On Thu, Apr 13, 2023 at 11:35 PM Ihar Hrachyshka <[email protected]> wrote:
> When setting flows for LS, OVN distinguishes between two states: where > there’s a stateful ACL present in its list (has_stateful == true *) > and when it’s missing (all ACLs are stateless). > > When has_stateful == true, the following is done (among other things): > - ct handling flows are set; > - they are omitted by a higher priority flow for “service” protocols: > NA, RA, MLD. > > The latter is done because of a known issue in kernel ct > implementation for the protocols: > > * https://bugzilla.kernel.org/show_bug.cgi?id=11797 > > The assumption is that by default OVN allows all traffic unless > explicitly forbidden, so omitting ct flows only avoids ct machinery > but doesn't affect functional behavior of flow tables for the > protocols. > > But if an ACL that forbids these protocols is configured, because of > the ct omittance, this ACL is not in effect. (But only when > has_stateful == true.) > > This behavior results in inconsistent and confusing behavior in > OpenStack Neutron where > > (1) the default security group behavior is drop all IP traffic > (achieved with default "drop" Port_Group); and > (2) ports that have stateful and stateless ACLs configured can > co-exist in the same network. > > In which case, depending on other "stateful" ports present in the > network, "stateless" ports may or may not observe RA / NA / MLD > traffic. Which affects their IPv6 address configuration. > > In this patch, I suggest that we don't make RA / NA / MLD behavior > dependent on whether "stateful" ACLs are present. Instead, make the > protocols always allowed, regardless of ACLs configured (whether > stateful ACLs or ACLs that forbid packets of these protocols). > > Note: an argument can be made that the same "always-on" behavior > should be guaranteed for ARP protocol that serves a similar goal in a > IPv4 network as RA / NA do for IPv6 networks. This scenario is not > directly related to the inconsistency between "purely stateless" and > "mixed-stateful" networks and hence is left for a follow-up patch. > > Note: this patch carries a test case that utilizes scapy tool to > construct packets for the protocols under test. A proper backport may > demand backporting scapy related patches too. > > Reported-At: https://bugs.launchpad.net/neutron/+bug/2006949 > Reported-At: https://bugzilla.redhat.com/show_bug.cgi?id=2149731 > Signed-off-by: Ihar Hrachyshka <[email protected]> > --- > v1: initial version > v2: remove debug ov?-*ctl commands from the new test case > v2: adjust failing test cases that didn't expect new flows > --- > NEWS | 2 + > northd/northd.c | 20 ++++--- > northd/ovn-northd.8.xml | 18 ++++-- > tests/ovn-northd.at | 26 +++++++++ > tests/ovn.at | 124 ++++++++++++++++++++++++++++++++++++++++ > 5 files changed, 176 insertions(+), 14 deletions(-) > > diff --git a/NEWS b/NEWS > index f71f408d0..60467581a 100644 > --- a/NEWS > +++ b/NEWS > @@ -12,6 +12,8 @@ Post v23.03.0 > target mac address matches. Arp requests matching no Logical Router > will > only be forwarded to non-router ports. Default is true which keeps the > existing behaviour of flooding these arp requests to all attached > Ports. > + - Always allow IPv6 Router Discovery, Neighbor Discovery, and Multicast > + Listener Discovery protocols, regardless of ACLs defined. > > OVN v23.03.0 - 03 Mar 2023 > -------------------------- > diff --git a/northd/northd.c b/northd/northd.c > index c10e5c20c..5f9cb9fa5 100644 > --- a/northd/northd.c > +++ b/northd/northd.c > @@ -6943,20 +6943,24 @@ build_acls(struct ovn_datapath *od, const struct > chassis_features *features, > ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, > ds_cstr(&match), ct_out_acl_action); > > - /* Ingress and Egress ACL Table (Priority 65532). > - * > - * Not to do conntrack on ND packets. */ > - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, > - "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;"); > - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, > - "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;"); > - > /* Reply and related traffic matched by an "allow-related" ACL > * should be allowed in the ls_in_acl_after_lb stage too. */ > ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB, UINT16_MAX - > 3, > REGBIT_ACL_HINT_ALLOW_REL" == 1", "next;"); > } > > + /* Ingress and Egress ACL Table (Priority 65532). > + * > + * Always allow service IPv6 protocols regardless of other ACLs > defined. > + * > + * Also, don't send them to conntrack because session tracking > + * for these protocols is not working properly: > + * https://bugzilla.kernel.org/show_bug.cgi?id=11797. */ > + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3, > + "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;"); > + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3, > + "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;"); > + > /* Ingress or Egress ACL Table (Various priorities). */ > for (size_t i = 0; i < od->nbs->n_acls; i++) { > struct nbrec_acl *acl = od->nbs->acls[i]; > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > index 6a02a30e3..29eca7070 100644 > --- a/northd/ovn-northd.8.xml > +++ b/northd/ovn-northd.8.xml > @@ -748,6 +748,12 @@ > drop behavior. > </p> > > + <p> > + A priority-65532 flow is added to allow IPv6 Neighbor solicitation, > + Neighbor discover, Router solicitation, Router advertisement and MLD > + packets regardless of other ACLs defined. > + </p> > + > <p> > If the logical datapath has a stateful ACL or a load balancer with > VIP > configured, the following flows will also be added: > @@ -824,12 +830,6 @@ > in the request direction are skipped here to let a newly created > ACL re-allow this connection. > </li> > - > - <li> > - A priority-65532 flow that allows IPv6 Neighbor solicitation, > - Neighbor discover, Router solicitation, Router advertisement and > MLD > - packets. > - </li> > </ul> > > <p> > @@ -2123,6 +2123,12 @@ output; > <code>to-lport</code> ACLs. > </p> > > + <p> > + Similar to ingress table, a priority-65532 flow is added to allow > IPv6 > + Neighbor solicitation, Neighbor discover, Router solicitation, > Router > + advertisement and MLD packets regardless of other ACLs defined. > + </p> > + > <p> > In addition, the following flows are added. > </p> > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > index 1d2febdac..1d4dce5bd 100644 > --- a/tests/ovn-northd.at > +++ b/tests/ovn-northd.at > @@ -2531,8 +2531,10 @@ ovn-nbctl --wait=sb clear logical_switch ls > load_balancer > AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e > ls_out_acl_hint -e ls_in_acl -e ls_out_acl | sort], [0], [dnl > table=17(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=3 (ls_out_acl_hint ), priority=65535, match=(1), action=(next;) > + table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=4 (ls_out_acl ), priority=65535, match=(1), action=(next;) > table=7 (ls_in_acl_hint ), priority=65535, match=(1), action=(next;) > + table=8 (ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=8 (ls_in_acl ), priority=65535, match=(1), action=(next;) > ]) > > @@ -7244,11 +7246,13 @@ flow="inport == \"lsp1\" && eth.src == > 00:00:00:00:00:01 && eth.dst == 00:00:00: > AS_BOX([No ACL, default_acl_drop not set]) > check ovn-nbctl --wait=sb sync > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) > table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > @@ -7263,11 +7267,13 @@ output("lsp2"); > AS_BOX([No ACL, default_acl_drop false]) > check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=false > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) > table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > @@ -7282,11 +7288,13 @@ output("lsp2"); > AS_BOX([No ACL, default_acl_drop true]) > check ovn-nbctl --wait=sb set NB_Global . options:default_acl_drop=true > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl ), priority=65535, match=(1), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_hint ), priority=65535, match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl ), priority=65535, match=(1), action=(next;) > table=??