Drop ip packets with ct status set to invalid in post snat and
lb_aff_learn router stages.
Do not pass ICMPv{4,6} error messages packet too big through connection
tracking since they will result in ct.inv (we will not have any entry
for them in ct table) and the source ip address is already properly set.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2160685
Signed-off-by: Lorenzo Bianconi <[email protected]>
---
 northd/northd.c | 52 +++++++++++++++++++++++++++++++++--
 northd/ovn-northd.8.xml | 51 +++++++++++++++++++++++++++++++++--
 tests/ovn-northd.at | 47 +++++++++++++++++++++++++++++++-
 tests/ovn.at | 60 +++++++++++++++--------------------
 tests/system-ovn.at | 16 +++++------
 5 files changed, 184 insertions(+), 42 deletions(-)
diff --git a/northd/northd.c b/northd/northd.c
index 77e105b86..71507d031 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -7507,6 +7507,10 @@ build_lb_affinity_default_flows(struct ovn_datapath *od, struct hmap *lflows)
 if (od->nbr) {
 ovn_lflow_add(lflows, od, S_ROUTER_IN_LB_AFF_CHECK, 0, "1", "next;");
 ovn_lflow_add(lflows, od, S_ROUTER_IN_LB_AFF_LEARN, 0, "1", "next;");
+ if (use_ct_inv_match) {
+ ovn_lflow_add(lflows, od, S_ROUTER_IN_LB_AFF_LEARN, 200,
+ "ip && ct.trk && ct.inv", debug_drop_action());
+ }
 }
 }
@@ -11402,7 +11406,29 @@ build_lrouter_force_snat_flows_op(struct ovn_port *op, struct hmap *lflows,
 struct ds *match, struct ds *actions)
 {
- if (!op->nbrp || !op->peer || !op->od->lb_force_snat_router_ip) {
+ if (!op->nbrp || !op->peer) {
+ return;
+ }
+
+ if (op->od->is_gw_router && op->lrp_networks.n_ipv4_addrs) {
+ ds_clear(match);
+ ds_put_format(match,
+ "ip4.src == %s && icmp4.type == 3 && icmp4.code == 4",
+ op->lrp_networks.ipv4_addrs[0].addr_s);
+ ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_SNAT, 200,
+ ds_cstr(match), "next;");
+ }
+
+ if (op->od->is_gw_router && op->lrp_networks.n_ipv6_addrs > 1) {
+ ds_clear(match);
+ ds_put_format(match,
+ "ip6.src == %s && icmp6.type == 2 && icmp6.code == 0",
+ op->lrp_networks.ipv6_addrs[0].addr_s);
+ ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_SNAT, 200,
+ ds_cstr(match), "next;");
+ }
+
+ if (!op->od->lb_force_snat_router_ip) {
 return;
 }
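Review bot: The new priority-200 `ip && ct.trk && ct.inv` drop in S_ROUTER_IN_LB_AFF_LEARN carries no comment explaining why invalid conntrack state is dropped at this stage, and the otherwise identical drop this patch adds to S_ROUTER_OUT_POST_SNAT uses priority 100; if the two priorities are deliberately different, say so in one of them. Suggest above the `if (use_ct_inv_match)` a comment such as `/* Drop packets conntrack marked invalid (no ct entry for them); only emitted when ct.inv is matchable, see use_ct_inv_match. */`. build_lb_affinity_default_flows starts before this hunk.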
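Review bot: The IPv6 branch requires `op->lrp_networks.n_ipv6_addrs > 1` while the IPv4 branch only needs a non-zero `n_ipv4_addrs`, and both whitelist only `[0]`; nothing in the hunk explains the asymmetry (presumably the link-local address always occupies one slot of ipv6_addrs, so `> 1` means a configured address exists — confirm index 0 is then the configured one), and a router port with several addresses only gets its first one matched. A one-line comment on each condition would stop the next reader guessing, e.g. `/* ipv6_addrs always contains the link-local address; > 1 means a configured address is present. */`. The two blocks also repeat the `is_gw_router` test and the ds_clear/ds_put_format/ovn_lflow_add sequence, and they are SNAT-bypass flows for ICMP "packet too big" placed in a function named build_lrouter_force_snat_flows_op ahead of its `lb_force_snat_router_ip` early return, which makes the name misleading; a small static helper taking the family prefix and address, called from a separately named function, would read better. build_lrouter_force_snat_flows_op continues past the hunk.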
@@ -13856,6 +13882,21 @@ build_lrouter_out_is_dnat_local(struct hmap *lflows, struct ovn_datapath *od,
 &nat->header_);
 }
+static void
+build_lrouter_out_post_snat_flow(struct ovn_datapath *od, struct hmap *lflows)
+{
+ if (!od->nbr) {
+ return;
+ }
+
+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, 0, "1", "next;");
+
+ if (use_ct_inv_match) {
+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, 100,
+ "ip && ct.trk && ct.inv", debug_drop_action());
+ }
+}
+
 static void
 build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od,
 const struct nbrec_nat *nat, struct ds *match,
@@ -14244,7 +14285,6 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
 ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 0, "1", "next;");
 ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
 ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_UNDNAT, 0, "1", "next;");
- ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, 0, "1", "next;");
 ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
 ovn_lflow_add(lflows, od, S_ROUTER_IN_ECMP_STATEFUL, 0, "1", "next;");
@@ -14298,6 +14338,13 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
 * flag set. Some NICs are unable to offload these flows.
 */
 if (od->is_gw_router && (od->nbr->n_nat || od->has_lb_vip)) {
+ /* Do not send ND or ICMP packets to connection tracking. */
+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 100,
+ "nd || nd_rs || nd_ra", "next;");
+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 100,
+ "(ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
+ "(ip6 && icmp6.type == 2 && icmp6.code == 0)",
+ "next;");
 ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 50,
 "ip", "flags.loopback = 1; ct_dnat;");
 ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_UNDNAT, 50,
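Review bot: build_lrouter_out_post_snat_flow is added without a header comment, and its ct.inv drop is priority 100 whereas the same `ip && ct.trk && ct.inv` match this patch adds to S_ROUTER_IN_LB_AFF_LEARN is priority 200; if the two are meant to sort the same way relative to other flows in their tables, pick one value, otherwise note why they differ. Suggest a comment above the function saying it installs the Post-SNAT table defaults: the priority-0 `next;` previously emitted from build_lrouter_nat_defrag_and_lb, plus, when ct.inv can be matched (`use_ct_inv_match`), a drop for tracked packets that conntrack found invalid.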
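Review bot: The comment `/* Do not send ND or ICMP packets to connection tracking. */` overstates the second flow, which only bypasses ct_dnat for ICMPv4 type 3/code 4 and ICMPv6 type 2/code 0 (packet too big); every other ICMP message still reaches the priority-50 `ct_dnat` flow. The literal concatenation `"... icmp4.code == 4) ||" "(ip6 ..."` also produces `||(ip6` in the generated match, which the updated test expectations now bake in; `") || "` would be cleaner. Proposed comment: `/* ND and ICMP "packet too big" errors have no conntrack entry and would be marked invalid, so bypass ct_dnat for them. */`. build_lrouter_nat_defrag_and_lb starts and ends outside this hunk.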
@@ -14622,6 +14669,7 @@ build_lswitch_and_lrouter_iterate_by_od(struct ovn_datapath *od,
 build_lrouter_nat_defrag_and_lb(od, lsi->lflows, lsi->ports, &lsi->match,
 &lsi->actions, lsi->meter_groups, lsi->features);
+ build_lrouter_out_post_snat_flow(od, lsi->lflows);
 build_lb_affinity_default_flows(od, lsi->lflows);
 }
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 3d7a92ea8..c74367440 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -3622,6 +3622,12 @@ icmp6 {
 </p>
 <ul>
+ <li>
+ If <code>use_ct_inv_match</code> is set, a priority-200 flow
+ matches <code>ip && ct.trk && ct.inv</code> with
+ action <code>drop;</code>.
+ </li>
+
 <li>
 For all the configured load balancing rules for a logical router
 where a positive affinity timeout <var>T</var> is specified in <code>options
@@ -4704,6 +4710,16 @@ nd_ns {
 <h3>Egress Table 1: UNDNAT on Gateway Routers</h3>
 <ul>
+ <li>
+ For IPv6 Neighbor Discovery or Router Solicitation/Advertisement
+ traffic, a priority-100 flow with action <code>next;</code>.
+ </li>
+
+ <li>
+ For ICMPv4/ICMPv6 packet too big traffic, a priority-100 flow with
+ action <code>next;</code>.
+ </li>
+
 <li>
 For all IP packets, a priority-50 flow with an action
 <code>flags.loopback = 1; ct_dnat;</code>.
@@ -4804,6 +4820,19 @@ nd_ns {
 <p>Egress Table 3: SNAT on Gateway Routers</p>
 <ul>
+ <li>
+ <p>
+ If the Gateway router in the OVN Northbound database has been
+ configured to perform SNAT, a priority-200 flow matches
+ <code>ip4.src == <var>A</var> && icmp4.type == 3 &&
+ icmp4.code == 4</code> with an action <code>next;</code> is
+ added, where <var>A</var> is the router IP address.
+ For IPv6 traffic a similar flow is added with match
+ <code>ip6.src == <var>A</var> && icmp6.type == 2 &&
+ icmp6.code == 0</code> and action <code>next;</code>.
+ </p>
+ </li>
+
 <li>
 <p>
 If the Gateway router in the OVN Northbound database has been
@@ -4981,7 +5010,25 @@ nd_ns {
 </li>
 </ul>
- <h3>Egress Table 4: Egress Loopback</h3>
+ <h3>Egress Table 4: Post SNAT</h3>
+
+ <p>
+ Packets reaching this table are processed according to the flows below:
+ <ul>
+ <li>
+ If <code>use_ct_inv_match</code> is set, a priority-100 flow
+ matches <code>ip && ct.trk && ct.inv</code> with
+ action <code>drop;</code>.
+ </li>
+
+ <li>
+ A priority-0 logical flow that matches all packets not already
+ handled (match <code>1</code>) and action <code>next;</code>.
+ </li>
+ </ul>
+ </p>
+
+ <h3>Egress Table 5: Egress Loopback</h3>
 <p>
 For distributed logical routers where one of the logical router
@@ -5053,7 +5100,7 @@ clone {
 </li>
 </ul>
- <h3>Egress Table 5: Delivery</h3>
+ <h3>Egress Table 6: Delivery</h3>
 <p>
 Packets that reach this table are ready for delivery. It contains:
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 3fa02d2b3..d205c1c4d 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -1033,6 +1033,7 @@ AT_CHECK([grep -e "lr_out_snat" drflows | sed 's/table=../table=??/' | sort], [0
 AT_CHECK([grep -e "lr_out_snat" crflows | sed 's/table=../table=??/' | sort], [0], [dnl
 table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
 table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=200 , match=(ip4.src == 172.16.1.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $allowed_range && (!ct.trk || !ct.rpl)), action=(ct_snat(172.16.1.1);)
 ])
@@ -1065,6 +1066,7 @@ AT_CHECK([grep -e "lr_out_snat" drflows2 | sed 's/table=../table=??/' | sort], [
 AT_CHECK([grep -e "lr_out_snat" crflows2 | sed 's/table=../table=??/' | sort], [0], [dnl
 table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
 table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=200 , match=(ip4.src == 172.16.1.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.16.1.1);)
 table=??(lr_out_snat ), priority=35 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $disallowed_range), action=(next;)
 ])
@@ -1094,6 +1096,7 @@ AT_CHECK([grep -e "lr_out_snat" drflows3 | sed 's/table=../table=??/' | sort], [
 AT_CHECK([grep -e "lr_out_snat" crflows3 | sed 's/table=../table=??/' | sort], [0], [dnl
 table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
 table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=200 , match=(ip4.src == 172.16.1.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $allowed_range && (!ct.trk || !ct.rpl)), action=(ct_snat(172.16.1.2);)
 ])
@@ -1123,6 +1126,7 @@ AT_CHECK([grep -e "lr_out_snat" drflows4 | sed 's/table=../table=??/' | sort], [
 AT_CHECK([grep -e "lr_out_snat" crflows4 | sed 's/table=../table=??/' | sort], [0], [dnl
 table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
 table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=200 , match=(ip4.src == 172.16.1.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.16.1.2);)
 table=??(lr_out_snat ), priority=35 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $disallowed_range), action=(next;)
 ])
@@ -1151,6 +1155,7 @@ AT_CHECK([grep -e "lr_out_snat" drflows5 | sed 's/table=../table=??/' | sort], [
 AT_CHECK([grep -e "lr_out_snat" crflows5 | sed 's/table=../table=??/' | sort], [0], [dnl
 table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
 table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=200 , match=(ip4.src == 172.16.1.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $allowed_range), action=(ip4.src=172.16.1.2; next;)
 ])
@@ -1181,6 +1186,7 @@ AT_CHECK([grep -e "lr_out_snat" drflows6 | sed 's/table=../table=??/' | sort], [
 AT_CHECK([grep -e "lr_out_snat" crflows6 | sed 's/table=../table=??/' | sort], [0], [dnl
 table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
 table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=200 , match=(ip4.src == 172.16.1.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11), action=(ip4.src=172.16.1.2; next;)
 table=??(lr_out_snat ), priority=35 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $disallowed_range), action=(next;)
 ])
@@ -3773,7 +3779,6 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
 table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
-
 check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="20.0.0.4 aef0::4"
 ovn-sbctl dump-flows lr0 > lr0flows
@@ -3809,10 +3814,15 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [
 table=? (lr_out_snat ), priority=100 , match=(flags.force_snat_for_lb == 1 && ip4), action=(ct_snat(20.0.0.4);)
 table=? (lr_out_snat ), priority=100 , match=(flags.force_snat_for_lb == 1 && ip6), action=(ct_snat(aef0::4);)
 table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 10.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 172.168.0.100 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 20.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 ])
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -3860,10 +3870,15 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw1"), action=(ct_snat(20.0.0.1);)
 table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 10.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 172.168.0.100 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 20.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 ])
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -3925,10 +3940,16 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw1"), action=(ct_snat(20.0.0.1);)
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-sw1"), action=(ct_snat(bef0::1);)
 table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 10.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 172.168.0.100 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 20.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip6.src == bef0::1 && icmp6.type == 2 && icmp6.code == 0), action=(next;)
 ])
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -3970,6 +3991,8 @@ AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | sed 's/table=./t
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -5314,6 +5337,8 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sor
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -5325,6 +5350,8 @@ AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort],
 AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
 table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 10.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 172.168.0.10 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=? (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.10);)
 table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.30);)
 table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.20);)
@@ -5379,6 +5406,8 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sor
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -5392,6 +5421,8 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.10);)
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
 table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 10.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 172.168.0.10 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=? (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.10);)
 table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.30);)
 table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.20);)
@@ -5449,6 +5480,8 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sor
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -5462,6 +5495,8 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.10);)
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
 table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 10.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 172.168.0.10 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
 table=? (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.10);)
 table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.30);)
 table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.20);)
@@ -5532,6 +5567,8 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sor
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -5547,6 +5584,10 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-public"), action=(ct_snat(def0::10);)
 table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-sw0"), action=(ct_snat(aef0::1);)
 table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 10.0.0.1 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip4.src == 172.168.0.10 && icmp4.type == 3 && icmp4.code == 4), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip6.src == aef0::1 && icmp6.type == 2 && icmp6.code == 0), action=(next;)
+ table=? (lr_out_snat ), priority=200 , match=(ip6.src == def0::10 && icmp6.type == 2 && icmp6.code == 0), action=(next;)
 table=? (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.10);)
 table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.30);)
 table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3 && (!ct.trk || !ct.rpl)), action=(ct_snat(172.168.0.20);)
@@ -5594,6 +5635,8 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sor
 AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
 table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(nd || nd_rs || nd_ra), action=(next;)
 table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
 ])
@@ -8214,6 +8257,7 @@ AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sort], [0], [dnl
 ])
 AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sort], [0], [dnl
 table=8 (lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;)
+ table=8 (lr_in_lb_aff_learn ), priority=200 , match=(ip && ct.trk && ct.inv), action=(drop;)
 ])
 ovn-nbctl --wait=sb set load_balancer lb0 options:affinity_timeout=60
@@ -8260,6 +8304,7 @@ AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sort], [0], [dnl
 table=8 (lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;)
 table=8 (lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */)
 table=8 (lr_in_lb_aff_learn ), priority=100 , match=(reg9[[6]] == 0 && ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */)
+ table=8 (lr_in_lb_aff_learn ), priority=200 , match=(ip && ct.trk && ct.inv), action=(drop;)
 ])
 AS_BOX([Test LR flows - skip_snat=true])
diff --git a/tests/ovn.at b/tests/ovn.at
index e9b8bc677..d217fff1c 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -12245,7 +12245,7 @@ nexthop_mac="f00000010204"
 AS_BOX([Send ip packet from foo1 to 8.8.8.8])
 src_mac="f00000010203"
 dst_mac="000001010203"
-packet=${foo_mac}${foo1_mac}08004500001c0000000040110000${foo1_ip}${dst_ip}0035111100080000
+packet=${foo_mac}${foo1_mac}080045000028000000004006a916${foo1_ip}${dst_ip}0035111112345678000000005002faf069450000
 AS_BOX([Wait for GARPs announcing gw IP to arrive])
 OVS_WAIT_UNTIL([
@@ -12256,15 +12256,12 @@ grep actions=mod_dl_dst:f0:00:00:01:02:04 | wc -l` -eq 1
 AS_BOX([Verify VLAN tagged packet on bridge connecting hv1 and hv2])
 # VLAN tagged packet with router port(192.168.1.1) MAC as destination MAC
 # is expected on bridge connecting hv1 and hv2
-expected=${foo_mac}${foo1_mac}8100000208004500001c0000000040110000${foo1_ip}${dst_ip}0035111100080000
+expected=${foo_mac}${foo1_mac}81000002080045000028000000004006a916${foo1_ip}${dst_ip}0035111112345678000000005002faf069450000
 echo $expected > hv1-br-ex_n2.expected
 AS_BOX([Verify packet at outside1 i.e nexthop(172.16.1.1) port])
 # Packet to Expect at outside1 i.e nexthop(172.16.1.1) port.
- # As connection tracking not enabled for this test, snat can't be done on the packet.
- # We still see foo1 as the source ip address. But source mac(gateway MAC) and
- # dest mac(nexthop mac) are properly configured.
-expected=${nexthop_mac}${gw_mac}08004500001c000000003f110100${foo1_ip}${dst_ip}0035111100080000
+expected=${nexthop_mac}${gw_mac}080045000028000000003f06beaa${gw_ip}${dst_ip}0035111112345678000000005002faf07dd90000
 echo $expected > hv3-vif1.expected
 check as hv1 ovs-appctl dpctl/del-flows
@@ -12295,7 +12292,7 @@ cat hv1-br-ex_n2.expected > expout
 AT_CHECK([sort hv1-br-ex_n2], [0], [expout])
 AS_BOX([Check expected packet on nexthop interface])
-$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv3/vif1-tx.pcap | grep ${foo1_ip}${dst_ip} | uniq > hv3-vif1
+$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv3/vif1-tx.pcap | grep ${gw_ip}${dst_ip} | uniq > hv3-vif1
 cat hv3-vif1.expected > expout
 AT_CHECK([sort hv3-vif1], [0], [expout])
@@ -19696,7 +19693,7 @@ test_ip_packet_larger() {
 # Set the packet length to 114.
 pkt_len=0072
 packet=${dst_mac}${src_mac}08004500${pkt_len}000000004001c3dd
- orig_packet_l3=${src_ip}${dst_ip}0304fcfb00000000
+ orig_packet_l3=${src_ip}${dst_ip}0800f7ff00000000
 orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
 orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
 orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
@@ -19720,10 +19717,10 @@ test_ip_packet_larger() {
 # Packet to expect at br-phys.
 src_mac="000020201213"
 dst_mac="00000012af11"
- src_ip=`ip_to_hex 10 0 0 3`
+ src_ip=`ip_to_hex 172 168 0 100`
 dst_ip=`ip_to_hex 172 168 0 3`
- expected=${dst_mac}${src_mac}08004500${pkt_len}000000003f01c4dd
- expected=${expected}${src_ip}${dst_ip}0304fcfb00000000
+ expected=${dst_mac}${src_mac}08004500${pkt_len}000000003f0121d4
+ expected=${expected}${src_ip}${dst_ip}0800f7ff00000000
 expected=${expected}000000000000000000000000000000000000
 expected=${expected}000000000000000000000000000000000000
 expected=${expected}000000000000000000000000000000000000
@@ -19784,7 +19781,7 @@ test_ip_packet_larger_ext() {
 # Set the packet length to 114.
 pkt_len=0072
 packet=${dst_mac}${src_mac}08004500${pkt_len}000000004001${checksum}
- orig_packet_l3=${src_ip}${dst_ip}0900000000000000
+ orig_packet_l3=${src_ip}${dst_ip}0800f7ff00000000
 orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
 orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
 orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
@@ -19801,7 +19798,7 @@ test_ip_packet_larger_ext() {
 dst_ip=`ip_to_hex 172 168 0 4`
 # pkt len should be 146 (28 (icmp packet) + 118 (orig ip + payload))
 reply_pkt_len=008e
- ip_csum=f39b
+ ip_csum=$7
 icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe01${reply_checksum}
 icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf "%04x" $mtu)
 icmp_reply=${icmp_reply}4500${pkt_len}000000004001${checksum}
@@ -19976,10 +19973,10 @@ OVS_WAIT_FOR_OUTPUT([
 ])
 AS_BOX([testing ingress traffic mtu 100 - IPv4])
-test_ip_packet_larger_ext 1 000020201213 $(ip_to_hex 172 168 0 100) 20cf 100 22b6
+test_ip_packet_larger_ext 1 000020201213 $(ip_to_hex 172 168 0 100) 20d3 100 22b6 fc97
 AS_BOX([testing ingress traffic mtu 100 - IPv4 FIP])
-test_ip_packet_larger_ext 2 f00000010204 $(ip_to_hex 172 168 0 110) 20c5 100 22ac
+test_ip_packet_larger_ext 2 f00000010204 $(ip_to_hex 172 168 0 110) 20c5 100 22ac fc9b
 AS_BOX([testing ingress traffic mtu 100 - IPv6])
 test_ip6_packet_larger_ext 1 000020201213 20000000000000000000000000000001 100 cc7a
@@ -20046,10 +20043,10 @@ OVS_WAIT_FOR_OUTPUT([
 ])
 AS_BOX([testing ingress traffic mtu 100 for gw router - IPv4])
-test_ip_packet_larger_ext 1 000020201213 $(ip_to_hex 172 168 0 100) 20cf 100 22b6
+test_ip_packet_larger_ext 1 000020201213 $(ip_to_hex 172 168 0 100) 20d3 100 22b6 fc97
 AS_BOX([testing ingress traffic mtu 100 for gw router - IPv6])
-test_ip6_packet_larger_ext 1 000020201213 20000000000000000000000000000001 100 cc7a
+test_ip6_packet_larger_ext 1 000020201213 20000000000000000000000000000001 100 cc7a fc9b
 OVN_CLEANUP([hv1])
 AT_CLEANUP
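Review bot: `ip_csum=$7` turns a constant into a seventh positional argument of test_ip_packet_larger_ext, but neither the function nor its callers say what it is, and the value lands in the ICMP checksum field of `icmp_reply` (`0304${ip_csum}0000`), so the name is misleading. Suggest `icmp_csum=$7` and a comment at the top of the function listing the positional arguments in order. The function body starts before this hunk.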
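Review bot: The gateway-router IPv6 case gains a trailing argument, `test_ip6_packet_larger_ext 1 000020201213 20000000000000000000000000000001 100 cc7a fc9b`, while the same call in the earlier mtu-100 block (the hunk at 19976) is left unchanged and the diff does not touch test_ip6_packet_larger_ext itself. If the IPv6 helper reads no sixth argument this looks copied from the IPv4 line above it and should be dropped; if it does, the other call site needs the same argument.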
@@ -27122,22 +27119,24 @@ sleep 5
 send_ipv4_pkt() {
 local hv=$1 inport=$2 eth_src=$3 eth_dst=$4
 local ip_src=$5 ip_dst=$6
- packet=${eth_dst}${eth_src}08004500001c0000000040110000${ip_src}${ip_dst}0035111100080000
+ local ip_cksum=$7 tcp_cksum=$8
+ packet=${eth_dst}${eth_src}080045000028000000004006${ip_cksum}${ip_src}${ip_dst}0035111112345678000000005002faf0${tcp_cksum}0000
 tcpdump_hex $packet
 as $hv ovs-appctl netdev-dummy/receive ${inport} ${packet}
 }
 send_icmp6_packet() {
- local hv=$1 inport=$2 eth_src=$3 eth_dst=$4 ipv6_src=$5 ipv6_dst=$6
+ local hv=$1 inport=$2 eth_src=$3 eth_dst=$4 ipv6_src=$5 ipv6_dst=$6 tcp_cksum=$7
- local ip6_hdr=6000000000083aff${ipv6_src}${ipv6_dst}
- local packet=${eth_dst}${eth_src}86dd${ip6_hdr}8000dcb662f00001
+ local ip6_hdr=60000000001406ff${ipv6_src}${ipv6_dst}
+ local packet=${eth_dst}${eth_src}86dd${ip6_hdr}0035111112345678000000005002faf0${tcp_cksum}0000
 as $hv ovs-appctl netdev-dummy/receive ${inport} ${packet}
 }
 send_ipv4_pkt hv1 hv1-vif1 505400000003 00000000ff01 \
- $(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120)
+ $(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120) \
+ c3ad 83dc
 AT_CAPTURE_FILE([offlows2])
 OVS_WAIT_UNTIL([
@@ -27154,7 +27153,8 @@ AT_CHECK([
 # Send the pkt from sw0-port2. Packet should not be marked.
 send_ipv4_pkt hv1 hv1-vif2 505400000004 00000000ff01 \
- $(ip_to_hex 10 0 0 4) $(ip_to_hex 172 168 0 120)
+ $(ip_to_hex 10 0 0 4) $(ip_to_hex 172 168 0 120) \
+ c3ac 83db
 AT_CHECK([
 test 1 -eq $(as hv1 ovs-ofctl dump-flows br-phys table=0 | \
@@ -27188,7 +27188,8 @@ AT_CHECK([
 ovn-nbctl set logical_router_policy $pol1 options:pkt_mark=2
 send_ipv4_pkt hv1 hv1-vif1 505400000003 00000000ff01 \
- $(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120)
+ $(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120) \
+ c3ad 83dc
 OVS_WAIT_UNTIL([
 test 1 -eq $(as hv1 ovs-ofctl dump-flows br-int table=23 | \
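Review bot: send_icmp6_packet now emits a TCP segment over IPv6 (next header `06`, payload `0035 1111 ... 5002 faf0 ${tcp_cksum}`) and takes a `tcp_cksum` argument, so its name no longer describes what it sends; rename it, e.g. `send_tcp6_pkt`, to sit alongside send_ipv4_pkt, which likewise switched from UDP to TCP. The bare checksum literals handed to every call site (`c3ad 83dc`, `c3ac 83db`, `c3ab 83da`, `cd16`, `cd15`) are unexplained; a comment on each helper stating that the caller passes the precomputed IPv4 header and TCP checksums for the given address pair, and that they must be recomputed when an address changes, would save the next person editing these tests a debugging session.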
@@ -27221,7 +27222,8 @@ AT_CHECK([
 # Send with src ip 10.0.0.5. The reroute policy should be hit
 # and the packet should be marked with 5.
 send_ipv4_pkt hv1 hv1-vif1 505400000003 00000000ff01 \
- $(ip_to_hex 10 0 0 5) $(ip_to_hex 172 168 0 120)
+ $(ip_to_hex 10 0 0 5) $(ip_to_hex 172 168 0 120) \
+ c3ab 83da
 OVS_WAIT_UNTIL([
 test 1 -eq $(as hv1 ovs-ofctl dump-flows br-phys table=0 | \
@@ -27233,7 +27235,7 @@ OVS_WAIT_UNTIL([
 src_ip6=aef00000000000000000000000000004
 dst_ip6=bef00000000000000000000000000004
-send_icmp6_packet hv1 hv1-vif2 505400000004 00000000ff01 ${src_ip6} ${dst_ip6}
+send_icmp6_packet hv1 hv1-vif2 505400000004 00000000ff01 ${src_ip6} ${dst_ip6} cd16
 OVS_WAIT_UNTIL([
 test 1 -eq $(as hv1 ovs-ofctl dump-flows br-phys table=0 | \
@@ -27253,7 +27255,7 @@ AT_CHECK([
 src_ip6=aef00000000000000000000000000004
 dst_ip6=bef00000000000000000000000000005
-send_icmp6_packet hv1 hv1-vif2 505400000004 00000000ff01 ${src_ip6} ${dst_ip6}
+send_icmp6_packet hv1 hv1-vif2 505400000004 00000000ff01 ${src_ip6} ${dst_ip6} cd15
 OVS_WAIT_UNTIL([
 test 1 -eq $(as hv1 ovs-ofctl dump-flows br-phys table=0 | \
@@ -28527,7 +28529,7 @@ src_mac="f00000000102"
 dst_mac="000000000101"
 src_ip=`ip_to_hex 10 0 1 2`
 dst_ip=`ip_to_hex 10 0 1 1`
-packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}${dst_ip}0035111100080000
+packet=${dst_mac}${src_mac}08004500001c00000000401164cf${src_ip}${dst_ip}0035111100080000
 as hv1 ovs-appctl netdev-dummy/receive hv1-vif1 $packet
 # Even after configuring a router owned IP for SNAT, no packet-ins should
@@ -28553,7 +28555,7 @@ src_mac="f00000000202"
 dst_mac="000000000201"
 src_ip=`ip_to_hex 10 0 2 2`
 dst_ip=`ip_to_hex 10 0 1 1`
-packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}${dst_ip}0035111100080000
+packet=${dst_mac}${src_mac}08004500001c00000000401163cf${src_ip}${dst_ip}0035111100080000
 as hv1 ovs-appctl netdev-dummy/receive hv1-vif2 $packet
 # Still no packet-ins should reach ovn-controller.
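Review bot: The IPv4 header checksum is now baked into the packet literal as `64cf` (and `63cf` in the following hunk) between the protocol byte and `${src_ip}`, but nothing ties it to the `src_ip`/`dst_ip` assignments two lines above; change either address and the test quietly goes back to sending a bad-checksum packet, which is presumably the very condition this series wants conntrack to flag as invalid. A comment on the packet line, `# IP header checksum 64cf is for 10.0.1.2 -> 10.0.1.1 with this fixed header; recompute if the addresses change`, makes the coupling visible to whoever next edits these addresses.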
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 2ece0f571..251b91530 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -5950,10 +5950,10 @@ tcp,orig=(src=172.16.0.1,dst=10.0.0.2,sport=<cleared>,dport=<cleared>),reply=(sr
 # Ensure datapaths show conntrack states as expected
 # Like with conntrack entries, we shouldn't try to predict
 # port binding tunnel keys. So omit them from expected labels.
-AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(+new-est-rpl+trk).*ct(.*label=0x401020400000000/.*)' -c], [0], [dnl
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(+new-est-rpl-inv+trk).*ct(.*label=0x401020400000000/.*)' -c], [0], [dnl
 1
 ])
-AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(-new+est+rpl+trk).*ct_label(0x401020400000000)' -c], [0], [dnl
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(-new+est+rpl-inv+trk).*ct_label(0x401020400000000)' -c], [0], [dnl
 1
 ])
@@ -5968,10 +5968,10 @@ ovn-nbctl set Logical_Switch_Port r2-ext \
 ovn-nbctl --wait=hv sync
 NS_CHECK_EXEC([bob1], [nc -z 10.0.0.2 80], [0])
-AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(+new-est-rpl+trk).*ct(.*label=0x1001020400000000/.*)' -c], [0], [dnl
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(+new-est-rpl-inv+trk).*ct(.*label=0x1001020400000000/.*)' -c], [0], [dnl
 1
 ])
-AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(-new+est+rpl+trk).*ct_label(0x1001020400000000)' -c], [0], [dnl
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(-new+est+rpl-inv+trk).*ct_label(0x1001020400000000)' -c], [0], [dnl
 1
 ])
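Review bot: The grep patterns now require `-inv` inside the datapath `ct_state(...)` match, i.e. the test asserts that the installed megaflows explicitly test the invalid bit, but the surrounding comment still only talks about not predicting tunnel keys and says nothing about why the invalid bit is expected. If the router-stage `ct.inv` match that produces this bit is configurable in northd, the `-c` count would drop to 0 under the other setting and fail without explanation, so the test should either pin that setting or state the assumption. A line such as `# -inv is expected: the router pipelines now match ct.inv explicitly, so the datapath flow tests that bit too` next to the first AT_CHECK records the intent.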
@@ -6135,11 +6135,11 @@ NS_CHECK_EXEC([bob1], [nc -6 -z fd01::2 80], [0])
 # Ensure datapaths show conntrack states as expected
 # Like with conntrack entries, we shouldn't try to predict
 # port binding tunnel keys. So omit them from expected labels.
-AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(+new-est-rpl+trk).*ct(.*label=0x401020400000000/.*)' -c], [0], [dnl
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(+new-est-rpl-inv+trk).*ct(.*label=0x401020400000000/.*)' -c], [0], [dnl
 1
 ])
-AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(-new+est+rpl+trk).*ct_label(0x401020400000000)' -c], [0], [dnl
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(-new+est+rpl-inv+trk).*ct_label(0x401020400000000)' -c], [0], [dnl
 1
 ])
@@ -6162,10 +6162,10 @@ ovn-nbctl set Logical_Switch_Port r2-ext \
 NS_CHECK_EXEC([bob1], [nc -6 -z fd01::2 80], [0])
-AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(+new-est-rpl+trk).*ct(.*label=0x1001020400000000/.*)' -c], [0], [dnl
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(+new-est-rpl-inv+trk).*ct(.*label=0x1001020400000000/.*)' -c], [0], [dnl
 1
 ])
-AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(-new+est+rpl+trk).*ct_label(0x1001020400000000)' -c], [0], [dnl
+AT_CHECK([ovs-appctl dpctl/dump-flows | grep 'ct_state(-new+est+rpl-inv+trk).*ct_label(0x1001020400000000)' -c], [0], [dnl
 1
 ])
-- 
2.39.1
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
