---
controller/physical.c | 45 ++++++++
northd/northd.c | 34 +++++-
tests/ovn-northd.at | 84 ++++++++++++++
tests/ovn.at | 256 ++++++++++++++++++++++++++++++++++++------
4 files changed, 383 insertions(+), 36 deletions(-)
diff --git a/controller/physical.c b/controller/physical.c
index 705146316..415d16b76 100644
--- a/controller/physical.c
+++ b/controller/physical.c
@@ -833,6 +833,17 @@ put_zones_ofpacts(const struct zone_ids *zone_ids, struct
ofpbuf *ofpacts_p)
}
}
+static void
+add_default_drop_flow(uint8_t table_id,
+ struct ovn_desired_flow_table *flow_table)
+{
+ struct match match = MATCH_CATCHALL_INITIALIZER;
+ struct ofpbuf ofpacts;
+ ofpbuf_init(&ofpacts, 0);
+ ofctrl_add_flow(flow_table, table_id, 0, 0, &match,
+ &ofpacts, hc_uuid);
+}
+
static void
put_local_common_flows(uint32_t dp_key,
const struct sbrec_port_binding *pb,
@@ -2114,6 +2125,13 @@ physical_run(struct physical_ctx *p_ctx,
}
}
+ /* Table 0, priority 0.
+ * ======================
+ *
+ * Drop packets tha do not match any tunnel in_port.
+ */
+ add_default_drop_flow(OFTABLE_PHY_TO_LOG, flow_table);
+
/* Table 37, priority 150.
* =======================
*
@@ -2159,6 +2177,13 @@ physical_run(struct physical_ctx *p_ctx,
ofctrl_add_flow(flow_table, OFTABLE_REMOTE_OUTPUT, 0, 0, &match,
&ofpacts, hc_uuid);
+ /* Table 38, priority 0.
+ * ======================
+ *
+ * Drop packets that do not match previous flows.
+ */
+ add_default_drop_flow(OFTABLE_LOCAL_OUTPUT, flow_table);
+
/* Table 39, Priority 0.
* =======================
*
@@ -2185,5 +2210,25 @@ physical_run(struct physical_ctx *p_ctx,
ofctrl_add_flow(flow_table, OFTABLE_SAVE_INPORT, 0, 0, &match,
&ofpacts, hc_uuid);
+ /* Table 65, priority 0.
+ * ======================
+ *
+ * Drop packets that do not match previous flows.
+ */
+ add_default_drop_flow(OFTABLE_LOG_TO_PHY, flow_table);
+
+ /* Table 68, priority 0.
+ * ======================
+ *
+ * Drop packets that do not match previous flows.
+ */
+ add_default_drop_flow(OFTABLE_CHK_LB_HAIRPIN, flow_table);
+
+ /* Table 70, priority 0.
+ * ======================
+ *
+ * Drop packets that do not match previous flows.
+ */
+ add_default_drop_flow(OFTABLE_CT_SNAT_HAIRPIN, flow_table);
ofpbuf_uninit(&ofpacts);
}
diff --git a/northd/northd.c b/northd/northd.c
index 6771ccce5..ce4f0af56 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -5164,6 +5164,16 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct
ovn_datapath *od,
io_port, ctrl_meter, stage_hint, where, hash);
}
+static void
+__ovn_lflow_add_default_drop(struct hmap *lflow_map,
+ struct ovn_datapath *od,
+ enum ovn_stage stage,
+ const char *where)
+{
+ ovn_lflow_add_at(lflow_map, od, stage, 0, "1", "drop;",
+ NULL, NULL, NULL, where );
+}
+
/* Adds a row with the specified contents to the Logical_Flow table. */
#define ovn_lflow_add_with_hint__(LFLOW_MAP, OD, STAGE, PRIORITY, MATCH, \
ACTIONS, IN_OUT_PORT, CTRL_METER, \
@@ -5176,6 +5186,10 @@ ovn_lflow_add_at(struct hmap *lflow_map, struct
ovn_datapath *od,
ovn_lflow_add_at(LFLOW_MAP, OD, STAGE, PRIORITY, MATCH, ACTIONS, \
NULL, NULL, STAGE_HINT, OVS_SOURCE_LOCATOR)
+#define ovn_lflow_add_default_drop(LFLOW_MAP, OD, STAGE) \
+ __ovn_lflow_add_default_drop(LFLOW_MAP, OD, STAGE, OVS_SOURCE_LOCATOR)
+
+
/* This macro is similar to ovn_lflow_add_with_hint, except that it requires
* the IN_OUT_PORT argument, which tells the lport name that appears in the
* MATCH, which helps ovn-controller to bypass lflows parsing when the lport
is
@@ -10983,6 +10997,9 @@ build_adm_ctrl_flows_for_lrouter(
* Broadcast/multicast source address is invalid. */
ovn_lflow_add(lflows, od, S_ROUTER_IN_ADMISSION, 100,
"vlan.present || eth.src[40]", "drop;");
+
+ /* Default action for L2 security is to drop. */
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_ADMISSION);
}
}
@@ -11224,6 +11241,8 @@ build_neigh_learning_flows_for_lrouter(
