Use cidr_bits instead of ovs_be32 mask to compute logical flows priority for nat rules if exempted_ext_ips is specified. This patch fix an issue for IPv6 snat where exempted_ext_ips configuration does not take effect.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2066611 Signed-off-by: Lorenzo Bianconi <[email protected]> --- northd/northd.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 2fb0a93c2..c3a52b714 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -10171,7 +10171,7 @@ static inline void lrouter_nat_add_ext_ip_match(struct ovn_datapath *od, struct hmap *lflows, struct ds *match, const struct nbrec_nat *nat, - bool is_v6, bool is_src, ovs_be32 mask) + bool is_v6, bool is_src, int cidr_bits) { struct nbrec_address_set *allowed_ext_ips = nat->allowed_ext_ips; struct nbrec_address_set *exempted_ext_ips = nat->exempted_ext_ips; @@ -10207,7 +10207,7 @@ lrouter_nat_add_ext_ip_match(struct ovn_datapath *od, priority = 100 + 2; } else { /* S_ROUTER_OUT_SNAT uses priority (mask + 1 + 128 + 1) */ - priority = count_1bits(ntohl(mask)) + 3; + priority = cidr_bits + 3; if (!od->is_gw_router) { priority += 128; @@ -12728,7 +12728,7 @@ static void build_lrouter_in_dnat_flow(struct hmap *lflows, struct ovn_datapath *od, const struct nbrec_nat *nat, struct ds *match, struct ds *actions, bool distributed, - ovs_be32 mask, bool is_v6) + bool is_v6, int cidr_bits) { /* Ingress DNAT table: Packets enter the pipeline with destination * IP address that needs to be DNATted from a external IP address @@ -12746,7 +12746,7 @@ build_lrouter_in_dnat_flow(struct hmap *lflows, struct ovn_datapath *od, ds_clear(actions); if (nat->allowed_ext_ips || nat->exempted_ext_ips) { lrouter_nat_add_ext_ip_match(od, lflows, match, nat, - is_v6, true, mask); + is_v6, true, cidr_bits); } if (!lport_addresses_is_empty(&od->dnat_force_snat_addrs)) { @@ -12790,7 +12790,7 @@ build_lrouter_in_dnat_flow(struct hmap *lflows, struct ovn_datapath *od, ds_clear(actions); if (nat->allowed_ext_ips || nat->exempted_ext_ips) { lrouter_nat_add_ext_ip_match(od, lflows, match, nat, - is_v6, true, mask); + is_v6, true, cidr_bits); } if (!strcmp(nat->type, "dnat_and_snat") && stateless) { @@ -12893,8 +12893,7 @@ static void build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od, const struct nbrec_nat *nat, struct ds *match, struct ds *actions, bool distributed, - struct eth_addr mac, ovs_be32 mask, - int cidr_bits, bool is_v6) + struct eth_addr mac, int cidr_bits, bool is_v6) { /* Egress SNAT table: Packets enter the egress pipeline with * source ip address that needs to be SNATted to a external ip @@ -12912,7 +12911,7 @@ build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od, if (nat->allowed_ext_ips || nat->exempted_ext_ips) { lrouter_nat_add_ext_ip_match(od, lflows, match, nat, - is_v6, false, mask); + is_v6, false, cidr_bits); } if (!strcmp(nat->type, "dnat_and_snat") && stateless) { @@ -12960,7 +12959,7 @@ build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od, if (nat->allowed_ext_ips || nat->exempted_ext_ips) { lrouter_nat_add_ext_ip_match(od, lflows, match, nat, - is_v6, false, mask); + is_v6, false, cidr_bits); } if (distributed) { @@ -13305,7 +13304,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows, is_v6); /* S_ROUTER_IN_DNAT */ build_lrouter_in_dnat_flow(lflows, od, nat, match, actions, distributed, - mask, is_v6); + is_v6, cidr_bits); /* ARP resolve for NAT IPs. */ if (od->is_gw_router) { @@ -13344,7 +13343,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows, mac, is_v6); /* S_ROUTER_OUT_SNAT */ build_lrouter_out_snat_flow(lflows, od, nat, match, actions, distributed, - mac, mask, cidr_bits, is_v6); + mac, cidr_bits, is_v6); /* S_ROUTER_IN_ADMISSION - S_ROUTER_IN_IP_INPUT */ build_lrouter_ingress_flow(lflows, od, nat, match, actions, -- 2.35.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
