On Mon, Mar 20, 2023 at 2:30 PM Lorenzo Bianconi
<[email protected]> wrote:
>
> Drop ip packets with ct status set to invalid in post snat and
> lb_aff_learn router stages.
> Skip ICMPv{4,6} error messages packet in ct.inv rules in order to avoid
> to introduce too complicated code.
>
> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2160685
> Reviewed-by: Simon Horman <[email protected]>
> Signed-off-by: Lorenzo Bianconi <[email protected]>
> ---
> Changes since v3:
> - rebase on top of ovn main branch
> Changes since v2:
> - rebase on top of ovn main branch
> - cosmetics
> Changes since v1:
> - skip ICMPv{4,6} error messages packet in ct.inv rules
> - this series is based on the following series not yet applied in ovn master:
>   https://patchwork.ozlabs.org/project/ovn/list/?series=343841

Hi Lorenzo,

The patch overall LGTM.

I have a few minor comments.  Please see below.


> ---
>  northd/northd.c         | 30 ++++++++++++++++++++-
>  northd/ovn-northd.8.xml | 43 +++++++++++++++++++++++++++--
>  tests/ovn-northd.at     | 13 +++++++++
>  tests/ovn.at            | 60 +++++++++++++++++++++--------------------
>  tests/system-ovn.at     | 16 +++++------
>  5 files changed, 122 insertions(+), 40 deletions(-)
>
> diff --git a/northd/northd.c b/northd/northd.c
> index 5f0b436c2..5884f50e1 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -13822,6 +13822,31 @@ build_lrouter_out_is_dnat_local(struct hmap *lflows, 
> struct ovn_datapath *od,
>                              &nat->header_);
>  }
>
> +static void
> +build_lrouter_drop_ct_inv_flow(struct ovn_datapath *od, struct hmap *lflows)

> +{
> +    if (!od->nbr) {
> +        return;
> +    }
> +
> +    ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, 0, "1", "next;");

Small nit - Since the name of the function is -
build_lrouter_drop_ct_inv_flow(), I'd suggest moving the above logical
flow with prio-0 back to its original place.




> +
> +    if (use_ct_inv_match) {

Can you please add a few comments on the icmp type and codes used below.
It's not obvious the logical flow is added to advance the Packet too
big icmp packets.

With these addressed :

Acked-by: Numan Siddique <[email protected]>


I'm not too sure if it's a good idea to add a new predicate symbol in
the symbol table (in lib/logical-fields.c) for these icmp error types
and codes ?

Like

expr_symtab_add_predicate(symtab, "icmp4_too_big", "icmp4.type == 3 &&
icmp4.code == 4");

I don't like the name - icmp4_too_big though.

Thoughts ?

@Dumitru Ceara wdyt ?

I'm fine if we don't want to add this as this could result in
ovn-controllers rejecting the logical flow if ovn-northd is upgraded
first.

Thanks
Numan



> +        ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, 150,
> +                      "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
> +                      " (ip6 && icmp6.type == 2 && icmp6.code == 0))",
> +                      "next;");
> +        ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, 100,
> +                      "ip && ct.trk && ct.inv", debug_drop_action());
> +        ovn_lflow_add(lflows, od, S_ROUTER_IN_LB_AFF_LEARN, 250,
> +                      "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
> +                      " (ip6 && icmp6.type == 2 && icmp6.code == 0))",
> +                      "next;");
> +        ovn_lflow_add(lflows, od, S_ROUTER_IN_LB_AFF_LEARN, 200,
> +                      "ip && ct.trk && ct.inv", debug_drop_action());
> +    }
> +}
> +
>  static void
>  build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od,
>                              const struct nbrec_nat *nat, struct ds *match,
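
Review bot: the bypass flows at priority 150 and 250 in build_lrouter_drop_ct_inv_flow() match only "icmp4.type == 3 && icmp4.code == 4" and "icmp6.type == 2 && icmp6.code == 0", while the commit message speaks of skipping ICMPv{4,6} error messages in general. Any other ICMP error packet that conntrack marks invalid still hits the "ip && ct.trk && ct.inv" drop at priority 100/200. Either narrow the commit message to packet-too-big only, or widen the match. The same match string is also spelled out twice; a single #define shared by both ovn_lflow_add() calls, with a comment naming the type and code values, would keep the two stages in sync.
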
> @@ -14210,7 +14235,6 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath 
> *od, struct hmap *lflows,
>      ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 0, "1", "next;");
>      ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
>      ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_UNDNAT, 0, "1", "next;");
> -    ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, 0, "1", "next;");
>      ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
>      ovn_lflow_add(lflows, od, S_ROUTER_IN_ECMP_STATEFUL, 0, "1", "next;");
>
> @@ -14264,6 +14288,9 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath 
> *od, struct hmap *lflows,
>       * flag set. Some NICs are unable to offload these flows.
>       */
>      if (od->is_gw_router && (od->nbr->n_nat || od->has_lb_vip)) {
> +        /* Do not send ND or ICMP packets to connection tracking. */
> +        ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 100,
> +                      "nd || nd_rs || nd_ra", "next;");
>          ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 50,
>                        "ip", "flags.loopback = 1; ct_dnat;");
>          ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_UNDNAT, 50,
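
Review bot: the comment added above the priority-100 S_ROUTER_OUT_UNDNAT flow says "Do not send ND or ICMP packets to connection tracking", but the match is "nd || nd_rs || nd_ra", which does not cover ICMP in general. Reword the comment to name only ND/RS/RA, or extend the match if ICMP was meant. This flow is also not mentioned in the commit message; a line there explaining why ND has to bypass ct_dnat in this stage would help.
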
> @@ -14588,6 +14615,7 @@ build_lswitch_and_lrouter_iterate_by_od(struct 
> ovn_datapath *od,
>      build_lrouter_nat_defrag_and_lb(od, lsi->lflows, lsi->ports, &lsi->match,
>                                      &lsi->actions, lsi->meter_groups,
>                                      lsi->features);
> +    build_lrouter_drop_ct_inv_flow(od, lsi->lflows);
>      build_lb_affinity_default_flows(od, lsi->lflows);
>  }
>
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index 5d513e65a..2e7f0cac5 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -3656,6 +3656,17 @@ icmp6 {
>      </p>
>
>      <ul>
> +      <li>
> +        For ICMPv4/ICMPv6 packet too big traffic, a priority-250 flow with
> +        action <code>next;</code>.
> +      </li>
> +
> +      <li>
> +        If <code>use_ct_inv_match</code> is set, a priority-200 flow
> +        matches <code>ip &amp;&amp; ct.trk &amp;&amp; ct.inv</code> with
> +        action <code>drop;</code>.
> +      </li>
> +
>        <li>
>          For all the configured load balancing rules for a logical router 
> where
>          a positive affinity timeout <var>T</var> is specified in 
> <code>options
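
Review bot: the priority-250 list item is documented without a condition, but in northd.c that flow is added inside "if (use_ct_inv_match)" together with the priority-200 drop. Start both list items with "If use_ct_inv_match is set" so the man page matches the code.
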
> @@ -4715,6 +4726,11 @@ nd_ns {
>      <h3>Egress Table 1: UNDNAT on Gateway Routers</h3>
>
>      <ul>
> +      <li>
> +        For IPv6 Neighbor Discovery or Router Solicitation/Advertisement
> +        traffic, a priority-100 flow with action <code>next;</code>.
> +      </li>
> +
>        <li>
>          For all IP packets, a priority-50 flow with an action
>          <code>flags.loopback = 1; ct_dnat;</code>.
> @@ -4992,7 +5008,30 @@ nd_ns {
>        </li>
>      </ul>
>
> -    <h3>Egress Table 4: Egress Loopback</h3>
> +    <h3>Egress Table 4: Post SNAT</h3>
> +
> +    <p>
> +      Packets reaching this table are processed according to the flows below:
> +      <ul>
> +        <li>
> +          For ICMPv4/ICMPv6 packet too big traffic, a priority-150 flow with
> +          action <code>next;</code>.
> +        </li>
> +
> +        <li>
> +          If <code>use_ct_inv_match</code> is set, a priority-100 flow
> +          matches <code>ip &amp;&amp; ct.trk &amp;&amp; ct.inv</code> with
> +          action <code>drop;</code>.
> +        </li>
> +
> +        <li>
> +          A priority-0 logical flow that matches all packets not already
> +          handled (match <code>1</code>) and action <code>next;</code>.
> +        </li>
> +      </ul>
> +    </p>
> +
> +    <h3>Egress Table 5: Egress Loopback</h3>
>
>      <p>
>        For distributed logical routers where one of the logical router
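
Review bot: in the new "Egress Table 4: Post SNAT" section the ul list is opened inside the p element, whereas the context lines of the first hunk in this file close the paragraph before opening the list. Close the paragraph after the introductory sentence. As in the LB affinity section, the priority-150 flow is only installed when use_ct_inv_match is set in northd.c, and the text should say so.
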
> @@ -5064,7 +5103,7 @@ clone {
>        </li>
>      </ul>
>
> -    <h3>Egress Table 5: Delivery</h3>
> +    <h3>Egress Table 6: Delivery</h3>
>
>      <p>
>        Packets that reach this table are ready for delivery.  It contains:
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index ef29233db..2855f198e 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -3813,6 +3813,7 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 
> 's/table=./table=?/' | sort], [0], [
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -3864,6 +3865,7 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 
> 's/table=./table=?/' | sort], [0], [
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -3929,6 +3931,7 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 
> 's/table=./table=?/' | sort], [0], [
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -3970,6 +3973,7 @@ AT_CHECK([grep "lr_out_snat" lr0flows | grep 
> skip_snat_for_lb | sed 's/table=./t
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -5315,6 +5319,7 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 
> 's/table=./table=?/' | sor
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -5380,6 +5385,7 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 
> 's/table=./table=?/' | sor
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -5450,6 +5456,7 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 
> 's/table=./table=?/' | sor
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -5533,6 +5540,7 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 
> 's/table=./table=?/' | sor
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -5595,6 +5603,7 @@ AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 
> 's/table=./table=?/' | sor
>
>  AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], 
> [0], [dnl
>    table=? (lr_out_undnat      ), priority=0    , match=(1), action=(next;)
> +  table=? (lr_out_undnat      ), priority=100  , match=(nd || nd_rs || 
> nd_ra), action=(next;)
>    table=? (lr_out_undnat      ), priority=50   , match=(ip), 
> action=(flags.loopback = 1; ct_dnat;)
>  ])
>
> @@ -8231,6 +8240,8 @@ AT_CHECK([grep "lr_in_lb_aff_check" R1flows | sort], 
> [0], [dnl
>  ])
>  AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sort], [0], [dnl
>    table=8 (lr_in_lb_aff_learn ), priority=0    , match=(1), action=(next;)
> +  table=8 (lr_in_lb_aff_learn ), priority=200  , match=(ip && ct.trk && 
> ct.inv), action=(drop;)
> +  table=8 (lr_in_lb_aff_learn ), priority=250  , match=(((ip4 && icmp4.type 
> == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0))), 
> action=(next;)
>  ])
>
>  ovn-nbctl --wait=sb set load_balancer lb0 options:affinity_timeout=60
> @@ -8277,6 +8288,8 @@ AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | sort], 
> [0], [dnl
>    table=8 (lr_in_lb_aff_learn ), priority=0    , match=(1), action=(next;)
>    table=8 (lr_in_lb_aff_learn ), priority=100  , match=(reg9[[6]] == 0 && 
> ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 
> 10.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", 
> backend = "10.0.0.2:80", proto = tcp, timeout = 60); /* drop */)
>    table=8 (lr_in_lb_aff_learn ), priority=100  , match=(reg9[[6]] == 0 && 
> ct.new && ip4 && reg0 == 172.16.0.10 && reg9[[16..31]] == 80 && ip4.dst == 
> 20.0.0.2 && tcp.dst == 80), action=(commit_lb_aff(vip = "172.16.0.10:80", 
> backend = "20.0.0.2:80", proto = tcp, timeout = 60); /* drop */)
> +  table=8 (lr_in_lb_aff_learn ), priority=200  , match=(ip && ct.trk && 
> ct.inv), action=(drop;)
> +  table=8 (lr_in_lb_aff_learn ), priority=250  , match=(((ip4 && icmp4.type 
> == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0))), 
> action=(next;)
>  ])
>
>  AS_BOX([Test LR flows - skip_snat=true])
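
Review bot: the new expectations in this file cover lr_out_undnat and lr_in_lb_aff_learn, but none of its hunks checks the priority-150 and priority-100 flows that the patch adds to S_ROUTER_OUT_POST_SNAT. Add an AT_CHECK on the post-SNAT stage so both stages touched by build_lrouter_drop_ct_inv_flow() are covered, ideally with use_ct_inv_match both on and off.
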
> diff --git a/tests/ovn.at b/tests/ovn.at
> index c2883ffca..4aa67673e 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -12254,7 +12254,7 @@ nexthop_mac="f00000010204"
>  AS_BOX([Send ip packet from foo1 to 8.8.8.8])
>  src_mac="f00000010203"
>  dst_mac="000001010203"
> -packet=${foo_mac}${foo1_mac}08004500001c0000000040110000${foo1_ip}${dst_ip}0035111100080000
> +packet=${foo_mac}${foo1_mac}080045000028000000004006a916${foo1_ip}${dst_ip}0035111112345678000000005002faf069450000
>
>  AS_BOX([Wait for GARPs announcing gw IP to arrive])
>  OVS_WAIT_UNTIL([
> @@ -12265,15 +12265,12 @@ grep actions=mod_dl_dst:f0:00:00:01:02:04 | wc -l` 
> -eq 1
>  AS_BOX([Verify VLAN tagged packet on bridge connecting hv1 and hv2])
>  # VLAN tagged packet with router port(192.168.1.1) MAC as destination MAC
>  # is expected on bridge connecting hv1 and hv2
> -expected=${foo_mac}${foo1_mac}8100000208004500001c0000000040110000${foo1_ip}${dst_ip}0035111100080000
> +expected=${foo_mac}${foo1_mac}81000002080045000028000000004006a916${foo1_ip}${dst_ip}0035111112345678000000005002faf069450000
>  echo $expected > hv1-br-ex_n2.expected
>
>  AS_BOX([Verify packet at outside1 i.e nexthop(172.16.1.1) port])
>  # Packet to Expect at outside1 i.e nexthop(172.16.1.1) port.
> -# As connection tracking not enabled for this test, snat can't be done on 
> the packet.
> -# We still see foo1 as the source ip address. But source mac(gateway MAC) and
> -# dest mac(nexthop mac) are properly configured.
> -expected=${nexthop_mac}${gw_mac}08004500001c000000003f110100${foo1_ip}${dst_ip}0035111100080000
> +expected=${nexthop_mac}${gw_mac}080045000028000000003f06beaa${gw_ip}${dst_ip}0035111112345678000000005002faf07dd90000
>  echo $expected > hv3-vif1.expected
>
>  check as hv1 ovs-appctl revalidator/purge
> @@ -12304,7 +12301,7 @@ cat hv1-br-ex_n2.expected > expout
>  AT_CHECK([sort hv1-br-ex_n2], [0], [expout])
>
>  AS_BOX([Check expected packet on nexthop interface])
> -$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv3/vif1-tx.pcap | grep 
> ${foo1_ip}${dst_ip} | uniq > hv3-vif1
> +$PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv3/vif1-tx.pcap | grep 
> ${gw_ip}${dst_ip} | uniq > hv3-vif1
>  cat hv3-vif1.expected > expout
>  AT_CHECK([sort hv3-vif1], [0], [expout])
>
> @@ -19705,7 +19702,7 @@ test_ip_packet_larger() {
>      # Set the packet length to 114.
>      pkt_len=0072
>      packet=${dst_mac}${src_mac}08004500${pkt_len}000000004001c3dd
> -    orig_packet_l3=${src_ip}${dst_ip}0304fcfb00000000
> +    orig_packet_l3=${src_ip}${dst_ip}0800f7ff00000000
>      orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
>      orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
>      orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
> @@ -19729,10 +19726,10 @@ test_ip_packet_larger() {
>          # Packet to expect at br-phys.
>          src_mac="000020201213"
>          dst_mac="00000012af11"
> -        src_ip=`ip_to_hex 10 0 0 3`
> +        src_ip=`ip_to_hex 172 168 0 100`
>          dst_ip=`ip_to_hex 172 168 0 3`
> -        expected=${dst_mac}${src_mac}08004500${pkt_len}000000003f01c4dd
> -        expected=${expected}${src_ip}${dst_ip}0304fcfb00000000
> +        expected=${dst_mac}${src_mac}08004500${pkt_len}000000003f0121d4
> +        expected=${expected}${src_ip}${dst_ip}0800f7ff00000000
>          expected=${expected}000000000000000000000000000000000000
>          expected=${expected}000000000000000000000000000000000000
>          expected=${expected}000000000000000000000000000000000000
> @@ -19793,7 +19790,7 @@ test_ip_packet_larger_ext() {
>      # Set the packet length to 114.
>      pkt_len=0072
>      packet=${dst_mac}${src_mac}08004500${pkt_len}000000004001${checksum}
> -    orig_packet_l3=${src_ip}${dst_ip}0900000000000000
> +    orig_packet_l3=${src_ip}${dst_ip}0800f7ff00000000
>      orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
>      orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
>      orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
> @@ -19810,7 +19807,7 @@ test_ip_packet_larger_ext() {
>      dst_ip=`ip_to_hex 172 168 0 4`
>      # pkt len should be 146 (28 (icmp packet) + 118 (orig ip + payload))
>      reply_pkt_len=008e
> -    ip_csum=f39b
> +    ip_csum=$7
>      
> icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe01${reply_checksum}
>      icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf 
> "%04x" $mtu)
>      icmp_reply=${icmp_reply}4500${pkt_len}000000004001${checksum}
> @@ -19985,10 +19982,10 @@ OVS_WAIT_FOR_OUTPUT([
>  ])
>
>  AS_BOX([testing ingress traffic mtu 100 - IPv4])
> -test_ip_packet_larger_ext 1 000020201213 $(ip_to_hex 172 168 0 100) 20cf 100 
> 22b6
> +test_ip_packet_larger_ext 1 000020201213 $(ip_to_hex 172 168 0 100) 20d3 100 
> 22b6 fc97
>
>  AS_BOX([testing ingress traffic mtu 100 - IPv4 FIP])
> -test_ip_packet_larger_ext 2 f00000010204 $(ip_to_hex 172 168 0 110) 20c5 100 
> 22ac
> +test_ip_packet_larger_ext 2 f00000010204 $(ip_to_hex 172 168 0 110) 20c5 100 
> 22ac fc9b
>
>  AS_BOX([testing ingress traffic mtu 100 - IPv6])
>  test_ip6_packet_larger_ext 1 000020201213 20000000000000000000000000000001 
> 100 cc7a
> @@ -20055,10 +20052,10 @@ OVS_WAIT_FOR_OUTPUT([
>  ])
>
>  AS_BOX([testing ingress traffic mtu 100 for gw router - IPv4])
> -test_ip_packet_larger_ext 1 000020201213 $(ip_to_hex 172 168 0 100) 20cf 100 
> 22b6
> +test_ip_packet_larger_ext 1 000020201213 $(ip_to_hex 172 168 0 100) 20d3 100 
> 22b6 fc97
>
>  AS_BOX([testing ingress traffic mtu 100 for gw router - IPv6])
> -test_ip6_packet_larger_ext 1 000020201213 20000000000000000000000000000001 
> 100 cc7a
> +test_ip6_packet_larger_ext 1 000020201213 20000000000000000000000000000001 
> 100 cc7a fc9b
>
>  OVN_CLEANUP([hv1])
>  AT_CLEANUP
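
Review bot: the gw-router call to test_ip6_packet_larger_ext gains a trailing "fc9b" argument here, while the non-gw-router IPv6 call in the previous hunk is left at "100 cc7a" and no hunk changes test_ip6_packet_larger_ext to read an extra parameter. "fc9b" is also the value passed to the IPv4 FIP call of test_ip_packet_larger_ext. If the argument is unused, drop it; if it is needed, pass it in both IPv6 calls and show the consumer.
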
> @@ -27284,22 +27281,24 @@ sleep 5
>  send_ipv4_pkt() {
>      local hv=$1 inport=$2 eth_src=$3 eth_dst=$4
>      local ip_src=$5 ip_dst=$6
> -    
> packet=${eth_dst}${eth_src}08004500001c0000000040110000${ip_src}${ip_dst}0035111100080000
> +    local ip_cksum=$7 tcp_cksum=$8
> +    
> packet=${eth_dst}${eth_src}080045000028000000004006${ip_cksum}${ip_src}${ip_dst}0035111112345678000000005002faf0${tcp_cksum}0000
>      tcpdump_hex $packet
>      as $hv ovs-appctl netdev-dummy/receive ${inport} ${packet}
>  }
>
>  send_icmp6_packet() {
> -    local hv=$1 inport=$2 eth_src=$3 eth_dst=$4 ipv6_src=$5 ipv6_dst=$6
> +    local hv=$1 inport=$2 eth_src=$3 eth_dst=$4 ipv6_src=$5 ipv6_dst=$6 
> tcp_cksum=$7
>
> -    local ip6_hdr=6000000000083aff${ipv6_src}${ipv6_dst}
> -    local packet=${eth_dst}${eth_src}86dd${ip6_hdr}8000dcb662f00001
> +    local ip6_hdr=60000000001406ff${ipv6_src}${ipv6_dst}
> +    local 
> packet=${eth_dst}${eth_src}86dd${ip6_hdr}0035111112345678000000005002faf0${tcp_cksum}0000
>
>      as $hv ovs-appctl netdev-dummy/receive ${inport} ${packet}
>  }
>
>  send_ipv4_pkt hv1 hv1-vif1 505400000003 00000000ff01 \
> -    $(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120)
> +    $(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120) \
> +    c3ad 83dc
>
>  AT_CAPTURE_FILE([offlows2])
>  OVS_WAIT_UNTIL([
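
Review bot: send_icmp6_packet now builds a TCP segment (next header 06 in ip6_hdr and a tcp_cksum parameter) rather than an ICMPv6 echo, so the name no longer describes what is sent. Rename it, for example to send_ipv6_pkt to mirror send_ipv4_pkt, and update the callers. A short comment on why the test traffic moved from UDP/ICMPv6 with a zero checksum to TCP with valid checksums would also help the next reader.
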
> @@ -27316,7 +27315,8 @@ AT_CHECK([
>
>  # Send the pkt from sw0-port2. Packet should not be marked.
>  send_ipv4_pkt hv1 hv1-vif2 505400000004 00000000ff01 \
> -    $(ip_to_hex 10 0 0 4) $(ip_to_hex 172 168 0 120)
> +    $(ip_to_hex 10 0 0 4) $(ip_to_hex 172 168 0 120) \
> +    c3ac 83db
>
>  AT_CHECK([
>      test 1 -eq $(as hv1 ovs-ofctl dump-flows br-phys table=0 | \
> @@ -27350,7 +27350,8 @@ AT_CHECK([
>
>  ovn-nbctl set logical_router_policy $pol1 options:pkt_mark=2
>  send_ipv4_pkt hv1 hv1-vif1 505400000003 00000000ff01 \
> -    $(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120)
> +    $(ip_to_hex 10 0 0 3) $(ip_to_hex 172 168 0 120) \
> +    c3ad 83dc
>
>  OVS_WAIT_UNTIL([
>      test 1 -eq $(as hv1 ovs-ofctl dump-flows br-int table=23 | \
> @@ -27383,7 +27384,8 @@ AT_CHECK([
>  # Send with src ip 10.0.0.5. The reroute policy should be hit
>  # and the packet should be marked with 5.
>  send_ipv4_pkt hv1 hv1-vif1 505400000003 00000000ff01 \
> -    $(ip_to_hex 10 0 0 5) $(ip_to_hex 172 168 0 120)
> +    $(ip_to_hex 10 0 0 5) $(ip_to_hex 172 168 0 120) \
> +    c3ab 83da
>
>  OVS_WAIT_UNTIL([
>      test 1 -eq $(as hv1 ovs-ofctl dump-flows br-phys table=0 | \
> @@ -27395,7 +27397,7 @@ OVS_WAIT_UNTIL([
>  src_ip6=aef00000000000000000000000000004
>  dst_ip6=bef00000000000000000000000000004
>
> -send_icmp6_packet hv1 hv1-vif2 505400000004 00000000ff01 ${src_ip6} 
> ${dst_ip6}
> +send_icmp6_packet hv1 hv1-vif2 505400000004 00000000ff01 ${src_ip6} 
> ${dst_ip6} cd16
>
>  OVS_WAIT_UNTIL([
>      test 1 -eq $(as hv1 ovs-ofctl dump-flows br-phys table=0 | \
> @@ -27415,7 +27417,7 @@ AT_CHECK([
>  src_ip6=aef00000000000000000000000000004
>  dst_ip6=bef00000000000000000000000000005
>
> -send_icmp6_packet hv1 hv1-vif2 505400000004 00000000ff01 ${src_ip6} 
> ${dst_ip6}
> +send_icmp6_packet hv1 hv1-vif2 505400000004 00000000ff01 ${src_ip6} 
> ${dst_ip6} cd15
>
>  OVS_WAIT_UNTIL([
>      test 1 -eq $(as hv1 ovs-ofctl dump-flows br-phys table=0 | \
> @@ -28689,7 +28691,7 @@ src_mac="f00000000102"
>  dst_mac="000000000101"
>  src_ip=`ip_to_hex 10 0 1 2`
>  dst_ip=`ip_to_hex 10 0 1 1`
> -packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}${dst_ip}0035111100080000
> +packet=${dst_mac}${src_mac}08004500001c00000000401164cf${src_ip}${dst_ip}0035111100080000
>  as hv1 ovs-appctl netdev-dummy/receive hv1-vif1 $packet
>
>  # Even after configuring a router owned IP for SNAT, no packet-ins should
> @@ -28715,7 +28717,7 @@ src_mac="f00000000202"
>  dst_mac="000000000201"
>  src_ip=`ip_to_hex 10 0 2 2`
>  dst_ip=`ip_to_hex 10 0 1 1`
> -packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}${dst_ip}0035111100080000
> +packet=${dst_mac}${src_mac}08004500001c00000000401163cf${src_ip}${dst_ip}0035111100080000
>  as hv1 ovs-appctl netdev-dummy/receive hv1-vif2 $packet
>
>  # Still no packet-ins should reach ovn-controller.
> diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> index 8afb4db56..e706c25ca 100644
> --- a/tests/system-ovn.at
> +++ b/tests/system-ovn.at
> @@ -6131,10 +6131,10 @@ 
> tcp,orig=(src=172.16.0.1,dst=10.0.0.2,sport=<cleared>,dport=<cleared>),reply=(sr
>  # Ensure datapaths show conntrack states as expected
>  # Like with conntrack entries, we shouldn't try to predict
>  # port binding tunnel keys. So omit them from expected labels.
> -AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(+new-est-rpl+trk).*ct(.*label=0x401020400000000/.*)' -c], [0], [dnl
> +AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(+new-est-rpl-inv+trk).*ct(.*label=0x401020400000000/.*)' -c], [0], 
> [dnl
>  1
>  ])
> -AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(-new+est+rpl+trk).*ct_label(0x401020400000000)' -c], [0], [dnl
> +AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(-new+est+rpl-inv+trk).*ct_label(0x401020400000000)' -c], [0], [dnl
>  1
>  ])
>
> @@ -6149,10 +6149,10 @@ ovn-nbctl set Logical_Switch_Port r2-ext \
>  ovn-nbctl --wait=hv sync
>
>  NS_CHECK_EXEC([bob1], [nc -z 10.0.0.2 80], [0])
> -AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(+new-est-rpl+trk).*ct(.*label=0x1001020400000000/.*)' -c], [0], [dnl
> +AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(+new-est-rpl-inv+trk).*ct(.*label=0x1001020400000000/.*)' -c], [0], 
> [dnl
>  1
>  ])
> -AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(-new+est+rpl+trk).*ct_label(0x1001020400000000)' -c], [0], [dnl
> +AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(-new+est+rpl-inv+trk).*ct_label(0x1001020400000000)' -c], [0], [dnl
>  1
>  ])
>
> @@ -6316,11 +6316,11 @@ NS_CHECK_EXEC([bob1], [nc -6 -z fd01::2 80], [0])
>  # Ensure datapaths show conntrack states as expected
>  # Like with conntrack entries, we shouldn't try to predict
>  # port binding tunnel keys. So omit them from expected labels.
> -AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(+new-est-rpl+trk).*ct(.*label=0x401020400000000/.*)' -c], [0], [dnl
> +AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(+new-est-rpl-inv+trk).*ct(.*label=0x401020400000000/.*)' -c], [0], 
> [dnl
>  1
>  ])
>
> -AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(-new+est+rpl+trk).*ct_label(0x401020400000000)' -c], [0], [dnl
> +AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(-new+est+rpl-inv+trk).*ct_label(0x401020400000000)' -c], [0], [dnl
>  1
>  ])
>
> @@ -6343,10 +6343,10 @@ ovn-nbctl set Logical_Switch_Port r2-ext \
>
>  NS_CHECK_EXEC([bob1], [nc -6 -z fd01::2 80], [0])
>
> -AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(+new-est-rpl+trk).*ct(.*label=0x1001020400000000/.*)' -c], [0], [dnl
> +AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(+new-est-rpl-inv+trk).*ct(.*label=0x1001020400000000/.*)' -c], [0], 
> [dnl
>  1
>  ])
> -AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(-new+est+rpl+trk).*ct_label(0x1001020400000000)' -c], [0], [dnl
> +AT_CHECK([ovs-appctl dpctl/dump-flows | grep 
> 'ct_state(-new+est+rpl-inv+trk).*ct_label(0x1001020400000000)' -c], [0], [dnl
>  1
>  ])
>
> --
> 2.39.2
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>