Ales Musil <amu...@redhat.com> writes: > Add extension that allows to flush connections from CT > by specifying fields that the connections should be > matched against. This allows to match only some fields > of the connection e.g. source address for orig direrction. > > Reported-at: https://bugzilla.redhat.com/2120546 > Signed-off-by: Ales Musil <amu...@redhat.com> > --- > v3: Rebase on top of master. > v2: Rebase on top of master. > Use suggestion from Ilya. > ---
Although a second opinion would be nice to have here, the patch LGTM and the tests succeeded. Acked-by: Paolo Valerio <pvale...@redhat.com> > NEWS | 3 + > include/openflow/nicira-ext.h | 30 +++++++ > include/openvswitch/ofp-msgs.h | 4 + > include/openvswitch/ofp-util.h | 4 + > lib/ofp-bundle.c | 1 + > lib/ofp-ct-util.c | 146 +++++++++++++++++++++++++++++++++ > lib/ofp-ct-util.h | 9 ++ > lib/ofp-print.c | 20 +++++ > lib/ofp-util.c | 25 ++++++ > lib/rconn.c | 1 + > ofproto/ofproto-dpif.c | 8 +- > ofproto/ofproto-provider.h | 7 +- > ofproto/ofproto.c | 30 ++++++- > tests/ofp-print.at | 93 +++++++++++++++++++++ > tests/ovs-ofctl.at | 12 +++ > tests/system-traffic.at | 116 ++++++++++++++------------ > utilities/ovs-ofctl.c | 38 +++++++++ > 17 files changed, 489 insertions(+), 58 deletions(-) > > diff --git a/NEWS b/NEWS > index ff8904b02..46b8faa41 100644 > --- a/NEWS > +++ b/NEWS > @@ -16,6 +16,9 @@ Post-v3.0.0 > by specifying 'max-rate' or '[r]stp-path-cost' accordingly. > - ovs-dpctl and related ovs-appctl commands: > * "flush-conntrack" is capable of handling partial 5-tuple. > + - OpenFlow: > + * New OpenFlow extension NXT_CT_FLUSH to flush connections matching > + the specified fields. > > > v3.0.0 - 15 Aug 2022 > diff --git a/include/openflow/nicira-ext.h b/include/openflow/nicira-ext.h > index b68804991..32ce56d31 100644 > --- a/include/openflow/nicira-ext.h > +++ b/include/openflow/nicira-ext.h > @@ -1064,4 +1064,34 @@ struct nx_zone_id { > }; > OFP_ASSERT(sizeof(struct nx_zone_id) == 8); > > +/* CT flush available TLVs. */ > +enum nx_ct_flush_tlv_type { > + /* Outer types. */ > + NXT_CT_ORIG_DIRECTION, /* CT orig direction outer type. */ > + NXT_CT_REPLY_DIRECTION, /* CT reply direction outer type. */ > + > + /* Nested types. */ > + NXT_CT_SRC, /* CT source IPv6 or mapped IPv4 address. */ > + NXT_CT_DST, /* CT destination IPv6 or mapped IPv4 address. > */ > + NXT_CT_SRC_PORT, /* CT source port. */ > + NXT_CT_DST_PORT, /* CT destination port. */ > + NXT_CT_ICMP_ID, /* CT ICMP id. */ > + NXT_CT_ICMP_TYPE, /* CT ICMP type. */ > + NXT_CT_ICMP_CODE, /* CT ICMP code. */ > + > + /* Primitive types. */ > + NXT_CT_ZONE_ID, /* CT zone id. */ > +}; > + > +/* NXT_CT_FLUSH. > + * > + * Flushes the connection tracking specified by 5-tuple. > + * The struct should be followed by TLVs specifying the matching parameters. > */ > +struct nx_ct_flush { > + uint8_t ip_proto; /* IP protocol. */ > + uint8_t family; /* L3 address family. */ > + uint8_t zero[6]; /* Must be zero. */ > +}; > +OFP_ASSERT(sizeof(struct nx_ct_flush) == 8); > + > #endif /* openflow/nicira-ext.h */ > diff --git a/include/openvswitch/ofp-msgs.h b/include/openvswitch/ofp-msgs.h > index 921a937e5..659b0a3e7 100644 > --- a/include/openvswitch/ofp-msgs.h > +++ b/include/openvswitch/ofp-msgs.h > @@ -526,6 +526,9 @@ enum ofpraw { > > /* NXST 1.0+ (4): struct nx_ipfix_stats_reply[]. */ > OFPRAW_NXST_IPFIX_FLOW_REPLY, > + > + /* NXT 1.0+ (32): struct nx_ct_flush, uint8_t[8][]. */ > + OFPRAW_NXT_CT_FLUSH, > }; > > /* Decoding messages into OFPRAW_* values. */ > @@ -772,6 +775,7 @@ enum ofptype { > OFPTYPE_IPFIX_FLOW_STATS_REQUEST, /* OFPRAW_NXST_IPFIX_FLOW_REQUEST */ > OFPTYPE_IPFIX_FLOW_STATS_REPLY, /* OFPRAW_NXST_IPFIX_FLOW_REPLY */ > OFPTYPE_CT_FLUSH_ZONE, /* OFPRAW_NXT_CT_FLUSH_ZONE. */ > + OFPTYPE_CT_FLUSH, /* OFPRAW_NXT_CT_FLUSH. */ > > /* Flow monitor extension. */ > OFPTYPE_FLOW_MONITOR_CANCEL, /* OFPRAW_NXT_FLOW_MONITOR_CANCEL. > diff --git a/include/openvswitch/ofp-util.h b/include/openvswitch/ofp-util.h > index 84937ae26..e10d90b9f 100644 > --- a/include/openvswitch/ofp-util.h > +++ b/include/openvswitch/ofp-util.h > @@ -65,6 +65,10 @@ struct ofpbuf *ofputil_encode_echo_reply(const struct > ofp_header *); > > struct ofpbuf *ofputil_encode_barrier_request(enum ofp_version); > > +struct ofpbuf *ofputil_ct_match_encode(const struct ofputil_ct_match *match, > + uint16_t *zone_id, > + enum ofp_version version); > + > #ifdef __cplusplus > } > #endif > diff --git a/lib/ofp-bundle.c b/lib/ofp-bundle.c > index 0161c2bc6..941a8370e 100644 > --- a/lib/ofp-bundle.c > +++ b/lib/ofp-bundle.c > @@ -292,6 +292,7 @@ ofputil_is_bundlable(enum ofptype type) > case OFPTYPE_IPFIX_FLOW_STATS_REQUEST: > case OFPTYPE_IPFIX_FLOW_STATS_REPLY: > case OFPTYPE_CT_FLUSH_ZONE: > + case OFPTYPE_CT_FLUSH: > break; > } > > diff --git a/lib/ofp-ct-util.c b/lib/ofp-ct-util.c > index 9112305cc..276932ea6 100644 > --- a/lib/ofp-ct-util.c > +++ b/lib/ofp-ct-util.c > @@ -23,8 +23,12 @@ > > #include "ct-dpif.h" > #include "ofp-ct-util.h" > +#include "openflow/nicira-ext.h" > #include "openvswitch/dynamic-string.h" > +#include "openvswitch/ofp-msgs.h" > #include "openvswitch/ofp-parse.h" > +#include "openvswitch/ofp-errors.h" > +#include "openvswitch/ofp-prop.h" > #include "openvswitch/ofp-util.h" > #include "openvswitch/packets.h" > > @@ -309,3 +313,145 @@ error: > free(copy); > return false; > } > + > +static enum ofperr > +ofpprop_pull_value(struct ofpbuf *property, void *value, size_t len) > +{ > + if (ofpbuf_msgsize(property) < len) { > + return OFPERR_OFPBPC_BAD_LEN; > + } > + > + memcpy(value, property->msg, len); > + > + return 0; > +} > + > +static enum ofperr > +ofputil_ct_tuple_decode_nested(struct ofpbuf *property, > + struct ofputil_ct_tuple *tuple) > +{ > + struct ofpbuf nested; > + enum ofperr error = ofpprop_parse_nested(property, &nested); > + if (error) { > + return error; > + } > + > + while (nested.size) { > + struct ofpbuf inner; > + uint64_t type; > + > + error = ofpprop_pull(&nested, &inner, &type); > + if (error) { > + return error; > + } > + switch (type) { > + case NXT_CT_SRC: > + ofpprop_pull_value(&inner, &tuple->src, sizeof tuple->src); > + break; > + case NXT_CT_DST: > + ofpprop_pull_value(&inner, &tuple->dst, sizeof tuple->dst); > + break; > + case NXT_CT_SRC_PORT: > + ofpprop_parse_be16(&inner, &tuple->src_port); > + break; > + case NXT_CT_DST_PORT: > + ofpprop_parse_be16(&inner, &tuple->dst_port); > + break; > + case NXT_CT_ICMP_ID: > + ofpprop_parse_be16(&inner, &tuple->icmp_id); > + break; > + case NXT_CT_ICMP_TYPE: > + ofpprop_parse_u8(&inner, &tuple->icmp_type); > + break; > + case NXT_CT_ICMP_CODE: > + ofpprop_parse_u8(&inner, &tuple->icmp_code); > + } > + } > + > + return 0; > +} > + > +enum ofperr > +ofputil_ct_match_decode(struct ofputil_ct_match *match, bool *with_zone, > + uint16_t *zone_id, const struct ofp_header *oh) > +{ > + struct ofpbuf msg = ofpbuf_const_initializer(oh, ntohs(oh->length)); > + ofpraw_pull_assert(&msg); > + > + const struct nx_ct_flush *nx_flush = ofpbuf_pull(&msg, sizeof *nx_flush); > + > + if (!is_all_zeros(nx_flush->zero, sizeof nx_flush->zero)) { > + return OFPERR_NXBRC_MUST_BE_ZERO; > + } > + > + match->l3_type = nx_flush->family; > + match->ip_proto = nx_flush->ip_proto; > + > + struct ofputil_ct_tuple *orig = &match->tuple_orig; > + struct ofputil_ct_tuple *reply = &match->tuple_reply; > + > + while (msg.size) { > + struct ofpbuf property; > + uint64_t type; > + > + enum ofperr error = ofpprop_pull(&msg, &property, &type); > + if (error) { > + return error; > + } > + > + switch (type) { > + case NXT_CT_ORIG_DIRECTION: > + ofputil_ct_tuple_decode_nested(&property, orig); > + break; > + case NXT_CT_REPLY_DIRECTION: > + ofputil_ct_tuple_decode_nested(&property, reply); > + break; > + case NXT_CT_ZONE_ID: > + if (with_zone) { > + *with_zone = true; > + } > + ofpprop_parse_u16(&property, zone_id); > + break; > + } > + } > + > + return 0; > +} > + > +void > +ofputil_ct_tuple_encode(const struct ofputil_ct_tuple *tuple, > + struct ofpbuf *buf, enum nx_ct_flush_tlv_type type, > + uint8_t ip_proto) > +{ > + /* 128 B is enough to hold the whole tuple. */ > + uint8_t stub[128]; > + struct ofpbuf nested = OFPBUF_STUB_INITIALIZER(stub); > + > + if (!ipv6_is_zero(&tuple->src)) { > + ofpprop_put(&nested, NXT_CT_SRC, &tuple->src, sizeof tuple->src); > + } > + > + if (!ipv6_is_zero(&tuple->dst)) { > + ofpprop_put(&nested, NXT_CT_DST, &tuple->dst, sizeof tuple->dst); > + } > + > + if (ip_proto == IPPROTO_ICMP || ip_proto == IPPROTO_ICMPV6) { > + ofpprop_put_be16(&nested, NXT_CT_ICMP_ID, tuple->icmp_id); > + ofpprop_put_u8(&nested, NXT_CT_ICMP_TYPE, tuple->icmp_type); > + ofpprop_put_u8(&nested, NXT_CT_ICMP_CODE, tuple->icmp_code); > + } else { > + if (tuple->src_port) { > + ofpprop_put_be16(&nested, NXT_CT_SRC_PORT, tuple->src_port); > + } > + > + if (tuple->dst_port) { > + ofpprop_put_be16(&nested, NXT_CT_DST_PORT, tuple->dst_port); > + } > + } > + > + if (nested.size) { > + ofpprop_put_nested(buf, type, &nested); > + } > + > + ofpbuf_uninit(&nested); > +} > diff --git a/lib/ofp-ct-util.h b/lib/ofp-ct-util.h > index a53d73cb0..5d862500f 100644 > --- a/lib/ofp-ct-util.h > +++ b/lib/ofp-ct-util.h > @@ -17,6 +17,7 @@ > #define OVS_OFP_CT_UTIL_H > > #include "ct-dpif.h" > +#include "openflow/nicira-ext.h" > #include "openvswitch/ofp-util.h" > > bool ofputil_ct_match_cmp(const struct ofputil_ct_match *match, > @@ -31,4 +32,12 @@ void ofputil_ct_match_format(struct ds *ds, > bool ofputil_ct_match_parse(struct ofputil_ct_match *match, const char *s, > struct ds *ds); > > +enum ofperr ofputil_ct_match_decode(struct ofputil_ct_match *match, > + bool *with_zone, uint16_t *zone_id, > + const struct ofp_header *oh); > + > +void ofputil_ct_tuple_encode(const struct ofputil_ct_tuple *tuple, > + struct ofpbuf *buf, > + enum nx_ct_flush_tlv_type type, uint8_t > ip_proto); > + > #endif /* lib/ofp-ct-util.h */ > diff --git a/lib/ofp-print.c b/lib/ofp-print.c > index bd37fa17a..94bfa7070 100644 > --- a/lib/ofp-print.c > +++ b/lib/ofp-print.c > @@ -36,6 +36,7 @@ > #include "learn.h" > #include "multipath.h" > #include "netdev.h" > +#include "ofp-ct-util.h" > #include "nx-match.h" > #include "odp-util.h" > #include "openflow/nicira-ext.h" > @@ -949,6 +950,23 @@ ofp_print_nxt_ct_flush_zone(struct ds *string, const > struct nx_zone_id *nzi) > return 0; > } > > +static enum ofperr > +ofp_print_nxt_ct_flush(struct ds *string, const struct ofp_header *oh) > +{ > + uint16_t zone_id = 0; > + struct ofputil_ct_match match = {0}; > + > + enum ofperr error = ofputil_ct_match_decode(&match, NULL, &zone_id, oh); > + if (error) { > + return error; > + } > + > + ofputil_ct_match_format(string, &match); > + ds_put_format(string, ",zone_id=%"PRIu16, zone_id); > + > + return 0; > +} > + > static enum ofperr > ofp_to_string__(const struct ofp_header *oh, > const struct ofputil_port_map *port_map, > @@ -1184,6 +1202,8 @@ ofp_to_string__(const struct ofp_header *oh, > > case OFPTYPE_CT_FLUSH_ZONE: > return ofp_print_nxt_ct_flush_zone(string, ofpmsg_body(oh)); > + case OFPTYPE_CT_FLUSH: > + return ofp_print_nxt_ct_flush(string, oh); > } > > return 0; > diff --git a/lib/ofp-util.c b/lib/ofp-util.c > index a324ceeea..a14cb6860 100644 > --- a/lib/ofp-util.c > +++ b/lib/ofp-util.c > @@ -31,6 +31,7 @@ > #include "multipath.h" > #include "netdev.h" > #include "nx-match.h" > +#include "ofp-ct-util.h" > #include "id-pool.h" > #include "openflow/netronome-ext.h" > #include "openvswitch/dynamic-string.h" > @@ -237,3 +238,27 @@ ofputil_encode_barrier_request(enum ofp_version > ofp_version) > > return ofpraw_alloc(type, ofp_version, 0); > } > + > +struct ofpbuf * > +ofputil_ct_match_encode(const struct ofputil_ct_match *match, > + uint16_t *zone_id, enum ofp_version version) > +{ > + struct ofpbuf *msg = ofpraw_alloc(OFPRAW_NXT_CT_FLUSH, version, 0); > + struct nx_ct_flush *nx_flush = ofpbuf_put_zeros(msg, sizeof *nx_flush); > + const struct ofputil_ct_tuple *orig = &match->tuple_orig; > + const struct ofputil_ct_tuple *reply = &match->tuple_reply; > + > + nx_flush->ip_proto = match->ip_proto; > + nx_flush->family = match->l3_type; > + > + ofputil_ct_tuple_encode(orig, msg, NXT_CT_ORIG_DIRECTION, > + match->ip_proto); > + ofputil_ct_tuple_encode(reply, msg, NXT_CT_REPLY_DIRECTION, > + match->ip_proto); > + > + if (zone_id) { > + ofpprop_put_u16(msg, NXT_CT_ZONE_ID, *zone_id); > + } > + > + return msg; > +} > diff --git a/lib/rconn.c b/lib/rconn.c > index a96b2eb8b..4afa21515 100644 > --- a/lib/rconn.c > +++ b/lib/rconn.c > @@ -1426,6 +1426,7 @@ is_admitted_msg(const struct ofpbuf *b) > case OFPTYPE_IPFIX_FLOW_STATS_REQUEST: > case OFPTYPE_IPFIX_FLOW_STATS_REPLY: > case OFPTYPE_CT_FLUSH_ZONE: > + case OFPTYPE_CT_FLUSH: > default: > return true; > } > diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c > index f9562dee8..29174a585 100644 > --- a/ofproto/ofproto-dpif.c > +++ b/ofproto/ofproto-dpif.c > @@ -5358,11 +5358,12 @@ type_set_config(const char *type, const struct smap > *other_config) > } > > static void > -ct_flush(const struct ofproto *ofproto_, const uint16_t *zone) > +ct_flush(const struct ofproto *ofproto_, const uint16_t *zone, > + const struct ofputil_ct_match *match) > { > struct ofproto_dpif *ofproto = ofproto_dpif_cast(ofproto_); > > - ct_dpif_flush(ofproto->backer->dpif, zone, NULL); > + ct_dpif_flush(ofproto->backer->dpif, zone, match); > } > > static struct ct_timeout_policy * > @@ -5674,6 +5675,9 @@ get_datapath_cap(const char *datapath_type, struct smap > *cap) > smap_add(cap, "lb_output_action", s.lb_output_action ? "true" : "false"); > smap_add(cap, "ct_zero_snat", s.ct_zero_snat ? "true" : "false"); > smap_add(cap, "add_mpls", s.add_mpls ? "true" : "false"); > + /* The ct_tuple_flush is implemented on dpif level, so it is supported > + * for all backers. */ > + smap_add(cap, "ct_flush", "true"); > } > > /* Gets timeout policy name in 'backer' based on 'zone', 'dl_type' and > diff --git a/ofproto/ofproto-provider.h b/ofproto/ofproto-provider.h > index 7e3fb6698..5e39234f9 100644 > --- a/ofproto/ofproto-provider.h > +++ b/ofproto/ofproto-provider.h > @@ -49,6 +49,7 @@ > #include "openvswitch/ofp-port.h" > #include "openvswitch/ofp-switch.h" > #include "openvswitch/ofp-table.h" > +#include "openvswitch/ofp-util.h" > #include "ovs-atomic.h" > #include "ovs-rcu.h" > #include "ovs-thread.h" > @@ -1902,8 +1903,10 @@ struct ofproto_class { > /* ## Connection tracking ## */ > /* ## ------------------- ## */ > /* Flushes the connection tracking tables. If 'zone' is not NULL, > - * only deletes connections in '*zone'. */ > - void (*ct_flush)(const struct ofproto *, const uint16_t *zone); > + * only deletes connections in '*zone'. If 'match' is not NULL, > + * deletes connections specified by the match. */ > + void (*ct_flush)(const struct ofproto *, const uint16_t *zone, > + const struct ofputil_ct_match *match); > > /* Sets conntrack timeout policy specified by 'timeout_policy' to 'zone' > * in datapath type 'dp_type'. */ > diff --git a/ofproto/ofproto.c b/ofproto/ofproto.c > index 3a527683c..c9b222994 100644 > --- a/ofproto/ofproto.c > +++ b/ofproto/ofproto.c > @@ -34,6 +34,7 @@ > #include "openvswitch/hmap.h" > #include "netdev.h" > #include "nx-match.h" > +#include "ofp-ct-util.h" > #include "ofproto.h" > #include "ofproto-provider.h" > #include "openflow/nicira-ext.h" > @@ -934,7 +935,31 @@ handle_nxt_ct_flush_zone(struct ofconn *ofconn, const > struct ofp_header *oh) > > uint16_t zone = ntohs(nzi->zone_id); > if (ofproto->ofproto_class->ct_flush) { > - ofproto->ofproto_class->ct_flush(ofproto, &zone); > + ofproto->ofproto_class->ct_flush(ofproto, &zone, NULL); > + } else { > + return EOPNOTSUPP; > + } > + > + return 0; > +} > + > +static enum ofperr > +handle_nxt_ct_flush(struct ofconn *ofconn, const struct ofp_header *oh) > +{ > + struct ofproto *ofproto = ofconn_get_ofproto(ofconn); > + struct ofputil_ct_match match = {0}; > + bool with_zone = false; > + uint16_t zone_id = 0; > + > + enum ofperr error = > + ofputil_ct_match_decode(&match, &with_zone, &zone_id, oh); > + if (error) { > + return error; > + } > + > + if (ofproto->ofproto_class->ct_flush) { > + ofproto->ofproto_class->ct_flush(ofproto, with_zone ? &zone_id : > NULL, > + &match); > } else { > return EOPNOTSUPP; > } > @@ -8787,6 +8812,9 @@ handle_single_part_openflow(struct ofconn *ofconn, > const struct ofp_header *oh, > case OFPTYPE_CT_FLUSH_ZONE: > return handle_nxt_ct_flush_zone(ofconn, oh); > > + case OFPTYPE_CT_FLUSH: > + return handle_nxt_ct_flush(ofconn, oh); > + > case OFPTYPE_HELLO: > case OFPTYPE_ERROR: > case OFPTYPE_FEATURES_REPLY: > diff --git a/tests/ofp-print.at b/tests/ofp-print.at > index fe41cc42c..7c6a86133 100644 > --- a/tests/ofp-print.at > +++ b/tests/ofp-print.at > @@ -4073,3 +4073,96 @@ AT_CHECK([ovs-ofctl ofp-print "\ > NXT_CT_FLUSH_ZONE (xid=0x3): zone_id=13 > ]) > AT_CLEANUP > + > +AT_SETUP([NXT_CT_FLUSH]) > +AT_KEYWORDS([ofp-print]) > +AT_CHECK([ovs-ofctl ofp-print "\ > +01 04 00 18 00 00 00 03 00 00 23 20 00 00 00 20 \ > +06 \ > +02 \ > +00 00 00 00 00 00 \ > +"], [0], [dnl > +NXT_CT_FLUSH (xid=0x3): > l3_type=2,ip_proto=6,orig=(src=::,dst=::,src_port=0,dst_port=0),reply=(src=::,dst=::,src_port=0,dst_port=0),zone_id=0 > +]) > + > +AT_CHECK([ovs-ofctl ofp-print "\ > +01 04 00 20 00 00 00 03 00 00 23 20 00 00 00 20 \ > +06 \ > +02 \ > +00 00 00 00 00 00 \ > +00 09 00 08 00 0d 00 00 \ > +"], [0], [dnl > +NXT_CT_FLUSH (xid=0x3): > l3_type=2,ip_proto=6,orig=(src=::,dst=::,src_port=0,dst_port=0),reply=(src=::,dst=::,src_port=0,dst_port=0),zone_id=13 > +]) > + > +AT_CHECK([ovs-ofctl ofp-print "\ > +01 04 00 68 00 00 00 03 00 00 23 20 00 00 00 20 \ > +06 \ > +02 \ > +00 00 00 00 00 00 \ > +00 09 00 08 00 0d 00 00 \ > +00 00 00 48 00 00 00 00 \ > +00 02 00 14 00 00 00 00 00 00 00 00 00 00 ff ff 0a 0a 00 01 00 00 00 00 \ > +00 03 00 14 00 00 00 00 00 00 00 00 00 00 ff ff 0a 0a 00 02 00 00 00 00 \ > +00 04 00 08 00 50 00 00 \ > +00 05 00 08 1f 90 00 00 \ > +"], [0], [dnl > +NXT_CT_FLUSH (xid=0x3): > l3_type=2,ip_proto=6,orig=(src=10.10.0.1,dst=10.10.0.2,src_port=80,dst_port=8080),reply=(src=::,dst=::,src_port=0,dst_port=0),zone_id=13 > +]) > + > +AT_CHECK([ovs-ofctl ofp-print "\ > +01 04 00 68 00 00 00 03 00 00 23 20 00 00 00 20 \ > +06 \ > +02 \ > +00 00 00 00 00 00 \ > +00 09 00 08 00 0d 00 00 \ > +00 01 00 48 00 00 00 00 \ > +00 03 00 14 00 00 00 00 00 00 00 00 00 00 ff ff 0a 0a 00 01 00 00 00 00 \ > +00 02 00 14 00 00 00 00 00 00 00 00 00 00 ff ff 0a 0a 00 02 00 00 00 00 \ > +00 05 00 08 00 50 00 00 \ > +00 04 00 08 1f 90 00 00 \ > +"], [0], [dnl > +NXT_CT_FLUSH (xid=0x3): > l3_type=2,ip_proto=6,orig=(src=::,dst=::,src_port=0,dst_port=0),reply=(src=10.10.0.2,dst=10.10.0.1,src_port=8080,dst_port=80),zone_id=13 > +]) > + > +AT_CHECK([ovs-ofctl ofp-print "\ > +01 04 00 b0 00 00 00 03 00 00 23 20 00 00 00 20 \ > +06 \ > +02 \ > +00 00 00 00 00 00 \ > +00 09 00 08 00 0d 00 00 \ > +00 00 00 48 00 00 00 00 \ > +00 02 00 14 00 00 00 00 00 00 00 00 00 00 ff ff 0a 0a 00 01 00 00 00 00 \ > +00 03 00 14 00 00 00 00 00 00 00 00 00 00 ff