Prior to this patch, traffic to LSPs that are disabled with `ovn-nbctl lsp-set-enabled <LSP> disabled` was dropped at the end of the lswitch egress pipeline. This means that the traffic is processed in vain: - traffic that should be dropped first travels from one chassis to another (if the source and destination LSPs reside on different nodes) and is dropped only on the destination chassis; - when such traffic reaches the destination chassis and stateful services are enabled within the logical switch, the traffic is first sent to conntrack and dropped only after that.
So it is costly to drop traffic in such manner especially in case LSP is disabled to prevent any harmful traffic to affect infrastructure. This patch changes "to-lport" drop behaviour. Now it is dropped in lswitch ingress pipeline to avoid sending traffic to disabled LSP from one chassis to another. Traffic doesn't reach conntrack in destination LSP's zone now as well. Port security testcases are updated. Signed-off-by: Vladislav Odintsov <odiv...@gmail.com> --- northd/northd.c | 22 +++--- tests/ovn-northd.at | 184 +++++++++++++++++++++++++++----------------- 2 files changed, 128 insertions(+), 78 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 4a40ec9b0..5497a88ca 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -5475,9 +5475,8 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct hmap *lflows, ds_clear(match); ds_put_format(match, "outport == %s", op->json_key); ovn_lflow_add_with_lport_and_hint( - lflows, op->od, S_SWITCH_OUT_CHECK_PORT_SEC, 150, - ds_cstr(match), REGBIT_PORT_SEC_DROP" = 1; next;", - op->key, &op->nbsp->header_); + lflows, op->od, S_SWITCH_IN_L2_UNKNOWN, 50, ds_cstr(match), + "drop;", op->key, &op->nbsp->header_); return; } @@ -8466,6 +8465,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, * Ethernet address followed by zero or more IPv4 * or IPv6 addresses (or both). */ struct eth_addr mac; + bool lsp_enabled = lsp_is_enabled(op->nbsp); + char *action = lsp_enabled ? "output" : "drop"; if (ovs_scan(op->nbsp->addresses[i], ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) { ds_clear(match); 
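Review bot: With the priority-150 `outport == <port>` flow removed from `S_SWITCH_OUT_CHECK_PORT_SEC`, nothing in the egress pipeline rejects delivery to a disabled LSP any more, and the replacement in `S_SWITCH_IN_L2_UNKNOWN` only sees packets that reach that stage with this port as a unicast `outport`. Packets whose `outport` is a multicast group such as `_MC_flood`, or that an earlier ingress table outputs directly, never hit the new match, so isolation now depends on disabled ports being left out of every such group and flow, which this hunk does not show. Since the commit message names containment of harmful traffic as a use case, consider keeping the egress flow as a cheap backstop beside the new ingress drop, or, if the invariant holds, record it in a comment such as `/* Disabled ports are never members of a multicast group, so dropping on the unicast outport in ingress is sufficient. */`. The diffstat lists only northd.c and the test file, so the logical-flow documentation for these two stages probably needs the same update. The body of build_lswitch_port_sec_op starts outside the hunk.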
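Review bot: `action` points at string literals and should be declared `const char *action = lsp_enabled ? "output" : "drop";`, so that a write through it is rejected at compile time instead of being undefined behaviour. Neither `lsp_enabled` nor `action` depends on `i`, yet both appear to be recomputed for every entry of `op->nbsp->addresses`. The loop header is outside the hunk, but if that reading is right the two declarations belong before the loop.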
@@ -8473,13 +8474,14 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, ETH_ADDR_ARGS(mac)); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, "outport = %s; %s;", op->json_key, + action); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); } else if (!strcmp(op->nbsp->addresses[i], "unknown")) { - if (lsp_is_enabled(op->nbsp)) { + if (lsp_enabled) { ovs_mutex_lock(&mcgroup_mutex); ovn_multicast_add(mcgroups, &mc_unknown, op); ovs_mutex_unlock(&mcgroup_mutex); @@ -8496,7 +8498,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, ETH_ADDR_ARGS(mac)); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, "outport = %s; %s;", op->json_key, + action); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), @@ -8544,7 +8547,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, } ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", op->json_key); + ds_put_format(actions, "outport = %s; %s;", op->json_key, + action); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), ds_cstr(actions), @@ -8567,8 +8571,8 @@ build_lswitch_ip_unicast_lookup(struct ovn_port *op, nat->logical_port); ds_clear(actions); - ds_put_format(actions, "outport = %s; output;", - op->json_key); + ds_put_format(actions, "outport = %s; %s;", + op->json_key, action); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, ds_cstr(match), diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index d5136ac6d..521942aeb 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
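Review bot: For a disabled port the format string `"outport = %s; %s;"` yields `outport = "sw0p1"; drop;`, that is, `drop` preceded by another action. As far as I know OVN's action parser accepts `drop;` only as the sole action of a flow, so ovn-controller would likely reject these logical flows and traffic to the disabled port's MAC would fall through to the priority-0 `get_fdb` lookup instead of being dropped here; please confirm against the parser. Emitting the bare action avoids the question: `if (lsp_enabled) { ds_put_format(actions, "outport = %s; output;", op->json_key); } else { ds_put_cstr(actions, "drop;"); }`. The same pattern repeats in the hunks at -8496, -8544 and -8567, and the northd test compares flow text only, so it would not catch a parse failure.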
@@ -7425,16 +7425,22 @@ check ovn-nbctl --wait=sb ls-add sw0 ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + 
table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-add sw0 sw0p1 -- lsp-set-addresses sw0p1 "00:00:00:00:00:01" 
@@ -7444,16 +7450,24 @@ check ovn-nbctl --wait=sb lsp-add sw0 localnetport -- lsp-set-type localnetport ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup 
), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl lsp-set-port-security sw0p1 "00:00:00:00:00:01 10.0.0.3 1000::3" 
@@ -7462,16 +7476,24 @@ check ovn-nbctl --wait=sb lsp-set-port-security sw0p2 "00:00:00:00:00:02 10.0.0. ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup 
), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) # Disable sw0p1 
@@ -7480,37 +7502,53 @@ check ovn-nbctl --wait=sb set logical_switch_port sw0p1 enabled=false ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl --wait=sb lsp-set-options sw0p2 qdisc_queue_id=10 
ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_check_port_sec), priority=150 , match=(outport == "sw0p1"), action=(reg0[[15]] = 1; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(inport == "sw0p1"), action=(reg0[[15]] = 1; next;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; drop;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "sw0p1"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + 
table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) check ovn-nbctl set logical_switch_port sw0p1 enabled=true 
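Review bot: The expectations for the disabled `sw0p1` pin only the text of the logical flows (`outport = "sw0p1"; drop;` and the new `ls_in_l2_unknown` entry); nothing visible in this hunk checks that a packet addressed to the disabled port is actually dropped. It also leaves uncovered whether traffic flooded through `_MC_flood` still stays away from the port now that the priority-150 `ls_out_check_port_sec` flow is gone. A behavioural check after the `enabled=false` step would close that gap, for example `ovn-trace sw0 'inport == "sw0p2" && eth.src == 00:00:00:00:00:02 && eth.dst == 00:00:00:00:00:01'` with the expectation that the trace ends in a drop, plus a second trace using a broadcast `eth.dst`.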
@@ -7519,20 +7557,28 @@ check ovn-nbctl --wait=sb lsp-set-options localnetport qdisc_queue_id=10 ovn-sbctl dump-flows sw0 > sw0flows AT_CAPTURE_FILE([sw0flows]) -AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 's/table=./table=?/' ], [0], [dnl - table=? (ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) - table=? (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) - table=? (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) - table=? (ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) - table=? (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) - table=? (ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) - table=? (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) - table=? (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) - table=? (ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) - table=? (ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) - table=? 
(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) +AT_CHECK([cat sw0flows | grep -e port_sec -e ls_in_l2_lkup -e ls_in_l2_unknown | \ +sort | sed 's/table=../table=??/' ], [0], [dnl + table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]), action=(drop;) + table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) + table=??(ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);) + table=??(ls_in_check_port_sec), priority=70 , match=(inport == "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;) + table=??(ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) + table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) + table=??(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) + table=??(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(handle_svc_check(inport);) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0p1"; output;) + table=??(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0p2"; output;) + table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) + table=??(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) + table=??(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(drop;) + table=??(ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[[15]] = check_out_port_sec(); next;) + table=??(ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[[15]] = 0; next;) + 
table=??(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) + table=??(ls_out_apply_port_sec), priority=100 , match=(outport == "localnetport"), action=(set_queue(10); output;) + table=??(ls_out_apply_port_sec), priority=50 , match=(reg0[[15]] == 1), action=(drop;) ]) AT_CLEANUP -- 2.36.1 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev