmp_reply=${icmp_reply}${orig_packet_l3}
echo $icmp_reply > hv1-vif1.expected
fi
@@ -16275,6 +16275,52 @@ test_ip_packet_larger() {
fi
}
+test_ip_packet_larger_ext() {
+ local mtu=$1
+
+ # Send ip packet from sw0-port1 to outside
+ src_mac="00000012af11" # external mac
+ dst_mac="000020201213" # lr0-public mac
+ src_ip=`ip_to_hex 172 168 0 4`
+ dst_ip=`ip_to_hex 172 168 0 100`
+ # Set the packet length to 118.
+ pkt_len=0076
+ packet=${dst_mac}${src_mac}08004500${pkt_len}000000004001c3d9
+ orig_packet_l3=${src_ip}${dst_ip}0900000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ packet=${packet}${orig_packet_l3}
+
+ gw_ip_garp=ffffffffffff00002020121308060001080006040001000020201213aca80064000000000000aca80064
+ ext_ip_garp=ffffffffffff00000012af110806000108000604000100000012af11aca80004000000000000aca80004
+
+ src_ip=`ip_to_hex 172 168 0 100`
+ dst_ip=`ip_to_hex 172 168 0 4`
+ # pkt len should be 146 (28 (icmp packet) + 118 (orig ip + payload))
+ reply_pkt_len=0092
+ ip_csum=508d
+ icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe0122b2
+ icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf "%04x" $mtu)
+ icmp_reply=${icmp_reply}4500${pkt_len}000000004001c3d9
+ icmp_reply=${icmp_reply}${orig_packet_l3}
+ echo $icmp_reply > br-phys_n1.expected
+
+ echo $gw_ip_garp >> br-phys_n1.expected
+
+ as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
+ as hv1 reset_pcap_file hv1-vif1 hv1/vif1
+
+ check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $ext_ip_garp
+ sleep 1
+ # Send packet from sw0-port1 to outside
+ check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $packet
+
+ OVN_CHECK_PACKETS([hv1/br-phys_n1-tx.pcap], [br-phys_n1.expected])
+}
+
test_ip6_packet_larger() {
local mtu=$1
@@ -16307,7 +16353,7 @@ test_ip6_packet_larger() {
mtu_needed=$(expr ${packet_bytes} - 18)
if test $mtu -lt $mtu_needed; then
# First construct the inner IPv6 packet.
- inner_ip6=6000000000583afe${ipv6_src}${ipv6_dst}
+ inner_ip6=6000000000583aff${ipv6_src}${ipv6_dst}
inner_icmp6=8000000062f00001
inner_icmp6_and_payload=$(icmp6_csum_inplace ${inner_icmp6}${payload} ${inner_ip6})
inner_packet=${inner_ip6}${inner_icmp6_and_payload}
@@ -16329,6 +16375,53 @@ test_ip6_packet_larger() {
fi
}
+test_ip6_packet_larger_ext() {
+ local mtu=$1
+
+ local eth_src=00000012af11
+ local eth_dst=000020201213
+
+ local ipv6_src=20000000000000000000000000000004
+ local ipv6_dst=20000000000000000000000000000001
+
+ local payload=0000000000000000000000000000000000000000
+ local payload=${payload}0000000000000000000000000000000000000000
+ local payload=${payload}0000000000000000000000000000000000000000
+ local payload=${payload}0000000000000000000000000000000000000000
+
+ local ip6_hdr=6000000000583aff${ipv6_src}${ipv6_dst}
+ local packet=${eth_dst}${eth_src}86dd${ip6_hdr}9000cc7662f00001${payload}
+
+ local ns=ffffffffffff00002020121308060001080006040001000020201213aca80064000000000000aca80064
+ echo $ns > br-phys_n1.expected
+
+ as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
+ as hv1 reset_pcap_file hv1-vif1 hv1/vif1
+
+ local na_ip6_hdr=6000000000203aff${ipv6_src}${ipv6_dst}
+ local na=${eth_dst}${eth_src}86dd${na_ip6_hdr}8800d78440000000${ipv6_src}0201${eth_src}
+ check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $na
+ sleep 1
+ check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $packet
+ AT_CAPTURE_FILE([trace-$mtu])
+
+ # First construct the inner IPv6 packet.
+ inner_ip6=6000000000583aff${ipv6_src}${ipv6_dst}
+ inner_icmp6=9000000062f00001
+ inner_icmp6_and_payload=$(icmp6_csum_inplace ${inner_icmp6}${payload} ${inner_ip6})
+ inner_packet=${inner_ip6}${inner_icmp6_and_payload}
+
+ # Then the outer.
+ outer_ip6=6000000000883afe${ipv6_dst}${ipv6_src}
+ outer_icmp6_and_payload=$(icmp6_csum_inplace 020000000000$(printf "%04x" $mtu)${inner_packet} $outer_ip6)
+ outer_packet=${outer_ip6}${outer_icmp6_and_payload}
+
+ icmp6_reply=${eth_src}${eth_dst}86dd${outer_packet}
+ echo $icmp6_reply >> br-phys_n1.expected
+
+ OVN_CHECK_PACKETS([hv1/br-phys_n1-tx.pcap], [br-phys_n1.expected])
+}
+
wait_for_ports_up
ovn-nbctl --wait=hv sync
@@ -16371,6 +16464,23 @@ for mtu in 100 500 118; do
test_ip6_packet_larger $mtu
done
+AS_BOX([testing mtu $mtu])
+check ovn-nbctl --wait=hv set logical_router_port lr0-public options:gateway_mtu=100
+ovn-sbctl dump-flows > ext-sbflows-100
+AT_CAPTURE_FILE([ext-sbflows-$mtu])
+
+OVS_WAIT_FOR_OUTPUT([
+ as hv1 ovs-ofctl dump-flows br-int > ext-br-int-flows-100
+ AT_CAPTURE_FILE([ext-br-int-flows-100])
+ grep "check_pkt_larger(118)" ext-br-int-flows-100 | wc -l], [0], [1
+])
+
+AS_BOX([testing ext mtu 100 - IPv4])
+test_ip_packet_larger_ext 100
+
+AS_BOX([testing mtu 100 - IPv6])
+test_ip6_packet_larger_ext 100
+
OVN_CLEANUP([hv1])
AT_CLEANUP
])
@@ -16484,7 +16594,7 @@ test_ip_packet_larger() {
ip_csum=f993
icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe016867
icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf "%04x" $mtu)
- icmp_reply=${icmp_reply}4500${pkt_len}000000003f01c4d9
+ icmp_reply=${icmp_reply}4500${pkt_len}000000004001c3d9
icmp_reply=${icmp_reply}${orig_packet_l3}
echo $icmp_reply > hv1-vif1.expected
fi
@@ -16513,6 +16623,52 @@ test_ip_packet_larger() {
fi
}
+test_ip_packet_larger_ext() {
+ local mtu=$1
+
+ # Send ip packet from sw0-port1 to outside
+ src_mac="00000012af11" # external mac
+ dst_mac="000020201213" # lr0-public mac
+ src_ip=`ip_to_hex 172 168 0 4`
+ dst_ip=`ip_to_hex 172 168 0 100`
+ # Set the packet length to 118.
+ pkt_len=0076
+ packet=${dst_mac}${src_mac}08004500${pkt_len}000000004001c3d9
+ orig_packet_l3=${src_ip}${dst_ip}0900000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+ packet=${packet}${orig_packet_l3}
+
+ gw_ip_garp=ffffffffffff00002020121308060001080006040001000020201213aca80064000000000000aca80064
+ ext_ip_garp=ffffffffffff00000012af110806000108000604000100000012af11aca80004000000000000aca80004
+
+ src_ip=`ip_to_hex 172 168 0 100`
+ dst_ip=`ip_to_hex 172 168 0 4`
+ # pkt len should be 146 (28 (icmp packet) + 118 (orig ip + payload))
+ reply_pkt_len=0092
+ ip_csum=508d
+ icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe0122b2
+ icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf "%04x" $mtu)
+ icmp_reply=${icmp_reply}4500${pkt_len}000000004001c3d9
+ icmp_reply=${icmp_reply}${orig_packet_l3}
+ echo $icmp_reply > br-phys_n1.expected
+
+ echo $gw_ip_garp >> br-phys_n1.expected
+
+ as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
+ as hv1 reset_pcap_file hv1-vif1 hv1/vif1
+
+ check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $ext_ip_garp
+ sleep 1
+ # Send packet from sw0-port1 to outside
+ check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $packet
+
+ OVN_CHECK_PACKETS([hv1/br-phys_n1-tx.pcap], [br-phys_n1.expected])
+}
+
test_ip6_packet_larger() {
local mtu=$1
@@ -16545,7 +16701,7 @@ test_ip6_packet_larger() {
mtu_needed=$(expr ${packet_bytes} - 18)