"nd_ns", "put_nd(inport, ip6.src, nd.sll); next;",
copp_meter_get(COPP_ND_NS, od->nbr->copp,
meter_groups));
+
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_LEARN_NEIGHBOR);
}
}
@@ -11500,6 +11519,8 @@ build_static_route_flows_for_lrouter(
const struct hmap *bfd_connections)
{
if (od->nbr) {
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_IP_ROUTING_ECMP);
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_IP_ROUTING);
ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING_ECMP, 150,
REG_ECMP_GROUP_ID" == 0", "next;");
@@ -11671,6 +11692,7 @@ build_ingress_policy_flows_for_lrouter(
REG_ECMP_GROUP_ID" = 0; next;");
ovn_lflow_add(lflows, od, S_ROUTER_IN_POLICY_ECMP, 150,
REG_ECMP_GROUP_ID" == 0", "next;");
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_POLICY_ECMP);
/* Convert routing policies to flows. */
uint16_t ecmp_group_id = 1;
@@ -11703,11 +11725,13 @@ build_arp_resolve_flows_for_lrouter(
ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 500,
"ip4.mcast || ip6.mcast", "next;");
- ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip4",
+ ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 1, "ip4",
"get_arp(outport, " REG_NEXT_HOP_IPV4 "); next;");
- ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip6",
+ ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 1, "ip6",
"get_nd(outport, " REG_NEXT_HOP_IPV6 "); next;");
+
+ ovn_lflow_add_default_drop(lflows, od, S_ROUTER_IN_ARP_RESOLVE);
}
}
@@ -11833,9 +11857,9 @@ build_arp_resolve_flows_for_lrouter_port(
* in stage "lr_in_ip_input" but traffic that could have been unSNATed
* but didn't match any existing session might still end up here.
*
- * Priority 1.
+ * Priority 2.
*/
- build_lrouter_drop_own_dest(op, S_ROUTER_IN_ARP_RESOLVE, 1, true,
+ build_lrouter_drop_own_dest(op, S_ROUTER_IN_ARP_RESOLVE, 2, true,
lflows);
} else if (op->od->n_router_ports && !lsp_is_router(op->nbsp)
&& strcmp(op->nbsp->type, "virtual")) {
@@ -12437,6 +12461,8 @@ build_egress_delivery_flows_for_lrouter_port(
ds_put_format(match, "outport == %s", op->json_key);
ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_DELIVERY, 100,
ds_cstr(match), "output;");
+
+ ovn_lflow_add_default_drop(lflows, op->od, S_ROUTER_OUT_DELIVERY);
}
}
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index bd6dad910..4ca6e0fc8 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -2848,6 +2848,7 @@ AT_CAPTURE_FILE([lr0flows3])
AT_CHECK([grep "lr_in_policy" lr0flows3 | sed 's/table=../table=??/' | sort],
[0], [dnl
table=??(lr_in_policy ), priority=0 , match=(1),
action=(reg8[[0..15]] = 0; next;)
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3),
action=(reg8[[0..15]] = 1; reg8[[16..31]] = select(1, 2);)
+ table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == 1 &&
reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src =
00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == 1 &&
reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src =
00:00:20:20:12:13; outport = "lr0-public"; flags.loopback = 1; next;)
table=??(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] == 0),
action=(next;)
@@ -2863,6 +2864,7 @@ sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] ==
<cleared>/' | sed 's/table
table=??(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] =
<cleared>; next;)
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3),
action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2);)
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4),
action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
+ table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
@@ -2882,6 +2884,7 @@ sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] ==
<cleared>/' | sed 's/table
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.3),
action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2);)
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4),
action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 =
172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport =
"lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
+ table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
@@ -2900,6 +2903,7 @@ sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] ==
<cleared>/' | sed 's/table
table=??(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] =
<cleared>; next;)
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.4),
action=(reg8[[0..15]] = <cleared>; reg8[[16..31]] = select(1, 2, 3);)
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 =
172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport =
"lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
+ table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 1), action=(reg0 = 172.168.0.101; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 2), action=(reg0 = 172.168.0.102; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
table=??(lr_in_policy_ecmp ), priority=100 , match=(reg8[[0..15]] == <cleared> &&
reg8[[16..31]] == 3), action=(reg0 = 172.168.0.103; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13;
outport = "lr0-public"; flags.loopback = 1; next;)
@@ -2915,6 +2919,7 @@ sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] =
<cleared>/' | \
sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sed
's/table=../table=??/' | sort], [0], [dnl
table=??(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] =
<cleared>; next;)
table=??(lr_in_policy ), priority=10 , match=(ip4.src == 10.0.0.5), action=(reg0 =
172.168.0.110; reg1 = 172.168.0.100; eth.src = 00:00:20:20:12:13; outport =
"lr0-public"; flags.loopback = 1; reg8[[0..15]] = <cleared>; next;)
+ table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
table=??(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] ==
<cleared>), action=(next;)
])
@@ -2926,6 +2931,7 @@ AT_CHECK([grep "lr_in_policy" lr0flows3 | \
sed 's/reg8\[[0..15\]] = [[0-9]]*/reg8\[[0..15\]] = <cleared>/' | \
sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sed
's/table=../table=??/' | sort], [0], [dnl
table=??(lr_in_policy ), priority=0 , match=(1), action=(reg8[[0..15]] =
<cleared>; next;)
+ table=??(lr_in_policy_ecmp ), priority=0 , match=(1), action=(drop;)
table=??(lr_in_policy_ecmp ), priority=150 , match=(reg8[[0..15]] ==
<cleared>), action=(next;)
])
@@ -5750,6 +5756,7 @@ ovn-sbctl dump-flows lr0 > lr0flows
AT_CHECK([grep -e "lr_in_ip_routing.*select" lr0flows |sort], [0], [dnl
])
AT_CHECK([grep -e "lr_in_ip_routing_ecmp" lr0flows | sed
's/table=../table=??/' |sort], [0], [dnl
+ table=??(lr_in_ip_routing_ecmp), priority=0 , match=(1), action=(drop;)
table=??(lr_in_ip_routing_ecmp), priority=150 , match=(reg8[[0..15]] ==
0), action=(next;)
])
@@ -5760,6 +5767,7 @@ AT_CHECK([grep -e "lr_in_ip_routing.*select" lr0flows |
sed 's/table=../table=??
table=??(lr_in_ip_routing ), priority=97 , match=(reg7 == 0 && ip4.dst
== 1.0.0.1/32), action=(ip.ttl--; flags.loopback = 1; reg8[[0..15]] = 1; reg8[[16..31]]
= select(1, 2);)
])
AT_CHECK([grep -e "lr_in_ip_routing_ecmp" lr0flows | sed
's/192\.168\.0\..0/192.168.0.??/' | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_in_ip_routing_ecmp), priority=0 , match=(1), action=(drop;)
table=??(lr_in_ip_routing_ecmp), priority=100 , match=(reg8[[0..15]] == 1 &&
reg8[[16..31]] == 1), action=(reg0 = 192.168.0.??; reg1 = 192.168.0.1; eth.src =
00:00:20:20:12:13; outport = "lr0-public"; next;)
table=??(lr_in_ip_routing_ecmp), priority=100 , match=(reg8[[0..15]] == 1 &&
reg8[[16..31]] == 2), action=(reg0 = 192.168.0.??; reg1 = 192.168.0.1; eth.src =
00:00:20:20:12:13; outport = "lr0-public"; next;)
table=??(lr_in_ip_routing_ecmp), priority=150 , match=(reg8[[0..15]] ==
0), action=(next;)
@@ -5803,6 +5811,7 @@ AT_CHECK([grep -e "lr_in_ip_routing.*select" lr0flows |
sed 's/table=../table=??
