> > From: Numan Siddique <[email protected]> > > The icmp packet generated by ovn-controller for reject ACL action > for non TCP packets is not getting delivered to the sender of > the original packet. This is because the icmp packets are skipped > from out_pre_lb/out_pre_acl logical switch egress pipeline and this > results in these icmp packets getting dropped in the ACL stage because > of invalid ct flags. This patch fixes this issue by removing those logical > flows. The IP checksum generated by ovn-controller is invalid. This patch > fixes this issue as well. > > Signed-off-by: Numan Siddique <[email protected]>
Tested-by: Lorenzo Bianconi <[email protected]> > --- > controller/pinctrl.c | 102 ++++++++++++++++++++++++++++--------------- > northd/ovn-northd.c | 22 +++++----- > tests/ovn.at | 46 +++++++++---------- > tests/system-ovn.at | 95 ++++++++++++++++++++++++++++++++-------- > 4 files changed, 177 insertions(+), 88 deletions(-) > > diff --git a/controller/pinctrl.c b/controller/pinctrl.c > index 3230bb386..63796d88c 100644 > --- a/controller/pinctrl.c > +++ b/controller/pinctrl.c > @@ -1453,7 +1453,7 @@ static void > pinctrl_handle_icmp(struct rconn *swconn, const struct flow *ip_flow, > struct dp_packet *pkt_in, > const struct match *md, struct ofpbuf *userdata, > - bool include_orig_ip_datagram) > + bool set_icmp_code) > { > /* This action only works for IP packets, and the switch should only send > * us IP packets this way, but check here just to be sure. */ > @@ -1500,46 +1500,51 @@ pinctrl_handle_icmp(struct rconn *swconn, const > struct flow *ip_flow, > packet_set_ipv4(&packet, ip_flow->nw_src, ip_flow->nw_dst, > ip_flow->nw_tos, 255); > > + uint8_t icmp_code = 1; > + if (set_icmp_code && in_ip->ip_proto == IPPROTO_UDP) { > + icmp_code = 3; > + } > + > struct icmp_header *ih = dp_packet_put_zeros(&packet, sizeof *ih); > dp_packet_set_l4(&packet, ih); > - packet_set_icmp(&packet, ICMP4_DST_UNREACH, 1); > - > - if (include_orig_ip_datagram) { > - /* RFC 1122: 3.2.2 MUST send at least the IP header and 8 bytes > - * of header. MAY send more. > - * RFC says return as much as we can without exceeding 576 > - * bytes. > - * So, lets return as much as we can. */ > - > - /* Calculate available room to include the original IP + data. */ > - nh = dp_packet_l3(&packet); > - uint16_t room = 576 - (sizeof *eh + ntohs(nh->ip_tot_len)); > - if (in_ip_len > room) { > - in_ip_len = room; > - } > - dp_packet_put(&packet, in_ip, in_ip_len); > - > - /* dp_packet_put may reallocate the buffer. Get the l3 and l4 > - * header pointers again. */ > - nh = dp_packet_l3(&packet); > - ih = dp_packet_l4(&packet); > - uint16_t ip_total_len = ntohs(nh->ip_tot_len) + in_ip_len; > - nh->ip_tot_len = htons(ip_total_len); > - ih->icmp_csum = 0; > - ih->icmp_csum = csum(ih, sizeof *ih + in_ip_len); > - nh->ip_csum = 0; > - nh->ip_csum = csum(nh, sizeof *nh); > - } > + packet_set_icmp(&packet, ICMP4_DST_UNREACH, icmp_code); > + > + /* RFC 1122: 3.2.2 MUST send at least the IP header and 8 bytes > + * of header. MAY send more. > + * RFC says return as much as we can without exceeding 576 > + * bytes. > + * So, lets return as much as we can. */ > + > + /* Calculate available room to include the original IP + data. */ > + nh = dp_packet_l3(&packet); > + uint16_t room = 576 - (sizeof *eh + ntohs(nh->ip_tot_len)); > + if (in_ip_len > room) { > + in_ip_len = room; > + } > + dp_packet_put(&packet, in_ip, in_ip_len); > + > + /* dp_packet_put may reallocate the buffer. Get the l3 and l4 > + * header pointers again. */ > + nh = dp_packet_l3(&packet); > + ih = dp_packet_l4(&packet); > + uint16_t ip_total_len = ntohs(nh->ip_tot_len) + in_ip_len; > + nh->ip_tot_len = htons(ip_total_len); > + ih->icmp_csum = 0; > + ih->icmp_csum = csum(ih, sizeof *ih + in_ip_len); > + nh->ip_csum = 0; > + nh->ip_csum = csum(nh, sizeof *nh); > + > } else { > struct ip6_hdr *nh = dp_packet_put_zeros(&packet, sizeof *nh); > struct icmp6_data_header *ih; > uint32_t icmpv6_csum; > + struct ip6_hdr *in_ip = dp_packet_l3(pkt_in); > > eh->eth_type = htons(ETH_TYPE_IPV6); > dp_packet_set_l3(&packet, nh); > nh->ip6_vfc = 0x60; > nh->ip6_nxt = IPPROTO_ICMPV6; > - nh->ip6_plen = htons(sizeof(*nh) + ICMP6_DATA_HEADER_LEN); > + nh->ip6_plen = htons(ICMP6_DATA_HEADER_LEN); > packet_set_ipv6(&packet, &ip_flow->ipv6_src, &ip_flow->ipv6_dst, > ip_flow->nw_tos, ip_flow->ipv6_label, 255); > > @@ -1547,15 +1552,42 @@ pinctrl_handle_icmp(struct rconn *swconn, const > struct flow *ip_flow, > dp_packet_set_l4(&packet, ih); > ih->icmp6_base.icmp6_type = ICMP6_DST_UNREACH; > ih->icmp6_base.icmp6_code = 1; > + > + if (set_icmp_code && in_ip->ip6_nxt == IPPROTO_UDP) { > + ih->icmp6_base.icmp6_code = ICMP6_DST_UNREACH_NOPORT; > + } > ih->icmp6_base.icmp6_cksum = 0; > > - uint8_t *data = dp_packet_put_zeros(&packet, sizeof *nh); > - memcpy(data, dp_packet_l3(pkt_in), sizeof(*nh)); > + nh = dp_packet_l3(&packet); > + > + /* RFC 4443: 3.1. > + * > + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 > + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > + * | Type | Code | Checksum | > + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > + * | Unused | > + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > + * | As much of invoking packet | > + * + as possible without the ICMPv6 packet + > + * | exceeding the minimum IPv6 MTU [IPv6] | > + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > + */ > + > + uint16_t room = 1280 - (sizeof *eh + sizeof *nh + > + ICMP6_DATA_HEADER_LEN); > + uint16_t in_ip_len = (uint16_t) sizeof *in_ip + > ntohs(in_ip->ip6_plen); > + if (in_ip_len > room) { > + in_ip_len = room; > + } > + > + dp_packet_put(&packet, in_ip, in_ip_len); > + nh->ip6_plen = htons(ICMP6_DATA_HEADER_LEN + in_ip_len); > > icmpv6_csum = packet_csum_pseudoheader6(dp_packet_l3(&packet)); > ih->icmp6_base.icmp6_cksum = csum_finish( > csum_continue(icmpv6_csum, ih, > - sizeof(*nh) + ICMP6_DATA_HEADER_LEN)); > + in_ip_len + ICMP6_DATA_HEADER_LEN)); > } > > if (ip_flow->vlans[0].tci & htons(VLAN_CFI)) { > @@ -2646,12 +2678,12 @@ process_packet_in(struct rconn *swconn, const struct > ofp_header *msg) > > case ACTION_OPCODE_ICMP: > pinctrl_handle_icmp(swconn, &headers, &packet, &pin.flow_metadata, > - &userdata, false); > + &userdata, true); > break; > > case ACTION_OPCODE_ICMP4_ERROR: > pinctrl_handle_icmp(swconn, &headers, &packet, &pin.flow_metadata, > - &userdata, true); > + &userdata, false); > break; > > case ACTION_OPCODE_TCP_RESET: > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index 63753ac61..eb459c8c4 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c > @@ -4724,12 +4724,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap > *lflows) > * Not to do conntrack on ND and ICMP destination > * unreachable packets. */ > ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, > - "nd || nd_rs || nd_ra || icmp4.type == 3 || " > - "icmp6.type == 1 || " > + "nd || nd_rs || nd_ra || " > "(udp && udp.src == 546 && udp.dst == 547)", "next;"); > ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, > - "nd || nd_rs || nd_ra || icmp4.type == 3 || " > - "icmp6.type == 1 || " > + "nd || nd_rs || nd_ra || " > "(udp && udp.src == 546 && udp.dst == 547)", "next;"); > > /* Ingress and Egress Pre-ACL Table (Priority 100). > @@ -4841,12 +4839,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap > *lflows, > { > /* Do not send ND packets to conntrack */ > ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, > - "nd || nd_rs || nd_ra || icmp4.type == 3 ||" > - "icmp6.type == 1", > + "nd || nd_rs || nd_ra", > "next;"); > ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, > - "nd || nd_rs || nd_ra || icmp4.type == 3 ||" > - "icmp6.type == 1", > + "nd || nd_rs || nd_ra", > "next;"); > > /* Do not send service monitor packets to conntrack. */ > @@ -5025,9 +5021,10 @@ build_reject_acl_rules(struct ovn_datapath *od, struct > hmap *lflows, > ds_put_format(&actions, "%s ", extra_actions->string); > } > ds_put_format(&actions, "reg0 = 0; " > - "eth.dst <-> eth.src; ip4.dst <-> ip4.src; " > - "icmp4 { outport <-> inport; %s };", > - ingress ? "output;" : "next(pipeline=ingress,table=0);"); > + "icmp4 { eth.dst <-> eth.src; ip4.dst <-> ip4.src; " > + "outport <-> inport; %s };", > + ingress ? "next(pipeline=egress,table=5);" > + : "next(pipeline=ingress,table=19);"); > ovn_lflow_add_with_hint(lflows, od, stage, > acl->priority + OVN_ACL_PRI_OFFSET, > ds_cstr(&match), ds_cstr(&actions), stage_hint); > @@ -5044,7 +5041,8 @@ build_reject_acl_rules(struct ovn_datapath *od, struct > hmap *lflows, > ds_put_format(&actions, "reg0 = 0; icmp6 { " > "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " > "outport <-> inport; %s };", > - ingress ? "output;" : "next(pipeline=ingress,table=0);"); > + ingress ? "next(pipeline=egress,table=5);" > + : "next(pipeline=ingress,table=19);"); > ovn_lflow_add_with_hint(lflows, od, stage, > acl->priority + OVN_ACL_PRI_OFFSET, > ds_cstr(&match), ds_cstr(&actions), stage_hint); > diff --git a/tests/ovn.at b/tests/ovn.at > index e6febd4c2..6467bdc42 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at > @@ -11813,13 +11813,13 @@ test_ip_packet() { > > local ip_ttl=ff > local > packet=${eth_dst}${eth_src}08004500001400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst} > - > + local > orig_pkt_in_reply=4500001400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst} > local reply_icmp_ttl=ff > local icmp_type_code_response=0301 > local icmp_data=00000000 > local > reply_icmp_payload=${icmp_type_code_response}${exp_icmp_chksum}${icmp_data} > - local > reply=${eth_src}${eth_dst}08004500001c00004000${reply_icmp_ttl}01${exp_ip_chksum}${ipv4_dst}${ipv4_src}${reply_icmp_payload} > - echo $reply >> vif$inport.expected > + local > reply=${eth_src}${eth_dst}08004500003000004000${reply_icmp_ttl}01${exp_ip_chksum}${ipv4_dst}${ipv4_src}${reply_icmp_payload} > + echo $reply$orig_pkt_in_reply >> vif$inport.expected > > as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet > } > @@ -11836,7 +11836,7 @@ test_ipv6_packet() { > local ip6_hdr=6000000000083aff${ipv6_src}${ipv6_dst} > local packet=${eth_dst}${eth_src}86dd${ip6_hdr}0000000000000000 > > - local > reply=${eth_src}${eth_dst}86dd6000000000303aff${ipv6_dst}${ipv6_src}0101${exp_icmp_chksum}00000000${ip6_hdr} > + local > reply=${eth_src}${eth_dst}86dd6000000000383aff${ipv6_dst}${ipv6_src}0101${exp_icmp_chksum}00000000${ip6_hdr}0000000000000000 > echo $reply >> vif$inport.expected > > as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet > @@ -11914,11 +11914,11 @@ ovn-nbctl --log acl-add sw0 from-lport 1000 "inport > == \"sw0-p21\"" reject > # Allow some time for ovn-northd and ovn-controller to catch up. > ovn-nbctl --timeout=3 --wait=hv sync > > -test_ip_packet 11 1 000000000011 000000000021 $(ip_to_hex 192 168 1 11) > $(ip_to_hex 192 168 1 21) 0000 7d8d fcfe > -test_ip_packet 21 2 000000000021 000000000011 $(ip_to_hex 192 168 1 21) > $(ip_to_hex 192 168 1 11) 0000 7d8d fcfe > -test_ip_packet 31 3 000000000031 000000000012 $(ip_to_hex 192 168 1 31) > $(ip_to_hex 192 168 1 12) 0000 7d82 fcfe > +test_ip_packet 11 1 000000000011 000000000021 $(ip_to_hex 192 168 1 11) > $(ip_to_hex 192 168 1 21) 0000 f85b f576 > +test_ip_packet 21 2 000000000021 000000000011 $(ip_to_hex 192 168 1 21) > $(ip_to_hex 192 168 1 11) 0000 f85b f576 > +test_ip_packet 31 3 000000000031 000000000012 $(ip_to_hex 192 168 1 31) > $(ip_to_hex 192 168 1 12) 0000 f850 f56b > > -test_ipv6_packet 11 1 000000000011 000000000021 > fe80000000000000020001fffe000001 fe80000000000000020001fffe000002 6183 > +test_ipv6_packet 11 1 000000000011 000000000021 > fe80000000000000020001fffe000001 fe80000000000000020001fffe000002 617b > > test_tcp_syn_packet 11 1 000000000011 000000000021 $(ip_to_hex 192 168 1 11) > $(ip_to_hex 192 168 1 21) 0000 8b40 3039 0000 b85f 70e4 > test_tcp_syn_packet 21 2 000000000021 000000000011 $(ip_to_hex 192 168 1 21) > $(ip_to_hex 192 168 1 11) 0000 8b40 3039 0000 b85f 70e4 > @@ -12871,13 +12871,13 @@ test_ip_packet() { > > local ip_ttl=01 > local > packet=${eth_dst}${eth_src}08004500001400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst} > - > + local > orig_pkt_in_reply=4500001400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst} > local reply_icmp_ttl=fe > local icmp_type_code_response=0b00 > local icmp_data=00000000 > local > reply_icmp_payload=${icmp_type_code_response}${exp_icmp_chksum}${icmp_data} > - local > reply=${eth_src}${eth_dst}08004500001c00004000${reply_icmp_ttl}01${exp_ip_chksum}${ip_router}${ipv4_src}${reply_icmp_payload} > - echo $reply >> vif$inport.expected > + local > reply=${eth_src}${eth_dst}08004500003000004000${reply_icmp_ttl}01${exp_ip_chksum}${ip_router}${ipv4_src}${reply_icmp_payload} > + echo $reply$orig_pkt_in_reply >> vif$inport.expected > > as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet > } > @@ -12895,7 +12895,7 @@ test_ip6_packet() { > local ip6_hdr=6000000000151101${ipv6_src}${ipv6_dst} > local > packet=${eth_dst}${eth_src}86dd${ip6_hdr}dbb8303900155bac6b646f65206676676e6d66720a > > - local > reply=${eth_src}${eth_dst}86dd6000000000303afe${ipv6_router}${ipv6_src}0300${exp_icmp_chksum}00000000${ip6_hdr} > + local > reply=${eth_src}${eth_dst}86dd6000000000453afe${ipv6_router}${ipv6_src}0300${exp_icmp_chksum}00000000${ip6_hdr}dbb8303900155bac6b646f65206676676e6d66720a > echo $reply >> vif$inport.expected > > as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet > @@ -12937,8 +12937,8 @@ OVN_POPULATE_ARP > # allow some time for ovn-northd and ovn-controller to catch up. > ovn-nbctl --wait=hv sync > > -test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) > $(ip_to_hex 192 168 2 1) $(ip_to_hex 192 168 1 254) 0000 7dae f4ff > -test_ip6_packet 1 1 000000000001 00000000ff01 > 20010db8000100000000000000000011 20010db8000200000000000000000011 > 20010db8000100000000000000000001 d461 > +test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) > $(ip_to_hex 192 168 2 1) $(ip_to_hex 192 168 1 254) 0000 f87c ea96 > +test_ip6_packet 1 1 000000000001 00000000ff01 > 20010db8000100000000000000000011 20010db8000200000000000000000011 > 20010db8000100000000000000000001 1c22 > OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected]) > > OVN_CLEANUP([hv1], [hv2]) > @@ -12967,12 +12967,12 @@ test_ip_packet() { > > local ip_ttl=ff > local > packet=${eth_dst}${eth_src}08004500001400004000${ip_ttl}${l4_proto}${ip_chksum}${ipv4_src}${ip_router} > - > + local > orig_pkt_in_reply=4500001400004000${ip_ttl}${l4_proto}${ip_chksum}${ipv4_src}${ip_router} > local reply_icmp_ttl=fe > local icmp_data=00000000 > local reply_icmp_payload=${exp_icmp_code}${exp_icmp_chksum}${icmp_data} > - local > reply=${eth_src}${eth_dst}08004500001c00004000${reply_icmp_ttl}01${exp_ip_chksum}${ip_router}${ipv4_src}${reply_icmp_payload} > - echo $reply >> vif$inport.expected > + local > reply=${eth_src}${eth_dst}08004500003000004000${reply_icmp_ttl}01${exp_ip_chksum}${ip_router}${ipv4_src}${reply_icmp_payload} > + echo $reply$orig_pkt_in_reply >> vif$inport.expected > > as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet > } > @@ -13038,7 +13038,9 @@ test_ip6_packet() { > local ip6_hdr=60000000${ipv6_len}${ipv6_proto}ff${ipv6_src}${ipv6_dst} > local packet=${eth_dst}${eth_src}86dd${ip6_hdr}${data} > > - local > reply=${eth_src}${eth_dst}86dd6000000000303afe${ipv6_dst}${ipv6_src}${exp_icmp_code}${exp_icmp_chksum}00000000${ip6_hdr} > + local reply_ip_len=`expr 48 + ${#data} / 2` > + reply_ip_len=$(printf "%x" $reply_ip_len) > + local > reply=${eth_src}${eth_dst}86dd6000000000${reply_ip_len}3afe${ipv6_dst}${ipv6_src}${exp_icmp_code}${exp_icmp_chksum}00000000${ip6_hdr}${data} > echo $reply >> vif$inport.expected > > as hv$hv ovs-appctl netdev-dummy/receive vif$inport $packet > @@ -13080,13 +13082,13 @@ OVN_POPULATE_ARP > # allow some time for ovn-northd and ovn-controller to catch up. > ovn-nbctl --wait=hv sync > > -test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) > $(ip_to_hex 192 168 1 254) 11 0000 7dae fcfc 0303 > -test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) > $(ip_to_hex 192 168 1 254) 84 0000 7dae fcfd 0302 > -test_ip6_packet 1 1 000000000001 00000000ff01 > 20010db8000100000000000000000011 20010db8000100000000000000000001 11 0015 > dbb8303900155bac6b646f65206676676e6d66720a 0104 d570 > +test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) > $(ip_to_hex 192 168 1 254) 11 0000 f87c f485 0303 > +test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) > $(ip_to_hex 192 168 1 