On Thu, Sep 15, 2022 at 7:59 PM Vladislav Odintsov <[email protected]> wrote:
>
> Numan,
>
> I’ve just to be sure we’re on the same page about moving drop flow.
> You have reviewed this patch v1 or v2 [1]?

I reviewed v2.

Thanks
Numan

>
> 1:
> https://patchwork.ozlabs.org/project/ovn/patch/[email protected]/
>
> Regards,
> Vladislav Odintsov
>
> > On 16 Sep 2022, at 02:25, Vladislav Odintsov <[email protected]> wrote:
> >
> > Ok,
> > I’ll correct patch and resend v2.
> >
> > Regards,
> > Vladislav Odintsov
> >
> >> On 16 Sep 2022, at 01:06, Numan Siddique <[email protected]> wrote:
> >>
> >> On Thu, Sep 15, 2022 at 12:46 PM Vladislav Odintsov <[email protected]> wrote:
> >>>
> >>> I’ve tried this setup and it seems working correctly to me (with this
> >>> patch applied).
> >>> First, I checked that when p-port1 is enabled, the traffic passes
> >>> (succeeded), next, I’ve disabled p-port1.
> >>> The traffic got dropped if an excess drop lflow in l2_lkup table:
> >>
> >> Ok. Thanks for testing this scenario and correcting me. I think it's
> >> still better to drop both in ingress pipeline (at the beginning -
> >> in_port_sec_check stage) and in egress pipeline as I suggested if the
> >> lport is disabled.
> >>
> >>
> >> Thanks
> >> Numan
> >>
> >>>
> >>>
> >>> [root@dev1 ~]# ovs-appctl ofproto/trace
> >>> 'recirc_id(0),in_port(internet),eth(src=9a:09:91:98:16:48,dst=50:54:00:00:00:03),eth_type(0x0800),ipv4(frag=no)'
> >>> | ovn-detrace
> >>> Flow:
> >>> ip,in_port=LOCAL,vlan_tci=0x0000,dl_src=9a:09:91:98:16:48,dl_dst=50:54:00:00:00:03,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=0
> >>>
> >>> bridge("internet")
> >>> ------------------
> >>> 0. priority 0
> >>> NORMAL
> >>> -> forwarding to learned port
> >>>
> >>> bridge("br-int")
> >>> ----------------
> >>> 0. in_port=260,vlan_tci=0x0000/0x1000, priority 100, cookie 0x6aca4e04
> >>> set_field:0x2->reg11
> >>> set_field:0x3->reg12
> >>> set_field:0x1->metadata
> >>> set_field:0x1->reg14
> >>> resubmit(,8)
> >>> * Logical datapath: "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11)
> >>> * Port Binding: logical_port "ln-public", tunnel_key 1,
> >>> 8. metadata=0x1, priority 50, cookie 0x6e9dd5a0
> >>> set_field:0/0x1000->reg10
> >>> resubmit(,73)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=0 (ls_in_check_port_sec), priority=50, match=(1),
> >>> actions=(reg0[15] = check_in_port_sec(); next;)
> >>> 73. reg0=0x2, priority 0
> >>> drop
> >>> move:NXM_NX_REG10[12]->NXM_NX_XXREG0[111]
> >>> -> NXM_NX_XXREG0[111] is now 0
> >>> resubmit(,9)
> >>> 9. metadata=0x1, priority 0, cookie 0xe9361b4d
> >>> resubmit(,10)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=1 (ls_in_apply_port_sec), priority=0, match=(1),
> >>> actions=(next;)
> >>> 10. metadata=0x1, priority 0, cookie 0x15c54e25
> >>> resubmit(,11)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=2 (ls_in_lookup_fdb), priority=0, match=(1),
> >>> actions=(next;)
> >>> 11. metadata=0x1, priority 0, cookie 0x5ed9f6ec
> >>> resubmit(,12)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=3 (ls_in_put_fdb), priority=0, match=(1),
> >>> actions=(next;)
> >>> 12. metadata=0x1, priority 0, cookie 0xb80c6b65
> >>> resubmit(,13)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=4 (ls_in_pre_acl), priority=0, match=(1),
> >>> actions=(next;)
> >>> 13. ip,reg14=0x1,metadata=0x1, priority 110, cookie 0xb6e9951d
> >>> resubmit(,14)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * Logical flow: table=5 (ls_in_pre_lb), priority=110, match=(ip && inport
> >>> == "ln-public), actions=(next;)
> >>> * Logical Switch Port: ln-public type localnet (addresses ['unknown'],
> >>> dynamic addresses [], security []
> >>> 14. metadata=0x1, priority 0, cookie 0xe50e3177
> >>> resubmit(,15)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=6 (ls_in_pre_stateful), priority=0, match=(1),
> >>> actions=(next;)
> >>> 15. metadata=0x1, priority 65535, cookie 0x20b95bf3
> >>> resubmit(,16)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=7 (ls_in_acl_hint), priority=65535, match=(1),
> >>> actions=(next;)
> >>> 16. metadata=0x1, priority 65535, cookie 0x350b5e98
> >>> resubmit(,17)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=8 (ls_in_acl), priority=65535, match=(1),
> >>> actions=(next;)
> >>> 17. metadata=0x1, priority 0, cookie 0xeeb3f3fd
> >>> resubmit(,18)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=9 (ls_in_qos_mark), priority=0, match=(1),
> >>> actions=(next;)
> >>> 18. metadata=0x1, priority 0, cookie 0x1925a192
> >>> resubmit(,19)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=10 (ls_in_qos_meter), priority=0, match=(1),
> >>> actions=(next;)
> >>> 19. metadata=0x1, priority 0, cookie 0x11fe85e6
> >>> resubmit(,20)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=11 (ls_in_lb), priority=0, match=(1),
> >>> actions=(next;)
> >>> 20. metadata=0x1, priority 0, cookie 0xfa28e4a9
> >>> resubmit(,21)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=12 (ls_in_acl_after_lb), priority=0, match=(1),
> >>> actions=(next;)
> >>> 21. metadata=0x1, priority 0, cookie 0x3b7258ea
> >>> resubmit(,22)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=13 (ls_in_stateful), priority=0, match=(1),
> >>> actions=(next;)
> >>> 22. metadata=0x1, priority 0, cookie 0x4f035815
> >>> resubmit(,23)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=14 (ls_in_pre_hairpin), priority=0, match=(1),
> >>> actions=(next;)
> >>> 23. metadata=0x1, priority 0, cookie 0xcbbf42c6
> >>> resubmit(,24)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=15 (ls_in_nat_hairpin), priority=0, match=(1),
> >>> actions=(next;)
> >>> 24. metadata=0x1, priority 0, cookie 0x54cfeb04
> >>> resubmit(,25)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=16 (ls_in_hairpin), priority=0, match=(1),
> >>> actions=(next;)
> >>> 25. reg14=0x1,metadata=0x1, priority 100, cookie 0x4c1cce2f
> >>> resubmit(,26)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * Logical flow: table=17 (ls_in_arp_rsp), priority=100, match=(inport ==
> >>> "ln-public), actions=(next;)
> >>> * Logical Switch Port: ln-public type localnet (addresses ['unknown'],
> >>> dynamic addresses [], security []
> >>> 26. metadata=0x1, priority 0, cookie 0x331bd252
> >>> resubmit(,27)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=18 (ls_in_dhcp_options), priority=0, match=(1),
> >>> actions=(next;)
> >>> 27. metadata=0x1, priority 0, cookie 0x71caba46
> >>> resubmit(,28)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=19 (ls_in_dhcp_response), priority=0, match=(1),
> >>> actions=(next;)
> >>> 28. metadata=0x1, priority 0, cookie 0xaaf918b1
> >>> resubmit(,29)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=20 (ls_in_dns_lookup), priority=0, match=(1),
> >>> actions=(next;)
> >>> 29. metadata=0x1, priority 0, cookie 0xe6aeb3f9
> >>> resubmit(,30)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=21 (ls_in_dns_response), priority=0, match=(1),
> >>> actions=(next;)
> >>> 30. metadata=0x1, priority 0, cookie 0x9b612ad4
> >>> resubmit(,31)
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
> >>> * Logical flow: table=22 (ls_in_external_port), priority=0, match=(1),
> >>> actions=(next;)
> >>> 31. metadata=0x1,dl_dst=50:54:00:00:00:03, priority 50, cookie 0x278cc83c
> >>> drop
> >>> * Logical datapaths:
> >>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
> >>> * Logical flow: table=23 (ls_in_l2_lkup), priority=50, match=(eth.dst ==
> >>> 50:54:00:00:00:03), actions=(drop;)
> >>> * Logical Switch Port: p-port1 type (addresses ['50:54:00:00:00:03
> >>> 172.16.0.100'], dynamic addresses [], security []
> >>>
> >>> Final flow: unchanged
> >>> Megaflow:
> >>> recirc_id=0,eth,ip,in_port=LOCAL,dl_src=9a:09:91:98:16:48,dl_dst=50:54:00:00:00:03,nw_frag=no
> >>> Datapath actions: drop
> >>>
> >>> [root@dev1 ~]# ovn-nbctl show public
> >>> switch 633ad6c1-f3e5-4f31-b2fe-215203cf5272 (public)
> >>> port p-port1
> >>> addresses: ["50:54:00:00:00:03 172.16.0.100"]
> >>> port ln-public
> >>> type: localnet
> >>> addresses: ["unknown"]
> >>> [root@dev1 ~]# ovn-nbctl list logical-switch-port p-port1
> >>> _uuid : b0ac9cb9-cc13-4184-af17-3fb6505975f8
> >>> addresses : ["50:54:00:00:00:03 172.16.0.100"]
> >>> dhcpv4_options : []
> >>> dhcpv6_options : []
> >>> dynamic_addresses : []
> >>> enabled : false
> >>> external_ids : {}
> >>> ha_chassis_group : []
> >>> name : p-port1
> >>> options : {}
> >>> parent_name : []
> >>> port_security : []
> >>> tag : []
> >>> tag_request : []
> >>> type : ""
> >>> up : true
> >>> [root@dev1 ~]# ovn-nbctl list logical-switch-port ln-public
> >>> _uuid : e51d2489-e3da-4989-935c-949533b00b35
> >>> addresses : [unknown]
> >>> dhcpv4_options : []
> >>> dhcpv6_options : []
> >>> dynamic_addresses : []
> >>> enabled : []
> >>> external_ids : {}
> >>> ha_chassis_group : []
> >>> name : ln-public
> >>> options : {network_name=public}
> >>> parent_name : []
> >>> port_security : []
> >>> tag : []
> >>> tag_request : []
> >>> type : localnet
> >>> up : false
> >>>
> >>> Regards,
> >>> Vladislav Odintsov
> >>>
> >>>> On 15 Sep 2022, at 17:51, Numan Siddique <[email protected]> wrote:
> >>>>
> >>>> On Thu, Sep 15, 2022 at 10:30 AM Vladislav Odintsov <[email protected]> wrote:
> >>>>>
> >>>>> Hi Numan,
> >>>>>
> >>>>> thanks for the provided case. Unfortunately, I’m now sure I correctly
> >>>>> understand it.
> >>>>> Could you please provide ovn-nbctl commands to create such a topology
> >>>>> so I could reproduce and recheck?
> >>>>
> >>>> Something like
> >>>>
> >>>> ovn-nbctl ls-add public
> >>>> # localnet port
> >>>> ovn-nbctl lsp-add public ln-public
> >>>> ovn-nbctl lsp-set-type ln-public localnet
> >>>> ovn-nbctl lsp-set-addresses ln-public unknown
> >>>> ovn-nbctl lsp-set-options ln-public network_name=public
> >>>>
> >>>> # create a logical port
> >>>> ovn-nbctl lsp-add public p-port1
> >>>> ovn-nbctl lsp-set-addresses p-port1 "50:54:00:00:00:03 172.16.0.100"
> >>>> (assuming 172.16.0.0/24 is the provider network CIDR)
> >>>>
> >>>> # attach p-port1 to a VM/container
> >>>>
> >>>> ovs-vsctl set open . external_ids:ovn-bridge-mappings="br-ex:public"
> >>>>
> >>>> # Create br-ex and attach physical interface to br-ex.
> >>>>
> >>>> If you ping from an external machine with say IP 172.16.0.20 to
> >>>> p-port1 (172.16.0.100), then the packet will enter
> >>>> physical interface -> br-ex -> patch port -> br-int (using ln-public)
> >>>> and it will enter logical ingress pipeline of public
> >>>> and then egress pipeline of public and then delivered to p-public.
> >>>>
> >>>> Thanks
> >>>> Numan
> >>>>
> >>>>>
> >>>>> Regards,
> >>>>> Vladislav Odintsov
> >>>>>
> >>>>>> On 15 Sep 2022, at 15:42, Numan Siddique <[email protected]> wrote:
> >>>>>>
> >>>>>> On Thu, Sep 8, 2022 at 7:41 AM Vladislav Odintsov <[email protected]> wrote:
> >>>>>>>
> >>>>>>> Prior to this patch traffic to LSPs, which are disabled with
> >>>>>>> `ovn-nbctl lsp-set-enabled <LSP> disabled` was dropped in the end of
> >>>>>>> lswitch egress pipeline. This means that traffic is processed in
> >>>>>>> vain:
> >>>>>>> - traffic, which should be dropped, first travels from one chassis to
> >>>>>>> another (if source/dest LSPs reside on different nodes) and dropped on
> >>>>>>> the destination chassis;
> >>>>>>> - when such traffic reaches destination chassis, if stateful services
> >>>>>>> are
> >>>>>>> enabled within logical switch, first traffic is sent to conntrack and
> >>>>>>> is dropped after that.
> >>>>>>>
> >>>>>>> So it is costly to drop traffic in such manner especially in case LSP
> >>>>>>> is
> >>>>>>> disabled to prevent any harmful traffic to affect infrastructure.
> >>>>>>> This
> >>>>>>> patch changes "to-lport" drop behaviour.
Now it is dropped in lswitch > >>>>>>> ingress pipeline to avoid sending traffic to disabled LSP from one > >>>>>>> chassis to another. > >>>>>>> Traffic doesn't reach conntrack in destination LSP's zone now as well. > >>>>>>> > >>>>>>> Port security testcases are updated. > >>>>>>> > >>>>>>> Signed-off-by: Vladislav Odintsov <[email protected] > >>>>>>> <mailto:[email protected]>> > >>>>>> > >>>>>> Hi Vladislav, > >>>>>> > >>>>>> It might break the scenario for the traffic from the provider network > >>>>>> (external) destined to a logical port connected > >>>>>> to a logical switch with localnet port. The traffic would be now > >>>>>> delivered. > >>>>>> > >>>>>> I'd suggest dropping the traffic both in ls_in_check_port_sec and in > >>>>>> ls_out_check_port_sec for a disabled logical port. What do you think > >>>>>> ? > >>>>>> > >>>>>> Thanks > >>>>>> Numan > >>>>>> > >>>>>> > >>>>>> > >>>>>>> --- > >>>>>>> northd/northd.c | 22 +++--- > >>>>>>> tests/ovn-northd.at <http://ovn-northd.at/> | 184 > >>>>>>> +++++++++++++++++++++++++++----------------- > >>>>>>> 2 files changed, 128 insertions(+), 78 deletions(-) > >>>>>>> > >>>>>>> diff --git a/northd/northd.c b/northd/northd.c > >>>>>>> index 4a40ec9b0..5497a88ca 100644 > >>>>>>> --- a/northd/northd.c > >>>>>>> +++ b/northd/northd.c > >>>>>>> @@ -5475,9 +5475,8 @@ build_lswitch_port_sec_op(struct ovn_port *op, > >>>>>>> struct hmap *lflows, > >>>>>>> ds_clear(match); > >>>>>>> ds_put_format(match, "outport == %s", op->json_key); > >>>>>>> ovn_lflow_add_with_lport_and_hint( > >>>>>>> - lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150, > >>>>>>> - ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;", > >>>>>>> - op->key, &op->nbsp->header_); > >>>>>>> + lflows, op->od, S_SWITCH_IN_L2_UNKNOWN, 50, > >>>>>>> ds_cstr(match), > >>>>>>> + "drop;", op->key, &op->nbsp->header_); > >>>>>>> return; > >>>>>>> } > >>>>>>> 
> >>>>>>> @@ -8466,6 +8465,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port > >>>>>>> *op, > >>>>>>> * Ethernet address followed by zero or more IPv4 > >>>>>>> * or IPv6 addresses (or both). */ > >>>>>>> struct eth_addr mac; > >>>>>>> + bool lsp_enabled = lsp_is_enabled(op->nbsp); > >>>>>>> + char *action = lsp_enabled ? "output" : "drop"; > >>>>>>> if (ovs_scan(op->nbsp->addresses[i], > >>>>>>> ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) { > >>>>>>> ds_clear(match); > >>>>>>> @@ -8473,13 +8474,14 @@ build_lswitch_ip_unicast_lookup(struct > >>>>>>> ovn_port *op, > >>>>>>> ETH_ADDR_ARGS(mac)); > >>>>>>> > >>>>>>> ds_clear(actions); > >>>>>>> - ds_put_format(actions, "outport = %s; output;", > >>>>>>> op->json_key); > >>>>>>> + ds_put_format(actions, "outport = %s; %s;", > >>>>>>> op->json_key, > >>>>>>> + action); > >>>>>>> ovn_lflow_add_with_hint(lflows, op->od, > >>>>>>> S_SWITCH_IN_L2_LKUP, > >>>>>>> 50, ds_cstr(match), > >>>>>>> ds_cstr(actions), > >>>>>>> &op->nbsp->header_); > >>>>>>> } else if (!strcmp(op->nbsp->addresses[i], "unknown")) { > >>>>>>> - if (lsp_is_enabled(op->nbsp)) { > >>>>>>> + if (lsp_enabled) { > >>>>>>> ovs_mutex_lock(&mcgroup_mutex); > >>>>>>> ovn_multicast_add(mcgroups, &mc_unknown, op); > >>>>>>> ovs_mutex_unlock(&mcgroup_mutex); > >>>>>>> @@ -8496,7 +8498,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port > >>>>>>> *op, > >>>>>>> ETH_ADDR_ARGS(mac)); > >>>>>>> > >>>>>>> ds_clear(actions); > >>>>>>> - ds_put_format(actions, "outport = %s; output;", > >>>>>>> op->json_key); > >>>>>>> + ds_put_format(actions, "outport = %s; %s;", > >>>>>>> op->json_key, > >>>>>>> + action); > >>>>>>> ovn_lflow_add_with_hint(lflows, op->od, > >>>>>>> S_SWITCH_IN_L2_LKUP, > >>>>>>> 50, ds_cstr(match), > >>>>>>> ds_cstr(actions), 
> >>>>>>> @@ -8544,7 +8547,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port > >>>>>>> *op, > >>>>>>> } > >>>>>>> > >>>>>>> ds_clear(actions); > >>>>>>> - ds_put_format(actions, "outport = %s; output;", > >>>>>>> op->json_key); > >>>>>>> + ds_put_format(actions, "outport = %s; %s;", > >>>>>>> op->json_key, > >>>>>>> + action); > >>>>>>> ovn_lflow_add_with_hint(lflows, op->od, > >>>>>>> S_SWITCH_IN_L2_LKUP, 50, > >>>>>>> ds_cstr(match), ds_cstr(actions), > >>>>>>> @@ -8567,8 +8571,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port > >>>>>>> *op, > >>>>>>> nat->logical_port); > >>>>>>> > >>>>>>> ds_clear(actions); > >>>>>>> - ds_put_format(actions, "outport = %s; > >>>>>>> output;", > >>>>>>> - op->json_key); > >>>>>>> + ds_put_format(actions, "outport = %s; > >>>>>>> %s;", > >>>>>>> + op->json_key, action); > >>>>>>> ovn_lflow_add_with_hint(lflows, op->od, > >>>>>>> S_SWITCH_IN_L2_LKUP, > >>>>>>> 50, > >>>>>>> ds_cstr(match), > >>>>>>> diff --git a/tests/ovn-northd.at <http://ovn-northd.at/> > >>>>>>> b/tests/ovn-northd.at <http://ovn-northd.at/> > >>>>>>> index d5136ac6d..521942aeb 100644 > >>>>>>> --- a/tests/ovn-northd.at <http://ovn-northd.at/> > >>>>>>> +++ b/tests/ovn-northd.at <http://ovn-northd.at/> 
> >>>>>>> @@ -7425,16 +7425,22 @@ check ovn-nbctl --wait=sb ls-add sw0 > >>>>>>> ovn-sbctl dump-flows sw0 > sw0flows > >>>>>>> AT_CAPTURE_FILE([sw0flows]) > >>>>>>> > >>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >>>>>>> 's/table=./table=?/' ], [0], [dnl > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >>>>>>> ls_in_l2_unknown | \ > >>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >>>>>>> action=(outport = get_fdb(eth.dst); next;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >>>>>>> action=(outport = "_MC_flood"; output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >>>>>>> "none"), action=(drop;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> ]) > >>>>>>> > >>>>>>> check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 > >>>>>>> "00:00:00:00:00:01" 
> >>>>>>> @@ -7444,16 +7450,24 @@ check ovn-nbctl --wait=sb lsp-add sw0 > >>>>>>> localnetport -- lsp-set-type localnetport > >>>>>>> ovn-sbctl dump-flows sw0 > sw0flows > >>>>>>> AT_CAPTURE_FILE([sw0flows]) > >>>>>>> > >>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >>>>>>> 's/table=./table=?/' ], [0], [dnl > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >>>>>>> ls_in_l2_unknown | \ > >>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >>>>>>> action=(outport = get_fdb(eth.dst); next;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >>>>>>> action=(outport = "_MC_flood"; output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >>>>>>> "none"), action=(drop;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + 
table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> ]) > >>>>>>> > >>>>>>> check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 > >>>>>>> 10.0.0.3 1000::3" 
> >>>>>>> @@ -7462,16 +7476,24 @@ check ovn-nbctl --wait=sb > >>>>>>> lsp-set-port-security sw0p2 "00:00:00:00:00:02 10.0.0. > >>>>>>> ovn-sbctl dump-flows sw0 > sw0flows > >>>>>>> AT_CAPTURE_FILE([sw0flows]) > >>>>>>> > >>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >>>>>>> 's/table=./table=?/' ], [0], [dnl > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >>>>>>> ls_in_l2_unknown | \ > >>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >>>>>>> action=(outport = get_fdb(eth.dst); next;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >>>>>>> action=(outport = "_MC_flood"; output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >>>>>>> "none"), action=(drop;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + 
table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> ]) > >>>>>>> > >>>>>>> # Disable sw0p1 
> >>>>>>> @@ -7480,37 +7502,53 @@ check ovn-nbctl --wait=sb set > >>>>>>> logical_switch_port sw0p1 enabled=false > >>>>>>> ovn-sbctl dump-flows sw0 > sw0flows > >>>>>>> AT_CAPTURE_FILE([sw0flows]) > >>>>>>> > >>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >>>>>>> 's/table=./table=?/' ], [0], [dnl > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , match=(inport == > >>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=150 , match=(outport == > >>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) > >>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >>>>>>> ls_in_l2_unknown | \ > >>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , match=(inport == > >>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >>>>>>> action=(outport = get_fdb(eth.dst); next;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >>>>>>> action=(outport = "_MC_flood"; output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >>>>>>> "none"), action=(drop;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >>>>>>> "sw0p1"), action=(drop;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > 
>>>>>>> + table=??(ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> ]) > >>>>>>> > >>>>>>> check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 > >>>>>>> ovn-sbctl dump-flows sw0 > sw0flows > >>>>>>> AT_CAPTURE_FILE([sw0flows]) > >>>>>>> > >>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >>>>>>> 's/table=./table=?/' ], [0], [dnl > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , match=(inport == > >>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > >>>>>>> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); > >>>>>>> next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=150 , match=(outport == > >>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) > >>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >>>>>>> ls_in_l2_unknown | \ > >>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , match=(inport == > >>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > >>>>>>> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); > >>>>>>> next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >>>>>>> action=(outport = get_fdb(eth.dst); next;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >>>>>>> action=(outport = "_MC_flood"; output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >>>>>>> "none"), action=(drop;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport 
== > >>>>>>> "sw0p1"), action=(drop;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> ]) > >>>>>>> > >>>>>>> check ovn-nbctl set logical_switch_port sw0p1 enabled=true 
> >>>>>>> @@ -7519,20 +7557,28 @@ check ovn-nbctl --wait=sb lsp-set-options > >>>>>>> localnetport qdisc_queue_id=10 > >>>>>>> ovn-sbctl dump-flows sw0 > sw0flows > >>>>>>> AT_CAPTURE_FILE([sw0flows]) > >>>>>>> > >>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed > >>>>>>> 's/table=./table=?/' ], [0], [dnl > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > >>>>>>> "localnetport"), action=(set_queue(10); reg0[[15]] = > >>>>>>> check_in_port_sec(); next;) > >>>>>>> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > >>>>>>> "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) > >>>>>>> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == > >>>>>>> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); > >>>>>>> next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> - table=? (ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> - table=? (ls_out_apply_port_sec), priority=100 , match=(outport == > >>>>>>> "localnetport"), action=(set_queue(10); output;) > >>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e > >>>>>>> ls_in_l2_unknown | \ > >>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(eth.src[[40]]), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=100 , > >>>>>>> match=(vlan.present), action=(drop;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), > >>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > >>>>>>> "localnetport"), action=(set_queue(10); reg0[[15]] = > >>>>>>> check_in_port_sec(); next;) > >>>>>>> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > >>>>>>> "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) > >>>>>>> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == > >>>>>>> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); > >>>>>>> next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(next;) > >>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), > >>>>>>> action=(outport = get_fdb(eth.dst); next;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == > >>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == > >>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) > >>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), > >>>>>>> action=(outport = "_MC_flood"; output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), 
> >>>>>>> action=(output;) > >>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == > >>>>>>> "none"), action=(drop;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), > >>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) > >>>>>>> + table=??(ls_out_check_port_sec), priority=100 , > >>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), > >>>>>>> action=(output;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == > >>>>>>> "localnetport"), action=(set_queue(10); output;) > >>>>>>> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] > >>>>>>> == 1), action=(drop;) > >>>>>>> ]) > >>>>>>> > >>>>>>> AT_CLEANUP > >>>>>>> -- > >>>>>>> 2.36.1 > >>>>>>> > >>>>>>> _______________________________________________ > >>>>>>> dev mailing list > >>>>>>> [email protected] <mailto:[email protected]> > >>>>>>> <mailto:[email protected] <mailto:[email protected]>> > >>>>>>> <mailto:[email protected] <mailto:[email protected]> > >>>>>>> <mailto:[email protected] <mailto:[email protected]>>> > >>>>>>> <mailto:[email protected] > >>>>>>> <mailto:[email protected]><mailto:[email protected] > >>>>>>> <mailto:[email protected]>> <mailto:[email protected] > >>>>>>> <mailto:[email protected]> <mailto:[email protected] > >>>>>>> <mailto:[email protected]>>>> > >>>>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev > >>>>>>> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev> > >>>>>>> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev > >>>>>>> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>> > >>>>>>> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev > >>>>>>> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev> > >>>>>>> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev > >>>>>>> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>>> > >>>>>>> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev > 
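Review bot: The widened filter in the AT_CHECK that precedes "# Disable sw0p1" (grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown) pulls every L2 lookup flow into a port-security expectation, including lines that do not involve sw0p1 at all, such as the $svc_monitor_mac and "_MC_flood" flows, so an unrelated change to those stages will fail this test. Consider a separate AT_CHECK for the L2 stages that keeps only the flows naming sw0p1. A short comment would also help readers: 's/table=../table=??/' now consumes the space after single-digit table numbers, which is why the expected lines read table=??( where they used to read table=? (.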
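Review bot: In the hunk at @@ -7480,37 +7502,53, the expected output for the disabled sw0p1 no longer contains the ls_out_check_port_sec priority=150 line matching outport == "sw0p1", so nothing in this test asserts a drop on the egress side any more. The replacement coverage is the unicast ls_in_l2_lkup flow for 00:00:00:00:00:01 and the ls_in_l2_unknown flow for outport == "sw0p1", while the priority=70 eth.mcast flow still sets outport = "_MC_flood"; output; and the priority=100 ls_out_check_port_sec flow still clears reg0[[15]] for eth.mcast. Either keep an egress drop for the disabled port, as suggested earlier in this thread, or add a check showing that sw0p1 cannot be reached through "_MC_flood". The same applies to the second AT_CHECK in this hunk, after qdisc_queue_id=10 is set on sw0p2.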
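Review bot: In the hunk at @@ -7519,20 +7557,28, the expected line for inport == "sw0p1" still carries a literal stage number in next(pipeline=ingress, table=16);, which the sed expression does not mask because, without the g flag, it rewrites only the first table= on each line. Since this change already reworks the masking, consider masking that number too, so the test does not break when ingress stages are renumbered. A one-line comment saying that this block verifies the sw0p1 drop flows in ls_in_l2_lkup and ls_in_l2_unknown are gone again after enabled=true would make the intent of the added lines clear.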