table=??(lr_in_ip_routing ), priority=97 , match=(reg7 == 0 && ip4.dst
== 1.0.0.1/32), action=(ip.ttl--; flags.loopback = 1; reg8[[0..15]] = 1; reg8[[16..31]]
= select(1, 2);)
])
AT_CHECK([grep -e "lr_in_ip_routing_ecmp" lr0flows | sed
's/192\.168\.0\..0/192.168.0.??/' | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_in_ip_routing_ecmp), priority=0 , match=(1), action=(drop;)
table=??(lr_in_ip_routing_ecmp), priority=100 , match=(reg8[[0..15]] == 1 &&
reg8[[16..31]] == 1), action=(reg0 = 192.168.0.??; reg1 = 192.168.0.1; eth.src =
00:00:20:20:12:13; outport = "lr0-public"; next;)
table=??(lr_in_ip_routing_ecmp), priority=100 , match=(reg8[[0..15]] == 1 &&
reg8[[16..31]] == 2), action=(reg0 = 192.168.0.??; reg1 = 192.168.0.1; eth.src =
00:00:20:20:12:13; outport = "lr0-public"; next;)
table=??(lr_in_ip_routing_ecmp), priority=150 , match=(reg8[[0..15]] ==
0), action=(next;)
@@ -6881,6 +6890,7 @@ AT_CHECK([cat lrflows | grep -e lr_in_lookup_neighbor -e
lr_in_learn_neighbor |
table=1 (lr_in_lookup_neighbor), priority=100 , match=(arp.op == 2),
action=(reg9[[2]] = lookup_arp(inport, arp.spa, arp.sha); next;)
table=1 (lr_in_lookup_neighbor), priority=100 , match=(nd_na),
action=(reg9[[2]] = lookup_nd(inport, nd.target, nd.tll); next;)
table=1 (lr_in_lookup_neighbor), priority=100 , match=(nd_ns),
action=(reg9[[2]] = lookup_nd(inport, ip6.src, nd.sll); next;)
+ table=2 (lr_in_learn_neighbor), priority=0 , match=(1), action=(drop;)
table=2 (lr_in_learn_neighbor), priority=100 , match=(reg9[[2]] == 1),
action=(next;)
table=2 (lr_in_learn_neighbor), priority=90 , match=(arp),
action=(put_arp(inport, arp.spa, arp.sha); next;)
table=2 (lr_in_learn_neighbor), priority=90 , match=(nd_na),
action=(put_nd(inport, nd.target, nd.tll); next;)
@@ -7903,3 +7913,77 @@ AT_CHECK([grep "lr_in_arp_resolve" R1flows | grep
priority=90 | sort], [0], [dnl
AT_CLEANUP
])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([Check default drop])
+AT_KEYWORDS([drop])
+
+# Check that there is an explicit drop lflow in all tables.
+check_default_lflow() {
+ dps=$(ovn-sbctl --bare --columns=_uuid list Datapath_Binding | xargs)
+ for dp in $dps; do
+ for pipeline in ingress egress; do
+ for table in $(ovn-sbctl --bare --columns=table_id find Logical_Flow
logical_datapath="$dp" pipeline="$pipeline" | xargs | sort | uniq); do
+ echo "Checking if datapath $dp pipeline $pipeline table $table has a
default action"
+ AT_CHECK([ovn-sbctl --columns=_uuid find Logical_Flow logical_datapath="$dp"
pipeline="$pipeline" table_id=$table match="1" priority">="0 | wc -l | tr -d "\n\r" ],
[0], [1], [ignore],
+ [echo "Datapath $dp pipeline $pipeline table $table does not have a
default action"])
+ done
+ done
+ done
+}
+
+ovn_start
+
+# Create LS + LR
+check ovn-nbctl --wait=sb \
+ -- lr-add R1 \
+ -- lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24 \
+ -- ls-add S1 \
+ -- lsp-add S1 S1-R1 \
+ -- lsp-set-type S1-R1 router \
+ -- lsp-set-addresses S1-R1 02:ac:10:01:00:01 \
+ -- lsp-set-options S1-R1 router-port=R1-S1 \
+ -- lsp-add S1 p1 \
+ -- lsp-set-addresses p1 "02:ac:10:01:00:0a 172.16.1.100"
+
+check_default_lflow
+
+# Add stateless ACL
+check ovn-nbctl --wait=sb \
+ -- acl-add S1 from-lport 100 'inport=p1 && ip4' allow-stateless
+
+check_default_lflow
+
+check ovn-nbctl --wait=sb acl-del S1
+
+
+# Add stateful ACL
+check ovn-nbctl --wait=sb \
+ -- acl-add S1 from-lport 2 "udp" allow-related
+
+check_default_lflow
+
+check ovn-nbctl --wait=sb acl-del S1
+
+# Add LB
+check ovn-nbctl --wait=sb \
+ -- lb-add lb "10.0.0.1" "10.0.0.2" \
+ -- ls-lb-add S1 lb
+
+check_default_lflow
+
+# Check LB + stateless ACL
+check ovn-nbctl --wait=sb \
+ -- acl-add S1 from-lport 100 'inport=p1 && ip4' allow-stateless
+check_default_lflow
+
+check ovn-nbctl --wait=sb acl-del S1
+
+# Check LB + statelful ACL
+check ovn-nbctl --wait=sb \
+ -- acl-add S1 from-lport 2 "udp" allow-related
+
+check_default_lflow
+
+AT_CLEANUP
+])
diff --git a/tests/ovn.at b/tests/ovn.at
index 95176f131..a4cb408c8 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -12704,7 +12704,7 @@ for i in 1 2; do
done
done
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/{print substr($8,
16, length($8))}' |sort -n], [0], [dnl
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/ &&
!/actions=drop/{print substr($8, 16, length($8))}' |sort -n], [0], [dnl
10
11
])
@@ -12713,7 +12713,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk
'/table=65/{print substr($8, 1
as hv1
check ovs-vsctl del-port vif01
check ovn-nbctl --wait=hv sync
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/{print substr($8,
16, length($8))}' |sort -n], [0], [dnl
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/ &&
!/actions=drop/{print substr($8, 16, length($8))}' |sort -n], [0], [dnl
11
])
@@ -12721,7 +12721,7 @@ as hv1
check ovs-vsctl add-port br-int vif01 \
-- set Interface vif01 external-ids:iface-id=lp01
check ovn-nbctl --wait=hv sync
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/{print substr($8,
16, length($8))}' |sort -n], [0], [dnl
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int |awk '/table=65/ &&
!/actions=drop/{print substr($8, 16, length($8))}' |sort -n], [0], [dnl
2
11
])
@@ -27829,7 +27829,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep
"actions=controller" | grep
])
# The packet should've been dropped in the lr_in_arp_resolve stage.
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=23, n_packets=1,.*
priority=1,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | grep -E "table=23, n_packets=1,.*
priority=2,ip,metadata=0x${sw_key},nw_dst=10.0.1.1 actions=drop" -c], [0], [dnl
1
])
@@ -28585,31 +28585,36 @@ check ovn-nbctl lb-add lb-ipv4-udp 88.88.88.88:4040
42.42.42.1:2021 udp
check ovn-nbctl lb-add lb-ipv6-tcp [[8800::0088]]:8080 [[4200::1]]:4041 tcp
check ovn-nbctl --wait=hv lb-add lb-ipv6-udp [[8800::0088]]:4040
[[4200::1]]:2021 udp
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | grep -v NXST], [1],
[dnl
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all | grep
-v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
])
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=69 | grep -v NXST], [1],
[dnl
])
-AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | grep -v NXST], [1],
[dnl
+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all | grep
-v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | grep -v NXST], [1],
[dnl
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all | grep
-v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 | grep -v NXST], [1],
[dnl
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | grep -v NXST], [1],
[dnl
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all | grep
-v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
])
check ovn-nbctl --wait=hv ls-lb-add sw0 lb-ipv4-tcp
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
1]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
2]
)
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
])
@@ -28618,25 +28623,29 @@ NXST_FLOW reply (xid=0x8):
])
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | grep -v NXST], [1],
[dnl
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all | grep
-v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 | grep -v NXST], [1],
[dnl
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | grep -v NXST], [1],
[dnl
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all | grep
-v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
])
check ovn-nbctl lb-add lb-ipv4-tcp 88.88.88.90:8080
42.42.42.42:4041,52.52.52.52:4042 tcp
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
3]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
4]
)
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28647,17 +28656,20 @@ NXST_FLOW reply (xid=0x8):
])
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | grep -v NXST], [1],
[dnl
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all | grep
-v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 | grep -v NXST], [1],
[dnl
])
-AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | grep -v NXST], [1],
[dnl
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all | grep
-v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
])
@@ -28666,10 +28678,11 @@ check ovn-nbctl lsp-add sw0 sw0-p2
OVS_WAIT_UNTIL([test x$(ovn-nbctl lsp-get-up sw0-p2) = xup])
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
3]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
4]
)
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28679,6 +28692,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
])
@@ -28686,14 +28700,15 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70
| ofctl_strip_all | grep -
check ovn-nbctl --wait=hv ls-lb-add sw0 lb-ipv4-udp
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
4]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
5]
)
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
4]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
5]
)
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28704,12 +28719,14 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69
| grep -v NXST], [1], [dnl
])
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
table=70, priority=100,udp,reg1=0x58585858,reg2=0xfc8/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28720,6 +28737,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
table=70, priority=100,udp,reg1=0x58585858,reg2=0xfc8/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
@@ -28728,14 +28746,15 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70
| ofctl_strip_all | grep -
check ovn-nbctl --wait=hv ls-lb-add sw0 lb-ipv6-tcp
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
5]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
6]
)
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
5]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
6]
)
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28747,6 +28766,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
table=70,
priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
@@ -28754,6 +28774,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 |
ofctl_strip_all | grep -
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28765,6 +28786,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
table=70,
priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
@@ -28774,14 +28796,15 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70
| ofctl_strip_all | grep -
check ovn-nbctl --wait=hv ls-lb-add sw0 lb-ipv6-udp
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
6]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
7]
)
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
6]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
7]
)
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28794,6 +28817,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
table=70,
priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
@@ -28802,6 +28826,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 |
ofctl_strip_all | grep -
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28814,6 +28839,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