ff 0a 0a 00 02 00 00 00 00 \ > +00 04 00 08 00 50 00 00 \ > +00 05 00 08 1f 90 00 00 \ > +00 01 00 48 00 00 00 00 \ > +00 03 00 14 00 00 00 00 00 00 00 00 00 00 ff ff 0a 0a 00 01 00 00 00 00 \ > +00 02 00 14 00 00 00 00 00 00 00 00 00 00 ff ff 0a 0a 00 02 00 00 00 00 \ > +00 05 00 08 00 50 00 00 \ > +00 04 00 08 1f 90 00 00 \ > +"], [0], [dnl > +NXT_CT_FLUSH (xid=0x3): > l3_type=2,ip_proto=6,orig=(src=10.10.0.1,dst=10.10.0.2,src_port=80,dst_port=8080),reply=(src=10.10.0.2,dst=10.10.0.1,src_port=8080,dst_port=80),zone_id=13 > +]) > + > +AT_CHECK([ovs-ofctl ofp-print "\ > +01 04 00 b8 00 00 00 03 00 00 23 20 00 00 00 20 \ > +01 \ > +0a \ > +00 00 00 00 00 00 \ > +00 00 00 50 00 00 00 00 \ > +00 02 00 14 fd 18 00 00 00 00 00 00 00 00 ff ff ab cd 00 01 00 00 00 00 \ > +00 03 00 14 fd 18 00 00 00 00 00 00 00 00 ff ff ab cd 00 02 00 00 00 00 \ > +00 06 00 08 00 0a 00 00 \ > +00 07 00 05 01 00 00 00 \ > +00 08 00 05 02 00 00 00 \ > +00 01 00 50 00 00 00 00 \ > +00 02 00 14 fd 18 00 00 00 00 00 00 00 00 ff ff ab cd 00 02 00 00 00 00 \ > +00 02 00 14 fd 18 00 00 00 00 00 00 00 00 ff ff ab cd 00 01 00 00 00 00 \ > +00 06 00 08 00 0a 00 00 \ > +00 07 00 05 03 00 00 00 \ > +00 08 00 05 04 00 00 00 \ > +"], [0], [dnl > +NXT_CT_FLUSH (xid=0x3): > l3_type=10,ip_proto=1,orig=(src=fd18::ffff:abcd:1,dst=fd18::ffff:abcd:2,icmp_id=10,icmp_type=1,icmp_code=2),reply=(src=fd18::ffff:abcd:1,dst=::,icmp_id=10,icmp_type=3,icmp_code=4),zone_id=0 > +]) > +AT_CLEANUP > diff --git a/tests/ovs-ofctl.at b/tests/ovs-ofctl.at > index a8934051e..ad94e75be 100644 > --- a/tests/ovs-ofctl.at > +++ b/tests/ovs-ofctl.at > @@ -3271,3 +3271,15 @@ AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | > ofctl_strip | sed '/OFPST_FLO > > OVS_VSWITCHD_STOP(["/Flow exceeded the maximum flow statistics reply size > and was excluded from the response set/d"]) > AT_CLEANUP > + > +AT_SETUP([ovs-ofctl ct - flush-conntrack]) > +OVS_VSWITCHD_START > + > +AT_CHECK([ovs-appctl vlog/set ct_dpif:dbg]) > +AT_CHECK([ovs-ofctl flush-conntrack br0 zone=5 > 'ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1']) > + > +OVS_WAIT_UNTIL([grep -q "|ct_dpif|DBG|.*ct_flush" ovs-vswitchd.log]) > +AT_CHECK([grep -q "ct_dpif|DBG|.*ct_flush: > l3_type=2,ip_proto=17,orig=(src=10.1.1.1,dst=10.1.1.2,src_port=1,dst_port=0),reply=(src=::,dst=::,src_port=0,dst_port=0) > in zone 5" ovs-vswitchd.log]) > + > +OVS_VSWITCHD_STOP > +AT_CLEANUP > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 51903a658..396d81ad9 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -2250,126 +2250,136 @@ > priority=100,in_port=2,icmp,action=ct(zone=5,commit),1 > > AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > > -dnl Test UDP from port 1 > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > +flush_conntrack() { > + if [[ "$1" == "dpctl" ]]; then > + AT_CHECK([ovs-appctl dpctl/flush-conntrack ${@:2}]) > + else > + AT_CHECK([ovs-ofctl flush-conntrack br0 ${@:2}]) > + fi > +} > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], > [], [dnl > +for type in dpctl ofctl; do > + AS_BOX([Testing with $type command]) > + > + dnl Test UDP from port 1 > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > + > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep > "orig=.src=10\.1\.1\.1,"], [], [dnl > > udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1) > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack > 'ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1']) > + AT_CHECK([flush_conntrack $type > 'ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], > [1], [dnl > -]) > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep > "orig=.src=10\.1\.1\.1,"], [1]) > > -dnl Test UDP from port 2 > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], > [0], [dnl > + dnl Test UDP from port 2 > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > + > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep > "orig=.src=10\.1\.1\.2,"], [0], [dnl > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 > 'ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2']) > + AT_CHECK([flush_conntrack $type zone=5 > 'ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl > -]) > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0]) > > -dnl Test ICMP traffic > -NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], > [0], [dnl > + dnl Test ICMP traffic > + NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | > FORMAT_PING], [0], [dnl > 3 packets transmitted, 3 received, 0% packet loss, time 0ms > ]) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], > [0], [stdout]) > -AT_CHECK([cat stdout | FORMAT_CT(10.1.1.1)], [0],[dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep > "orig=.src=10\.1\.1\.2,"], [0], [stdout]) > + AT_CHECK([cat stdout | FORMAT_CT(10.1.1.1)], [0],[dnl > > icmp,orig=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=8,code=0),reply=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=0,code=0),zone=5 > ]) > > -ICMP_ID=`cat stdout | cut -d ',' -f4 | cut -d '=' -f2` > -ICMP_TUPLE=ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=1,icmp_id=$ICMP_ID,icmp_type=8,icmp_code=0 > -AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 $ICMP_TUPLE]) > + ICMP_ID=`cat stdout | cut -d ',' -f4 | cut -d '=' -f2` > + > ICMP_TUPLE=ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=1,icmp_id=$ICMP_ID,icmp_type=8,icmp_code=0 > + AT_CHECK([flush_conntrack $type zone=5 $ICMP_TUPLE]) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], > [1], [dnl > -]) > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep > "orig=.src=10\.1\.1\.2,"], [1]) > > -dnl Test UDP from port 1 and 2, partial flush by src port > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > + dnl Test UDP from port 1 and 2, partial flush by src port > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1" | sort], [0], > [dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1" | sort], > [0], [dnl > > udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1) > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_proto=17,ct_tp_src=1']) > + AT_CHECK([flush_conntrack $type 'ct_nw_proto=17,ct_tp_src=1']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [0], [dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [0], > [dnl > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_proto=17,ct_tp_src=2']) > + AT_CHECK([flush_conntrack $type 'ct_nw_proto=17,ct_tp_src=2']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [1]) > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [1]) > > -dnl Test UDP from port 1 and 2, partial flush by dst port > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > + dnl Test UDP from port 1 and 2, partial flush by dst port > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1" | sort], [0], > [dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1" | sort], > [0], [dnl > > udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1) > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_proto=17,ct_tp_dst=2']) > + AT_CHECK([flush_conntrack $type 'ct_nw_proto=17,ct_tp_dst=2']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [0], [dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [0], > [dnl > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_proto=17,ct_tp_dst=1']) > + AT_CHECK([flush_conntrack $type 'ct_nw_proto=17,ct_tp_dst=1']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [1]) > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [1]) > > -dnl Test UDP from port 1 and 2, partial flush by src address > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > + dnl Test UDP from port 1 and 2, partial flush by src address > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1" | sort], [0], > [dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1" | sort], > [0], [dnl > > udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1) > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_src=10.1.1.1']) > + AT_CHECK([flush_conntrack $type 'ct_nw_src=10.1.1.1']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [0], [dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [0], > [dnl > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_src=10.1.1.2']) > + AT_CHECK([flush_conntrack $type 'ct_nw_src=10.1.1.2']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [1]) > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [1]) > > -dnl Test UDP from port 1 and 2, partial flush by dst address > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > + dnl Test UDP from port 1 and 2, partial flush by dst address > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 > actions=resubmit(,0)"]) > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 > packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 > actions=resubmit(,0)"]) > > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1" | sort], [0], > [dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1" | sort], > [0], [dnl > > udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1) > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_dst=10.1.1.2']) > + AT_CHECK([flush_conntrack $type 'ct_nw_dst=10.1.1.2']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [0], [dnl > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [0], > [dnl > > udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5 > ]) > > -AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_dst=10.1.1.1']) > + AT_CHECK([flush_conntrack $type 'ct_nw_dst=10.1.1.1']) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [1]) > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "10\.1\.1\.1"], [1]) > +done > > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > diff --git a/utilities/ovs-ofctl.c b/utilities/ovs-ofctl.c > index fe9114580..26fc28746 100644 > --- a/utilities/ovs-ofctl.c > +++ b/utilities/ovs-ofctl.c > @@ -40,6 +40,7 @@ > #include "fatal-signal.h" > #include "nx-match.h" > #include "odp-util.h" > +#include "ofp-ct-util.h" > #include "ofp-version-opt.h" > #include "ofproto/ofproto.h" > #include "openflow/nicira-ext.h" > @@ -3050,6 +3051,40 @@ ofctl_ct_flush_zone(struct ovs_cmdl_context *ctx) > vconn_close(vconn); > } > > +static void > +ofctl_ct_flush_conntrack(struct ovs_cmdl_context *ctx) > +{ > + struct vconn *vconn; > + struct ofputil_ct_match match = {0}; > + struct ds ds = DS_EMPTY_INITIALIZER; > + uint16_t zone; > + bool with_zone = false; > + int args = ctx->argc - 1; > + > + /* Parse ct tuple */ > + if (args) { > + if (!ofputil_ct_match_parse(&match, ctx->argv[args], &ds)) { > + ovs_fatal(0, "Failed to parse ct-tuple: %s", ds_cstr(&ds)); > + } > + args--; > + } > + > + /* Parse zone */ > + if (args && ovs_scan(ctx->argv[args], "zone=%"SCNu16, &zone)) { > + with_zone = true; > + } > + > + open_vconn(ctx->argv[1], &vconn); > + enum ofp_version version = vconn_get_version(vconn); > + > + struct ofpbuf *msg = > + ofputil_ct_match_encode(&match, with_zone ? &zone : NULL, version); > + > + ds_destroy(&ds); > + transact_noreply(vconn, msg); > + vconn_close(vconn); > +} > + > static void > ofctl_dump_ipfix_flow(struct ovs_cmdl_context *ctx) > { > @@ -5063,6 +5098,9 @@ static const struct ovs_cmdl_command all_commands[] = { > { "ct-flush-zone", "switch zone", > 2, 2, ofctl_ct_flush_zone, OVS_RO }, > > + { "flush-conntrack", "switch [zone=N] [ct-tuple]", > + 1, 3, ofctl_ct_flush_conntrack, OVS_RO }, > + > { "ofp-parse", "file", > 1, 1, ofctl_ofp_parse, OVS_RW }, > { "ofp-parse-pcap", "pcap", > -- > 2.38.1 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev