On Thu, Sep 8, 2022 at 7:41 AM Vladislav Odintsov <[email protected]> wrote:
>
> Prior to this patch traffic to LSPs, which are disabled with
> `ovn-nbctl lsp-set-enabled <LSP> disabled` was dropped in the end of
> lswitch egress pipeline. This means that traffic is processed in vain:
> - traffic, which should be dropped, first travels from one chassis to
> another (if source/dest LSPs reside on different nodes) and dropped on
> the destination chassis;
> - when such traffic reaches destination chassis, if stateful services are
> enabled within logical switch, first traffic is sent to conntrack and
> is dropped after that.
>
> So it is costly to drop traffic in such manner especially in case LSP is
> disabled to prevent any harmful traffic to affect infrastructure. This
> patch changes "to-lport" drop behaviour. Now it is dropped in lswitch
> ingress pipeline to avoid sending traffic to disabled LSP from one
> chassis to another.
> Traffic doesn't reach conntrack in destination LSP's zone now as well.
>
> Port security testcases are updated.
>
> Signed-off-by: Vladislav Odintsov <[email protected]>
Hi Vladislav,
It might break the scenario for the traffic from the provider network
(external) destined to a logical port connected
to a logical switch with localnet port. The traffic would be now delivered.
I'd suggest dropping the traffic both in ls_in_check_port_sec and in
ls_out_check_port_sec for a disabled logical port. What do you think
?
Thanks
Numan
> ---
> northd/northd.c | 22 +++---
> tests/ovn-northd.at | 184 +++++++++++++++++++++++++++-----------------
> 2 files changed, 128 insertions(+), 78 deletions(-)
>
> diff --git a/northd/northd.c b/northd/northd.c
> index 4a40ec9b0..5497a88ca 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -5475,9 +5475,8 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct
> hmap *lflows,
> ds_clear(match);
> ds_put_format(match, "outport == %s", op->json_key);
> ovn_lflow_add_with_lport_and_hint(
> - lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150,
> - ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;",
> - op->key, &op->nbsp->header_);
> + lflows, op->od, S_SWITCH_IN_L2_UNKNOWN, 50, ds_cstr(match),
> + "drop;", op->key, &op->nbsp->header_);
> return;
> }
>
> @@ -8466,6 +8465,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> * Ethernet address followed by zero or more IPv4
> * or IPv6 addresses (or both). */
> struct eth_addr mac;
> + bool lsp_enabled = lsp_is_enabled(op->nbsp);
> + char *action = lsp_enabled ? "output" : "drop";
> if (ovs_scan(op->nbsp->addresses[i],
> ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) {
> ds_clear(match);
> @@ -8473,13 +8474,14 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> ETH_ADDR_ARGS(mac));
>
> ds_clear(actions);
> - ds_put_format(actions, "outport = %s; output;",
> op->json_key);
> + ds_put_format(actions, "outport = %s; %s;", op->json_key,
> + action);
> ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP,
> 50, ds_cstr(match),
> ds_cstr(actions),
> &op->nbsp->header_);
> } else if (!strcmp(op->nbsp->addresses[i], "unknown")) {
> - if (lsp_is_enabled(op->nbsp)) {
> + if (lsp_enabled) {
> ovs_mutex_lock(&mcgroup_mutex);
> ovn_multicast_add(mcgroups, &mc_unknown, op);
> ovs_mutex_unlock(&mcgroup_mutex);
> @@ -8496,7 +8498,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> ETH_ADDR_ARGS(mac));
>
> ds_clear(actions);
> - ds_put_format(actions, "outport = %s; output;",
> op->json_key);
> + ds_put_format(actions, "outport = %s; %s;", op->json_key,
> + action);
> ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP,
> 50, ds_cstr(match),
> ds_cstr(actions),
> @@ -8544,7 +8547,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> }
>
> ds_clear(actions);
> - ds_put_format(actions, "outport = %s; output;",
> op->json_key);
> + ds_put_format(actions, "outport = %s; %s;", op->json_key,
> + action);
> ovn_lflow_add_with_hint(lflows, op->od,
> S_SWITCH_IN_L2_LKUP, 50,
> ds_cstr(match), ds_cstr(actions),
> @@ -8567,8 +8571,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op,
> nat->logical_port);
>
> ds_clear(actions);
> - ds_put_format(actions, "outport = %s; output;",
> - op->json_key);
> + ds_put_format(actions, "outport = %s; %s;",
> + op->json_key, action);
> ovn_lflow_add_with_hint(lflows, op->od,
> S_SWITCH_IN_L2_LKUP, 50,
> ds_cstr(match),
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index d5136ac6d..521942aeb 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -7425,16 +7425,22 @@ check ovn-nbctl --wait=sb ls-add sw0
> ovn-sbctl dump-flows sw0 > sw0flows
> AT_CAPTURE_FILE([sw0flows])
>
> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/'
> ], [0], [dnl
> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> - table=? (ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> - table=? (ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e
> ls_in_l2_unknown | \
> +sort | sed 's/table=../table=??/' ], [0], [dnl
> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport
> = get_fdb(eth.dst); next;)
> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(handle_svc_check(inport);)
> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
> action=(outport = "_MC_flood"; output;)
> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;)
> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"),
> action=(drop;)
> + table=??(ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> + table=??(ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> ])
>
> check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1
> "00:00:00:00:00:01"
> @@ -7444,16 +7450,24 @@ check ovn-nbctl --wait=sb lsp-add sw0 localnetport --
> lsp-set-type localnetport
> ovn-sbctl dump-flows sw0 > sw0flows
> AT_CAPTURE_FILE([sw0flows])
>
> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/'
> ], [0], [dnl
> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> - table=? (ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> - table=? (ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e
> ls_in_l2_unknown | \
> +sort | sed 's/table=../table=??/' ], [0], [dnl
> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport
> = get_fdb(eth.dst); next;)
> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(handle_svc_check(inport);)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;)
> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
> action=(outport = "_MC_flood"; output;)
> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;)
> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"),
> action=(drop;)
> + table=??(ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> + table=??(ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> ])
>
> check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3
> 1000::3"
> @@ -7462,16 +7476,24 @@ check ovn-nbctl --wait=sb lsp-set-port-security sw0p2
> "00:00:00:00:00:02 10.0.0.