table=70,
priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
@@ -28826,14 +28852,15 @@ check ovn-nbctl --wait=hv ls-lb-add sw1 lb-ipv6-udp
# Number of hairpin flows shouldn't change as it doesn't depend on how many
# datapaths the LB is applied.
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
6]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
7]
)
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
6]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
7]
)
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28846,6 +28873,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
table=70,
priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
@@ -28854,6 +28882,7 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 |
ofctl_strip_all | grep -
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x58585858,reg2=0x1f90/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=42.42.42.42,nw_dst=42.42.42.42,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff,nw_src=52.52.52.52,nw_dst=52.52.52.52,tp_dst=4042
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.90,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28866,6 +28895,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70, priority=100,tcp,reg1=0x58585858,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70, priority=100,tcp,reg1=0x5858585a,reg2=0x1f90/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.90))
table=70,
priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
@@ -28887,6 +28917,7 @@ check ovn-sbctl \
-- remove load_balancer lb-ipv6-udp options hairpin_orig_tuple
OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=68 |
ofctl_strip_all | grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_ipv6_dst=8800::88,ct_nw_proto=17,ct_tp_dst=4040,udp6,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=2021
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_ipv6_dst=8800::88,ct_nw_proto=6,ct_tp_dst=8080,tcp6,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_nw_dst=88.88.88.88,ct_nw_proto=17,ct_tp_dst=4040,udp,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=2021
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28899,6 +28930,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=70 |
ofctl_strip_all | grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70,
priority=100,ct_state=+trk+dnat,ct_ipv6_dst=8800::88,ct_nw_proto=17,ct_tp_dst=4040,udp6
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
table=70,
priority=100,ct_state=+trk+dnat,ct_ipv6_dst=8800::88,ct_nw_proto=6,ct_tp_dst=8080,tcp6
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
table=70,
priority=100,ct_state=+trk+dnat,ct_nw_dst=88.88.88.88,ct_nw_proto=17,ct_tp_dst=4040,udp
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
@@ -28907,6 +28939,7 @@ OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int
table=70 | ofctl_strip_a
])
OVS_WAIT_FOR_OUTPUT([as hv2 ovs-ofctl dump-flows br-int table=68 |
ofctl_strip_all | grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_ipv6_dst=8800::88,ct_nw_proto=17,ct_tp_dst=4040,udp6,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=2021
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_ipv6_dst=8800::88,ct_nw_proto=6,ct_tp_dst=8080,tcp6,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_state=+trk+dnat,ct_mark=0x2/0x2,ct_nw_dst=88.88.88.88,ct_nw_proto=17,ct_tp_dst=4040,udp,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=2021
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28919,6 +28952,7 @@ AT_CHECK([as hv2 ovs-ofctl dump-flows br-int table=69 |
grep -v NXST], [1], [dnl
])
OVS_WAIT_FOR_OUTPUT([as hv2 ovs-ofctl dump-flows br-int table=70 |
ofctl_strip_all | grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70,
priority=100,ct_state=+trk+dnat,ct_ipv6_dst=8800::88,ct_nw_proto=17,ct_tp_dst=4040,udp6
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
table=70,
priority=100,ct_state=+trk+dnat,ct_ipv6_dst=8800::88,ct_nw_proto=6,ct_tp_dst=8080,tcp6
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
table=70,
priority=100,ct_state=+trk+dnat,ct_nw_dst=88.88.88.88,ct_nw_proto=17,ct_tp_dst=4040,udp
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