254) 84 0000 f87c f413 0302 > +test_ip6_packet 1 1 000000000001 00000000ff01 > 20010db8000100000000000000000011 20010db8000100000000000000000001 11 0015 > dbb8303900155bac6b646f65206676676e6d66720a 0104 1d31 > OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected]) > > test_tcp_syn_packet 2 2 000000000002 00000000ff02 $(ip_to_hex 192 168 2 1) > $(ip_to_hex 192 168 2 254) 0000 8b40 3039 0000 b680 6e05 > -test_ip6_packet 2 2 000000000002 00000000ff02 > 20010db8000200000000000000000011 20010db8000200000000000000000001 84 0004 > 01020304 0103 627e > +test_ip6_packet 2 2 000000000002 00000000ff02 > 20010db8000200000000000000000011 20010db8000200000000000000000001 84 0004 > 01020304 0103 5e74 > test_tcp6_packet 2 2 000000000002 00000000ff02 > 20010db8000200000000000000000011 20010db8000200000000000000000001 8b40 3039 > 0000 98cd > OVN_CHECK_PACKETS([hv2/vif2-tx.pcap], [vif2.expected]) > > diff --git a/tests/system-ovn.at b/tests/system-ovn.at > index fa3b83cb1..117f1e835 100644 > --- a/tests/system-ovn.at > +++ b/tests/system-ovn.at > @@ -3697,7 +3697,7 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port > patch-.*/d > AT_CLEANUP > > > -AT_SETUP([ovn -- ACL reject - TCP reset]) > +AT_SETUP([ovn -- ACL reject]) > AT_SKIP_IF([test $HAVE_NC = no]) > AT_KEYWORDS([lb]) > > @@ -3736,13 +3736,14 @@ ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == > @pg0_drop && ip" drop > ovn-nbctl acl-add pg0_drop to-lport 1001 "outport == @pg0_drop && ip" drop > > ovn-nbctl pg-add pg0 sw0-p1-rej sw0-p2-rej > -ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4" allow-related > +ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip" allow-related > ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && tcp && > tcp.dst == 80" reject > +ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && udp && > udp.dst == 90" reject > > -ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == > 0.0.0.0/0 && icmp4" allow-related > ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == > 0.0.0.0/0 && tcp && tcp.dst == 82" allow-related > ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == > 0.0.0.0/0 && udp && udp.dst == 82" allow-related > ovn-nbctl --log acl-add pg0 to-lport 1004 "inport == @pg0 && ip && tcp && > tcp.dst == 84" reject > +ovn-nbctl --log acl-add pg0 to-lport 1004 "inport == @pg0 && ip && udp && > udp.dst == 94" reject > > OVN_POPULATE_ARP > ovn-nbctl --wait=hv sync > @@ -3758,33 +3759,38 @@ ADD_VETH(sw0-p2-rej, sw0-p2-rej, br-int, > "10.0.0.4/24", "50:54:00:00:00:04", \ > NS_CHECK_EXEC([sw0-p1-rej], [ip a a aef0::3/64 dev sw0-p1-rej], [0]) > NS_CHECK_EXEC([sw0-p2-rej], [ip a a aef0::4/64 dev sw0-p2-rej], [0]) > > -# Capture packets in sw0-p1-rej. > -NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 2 -i sw0-p1-rej tcp port 80 > > sw0-p1-rej-ip4.pcap &], [0]) > sleep 1 > > -NS_CHECK_EXEC([sw0-p1-rej], [nc 10.0.0.4 80], [1], [], > -[dnl > -Ncat: Connection refused. > -]) > +# Capture packets in sw0-p1-rej. > +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 4 -i sw0-p1-rej tcp > > sw0-p1-rej-ip4.pcap &], [0]) > + > +sleep 1 > > OVS_WAIT_UNTIL([ > - total=`cat sw0-p1-rej-ip4.pcap | wc -l` > - echo "total = $total" > - test "${total}" = "2" > + ip netns exec sw0-p1-rej nc 10.0.0.4 80 2> r > + res=$(cat r) > + test "$res" = "Ncat: Connection refused." > ]) > > # Now send traffic to port 84 > -NS_CHECK_EXEC([sw0-p1-rej], [nc 10.0.0.4 84], [1], [], > -[dnl > -Ncat: Connection refused. > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p1-rej nc 10.0.0.4 84 2> r > + res=$(cat r) > + test "$res" = "Ncat: Connection refused." > ]) > > -AT_CHECK([ > +OVS_WAIT_UNTIL([ > n_pkt=$(ovs-ofctl dump-flows br-int table=44 | grep -v n_packets=0 | \ > grep controller | grep tp_dst=84 -c) > test $n_pkt -eq 1 > ]) > > +OVS_WAIT_UNTIL([ > + total=`cat sw0-p1-rej-ip4.pcap | wc -l` > + echo "total = $total" > + test "${total}" = "4" > +]) > + > # Without this sleep, test case fails intermittently. > sleep 3 > > @@ -3792,17 +3798,68 @@ NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 2 -i > sw0-p2-rej tcp port 80 > sw0-p2- > > sleep 1 > > -NS_CHECK_EXEC([sw0-p2-rej], [nc -6 aef0::3 80], [1], [], > -[dnl > -Ncat: Connection refused. > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p2-rej nc -6 aef0::3 80 2> r > + res=$(cat r) > + test "$res" = "Ncat: Connection refused." > ]) > > + > OVS_WAIT_UNTIL([ > total=`cat sw0-p2-rej-ip6.pcap | wc -l` > echo "total = $total" > test "${total}" = "2" > ]) > > +# Now test for IPv4 UDP. > +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej udp port 90 > > sw0-p1-rej-udp.pcap &], [0]) > +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej icmp > > sw0-p1-rej-icmp.pcap &], [0]) > + > +echo "foo" > foo > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p1-rej nc -u 10.0.0.4 90 < foo > + c=$(cat sw0-p1-rej-icmp.pcap | grep \ > +"10.0.0.4 > 10.0.0.3: ICMP 10.0.0.4 udp port dnsix unreachable" | uniq | wc > -l) > + test $c -eq 1 > +]) > + > +rm -f *.pcap > + > +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej udp port 94 > > sw0-p1-rej-udp.pcap &], [0]) > +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 1 -i sw0-p1-rej icmp > > sw0-p1-rej-icmp.pcap &], [0]) > + > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p1-rej nc -u 10.0.0.4 94 < foo > + c=$(cat sw0-p1-rej-icmp.pcap | grep \ > +"10.0.0.4 > 10.0.0.3: ICMP 10.0.0.4 udp port objcall unreachable" | uniq | > wc -l) > + test $c -eq 1 > +]) > + > +# Now test for IPv6 UDP. > +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej udp port 90 > > sw0-p2-rej-ip6-udp.pcap &], [0]) > +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej icmp6 > > sw0-p2-rej-icmp6.pcap &], [0]) > + > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p2-rej nc -u -6 aef0::3 90 < foo > + c=$(cat sw0-p2-rej-icmp6.pcap | grep \ > +"IP6 aef0::3 > aef0::4: ICMP6, destination unreachable, unreachable port, \ > +aef0::3 udp port dnsix" | uniq | wc -l) > + test $c -eq 1 > +]) > + > +rm -f *.pcap > + > +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej udp port 94 > > sw0-p2-rej-ip6-udp.pcap &], [0]) > +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 1 -i sw0-p2-rej icmp6 > > sw0-p2-rej-icmp6.pcap &], [0]) > + > +OVS_WAIT_UNTIL([ > + ip netns exec sw0-p2-rej nc -u -6 aef0::3 94 < foo > + c=$(cat sw0-p2-rej-icmp6.pcap | grep \ > +"IP6 aef0::3 > aef0::4: ICMP6, destination unreachable, unreachable port, \ > +aef0::3 udp port objcall" | uniq | wc -l) > + test $c -eq 1 > +]) > + > OVS_APP_EXIT_AND_WAIT([ovn-controller]) > > as ovn-sb > -- > 2.25.1 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