> ovn-sbctl dump-flows sw0 > sw0flows
> AT_CAPTURE_FILE([sw0flows])
>
> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/'
> ], [0], [dnl
> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> - table=? (ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> - table=? (ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e
> ls_in_l2_unknown | \
> +sort | sed 's/table=../table=??/' ], [0], [dnl
> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport
> = get_fdb(eth.dst); next;)
> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(handle_svc_check(inport);)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;)
> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
> action=(outport = "_MC_flood"; output;)
> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;)
> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"),
> action=(drop;)
> + table=??(ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> + table=??(ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> ])
>
> # Disable sw0p1
> @@ -7480,37 +7502,53 @@ check ovn-nbctl --wait=sb set logical_switch_port
> sw0p1 enabled=false
> ovn-sbctl dump-flows sw0 > sw0flows
> AT_CAPTURE_FILE([sw0flows])
>
> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/'
> ], [0], [dnl
> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"),
> action=(reg0[[15]] = 1; next;)
> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> - table=? (ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> - table=? (ls_out_check_port_sec), priority=150 , match=(outport ==
> "sw0p1"), action=(reg0[[15]] = 1; next;)
> - table=? (ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e
> ls_in_l2_unknown | \
> +sort | sed 's/table=../table=??/' ], [0], [dnl
> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"),
> action=(reg0[[15]] = 1; next;)
> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport
> = get_fdb(eth.dst); next;)
> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(handle_svc_check(inport);)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;)
> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
> action=(outport = "_MC_flood"; output;)
> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;)
> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"),
> action=(drop;)
> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"),
> action=(drop;)
> + table=??(ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> + table=??(ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> ])
>
> check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10
> ovn-sbctl dump-flows sw0 > sw0flows
> AT_CAPTURE_FILE([sw0flows])
>
> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/'
> ], [0], [dnl
> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"),
> action=(reg0[[15]] = 1; next;)
> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"),
> action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> - table=? (ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> - table=? (ls_out_check_port_sec), priority=150 , match=(outport ==
> "sw0p1"), action=(reg0[[15]] = 1; next;)
> - table=? (ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e
> ls_in_l2_unknown | \
> +sort | sed 's/table=../table=??/' ], [0], [dnl
> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"),
> action=(reg0[[15]] = 1; next;)
> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"),
> action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport
> = get_fdb(eth.dst); next;)
> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(handle_svc_check(inport);)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;)
> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
> action=(outport = "_MC_flood"; output;)
> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;)
> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"),
> action=(drop;)
> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"),
> action=(drop;)
> + table=??(ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> + table=??(ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> ])
>
> check ovn-nbctl set logical_switch_port sw0p1 enabled=true
> @@ -7519,20 +7557,28 @@ check ovn-nbctl --wait=sb lsp-set-options
> localnetport qdisc_queue_id=10
> ovn-sbctl dump-flows sw0 > sw0flows
> AT_CAPTURE_FILE([sw0flows])
>
> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/'
> ], [0], [dnl
> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> - table=? (ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> - table=? (ls_in_check_port_sec), priority=70 , match=(inport ==
> "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec();
> next;)
> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"),
> action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);)
> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"),
> action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> - table=? (ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> - table=? (ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> - table=? (ls_out_apply_port_sec), priority=100 , match=(outport ==
> "localnetport"), action=(set_queue(10); output;)
> - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e
> ls_in_l2_unknown | \
> +sort | sed 's/table=../table=??/' ], [0], [dnl
> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> action=(drop;)
> + table=??(ls_in_check_port_sec), priority=50 , match=(1),
> action=(reg0[[15]] = check_in_port_sec(); next;)
> + table=??(ls_in_check_port_sec), priority=70 , match=(inport ==
> "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec();
> next;)
> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"),
> action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);)
> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"),
> action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport
> = get_fdb(eth.dst); next;)
> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(handle_svc_check(inport);)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;)
> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;)
> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
> action=(outport = "_MC_flood"; output;)
> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;)
> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"),
> action=(drop;)
> + table=??(ls_out_check_port_sec), priority=0 , match=(1),
> action=(reg0[[15]] = check_out_port_sec(); next;)
> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast),
> action=(reg0[[15]] = 0; next;)
> + table=??(ls_out_apply_port_sec), priority=0 , match=(1),
> action=(output;)
> + table=??(ls_out_apply_port_sec), priority=100 , match=(outport ==
> "localnetport"), action=(set_queue(10); output;)
> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1),
> action=(drop;)
> ])
>
> AT_CLEANUP
> --
> 2.36.1
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
