From 35a77738b9032480c3983ff93080cd1cada85fad Mon Sep 17 00:00:00 2001 From: Numan Siddique Date: Thu, 12 Mar 2020 15:58:38 +0530 Subject: [PATCH] ovn-northd: Add lflows to by pass the svc monitor packets from conntrack. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The commit [1] added lflows to by pass the service monitor health check packets from conntrack. But it missed out adding in the ingress pre_acl and egress pre_acl of logical switch pipeline. This patch adds these missing lflows. It also enhanced the system lb health check tests to add the acls to test this scenario. [1] - bb9f2b9ce56c("ovn-northd: Consider load balancer active backends in router pipeline) Fixes: bb9f2b9ce56c("ovn-northd: Consider load balancer active backends in router pipeline) Change-Id: I591f98dbb945ea63acf0d1f37f0bb09f43e205c7 Reported-by: Maciej Józefczyk Acked-by: Dumitru Ceara Acked-by: Maciej Jozefczyk Signed-off-by: Numan Siddique --- ovn/northd/ovn-northd.8.xml | 22 +++++++++++++++++++++- ovn/northd/ovn-northd.c | 15 ++++++++++++++- tests/ovn.at | 22 ++++++++++++++++++++++ tests/system-ovn.at | 22 ++++++++++++++++++++++ 4 files changed, 79 insertions(+), 2 deletions(-) diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index c09e5ff44..f4d6c8f08 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -283,6 +283,16 @@ priority-110 flow is added to skip over stateful ACLs.

+

+ This table also has a priority-110 flow with the match + eth.dst == E for all logical switch + datapaths to move traffic to the next table. Where E + is the service monitor mac defined in the + colum of table. +

+

Ingress Table 4: Pre-LB

@@ -310,7 +320,7 @@

This table also has a priority-110 flow with the match - eth.src == E for all logical switch + eth.dst == E for all logical switch datapaths to move traffic to the next table. Where E is the service monitor mac defined in the to-lport traffic.

+

+ This table also has a priority-110 flow with the match + eth.src == E for all logical switch + datapaths to move traffic to the next table. Where E + is the service monitor mac defined in the + colum of table. +

+

Egress Table 2: Pre-stateful

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index abe5508c3..c2ac5ce07 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -4502,6 +4502,16 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows) ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;"); + char *svc_check_match = xasprintf("eth.dst == %s", svc_monitor_mac); + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, svc_check_match, + "next;"); + free(svc_check_match); + + svc_check_match = xasprintf("eth.src == %s", svc_monitor_mac); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, svc_check_match, + "next;"); + free(svc_check_match); + /* If there are any stateful ACL rules in this datapath, we must * send all IP packets through the conntrack action, which handles * defragmentation, in order to match L4 headers. */ @@ -4672,9 +4682,12 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows, "nd || nd_rs || nd_ra", "next;"); /* Do not send service monitor packets to conntrack. */ - char *svc_check_match = xasprintf("eth.src == %s", svc_monitor_mac); + char *svc_check_match = xasprintf("eth.dst == %s", svc_monitor_mac); ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, svc_check_match, "next;"); + free(svc_check_match); + + svc_check_match = xasprintf("eth.src == %s", svc_monitor_mac); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, svc_check_match, "next;"); free(svc_check_match); diff --git a/tests/ovn.at b/tests/ovn.at index dd94776e6..9fb6e4f98 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -17032,12 +17032,34 @@ ovn-nbctl lsp-set-port-security sw0-p1 "50:54:00:00:00:03 10.0.0.3" ovn-nbctl lsp-set-addresses sw0-p2 "50:54:00:00:00:04 10.0.0.4" ovn-nbctl lsp-set-port-security sw0-p2 "50:54:00:00:00:04 10.0.0.4" +# Create port group and ACLs for sw0 ports. +ovn-nbctl pg-add pg0_drop sw0-p1 sw0-p2 +ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop +ovn-nbctl acl-add pg0_drop to-lport 1001 "outport == @pg0_drop && ip" drop + +ovn-nbctl pg-add pg0 sw0-p1 sw0-p2 +ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related + # Create the second logical switch with one port ovn-nbctl ls-add sw1 ovn-nbctl lsp-add sw1 sw1-p1 ovn-nbctl lsp-set-addresses sw1-p1 "40:54:00:00:00:03 20.0.0.3" ovn-nbctl lsp-set-port-security sw1-p1 "40:54:00:00:00:03 20.0.0.3" +# Create port group and ACLs for sw1 ports. +ovn-nbctl pg-add pg1_drop sw1-p1 +ovn-nbctl acl-add pg1_drop from-lport 1001 "inport == @pg1_drop && ip" drop +ovn-nbctl acl-add pg1_drop to-lport 1001 "outport == @pg1_drop && ip" drop + +ovn-nbctl pg-add pg1 sw1-p1 +ovn-nbctl acl-add pg1 from-lport 1002 "inport == @pg1 && ip4" allow-related +ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related +ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related +ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related + # Create a logical router and attach both logical switches ovn-nbctl lr-add lr0 ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24 diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 7d1c65d85..22e9a5926 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -2552,12 +2552,34 @@ ovn-nbctl lsp-add sw0 sw0-p2 ovn-nbctl lsp-set-addresses sw0-p2 "50:54:00:00:00:04 10.0.0.4" ovn-nbctl lsp-set-port-security sw0-p2 "50:54:00:00:00:04 10.0.0.4" +# Create port group and ACLs for sw0 ports. +ovn-nbctl pg-add pg0_drop sw0-p1 sw0-p2 +ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop +ovn-nbctl acl-add pg0_drop to-lport 1001 "outport == @pg0_drop && ip" drop + +ovn-nbctl pg-add pg0 sw0-p1 sw0-p2 +ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related + # Create the second logical switch with one port ovn-nbctl ls-add sw1 ovn-nbctl lsp-add sw1 sw1-p1 ovn-nbctl lsp-set-addresses sw1-p1 "40:54:00:00:00:03 20.0.0.3" ovn-nbctl lsp-set-port-security sw1-p1 "40:54:00:00:00:03 20.0.0.3" +# Create port group and ACLs for sw1 ports. +ovn-nbctl pg-add pg1_drop sw1-p1 +ovn-nbctl acl-add pg1_drop from-lport 1001 "inport == @pg1_drop && ip" drop +ovn-nbctl acl-add pg1_drop to-lport 1001 "outport == @pg1_drop && ip" drop + +ovn-nbctl pg-add pg1 sw1-p1 +ovn-nbctl acl-add pg1 from-lport 1002 "inport == @pg1 && ip4" allow-related +ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related +ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related +ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related + # Create a logical router and attach both logical switches ovn-nbctl lr-add lr0 ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24 -- 2.24.1