On Thu, Sep 15, 2022 at 10:30 AM Vladislav Odintsov <[email protected]> wrote:
>
> Hi Numan,
>
> thanks for the provided case. Unfortunately, I'm not sure I correctly
> understand it.
> Could you please provide ovn-nbctl commands to create such a topology so I
> could reproduce and recheck?
Something like

ovn-nbctl ls-add public

# localnet port
ovn-nbctl lsp-add public ln-public
ovn-nbctl lsp-set-type ln-public localnet
ovn-nbctl lsp-set-addresses ln-public unknown
ovn-nbctl lsp-set-options ln-public network_name=public

# create a logical port
ovn-nbctl lsp-add public p-port1
ovn-nbctl lsp-set-addresses p-port1 "50:54:00:00:00:03 172.16.0.100"
(assuming 172.16.0.0/24 is the provider network CIDR)

# attach p-port1 to a VM/container

ovs-vsctl set open . external_ids:ovn-bridge-mappings="br-ex:public"

# Create br-ex and attach physical interface to br-ex.

If you ping from an external machine with say IP 172.16.0.20 to p-port1
(172.16.0.100), then the packet will enter physical interface -> br-ex ->
patch port -> br-int (using ln-public) and it will enter logical ingress
pipeline of public and then egress pipeline of public and then delivered
to p-public.

Thanks
Numan

>
> Regards,
> Vladislav Odintsov
>
> > On 15 Sep 2022, at 15:42, Numan Siddique <[email protected]> wrote:
> >
> > On Thu, Sep 8, 2022 at 7:41 AM Vladislav Odintsov <[email protected]> wrote:
> >>
> >> Prior to this patch traffic to LSPs, which are disabled with
> >> `ovn-nbctl lsp-set-enabled <LSP> disabled` was dropped in the end of
> >> lswitch egress pipeline. This means that traffic is processed in vain:
> >> - traffic, which should be dropped, first travels from one chassis to
> >>   another (if source/dest LSPs reside on different nodes) and is dropped on
> >>   the destination chassis;
> >> - when such traffic reaches the destination chassis, if stateful services are
> >>   enabled within the logical switch, first traffic is sent to conntrack and
> >>   is dropped after that.
> >>
> >> So it is costly to drop traffic in such manner, especially in case LSP is
> >> disabled to prevent any harmful traffic from affecting infrastructure. This
> >> patch changes "to-lport" drop behaviour.
> >> Now it is dropped in lswitch
> >> ingress pipeline to avoid sending traffic to disabled LSP from one
> >> chassis to another.
> >> Traffic doesn't reach conntrack in destination LSP's zone now as well.
> >>
> >> Port security testcases are updated.
> >>
> >> Signed-off-by: Vladislav Odintsov <[email protected]>
> >
> > Hi Vladislav,
> >
> > It might break the scenario for the traffic from the provider network
> > (external) destined to a logical port connected
> > to a logical switch with localnet port. The traffic would be now delivered.
> >
> > I'd suggest dropping the traffic both in ls_in_check_port_sec and in
> > ls_out_check_port_sec for a disabled logical port. What do you think?
> >
> > Thanks
> > Numan
> >
> >
> >
> >> --- > >> northd/northd.c | 22 +++--- > >> tests/ovn-northd.at | 184 +++++++++++++++++++++++++++----------------- > >> 2 files changed, 128 insertions(+), 78 deletions(-) > >> > >> diff --git a/northd/northd.c b/northd/northd.c > >> index 4a40ec9b0..5497a88ca 100644 > >> --- a/northd/northd.c > >> +++ b/northd/northd.c > >> @@ -5475,9 +5475,8 @@ build_lswitch_port_sec_op(struct ovn_port *op, > >> struct hmap *lflows, > >> ds_clear(match); > >> ds_put_format(match, "outport == %s", op->json_key); > >> ovn_lflow_add_with_lport_and_hint( > >> - lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150, > >> - ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;", > >> - op->key, &op->nbsp->header_); > >> + lflows, op->od, S_SWITCH_IN_L2_UNKNOWN, 50, ds_cstr(match), > >> + "drop;", op->key, &op->nbsp->header_); > >> return; > >> } > >> > >> @@ -8466,6 +8465,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, > >> * Ethernet address followed by zero or more IPv4 > >> * or IPv6 addresses (or both). */ > >> struct eth_addr mac; > >> + bool lsp_enabled = lsp_is_enabled(op->nbsp); > >> + char *action = lsp_enabled ? "output" : "drop"; > >> if (ovs_scan(op->nbsp->addresses[i], > >> ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) { > >> ds_clear(match);
> >> @@ -8473,13 +8474,14 @@ build_lswitch_ip_unicast_lookup(struct ovn_port > >> *op, > >> ETH_ADDR_ARGS(mac)); > >> > >> ds_clear(actions); > >> - ds_put_format(actions, "outport = %s; output;", > >> op->json_key); > >> + ds_put_format(actions, "outport = %s; %s;", op->json_key, > >> + action); > >> ovn_lflow_add_with_hint(lflows, op->od, > >> S_SWITCH_IN_L2_LKUP, > >> 50, ds_cstr(match), > >> ds_cstr(actions), > >> &op->nbsp->header_); > >> } else if (!strcmp(op->nbsp->addresses[i], "unknown")) { > >> - if (lsp_is_enabled(op->nbsp)) { > >> + if (lsp_enabled) { > >> ovs_mutex_lock(&mcgroup_mutex); > >> ovn_multicast_add(mcgroups, &mc_unknown, op); > >> ovs_mutex_unlock(&mcgroup_mutex); > >> @@ -8496,7 +8498,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, > >> ETH_ADDR_ARGS(mac)); > >> > >> ds_clear(actions); > >> - ds_put_format(actions, "outport = %s; output;", > >> op->json_key); > >> + ds_put_format(actions, "outport = %s; %s;", op->json_key, > >> + action); > >> ovn_lflow_add_with_hint(lflows, op->od, > >> S_SWITCH_IN_L2_LKUP, > >> 50, ds_cstr(match), > >> ds_cstr(actions), > >> @@ -8544,7 +8547,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, > >> } > >> > >> ds_clear(actions); > >> - ds_put_format(actions, "outport = %s; output;", > >> op->json_key); > >> + ds_put_format(actions, "outport = %s; %s;", op->json_key, > >> + action); > >> ovn_lflow_add_with_hint(lflows, op->od, > >> S_SWITCH_IN_L2_LKUP, 50, > >> ds_cstr(match), ds_cstr(actions), > >> @@ -8567,8 +8571,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, > >> nat->logical_port); > >> > >> ds_clear(actions); > >> - ds_put_format(actions, "outport = %s; > >> output;", > >> - op->json_key); > >> + ds_put_format(actions, "outport = %s; %s;", > >> + op->json_key, action); > >> ovn_lflow_add_with_hint(lflows, op->od, > >> S_SWITCH_IN_L2_LKUP, > >> 50, > >> ds_cstr(match), > >> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > >> index d5136ac6d..521942aeb 100644 
> >> --- a/tests/ovn-northd.at > >> +++ b/tests/ovn-northd.at 
> >> @@ -7425,16 +7425,22 @@ check ovn-nbctl --wait=sb ls-add sw0 > >> ovn-sbctl dump-flows sw0 > sw0flows > >> AT_CAPTURE_FILE([sw0flows]) > >> > >> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >> 's/table=./table=?/' ], [0], [dnl > >> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >> ls_in_l2_unknown | \ > >> +sort | sed 's/table=../table=??/' ], [0], [dnl > >> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >> action=(outport = get_fdb(eth.dst); next;) > >> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >> $svc_monitor_mac), action=(handle_svc_check(inport);) > >> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >> action=(outport = "_MC_flood"; output;) > >> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >> "none"), action=(drop;) > >> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> ]) > >> > >> check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 > >> "00:00:00:00:00:01" 
> >> @@ -7444,16 +7450,24 @@ check ovn-nbctl --wait=sb lsp-add sw0 localnetport > >> -- lsp-set-type localnetport > >> ovn-sbctl dump-flows sw0 > sw0flows > >> AT_CAPTURE_FILE([sw0flows]) > >> > >> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >> 's/table=./table=?/' ], [0], [dnl > >> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >> ls_in_l2_unknown | \ > >> +sort | sed 's/table=../table=??/' ], [0], [dnl > >> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >> action=(outport = get_fdb(eth.dst); next;) > >> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >> $svc_monitor_mac), action=(handle_svc_check(inport);) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >> action=(outport = "_MC_flood"; output;) > >> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >> "none"), action=(drop;) > >> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> ]) > >> > >> check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3 
> >> 1000::3" 
> >> @@ -7462,16 +7476,24 @@ check ovn-nbctl --wait=sb lsp-set-port-security > >> sw0p2 "00:00:00:00:00:02 10.0.0. > >> ovn-sbctl dump-flows sw0 > sw0flows > >> AT_CAPTURE_FILE([sw0flows]) > >> > >> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >> 's/table=./table=?/' ], [0], [dnl > >> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >> ls_in_l2_unknown | \ > >> +sort | sed 's/table=../table=??/' ], [0], [dnl > >> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >> action=(outport = get_fdb(eth.dst); next;) > >> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >> $svc_monitor_mac), action=(handle_svc_check(inport);) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >> action=(outport = "_MC_flood"; output;) > >> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >> "none"), action=(drop;) > >> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> ]) > >> > >> # Disable sw0p1 
> >> @@ -7480,37 +7502,53 @@ check ovn-nbctl --wait=sb set logical_switch_port > >> sw0p1 enabled=false > >> ovn-sbctl dump-flows sw0 > sw0flows > >> AT_CAPTURE_FILE([sw0flows]) > >> > >> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >> 's/table=./table=?/' ], [0], [dnl > >> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=100 , match=(inport == > >> "sw0p1"), action=(reg0[[15]] = 1; next;) > >> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> - table=? (ls_out_check_port_sec), priority=150 , match=(outport == > >> "sw0p1"), action=(reg0[[15]] = 1; next;) > >> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >> ls_in_l2_unknown | \ > >> +sort | sed 's/table=../table=??/' ], [0], [dnl > >> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=100 , match=(inport == > >> "sw0p1"), action=(reg0[[15]] = 1; next;) > >> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >> action=(outport = get_fdb(eth.dst); next;) > >> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >> $svc_monitor_mac), action=(handle_svc_check(inport);) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >> action=(outport = "_MC_flood"; output;) > >> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >> "none"), action=(drop;) > >> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >> "sw0p1"), action=(drop;) > >> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> + table=??(ls_out_apply_port_sec), priority=0 , 
match=(1), > >> action=(output;) > >> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> ]) > >> > >> check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 > >> ovn-sbctl dump-flows sw0 > sw0flows > >> AT_CAPTURE_FILE([sw0flows]) > >> > >> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >> 's/table=./table=?/' ], [0], [dnl > >> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=100 , match=(inport == > >> "sw0p1"), action=(reg0[[15]] = 1; next;) > >> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > >> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) > >> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> - table=? (ls_out_check_port_sec), priority=150 , match=(outport == > >> "sw0p1"), action=(reg0[[15]] = 1; next;) > >> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >> ls_in_l2_unknown | \ > >> +sort | sed 's/table=../table=??/' ], [0], [dnl > >> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=100 , match=(inport == > >> "sw0p1"), action=(reg0[[15]] = 1; next;) > >> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > >> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) > >> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >> action=(outport = get_fdb(eth.dst); next;) > >> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >> $svc_monitor_mac), action=(handle_svc_check(inport);) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >> action=(outport = "_MC_flood"; output;) > >> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >> "none"), action=(drop;) > >> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >> "sw0p1"), action=(drop;) > >> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> + 
table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> ]) > >> > >> check ovn-nbctl set logical_switch_port sw0p1 enabled=true 
> >> @@ -7519,20 +7557,28 @@ check ovn-nbctl --wait=sb lsp-set-options > >> localnetport qdisc_queue_id=10 > >> ovn-sbctl dump-flows sw0 > sw0flows > >> AT_CAPTURE_FILE([sw0flows]) > >> > >> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >> 's/table=./table=?/' ], [0], [dnl > >> - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > >> "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); > >> next;) > >> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > >> "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) > >> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > >> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) > >> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> - table=? (ls_out_apply_port_sec), priority=100 , match=(outport == > >> "localnetport"), action=(set_queue(10); output;) > >> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >> ls_in_l2_unknown | \ > >> +sort | sed 's/table=../table=??/' ], [0], [dnl > >> + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), > >> action=(drop;) > >> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >> action=(reg0[[15]] = check_in_port_sec(); next;) > >> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > >> "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); > >> next;) > >> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > >> "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) > >> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > >> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) > >> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >> action=(next;) > >> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >> action=(outport = get_fdb(eth.dst); next;) > >> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >> $svc_monitor_mac), action=(handle_svc_check(inport);) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > >> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >> action=(outport = "_MC_flood"; output;) > >> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >> "none"), action=(drop;) > >> + table=??(ls_out_check_port_sec), priority=0 
, match=(1), > >> action=(reg0[[15]] = check_out_port_sec(); next;) > >> + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), > >> action=(reg0[[15]] = 0; next;) > >> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >> action=(output;) > >> + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == > >> "localnetport"), action=(set_queue(10); output;) > >> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == > >> 1), action=(drop;) > >> ]) > >> > >> AT_CLEANUP > >> -- > >> 2.36.1 > >> > >> _______________________________________________ > >> dev mailing list > >> [email protected] > >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
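Review bot: the @@ -5475 hunk in northd.c removes the only egress-side protection for a disabled port and adds nothing in its place on that side: the priority-150 `S_SWITCH_OUT_CHECK_PORT_SEC` flow that set `REGBIT_PORT_SEC_DROP" = 1; next;` on `outport == <lsp>` becomes a priority-50 `drop;` in `S_SWITCH_IN_L2_UNKNOWN`. As raised in the thread, a packet that enters the logical switch from the provider network through a localnet port with the disabled port as its destination then has no egress drop to fall back on. Keeping the new ingress drop and retaining a drop in `ls_out_check_port_sec` (the suggestion in the review) covers both paths; the ingress drop still short-circuits the inter-chassis and conntrack work the commit message describes, so nothing is lost by also keeping the egress flow.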
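Review bot: in the @@ -8466 hunk, `char *action = lsp_enabled ? "output" : "drop";` points at string literals and should be `const char *action`, matching its read-only use in the `ds_put_format` calls below and avoiding a `-Wwrite-strings` warning. Both `lsp_enabled` and `action` depend only on `op->nbsp`, yet they are declared next to `struct eth_addr mac;` inside the loop over `op->nbsp->addresses[i]`, so they are recomputed for every address; declaring them once above the loop is cheaper and makes the later uses (through the `nat->logical_port` case in the @@ -8567 hunk) easier to follow.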
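Review bot: in the @@ -8473 hunk (and likewise @@ -8496, @@ -8544 and @@ -8567), the disabled case now emits `outport = %s; drop;`. Assigning `outport` immediately before `drop;` does no useful work, since the packet reaches neither `S_SWITCH_IN_L2_UNKNOWN` nor the egress pipeline. Either emit a bare `drop;` for the disabled port, or, if setting `outport` is deliberate so the flow stays recognisable in `ovn-sbctl dump-flows` (the test expectations match on `action=(outport = "sw0p1"; drop;)`), say so in a short comment next to the `action` selection.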
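Review bot: in the tests/ovn-northd.at @@ -7425 hunk, the filter changes from `sed 's/table=./table=?/'` to `sed 's/table=../table=??/'`. The two-character pattern only works because `dump-flows` pads single-digit table numbers with a space (`table=0 (` becomes `table=??(`), which is also why every former `table=? (` expectation had to be rewritten as `table=??(`. A digit-class pattern (`table=[0-9]*` followed by optional spaces, with the brackets doubled as m4 requires inside `AT_CHECK`) would not depend on that padding, and the same `sed` is repeated in every hunk of this file, so fixing it once keeps all of them in step.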
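Review bot: the @@ -7480 hunk (after `# Disable sw0p1`) is the one that documents the behavioural change, and its expected output confirms the egress-side concern: the removed `table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;)` line has no `ls_out_*` replacement, while two new ingress drops appear (`ls_in_l2_lkup` with `outport = "sw0p1"; drop;` for the known MAC, and `ls_in_l2_unknown` with `outport == "sw0p1"` for the FDB path). If the final version keeps an egress drop as discussed in the thread, this expectation needs the corresponding `ls_out_check_port_sec` line back; either way, an end-to-end test that sends a packet in through a localnet port toward the disabled port would pin the intended behaviour better than flow-dump matching alone.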

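A small check along the lines of the suggestion in the thread (drop on both sides): it parses `ovn-sbctl dump-flows` lines and reports in which logical switch pipeline traffic to a given disabled port is dropped, before and after the patch. This is an added example, not OVN's or the patch author's code; the sample flow lines are constructed from the expected output quoted in the patch, and `FLOW_RE`, `drop_coverage` and the single-bracket `reg0[15]` rendering of `REGBIT_PORT_SEC_DROP` are assumptions.

```python
import re

# One line of `ovn-sbctl dump-flows` output (table number already masked the
# way the page's test does, so both "table=??(" and "table=? (" parse).
FLOW_RE = re.compile(
    r"table=(?P<table>\S+?)\s*\((?P<stage>\w+)\s*\),\s*priority=(?P<prio>\d+)\s*,"
    r"\s*match=\((?P<match>.*)\),\s*action=\((?P<action>.*)\)\s*$"
)

# How dump-flows renders REGBIT_PORT_SEC_DROP being set (bit 15 of reg0, as in
# the expected output quoted in the patch); ls_out_apply_port_sec drops on it.
# Assumption: real output uses single brackets, the [[ ]] in the test is m4 quoting.
PORT_SEC_DROP_BIT = "reg0[15] = 1"


def parse_flows(text):
    """Parse dump-flows text into dicts; lines that are not flows are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flow = m.groupdict()
            flow["prio"] = int(flow["prio"])
            flows.append(flow)
    return flows


def _targets_port(flow, port, mac):
    """True if the flow handles traffic destined to `port` (not traffic from it)."""
    if f'outport == "{port}"' in flow["match"]:
        return True
    # ls_in_l2_lkup matches the destination MAC and picks the outport itself.
    return (f"eth.dst == {mac}" in flow["match"]
            and f'outport = "{port}"' in flow["action"])


def _drops(flow):
    return "drop;" in flow["action"] or PORT_SEC_DROP_BIT in flow["action"]


def drop_coverage(flows, port, mac):
    """Report whether traffic to `port` is dropped in the ingress and/or the
    egress logical switch pipeline (stage names ls_in_* / ls_out_*)."""
    cov = {"ingress": False, "egress": False}
    for flow in flows:
        if not (_targets_port(flow, port, mac) and _drops(flow)):
            continue
        if flow["stage"].startswith("ls_in_"):
            cov["ingress"] = True
        elif flow["stage"].startswith("ls_out_"):
            cov["egress"] = True
    return cov


def dropped_in_both_pipelines(flows, port, mac):
    """The property suggested in the review: a drop on both sides."""
    cov = drop_coverage(flows, port, mac)
    return cov["ingress"] and cov["egress"]


# Constructed samples, reduced to the flows that matter for disabled sw0p1
# (MAC 00:00:00:00:00:01), taken from the test expectations in the patch.
FLOWS_BEFORE_PATCH = """\
  table=? (ls_in_check_port_sec), priority=100  , match=(inport == "sw0p1"), action=(reg0[15] = 1; next;)
  table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;)
  table=??(ls_in_l2_unknown   ), priority=50   , match=(outport == "none"), action=(drop;)
  table=? (ls_out_check_port_sec), priority=150  , match=(outport == "sw0p1"), action=(reg0[15] = 1; next;)
  table=? (ls_out_apply_port_sec), priority=50   , match=(reg0[15] == 1), action=(drop;)
"""

FLOWS_AFTER_PATCH = """\
  table=? (ls_in_check_port_sec), priority=100  , match=(inport == "sw0p1"), action=(reg0[15] = 1; next;)
  table=??(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;)
  table=??(ls_in_l2_unknown   ), priority=50   , match=(outport == "sw0p1"), action=(drop;)
  table=? (ls_out_apply_port_sec), priority=50   , match=(reg0[15] == 1), action=(drop;)
"""

if __name__ == "__main__":
    for label, text in (("before", FLOWS_BEFORE_PATCH), ("after", FLOWS_AFTER_PATCH)):
        flows = parse_flows(text)
        print(label, drop_coverage(flows, "sw0p1", "00:00:00:00:00:01"),
              "both:", dropped_in_both_pipelines(flows, "sw0p1", "00:00:00:00:00:01"))
```

Running it against a real `ovn-sbctl dump-flows <switch>` capture (without the `sed` masking) works the same way, since the regex accepts numeric table ids too.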