Justin, are you going to take a look at this?
On Wed, Aug 30, 2017 at 03:42:31PM -0700, Han Zhou wrote: > INVALID packets doesn't map to any ACL, but sometimes we need to > know when these packets are detected and dropped. This patch supports > logging for such packets and provides a global configuration in NB > to enable/disable this behavior. Default behavior is not logging, > so that it is backward compatible. > > Signed-off-by: Han Zhou <[email protected]> > --- > ovn/northd/ovn-northd.c | 20 +++++++++++++------- > ovn/ovn-nb.ovsschema | 8 +++++--- > ovn/ovn-nb.xml | 6 ++++++ > tests/ovn.at | 11 ++++++++++- > 4 files changed, 34 insertions(+), 11 deletions(-) > > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > index 49e4ac3..b003d96 100644 > --- a/ovn/northd/ovn-northd.c > +++ b/ovn/northd/ovn-northd.c > @@ -3052,7 +3052,8 @@ build_acl_log(struct ds *actions, const struct > nbrec_acl *acl) > } > > static void > -build_acls(struct ovn_datapath *od, struct hmap *lflows) > +build_acls(struct northd_context *ctx, struct ovn_datapath *od, > + struct hmap *lflows) > { > bool has_stateful = has_stateful_acl(od); > > @@ -3098,12 +3099,16 @@ build_acls(struct ovn_datapath *od, struct hmap > *lflows) > * for deletion (bit 0 of ct_label is set). > * > * This is enforced at a higher priority than ACLs can be defined. */ > + const struct nbrec_nb_global *nbg = > nbrec_nb_global_first(ctx->ovnnb_idl); > + bool acl_log_invalid = nbg ? nbg->acl_log_invalid : false; > ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, > "ct.inv || (ct.est && ct.rpl && ct_label.blocked == > 1)", > - "drop;"); > + acl_log_invalid ? > + "log(name=\"INVALID\", verdict=drop); /* drop */" : > "drop;"); > ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, > "ct.inv || (ct.est && ct.rpl && ct_label.blocked == > 1)", > - "drop;"); > + acl_log_invalid ? > + "log(name=\"INVALID\", verdict=drop); /* drop */" : > "drop;"); > > /* Ingress and Egress ACL Table (Priority 65535). > * 
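Review bot: `bool acl_log_invalid = nbg ? nbg->acl_log_invalid : false;` reads the new NB_Global column as a plain bool, but the schema hunk declares it with `"min": 0, "max": 1`; if ovsdb-idlc emits this optional scalar column as a pointer plus `n_` count, as it does for other optional integer/boolean columns, the expression is true whenever the column is set at all, so `acl_log_invalid=false` would still enable logging — please confirm against the generated `nbrec_nb_global`. Either declare the column as a plain `"boolean"` (which defaults to false and yields a plain `bool` field) or test the stored value explicitly, e.g. `bool acl_log_invalid = nbg && nbg->n_acl_log_invalid && nbg->acl_log_invalid[0];`. Separately, once enabled every packet matching `ct.inv` at priority UINT16_MAX goes through the log action, which the test shows ends up in ovn-controller's log, so a burst of invalid traffic turns directly into controller log volume; the ovn-nb.xml column text should say so, so operators enable it knowingly. build_acls continues outside the hunk.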
> @@ -3478,8 +3483,9 @@ build_stateful(struct ovn_datapath *od, struct hmap > *lflows) > } > > static void > -build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, > - struct hmap *lflows, struct hmap *mcgroups) > +build_lswitch_flows(struct northd_context *ctx, struct hmap *datapaths, > + struct hmap *ports, struct hmap *lflows, > + struct hmap *mcgroups) > { > /* This flow table structure is documented in ovn-northd(8), so please > * update ovn-northd.8.xml if you change anything. */ > @@ -3498,7 +3504,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap > *ports, > build_pre_acls(od, lflows); > build_pre_lb(od, lflows); > build_pre_stateful(od, lflows); > - build_acls(od, lflows); > + build_acls(ctx, od, lflows); > build_qos(od, lflows); > build_lb(od, lflows); > build_stateful(od, lflows); > @@ -5658,7 +5664,7 @@ build_lflows(struct northd_context *ctx, struct hmap > *datapaths, > struct hmap lflows = HMAP_INITIALIZER(&lflows); > struct hmap mcgroups = HMAP_INITIALIZER(&mcgroups); > > - build_lswitch_flows(datapaths, ports, &lflows, &mcgroups); > + build_lswitch_flows(ctx, datapaths, ports, &lflows, &mcgroups); > build_lrouter_flows(datapaths, ports, &lflows); > > /* Push changes to the Logical_Flow table to database. */ > diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema > index a077bfb..2db788e 100644 > --- a/ovn/ovn-nb.ovsschema > +++ b/ovn/ovn-nb.ovsschema > @@ -1,7 +1,7 @@ > { > "name": "OVN_Northbound", > - "version": "5.8.0", > - "cksum": "2812300190 16766", > + "version": "5.9.0", > + "cksum": "2103124828 16872", > "tables": { > "NB_Global": { > "columns": { > @@ -19,7 +19,9 @@ > "ssl": { > "type": {"key": {"type": "uuid", > "refTable": "SSL"}, > - "min": 0, "max": 1}}}, > + "min": 0, "max": 1}}, > + "acl_log_invalid": { > + "type": {"key": "boolean", "min": 0, "max": 1}}}, > "maxRows": 1, > "isRoot": true}, > "Logical_Switch": { > diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml > index be72610..1cf349e 100644 
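Review bot: Threading `struct northd_context *ctx` through build_lswitch_flows into build_acls only to call nbrec_nb_global_first() there means the NB_Global row is looked up once per logical switch inside the per-datapath loop that now calls `build_acls(ctx, od, lflows)`. Reading it once in build_lflows (which already receives ctx) or at the top of build_lswitch_flows and passing a `bool acl_log_invalid` down would keep build_acls free of IDL access and match the other per-datapath builders in that loop, which take only `od` and `lflows`. The bodies of build_lswitch_flows and build_lflows continue outside their hunks.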
> --- a/ovn/ovn-nb.xml > +++ b/ovn/ovn-nb.xml > @@ -80,6 +80,12 @@ > Global SSL configuration. > </column> > </group> > + <group title="ACL Logging Options"> > + These columns controls the behaviour related to ACL logging. > + <column name="acl_log_invalid"> > + Whether to log the packets classified as invalid by conntrack. > + </column> > + </group> > </table> > > <table name="Logical_Switch" title="L2 logical switch"> > diff --git a/tests/ovn.at b/tests/ovn.at > index fb9fc73..c3af03d 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at > @@ -5775,6 +5775,8 @@ ovn-nbctl --wait=sb lsp-add lsw0 lp1 > ovn-nbctl --wait=sb lsp-add lsw0 lp2 > ovn-nbctl lsp-set-addresses lp1 $lp1_mac > ovn-nbctl lsp-set-addresses lp2 $lp2_mac > +# enable logging for invalid packets > +ovn-nbctl set nb_global . acl_log_invalid=true > ovn-nbctl --wait=sb sync > > ovn-nbctl acl-add lsw0 to-lport 1000 'tcp.dst==80' drop 
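Review bot: The test only exercises the enabled path: `ovn-nbctl set nb_global . acl_log_invalid=true` is issued before any ACL is added and the column is never cleared, so neither the default (column unset) nor an explicit `false` is checked, and those are exactly the cases where a wrong reading of the optional column would go unnoticed. A follow-up check that clears the column with `ovn-nbctl --wait=sb clear nb_global . acl_log_invalid` and then asserts that `ovn-sbctl lflow-list` no longer contains `name="INVALID"` would pin the backward-compatible default the commit message promises. In the ovn-nb.xml hunk just above, `These columns controls the behaviour` should read `These columns control the behavior`.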
> @@ -5840,13 +5842,20 @@ packet="inport==\"lp1\" && eth.src==$lp1_mac && > eth.dst==$lp2_mac && > tcp && tcp.flags==2 && tcp.src==4367 && tcp.dst==87" > as hv ovs-appctl -t ovn-controller inject-pkt "$packet" > > -OVS_WAIT_UNTIL([ test 4 = $(grep -c 'acl_log' hv/ovn-controller.log) ]) > +# Send packet that is invalid and should be dropped with logging. > +packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac && > + ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip && > + tcp && tcp.src==4367 && tcp.dst==99" > +as hv ovs-appctl -t ovn-controller inject-pkt "$packet" > + > +OVS_WAIT_UNTIL([ test 5 = $(grep -c 'acl_log' hv/ovn-controller.log) ]) > > AT_CHECK([grep 'acl_log' hv/ovn-controller.log | sed 's/.*name=/name=/'], > [0], [dnl > name="drop-flow", verdict=drop, severity=alert: > tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4361,tp_dst=81,tcp_flags=syn > name="allow-flow", verdict=allow, severity=info: > tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4363,tp_dst=83,tcp_flags=syn > name="<unnamed>", verdict=allow, severity=info: > tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4365,tp_dst=85,tcp_flags=syn > name="reject-flow", verdict=reject, severity=alert: > tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=87,tcp_flags=syn > +name="INVALID", verdict=drop, severity=info: > tcp,vlan_tci=0x0000,dl_src=f0:00:00:00:00:01,dl_dst=f0:00:00:00:00:02,nw_src=192.168.1.2,nw_dst=192.168.1.3,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4367,tp_dst=99,tcp_flags=0 > ]) > > OVN_CLEANUP([hv]) > -- > 2.1.0 > > _______________________________________________ > dev mailing list > 
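Review bot: The expected line `name="INVALID", verdict=drop, severity=info:` shows the new flow logging a drop at info, while the drop and reject ACLs in the same expected output log at alert; the action string built in build_acls omits `severity`, so if dropped-invalid packets are meant to be treated like the other drops, add `severity=alert` to that log action and update this expectation, or state in the ovn-nb.xml column text that these entries are emitted at info. The comment `# Send packet that is invalid and should be dropped with logging.` would be more useful if it said why the packet is invalid; the expected output shows `tcp_flags=0`, so something like `# TCP packet with no flags and no existing connection, so conntrack classifies it as invalid` documents the intent.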
