On allow-related ACLs, if the ACL changes and no longer matches an established session, then traffic will no longer automatically be allowed. Instead, traffic on the established session will be subject to ACL matching, and therefore the traffic may be dropped.
This behavior can be altered by setting the "persist-established" option on allow-related ACLs. When set to true, we set a specific bit in the ct_mark when the conntrack entry is committed. If this bit is set, then established session traffic will always be allowed, even if the ACL is altered to no longer match the traffic. Upcoming commits will put in place methods so that deleting the ACL or changing the action type on the ACL will remove the conntrack entry that allows the established traffic. 
Signed-off-by: Mark Michelson <mmich...@redhat.com>
Acked-by: Ales Musil <amu...@redhat.com>
---
v6 -> v7:
* Rebased.

v5 -> v6:
* Added Ales's Ack.

v4 -> v5:
* Renamed option from "persist_established" to "persist-established" to be consistent with other multi-word options.
* Fixed failing tests.

v3 -> v4:
* Rebased.
* Addressed minor formatting comments from Ales.
* Changed the name of the new option to "persist_established".
* Changed system test to match on cookie instead of other properties when testing if the ACL drop was hit.
* The version in the northbound database is unchanged by this patch now.
* The python client now passes the newline to the server. This way if a future test uses this file and passes a line longer than 1024 characters, there won't be extra newlines inserted by the server.
* The server now prints a message when it is ready to accept connections. I did this because I noticed the test would sometimes fail because the client would get a "Connection Refused" error. Now the test waits for the server to ensure it is ready before attempting to start the client.

v2 -> v3:
* The configuration mechanism changed from a new ACL action to being an option that supplements "allow-related" ACLs. The new option is called bypass_match_for_established. A suggestion for the option was "flush_ct_on_removal". I elected not to go with this because flushing CT on removal isn't the real draw of the option. Admins set the option so that the ACL does not have to be matched once the connection is established. The flush of CT is a necessity of the feature, but it's not why the admin is setting the option.
v1 -> v2: * Fixed formatting issues * Fixed flake8 issues * Check for CT label flush chassis feature --- include/ovn/logical-fields.h | 1 + lib/logical-fields.c | 5 + northd/northd.c | 55 ++++++- ovn-nb.xml | 26 ++++ tests/automake.mk | 4 +- tests/client.py | 36 +++++ tests/ovn-northd.at | 270 ++++++++++++++++++++++++++++------- tests/ovn.at | 1 + tests/server.py | 33 +++++ tests/system-ovn.at | 179 +++++++++++++++++++++++ 10 files changed, 550 insertions(+), 60 deletions(-) create mode 100755 tests/client.py create mode 100755 tests/server.py diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index 6a87fc386..02efd3359 100644 --- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -207,6 +207,7 @@ const struct ovn_field *ovn_field_from_name(const char *name); #define OVN_CT_LB_FORCE_SNAT_BIT 3 #define OVN_CT_OBS_STAGE_1ST_BIT 4 #define OVN_CT_OBS_STAGE_END_BIT 5 +#define OVN_CT_ALLOW_ESTABLISHED_BIT 6 #define OVN_CT_BLOCKED 1 #define OVN_CT_NATTED 2 diff --git a/lib/logical-fields.c b/lib/logical-fields.c index f49a0a79d..03a9a0506 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -174,6 +174,11 @@ ovn_init_symtab(struct shash *symtab) OVN_CT_STR(OVN_CT_OBS_STAGE_END_BIT) "]", WR_CT_COMMIT); + expr_symtab_add_subfield_scoped(symtab, "ct_mark.allow_established", NULL, + "ct_mark[" + OVN_CT_STR(OVN_CT_ALLOW_ESTABLISHED_BIT) + "]", + WR_CT_COMMIT); expr_symtab_add_subfield_scoped(symtab, "ct_mark.obs_collector_id", NULL, "ct_mark[16..23]", WR_CT_COMMIT); diff --git a/northd/northd.c b/northd/northd.c index 3ff4326e6..e4ff4965d 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -124,6 +124,8 @@ static bool vxlan_mode; #define REGBIT_ACL_HINT_ALLOW_REL "reg0[17]" #define REGBIT_FROM_ROUTER_PORT "reg0[18]" #define REGBIT_IP_FRAG "reg0[19]" +#define REGBIT_ACL_PERSIST_ID "reg0[20]" +#define REGBIT_ACL_HINT_ALLOW_PERSISTED "reg0[21]" /* Register definitions for switches and routers. */ 
@@ -7109,7 +7111,8 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, const struct nbrec_acl *acl, bool has_stateful, const struct shash *meter_groups, uint64_t max_acl_tier, struct ds *match, struct ds *actions, - struct lflow_ref *lflow_ref) + struct lflow_ref *lflow_ref, + const struct chassis_features *features) { bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; enum ovn_stage stage; @@ -7195,6 +7198,19 @@ consider_acl(struct lflow_table *lflows, const struct ovn_datapath *od, ds_truncate(actions, log_verdict_len); ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; "); + if (smap_get_bool(&acl->options, "persist-established", false)) { + if (!features->ct_label_flush) { + static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); + VLOG_WARN_RL(&rl, "OVS does not support CT label flush. " + "persist-established option cannot " + "be honored for ACL "UUID_FMT".", + UUID_ARGS(&acl->header_.uuid)); + } else { + ds_put_format(actions, + REGBIT_ACL_PERSIST_ID " = 1; "); + } + } + /* For stateful ACLs sample "new" and "established" packets. */ build_acl_sample_label_action(actions, acl, acl->sample_new, acl->sample_est, obs_stage); 
@@ -7696,6 +7712,32 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, REGBIT_ACL_HINT_ALLOW_REL" == 1", REGBIT_ACL_VERDICT_ALLOW " = 1; next;", lflow_ref); + + /* Ingress and egress ACL Table (Priority 65532). + * + * Allow traffic that is established if the ACL has a persistent + * conntrack ID configured. + */ + ds_clear(&match); + const char *pre_lb_persisted_acl_action = + REGBIT_ACL_HINT_ALLOW_PERSISTED" = 1; " + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; + const char *persisted_acl_action = + REGBIT_ACL_VERDICT_ALLOW" = 1; next;"; + ds_put_format(&match, "ct.est && ct_mark.allow_established == 1"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, UINT16_MAX - 3, + ds_cstr(&match), + pre_lb_persisted_acl_action, + lflow_ref); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, UINT16_MAX - 3, + ds_cstr(&match), + persisted_acl_action, + lflow_ref); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_AFTER_LB_EVAL, + UINT16_MAX - 3, + REGBIT_ACL_HINT_ALLOW_PERSISTED" == 1", + persisted_acl_action, + lflow_ref); } /* Ingress and Egress ACL Table (Priority 65532). @@ -7729,7 +7771,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, uint64_t max_acl_tier = choose_max_acl_tier(ls_stateful_rec, acl); consider_acl(lflows, od, acl, has_stateful, meter_groups, max_acl_tier, - &match, &actions, lflow_ref); + &match, &actions, lflow_ref, features); build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, &match, &actions, sampling_apps, features, lflow_ref); @@ -7750,7 +7792,7 @@ build_acls(const struct ls_stateful_record *ls_stateful_rec, acl); consider_acl(lflows, od, acl, has_stateful, meter_groups, max_acl_tier, - &match, &actions, lflow_ref); + &match, &actions, lflow_ref, features); build_acl_sample_flows(ls_stateful_rec, od, lflows, acl, &match, &actions, sampling_apps, features, lflow_ref); 
@@ -8374,6 +8416,7 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, ds_put_cstr(&actions, "ct_commit { " "ct_mark.blocked = 0; " + "ct_mark.allow_established = " REGBIT_ACL_PERSIST_ID "; " "ct_mark.obs_stage = " REGBIT_ACL_OBS_STAGE "; " "ct_mark.obs_collector_id = " REG_OBS_COLLECTOR_ID_EST "; " "ct_label.obs_point_id = " REG_OBS_POINT_ID_EST "; " @@ -8394,7 +8437,11 @@ build_stateful(struct ovn_datapath *od, struct lflow_table *lflows, * any packet that makes it this far is part of a connection we * want to allow to continue. */ ds_clear(&actions); - ds_put_cstr(&actions, "ct_commit { ct_mark.blocked = 0; }; next;"); + ds_put_cstr(&actions, + "ct_commit { " + "ct_mark.blocked = 0; " + "ct_mark.allow_established = " REGBIT_ACL_PERSIST_ID "; " + "}; next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, REGBIT_CONNTRACK_COMMIT" == 1 && " REGBIT_ACL_LABEL" == 0", diff --git a/ovn-nb.xml b/ovn-nb.xml index d82f9872b..df7f66330 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml 
@@ -2567,6 +2567,32 @@ or of all the ACLs and the default deny/allow ACLs if any. </p> </column> + + <column name="options" key="persist-established"> + <p> + This option applies only to ACLs whose <ref column="action"/> is set + to <code>allow-related</code>. + </p> + + <p> + <code>allow-related</code> ACLs create a conntrack entry when a + packet matches the ACL's <ref column="match"/> column. Typically, + traffic must continue to match these conditions in order to continue + to be allowed by the ACL. With this option set to <code>true</code>, + then the ACL match is bypassed once the original match occurs. + Instead, a mark bit in the conntrack entry is used to allow the + traffic. This means that traffic will continue to be allowed even if + the ACL's match changes and no longer matches the established + traffic. + </p> + + <p> + The traffic will stop being allowed automatically if this option is + set to <code>false</code>, if the ACL's <ref column="action"/> is + changed to something other than <code>allow-related</code>, or if the + ACL is destroyed. + </p> + </column> </group> <group title="Logging"> diff --git a/tests/automake.mk b/tests/automake.mk index 3899c9e80..940f5b923 100644 --- a/tests/automake.mk +++ b/tests/automake.mk @@ -313,7 +313,9 @@ CHECK_PYFILES = \ tests/uuidfilt.py \ tests/test-tcp-rst.py \ tests/check_acl_log.py \ - tests/scapy-server.py + tests/scapy-server.py \ + tests/client.py \ + tests/server.py EXTRA_DIST += $(CHECK_PYFILES) PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage diff --git a/tests/client.py b/tests/client.py new file mode 100755 index 000000000..22fb7f126 --- /dev/null +++ b/tests/client.py 
@@ -0,0 +1,36 @@ +#!/usr/bin/env python3 + +import socket +import time +import argparse + + +def send_data_from_fifo_to_server( + fifo_path='/tmp/myfifo', host='127.0.0.1', port=10000 +): + # Open the FIFO for reading (blocking mode) + with open(fifo_path, 'r') as fifo_file: + with socket.socket( + socket.AF_INET, socket.SOCK_STREAM + ) as client_socket: + client_socket.connect((host, port)) + # Continuously read from the FIFO and send to the server + while True: + data = fifo_file.readline() + if data: + client_socket.sendall(data.encode()) + else: + time.sleep(0.1) + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + group = parser.add_argument_group() + group.add_argument("-f", "--fifo_path") + group.add_argument("-i", "--server-host") + group.add_argument("-p", "--server-port", type=int) + args = parser.parse_args() + + send_data_from_fifo_to_server( + args.fifo_path, args.server_host, args.server_port + ) diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index df646ec68..71a0b0a99 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -2669,6 +2669,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) 
@@ -2681,6 +2682,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;) table=??(ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;) @@ -2702,6 +2704,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) 
@@ -2710,6 +2713,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -2728,6 +2732,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint -e table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -4680,8 +4685,8 @@ check_stateful_flows() { AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl 
@@ -4704,8 +4709,8 @@ check_stateful_flows() { AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) } 
@@ -4748,8 +4753,8 @@ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl 
@@ -4769,8 +4774,8 @@ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # LB with event=false and reject=false 
@@ -4806,8 +4811,8 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl 
@@ -4816,8 +4821,8 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # Add new ACL without label 
@@ -4835,8 +4840,8 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl 
@@ -4847,8 +4852,8 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) # Delete new ACL with label 
@@ -4864,8 +4869,8 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0] ]) AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl 
@@ -4874,8 +4879,8 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0 ]) AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP ]) @@ -4903,7 +4908,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls from-lport 1 dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([from-lport --apply-after-lb allow-related ACL]) 
@@ -4911,7 +4916,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --apply-after-lb --label=1234 acl-add dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_in_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AS_BOX([to-lport allow-related ACL]) @@ -4919,7 +4924,7 @@ check ovn-nbctl --wait=sb -- acl-del ls -- --label=1234 acl-add ls to-lport 1 ip dnl Check that the label is committed to conntrack in the ingress pipeline AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new ls "$flow" | grep -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; ]) AT_CLEANUP 
@@ -4940,6 +4945,7 @@ AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) @@ -4947,6 +4953,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0] AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) 
@@ -4961,6 +4968,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0] table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) @@ -4968,6 +4976,7 @@ AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0 table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) table=??(ls_out_acl_eval ), priority=65532, match=((ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) 
@@ -4984,6 +4993,7 @@ AT_CAPTURE_FILE([sw0flows]) AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) @@ -4991,6 +5001,7 @@ AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0] AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 6553 | ovn_strip_lflows], [0], [dnl table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) ]) 
@@ -7840,6 +7851,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) @@ -7854,6 +7866,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) 
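Review bot: `reg0[[21]] == 1` now short-circuits the whole ls_in_acl_after_lb_eval stage in the same way `reg0[[17]] == 1` does, and only the ingress flow (`action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)`) sets it; the ls_out_acl_eval variant sets no register, which is consistent with after-lb ACLs being ingress only. Since reg0[[20]] and reg0[[21]] are newly consumed register bits, please document both next to reg0[[17]] in the ovn-northd register documentation so later patches do not reuse them.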
@@ -7875,8 +7888,8 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with the apply-after-lb option]) 
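Review bot: both ls_in_stateful commit flows now write `ct_mark.allow_established = reg0[[20]]` unconditionally, so every committed connection gets the bit (0 when no persist-established ACL set reg0[[20]]). Note that the bit is only rewritten on a re-commit (reg0[[1]] == 1), and an established connection that hits the new 65532 allow_established flow never sets reg0[[1]], so clearing the option on an ACL leaves the bit in place until the entry expires or is flushed; that matches the cover letter, but it should be spelled out in the option's documentation.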
@@ -7905,12 +7918,14 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -7932,8 +7947,8 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AS_BOX([Remove and add the ACLs back with a few ACLs with apply-after-lb option]) 
@@ -7958,6 +7973,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[9]] == 1 && (ip4 && ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) @@ -7968,6 +7984,7 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" lsflows | ovn_strip_lflo table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -7989,8 +8006,8 @@ AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep -e "ls_in_stateful" lsflows | ovn_strip_lflows], [0], [dnl table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) - table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; next;) + table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; next;) ]) AT_CLEANUP @@ -8502,6 +8519,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) 
@@ -8511,6 +8529,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -8538,6 +8557,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) @@ -8701,6 +8721,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (ip4 && tcp)), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) 
@@ -8708,6 +8729,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -8735,6 +8757,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) @@ -8896,6 +8919,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), action=(reg8[[16]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=0 , match=(1), action=(next;) table=??(ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(next;) 
@@ -8903,6 +8927,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; reg8[[16]] = 1; next;) + table=??(ls_in_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_in_acl_hint ), priority=0 , match=(1), action=(next;) 
@@ -8932,6 +8957,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | ovn_strip_lflows], [0], [ table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) table=??(ls_out_acl_hint ), priority=0 , match=(1), action=(next;) @@ -10625,8 +10651,8 @@ dnl commits to happen: dnl - in the egress pipeline of S1, when sending the packet out on s1_r1 dnl - in the ingress pipeline of S2, when processing the packet on s2_r1 AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --ct new s1 "$flow" | grep -e ls_in_stateful -e ls_out_stateful -A 2 | grep commit], [0], [dnl - ct_commit { ct_mark.blocked = 0; }; - ct_commit { ct_mark.blocked = 0; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; ]) AT_CLEANUP 
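Review bot: the ovn_trace expectation now shows `ct_mark.allow_established = reg0[[20]]` on both the S1 egress commit and the S2 ingress commit, so ls_out_stateful must have been changed as well, yet every lflow expectation updated in the hunks above greps only ls_in_stateful. If no other test in this file asserts on the ls_out_stateful commit flows, add one so the egress side of the change is covered directly rather than only through the trace.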
@@ -12895,7 +12921,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); @@ -12904,7 +12930,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); 
@@ -12926,7 +12952,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); @@ -12958,7 +12984,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); 
@@ -12967,7 +12993,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); @@ -12989,7 +13015,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); 
@@ -13021,8 +13047,8 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; - ct_commit { ct_mark.blocked = 0; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); @@ -13031,7 +13057,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302" AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg9 = 4302; sample(probability=65535,collector_set=100,obs_domain=43,obs_point=4302); sample(probability=65535,collector_set=200,obs_domain=43,obs_point=4302); 
@@ -13053,8 +13079,8 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; - ct_commit { ct_mark.blocked = 0; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; reg9 = 0; sample(probability=65535,collector_set=100,obs_domain=42,obs_point=4301); sample(probability=65535,collector_set=200,obs_domain=42,obs_point=4301); @@ -13116,7 +13142,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; 
@@ -13126,7 +13152,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; @@ -13154,7 +13180,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; @@ -13164,7 +13190,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 0 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; 
@@ -13187,7 +13213,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval -e l dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg9 = 0; @@ -13222,7 +13248,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; @@ -13232,7 +13258,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 1 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; 
@@ -13255,7 +13281,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e ls_in_acl_ dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg9 = 0; @@ -13290,8 +13316,8 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; - ct_commit { ct_mark.blocked = 0; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; 
@@ -13301,7 +13327,7 @@ AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], dnl Trace estasblished connections. flow="$base_flow && ct_label.obs_point_id == 4302 && ct_mark.obs_stage == 2 && ct_mark.obs_collector_id == 1" AT_CHECK_UNQUOTED([ovn_trace --ct est --ct est ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg9 = 4302; @@ -13324,8 +13350,8 @@ AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval -e dnl Trace new connections. flow="$base_flow" AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new ls "$flow" | TRACE_FILTER], [0], [dnl - ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; - ct_commit { ct_mark.blocked = 0; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; ct_mark.obs_stage = reg8[[19..20]]; ct_mark.obs_collector_id = reg8[[8..15]]; ct_label.obs_point_id = reg9; }; + ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; }; reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg9 = 0; 
@@ -14445,3 +14471,137 @@ AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_out_acl_action | grep priority=500 | AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL persistent ID - Logical Flows]) +ovn_start + +dnl For this test, we want to ensure that the logical flows for ACLs are +dnl what we expect. +dnl +dnl First, we'll ensure that an ACL that does not have +dnl "persist-established" sets the relevant CT values to 0. +dnl +dnl Then we'll change the ACL to have "persist-established" to true +dnl and ensure the logical flows do set the appropriate values. +dnl +dnl Then finally, we'll check other ACL actions and ensure that +dnl "persist-established" sets the relevant CT values to 0. + +check ovn-nbctl ls-add sw + +check ovn-nbctl acl-add sw from-lport 1001 "tcp" allow-related +check ovn-nbctl acl-add sw to-lport 1002 "ip" allow-related +check ovn-nbctl --apply-after-lb acl-add sw from-lport 1003 "udp" allow-related + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep priority=2001 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep priority=2002 | ovn_strip_lflows], [0], [dnl + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; 
next;) +]) + +ingress_uuid=$(fetch_column nb:ACL _uuid priority=1001) +egress_uuid=$(fetch_column nb:ACL _uuid priority=1002) +after_lb_uuid=$(fetch_column nb:ACL _uuid priority=1003) + +check ovn-nbctl set acl $ingress_uuid options:persist-established=true +check ovn-nbctl set acl $egress_uuid options:persist-established=true +check ovn-nbctl set acl $after_lb_uuid options:persist-established=true + +dnl Now we should see the registers being set to the appropriate values. +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep priority=2001 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[7]] == 1 && (tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[20]] = 1; next;) + table=??(ls_in_acl_eval ), priority=2001 , match=(reg0[[8]] == 1 && (tcp)), action=(reg8[[16]] = 1; next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && (udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[20]] = 1; next;) + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]] == 1 && (udp)), action=(reg8[[16]] = 1; next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep priority=2002 | ovn_strip_lflows], [0], [dnl + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[7]] == 1 && (ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[20]] = 1; next;) + table=??(ls_out_acl_eval ), priority=2002 , match=(reg0[[8]] == 1 && (ip)), action=(reg8[[16]] = 1; next;) +]) + +dnl Now try the other ACL verdicts and ensure that they do not +dnl try to set the values. 
+for verdict in allow allow-stateless +do + echo "verdict is $verdict" + check ovn-nbctl set acl $ingress_uuid action=$verdict + check ovn-nbctl set acl $egress_uuid action=$verdict + check ovn-nbctl set acl $after_lb_uuid action=$verdict + + AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep priority=2001 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_eval ), priority=2001 , match=((tcp)), action=(reg8[[16]] = 1; next;) +]) + + AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=((udp)), action=(reg8[[16]] = 1; next;) +]) + + AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep priority=2002 | ovn_strip_lflows], [0], [dnl + table=??(ls_out_acl_eval ), priority=2002 , match=((ip)), action=(reg8[[16]] = 1; next;) +]) +done + +check ovn-nbctl set acl $ingress_uuid action=drop +check ovn-nbctl set acl $egress_uuid action=drop +check ovn-nbctl set acl $after_lb_uuid action=drop + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep priority=2001 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_eval ), priority=2001 , match=((tcp)), action=(reg8[[17]] = 1; next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=((udp)), action=(reg8[[17]] = 1; next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep priority=2002 | ovn_strip_lflows], [0], [dnl + table=??(ls_out_acl_eval ), priority=2002 , match=((ip)), action=(reg8[[17]] = 1; next;) +]) + +check ovn-nbctl set acl $ingress_uuid action=reject +check ovn-nbctl set acl $egress_uuid action=reject +check ovn-nbctl set acl $after_lb_uuid action=reject + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep priority=2001 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_eval ), priority=2001 , 
match=((tcp)), action=(reg8[[18]] = 1; next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=((udp)), action=(reg8[[18]] = 1; next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep priority=2002 | ovn_strip_lflows], [0], [dnl + table=??(ls_out_acl_eval ), priority=2002 , match=((ip)), action=(reg8[[18]] = 1; next;) +]) + +check ovn-nbctl set acl $ingress_uuid action=pass +check ovn-nbctl set acl $egress_uuid action=pass +check ovn-nbctl set acl $after_lb_uuid action=pass + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep priority=2001 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_eval ), priority=2001 , match=((tcp)), action=(next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl + table=??(ls_in_acl_after_lb_eval), priority=2003 , match=((udp)), action=(next;) +]) + +AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep priority=2002 | ovn_strip_lflows], [0], [dnl + table=??(ls_out_acl_eval ), priority=2002 , match=((ip)), action=(next;) +]) + +AT_CLEANUP +]) diff --git a/tests/ovn.at b/tests/ovn.at index 8ecf1f6bf..aa9179a67 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -145,6 +145,7 @@ ct_label.label = ct_label[96..127] ct_label.obs_point_id = ct_label[96..127] ct_label.obs_unused = ct_label[0..95] ct_mark = NXM_NX_CT_MARK +ct_mark.allow_established = ct_mark[6] ct_mark.blocked = ct_mark[0] ct_mark.ecmp_reply_port = ct_mark[16..31] ct_mark.force_snat = ct_mark[3] diff --git a/tests/server.py b/tests/server.py new file mode 100755 index 000000000..ac0321f20 --- /dev/null +++ b/tests/server.py 
@@ -0,0 +1,33 @@ +#!/usr/bin/env python3 + +import socket +import argparse + + +def start_server(host='127.0.0.1', port=10000): + # Create a TCP/IP socket + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server_socket: + server_socket.bind((host, port)) + server_socket.listen() + with open("output.txt", "a") as f: + f.write("Server Ready\n") + while True: + client_socket, client_address = server_socket.accept() + with client_socket: + # Receive the data from the client in chunks and write + # to a file + data = client_socket.recv(1024) + while data: + with open("output.txt", "a") as f: + f.write(data.decode()) + data = client_socket.recv(1024) + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + group = parser.add_argument_group() + group.add_argument("-i", "--bind-host") + group.add_argument("-p", "--bind-port", type=int) + args = parser.parse_args() + + start_server(args.bind_host, args.bind_port) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 2035c7190..d62aa94a9 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at 
@@ -14402,6 +14402,185 @@ as OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d /failed to query port patch-.*/d /.*terminating with signal 15.*/d"]) + +AT_CLEANUP +]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ACLs - persistent sessions]) + +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +ovn_start +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +ovs-vsctl set-fail-mode br-ext standalone +# Set external-ids in br-int needed for ovn-controller +ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +start_daemon ovn-controller + +# For this test, we want to ensure that established traffic +# is allowed on ACLs when the persist-established option +# is enabled. +# +# To start, we will set up allow-related ACLs. +# We will send traffic and ensure it is allowed. Then we will adjust +# the ACL so it no longer matches, and we will ensure that the traffic +# is no longer allowed. +# +# Next, we will reset the ACL to its initial state, but we will also +# change the ACL to have persist-established enabled. +# We will flush conntrack, and rerun the test exactly as before. +# The difference this time is that after we adjust the ACL so it no +# longer matches, the traffic should still be allowed. + +check ovn-nbctl ls-add sw +check ovn-nbctl lsp-add sw swp1 -- lsp-set-addresses swp1 "00:00:00:00:00:01 192.168.1.1" +check ovn-nbctl lsp-add sw swp2 -- lsp-set-addresses swp2 "00:00:00:00:00:02 192.168.1.2" + +ADD_NAMESPACES(swp1) +ADD_VETH(swp1, swp1, br-int, "192.168.1.1/24", "00:00:00:00:00:01") + +ADD_NAMESPACES(swp2) +ADD_VETH(swp2, swp2, br-int, "192.168.1.2/24", "00:00:00:00:00:02") + +# Start a TCP server on swp2. 
+NETNS_DAEMONIZE(swp2, [server.py -i 192.168.1.2 -p 10000], [server.pid]) + +# Ensure TCP server is ready for connections +OVS_WAIT_FOR_OUTPUT([cat output.txt], [0], [dnl +Server Ready +]) +: > output.txt + +# Make a FIFO and send its output to a client +# from swp1 +mkfifo /tmp/myfifo +on_exit 'rm -rf /tmp/myfifo' + +NETNS_DAEMONIZE(swp1, [client.py -f "/tmp/myfifo" -i 192.168.1.2 -p 10000], [client.pid]) + +# First, ensure that we have basic connectivity before we even start setting +# up ACLs. +AT_CHECK([printf "test\n" > /tmp/myfifo], [0], [dnl +]) + +OVS_WAIT_FOR_OUTPUT([cat output.txt], [0], [dnl +test +]) + +: > output.txt + +check ovn-nbctl acl-add sw from-lport 1000 'ip4.dst == 192.168.1.2' allow-related +check ovn-nbctl acl-add sw from-lport 0 '1' drop + +# Do another basic connectivity check to ensure the ACL is allowing traffic as expected. +AT_CHECK([printf "test\n" > /tmp/myfifo], [0], [dnl +]) + +OVS_WAIT_FOR_OUTPUT([cat output.txt], [0], [dnl +test +]) + +: > output.txt + +# At this point, I need to adjust the ACL so it no longer matches. We then need +# to ensure that the traffic does not pass. How we test this is...interesting. I'm +# not sure how to test for a negative condition accurately. + +acl_uuid=$(fetch_column nb:ACL _uuid priority=1000) + +# Update the ACL so that it no longer matches our client-server traffic +check ovn-nbctl set ACL $acl_uuid match="\"ip4.dst == 192.168.1.3\"" + +# Send another packet from the client to the server. +AT_CHECK([printf "test\n" > /tmp/myfifo], [0], [dnl +]) + +# The traffic should be blocked. We'll check the "drop" ACL to see if it has +# been hit. We can't predict the number of packets that will be seen, but we know +# it will be non-zero. 
+lflow_table=$(ovn-debug lflow-stage-to-ltable ls_in_acl_eval) +drop_acl_lflow_uuid=$(fetch_column Logical_Flow _uuid pipeline=ingress table_id=$lflow_table priority=1000 match="\"reg0[[9]] == 1 && (1)\"") +drop_acl_cookie=$(ovn-debug uuid-to-cookie $drop_acl_lflow_uuid) + +OVS_WAIT_FOR_OUTPUT([ovs-ofctl dump-flows br-int | grep "cookie=$drop_acl_cookie" | grep -c "n_packets=[[1-9]][[0-9]]*"], [0], [dnl +1 +]) + +# And just to be safe, let's make sure the output file is still empty +AT_CHECK([cat output.txt], [0], [dnl +]) + +# Reset the client and server processes so that we create a new connection +client_pid=$(cat client.pid) +server_pid=$(cat server.pid) +kill $server_pid +kill $client_pid +OVS_WAIT_WHILE([kill -0 $server_pid 2>/dev/null]) +OVS_WAIT_WHILE([kill -0 $client_pid 2>/dev/null]) + +NETNS_DAEMONIZE(swp2, [server.py -i 192.168.1.2 -p 20000], [server.pid]) +# +# Ensure TCP server is ready for connections +OVS_WAIT_FOR_OUTPUT([cat output.txt], [0], [dnl +Server Ready +]) +: > output.txt + +NETNS_DAEMONIZE(swp1, [client.py -f "/tmp/myfifo" -i 192.168.1.2 -p 20000], [client.pid]) + +# Now we'll re-set the ACL to allow the traffic. +check ovn-nbctl set ACL $acl_uuid match="\"ip4.dst == 192.168.1.2\"" + +# We'll also enable persist-established. 
+check ovn-nbctl --wait=hv set ACL $acl_uuid options:persist-established=true + +# Make sure traffic passes +AT_CHECK([printf "test\n" > /tmp/myfifo], [0], [dnl +]) + +OVS_WAIT_FOR_OUTPUT([cat output.txt], [0], [dnl +test +]) + +: > output.txt + +# Adjust the ACL so that it no longer matches +check ovn-nbctl set ACL $acl_uuid match="\"ip4.dst == 192.168.1.3\"" + +# Traffic should still pass +AT_CHECK([printf "test\n" > /tmp/myfifo], [0], [dnl +]) + +OVS_WAIT_FOR_OUTPUT([cat output.txt], [0], [dnl +test +]) + +: > output.txt + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d"]) + AT_CLEANUP ]) -- 2.45.2 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
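Review bot: The ovn_trace expectation hunks (the ct_commit lines gaining `ct_mark.allow_established = reg0[[20]];`) are consistent with each other, including the second, shorter `ct_commit { ct_mark.blocked = 0; ct_mark.allow_established = reg0[[20]]; };` in the ls_out traces, so nothing to change there; but the context line `dnl Trace estasblished connections.` (typo for "established") sits right next to three of these hunks and could be corrected while these lines are already being touched.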
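Review bot: The AT_SETUP title `ACL persistent ID - Logical Flows` does not name the option under test and "persistent ID" is not a term used anywhere else in the patch; rename it to something like `ACL persist-established - Logical Flows` so a `-k persist-established` testsuite filter finds it. The closing dnl comment ("we'll check other ACL actions and ensure that "persist-established" sets the relevant CT values to 0") is also misleading: what the loop and the drop/reject/pass blocks actually verify is that, with `options:persist-established=true` still set on all three ACLs, no verdict other than allow-related emits `reg0[[20]] = 1` at all. Finally, only the `reg0[[7]] == 1` variant of each allow-related flow gains `reg0[[20]] = 1` while the `reg0[[8]] == 1` variant is unchanged; a one-line dnl comment saying why that is intended would save the next reader a trip to northd.c.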
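Review bot: `ct_mark.allow_established = ct_mark[6]` in tests/ovn.at allocates a new conntrack mark bit, and the visible context only shows `ct_mark[0]` (blocked), `ct_mark[3]` (force_snat) and `ct_mark[16..31]` (ecmp_reply_port), so this hunk alone does not let a reviewer confirm bit 6 is unused; please state in the commit message where the existing ct_mark bit assignments live and that bit 6 is free, and make sure the same field is added to the logical-field declaration and documentation that this test symbol table mirrors (not visible in these hunks). The entry is correctly placed in alphabetical order before `ct_mark.blocked`.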
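Review bot: In tests/server.py the defaults in `def start_server(host='127.0.0.1', port=10000)` are never used, because `start_server(args.bind_host, args.bind_port)` passes `None` for any flag that was not given and `server_socket.bind((None, None))` fails; either put `default='127.0.0.1'` and `default=10000` on the two `add_argument` calls or mark both flags `required=True`. Two style points in the same file: `parser.add_argument_group()` with no title adds nothing, so plain `parser.add_argument(...)` reads better, and `client_address` from `server_socket.accept()` is unused (`_` would do). Since `server.py` and `client.py` are invoked by bare name from system-ovn.at, they also need to be listed in tests/automake.mk so they are distributed and on PATH in the test environment, if that is not already done in a part of the patch outside these hunks.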
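Review bot: `ovs-vsctl set-fail-mode br-ext standalone` at the top of the "ACLs - persistent sessions" test refers to a bridge the test never creates (only `ADD_BR([br-int])` precedes it), and because it is not wrapped in `check` its failure is silently ignored; drop the line. The setup comment says "We will flush conntrack, and rerun the test exactly as before", but the body never flushes conntrack; it kills and restarts server.py and client.py on port 20000 to obtain a fresh connection, so the comment should describe that instead. And `mkfifo /tmp/myfifo` uses a fixed absolute path that collides when the suite runs in parallel or when an aborted earlier run left the FIFO behind; create it under the test's working directory (e.g. `$ovs_base`) rather than /tmp.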
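Review bot: The second `check ovn-nbctl set ACL $acl_uuid match="\"ip4.dst == 192.168.1.3\""` (the one followed by "# Traffic should still pass") is not synchronized with the hypervisor, so the `test` line can reach the server before ovn-controller has installed the narrowed flows and the persist-established check passes vacuously; use `check ovn-nbctl --wait=hv set ACL ...` there, as is already done for `options:persist-established=true`, so the positive check only runs once the narrowed match is in effect. The earlier negative check does not have this problem because `OVS_WAIT_FOR_OUTPUT` polls the drop flow's `n_packets` counter until it becomes non-zero. It would also be worth asserting, after the final "Traffic should still pass" check, that the drop flow's counter did not increase, so the test proves the packet was allowed by the established path and not merely retransmitted until the ACL caught up.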