On 02/08/2016 13:19, "Joe Stringer" <j...@ovn.org> wrote: >On 2 August 2016 at 11:58, Daniele Di Proietto <diproiet...@vmware.com> wrote: >> The conntrack unit tests seem to generate different megaflow masks on >> Windows. The megaflow masks depend on the internal ordering of the >> subtables, which are sorted using qsort(), based on their max priority. >> If two subtables have the same priority the ordering between them depend >> on the stability property of qsort(), which apparently are different >> between Windows and Linux/*BSD. >> >> This commit uses multiple OpenFlow tables to build our conntrack >> pipelines in the tests, which gives us more control over the visited >> subtables and also improves clarity >> >> Reported-by: Alin Serdean <aserd...@cloudbasesolutions.com> >> Signed-off-by: Daniele Di Proietto <diproiet...@vmware.com> > >Thanks for fixing this, LGTM. > >Minor comment, the flows for port 2 in table 0 in each of these tests >don't really need a match on ct_state=-trk now that we have different >tables for pre-conntrack and post-conntrack flows.
Good point, I removed all the superfluous ct_state=-trk from the tables. > >Acked-by: Joe Stringer <j...@ovn.org> Thanks for the fast review, applied to master > >> --- >> tests/ofproto-dpif.at | 263 >> +++++++++++++++++++++++++++++++++----------------- >> 1 file changed, 174 insertions(+), 89 deletions(-) >> >> diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at >> index 5ce6439..b2373d3 100644 >> --- a/tests/ofproto-dpif.at >> +++ b/tests/ofproto-dpif.at >> @@ -8107,11 +8107,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2, but not on p2->p1. >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,udp,action=ct(commit,zone=0),controller >> -priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0,zone=0) >> -priority=100,in_port=2,ct_state=+trk+est-new,udp,action=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,udp,action=ct(commit,zone=0),controller >> +table=0,priority=10,in_port=2,ct_state=-trk,udp,action=ct(table=1,zone=0) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp,action=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8137,7 +8143,7 @@ AT_CHECK([cat ofctl_monitor.log], [0], [dnl >> NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) >> data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=1,tp_dst=2 >> udp_csum:e9d6 >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 >> udp_csum:e9d6 >> ]) >> >> @@ -8160,7 +8166,7 @@ AT_CHECK([cat ofctl_monitor.log], [0], [dnl >> NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) >> data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=3,tp_dst=4 >> udp_csum:e9d2 >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4,tp_dst=3 >> udp_csum:e9d2 >> ]) >> >> @@ -8176,11 +8182,16 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2, but not on p2->p1. >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,udp6,action=ct(commit,zone=0),controller >> -priority=100,in_port=2,ct_state=-trk,udp6,action=ct(table=0,zone=0) >> -priority=100,in_port=2,ct_state=+trk+est-new,udp6,action=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,udp6,action=ct(commit,zone=0),controller >> +table=0,priority=10,in_port=2,ct_state=-trk,udp6,action=ct(table=1,zone=0) >> +table=0,priority=1,action=drop >> +dnl Table 1 >> +dnl >> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp6,action=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8205,7 +8216,7 @@ dnl happens because the ct_state field is available >> only after recirc. >> AT_CHECK([cat ofctl_monitor.log], [0], [dnl >> NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=62 in_port=1 (via action) >> data_len=62 (unbuffered) >> >> udp6,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,ipv6_src=2001:db8::1,ipv6_dst=2001:db8::2,ipv6_label=0x00000,nw_tos=112,nw_ecn=0,nw_ttl=128,tp_src=1,tp_dst=2 >> udp_csum:a466 >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=62 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=62 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=62 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=62 (unbuffered) >> >> udp6,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,ipv6_src=2001:db8::2,ipv6_dst=2001:db8::1,ipv6_label=0x00000,nw_tos=112,nw_ecn=0,nw_ttl=128,tp_src=2,tp_dst=1 >> udp_csum:a466 >> ]) >> >> @@ -8221,11 +8232,26 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2. Allow only established connections >> p2->p1 >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,udp,action=ct(commit,zone=0),2 >> -priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0,zone=0) >> -priority=100,in_port=2,ct_state=+trk+est-new,udp,action=1 >> +dnl The flows are in two separate tables for two reasons: >> +dnl * To make the pipeline more clear. >> +dnl * To make megaflows more consistent (we check megaflows