if test $mtu -lt $mtu_needed; then
# First construct the inner IPv6 packet.
- inner_ip6=6000000000583afe${ipv6_src}${ipv6_dst}
+ inner_ip6=6000000000583aff${ipv6_src}${ipv6_dst}
inner_icmp6=8000000062f00001
inner_icmp6_and_payload=$(icmp6_csum_inplace ${inner_icmp6}${payload} ${inner_ip6})
inner_packet=${inner_ip6}${inner_icmp6_and_payload}
@@ -16567,6 +16723,53 @@ test_ip6_packet_larger() {
fi
}
+test_ip6_packet_larger_ext() {
+ local mtu=$1
+
+ local eth_src=00000012af11
+ local eth_dst=000020201213
+
+ local ipv6_src=20000000000000000000000000000004
+ local ipv6_dst=20000000000000000000000000000001
+
+ local payload=0000000000000000000000000000000000000000
+ local payload=${payload}0000000000000000000000000000000000000000
+ local payload=${payload}0000000000000000000000000000000000000000
+ local payload=${payload}0000000000000000000000000000000000000000
+
+ local ip6_hdr=6000000000583aff${ipv6_src}${ipv6_dst}
+ local packet=${eth_dst}${eth_src}86dd${ip6_hdr}9000cc7662f00001${payload}
+
+ local ns=ffffffffffff00002020121308060001080006040001000020201213aca80064000000000000aca80064
+ echo $ns > br-phys_n1.expected
+
+ as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
+ as hv1 reset_pcap_file hv1-vif1 hv1/vif1
+
+ local na_ip6_hdr=6000000000203aff${ipv6_src}${ipv6_dst}
+ local na=${eth_dst}${eth_src}86dd${na_ip6_hdr}8800d78440000000${ipv6_src}0201${eth_src}
+ check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $na
+ sleep 1
+ check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $packet
+ AT_CAPTURE_FILE([trace-$mtu])
+
+ # First construct the inner IPv6 packet.
+ inner_ip6=6000000000583aff${ipv6_src}${ipv6_dst}
+ inner_icmp6=9000000062f00001
+ inner_icmp6_and_payload=$(icmp6_csum_inplace ${inner_icmp6}${payload} ${inner_ip6})
+ inner_packet=${inner_ip6}${inner_icmp6_and_payload}
+
+ # Then the outer.
+ outer_ip6=6000000000883afe${ipv6_dst}${ipv6_src}
+ outer_icmp6_and_payload=$(icmp6_csum_inplace 020000000000$(printf "%04x" $mtu)${inner_packet} $outer_ip6)
+ outer_packet=${outer_ip6}${outer_icmp6_and_payload}
+
+ icmp6_reply=${eth_src}${eth_dst}86dd${outer_packet}
+ echo $icmp6_reply >> br-phys_n1.expected
+
+ OVN_CHECK_PACKETS([hv1/br-phys_n1-tx.pcap], [br-phys_n1.expected])
+}
+
wait_for_ports_up
ovn-nbctl --wait=hv sync
@@ -16609,6 +16812,23 @@ for mtu in 100 500 118; do
test_ip6_packet_larger $mtu
done
+AS_BOX([testing mtu $mtu])
+check ovn-nbctl --wait=hv set logical_router_port lr0-public options:gateway_mtu=100
+ovn-sbctl dump-flows > ext-sbflows-100
+AT_CAPTURE_FILE([ext-sbflows-$mtu])
+
+OVS_WAIT_FOR_OUTPUT([
+ as hv1 ovs-ofctl dump-flows br-int > ext-br-int-flows-100
+ AT_CAPTURE_FILE([ext-br-int-flows-100])
+ grep "check_pkt_larger(118)" ext-br-int-flows-100 | wc -l], [0], [1
+])
+
+AS_BOX([testing ext mtu 100 - IPv4])
+test_ip_packet_larger_ext 100
+
+AS_BOX([testing mtu 100 - IPv6])
+test_ip6_packet_larger_ext 100
+
OVN_CLEANUP([hv1])
AT_CLEANUP
])
@@ -22511,7 +22731,7 @@ ovn-sbctl dump-flows > sbflows
AT_CAPTURE_FILE([sbflows])
AT_CAPTURE_FILE([offlows])
OVS_WAIT_UNTIL([
- as hv1 ovs-ofctl dump-flows br-int table=20 > offlows
+ as hv1 ovs-ofctl dump-flows br-int table=22 > offlows
test $(grep -c "load:0x64->NXM_NX_PKT_MARK" offlows) = 1 && \
test $(grep -c "load:0x3->NXM_NX_PKT_MARK" offlows) = 1 && \
test $(grep -c "load:0x4->NXM_NX_PKT_MARK" offlows) = 1 && \
@@ -22604,12 +22824,12 @@ send_ipv4_pkt hv1 hv1-vif1 505400000003 00000000ff01 \
$(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120)
OVS_WAIT_UNTIL([
- test 1 -eq $(as hv1 ovs-ofctl dump-flows br-int table=20 | \
+ test 1 -eq $(as hv1 ovs-ofctl dump-flows br-int table=22 | \
grep "load:0x2->NXM_NX_PKT_MARK" -c)
])
AT_CHECK([
- test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=20 | \