@@ -28938,7 +28972,7 @@ OVS_WAIT_UNTIL([test x$(ovn-nbctl lsp-get-up sw0-p2) =
xdown])
as hv2 ovn-appctl -t ovn-controller recompute
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
0]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
1]
)
OVS_WAIT_UNTIL(
@@ -28946,24 +28980,25 @@ OVS_WAIT_UNTIL(
)
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST) -eq
0]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST) -eq
1]
)
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
6]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
7]
)
check ovn-nbctl --wait=hv lb-del lb-ipv4-tcp
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
3]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
4]
)
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
0]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
1]
)
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=68 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=68, priority=0 actions=drop
table=68,
priority=100,ct_mark=0x2/0x2,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=4041
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=6,NXM_OF_TCP_SRC[[]]=NXM_OF_TCP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,udp,reg1=0x58585858,reg2=0xfc8/0xffff,nw_src=42.42.42.1,nw_dst=42.42.42.1,tp_dst=2021
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x800,NXM_OF_IP_SRC[[]],ip_dst=88.88.88.88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
table=68,
priority=100,ct_mark=0x2/0x2,udp6,reg2=0xfc8/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88,ipv6_src=4200::1,ipv6_dst=4200::1,tp_dst=2021
actions=load:0x1->NXM_NX_REG10[[7]],learn(table=69,delete_learned,OXM_OF_METADATA[[]],eth_type=0x86dd,NXM_NX_IPV6_SRC[[]],ipv6_dst=8800::88,nw_proto=17,NXM_OF_UDP_SRC[[]]=NXM_OF_UDP_DST[[]],load:0x1->NXM_NX_REG10[[7]])
@@ -28974,6 +29009,7 @@ NXST_FLOW reply (xid=0x8):
])
AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=70 | ofctl_strip_all |
grep -v NXST], [0], [dnl
+ table=70, priority=0 actions=drop
table=70,
priority=100,tcp6,reg2=0x1f90/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
table=70, priority=100,udp,reg1=0x58585858,reg2=0xfc8/0xffff
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=88.88.88.88))
table=70,
priority=100,udp6,reg2=0xfc8/0xffff,reg4=0x88000000,reg5=0,reg6=0,reg7=0x88
actions=ct(commit,zone=NXM_NX_REG12[[0..15]],nat(src=8800::88))
@@ -28983,7 +29019,7 @@ check ovn-nbctl --wait=hv ls-del sw0
check ovn-nbctl --wait=hv ls-del sw1
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
0]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
1]
)
OVS_WAIT_UNTIL(
@@ -28991,11 +29027,11 @@ OVS_WAIT_UNTIL(
)
OVS_WAIT_UNTIL(
- [test $(as hv1 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST) -eq
0]
+ [test $(as hv1 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST) -eq
1]
)
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
0]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=68 | grep -c -v NXST) -eq
1]
)
OVS_WAIT_UNTIL(
@@ -29003,7 +29039,7 @@ OVS_WAIT_UNTIL(
)
OVS_WAIT_UNTIL(
- [test $(as hv2 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST) -eq
0]
+ [test $(as hv2 ovs-ofctl dump-flows br-int table=70 | grep -c -v NXST) -eq
1]
)
OVN_CLEANUP([hv1], [hv2])
@@ -33000,3 +33036,159 @@ check ovn-nbctl --wait=hv sync
OVN_CLEANUP([hv1])
AT_CLEANUP
])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([Check default openflow flows])
+ovn_start
+
+# Check that every table has a default (i.e: priority=0) flow.
+# Technically a default flow would have no match but we allow the datapath
+# match (metadata=0xXX) to be present.
+check_default_flows() {
+ ovs-ofctl dump-flows br-int > oflows
+ AT_CAPTURE_FILE([oflows])
+ for table in $(grep -oP "table=\K\d*, " oflows | sort -n | uniq); do
+ AT_CHECK([grep -qe "table=$table.* priority=0\(,metadata=0x\w*\)\? actions"
oflows], [0], [ignore], [ignore], [echo "Table $table does not contain a default action"])
+ done
+}
+
+# Logical network:
+# Two LRs - R1 and R2 that are connected to each other as peers in 20.0.0.0/24
+# network. R1 has a switchs ls1 (191.168.1.0/24) connected to it.
+# R2 has ls2 (172.16.1.0/24) connected to it.
