Please, ignore this patch. It contains errors, I’ll resend v2. Regards, Vladislav Odintsov
> On 8 Sep 2022, at 14:40, Vladislav Odintsov <[email protected]> wrote:
>
> Prior to this patch traffic to LSPs, which are disabled with
> `ovn-nbctl lsp-set-enabled <LSP> disabled` was dropped in the end of
> lswitch egress pipeline. This means that traffic is processed in vain:
> - traffic, which should be dropped, first travels from one chassis to
> another (if source/dest LSPs reside on different nodes) and dropped on
> the destination chassis;
> - when such traffic reaches destination chassis, if stateful services are
> enabled within logical switch, first traffic is sent to conntrack and
> is dropped after that.
>
> So it is costly to drop traffic in such manner especially in case LSP is
> disabled to prevent any harmful traffic to affect infrastructure. This
> patch changes "to-lport" drop behaviour. Now it is dropped in lswitch
> ingress pipeline to avoid sending traffic to disabled LSP from one
> chassis to another.
> Traffic doesn't reach conntrack in destination LSP's zone now as well.
>
> Port security testcases are updated.
>
> Signed-off-by: Vladislav Odintsov <[email protected]>
> ---
> northd/northd.c | 22 +++---
> tests/ovn-northd.at | 184 +++++++++++++++++++++++++++-----------------
> 2 files changed, 128 insertions(+), 78 deletions(-)
>
> diff --git a/northd/northd.c b/northd/northd.c
> index 4a40ec9b0..5497a88ca 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -5475,9 +5475,8 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct
> hmap *lflows,
> ds_clear(match);
> ds_put_format(match, "outport == %s", op->json_key);
> ovn_lflow_add_with_lport_and_hint(
> - lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150,
> - ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;",
> - op->key, &op->nbsp->header_);
> + lflows, op->od, S_SWITCH_IN_L2_UNKNOWN, 50, ds_cstr(match),
> + "drop;", op->key, &op->nbsp->header_);
> return;
> }
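Review bot: Replacing the `S_SWITCH_OUT_CHECK_PORT_SEC` flow with one in `S_SWITCH_IN_L2_UNKNOWN` (priority 50, match `outport == <port>`) removes the only egress-side drop for a disabled LSP, so a packet is now stopped only if it passes through that ingress stage with `outport` already set. Judging by the expected flows in tests/ovn-northd.at, that stage is fed by the priority-0 `outport = get_fdb(eth.dst); next;` flow, while other lookup flows end in `output;` directly; whether any of those can still select a disabled port cannot be seen from this patch and should be confirmed. Because the commit message names containment of harmful traffic as a reason to disable an LSP, consider keeping the egress flow as a backstop alongside the new one, and add a comment above the call such as `/* Drop FDB-resolved traffic to a disabled port in ingress; MAC-matched traffic is handled in L2_LKUP. */`. `build_lswitch_port_sec_op` starts and ends outside this hunk.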
>
> @@ -8466,6 +8465,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> * Ethernet address followed by zero or more IPv4
> * or IPv6 addresses (or both). */
> struct eth_addr mac;
> + bool lsp_enabled = lsp_is_enabled(op->nbsp);
> + char *action = lsp_enabled ? "output" : "drop";
> if (ovs_scan(op->nbsp->addresses[i],
> ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) {
> ds_clear(match);
> @@ -8473,13 +8474,14 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> ETH_ADDR_ARGS(mac));
>
> ds_clear(actions);
> - ds_put_format(actions, "outport = %s; output;",
> op->json_key);
> + ds_put_format(actions, "outport = %s; %s;", op->json_key,
> + action);
> ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP,
> 50, ds_cstr(match),
> ds_cstr(actions),
> &op->nbsp->header_);
> } else if (!strcmp(op->nbsp->addresses[i], "unknown")) {
> - if (lsp_is_enabled(op->nbsp)) {
> + if (lsp_enabled) {
> ovs_mutex_lock(&mcgroup_mutex);
> ovn_multicast_add(mcgroups, &mc_unknown, op);
> ovs_mutex_unlock(&mcgroup_mutex);
> @@ -8496,7 +8498,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> ETH_ADDR_ARGS(mac));
>
> ds_clear(actions);
> - ds_put_format(actions, "outport = %s; output;",
> op->json_key);
> + ds_put_format(actions, "outport = %s; %s;", op->json_key,
> + action);
> ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP,
> 50, ds_cstr(match),
> ds_cstr(actions),
> @@ -8544,7 +8547,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> }
>
> ds_clear(actions);
> - ds_put_format(actions, "outport = %s; output;",
> op->json_key);
> + ds_put_format(actions, "outport = %s; %s;", op->json_key,
> + action);
> ovn_lflow_add_with_hint(lflows, op->od,
> S_SWITCH_IN_L2_LKUP, 50,
> ds_cstr(match), ds_cstr(actions),
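Review bot: With `action` set to `"drop"`, the format `"outport = %s; %s;"` yields `outport = "sw0p1"; drop;`, and as far as I recall OVN's action parser accepts `drop;` only when it is the sole action of a flow, so these priority-50 lookup flows would likely be rejected by ovn-controller rather than drop anything. For a disabled port emit the bare action with `ds_put_cstr(actions, "drop;");` and keep `ds_put_format(actions, "outport = %s; output;", op->json_key);` for enabled ports; the same string is built in the hunks at -8473, -8496, -8544 and -8567. `action` points at string literals, so declare it `const char *action`. The loop body these lines belong to starts and ends outside the hunk.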
> @@ -8567,8 +8571,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> nat->logical_port);
>
> ds_clear(actions);
> - ds_put_format(actions, "outport = %s; output;",
> - op->json_key);
> + ds_put_format(actions, "outport = %s; %s;",
> + op->json_key, action);
> ovn_lflow_add_with_hint(lflows, op->od,
> S_SWITCH_IN_L2_LKUP, 50,
> ds_cstr(match),
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index d5136ac6d..521942aeb 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -7425,16 +7425,22 @@ check ovn-nbctl --wait=sb ls-add sw0 > ovn-sbctl dump-flows sw0 > sw0flows > AT_CAPTURE_FILE([sw0flows]) > > -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' > ], [0], [dnl > - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > - table=? (ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > ls_in_l2_unknown | \ > +sort | sed 's/table=../table=??/' ], [0], [dnl > + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport > = get_fdb(eth.dst); next;) > + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(handle_svc_check(inport);) > + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > action=(outport = "_MC_flood"; output;) > 
+ table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) > + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), > action=(drop;) > + table=??(ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > ]) > > check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 > "00:00:00:00:00:01" 
> @@ -7444,16 +7450,24 @@ check ovn-nbctl --wait=sb lsp-add sw0 localnetport -- > lsp-set-type localnetport > ovn-sbctl dump-flows sw0 > sw0flows > AT_CAPTURE_FILE([sw0flows]) > > -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' > ], [0], [dnl > - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > - table=? (ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > ls_in_l2_unknown | \ > +sort | sed 's/table=../table=??/' ], [0], [dnl > + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport > = get_fdb(eth.dst); next;) > + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(handle_svc_check(inport);) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > action=(outport = "_MC_flood"; output;) > + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) > + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), > action=(drop;) > + table=??(ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > ]) > > check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3 > 1000::3" 
> @@ -7462,16 +7476,24 @@ check ovn-nbctl --wait=sb lsp-set-port-security sw0p2 > "00:00:00:00:00:02 10.0.0. > ovn-sbctl dump-flows sw0 > sw0flows > AT_CAPTURE_FILE([sw0flows]) > > -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' > ], [0], [dnl > - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > - table=? (ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > ls_in_l2_unknown | \ > +sort | sed 's/table=../table=??/' ], [0], [dnl > + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport > = get_fdb(eth.dst); next;) > + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(handle_svc_check(inport);) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > action=(outport = "_MC_flood"; output;) > + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) > + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), > action=(drop;) > + table=??(ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > ]) > > # Disable sw0p1 
> @@ -7480,37 +7502,53 @@ check ovn-nbctl --wait=sb set logical_switch_port > sw0p1 enabled=false > ovn-sbctl dump-flows sw0 > sw0flows > AT_CAPTURE_FILE([sw0flows]) > > -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' > ], [0], [dnl > - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), > action=(reg0[[15]] = 1; next;) > - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > - table=? (ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > - table=? (ls_out_check_port_sec), priority=150 , match=(outport == > "sw0p1"), action=(reg0[[15]] = 1; next;) > - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > ls_in_l2_unknown | \ > +sort | sed 's/table=../table=??/' ], [0], [dnl > + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), > action=(reg0[[15]] = 1; next;) > + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport > = get_fdb(eth.dst); next;) > + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(handle_svc_check(inport);) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > action=(outport = "_MC_flood"; output;) > + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) > + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), > action=(drop;) > + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), > action=(drop;) > + table=??(ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > 
]) > > check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 > ovn-sbctl dump-flows sw0 > sw0flows > AT_CAPTURE_FILE([sw0flows]) > > -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' > ], [0], [dnl > - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), > action=(reg0[[15]] = 1; next;) > - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), > action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) > - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > - table=? (ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > - table=? (ls_out_check_port_sec), priority=150 , match=(outport == > "sw0p1"), action=(reg0[[15]] = 1; next;) > - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > ls_in_l2_unknown | \ > +sort | sed 's/table=../table=??/' ], [0], [dnl > + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), > action=(reg0[[15]] = 1; next;) > + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), > action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) > + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport > = get_fdb(eth.dst); next;) > + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(handle_svc_check(inport);) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > action=(outport = "_MC_flood"; output;) > + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) > + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), > action=(drop;) > + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), > action=(drop;) > + table=??(ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > + 
table=??(ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > ]) > > check ovn-nbctl set logical_switch_port sw0p1 enabled=true 
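Review bot: The expectations after "Disable sw0p1" only compare the text of `ovn-sbctl dump-flows`, including the literal `outport = "sw0p1"; drop;`, so the check passes on whatever string ovn-northd wrote and does not show that the action is accepted or that a packet is actually dropped. Add a behavioural check beside it, for example an `ovn-trace` of a frame from sw0p2 to 00:00:00:00:00:01 that is expected to end in a drop in the ingress pipeline, and a matching one after `enabled=true` that shows delivery. The same text-only expectation is repeated in the `qdisc_queue_id=10` block of this hunk.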
> @@ -7519,20 +7557,28 @@ check ovn-nbctl --wait=sb lsp-set-options > localnetport qdisc_queue_id=10 > ovn-sbctl dump-flows sw0 > sw0flows > AT_CAPTURE_FILE([sw0flows]) > > -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' > ], [0], [dnl > - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > - table=? (ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); > next;) > - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), > action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) > - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), > action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) > - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > - table=? (ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > - table=? (ls_out_apply_port_sec), priority=100 , match=(outport == > "localnetport"), action=(set_queue(10); output;) > - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > ls_in_l2_unknown | \ > +sort | sed 's/table=../table=??/' ], [0], [dnl > + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > action=(drop;) > + table=??(ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[[15]] = check_in_port_sec(); next;) > + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); > next;) > + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), > action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) > + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), > action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) > + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport > = get_fdb(eth.dst); next;) > + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(handle_svc_check(inport);) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > action=(outport = "_MC_flood"; output;) > + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) > + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), > action=(drop;) > + table=??(ls_out_check_port_sec), priority=0 , match=(1), > action=(reg0[[15]] = check_out_port_sec(); next;) > + table=??(ls_out_check_port_sec), 
priority=100 , match=(eth.mcast), > action=(reg0[[15]] = 0; next;) > + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > action=(output;) > + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == > "localnetport"), action=(set_queue(10); output;) > + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), > action=(drop;) > ]) > > AT_CLEANUP > -- > 2.36.1 > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
