From 8466c0de9f209011d82331521bd5c47422963c15 Mon Sep 17 00:00:00 2001
From: Numan Siddique <numans@ovn.org>
Date: Mon, 5 Oct 2020 12:52:15 +0530
Subject: [PATCH 1/5] northd: Use 'enum ovn_stage' for the table value in the
'next' OVN action.
|
Multiple places in ovn-northd.c hard codes the table value in the next() OVN action.
This patch changes those occurrences to use ovn_stage_get_table('enum ovn_stage' value).
|
Hard coding of the table number can result in errors if new stages are added (like
the patch [1] which added new stages - ls_in_acl_hint and ls_out_acl_hint). After the patch [1],
the table number was wrong for reject ACLs associated in ingress logical switch pipeline stage.
This did not result in any packet drops, but this patch prevents the same class of error in the future.
|
This patch also adds a new test case in ovn-northd.at for reject ACL flows.
|
[1] - 209ea46bbf9d("ovn-northd: Reduce number of flows generated for stateful ACLs.")
|
Acked-by: Dumitru Ceara <dceara@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
|
(cherry-picked from master commit 4ab6b79a81b15d727b0a0f617f267d3169f7b486)
---
northd/ovn-northd.c | 36 ++++---
tests/ovn-northd.at | 247 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 266 insertions(+), 17 deletions(-)
|
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
|
|
|
ebb439 |
index 73e37985e..b099f705b 100644
|
|
|
ebb439 |
--- a/northd/ovn-northd.c
|
|
|
ebb439 |
+++ b/northd/ovn-northd.c
|
|
|
ebb439 |
@@ -5379,6 +5379,12 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
|
|
|
ebb439 |
struct ds actions = DS_EMPTY_INITIALIZER;
|
|
|
ebb439 |
bool ingress = (stage == S_SWITCH_IN_ACL);
|
|
|
ebb439 |
|
|
|
ebb439 |
+ char *next_action =
|
|
|
ebb439 |
+ xasprintf("next(pipeline=%s,table=%d);",
|
|
|
ebb439 |
+ ingress ? "egress": "ingress",
|
|
|
ebb439 |
+ ingress ? ovn_stage_get_table(S_SWITCH_OUT_QOS_MARK)
|
|
|
ebb439 |
+ : ovn_stage_get_table(S_SWITCH_IN_L2_LKUP));
|
|
|
ebb439 |
+
|
|
|
ebb439 |
/* TCP */
|
|
|
ebb439 |
build_acl_log(&actions, acl);
|
|
|
ebb439 |
if (extra_match->length > 0) {
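Review bot: The resume stages chosen here — S_SWITCH_OUT_QOS_MARK for an ingress reject and S_SWITCH_IN_L2_LKUP for an egress one — encode an invariant that the new code does not state: the synthesized RST/ICMP reply re-enters the opposite pipeline just past its ACL stage (the new test expects `table=6` for the egress jump while `ls_out_acl` sits at table 5), so it is deliberately not evaluated against the peer pipeline's ACLs, and if a stage is ever inserted between OUT_ACL and OUT_QOS_MARK the reply will skip that stage too. I'd say so above the xasprintf: `/* Re-enter the opposite pipeline right after its ACL stage: the reply must not be re-evaluated against (and possibly dropped by) the peer ACLs. Keep in sync with the stage order in enum ovn_stage. */`. next_action is heap-allocated and, per the later hunk, freed only at the end of the function, so any early return added in the part of build_reject_acl_rules that is not visible here would leak it; the function body continues outside this hunk.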
|
|
|
ebb439 |
@@ -5387,9 +5393,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
|
|
|
ebb439 |
ds_put_format(&match, "ip4 && tcp && (%s)", acl->match);
|
|
|
ebb439 |
ds_put_format(&actions, "reg0 = 0; "
|
|
|
ebb439 |
"eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
|
|
|
ebb439 |
- "tcp_reset { outport <-> inport; %s };",
|
|
|
ebb439 |
- ingress ? "next(pipeline=egress,table=5);"
|
|
|
ebb439 |
- : "next(pipeline=ingress,table=20);");
|
|
|
ebb439 |
+ "tcp_reset { outport <-> inport; %s };", next_action);
|
|
|
ebb439 |
ovn_lflow_add_with_hint(lflows, od, stage,
|
|
|
ebb439 |
acl->priority + OVN_ACL_PRI_OFFSET + 10,
|
|
|
ebb439 |
ds_cstr(&match), ds_cstr(&actions), stage_hint);
|
|
|
ebb439 |
@@ -5402,9 +5406,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
|
|
|
ebb439 |
ds_put_format(&match, "ip6 && tcp && (%s)", acl->match);
|
|
|
ebb439 |
ds_put_format(&actions, "reg0 = 0; "
|
|
|
ebb439 |
"eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
|
|
|
ebb439 |
- "tcp_reset { outport <-> inport; %s };",
|
|
|
ebb439 |
- ingress ? "next(pipeline=egress,table=5);"
|
|
|
ebb439 |
- : "next(pipeline=ingress,table=20);");
|
|
|
ebb439 |
+ "tcp_reset { outport <-> inport; %s };", next_action);
|
|
|
ebb439 |
ovn_lflow_add_with_hint(lflows, od, stage,
|
|
|
ebb439 |
acl->priority + OVN_ACL_PRI_OFFSET + 10,
|
|
|
ebb439 |
ds_cstr(&match), ds_cstr(&actions), stage_hint);
|
|
|
ebb439 |
@@ -5422,9 +5424,7 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
|
|
|
ebb439 |
}
|
|
|
ebb439 |
ds_put_format(&actions, "reg0 = 0; "
|
|
|
ebb439 |
"icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; "
|
|
|
ebb439 |
- "outport <-> inport; %s };",
|
|
|
ebb439 |
- ingress ? "next(pipeline=egress,table=5);"
|
|
|
ebb439 |
- : "next(pipeline=ingress,table=20);");
|
|
|
ebb439 |
+ "outport <-> inport; %s };", next_action);
|
|
|
ebb439 |
ovn_lflow_add_with_hint(lflows, od, stage,
|
|
|
ebb439 |
acl->priority + OVN_ACL_PRI_OFFSET,
|
|
|
ebb439 |
ds_cstr(&match), ds_cstr(&actions), stage_hint);
|
|
|
ebb439 |
@@ -5440,13 +5440,12 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows,
|
|
|
ebb439 |
}
|
|
|
ebb439 |
ds_put_format(&actions, "reg0 = 0; icmp6 { "
|
|
|
ebb439 |
"eth.dst <-> eth.src; ip6.dst <-> ip6.src; "
|
|
|
ebb439 |
- "outport <-> inport; %s };",
|
|
|
ebb439 |
- ingress ? "next(pipeline=egress,table=5);"
|
|
|
ebb439 |
- : "next(pipeline=ingress,table=20);");
|
|
|
ebb439 |
+ "outport <-> inport; %s };", next_action);
|
|
|
ebb439 |
ovn_lflow_add_with_hint(lflows, od, stage,
|
|
|
ebb439 |
acl->priority + OVN_ACL_PRI_OFFSET,
|
|
|
ebb439 |
ds_cstr(&match), ds_cstr(&actions), stage_hint);
|
|
|
ebb439 |
|
|
|
ebb439 |
+ free(next_action);
|
|
|
ebb439 |
ds_destroy(&match);
|
|
|
ebb439 |
ds_destroy(&actions);
|
|
|
ebb439 |
}
|
|
|
ebb439 |
@@ -9963,7 +9962,8 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
|
|
|
ebb439 |
ds_put_format(&actions, "reg%d = 0; ", j);
|
|
|
ebb439 |
}
|
|
|
ebb439 |
ds_put_format(&actions, REGBIT_EGRESS_LOOPBACK" = 1; "
|
|
|
ebb439 |
- "next(pipeline=ingress, table=0); };");
|
|
|
ebb439 |
+ "next(pipeline=ingress, table=%d); };",
|
|
|
ebb439 |
+ ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
|
|
|
ebb439 |
ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_EGR_LOOP, 100,
|
|
|
ebb439 |
ds_cstr(&match), ds_cstr(&actions),
|
|
|
ebb439 |
&nat->header_);
|
|
|
ebb439 |
@@ -11145,10 +11145,11 @@ build_check_pkt_len_flows_for_lrouter(
|
|
|
ebb439 |
"icmp4.type = 3; /* Destination Unreachable. */ "
|
|
|
ebb439 |
"icmp4.code = 4; /* Frag Needed and DF was Set. */ "
|
|
|
ebb439 |
"icmp4.frag_mtu = %d; "
|
|
|
ebb439 |
- "next(pipeline=ingress, table=0); };",
|
|
|
ebb439 |
+ "next(pipeline=ingress, table=%d); };",
|
|
|
ebb439 |
rp->lrp_networks.ea_s,
|
|
|
ebb439 |
rp->lrp_networks.ipv4_addrs[0].addr_s,
|
|
|
ebb439 |
- gw_mtu);
|
|
|
ebb439 |
+ gw_mtu,
|
|
|
ebb439 |
+ ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
|
|
|
ebb439 |
ovn_lflow_add_with_hint(lflows, od,
|
|
|
ebb439 |
S_ROUTER_IN_LARGER_PKTS, 50,
|
|
|
ebb439 |
ds_cstr(match), ds_cstr(actions),
|
|
|
ebb439 |
@@ -11173,10 +11174,11 @@ build_check_pkt_len_flows_for_lrouter(
|
|
|
ebb439 |
"icmp6.type = 2; /* Packet Too Big. */ "
|
|
|
ebb439 |
"icmp6.code = 0; "
|
|
|
ebb439 |
"icmp6.frag_mtu = %d; "
|
|
|
ebb439 |
- "next(pipeline=ingress, table=0); };",
|
|
|
ebb439 |
+ "next(pipeline=ingress, table=%d); };",
|
|
|
ebb439 |
rp->lrp_networks.ea_s,
|
|
|
ebb439 |
rp->lrp_networks.ipv6_addrs[0].addr_s,
|
|
|
ebb439 |
- gw_mtu);
|
|
|
ebb439 |
+ gw_mtu,
|
|
|
ebb439 |
+ ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
|
|
|
ebb439 |
ovn_lflow_add_with_hint(lflows, od,
|
|
|
ebb439 |
S_ROUTER_IN_LARGER_PKTS, 50,
|
|
|
ebb439 |
ds_cstr(match), ds_cstr(actions),
|
|
|
ebb439 |
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
|
|
|
ebb439 |
index 99a9204f1..a6c32c115 100644
|
|
|
ebb439 |
--- a/tests/ovn-northd.at
|
|
|
ebb439 |
+++ b/tests/ovn-northd.at
|
|
|
ebb439 |
@@ -2010,3 +2010,250 @@ ovn-nbctl --wait=sb set NB_Global . options:ignore_lsp_down=true
|
|
|
ebb439 |
AT_CHECK([ovn-sbctl lflow-list | grep arp | grep 10\.0\.0\.1], [0], [ignore])
|
|
|
ebb439 |
|
|
|
ebb439 |
AT_CLEANUP
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_SETUP([ovn-northd -- reject ACL])
|
|
|
ebb439 |
+ovn_start
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+ovn-nbctl ls-add sw0
|
|
|
ebb439 |
+ovn-nbctl lsp-add sw0 sw0-p1
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+ovn-nbctl ls-add sw1
|
|
|
ebb439 |
+ovn-nbctl lsp-add sw1 sw1-p1
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+ovn-nbctl pg-add pg0 sw0-p1 sw1-p1
|
|
|
ebb439 |
+ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4 && tcp && tcp.dst == 80" reject
|
|
|
ebb439 |
+ovn-nbctl acl-add pg0 to-lport 1003 "outport == @pg0 && ip6 && udp" reject
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+ovn-nbctl --wait=hv sync
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl
|
|
|
ebb439 |
+ table=7 (ls_in_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };)
|
|
|
ebb439 |
+ table=7 (ls_in_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };)
|
|
|
ebb439 |
+ table=7 (ls_in_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
|
|
|
ebb439 |
+ table=7 (ls_in_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
|
|
|
ebb439 |
+])
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_in_acl" | grep pg0 | sort], [0], [dnl
|
|
|
ebb439 |
+ table=7 (ls_in_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=(ip4 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=egress,table=6); };)
|
|
|
ebb439 |
+ table=7 (ls_in_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=(ip6 && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=egress,table=6); };)
|
|
|
ebb439 |
+ table=7 (ls_in_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=(ip4 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
|
|
|
ebb439 |
+ table=7 (ls_in_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=(ip6 && tcp && (inport == @pg0 && ip4 && tcp && tcp.dst == 80)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=egress,table=6); };)
|
|
|
ebb439 |
+])
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+])
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+])
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+])
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=(ip4 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=(ip6 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=(ip4 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=(ip6 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=(ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=(ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=(ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=(ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+])
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+ovn-nbctl --wait=sb acl-add pg0 to-lport 1001 "outport == @pg0 && ip" allow-related
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CHECK([ovn-sbctl lflow-list sw0 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2001 , dnl
|
|
|
ebb439 |
+match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl
|
|
|
ebb439 |
+action=(reg0[[1]] = 1; next;)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2001 , dnl
|
|
|
ebb439 |
+match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+])
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CHECK([ovn-sbctl lflow-list sw1 | grep "ls_out_acl" | grep pg0 | sort], [0], [dnl
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2001 , dnl
|
|
|
ebb439 |
+match=(reg0[[7]] == 1 && (outport == @pg0 && ip)), dnl
|
|
|
ebb439 |
+action=(reg0[[1]] = 1; next;)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2001 , dnl
|
|
|
ebb439 |
+match=(reg0[[8]] == 1 && (outport == @pg0 && ip)), action=(next;)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2002 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(ct_commit { ct_label.blocked = 1; }; reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip4 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2003 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip6 && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2012 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip4 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=((reg0[[10]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip4 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip4.dst <-> ip4.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+ table=5 (ls_out_acl ), priority=2013 , dnl
|
|
|
ebb439 |
+match=((reg0[[9]] == 1) && ip6 && tcp && (outport == @pg0 && ip6 && udp)), dnl
|
|
|
ebb439 |
+action=(reg0 = 0; eth.dst <-> eth.src; ip6.dst <-> ip6.src; tcp_reset { outport <-> inport; next(pipeline=ingress,table=20); };)
|
|
|
ebb439 |
+])
|
|
|
ebb439 |
+
|
|
|
ebb439 |
+AT_CLEANUP
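Review bot: The `ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject` that precedes the third pair of ls_out_acl checks is not followed by any wait, unlike the earlier `--wait=hv sync` and the later `--wait=sb acl-add`, so the immediately following `ovn-sbctl lflow-list sw0` can run before ovn-northd has recomputed the logical flows and the expected priority-2002 entries may be absent — a flaky failure. Make it `ovn-nbctl --wait=sb acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && udp" reject`. The expected output also pins `table=6` and `table=20` as literals, which is exactly what the C change is moving away from; a cross-check such as `AT_CHECK([ovn-sbctl lflow-list sw0 | grep -q "table=6 (ls_out_qos_mark"])` would make a future failure point at the stage that moved rather than at the literal, assuming lflow-list prints stage names in the `table=N (name )` form shown in the expected output.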
|
|
|
ebb439 |
--
|
|
|
ebb439 |
2.26.2
|
|
|
ebb439 |
|