Thanks for the rebase, Lorenzo.

I pushed this to main, branch-22.03, and branch-21.12.

On 5/9/22 16:24, Lorenzo Bianconi wrote:
Use cidr_bits instead of ovs_be32 mask to compute logical flows
priority for nat rules if exempted_ext_ips is specified.
This patch fixes an issue for IPv6 snat where the exempted_ext_ips
configuration does not take effect.

Acked-by: Mark Michelson <[email protected]>
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2066611
Signed-off-by: Lorenzo Bianconi <[email protected]>
---
Changes since v1:
- rebase on top of ovn master
---
  northd/northd.c | 21 ++++++++++-----------
  1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index a56666297..d197c343f 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -10306,7 +10306,7 @@ static inline void
  lrouter_nat_add_ext_ip_match(struct ovn_datapath *od,
                               struct hmap *lflows, struct ds *match,
                               const struct nbrec_nat *nat,
-                             bool is_v6, bool is_src, ovs_be32 mask)
+                             bool is_v6, bool is_src, int cidr_bits)
  {
      struct nbrec_address_set *allowed_ext_ips = nat->allowed_ext_ips;
      struct nbrec_address_set *exempted_ext_ips = nat->exempted_ext_ips;
@@ -10342,7 +10342,7 @@ lrouter_nat_add_ext_ip_match(struct ovn_datapath *od,
              priority = 100 + 2;
          } else {
              /* S_ROUTER_OUT_SNAT uses priority (mask + 1 + 128 + 1) */
-            priority = count_1bits(ntohl(mask)) + 3;
+            priority = cidr_bits + 3;
if (!od->is_gw_router) {
                  priority += 128;
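Review bot: The comment directly above the changed line still describes the priority as `(mask + 1 + 128 + 1)` although the value is now derived from `cidr_bits`; I would update it to `/* S_ROUTER_OUT_SNAT uses priority (cidr_bits + 1 + 128 + 1) */`. The exemption only takes effect while this value stays above the priority of the matching SNAT flow, which is presumably computed in build_lrouter_out_snat_flow outside this hunk, so the `+ 3` / `+ 128` arithmetic lives in two places and a later change to one side could silently cause exempted addresses to be translated again. The diffstat lists only northd/northd.c, so no regression test covers an IPv6 snat rule with exempted_ext_ips; a northd test asserting that the exempt flow's priority exceeds the SNAT flow's for both address families would pin the fix. The enclosing function lrouter_nat_add_ext_ip_match starts and ends outside this hunk.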
@@ -12842,7 +12842,7 @@ static void
  build_lrouter_in_dnat_flow(struct hmap *lflows, struct ovn_datapath *od,
                             const struct nbrec_nat *nat, struct ds *match,
                             struct ds *actions, bool distributed,
-                           ovs_be32 mask, bool is_v6,
+                           int cidr_bits, bool is_v6,
                             struct ovn_port *l3dgw_port)
  {
      /* Ingress DNAT table: Packets enter the pipeline with destination
@@ -12861,7 +12861,7 @@ build_lrouter_in_dnat_flow(struct hmap *lflows, struct 
ovn_datapath *od,
              ds_clear(actions);
              if (nat->allowed_ext_ips || nat->exempted_ext_ips) {
                  lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-                                             is_v6, true, mask);
+                                             is_v6, true, cidr_bits);
              }
if (!lport_addresses_is_empty(&od->dnat_force_snat_addrs)) {
@@ -12905,7 +12905,7 @@ build_lrouter_in_dnat_flow(struct hmap *lflows, struct 
ovn_datapath *od,
              ds_clear(actions);
              if (nat->allowed_ext_ips || nat->exempted_ext_ips) {
                  lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-                                             is_v6, true, mask);
+                                             is_v6, true, cidr_bits);
              }
if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
@@ -13009,8 +13009,7 @@ static void
  build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od,
                              const struct nbrec_nat *nat, struct ds *match,
                              struct ds *actions, bool distributed,
-                            struct eth_addr mac, ovs_be32 mask,
-                            int cidr_bits, bool is_v6,
+                            struct eth_addr mac, int cidr_bits, bool is_v6,
                              struct ovn_port *l3dgw_port)
  {
      /* Egress SNAT table: Packets enter the egress pipeline with
@@ -13029,7 +13028,7 @@ build_lrouter_out_snat_flow(struct hmap *lflows, struct 
ovn_datapath *od,
if (nat->allowed_ext_ips || nat->exempted_ext_ips) {
              lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-                                         is_v6, false, mask);
+                                         is_v6, false, cidr_bits);
          }
if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
@@ -13078,7 +13077,7 @@ build_lrouter_out_snat_flow(struct hmap *lflows, struct 
ovn_datapath *od,
if (nat->allowed_ext_ips || nat->exempted_ext_ips) {
              lrouter_nat_add_ext_ip_match(od, lflows, match, nat,
-                                         is_v6, false, mask);
+                                         is_v6, false, cidr_bits);
          }
if (distributed) {
@@ -13440,7 +13439,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath 
*od, struct hmap *lflows,
                                       is_v6, l3dgw_port);
          /* S_ROUTER_IN_DNAT */
          build_lrouter_in_dnat_flow(lflows, od, nat, match, actions, 
distributed,
-                                   mask, is_v6, l3dgw_port);
+                                   cidr_bits, is_v6, l3dgw_port);
/* ARP resolve for NAT IPs. */
          if (od->is_gw_router) {
@@ -13479,7 +13478,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath 
*od, struct hmap *lflows,
                                        mac, is_v6, l3dgw_port);
          /* S_ROUTER_OUT_SNAT */
          build_lrouter_out_snat_flow(lflows, od, nat, match, actions, 
distributed,
-                                    mac, mask, cidr_bits, is_v6, l3dgw_port);
+                                    mac, cidr_bits, is_v6, l3dgw_port);
/* S_ROUTER_IN_ADMISSION - S_ROUTER_IN_IP_INPUT */
          build_lrouter_ingress_flow(lflows, od, nat, match, actions, mac,

