> On Apr 6, 2016, at 11:26 PM, Numan Siddique <nusid...@redhat.com> wrote:
>
>
> ​Thanks for the comments Justin. I tried a similar approach. It will not work
> in the cases where the port security address also has a prefix defined.
> For example with port security - "00:00:00:00:00:02 10.0.0.4/24", the ovn
> lexer parser is throwing the below error,
>
> -------
> lflow|WARN|error parsing match "outport == "sw0-port2" && eth.dst ==
> 00:00:00:00:00:02 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.4/24}":
> Value contains unmasked 1-bits.
> ------
Ah, it should probably be added to the unit tests to make sure we don't
reintroduce a problem. (Thanks for writing unit tests, by the way.) What if
you apply the mask first like the patch at the end of this message? I also
expanded your unit tests to include a check for the issue you mentioned.
--Justin
-=-=-=-=-=-=-
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 302cc1d..e60f72e 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -1179,8 +1179,11 @@ build_port_security_nd(struct ovn_port *op, struct hmap *
if (ps.n_ipv4_addrs) {
ds_put_cstr(&match, " && (");
for (size_t i = 0; i < ps.n_ipv4_addrs; i++) {
- ds_put_format(&match, "arp.spa == "IP_FMT" || ",
- IP_ARGS(ps.ipv4_addrs[i].addr));
+ ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen);
+ ds_put_cstr(&match, "arp.spa == ");
+ ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask,
+ &match);
+ ds_put_cstr(&match, " || ");
}
ds_chomp(&match, ' ');
ds_chomp(&match, '|');
@@ -1264,7 +1267,9 @@ build_port_security_ip(enum ovn_pipeline pipeline, struct
}
for (int i = 0; i < ps.n_ipv4_addrs; i++) {
- ds_put_format(&match, IP_FMT", ", IP_ARGS(ps.ipv4_addrs[i].addr
+ ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen);
+ ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, &match);
+ ds_put_cstr(&match, ", ");
}
/* Replace ", " by "}". */
diff --git a/tests/ovn.at b/tests/ovn.at
index 22121e1..d8bc395 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -1930,6 +1930,27 @@ for i in 1 2 3; do
test_ipv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip
done
+# configure lport13 to send and received IPv4 packets with an address range
+ovn-nbctl lport-set-port-security lp13 "f0:00:00:00:00:13 192.168.0.13 10.0.0.4
+
+sip=`ip_to_hex 10 0 0 14`
+tip=`ip_to_hex 192 168 0 23`
+# IPv4 packet from lport13 with src ip 10.0.0.14 destined to lport23
+# with dst ip 192.168.0.23 should be allowed
+test_ip 13 f00000000013 f00000000023 $sip $tip 23
+
+sip=`ip_to_hex 192 168 0 33`
+tip=`ip_to_hex 10 0 0 15`
+# IPv4 packet from lport33 with src ip 192.168.0.33 destined to lport13
+# with dst ip 10.0.0.15 should be received by lport13
+test_ip 33 f00000000033 f00000000013 $sip $tip 13
+
+sip=`ip_to_hex 10 0 0 13`
+tip=`ip_to_hex 192 168 0 22`
+# arp packet with inner ip 10.0.0.13 should be allowed for lport13
+test_arp 13 f00000000013 f00000000013 $sip $tip 0 f00000000022
+
+
# Allow some time for packet forwarding.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