(ls_out_acl_hint ), priority=65535, match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > @@ -7308,12 +7316,14 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > @@ -7330,12 +7340,14 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > @@ -7352,12 +7364,14 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E > "ls_.*_acl" | sed 's/table=../table=??/ > table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) > table=??(ls_in_acl ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > @@ -7433,6 +7447,7 @@ check ovn-nbctl --wait=sb remove NB_Global . options > default_acl_drop > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > @@ -7440,6 +7455,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" > | sed 's/table=../table=??/ > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > @@ -7455,6 +7471,7 @@ check ovn-nbctl --wait=sb set NB_Global . > options:default_acl_drop=false > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > @@ -7462,6 +7479,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" > | sed 's/table=../table=??/ > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > @@ -7477,6 +7495,7 @@ check ovn-nbctl --wait=sb set NB_Global . > options:default_acl_drop=true > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) > table=??(ls_in_acl_after_lb ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > @@ -7484,6 +7503,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" > | sed 's/table=../table=??/ > table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == > $svc_monitor_mac), action=(next;) > table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > @@ -7559,6 +7579,7 @@ check ovn-nbctl --wait=sb remove NB_Global . options > default_acl_drop > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > @@ -7566,6 +7587,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" > | sed 's/table=../table=??/ > table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > @@ -7581,6 +7603,7 @@ check ovn-nbctl --wait=sb set NB_Global . > options:default_acl_drop=false > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > table=??(ls_in_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(next;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > @@ -7588,6 +7611,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" > | sed 's/table=../table=??/ > table=??(ls_out_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > @@ -7603,6 +7627,7 @@ check ovn-nbctl --wait=sb set NB_Global . > options:default_acl_drop=true > AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | sed > 's/table=../table=??/' | sort], [0], [dnl > table=??(ls_in_acl ), priority=0 , match=(1), action=(drop;) > table=??(ls_in_acl ), priority=34000, match=(eth.dst == > $svc_monitor_mac), action=(next;) > + table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_in_acl_after_lb ), priority=0 , match=(1), action=(drop;) > table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) > @@ -7610,6 +7635,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" > | sed 's/table=../table=??/ > table=??(ls_out_acl ), priority=0 , match=(1), action=(drop;) > table=??(ls_out_acl ), priority=1001 , match=(ip4 && tcp), > action=(next;) > table=??(ls_out_acl ), priority=34000, match=(eth.src == > $svc_monitor_mac), action=(next;) > + table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || > nd_rs || mldv1 || mldv2), action=(next;) > table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) > table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == > $svc_monitor_mac), action=(next;) > diff --git a/tests/ovn.at b/tests/ovn.at > index 8e80765c6..2d92e96a9 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at > @@ -13898,6 +13898,130 @@ OVN_CLEANUP([gw1],[gw2],[hv1]) > AT_CLEANUP > ]) > > +OVN_FOR_EACH_NORTHD([ > +AT_SETUP([allow IPv6 RA / NA / MLD by default]) > +AT_SKIP_IF([test $HAVE_SCAPY = no]) > +ovn_start > +net_add n1 > +sim_add hv1 > +as hv1 > +ovs-vsctl add-br br-phys > +ovn_attach n1 br-phys 192.168.0.1 > + > +lsp_mac_prefix=50:64:00:00:00:0 > +lsp_ip_prefix=10.0.0. > +lsp_ip6_prefix=aef0::5264:00ff:fe00:000 > + > +check ovn-nbctl ls-add ls0 > +for i in 1 2; do > + check ovn-nbctl lsp-add ls0 lsp$i > + check ovn-nbctl lsp-set-addresses lsp$i \ > + "${lsp_mac_prefix}$i ${lsp_ip_prefix}$i ${lsp_ip6_prefix}$i" > + > + # forbid all traffic for the ports > + for direction in from to; do > + check ovn-nbctl acl-add ls0 $direction-lport 1000 "outport == > \"lsp$i\"" drop > + done > + > + ovs-vsctl -- add-port br-int vif$i -- \ > + set interface vif$i external-ids:iface-id=lsp$i \ > + options:tx_pcap=hv1/vif$i-tx.pcap \ > + options:rxq_pcap=hv1/vif$i-rx.pcap > + : > $i.expected > +done > + > +router_mac=fa:16:3e:00:00:01 > +router_prefix=fdad:1234:5678:: > +router_ip=${router_prefix}1 > +ovn-nbctl lr-add lr0 > +ovn-nbctl lrp-add lr0 lrp0 ${router_mac} ${router_ip}/64 > +ovn-nbctl set Logical_Router_Port lrp0 > ipv6_ra_configs:address_mode="slaac" > +ovn-nbctl \ > + -- lsp-add ls0 rp0 \ > + -- set Logical_Switch_Port rp0 type=router \ > + options:router-port=lrp0 \ > + addresses='"${router_mac} ${router_ip}"' > + > +wait_for_ports_up > + > +test_ns_na() { > + local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5 > + > + packet=$(fmt_pkt " > + Ether(dst='ff:ff:ff:ff:ff:ff', src='${src_mac}') / > + IPv6(src='${src_ip}', dst='ff02::1:ff00:2') / > + ICMPv6ND_NS(tgt='${dst_ip}') > + ") > + as hv1 ovs-appctl netdev-dummy/receive vif${inport} $packet > + > + expected_packet=$(fmt_pkt " > + Ether(dst='${src_mac}', src='${dst_mac}') / > + IPv6(src='${dst_ip}', dst='${src_ip}') / > + ICMPv6ND_NA(tgt='${dst_ip}', R=0, S=1) / > + ICMPv6NDOptDstLLAddr(lladdr='${dst_mac}') > + ") > + echo $expected_packet >> $inport.expected > +} > + > +test_rs_ra() { > + local inport=$1 src_mac=$2 src_ip=$3 > + local router_mac=$4 router_prefix=$5 router_ip=$6 > + > + packet=$(fmt_pkt " > + Ether(dst='ff:ff:ff:ff:ff:ff', src='${src_mac}') / > + IPv6(src='${src_ip}', dst='ff02::2') / > + ICMPv6ND_RS() > + ") > + as hv1 ovs-appctl netdev-dummy/receive vif${inport} $packet > + > + expected_packet=$(fmt_pkt " > + Ether(dst='${src_mac}', src='${router_mac}') / > + IPv6(src='${router_ip}', dst='${src_ip}') / > + ICMPv6ND_RA(chlim=255, prf=0, routerlifetime=65535) / > + ICMPv6NDOptSrcLLAddr(lladdr='${router_mac}') / > + ICMPv6NDOptPrefixInfo(prefix='${router_prefix}') > + ") > + echo $expected_packet >> $inport.expected > +} > + > +test_mldv2() { > + local inport=$1 outport=$2 src_mac=$3 src_ip=$4 > + > + packet=$(fmt_pkt " > + Ether(dst='ff:ff:ff:ff:ff:ff', src='${src_mac}') / > + IPv6(src='${src_ip}', dst='ff02::2') / > + ICMPv6MLQuery2() > + ") > + as hv1 ovs-appctl netdev-dummy/receive vif${inport} $packet > + > + expected_packet=$packet > + echo $expected_packet >> $outport.expected > +} > + > +src_mac=${lsp_mac_prefix}1 > +dst_mac=${lsp_mac_prefix}2 > +src_ip=${lsp_ip6_prefix}1 > +dst_ip=${lsp_ip6_prefix}2 > + > +as hv1 > +test_ns_na 1 $src_mac $dst_mac $src_ip $dst_ip > + > +as hv1 > +router_local_ip=fe80::f816:3eff:fe00:1 > +test_rs_ra 1 $src_mac $src_ip $router_mac $router_prefix $router_local_ip > + > +as hv1 > +src_ip=fe80::1 > +test_mldv2 1 2 $src_mac $src_ip > + > +OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [1.expected]) > +OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [2.expected]) > + > +OVN_CLEANUP([hv1]) > + > +AT_CLEANUP > +]) > + > OVN_FOR_EACH_NORTHD([ > AT_SETUP([IPv6 Neighbor Solicitation for unknown MAC]) > AT_KEYWORDS([ovn-nd_ns for unknown mac]) > -- > 2.38.1 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > Looks good to me, thanks. Acked-by: Ales Musil <[email protected]> -- Ales Musil Senior Software Engineer - OVN Core Red Hat EMEA <https://www.redhat.com> [email protected] IM: amusil <https://red.ht/sig> _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