+ test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=22 | \
grep "load:0x64->NXM_NX_PKT_MARK" -c)
])
@@ -22681,31 +22901,31 @@ AT_CHECK([
])
AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_policy.*priority=1001" | sort], [0], [dnl
- table=12(lr_in_policy ), priority=1001 , dnl
+ table=14(lr_in_policy ), priority=1001 , dnl
match=(ip6), action=(pkt.mark = 4294967295; reg8[[0..15]] = 0; next;)
])
ovn-nbctl --wait=hv set logical_router_policy $pol5 options:pkt_mark=-1
AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_policy.*priority=1001" | sort], [0], [dnl
- table=12(lr_in_policy ), priority=1001 , dnl
+ table=14(lr_in_policy ), priority=1001 , dnl
match=(ip6), action=(reg8[[0..15]] = 0; next;)
])
ovn-nbctl --wait=hv set logical_router_policy $pol5 options:pkt_mark=2147483648
AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_policy.*priority=1001" | sort], [0], [dnl
- table=12(lr_in_policy ), priority=1001 , dnl
+ table=14(lr_in_policy ), priority=1001 , dnl
match=(ip6), action=(pkt.mark = 2147483648; reg8[[0..15]] = 0; next;)
])
ovn-nbctl --wait=hv set logical_router_policy $pol5 options:pkt_mark=foo
AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_policy.*priority=1001" | sort], [0], [dnl
- table=12(lr_in_policy ), priority=1001 , dnl
+ table=14(lr_in_policy ), priority=1001 , dnl
match=(ip6), action=(reg8[[0..15]] = 0; next;)
])
ovn-nbctl --wait=hv set logical_router_policy $pol5 options:pkt_mark=4294967296
AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_policy.*priority=1001" | sort], [0], [dnl
- table=12(lr_in_policy ), priority=1001 , dnl
+ table=14(lr_in_policy ), priority=1001 , dnl
match=(ip6), action=(reg8[[0..15]] = 0; next;)
])
@@ -23275,23 +23495,23 @@ check ovn-nbctl --wait=hv sync
# Ensure ECMP symmetric reply flows are not present on any hypervisor.
AT_CHECK([
- test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=15 | \
+ test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=17 | \
grep "priority=100" | \
grep "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_LABEL\\[[80..95\\]]))" -c)
])
AT_CHECK([
- test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=21 | \
+ test 0 -eq $(as hv1 ovs-ofctl dump-flows br-int table=23 | \
grep "priority=200" | \
grep "actions=move:NXM_NX_CT_LABEL\\[[32..79\\]]->NXM_OF_ETH_DST\\[[\\]]" -c)
])
AT_CHECK([
- test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=15 | \
+ test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=17 | \
grep "priority=100" | \
grep "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_LABEL\\[[80..95\\]]))" -c)
])
AT_CHECK([
- test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=21 | \
+ test 0 -eq $(as hv2 ovs-ofctl dump-flows br-int table=23 | \
grep "priority=200" | \
grep "actions=move:NXM_NX_CT_LABEL\\[[32..79\\]]->NXM_OF_ETH_DST\\[[\\]]" -c)
])
@@ -23308,11 +23528,11 @@ AT_CAPTURE_FILE([hv2flows])
AT_CHECK([
for hv in 1 2; do
- grep table=15 hv${hv}flows | \
+ grep table=17 hv${hv}flows | \
grep "priority=100" | \
grep -c "ct(commit,zone=NXM_NX_REG11\\[[0..15\\]],exec(move:NXM_OF_ETH_SRC\\[[\\]]->NXM_NX_CT_LABEL\\[[32..79\\]],load:0x[[0-9]]->NXM_NX_CT_LABEL\\[[80..95\\]]))"
- grep table=22 hv${hv}flows | \
+ grep table=24 hv${hv}flows | \
grep "priority=200" | \
grep -c "actions=move:NXM_NX_CT_LABEL\\[[32..79\\]]->NXM_OF_ETH_DST\\[[\\]]"
done; :], [0], [dnl
@@ -23932,7 +24152,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep "actions=controller" | grep
])
# The packet should've been dropped in the lr_in_arp_resolve stage.
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=22, n_packets=1,.* priority=1,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=24, n_packets=1,.* priority=1,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl
1
])
--
2.31.1
More information about the dev
mailing list