+
+ls1_lp1_mac="f0:00:00:01:02:03"
+rp_ls1_mac="00:00:00:01:02:03"
+rp_ls2_mac="00:00:00:01:02:04"
+ls2_lp1_mac="f0:00:00:01:02:04"
+
+ls1_lp1_ip="192.168.1.2"
+ls2_lp1_ip="172.16.1.2"
+
+ovn-nbctl lr-add R1
+ovn-nbctl ls-add ls1
+ovn-nbctl ls-add ls2
+
+# Connect ls1 to R1
+ovn-nbctl lrp-add R1 ls1 $rp_ls1_mac 192.168.1.1/24
+
+ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 type=router \
+ options:router-port=ls1 addresses=\"$rp_ls1_mac\"
+
+# Connect ls2 to R1
+ovn-nbctl lrp-add R1 ls2 $rp_ls2_mac 172.16.1.1/24
+
+ovn-nbctl lsp-add ls2 rp-ls2 -- set Logical_Switch_Port rp-ls2 type=router \
+ options:router-port=ls2 addresses=\"$rp_ls2_mac\"
+
+# Create logical port ls1-lp1 in ls1
+ovn-nbctl lsp-add ls1 ls1-lp1 \
+-- lsp-set-addresses ls1-lp1 "$ls1_lp1_mac $ls1_lp1_ip"
+
+# Create logical port ls2-lp1 in ls2
+ovn-nbctl lsp-add ls2 ls2-lp1 \
+-- lsp-set-addresses ls2-lp1 "$ls2_lp1_mac $ls2_lp1_ip"
+
+# Create two hypervisor and create OVS ports corresponding to logical ports.
+net_add n1
+
+sim_add hv1
+as hv1
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.1
+ovs-vsctl -- add-port br-int hv1-vif1 -- \
+ set interface hv1-vif1 external-ids:iface-id=ls1-lp1 \
+ options:tx_pcap=hv1/vif1-tx.pcap \
+ options:rxq_pcap=hv1/vif1-rx.pcap \
+ ofport-request=1
+
+sim_add hv2
+as hv2
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.2
+ovs-vsctl -- add-port br-int hv2-vif1 -- \
+ set interface hv2-vif1 external-ids:iface-id=ls2-lp1 \
+ options:tx_pcap=hv2/vif1-tx.pcap \
+ options:rxq_pcap=hv2/vif1-rx.pcap \
+ ofport-request=1
+
+
+# Allow some time for ovn-northd and ovn-controller to catch up.
+wait_for_ports_up
+check ovn-nbctl --wait=hv sync
+
+as hv1
+check_default_flows
+as hv2
+check_default_flows
+
+# Add stateless ACL
+check ovn-nbctl --wait=sb \
+ -- acl-add ls1 from-lport 100 'ip4' allow-stateless
+check ovn-nbctl --wait=sb \
+ -- acl-add ls2 from-lport 100 'ip4' allow-stateless
+
+as hv1
+check_default_flows
+as hv2
+check_default_flows
+
+check ovn-nbctl --wait=sb acl-del ls1
+check ovn-nbctl --wait=sb acl-del ls2
+
+# Add stateful ACL
+check ovn-nbctl --wait=sb \
+ -- acl-add ls1 from-lport 100 "udp" allow-related
+check ovn-nbctl --wait=sb \
+ -- acl-add ls2 from-lport 100 "udp" allow-related
+
+as hv1
+check_default_flows
+as hv2
+check_default_flows
+
+check ovn-nbctl --wait=sb acl-del ls1
+check ovn-nbctl --wait=sb acl-del ls2
+
+# Add LB
+check ovn-nbctl --wait=sb \
+ -- lb-add lb1 "10.0.0.1" "10.0.0.2" \
+ -- ls-lb-add ls1 lb1
+
+check ovn-nbctl --wait=sb \
+ -- lb-add lb2 "10.0.1.1" "10.0.1.2" \
+ -- ls-lb-add ls2 lb2
+
+as hv1
+check_default_flows
+as hv2
+check_default_flows
+
+# LB + stateless ACL
+check ovn-nbctl --wait=sb \
+ -- acl-add ls1 from-lport 100 'ip4' allow-stateless
+check ovn-nbctl --wait=sb \
+ -- acl-add ls2 from-lport 100 'ip4' allow-stateless
+
+as hv1
+check_default_flows
+as hv2
+check_default_flows
+
+check ovn-nbctl --wait=sb acl-del ls1
+check ovn-nbctl --wait=sb acl-del ls2
+
+# LB + stateful ACL
+check ovn-nbctl --wait=sb \
+ -- acl-add ls1 from-lport 100 "udp" allow-related
+check ovn-nbctl --wait=sb \
+ -- acl-add ls2 from-lport 100 "udp" allow-related
+
+as hv1
+check_default_flows
+as hv2
+check_default_flows
+
+OVN_CLEANUP([hv1],[hv2])
+AT_CLEANUP
+])
--
2.37.3
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