below). The >> +dnl unwildcarding in megaflows depends on the internal ordering of the >> +dnl subtables, which are sorted using the system qsort(). qsort() >> +dnl is provided by libc and may or may not be stable, so we can't rely >> +dnl on that. By having separate tables we have more control over which >> +dnl subtables are visited, meaning consistent megaflows. >> +dnl >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,udp,action=ct(commit,zone=0),2 >> +table=0,priority=10,in_port=2,ct_state=-trk,udp,action=ct(table=1,zone=0) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp,action=1 >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8265,11 +8291,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2. Allow only established connections >> p2->p1 >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,udp,action=ct(commit,zone=0) >> -priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0,zone=0) >> -priority=100,in_port=2,ct_state=+trk+est-new,udp,action=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,udp,action=ct(commit,zone=0) >> +table=0,priority=10,in_port=2,ct_state=-trk,udp,action=ct(table=1,zone=0) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp,action=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8295,7 +8327,7 @@ OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit]) >> >> dnl Check this output. Only one reply must be there >> AT_CHECK([cat ofctl_monitor.log], [0], [dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 >> udp_csum:e9d6 >> dnl >> OFPT_ECHO_REQUEST (xid=0x0): 0 bytes of payload >> @@ -8347,14 +8379,20 @@ dnl Allow new connections on p1->p2 or p3->p4. >> dnl Allow only established connections p2->p1 and p4->p3 >> dnl p1,p2 and p3,p4 are on different zones >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,udp,action=ct(commit,zone=0),controller >> -priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0,zone=0) >> -priority=100,in_port=2,ct_state=+trk+est-new,udp,action=controller >> -priority=100,in_port=3,udp,action=ct(commit,zone=1),controller >> -priority=100,in_port=4,ct_state=-trk,udp,action=ct(table=0,zone=1) >> -priority=100,in_port=4,ct_state=+trk+est-new,udp,action=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,udp,action=ct(commit,zone=0),controller >> +table=0,priority=10,in_port=2,ct_state=-trk,udp,action=ct(table=1,zone=0) >> +table=0,priority=10,in_port=3,udp,action=ct(commit,zone=1),controller >> +table=0,priority=10,in_port=4,ct_state=-trk,udp,action=ct(table=1,zone=1) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp,action=controller >> +table=1,priority=10,in_port=4,ct_state=+trk+est-new,udp,action=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8382,17 +8420,16 @@ AT_CHECK([cat ofctl_monitor.log], [0], [dnl >> NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) >> data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=1,tp_dst=2 >> udp_csum:e9d6 >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 >> udp_csum:e9d6 >> dnl >> NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 in_port=3 (via action) >> data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=1,tp_dst=2 >> udp_csum:e9d6 >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_zone=1,in_port=4 (via action) data_len=42 >> (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_zone=1,in_port=4 (via action) data_len=42 >> (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 >> udp_csum:e9d6 >> ]) >> >> - >> OVS_VSWITCHD_STOP >> AT_CLEANUP >> >> @@ -8405,11 +8442,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2. Allow only established connections >> p2->p1 >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,ct_state=-trk,udp,action=ct(table=0,zone=0) >> -priority=100,in_port=1,ct_state=+trk+new,udp,action=ct(commit,zone=0),controller >> -priority=100,ct_state=+trk+est,udp,action=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,ct_state=-trk,udp,action=ct(table=1,zone=0) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,in_port=1,ct_state=+trk+new,udp,action=ct(commit,zone=0),controller >> +table=1,priority=10,ct_state=+trk+est,udp,action=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8430,10 +8473,10 @@ OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit]) >> >> dnl Check this output. We only see the latter two packets, not the first. >> AT_CHECK([cat ofctl_monitor.log], [0], [dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=new|trk,in_port=1 >> (via action) data_len=42 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=new|trk,in_port=1 (via action) data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=1,tp_dst=2 >> udp_csum:e9d6 >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 >> udp_csum:e9d6 >> ]) >> >> @@ -8447,12 +8490,18 @@ add_of_ports br0 1 2 >> >> dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from >> ns1->ns0. >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,ct_state=-trk,udp,action=ct(commit,zone=0,table=0) >> -priority=100,in_port=1,ct_state=+trk,actions=controller >> -priority=100,in_port=2,ct_state=-trk,action=ct(table=0,zone=0) >> -priority=100,in_port=2,ct_state=+trk-inv-new,action=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,ct_state=-trk,udp,action=ct(commit,table=1) >> +table=0,priority=10,in_port=2,ct_state=-trk,action=ct(table=1) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,in_port=1,ct_state=+trk,action=controller >> +table=1,priority=10,in_port=2,ct_state=+trk-inv-new,action=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8461,23 +8510,23 @@ AT_CAPTURE_FILE([ofctl_monitor.log]) >> AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl -P nxt_packet_in --detach >> --no-chdir --pidfile 2> ofctl_monitor.log]) >> >> dnl 1. Send an ICMP port unreach reply for port 8738, without any previous >> request >> -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0,zone=0\) >> 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000da5a06369616f0a']) >> +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=1\) >> 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000da5a06369616f0a']) >> >> dnl 2. Send and UDP packet to port 5555 >> -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 >> ct\(commit,zone=0,table=0\) >> 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) >> +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=1\) >> 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) >> >> dnl 3. Send an ICMP port unreach reply for port 5555, related to the first >> packet >> -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0,zone=0\) >> 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) >> +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=1\) >> 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a']) >> >> OVS_WAIT_UNTIL([test `wc -l < ofctl_monitor.log` -ge 4]) >> OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit]) >> >> dnl Check this output. We only see the first and the last packet >> AT_CHECK([cat ofctl_monitor.log], [0], [dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 >> (via action) data_len=47 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=47 >> ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 >> udp_csum:2096 >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 >> ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=75 >> ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered) >> >> icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 >> icmp_csum:553f >> ]) >> >> @@ -8493,13 +8542,19 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2. Allow only established connections >> p2->p1 >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_mark)),controller >> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=3,action=ct(commit,exec(set_field:3->ct_mark)),controller >> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=5,action=ct(commit,exec(set_field:5->ct_mark)),controller >> -priority=100,in_port=2,ct_state=-trk,actions=ct(table=0) >> -priority=100,ct_state=+trk+rpl,ct_mark=0/4,actions=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_mark)),controller >> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=3,action=ct(commit,exec(set_field:3->ct_mark)),controller >> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=5,action=ct(commit,exec(set_field:5->ct_mark)),controller >> +table=0,priority=10,in_port=2,ct_state=-trk,actions=ct(table=1) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=100,ct_state=+trk+rpl,ct_mark=0/4,actions=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8529,10 +8584,10 @@ dnl >> NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_mark=0x5,in_port=1 (via >> action) data_len=42 (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=5,tp_dst=6 >> udp_csum:e9ce >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_mark=0x1,in_port=2 (via action) data_len=42 >> (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_mark=0x1,in_port=2 (via action) data_len=42 >> (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 >> udp_csum:e9d6 >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_mark=0x3,in_port=2 (via action) data_len=42 >> (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_mark=0x3,in_port=2 (via action) data_len=42 >> (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4,tp_dst=3 >> udp_csum:e9d2 >> ]) >> >> @@ -8548,12 +8603,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2. Allow only established connections >> p2->p1 >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:000000000000000001->ct_label)) >> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=3,action=ct(commit,exec(set_field:000000000000000002->ct_label)) >> -priority=100,in_port=2,ct_state=-trk,actions=ct(table=0) >> -priority=100,ct_state=+trk+rpl,actions=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:000000000000000001->ct_label)) >> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=3,action=ct(commit,exec(set_field:000000000000000002->ct_label)) >> +table=0,priority=10,in_port=2,ct_state=-trk,actions=ct(table=1) >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,ct_state=+trk+rpl,actions=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8572,10 +8632,10 @@ OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit]) >> >> dnl Check this output. >> AT_CHECK([cat ofctl_monitor.log], [0], [dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_label=0x1,in_port=2 (via action) data_len=42 >> (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_label=0x1,in_port=2 (via action) data_len=42 >> (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 >> udp_csum:e9d6 >> dnl >> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_label=0x2,in_port=2 (via action) data_len=42 >> (unbuffered) >> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 >> ct_state=est|rpl|trk,ct_label=0x2,in_port=2 (via action) data_len=42 >> (unbuffered) >> >> udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4,tp_dst=3 >> udp_csum:e9d2 >> ]) >> >> @@ -8591,11 +8651,26 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2. Allow only established connections >> p2->p1 >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_label)),2 >> -priority=100,in_port=2,ct_state=-trk,actions=ct(table=0) >> -priority=100,ct_state=+trk+rpl,ct_label=0x1,actions=1 >> +dnl The flows are in two separate tables for two reasons: >> +dnl * To make the pipeline more clear. >> +dnl * To make megaflows more consistent (we check megaflows below). The >> +dnl unwildcarding in megaflows depends on the internal ordering of the >> +dnl subtables, which are sorted using the system qsort(). qsort() >> +dnl is provided by libc and may or may not be stable, so we can't rely >> +dnl on that. By having separate tables we have more control over which >> +dnl subtables are visited, meaning consistent megaflows. >> +dnl >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_label)),2 >> +table=0,priority=10,in_port=2,ct_state=-trk,actions=ct(table=1) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,ct_state=+trk+rpl,ct_label=0x1,actions=1 >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8645,17 +8720,22 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2. Allow only established connections >> p2->p1 >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -in_port=1,ip,ct_state=-trk,action=ct(commit,table=0) >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,ip,ct_state=-trk,action=ct(commit,table=1) >> +table=0,priority=10,in_port=2,ip,ct_state=-trk,action=ct(table=1) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> dnl The following two flows are separated to explicitly count the packets >> dnl that create a new connection >> -priority=100,cookie=0x1,in_port=1,ip,ct_state=+trk+new-inv-rpl,action=2 >> -priority=100,in_port=1,ip,ct_state=+trk-new-inv-rpl,action=2 >> +table=1,priority=100,cookie=0x1,in_port=1,ip,ct_state=+trk+new-inv-rpl,action=2 >> +table=1,priority=100,in_port=1,ip,ct_state=+trk-new-inv-rpl,action=2 >> dnl >> -priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0) >> -priority=100,in_port=2,ip,ct_state=+trk+est+rpl-new-inv,action=1 >> -ip,ct_state=+trk+inv,action=drop >> +table=1,priority=100,in_port=2,ip,ct_state=+trk+est+rpl-new-inv,action=1 >> +table=1,ip,ct_state=+trk+inv,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> @@ -8704,12 +8784,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg >> vconn:info ofproto_dpif:info]) >> >> dnl Allow new connections on p1->p2. Allow only established connections >> p2->p1 >> AT_DATA([flows.txt], [dnl >> -priority=1,action=drop >> -priority=10,arp,action=normal >> -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=0,table=0) >> -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=0) >> -priority=100,in_port=2,tcp,ct_state=+trk+est-new,action=drop >> -cookie=0x1,ip,ct_state=+trk+inv,action=controller >> +dnl Table 0 >> +dnl >> +table=0,priority=100,arp,action=normal >> +table=0,priority=10,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=1) >> +table=0,priority=10,in_port=2,tcp,ct_state=-trk,action=ct(table=1) >> +table=0,priority=1,action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +table=1,priority=10,cookie=0x1,ip,ct_state=+trk+inv,action=controller >> +table=1,priority=1,action=drop >> ]) >> >> AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) >> -- >> 2.8.1 >> >> _______________________________________________ >> dev mailing list >> dev@openvswitch.org >> http://openvswitch.org/mailman/listinfo/dev _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev