The test was setting ACL rules, then sending packets, then changing the ACL rules, then sending packets again. It only checked at the end whether those packets were properly received/dropped. It should check whether the packets are properly received/dropped before updating the ACL rules for the second test phase, as otherwise there is no guarantee that the packets are fully handled when we update the ACL rules.
Signed-off-by: Xavier Simonart <xsimo...@redhat.com>
---
 tests/ovn.at | 76 ++++++++++++++++++++++++++++------------------------
 1 file changed, 41 insertions(+), 35 deletions(-)
diff --git a/tests/ovn.at b/tests/ovn.at
index b1bdae7d2..863f7c71d 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -18919,6 +18919,46 @@ for sf in 0 1; do
 done
 done
+check_packets() {
+ n_allowed=$1
+ > expected
+ > received
+ for i in 1 2 3; do
+ echo "--- hv$i vif${i}1" | tee -a expected >> received
+ sort ${i}1.expected >> expected
+ $PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv$i/vif${i}1-tx.pcap | sort >> received
+ echo | tee -a expected >> received
+ done
+
+ # need to verify the log for ACL hit as well, since in the allow case
+ # (unlike the drop case) it is tricky to pass just with the expected;
+ # since with the stateful rule the packet will still get by (default
+ # rule) even if it doesn't hit the allow rule.
+ # The hit count for the ACL is 6 (1 unicast + 2 non-unicast) * 2
+ # (with/without stateful rule) for hv1 and hv2, each.
+ cat >>expected <<EOF
+--- acl logging
+hv1_drop hit 6
+hv2_drop hit 6
+hv1_allow hit $n_allowed
+hv2_allow hit $n_allowed
+EOF
+
+cat >>received <<EOF
+--- acl logging
+hv1_drop hit `grep -c 'acl_log.*|INFO|name="drop-acl"' hv1/ovn-controller.log`
+hv2_drop hit `grep -c 'acl_log.*|INFO|name="drop-acl"' hv2/ovn-controller.log`
+hv1_allow hit `grep -c 'acl_log.*|INFO|name="allow-acl"' hv1/ovn-controller.log`
+hv2_allow hit `grep -c 'acl_log.*|INFO|name="allow-acl"' hv2/ovn-controller.log`
+EOF
+
+ $at_diff expected received >/dev/null
+}
+
+# We need to wait and check here that packets are received as they should as otherwise packets
+# which were just sent might by handled after setting next ACL (allow) rules.
+OVS_WAIT_UNTIL([check_packets 0], [$at_diff -F'^---' expected received])
+
 # Test allow rule
 #----------------
 ovn-nbctl acl-del lsw0
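Review bot: The comment above the `cat >>expected` here-doc in `check_packets` still describes a fixed hit count of 6, but the allow count is now the caller-supplied `$n_allowed` (0 at this call, 6 at the later one), so it should say that the 6 applies to the drop ACL and why 0 allow hits are expected after the drop phase. Because the log hit count is what shows a packet matched the ACL under test rather than the default rule, a call without an argument should fail visibly instead of producing `hv1_allow hit ` and waiting for the timeout; something like `n_allowed=${1:?allow-acl hit count required}` would do that, assuming aborting the test there is acceptable. The new comment before `OVS_WAIT_UNTIL` has a typo: `might by handled` should read `might be handled`.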
@@ -18967,41 +19007,7 @@ as hv3 ovs-ofctl -O OpenFlow13 dump-flows br-int > offlows3
 # Now check the packets actually received against the ones expected.
 AT_CAPTURE_FILE([expected])
 AT_CAPTURE_FILE([received])
-check_packets() {
- > expected
- > received
- for i in 1 2 3; do
- echo "--- hv$i vif${i}1" | tee -a expected >> received
- sort ${i}1.expected >> expected
- $PYTHON "$ovs_srcdir/utilities/ovs-pcap.in" hv$i/vif${i}1-tx.pcap | sort >> received
- echo | tee -a expected >> received
- done
-
- # need to verify the log for ACL hit as well, since in the allow case
- # (unlike the drop case) it is tricky to pass just with the expected;
- # since with the stateful rule the packet will still get by (default
- # rule) even if it doesn't hit the allow rule.
- # The hit count for the ACL is 6 (1 unicast + 2 non-unicast) * 2
- # (with/without stateful rule) for hv1 and hv2, each.
- cat >>expected <<EOF
---- acl logging
-hv1_drop hit 6
-hv2_drop hit 6
-hv1_allow hit 6
-hv2_allow hit 6
-EOF
-
-cat >>received <<EOF
---- acl logging
-hv1_drop hit `grep -c 'acl_log.*|INFO|name="drop-acl"' hv1/ovn-controller.log`
-hv2_drop hit `grep -c 'acl_log.*|INFO|name="drop-acl"' hv2/ovn-controller.log`
-hv1_allow hit `grep -c 'acl_log.*|INFO|name="allow-acl"' hv1/ovn-controller.log`
-hv2_allow hit `grep -c 'acl_log.*|INFO|name="allow-acl"' hv2/ovn-controller.log`
-EOF
-
- $at_diff expected received >/dev/null
-}
-OVS_WAIT_UNTIL([check_packets], [$at_diff -F'^---' expected received])
+OVS_WAIT_UNTIL([check_packets 6], [$at_diff -F'^---' expected received])
 OVN_CLEANUP([hv1],[hv2],[hv3])
--
2.31.1
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev