I’ve submitted v3: https://patchwork.ozlabs.org/project/ovn/patch/[email protected]/
Regards,
Vladislav Odintsov

> On 16 Sep 2022, at 03:04, Numan Siddique <[email protected]> wrote:
>
> On Thu, Sep 15, 2022 at 7:59 PM Vladislav Odintsov <[email protected]> wrote:
>>
>> Numan,
>>
>> I’ve just to be sure we’re on the same page about moving drop flow.
>> You have reviewed this patch v1 or v2 [1]?
>
> I reviewed v2.
>
> Thanks
> Numan
>
>>
>> 1:
>> https://patchwork.ozlabs.org/project/ovn/patch/[email protected]/
>>
>> Regards,
>> Vladislav Odintsov
>>
>>> On 16 Sep 2022, at 02:25, Vladislav Odintsov <[email protected]> wrote:
>>>
>>> Ok,
>>> I’ll correct patch and resend v2.
>>>
>>> Regards,
>>> Vladislav Odintsov
>>>
>>>> On 16 Sep 2022, at 01:06, Numan Siddique <[email protected]> wrote:
>>>>
>>>> On Thu, Sep 15, 2022 at 12:46 PM Vladislav Odintsov <[email protected]> wrote:
>>>>>
>>>>> I’ve tried this setup and it seems working correctly to me (with this
>>>>> patch applied).
>>>>> First, I checked that when p-port1 is enabled, the traffic passes
>>>>> (succeeded), next, I’ve disabled p-port1.
>>>>> The traffic got dropped if an excess drop lflow in l2_lkup table:
>>>>
>>>> Ok. Thanks for testing this scenario and correcting me. I think it's
>>>> still better to drop both in ingress pipeline (at the beginning -
>>>> in_port_sec_check stage) and in egress pipeline as I suggested if the
>>>> lport is disabled.
>>>>
>>>>
>>>> Thanks
>>>> Numan
>>>>
>>>>>
>>>>>
>>>>> [root@dev1 ~]# ovs-appctl ofproto/trace
>>>>> 'recirc_id(0),in_port(internet),eth(src=9a:09:91:98:16:48,dst=50:54:00:00:00:03),eth_type(0x0800),ipv4(frag=no)'
>>>>> | ovn-detrace
>>>>> Flow:
>>>>> ip,in_port=LOCAL,vlan_tci=0x0000,dl_src=9a:09:91:98:16:48,dl_dst=50:54:00:00:00:03,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=0
>>>>>
>>>>> bridge("internet")
>>>>> ------------------
>>>>> 0. priority 0
>>>>> NORMAL
>>>>> -> forwarding to learned port
>>>>>
>>>>> bridge("br-int")
>>>>> ----------------
>>>>> 0. in_port=260,vlan_tci=0x0000/0x1000, priority 100, cookie 0x6aca4e04
>>>>> set_field:0x2->reg11
>>>>> set_field:0x3->reg12
>>>>> set_field:0x1->metadata
>>>>> set_field:0x1->reg14
>>>>> resubmit(,8)
>>>>> * Logical datapath: "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11)
>>>>> * Port Binding: logical_port "ln-public", tunnel_key 1,
>>>>> 8. metadata=0x1, priority 50, cookie 0x6e9dd5a0
>>>>> set_field:0/0x1000->reg10
>>>>> resubmit(,73)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=0 (ls_in_check_port_sec), priority=50, match=(1),
>>>>> actions=(reg0[15] = check_in_port_sec(); next;)
>>>>> 73. reg0=0x2, priority 0
>>>>> drop
>>>>> move:NXM_NX_REG10[12]->NXM_NX_XXREG0[111]
>>>>> -> NXM_NX_XXREG0[111] is now 0
>>>>> resubmit(,9)
>>>>> 9. metadata=0x1, priority 0, cookie 0xe9361b4d
>>>>> resubmit(,10)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=1 (ls_in_apply_port_sec), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 10. metadata=0x1, priority 0, cookie 0x15c54e25
>>>>> resubmit(,11)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=2 (ls_in_lookup_fdb), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 11. metadata=0x1, priority 0, cookie 0x5ed9f6ec
>>>>> resubmit(,12)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=3 (ls_in_put_fdb), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 12. metadata=0x1, priority 0, cookie 0xb80c6b65
>>>>> resubmit(,13)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=4 (ls_in_pre_acl), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 13. ip,reg14=0x1,metadata=0x1, priority 110, cookie 0xb6e9951d
>>>>> resubmit(,14)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * Logical flow: table=5 (ls_in_pre_lb), priority=110, match=(ip && inport
>>>>> == "ln-public), actions=(next;)
>>>>> * Logical Switch Port: ln-public type localnet (addresses ['unknown'],
>>>>> dynamic addresses [], security []
>>>>> 14. metadata=0x1, priority 0, cookie 0xe50e3177
>>>>> resubmit(,15)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=6 (ls_in_pre_stateful), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 15. metadata=0x1, priority 65535, cookie 0x20b95bf3
>>>>> resubmit(,16)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=7 (ls_in_acl_hint), priority=65535, match=(1),
>>>>> actions=(next;)
>>>>> 16. metadata=0x1, priority 65535, cookie 0x350b5e98
>>>>> resubmit(,17)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=8 (ls_in_acl), priority=65535, match=(1),
>>>>> actions=(next;)
>>>>> 17. metadata=0x1, priority 0, cookie 0xeeb3f3fd
>>>>> resubmit(,18)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=9 (ls_in_qos_mark), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 18. metadata=0x1, priority 0, cookie 0x1925a192
>>>>> resubmit(,19)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=10 (ls_in_qos_meter), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 19. metadata=0x1, priority 0, cookie 0x11fe85e6
>>>>> resubmit(,20)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=11 (ls_in_lb), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 20. metadata=0x1, priority 0, cookie 0xfa28e4a9
>>>>> resubmit(,21)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=12 (ls_in_acl_after_lb), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 21. metadata=0x1, priority 0, cookie 0x3b7258ea
>>>>> resubmit(,22)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=13 (ls_in_stateful), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 22. metadata=0x1, priority 0, cookie 0x4f035815
>>>>> resubmit(,23)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=14 (ls_in_pre_hairpin), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 23. metadata=0x1, priority 0, cookie 0xcbbf42c6
>>>>> resubmit(,24)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=15 (ls_in_nat_hairpin), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 24. metadata=0x1, priority 0, cookie 0x54cfeb04
>>>>> resubmit(,25)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=16 (ls_in_hairpin), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 25. reg14=0x1,metadata=0x1, priority 100, cookie 0x4c1cce2f
>>>>> resubmit(,26)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * Logical flow: table=17 (ls_in_arp_rsp), priority=100, match=(inport ==
>>>>> "ln-public), actions=(next;)
>>>>> * Logical Switch Port: ln-public type localnet (addresses ['unknown'],
>>>>> dynamic addresses [], security []
>>>>> 26. metadata=0x1, priority 0, cookie 0x331bd252
>>>>> resubmit(,27)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=18 (ls_in_dhcp_options), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 27. metadata=0x1, priority 0, cookie 0x71caba46
>>>>> resubmit(,28)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=19 (ls_in_dhcp_response), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 28. metadata=0x1, priority 0, cookie 0xaaf918b1
>>>>> resubmit(,29)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=20 (ls_in_dns_lookup), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 29. metadata=0x1, priority 0, cookie 0xe6aeb3f9
>>>>> resubmit(,30)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=21 (ls_in_dns_response), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 30. metadata=0x1, priority 0, cookie 0x9b612ad4
>>>>> resubmit(,31)
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * "outside" (f34ded49-cf91-4932-99dd-24f0d7653ec8) [ingress]
>>>>> * Logical flow: table=22 (ls_in_external_port), priority=0, match=(1),
>>>>> actions=(next;)
>>>>> 31. metadata=0x1,dl_dst=50:54:00:00:00:03, priority 50, cookie 0x278cc83c
>>>>> drop
>>>>> * Logical datapaths:
>>>>> * "public" (a150aaf7-99ea-4635-a768-99c9d4bf4f11) [ingress]
>>>>> * Logical flow: table=23 (ls_in_l2_lkup), priority=50, match=(eth.dst ==
>>>>> 50:54:00:00:00:03), actions=(drop;)
>>>>> * Logical Switch Port: p-port1 type (addresses ['50:54:00:00:00:03
>>>>> 172.16.0.100'], dynamic addresses [], security []
>>>>>
>>>>> Final flow: unchanged
>>>>> Megaflow:
>>>>> recirc_id=0,eth,ip,in_port=LOCAL,dl_src=9a:09:91:98:16:48,dl_dst=50:54:00:00:00:03,nw_frag=no
>>>>> Datapath actions: drop
>>>>>
>>>>> [root@dev1 ~]# ovn-nbctl show public
>>>>> switch 633ad6c1-f3e5-4f31-b2fe-215203cf5272 (public)
>>>>> port p-port1
>>>>> addresses: ["50:54:00:00:00:03 172.16.0.100"]
>>>>> port ln-public
>>>>> type: localnet
>>>>> addresses: ["unknown"]
>>>>> [root@dev1 ~]# ovn-nbctl list logical-switch-port p-port1
>>>>> _uuid : b0ac9cb9-cc13-4184-af17-3fb6505975f8
>>>>> addresses : ["50:54:00:00:00:03 172.16.0.100"]
>>>>> dhcpv4_options : []
>>>>> dhcpv6_options : []
>>>>> dynamic_addresses : []
>>>>> enabled : false
>>>>> external_ids : {}
>>>>> ha_chassis_group : []
>>>>> name : p-port1
>>>>> options : {}
>>>>> parent_name : []
>>>>> port_security : []
>>>>> tag : []
>>>>> tag_request : []
>>>>> type : ""
>>>>> up : true
>>>>> [root@dev1 ~]# ovn-nbctl list logical-switch-port ln-public
>>>>> _uuid : e51d2489-e3da-4989-935c-949533b00b35
>>>>> addresses : [unknown]
>>>>> dhcpv4_options : []
>>>>> dhcpv6_options : []
>>>>> dynamic_addresses : []
>>>>> enabled : []
>>>>> external_ids : {}
>>>>> ha_chassis_group : []
>>>>> name : ln-public
>>>>> options : {network_name=public}
>>>>> parent_name : []
>>>>> port_security : []
>>>>> tag : []
>>>>> tag_request : []
>>>>> type : localnet
>>>>> up : false
>>>>>
>>>>> Regards,
>>>>> Vladislav Odintsov
>>>>>
>>>>>> On 15 Sep 2022, at 17:51, Numan Siddique <[email protected]> wrote:
>>>>>>
>>>>>> On Thu, Sep 15, 2022 at 10:30 AM Vladislav Odintsov <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Numan,
>>>>>>>
>>>>>>> thanks for the provided case. Unfortunately, I’m now sure I correctly
>>>>>>> understand it.
>>>>>>> Could you please provide ovn-nbctl commands to create such a topology
>>>>>>> so I could reproduce and recheck?
>>>>>>
>>>>>> Something like
>>>>>>
>>>>>> ovn-nbctl ls-add public
>>>>>> # localnet port
>>>>>> ovn-nbctl lsp-add public ln-public
>>>>>> ovn-nbctl lsp-set-type ln-public localnet
>>>>>> ovn-nbctl lsp-set-addresses ln-public unknown
>>>>>> ovn-nbctl lsp-set-options ln-public network_name=public
>>>>>>
>>>>>> # create a logical port
>>>>>> ovn-nbctl lsp-add public p-port1
>>>>>> ovn-nbctl lsp-set-addresses p-port1 "50:54:00:00:00:03 172.16.0.100"
>>>>>> (assuming 172.16.0.0/24 is the provider network CIDR)
>>>>>>
>>>>>> # attach p-port1 to a VM/container
>>>>>>
>>>>>> ovs-vsctl set open . external_ids:ovn-bridge-mappings="br-ex:public"
>>>>>>
>>>>>> # Create br-ex and attach physical interface to br-ex.
>>>>>>
>>>>>> If you ping from an external machine with say IP 172.16.0.20 to
>>>>>> p-port1 (172.16.0.100), then the packet will enter
>>>>>> physical interface -> br-ex -> patch port -> br-int (using ln-public)
>>>>>> and it will enter logical ingress pipeline of public
>>>>>> and then egress pipeline of public and then delivered to p-public.
>>>>>>
>>>>>> Thanks
>>>>>> Numan
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Vladislav Odintsov
>>>>>>>
>>>>>>>> On 15 Sep 2022, at 15:42, Numan Siddique <[email protected]> wrote:
>>>>>>>>
>>>>>>>> On Thu, Sep 8, 2022 at 7:41 AM Vladislav Odintsov <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Prior to this patch traffic to LSPs, which are disabled with
>>>>>>>>> `ovn-nbctl lsp-set-enabled <LSP> disabled` was dropped in the end of
>>>>>>>>> lswitch egress pipeline. This means that traffic is processed in
>>>>>>>>> vain:
>>>>>>>>> - traffic, which should be dropped, first travels from one chassis to
>>>>>>>>> another (if source/dest LSPs reside on different nodes) and dropped on
>>>>>>>>> the destination chassis;
>>>>>>>>> - when such traffic reaches destination chassis, if stateful services
>>>>>>>>> are
>>>>>>>>> enabled within logical switch, first traffic is sent to conntrack and
>>>>>>>>> is dropped after that.
>>>>>>>>>
>>>>>>>>> So it is costly to drop traffic in such manner especially in case LSP
>>>>>>>>> is
>>>>>>>>> disabled to prevent any harmful traffic to affect infrastructure.
>>>>>>>>> This
>>>>>>>>> patch changes "to-lport" drop behaviour.
Now it is dropped in lswitch >>>>>>>>> ingress pipeline to avoid sending traffic to disabled LSP from one >>>>>>>>> chassis to another. >>>>>>>>> Traffic doesn't reach conntrack in destination LSP's zone now as well. >>>>>>>>> >>>>>>>>> Port security testcases are updated. >>>>>>>>> >>>>>>>>> Signed-off-by: Vladislav Odintsov <[email protected] >>>>>>>>> <mailto:[email protected]>> >>>>>>>> >>>>>>>> Hi Vladislav, >>>>>>>> >>>>>>>> It might break the scenario for the traffic from the provider network >>>>>>>> (external) destined to a logical port connected >>>>>>>> to a logical switch with localnet port. The traffic would be now >>>>>>>> delivered. >>>>>>>> >>>>>>>> I'd suggest dropping the traffic both in ls_in_check_port_sec and in >>>>>>>> ls_out_check_port_sec for a disabled logical port. What do you think >>>>>>>> ? >>>>>>>> >>>>>>>> Thanks >>>>>>>> Numan >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> --- >>>>>>>>> northd/northd.c | 22 +++--- >>>>>>>>> tests/ovn-northd.at <http://ovn-northd.at/> | 184 >>>>>>>>> +++++++++++++++++++++++++++----------------- >>>>>>>>> 2 files changed, 128 insertions(+), 78 deletions(-) >>>>>>>>> >>>>>>>>> diff --git a/northd/northd.c b/northd/northd.c >>>>>>>>> index 4a40ec9b0..5497a88ca 100644 >>>>>>>>> --- a/northd/northd.c >>>>>>>>> +++ b/northd/northd.c >>>>>>>>> @@ -5475,9 +5475,8 @@ build_lswitch_port_sec_op(struct ovn_port *op, >>>>>>>>> struct hmap *lflows, >>>>>>>>> ds_clear(match); >>>>>>>>> ds_put_format(match, "outport == %s", op->json_key); >>>>>>>>> ovn_lflow_add_with_lport_and_hint( >>>>>>>>> - lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150, >>>>>>>>> - ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;", >>>>>>>>> - op->key, &op->nbsp->header_); >>>>>>>>> + lflows, op->od, S_SWITCH_IN_L2_UNKNOWN, 50, >>>>>>>>> ds_cstr(match), >>>>>>>>> + "drop;", op->key, &op->nbsp->header_); >>>>>>>>> return; >>>>>>>>> } >>>>>>>>> 
>>>>>>>>> @@ -8466,6 +8465,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port >>>>>>>>> *op, >>>>>>>>> * Ethernet address followed by zero or more IPv4 >>>>>>>>> * or IPv6 addresses (or both). */ >>>>>>>>> struct eth_addr mac; >>>>>>>>> + bool lsp_enabled = lsp_is_enabled(op->nbsp); >>>>>>>>> + char *action = lsp_enabled ? "output" : "drop"; >>>>>>>>> if (ovs_scan(op->nbsp->addresses[i], >>>>>>>>> ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) { >>>>>>>>> ds_clear(match); >>>>>>>>> @@ -8473,13 +8474,14 @@ build_lswitch_ip_unicast_lookup(struct >>>>>>>>> ovn_port *op, >>>>>>>>> ETH_ADDR_ARGS(mac)); >>>>>>>>> >>>>>>>>> ds_clear(actions); >>>>>>>>> - ds_put_format(actions, "outport = %s; output;", >>>>>>>>> op->json_key); >>>>>>>>> + ds_put_format(actions, "outport = %s; %s;", >>>>>>>>> op->json_key, >>>>>>>>> + action); >>>>>>>>> ovn_lflow_add_with_hint(lflows, op->od, >>>>>>>>> S_SWITCH_IN_L2_LKUP, >>>>>>>>> 50, ds_cstr(match), >>>>>>>>> ds_cstr(actions), >>>>>>>>> &op->nbsp->header_); >>>>>>>>> } else if (!strcmp(op->nbsp->addresses[i], "unknown")) { >>>>>>>>> - if (lsp_is_enabled(op->nbsp)) { >>>>>>>>> + if (lsp_enabled) { >>>>>>>>> ovs_mutex_lock(&mcgroup_mutex); >>>>>>>>> ovn_multicast_add(mcgroups, &mc_unknown, op); >>>>>>>>> ovs_mutex_unlock(&mcgroup_mutex); >>>>>>>>> @@ -8496,7 +8498,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port >>>>>>>>> *op, >>>>>>>>> ETH_ADDR_ARGS(mac)); >>>>>>>>> >>>>>>>>> ds_clear(actions); >>>>>>>>> - ds_put_format(actions, "outport = %s; output;", >>>>>>>>> op->json_key); >>>>>>>>> + ds_put_format(actions, "outport = %s; %s;", >>>>>>>>> op->json_key, >>>>>>>>> + action); >>>>>>>>> ovn_lflow_add_with_hint(lflows, op->od, >>>>>>>>> S_SWITCH_IN_L2_LKUP, >>>>>>>>> 50, ds_cstr(match), >>>>>>>>> ds_cstr(actions), 
>>>>>>>>> @@ -8544,7 +8547,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port >>>>>>>>> *op, >>>>>>>>> } >>>>>>>>> >>>>>>>>> ds_clear(actions); >>>>>>>>> - ds_put_format(actions, "outport = %s; output;", >>>>>>>>> op->json_key); >>>>>>>>> + ds_put_format(actions, "outport = %s; %s;", >>>>>>>>> op->json_key, >>>>>>>>> + action); >>>>>>>>> ovn_lflow_add_with_hint(lflows, op->od, >>>>>>>>> S_SWITCH_IN_L2_LKUP, 50, >>>>>>>>> ds_cstr(match), ds_cstr(actions), >>>>>>>>> @@ -8567,8 +8571,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port >>>>>>>>> *op, >>>>>>>>> nat->logical_port); >>>>>>>>> >>>>>>>>> ds_clear(actions); >>>>>>>>> - ds_put_format(actions, "outport = %s; >>>>>>>>> output;", >>>>>>>>> - op->json_key); >>>>>>>>> + ds_put_format(actions, "outport = %s; >>>>>>>>> %s;", >>>>>>>>> + op->json_key, action); >>>>>>>>> ovn_lflow_add_with_hint(lflows, op->od, >>>>>>>>> S_SWITCH_IN_L2_LKUP, >>>>>>>>> 50, >>>>>>>>> ds_cstr(match), >>>>>>>>> diff --git a/tests/ovn-northd.at <http://ovn-northd.at/> >>>>>>>>> b/tests/ovn-northd.at <http://ovn-northd.at/> >>>>>>>>> index d5136ac6d..521942aeb 100644 >>>>>>>>> --- a/tests/ovn-northd.at <http://ovn-northd.at/> >>>>>>>>> +++ b/tests/ovn-northd.at <http://ovn-northd.at/> 
>>>>>>>>> @@ -7425,16 +7425,22 @@ check ovn-nbctl --wait=sb ls-add sw0 >>>>>>>>> ovn-sbctl dump-flows sw0 > sw0flows >>>>>>>>> AT_CAPTURE_FILE([sw0flows]) >>>>>>>>> >>>>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed >>>>>>>>> 's/table=./table=?/' ], [0], [dnl >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e >>>>>>>>> ls_in_l2_unknown | \ >>>>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), >>>>>>>>> action=(outport = get_fdb(eth.dst); next;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == >>>>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), >>>>>>>>> action=(outport = "_MC_flood"; output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == >>>>>>>>> "none"), action=(drop;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> ]) >>>>>>>>> >>>>>>>>> check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 >>>>>>>>> "00:00:00:00:00:01" 
>>>>>>>>> @@ -7444,16 +7450,24 @@ check ovn-nbctl --wait=sb lsp-add sw0 >>>>>>>>> localnetport -- lsp-set-type localnetport >>>>>>>>> ovn-sbctl dump-flows sw0 > sw0flows >>>>>>>>> AT_CAPTURE_FILE([sw0flows]) >>>>>>>>> >>>>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed >>>>>>>>> 's/table=./table=?/' ], [0], [dnl >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e >>>>>>>>> ls_in_l2_unknown | \ >>>>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), >>>>>>>>> action=(outport = get_fdb(eth.dst); next;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == >>>>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), >>>>>>>>> action=(outport = "_MC_flood"; output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == >>>>>>>>> "none"), action=(drop;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + 
table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> ]) >>>>>>>>> >>>>>>>>> check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 >>>>>>>>> 10.0.0.3 1000::3" 
>>>>>>>>> @@ -7462,16 +7476,24 @@ check ovn-nbctl --wait=sb >>>>>>>>> lsp-set-port-security sw0p2 "00:00:00:00:00:02 10.0.0. >>>>>>>>> ovn-sbctl dump-flows sw0 > sw0flows >>>>>>>>> AT_CAPTURE_FILE([sw0flows]) >>>>>>>>> >>>>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed >>>>>>>>> 's/table=./table=?/' ], [0], [dnl >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e >>>>>>>>> ls_in_l2_unknown | \ >>>>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), >>>>>>>>> action=(outport = get_fdb(eth.dst); next;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == >>>>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), >>>>>>>>> action=(outport = "_MC_flood"; output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == >>>>>>>>> "none"), action=(drop;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + 
table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> ]) >>>>>>>>> >>>>>>>>> # Disable sw0p1 
>>>>>>>>> @@ -7480,37 +7502,53 @@ check ovn-nbctl --wait=sb set >>>>>>>>> logical_switch_port sw0p1 enabled=false >>>>>>>>> ovn-sbctl dump-flows sw0 > sw0flows >>>>>>>>> AT_CAPTURE_FILE([sw0flows]) >>>>>>>>> >>>>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed >>>>>>>>> 's/table=./table=?/' ], [0], [dnl >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , match=(inport == >>>>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=150 , match=(outport == >>>>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) >>>>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e >>>>>>>>> ls_in_l2_unknown | \ >>>>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , match=(inport == >>>>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), >>>>>>>>> action=(outport = get_fdb(eth.dst); next;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == >>>>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), >>>>>>>>> action=(outport = "_MC_flood"; output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == >>>>>>>>> "none"), action=(drop;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == >>>>>>>>> "sw0p1"), action=(drop;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) 
>>>>>>>>> + table=??(ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> ]) >>>>>>>>> >>>>>>>>> check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 >>>>>>>>> ovn-sbctl dump-flows sw0 > sw0flows >>>>>>>>> AT_CAPTURE_FILE([sw0flows]) >>>>>>>>> >>>>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed >>>>>>>>> 's/table=./table=?/' ], [0], [dnl >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , match=(inport == >>>>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == >>>>>>>>> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); >>>>>>>>> next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=150 , match=(outport == >>>>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) >>>>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e >>>>>>>>> ls_in_l2_unknown | \ >>>>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , match=(inport == >>>>>>>>> "sw0p1"), action=(reg0[[15]] = 1; next;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == >>>>>>>>> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); >>>>>>>>> next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), >>>>>>>>> action=(outport = get_fdb(eth.dst); next;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == >>>>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), >>>>>>>>> action=(outport = "_MC_flood"; output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == >>>>>>>>> "none"), action=(drop;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport 
== >>>>>>>>> "sw0p1"), action=(drop;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> ]) >>>>>>>>> >>>>>>>>> check ovn-nbctl set logical_switch_port sw0p1 enabled=true 
>>>>>>>>> @@ -7519,20 +7557,28 @@ check ovn-nbctl --wait=sb lsp-set-options >>>>>>>>> localnetport qdisc_queue_id=10 >>>>>>>>> ovn-sbctl dump-flows sw0 > sw0flows >>>>>>>>> AT_CAPTURE_FILE([sw0flows]) >>>>>>>>> >>>>>>>>> -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed >>>>>>>>> 's/table=./table=?/' ], [0], [dnl >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == >>>>>>>>> "localnetport"), action=(set_queue(10); reg0[[15]] = >>>>>>>>> check_in_port_sec(); next;) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == >>>>>>>>> "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) >>>>>>>>> - table=? (ls_in_check_port_sec), priority=70 , match=(inport == >>>>>>>>> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); >>>>>>>>> next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> - table=? (ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> - table=? (ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> - table=? (ls_out_apply_port_sec), priority=100 , match=(outport == >>>>>>>>> "localnetport"), action=(set_queue(10); output;) >>>>>>>>> - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e >>>>>>>>> ls_in_l2_unknown | \ >>>>>>>>> +sort | sed 's/table=../table=??/' ], [0], [dnl >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(eth.src[[40]]), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=100 , >>>>>>>>> match=(vlan.present), action=(drop;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=50 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_in_port_sec(); next;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == >>>>>>>>> "localnetport"), action=(set_queue(10); reg0[[15]] = >>>>>>>>> check_in_port_sec(); next;) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == >>>>>>>>> "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) >>>>>>>>> + table=??(ls_in_check_port_sec), priority=70 , match=(inport == >>>>>>>>> "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); >>>>>>>>> next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(next;) >>>>>>>>> + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=0 , match=(1), >>>>>>>>> action=(outport = get_fdb(eth.dst); next;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == >>>>>>>>> $svc_monitor_mac), action=(handle_svc_check(inport);) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == >>>>>>>>> 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) >>>>>>>>> + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), >>>>>>>>> action=(outport = "_MC_flood"; output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=0 , match=(1), 
>>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == >>>>>>>>> "none"), action=(drop;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=0 , match=(1), >>>>>>>>> action=(reg0[[15]] = check_out_port_sec(); next;) >>>>>>>>> + table=??(ls_out_check_port_sec), priority=100 , >>>>>>>>> match=(eth.mcast), action=(reg0[[15]] = 0; next;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=0 , match=(1), >>>>>>>>> action=(output;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == >>>>>>>>> "localnetport"), action=(set_queue(10); output;) >>>>>>>>> + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] >>>>>>>>> == 1), action=(drop;) >>>>>>>>> ]) >>>>>>>>> >>>>>>>>> AT_CLEANUP >>>>>>>>> -- >>>>>>>>> 2.36.1 >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> dev mailing list >>>>>>>>> [email protected] >>>>>>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
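Review bot: In the hunk at @@ -7480,37 +7502,53 @@ (both checks that run while sw0p1 is disabled), the expected output no longer contains the priority-150 ls_out_check_port_sec flow on outport == "sw0p1", and nothing in the test covers the multicast path that this flow used to guard. The priority-70 eth.mcast flow in ls_in_l2_lkup still outputs to "_MC_flood", and the egress stages shown have no per-port drop left, so these expectations would pass even if flooded traffic could reach a disabled port. Either keep the egress drop alongside the new ingress ones, as asked for earlier in this thread, or add a check that a disabled port is not a member of the flood group. Separately, action=(outport = "sw0p1"; drop;) assigns outport immediately before dropping; if the assignment has no purpose there, a plain drop; is clearer.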
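Review bot: In the hunk at @@ -7519,20 +7557,28 @@, the expected line for inport == "sw0p1" still hard-codes next(pipeline=ingress, table=16), which the new sed 's/table=../table=??/' does not mask because it rewrites only the first table= on each line. This check will break whenever an ingress stage is added or removed, which is the churn the table=?? masking is meant to absorb. Mask the table number inside next(...) as well, or assert on the stage it jumps to by name. The widened grep also repeats the same ls_in_l2_lkup and ls_in_l2_unknown expectations in every AT_CHECK of this test; a comment stating which lines are expected to differ between the enabled and disabled cases would make later failures easier to read.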
