From: Xavier Simonart <[email protected]>
A) routed traffic and l3gw
B) non routed traffic and vxlan.
Routed traffic and l3gw
=======================
Configuration: p1 - LS1 - Router - LS2 - p2, with p1 on hv1, p2 on hv2 and
Router
a l3gw chassis on hv2.
If p1 sends an over-mtu packet towards p2, this will cause a
icmp_type=3,icmp_code=4
being received from the tunnel interface. It will be received back in LS1 from
LS1-router (l3gateway) port.
If some ACLs are present, icmp was sent to ct, resulting in ct_inv and packet
being dropped.
Before this patch and patch [1], l3gateway ports were ** sometimes **
considered as
related lports. There was no code adding such ports to related_lports ssets, but
L3gateway ports are sometimes created as patch ports (which are related_lports)
and then modified to l3gateway ports.
Until patch [1], such a port type modification did not cause the port to be
removed
from the sset. Hence, remote l3gateway ports were sometimes considered as
related ports,
and proper flows were installed to skip ct.
This means that before this patch and before patch [1]
- After a recompute, "remote" l3gateway ports were not considered as related
ports and packet being dropped in above use case.
- in I+P, if the l3gateway port was directly created (i.e. in one sb
transaction, w/o going through a patch port), it was also not in the
related_lports set, resulting in a similar packet drop in the above use case.
Patch [1] always consideres "remote" l3gateway ports were not related_ports, in
both
I+P and recompute cases. In that sense, it made the behaviour more consistent,
icmp
type=3, code=4 was always dropped in this scenario.
With patch [1] and this patch, remote l3gateway ports are still non related
ports, but ct
is skipped for icmp type=3, code=4.
Non routed traffic and vxlan.
=============================
Configuration: p1 - S1 - p2 with p1 on hv1 and p2 on hv2, and vxlan tunnel.
If p1 sends ovn-mtu packet towards p2, an icmp 'packet too big' (type=3,
code=4),
generated by the kernel, is received on the tunnel interface. It's being handled
by table CT_ZONE_LOOKUP with outport=p2 and inport=0. Hence table CT_ZONE_LOOKUP
will not load any ct_zone.
Later on this packet is sent to conntrack, resulting in ct_inv flag set and
packet being dropped.
There is no need to send such a icmp 'packet too big' to ct in ingress datapath.
This patch adds two flows to skip ct for such a packet.
[1] a680c96465cd
Fixes: a680c96465cd ("controller: Nonvif related lports handling.")
Fixes: 3faadc76ad71 ("northd: Fix pmtud for non routed traffic.")
Reported-at: https://issues.redhat.com/browse/FDP-685
Signed-off-by: Mark Michelson <[email protected]>
---
northd/northd.c | 13 +++
tests/multinode.at | 33 ++++--
tests/ovn-macros.at | 4 +
tests/ovn-northd.at | 254 +++++++++++++++++++++++---------------------
4 files changed, 174 insertions(+), 130 deletions(-)
diff --git a/northd/northd.c b/northd/northd.c
index 0192cbde7..321020b65 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -6017,6 +6017,13 @@ build_ls_stateful_rec_pre_acls(
*
* 'REGBIT_CONNTRACK_DEFRAG' is set to let the pre-stateful table send
* it to conntrack for tracking and defragmentation. */
+
+ /* We do not want icmp type=3 code=4 (packet too big) to go to ct */
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+ "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
+ " (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&"
+ " flags.tunnel_rx == 1",
+ "next;", lflow_ref);
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip",
REGBIT_CONNTRACK_DEFRAG" = 1; next;",
lflow_ref);
@@ -6145,6 +6152,12 @@ build_pre_lb(struct ovn_datapath *od, const struct shash
*meter_groups,
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
"nd || nd_rs || nd_ra || mldv1 || mldv2",
"next;", lflow_ref);
+ /* Do not send icmp packet too big to conntrack in ingress */
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
+ "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
+ "(ip6 && icmp6.type == 2 && icmp6.code == 0)) &&"
+ " flags.tunnel_rx == 1",
+ "next;", lflow_ref);
/* Do not send service monitor packets to conntrack. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
diff --git a/tests/multinode.at b/tests/multinode.at
index c66c8f941..3dfa17cb2 100644
--- a/tests/multinode.at
+++ b/tests/multinode.at
@@ -933,7 +933,17 @@ M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route get
10.0.0.1 dev sw0p1 | gre
AT_CLEANUP
-AT_SETUP([ovn multinode pmtu - logical switch - geneve])
+m4_define([PMTUD_SWITCH_TESTS],
+ [
+ AT_SETUP([ovn multinode pmtu - logical switch - $1])
+ encap=$1
+ if test "$encap" = "vxlan"; then
+ encap_sys="vxlan_sys"
+ overhead=50
+ else
+ encap_sys="genev_sys"
+ overhead=58
+ fi
# Check that ovn-fake-multinode setup is up and running
check_fake_multinode_setup
@@ -947,12 +957,12 @@ m_as ovn-chassis-2 ip link del sw0p2-p
# Reset geneve tunnels
for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
do
- m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=geneve
+ m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=$encap
done
-OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q genev_sys])
-OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q genev_sys])
-OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q genev_sys])
+OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q $encap_sys])
+OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q $encap_sys])
+OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q $encap_sys])
# Test East-West switching
check multinode_nbctl ls-add sw0
@@ -1008,7 +1018,8 @@ M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3
-i 0.3 -w 2 10.0.0.4 | F
# Change ptmu for the geneve tunnel
m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
-M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do 10.0.0.4
2>&1 | grep -q "message too long, mtu=1142"])
+mtu=$((1200 - overhead))
+M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do 10.0.0.4
2>&1 | grep -q "message too long, mtu=$mtu"])
M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev sw0p1])
@@ -1021,19 +1032,25 @@ M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3
-i 0.3 -w 2 20.0.0.3 | F
# Change ptmu for the geneve tunnel
m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1100 dev eth1
-M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do 20.0.0.3
2>&1 | grep -q "message too long, mtu=1042"])
+mtu=$((1100 - overhead))
+M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do 20.0.0.3
2>&1 | grep -q "message too long, mtu=$mtu"])
M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev sw0p1])
M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via 10.0.0.1
dev sw0p1])
m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1000 dev eth1
+mtu=$((1000 - overhead))
for i in $(seq 30); do
M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [sh -c 'dd bs=512 count=2
if=/dev/urandom | nc -u 10.0.0.1 8080'], [ignore], [ignore], [ignore])
done
-M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route get 10.0.0.1 dev sw0p1 |
grep -q 'mtu 942'])
+M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route get 10.0.0.1 dev sw0p1 |
grep -q "mtu $mtu"])
AT_CLEANUP
+])
+
+PMTUD_SWITCH_TESTS(["geneve"])
+PMTUD_SWITCH_TESTS(["vxlan"])
AT_SETUP([Migration of container ports])
# Migrate vif port between chassis-1 and chassis-3; send packets between
diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
index 132bdf031..bf944b6d4 100644
--- a/tests/ovn-macros.at
+++ b/tests/ovn-macros.at
@@ -1071,6 +1071,10 @@ trim_zeros() {
sed 's/\(00\)\{1,\}$//'
}
+ovn_strip_lflows() {
+ sed 's/table=[[0-9]]\{1,2\}\s\?/table=??/g' | sort
+}
+
OVS_END_SHELL_HELPERS
m4_define([OVN_POPULATE_ARP], [AT_CHECK(ovn_populate_arp__, [0], [ignore])])
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 817ef4c68..8b93c5a17 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -4525,26 +4525,27 @@ check_stateful_flows() {
ovn-sbctl dump-flows sw0 > sw0flows
AT_CAPTURE_FILE([sw0flows])
- AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort | sed 's/table=./table=?/'],
[0], [dnl
- table=? (ls_in_pre_lb ), priority=0 , match=(1), action=(next;)
- table=? (ls_in_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]]
= 1; next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(ip && inport ==
"sw0-lr0"), action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2), action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(reg0[[16]] == 1),
action=(next;)
-])
-
- AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort | sed
's/table=./table=?/'], [0], [dnl
- table=? (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
- table=? (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
- table=? (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=115 , match=(reg0[[2]] == 1 &&
ip.is_frag), action=(reg0[[19]] = 1; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 &&
ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]]
= 80; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 &&
ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg1 = 10.0.0.20; reg2[[0..15]]
= 80; ct_lb_mark;)
-])
-
- AT_CHECK([grep "ls_in_lb " sw0flows | sort | sed 's/table=../table=??/'],
[0], [dnl
+ AT_CHECK([grep "ls_in_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_lb ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]]
= 1; next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(ip && inport ==
"sw0-lr0"), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(reg0[[16]] == 1),
action=(next;)
+])
+
+ AT_CHECK([grep "ls_in_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
+ table=??(ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
+ table=??(ls_in_pre_stateful ), priority=115 , match=(reg0[[2]] == 1 &&
ip.is_frag), action=(reg0[[19]] = 1; ct_lb_mark;)
+ table=??(ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 &&
ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]]
= 80; ct_lb_mark;)
+ table=??(ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 &&
ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg1 = 10.0.0.20; reg2[[0..15]]
= 80; ct_lb_mark;)
+])
+
+ AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl
table=??(ls_in_lb ), priority=0 , match=(1), action=(next;)
table=??(ls_in_lb ), priority=110 , match=(ct.trk && !ct.rpl &&
reg0[[19]] == 1 && ip4), action=(reg1 = ct_nw_dst(); reg2[[0..15]] =
ct_tp_dst(); next;)
table=??(ls_in_lb ), priority=110 , match=(ct.trk && !ct.rpl &&
reg0[[19]] == 1 && ip6), action=(xxreg1 = ct_ip6_dst(); reg2[[0..15]] =
ct_tp_dst(); next;)
@@ -4552,31 +4553,31 @@ check_stateful_flows() {
table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.20 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.20;
reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.40:8080);)
])
- AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed
's/table=../table=??/'], [0], [dnl
+ AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)
table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 &&
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 &&
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label =
reg3; }; next;)
])
- AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | sort], [0], [dnl
- table=1 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;)
- table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]]
= 1; next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(eth.mcast),
action=(next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(eth.src ==
\$svc_monitor_mac), action=(next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(ip && outport ==
"sw0-lr0"), action=($action)
- table=1 (ls_out_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2), action=(next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(reg0[[16]] == 1),
action=(next;)
+ AT_CHECK_UNQUOTED([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0],
[dnl
+ table=??(ls_out_pre_lb ), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]]
= 1; next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(eth.src ==
\$svc_monitor_mac), action=(next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(ip && outport ==
"sw0-lr0"), action=($action)
+ table=??(ls_out_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2), action=(next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(reg0[[16]] == 1),
action=(next;)
])
- AT_CHECK([grep "ls_out_pre_stateful" sw0flows | sort], [0], [dnl
- table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;)
- table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
- table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
+ AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0],
[dnl
+ table=??(ls_out_pre_stateful), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_stateful), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
+ table=??(ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
])
AT_CHECK([grep "ls_out_lb" sw0flows | sort], [0], [])
- AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' |
sort], [0], [dnl
+ AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)
table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 &&
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 &&
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label =
reg3; }; next;)
@@ -4599,48 +4600,49 @@ check ovn-nbctl --wait=sb sync
ovn-sbctl dump-flows sw0 > sw0flows
AT_CAPTURE_FILE([sw0flows])
-AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort | sed 's/table=./table=?/'],
[0], [dnl
- table=? (ls_in_pre_lb ), priority=0 , match=(1), action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(ip && inport ==
"sw0-lr0"), action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2), action=(next;)
- table=? (ls_in_pre_lb ), priority=110 , match=(reg0[[16]] == 1),
action=(next;)
+AT_CHECK([grep "ls_in_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_lb ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(ip && inport ==
"sw0-lr0"), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2), action=(next;)
+ table=??(ls_in_pre_lb ), priority=110 , match=(reg0[[16]] == 1),
action=(next;)
])
-AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort | sed
's/table=./table=?/'], [0], [dnl
- table=? (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
- table=? (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
- table=? (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=115 , match=(reg0[[2]] == 1 &&
ip.is_frag), action=(reg0[[19]] = 1; ct_lb_mark;)
+AT_CHECK([grep "ls_in_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
+ table=??(ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
+ table=??(ls_in_pre_stateful ), priority=115 , match=(reg0[[2]] == 1 &&
ip.is_frag), action=(reg0[[19]] = 1; ct_lb_mark;)
])
-AT_CHECK([grep "ls_in_lb " sw0flows | sort | sed 's/table=../table=??/'], [0],
[dnl
+AT_CHECK([grep "ls_in_lb " sw0flows | ovn_strip_lflows], [0], [dnl
table=??(ls_in_lb ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed 's/table=../table=??/'],
[0], [dnl
+AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
table=??(ls_in_stateful ), priority=0 , match=(1), action=(next;)
table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 &&
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
table=??(ls_in_stateful ), priority=100 , match=(reg0[[1]] == 1 &&
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label =
reg3; }; next;)
])
-AT_CHECK([grep "ls_out_pre_lb" sw0flows | sort], [0], [dnl
- table=1 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(eth.mcast),
action=(next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(ip && outport ==
"sw0-lr0"), action=(next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2), action=(next;)
- table=1 (ls_out_pre_lb ), priority=110 , match=(reg0[[16]] == 1),
action=(next;)
+AT_CHECK([grep "ls_out_pre_lb" sw0flows | ovn_strip_lflows], [0], [dnl
+ table=??(ls_out_pre_lb ), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(ip && outport ==
"sw0-lr0"), action=(next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2), action=(next;)
+ table=??(ls_out_pre_lb ), priority=110 , match=(reg0[[16]] == 1),
action=(next;)
])
-AT_CHECK([grep "ls_out_pre_stateful" sw0flows | sort], [0], [dnl
- table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;)
- table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
- table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
+AT_CHECK([grep "ls_out_pre_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
+ table=??(ls_out_pre_stateful), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_stateful), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
+ table=??(ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
])
-AT_CHECK([grep "ls_out_stateful" sw0flows | sed 's/table=../table=??/' |
sort], [0], [dnl
+AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
table=??(ls_out_stateful ), priority=0 , match=(1), action=(next;)
table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 &&
reg0[[13]] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;)
table=??(ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 &&
reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label =
reg3; }; next;)
@@ -4650,7 +4652,7 @@ AT_CHECK([grep "ls_out_stateful" sw0flows | sed
's/table=../table=??/' | sort],
AT_CHECK([ovn-nbctl create load_balancer name=lb1 options:reject=false
options:event=false vips:\"10.0.0.20\"=\"\" protocol=tcp], [0], [ignore])
check ovn-nbctl --wait=sb ls-lb-add sw0 lb1
-AT_CHECK([ovn-sbctl dump-flows sw0 | grep "ls_in_lb " | sed
's/table=../table=??/' | sort ], [0], [dnl
+AT_CHECK([ovn-sbctl dump-flows sw0 | grep "ls_in_lb " | ovn_strip_lflows ],
[0], [dnl
table=??(ls_in_lb ), priority=0 , match=(1), action=(next;)
table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
10.0.0.20), action=(drop;)
table=??(ls_in_lb ), priority=110 , match=(ct.trk && !ct.rpl &&
reg0[[19]] == 1 && ip4), action=(reg1 = ct_nw_dst(); reg2[[0..15]] =
ct_tp_dst(); next;)
@@ -8138,6 +8140,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est),
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
@@ -8322,6 +8325,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est),
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
@@ -8504,6 +8508,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est),
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
@@ -11662,34 +11667,36 @@ check ovn-nbctl acl-add pg_dgw from-lport 1002
"inport == @pg_dgw && ip4" allow-
check ovn-nbctl acl-add pg_dgw to-lport 1003 "outport == @pg_dgw && ip4"
allow-related
# Check skip conntrack option with 'enable_router_port_acl' default (false)
-AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | sed 's/table=./table=?/'],
[0], [dnl
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(ip && inport ==
"S1-R1"), action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(ip && outport ==
"S1-R1"), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(ip && inport ==
"S1-R1"), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
+ table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(ip && outport ==
"S1-R1"), action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
])
# Enable 'enable_router_port_acl' and check the flows
check ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1
enable_router_port_acl=true
-AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | sed 's/table=./table=?/'],
[0], [dnl
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
+ table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
])
# ICMP packets from router port to external network should go to conntrack
@@ -11707,50 +11714,53 @@ ct_next(ct_state=est|trk) {
# Disable 'enable_router_port_acl' and check the flows
check ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1
enable_router_port_acl=false
-AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | sed 's/table=./table=?/'],
[0], [dnl
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(ip && inport ==
"S1-R1"), action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(ip && outport ==
"S1-R1"), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(ip && inport ==
"S1-R1"), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
+ table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(ip && outport ==
"S1-R1"), action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
])
# Clear the option 'enable_router_port_acl' and check the flows. Before that
enable the option.
check ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1
enable_router_port_acl=true
-AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | sed 's/table=./table=?/'],
[0], [dnl
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
+ table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
])
check ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1
-AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | sed 's/table=./table=?/'],
[0], [dnl
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(ip && inport ==
"S1-R1"), action=(next;)
- table=? (ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(ip && outport ==
"S1-R1"), action=(next;)
- table=? (ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
- table=? (ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
- table=? (ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+AT_CHECK([ovn-sbctl dump-flows S1 | grep pre_acl | ovn_strip_lflows], [0], [dnl
+ table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(((ip4 && icmp4.type ==
3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) &&
flags.tunnel_rx == 1), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(ip && inport ==
"S1-R1"), action=(next;)
+ table=??(ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
+ table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
+ table=??(ls_out_pre_acl ), priority=100 , match=(ip), action=(reg0[[0]]
= 1; next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.mcast),
action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(eth.src ==
$svc_monitor_mac), action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(ip && outport ==
"S1-R1"), action=(next;)
+ table=??(ls_out_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra
|| mldv1 || mldv2 || (udp && udp.src == 546 && udp.dst == 547)), action=(next;)
])
AT_CLEANUP
--
2.45.2
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
