On Mon, Oct 17, 2022 at 9:15 AM Adrian Moreno <[email protected]> wrote:
>
> By default, traffic that doesn't match any configured flow will be dropped.
> But having that behavior implicit makes those drops more difficult to
> visualize.
>
> Make default drops explicit both as default logical flows and as default
> openflow flows (e.g: for physical tables).
>
> Signed-off-by: Adrian Moreno <[email protected]>
Thanks for the patch.
Can you please update the documentation in ovn-northd.8.xml about the
newly added flows ?
Also the same applies for patch 3.
Thanks
Numan
> ---
> controller/physical.c | 45 ++++++++
> northd/northd.c | 34 +++++-
> tests/ovn-northd.at | 84 ++++++++++++++
> tests/ovn.at | 256 ++++++++++++++++++++++++++++++++++++------
> 4 files changed, 383 insertions(+), 36 deletions(-)
>
> diff --git a/controller/physical.c b/controller/physical.c
> index 705146316..415d16b76 100644
> --- a/controller/physical.c
> +++ b/controller/physical.c
> @@ -833,6 +833,17 @@ put_zones_ofpacts(const struct zone_ids *zone_ids,
> struct ofpbuf *ofpacts_p)
> }
> }
>
> +static void
> +add_default_drop_flow(uint8_t table_id,
> + struct ovn_desired_flow_table *flow_table)
> +{
> + struct match match = MATCH_CATCHALL_INITIALIZER;
> + struct ofpbuf ofpacts;
> + ofpbuf_init(&ofpacts, 0);
> + ofctrl_add_flow(flow_table, table_id, 0, 0, &match,
> + &ofpacts, hc_uuid);
> +}
> +
> static void
> put_local_common_flows(uint32_t dp_key,
> const struct sbrec_port_binding *pb,
> @@ -2114,6 +2125,13 @@ physical_run(struct physical_ctx *p_ctx,
> }
> }
>
> + /* Table 0, priority 0.
> + * ======================
> + *
> + * Drop packets tha do not match any tunnel in_port.
> + */
> + add_default_drop_flow(OFTABLE_PHY_TO_LOG, flow_table);
> +
> /* Table 37, priority 150.
> * =======================
> *
> @@ -2159,6 +2177,13 @@ physical_run(struct physical_ctx *p_ctx,
> ofctrl_add_flow(flow_table, OFTABLE_REMOTE_OUTPUT, 0, 0, &match,
> &ofpacts, hc_uuid);
>
> + /* Table 38, priority 0.
> + * ======================
> + *
> + * Drop packets that do not match previous flows.
> + */
> + add_default_drop_flow(OFTABLE_LOCAL_OUTPUT, flow_table);
> +
> /* Table 39, Priority 0.
> * =======================
> *
> @@ -2185,5 +2210,25 @@ physical_run(struct physical_ctx *p_ctx,
> ofctrl_add_flow(flow_table, OFTABLE_SAVE_INPORT, 0, 0, &match,
> &ofpacts, hc_uuid);
>
> + /* Table 65, priority 0.
> + * ======================
> + *
> + * Drop packets that do not match previous flows.
> + */
> + add_default_drop_flow(OFTABLE_LOG_TO_PHY, flow_table);
> +
> + /* Table 68, priority 0.
> + * ======================
> + *
> + * Drop packets that do not match previous flows.
> + */
> + add_default_drop_flow(OFTABLE_CHK_LB_HAIRPIN, flow_table);
> +
> + /* Table 70, priority 0.
> + * ======================
> + *
> + * Drop packets that do not match previous flows.
> + */
> + add_default_drop_flow(OFTABLE_CT_SNAT_HAIRPIN, flow_table);
> ofpbuf_uninit(&ofpacts);
> }
> diff --git a/northd/northd.c b/northd/northd.c
> index 6771ccce5..ce4f0af56 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -5164,6 +5164,16 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct
> ovn_datapath *od,
> io_port, ctrl_meter, stage_hint, where, hash);
> }
>
> +static void
> +__ovn_lflow_add_default_drop(struct hmap *lflow_map,
> + struct ovn_datapath *od,
> + enum ovn_stage stage,
> + const char *where)
> +{
> + ovn_lflow_add_at(lflow_map, od, stage, 0, "1", "drop;",
> + NULL, NULL, NULL, where );
> +}
> +
> /* Adds a row with the specified contents to the Logical_Flow table. */
> #define ovn_lflow_add_with_hint__(LFLOW_MAP, OD, STAGE, PRIORITY, MATCH, \
> ACTIONS, IN_OUT_PORT, CTRL_METER, \
> @@ -5176,6 +5186,10 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct
> ovn_datapath *od,
> ovn_lflow_add_at(LFLOW_MAP, OD, STAGE, PRIORITY, MATCH, ACTIONS, \
> NULL, NULL, STAGE_HINT, OVS_SOURCE_LOCATOR)
>
> +#define ovn_lflow_add_default_drop(LFLOW_MAP, OD, STAGE) \
> + __ovn_lflow_add_default_drop(LFLOW_MAP, OD, STAGE, OVS_SOURCE_LOCATOR)
> +
> +
> /* This macro is similar to ovn_lflow_add_with_hint, except that it requires
> * the IN_OUT_PORT argument, which tells the lport name that appears in the
> * MATCH, which helps ovn-controller to bypass lflows parsing when the lport
> is
> @@ -10983,6 +10997,9 @@ build_adm_ctrl_flows_for_lrouter(
> * Broadcast/multicast source address is invalid. */
> ovn_lflow_add(lflows, od, S_ROUTER_IN_ADMISSION, 100,
> "vlan.present || eth.src[40]", "drop;");
> +
> + /* Default action for L2 security is to drop. */
> + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_ADMISSION);
> }
> }
>
> @@ -11224,6 +11241,8 @@ build_neigh_learning_flows_for_lrouter(
> "nd_ns", "put_nd(inport, ip6.src, nd.sll); next;",
> copp_meter_get(COPP_ND_NS, od->nbr->copp,
> meter_groups));
> +
> + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_LEARN_NEIGHBOR);
> }
>
> }
> @@ -11500,6 +11519,8 @@ build_static_route_flows_for_lrouter(
> const struct hmap *bfd_connections)
> {
> if (od->nbr) {
> + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_IP_ROUTING_ECMP);
> + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_IP_ROUTING);
> ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING_ECMP, 150,
> REG_ECMP_GROUP_ID" == 0", "next;");
>
> @@ -11671,6 +11692,7 @@ build_ingress_policy_flows_for_lrouter(
> REG_ECMP_GROUP_ID" = 0; next;");
> ovn_lflow_add(lflows, od, S_ROUTER_IN_POLICY_ECMP, 150,
> REG_ECMP_GROUP_ID" == 0", "next;");
> + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_POLICY_ECMP);
>
> /* Convert routing policies to flows. */
> uint16_t ecmp_group_id = 1;
> @@ -11703,11 +11725,13 @@ build_arp_resolve_flows_for_lrouter(
> ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 500,
> "ip4.mcast || ip6.mcast", "next;");
>
> - ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip4",
> + ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 1, "ip4",
> "get_arp(outport, " REG_NEXT_HOP_IPV4 "); next;");
>
> - ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip6",
> + ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 1, "ip6",
> "get_nd(outport, " REG_NEXT_HOP_IPV6 "); next;");
> +
> + ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_ARP_RESOLVE);
> }
> }
>
> @@ -11833,9 +11857,9 @@ build_arp_resolve_flows_for_lrouter_port(
> * in stage "lr_in_ip_input" but traffic that could have been
> unSNATed
> * but didn't match any existing session might still end up here.
> *
> - * Priority 1.
> + * Priority 2.
> */
> - build_lrouter_drop_own_dest(op, S_ROUTER_IN_ARP_RESOLVE, 1, true,
> + build_lrouter_drop_own_dest(op, S_ROUTER_IN_ARP_RESOLVE, 2, true,
> lflows);
> } else if (op->od->n_router_ports && !lsp_is_router(op->nbsp)
> && strcmp(op->nbsp->type, "virtual")) {
> @@ -12437,6 +12461,8 @@ build_egress_delivery_flows_for_lrouter_port(
> ds_put_format(match, "outport == %s", op->json_key);
> ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_DELIVERY, 100,
> ds_cstr(match), "output;");
> +
> + ovn_lflow_add_default_drop(lflows, op->od, S_ROUTER_OUT_DELIVERY);
> }
>
> }
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index bd6dad910..4ca6e0fc8 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -2848,6 +2848,7 @@ AT_CAPTURE_FILE([lr0flows3])
> AT_CHECK([grep "lr_in_policy" lr0flows3 | sed 's/table=../table=??/' |
> sort], [0], [dnl
> table=??(lr_in_policy ), priority=0 , match=(1),
> action=(reg8[[0..15]] = 0; next;)
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.3), action=(reg8[[0..15]] = 1; reg8[[16..31]] = select(1, 2);)
> + table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == 1
> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100;
> eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1;
> next;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == 1
> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100;
> eth.src = 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1;
> next;)
> table=??(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == 0),
> action=(next;)
> @@ -2863,6 +2864,7 @@ sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] ==
> <cleared>/' | sed 's/table
> table=??(lr_in_policy ), priority=0 , match=(1),
> action=(reg8[[0..15]] = <cleared>; next;)
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.3), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2);)
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2,
> 3);)
> + table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> @@ -2882,6 +2884,7 @@ sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] ==
> <cleared>/' | sed 's/table
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.3), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2);)
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2,
> 3);)
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src =
> 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]]
> = <cleared>; next;)
> + table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> @@ -2900,6 +2903,7 @@ sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] ==
> <cleared>/' | sed 's/table
> table=??(lr_in_policy ), priority=0 , match=(1),
> action=(reg8[[0..15]] = <cleared>; next;)
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.4), action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2,
> 3);)
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src =
> 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]]
> = <cleared>; next;)
> + table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] ==
> <cleared> && reg8[[16..31]] == 3), action=(reg0 = 172.168.0.103; reg1 =
> 172.168.0.100; eth.src = 00:00:20:20:12:13; outport = "lr0-public";
> flags.loopback = 1; next;)
> @@ -2915,6 +2919,7 @@ sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] =
> <cleared>/' | \
> sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sed
> 's/table=../table=??/' | sort], [0], [dnl
> table=??(lr_in_policy ), priority=0 , match=(1),
> action=(reg8[[0..15]] = <cleared>; next;)
> table=??(lr_in_policy ), priority=10 , match=(ip4.src ==
> 10.0.0.5), action=(reg0 = 172.168.0.110; reg1 = 172.168.0.100; eth.src =
> 00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; reg8[[0..15]]
> = <cleared>; next;)
> + table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] ==
> <cleared>), action=(next;)
> ])
>
> @@ -2926,6 +2931,7 @@ AT_CHECK([grep "lr_in_policy" lr0flows3 | \
> sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] = <cleared>/' | \
> sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sed
> 's/table=../table=??/' | sort], [0], [dnl
> table=??(lr_in_policy ), priority=0 , match=(1),
> action=(reg8[[0..15]] = <cleared>; next;)
> + table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] ==
> <cleared>), action=(next;)
> ])
>
> @@ -5750,6 +5756,7 @@ ovn-sbctl dump-flows lr0 > lr0flows
> AT_CHECK([grep -e "lr_in_ip_routing.*select" lr0flows |sort], [0], [dnl
> ])
> AT_CHECK([grep -e "lr_in_ip_routing_ecmp" lr0flows | sed
> 's/table=../table=??/' |sort], [0], [dnl
> + table=??(lr_in_ip_routing_ecmp), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_ip_routing_ecmp), priority=150 , match=(reg8[[0..15]] ==
> 0), action=(next;)
> ])
>
> @@ -5760,6 +5767,7 @@ AT_CHECK([grep -e "lr_in_ip_routing.*select" lr0flows |
> sed 's/table=../table=??
> table=??(lr_in_ip_routing ), priority=97 , match=(reg7 == 0 && ip4.dst
> == 1.0.0.1/32), action=(ip.ttl--; flags.loopback = 1; reg8[[0..15]] = 1;
> reg8[[16..31]] = select(1, 2);)
> ])
> AT_CHECK([grep -e "lr_in_ip_routing_ecmp" lr0flows | sed
> 's/192\.168\.0\..0/192.168.0.??/' | sed 's/table=../table=??/' | sort], [0],
> [dnl
> + table=??(lr_in_ip_routing_ecmp), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_ip_routing_ecmp), priority=100 , match=(reg8[[0..15]] == 1
> && reg8[[16..31]] == 1), action=(reg0 = 192.168.0.??; reg1 = 192.168.0.1;
> eth.src = 00:00:20:20:12:13; outport = "lr0-public"; next;)
> table=??(lr_in_ip_routing_ecmp), priority=100 , match=(reg8[[0..15]] == 1
> && reg8[[16..31]] == 2), action=(reg0 = 192.168.0.??; reg1 = 192.168.0.1;
> eth.src = 00:00:20:20:12:13; outport = "lr0-public"; next;)
> table=??(lr_in_ip_routing_ecmp), priority=150 , match=(reg8[[0..15]] ==
> 0), action=(next;)
> @@ -5803,6 +5811,7 @@ AT_CHECK([grep -e "lr_in_ip_routing.*select" lr0flows |
> sed 's/table=../table=??
> table=??(lr_in_ip_routing ), priority=97 , match=(reg7 == 0 && ip4.dst
> == 1.0.0.1/32), action=(ip.ttl--; flags.loopback = 1; reg8[[0..15]] = 1;
> reg8[[16..31]] = select(1, 2);)
> ])
> AT_CHECK([grep -e "lr_in_ip_routing_ecmp" lr0flows | sed
> 's/192\.168\.0\..0/192.168.0.??/' | sed 's/table=../table=??/' | sort], [0],
> [dnl
> + table=??(lr_in_ip_routing_ecmp), priority=0 , match=(1), action=(drop;)
> table=??(lr_in_ip_routing_ecmp), priority=100 , match=(reg8[[0..15]] == 1
> && reg8[[16..31]] == 1), action=(reg0 = 192.168.0.??; reg1 = 192.168.0.1;
> eth.src = 00:00:20:20:12:13; outport = "lr0-public"; next;)
> table=??(lr_in_ip_routing_ecmp), priority=100 , match=(reg8[[0..15]] == 1
> && reg8[[16..31]] == 2), action=(reg0 = 192.168.0.??; reg1 = 192.168.0.1;
> eth.src = 00:00:20:20:12:13; outport = "lr0-public"; next;)
> table=??(lr_in_ip_routing_ecmp), priority=150 , match=(reg8[[0..15]] ==
> 0), action=(next;)
> @@ -6881,6 +6890,7 @@ AT_CHECK([cat lrflows | grep -e lr_in_lookup_neighbor
> -e lr_in_learn_neighbor |
> table=1 (lr_in_lookup_neighbor), priority=100 , match=(arp.op == 2),
> action=(reg9[[2]] = lookup_arp(inport, arp.spa, arp.sha); next;)
> table=1 (lr_in_lookup_neighbor), priority=100 , match=(nd_na),
> action=(reg9[[2]] = lookup_nd(inport, nd.target, nd.tll); next;)
> table=1 (lr_in_lookup_neighbor), priority=100 , match=(nd_ns),
> action=(reg9[[2]] = lookup_nd(inport, ip6.src, nd.sll); next;)
> + table=2 (lr_in_learn_neighbor), priority=0 , match=(1), action=(drop;)
> table=2 (lr_in_learn_neighbor), priority=100 , match=(reg9[[2]] == 1),
> action=(next;)
> table=2 (lr_in_learn_neighbor), priority=90 , match=(arp),
> action=(put_arp(inport, arp.spa, arp.sha); next;)
> table=2 (lr_in_learn_neighbor), priority=90 , match=(nd_na),
> action=(put_nd(inport, nd.target, nd.tll); next;)
> @@ -7903,3 +7913,77 @@ AT_CHECK([grep "lr_in_arp_resolve" R1flows | grep
> priority=90 | sort], [0], [dnl
>
> AT_CLEANUP
> ])
> +
> +OVN_FOR_EACH_NORTHD([
> +AT_SETUP([Check default drop])
> +AT_KEYWORDS([drop])
> +
> +# Check that there is an explicit drop lflow in all tables.
> +check_default_lflow() {
> + dps=$(ovn-sbctl --bare --columns=_uuid list Datapath_Binding | xargs)
> + for dp in $dps; do
> + for pipeline in ingress egress; do
> + for table in $(ovn-sbctl --bare --columns=table_id find
> Logical_Flow logical_datapath="$dp" pipeline="$pipeline" | xargs | sort |
> uniq); do
> + echo "Checking if datapath $dp pipeline $pipeline table
> $table has a default action"
> + AT_CHECK([ovn-sbctl --columns=_uuid find Logical_Flow
> logical_datapath="$dp" pipeline="$pipeline" table_id=$table match="1"
> priority">="0 | wc -l | tr -d "\n\r" ], [0], [1], [ignore],
> + [echo "Datapath $dp pipeline $pipeline table $table does not
> have a default action"])
> + done
> + done
> + done
> +}
> +
> +ovn_start
> +
> +# Create LS + LR
> +check ovn-nbctl --wait=sb \
> + -- lr-add R1 \
> + -- lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24 \
> + -- ls-add S1 \
> + -- lsp-add S1 S1-R1 \
> + -- lsp-set-type S1-R1 router \
> + -- lsp-set-addresses S1-R1 02:ac:10:01:00:01 \
> + -- lsp-set-options S1-R1 router-port=R1-S1 \
> + -- lsp-add S1 p1 \
> + -- lsp-set-addresses p1 "02:ac:10:01:00:0a 172.16.1.100"
> +
> +check_default_lflow
> +
> +# Add stateless ACL
> +check ovn-nbctl --wait=sb \
> + -- acl-add S1 from-lport 100 'inport=p1 && ip4'
> allow-stateless
> +
> +check_default_lflow
> +
> +check ovn-nbctl --wait=sb acl-del S1
> +
> +
> +# Add stateful ACL
> +check ovn-nbctl --wait=sb \
> + -- acl-add S1 from-lport 2 "udp" allow-related
> +
> +check_default_lflow
> +
> +check ovn-nbctl --wait=sb acl-del S1
> +
> +# Add LB
> +check ovn-nbctl --wait=sb \
> + -- lb-add lb "10.0.0.1" "10.0.0.2" \
> + -- ls-lb-add S1 lb
> +
> +check_default_lflow
> +
> +# Check LB + stateless ACL
> +check ovn-nbctl --wait=sb \
> + -- acl-add S1 from-lport 100 'inport=p1 && ip4'
> allow-stateless
> +check_default_lflow
> +
> +check ovn-nbctl --wait=sb acl-del S1
> +
> +# Check LB + statelful ACL
> +check ovn-nbctl --wait=sb \
> + -- acl-add S1 from-lport 2 "udp" allow-related
> +
> +check_default_lflow
> +
> +AT_CLEANUP
> +])
> diff --git a/tests/ovn.at b/tests/ovn.at
> index 95176f131..a4cb408c8 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -12704,7 +12704,7 @@ for i in 1 2; do
> done
> done
>
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/{print
> substr($8, 16, length($8))}' |sort -n], [0], [dnl
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/ &&
> !/actions=drop/{print substr($8, 16, length($8))}' |sort -n], [0], [dnl
> 10
> 11
> ])
> @@ -12713,7 +12713,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk
> '/table=65/{print substr($8, 1
> as hv1
> check ovs-vsctl del-port vif01
> check ovn-nbctl --wait=hv sync
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/{print
> substr($8, 16, length($8))}' |sort -n], [0], [dnl
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/ &&
> !/actions=drop/{print substr($8, 16, length($8))}' |sort -n], [0], [dnl
> 11
> ])
>
> @@ -12721,7 +12721,7 @@ as hv1
> check ovs-vsctl add-port br-int vif01 \
> -- set Interface vif01 external-ids:iface-id=lp01
> check ovn-nbctl --wait=hv sync
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/{print
> substr($8, 16, length($8))}' |sort -n], [0], [dnl
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/ &&
> !/actions=drop/{print substr($8, 16, length($8))}' |sort -n], [0], [dnl
> 2
> 11
> ])
> @@ -27829,7 +27829,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep
> "actions=controller" | grep
> ])
>
> # The packet should've been dropped in the lr_in_arp_resolve stage.
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=23,
> n_packets=1,.* priority=1,ip,metadata=0x${sw_key},nw_dst=10.0.1.1
> actions=drop" -c], [0], [dnl
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=23,
> n_packets=1,.* priority=2,ip,metadata=0x${sw_key},nw_dst=10.0.1.1
> actions=drop" -c], [0], [dnl
> 1
> ])
>
> @@ -28585,31 +28585,36 @@ check ovn-nbctl lb-add lb-ipv4-udp 88.88.88.88:4040
> 42.42.42.1:2021 udp
> check ovn-nbctl lb-add lb-ipv6-tcp [[8800::0088]]:8080 [[4200::1]]:4041 tcp
> check ovn-nbctl --wait=hv lb-add lb-ipv6-udp [[8800::0088]]:4040
> [[4200::1]]:2021 udp
>
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | grep -v NXST], [1],
> [dnl
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> ])
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=69 | grep -v NXST], [1],
> [dnl
> ])
>
> -AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | grep -v NXST], [1],
> [dnl
> +AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> ])
>
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | grep -v NXST], [1],
> [dnl
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 | grep -v NXST], [1],
> [dnl
> ])
>
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | grep -v NXST], [1],
> [dnl
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> ])
>
> check ovn-nbctl --wait=hv ls-lb-add sw0 lb-ipv4-tcp
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 1]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 2]
> )
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> ])
>
> @@ -28618,25 +28623,29 @@ NXST_FLOW reply (xid=0x8):
> ])
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> ])
>
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | grep -v NXST], [1],
> [dnl
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 | grep -v NXST], [1],
> [dnl
> ])
>
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | grep -v NXST], [1],
> [dnl
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> ])
>
> check ovn-nbctl lb-add lb-ipv4-tcp 88.88.88.90:8080
> 42.42.42.42:4041,52.52.52.52:4042 tcp
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 3]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 4]
> )
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28647,17 +28656,20 @@ NXST_FLOW reply (xid=0x8):
> ])
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> ])
>
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | grep -v NXST], [1],
> [dnl
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 | grep -v NXST], [1],
> [dnl
> ])
>
> -AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | grep -v NXST], [1],
> [dnl
> +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> ])
>
>
> @@ -28666,10 +28678,11 @@ check ovn-nbctl lsp-add sw0 sw0-p2
> OVS_WAIT_UNTIL([test x$(ovn-nbctl lsp-get-up sw0-p2) = xup])
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 3]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 4]
> )
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28679,6 +28692,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> ])
> @@ -28686,14 +28700,15 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int
> table=70 | ofctl_strip_all | grep -
> check ovn-nbctl --wait=hv ls-lb-add sw0 lb-ipv4-udp
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 4]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 5]
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 4]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 5]
> )
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28704,12 +28719,14 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int
> table=69 | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> table=70, priority=100,udp,reg1=0x58585858,reg2=0xfc8/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28720,6 +28737,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> table=70, priority=100,udp,reg1=0x58585858,reg2=0xfc8/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> @@ -28728,14 +28746,15 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int
> table=70 | ofctl_strip_all | grep -
> check ovn-nbctl --wait=hv ls-lb-add sw0 lb-ipv6-tcp
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 5]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 6]
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 5]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 6]
> )
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28747,6 +28766,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> table=70,
> priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> @@ -28754,6 +28774,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70
> | ofctl_strip_all | grep -
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28765,6 +28786,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> table=70,
> priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> @@ -28774,14 +28796,15 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int
> table=70 | ofctl_strip_all | grep -
> check ovn-nbctl --wait=hv ls-lb-add sw0 lb-ipv6-udp
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 6]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 7]
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 6]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 7]
> )
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28794,6 +28817,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> table=70,
> priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> @@ -28802,6 +28826,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70
> | ofctl_strip_all | grep -
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28814,6 +28839,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> table=70,
> priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> @@ -28826,14 +28852,15 @@ check ovn-nbctl --wait=hv ls-lb-add sw1 lb-ipv6-udp
> # Number of hairpin flows shouldn't change as it doesn't depend on how many
> # datapaths the LB is applied.
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 6]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 7]
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 6]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 7]
> )
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28846,6 +28873,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> table=70,
> priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> @@ -28854,6 +28882,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70
> | ofctl_strip_all | grep -
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28866,6 +28895,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
> table=70,
> priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> @@ -28887,6 +28917,7 @@ check ovn-sbctl \
> -- remove load_balancer lb-ipv6-udp options hairpin_orig_tuple
>
> OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=68 |
> ofctl_strip_all | grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_ipv6_dst=8800::88,ct_nw_proto=17,ct_tp_dst=4040,udp6,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=2021
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_ipv6_dst=8800::88,ct_nw_proto=6,ct_tp_dst=8080,tcp6,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_nw_dst=88.88.88.88,ct_nw_proto=17,ct_tp_dst=4040,udp,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=2021
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28899,6 +28930,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=70 |
> ofctl_strip_all | grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70,
> priority=100,ct_state=+trk+dnat,ct_ipv6_dst=8800::88,ct_nw_proto=17,ct_tp_dst=4040,udp6
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> table=70,
> priority=100,ct_state=+trk+dnat,ct_ipv6_dst=8800::88,ct_nw_proto=6,ct_tp_dst=8080,tcp6
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> table=70,
> priority=100,ct_state=+trk+dnat,ct_nw_dst=88.88.88.88,ct_nw_proto=17,ct_tp_dst=4040,udp
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> @@ -28907,6 +28939,7 @@ OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows
> br-int table=70 | ofctl_strip_a
> ])
>
> OVS_WAIT_FOR_OUTPUT([as hv2 ovs-ofctl dump-flows br-int table=68 |
> ofctl_strip_all | grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_ipv6_dst=8800::88,ct_nw_proto=17,ct_tp_dst=4040,udp6,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=2021
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_ipv6_dst=8800::88,ct_nw_proto=6,ct_tp_dst=8080,tcp6,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_nw_dst=88.88.88.88,ct_nw_proto=17,ct_tp_dst=4040,udp,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=2021
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28919,6 +28952,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
> | grep -v NXST], [1], [dnl
> ])
>
> OVS_WAIT_FOR_OUTPUT([as hv2 ovs-ofctl dump-flows br-int table=70 |
> ofctl_strip_all | grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70,
> priority=100,ct_state=+trk+dnat,ct_ipv6_dst=8800::88,ct_nw_proto=17,ct_tp_dst=4040,udp6
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> table=70,
> priority=100,ct_state=+trk+dnat,ct_ipv6_dst=8800::88,ct_nw_proto=6,ct_tp_dst=8080,tcp6
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> table=70,
> priority=100,ct_state=+trk+dnat,ct_nw_dst=88.88.88.88,ct_nw_proto=17,ct_tp_dst=4040,udp
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> @@ -28938,7 +28972,7 @@ OVS_WAIT_UNTIL([test x$(ovn-nbctl lsp-get-up sw0-p2)
> = xdown])
> as hv2 ovn-appctl -t ovn-controller recompute
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 0]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 1]
> )
>
> OVS_WAIT_UNTIL(
> @@ -28946,24 +28980,25 @@ OVS_WAIT_UNTIL(
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST)
> -eq 0]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST)
> -eq 1]
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 6]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 7]
> )
>
> check ovn-nbctl --wait=hv lb-del lb-ipv4-tcp
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 3]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 4]
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 0]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 1]
> )
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=68, priority=0 actions=drop
> table=68,
> priority=100,ct_mark=0x2/0x2,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=4041
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,udp,reg1=0x58585858,reg2=0xfc8/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=2021
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> table=68,
> priority=100,ct_mark=0x2/0x2,udp6,reg2=0xfc8/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=2021
>
> actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
> @@ -28974,6 +29009,7 @@ NXST_FLOW reply (xid=0x8):
> ])
>
> AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
> grep -v NXST], [0], [dnl
> + table=70, priority=0 actions=drop
> table=70,
> priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> table=70, priority=100,udp,reg1=0x58585858,reg2=0xfc8/0xffff
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
> table=70,
> priority=100,udp6,reg2=0xfc8/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
> actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
> @@ -28983,7 +29019,7 @@ check ovn-nbctl --wait=hv ls-del sw0
> check ovn-nbctl --wait=hv ls-del sw1
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 0]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 1]
> )
>
> OVS_WAIT_UNTIL(
> @@ -28991,11 +29027,11 @@ OVS_WAIT_UNTIL(
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv1 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST)
> -eq 0]
> + [test $(as hv1 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST)
> -eq 1]
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 0]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST)
> -eq 1]
> )
>
> OVS_WAIT_UNTIL(
> @@ -29003,7 +29039,7 @@ OVS_WAIT_UNTIL(
> )
>
> OVS_WAIT_UNTIL(
> - [test $(as hv2 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST)
> -eq 0]
> + [test $(as hv2 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST)
> -eq 1]
> )
>
> OVN_CLEANUP([hv1], [hv2])
> @@ -33000,3 +33036,159 @@ check ovn-nbctl --wait=hv sync
> OVN_CLEANUP([hv1])
> AT_CLEANUP
> ])
> +
> +OVN_FOR_EACH_NORTHD([
> +AT_SETUP([Check default openflow flows])
> +ovn_start
> +
> +# Check that every table has a default (i.e: priority=0) flow.
> +# Technically a default flow would have no match but we allow the datapath
> +# match (metadata=0xXX) to be present.
> +check_default_flows() {
> + ovs-ofctl dump-flows br-int > oflows
> + AT_CAPTURE_FILE([oflows])
> + for table in $(grep -oP "table=\K\d*, " oflows | sort -n | uniq); do
> + AT_CHECK([grep -qe "table=$table.* priority=0\(,metadata=0x\w*\)\?
> actions" oflows], [0], [ignore], [ignore], [echo "Table $table does not
> contain a default action"])
> + done
> +}
> +
> +# Logical network:
> +# Two LRs - R1 and R2 that are connected to each other as peers in
> 20.0.0.0/24
> +# network. R1 has a switchs ls1 (191.168.1.0/24) connected to it.
> +# R2 has ls2 (172.16.1.0/24) connected to it.
> +
> +ls1_lp1_mac="f0:00:00:01:02:03"
> +rp_ls1_mac="00:00:00:01:02:03"
> +rp_ls2_mac="00:00:00:01:02:04"
> +ls2_lp1_mac="f0:00:00:01:02:04"
> +
> +ls1_lp1_ip="192.168.1.2"
> +ls2_lp1_ip="172.16.1.2"
> +
> +ovn-nbctl lr-add R1
> +ovn-nbctl ls-add ls1
> +ovn-nbctl ls-add ls2
> +
> +# Connect ls1 to R1
> +ovn-nbctl lrp-add R1 ls1 $rp_ls1_mac 192.168.1.1/24
> +
> +ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 type=router \
> + options:router-port=ls1 addresses=\"$rp_ls1_mac\"
> +
> +# Connect ls2 to R1
> +ovn-nbctl lrp-add R1 ls2 $rp_ls2_mac 172.16.1.1/24
> +
> +ovn-nbctl lsp-add ls2 rp-ls2 -- set Logical_Switch_Port rp-ls2 type=router \
> + options:router-port=ls2 addresses=\"$rp_ls2_mac\"
> +
> +# Create logical port ls1-lp1 in ls1
> +ovn-nbctl lsp-add ls1 ls1-lp1 \
> +-- lsp-set-addresses ls1-lp1 "$ls1_lp1_mac $ls1_lp1_ip"
> +
> +# Create logical port ls2-lp1 in ls2
> +ovn-nbctl lsp-add ls2 ls2-lp1 \
> +-- lsp-set-addresses ls2-lp1 "$ls2_lp1_mac $ls2_lp1_ip"
> +
> +# Create two hypervisor and create OVS ports corresponding to logical ports.
> +net_add n1
> +
> +sim_add hv1
> +as hv1
> +ovs-vsctl add-br br-phys
> +ovn_attach n1 br-phys 192.168.0.1
> +ovs-vsctl -- add-port br-int hv1-vif1 -- \
> + set interface hv1-vif1 external-ids:iface-id=ls1-lp1 \
> + options:tx_pcap=hv1/vif1-tx.pcap \
> + options:rxq_pcap=hv1/vif1-rx.pcap \
> + ofport-request=1
> +
> +sim_add hv2
> +as hv2
> +ovs-vsctl add-br br-phys
> +ovn_attach n1 br-phys 192.168.0.2
> +ovs-vsctl -- add-port br-int hv2-vif1 -- \
> + set interface hv2-vif1 external-ids:iface-id=ls2-lp1 \
> + options:tx_pcap=hv2/vif1-tx.pcap \
> + options:rxq_pcap=hv2/vif1-rx.pcap \
> + ofport-request=1
> +
> +
> +# Allow some time for ovn-northd and ovn-controller to catch up.
> +wait_for_ports_up
> +check ovn-nbctl --wait=hv sync
> +
> +as hv1
> +check_default_flows
> +as hv2
> +check_default_flows
> +
> +# Add stateless ACL
> +check ovn-nbctl --wait=sb \
> + -- acl-add ls1 from-lport 100 'ip4' allow-stateless
> +check ovn-nbctl --wait=sb \
> + -- acl-add ls2 from-lport 100 'ip4' allow-stateless
> +
> +as hv1
> +check_default_flows
> +as hv2
> +check_default_flows
> +
> +check ovn-nbctl --wait=sb acl-del ls1
> +check ovn-nbctl --wait=sb acl-del ls2
> +
> +# Add stateful ACL
> +check ovn-nbctl --wait=sb \
> + -- acl-add ls1 from-lport 100 "udp" allow-related
> +check ovn-nbctl --wait=sb \
> + -- acl-add ls2 from-lport 100 "udp" allow-related
> +
> +as hv1
> +check_default_flows
> +as hv2
> +check_default_flows
> +
> +check ovn-nbctl --wait=sb acl-del ls1
> +check ovn-nbctl --wait=sb acl-del ls2
> +
> +# Add LB
> +check ovn-nbctl --wait=sb \
> + -- lb-add lb1 "10.0.0.1" "10.0.0.2" \
> + -- ls-lb-add ls1 lb1
> +
> +check ovn-nbctl --wait=sb \
> + -- lb-add lb2 "10.0.1.1" "10.0.1.2" \
> + -- ls-lb-add ls2 lb2
> +
> +as hv1
> +check_default_flows
> +as hv2
> +check_default_flows
> +
> +# LB + stateless ACL
> +check ovn-nbctl --wait=sb \
> + -- acl-add ls1 from-lport 100 'ip4' allow-stateless
> +check ovn-nbctl --wait=sb \
> + -- acl-add ls2 from-lport 100 'ip4' allow-stateless
> +
> +as hv1
> +check_default_flows
> +as hv2
> +check_default_flows
> +
> +check ovn-nbctl --wait=sb acl-del ls1
> +check ovn-nbctl --wait=sb acl-del ls2
> +
> +# LB + stateful ACL
> +check ovn-nbctl --wait=sb \
> + -- acl-add ls1 from-lport 100 "udp" allow-related
> +check ovn-nbctl --wait=sb \
> + -- acl-add ls2 from-lport 100 "udp" allow-related
> +
> +as hv1
> +check_default_flows
> +as hv2
> +check_default_flows
> +
> +OVN_CLEANUP([hv1],[hv2])
> +AT_CLEANUP
> +])
> --
> 2.37.3
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
