Re: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security
> > Huh, there's a fair amount of subtlety there. What about logic similar to > the following (untested) code? > > -=-=-=-=-=-=-=-=- > ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen); > /* When the netmask is applied, if the host portion is > * non-zero, the host can only use the specified > * address. If zero, the host is allowed to use any > * address in the subnet. */ > if (ps.ipv4_addrs[i].addr & ~mask) { > ds_put_format(, IP_FMT, > IP_ARGS(ps.ipv4_addrs[i].addr)); > } else { > ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, > ); > } > -=-=-=-=-=-=-=-=- > > > Below is the port security description > > > > > > Each element in the set may additionally contain one or more > IPv4 or > > IPv6 addresses (or both), with optional masks. If a mask is > given, it > > must be a CIDR mask. In addition to the restrictions > described for > > Ethernet addresses above, such an element restricts the IPv4 > or IPv6 > > addresses from which the host may send and to which it may > receive > > packets to the specified addresses. A masked address, if the > host part > > is zero, indicates that the host is allowed to use any address > in the > > subnet; if the host part is nonzero, the mask simply indicates > the size > > of the subnet. In addition: > > > > The next paragraph is interesting because it describes what should happen > with the subnet: > > · If any IPv4 address is given, the host is also > allowed to > receive packets to the IPv4 local broadcast > address > 255.255.255.255 and to IPv4 multicast > addresses > (224.0.0.0/4). If an IPv4 address with a mask is > given, > the host is also allowed to receive packets to the > broad‐ > cast address in that specified subnet. > > Would you mind expanding the tests to make sure that we're testing these > different combinations both on the send and receive enforcement? We > clearly had some gaps before. > > Sure. I will do that. Thanks for the suggestions and comments. > Thanks for noticing these issues. > > --Justin > > > ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
Re: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security
> On Apr 7, 2016, at 11:34 AM, Numan Siddiquewrote: > > Hi Justin, there is still a problem with the below approach. > > In the case where port security has "10.0.0.4/24" it means that the logical > port is restricted in sending and receiving IP traffic with ip address > 10.0.0.4. IP traffic with any other ip address should be dropped. But with > the below approach we would be allowing all the ip addresses in the > 10.0.0.0/24. Huh, there's a fair amount of subtlety there. What about logic similar to the following (untested) code? -=-=-=-=-=-=-=-=- ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen); /* When the netmask is applied, if the host portion is * non-zero, the host can only use the specified * address. If zero, the host is allowed to use any * address in the subnet. */ if (ps.ipv4_addrs[i].addr & ~mask) { ds_put_format(, IP_FMT, IP_ARGS(ps.ipv4_addrs[i].addr)); } else { ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, ); } -=-=-=-=-=-=-=-=- > Below is the port security description > > > Each element in the set may additionally contain one or more IPv4 or > IPv6 addresses (or both), with optional masks. If a mask is given, > it > must be a CIDR mask. In addition to the restrictions described for > Ethernet addresses above, such an element restricts the IPv4 or IPv6 > addresses from which the host may send and to which it may receive > packets to the specified addresses. A masked address, if the host > part > is zero, indicates that the host is allowed to use any address in > the > subnet; if the host part is nonzero, the mask simply indicates the > size > of the subnet. In addition: > The next paragraph is interesting because it describes what should happen with the subnet: · If any IPv4 address is given, the host is also allowed to receive packets to the IPv4 local broadcast address 255.255.255.255 and to IPv4 multicast addresses (224.0.0.0/4). If an IPv4 address with a mask is given, the host is also allowed to receive packets to the broad‐ cast address in that specified subnet. Would you mind expanding the tests to make sure that we're testing these different combinations both on the send and receive enforcement? We clearly had some gaps before. Thanks for noticing these issues. --Justin ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
Re: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security
On Thu, Apr 7, 2016 at 9:48 PM, Justin Pettitwrote: > > > On Apr 6, 2016, at 11:26 PM, Numan Siddique wrote: > > > > > > Thanks for the comments Justin. I tried a similar approach. It will not > work in the cases where the port security address also has a prefix defined. > > For example with port security - "00:00:00:00:00:02 10.0.0.4/24", the > ovn lexer parser is throwing the below error, > > > > --- > > lflow|WARN|error parsing match "outport == "sw0-port2" && eth.dst == > 00:00:00:00:00:02 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.4/24}": > Value contains unmasked 1-bits. > > -- > > Ah, it should probably be added to the unit tests to make sure we don't > reintroduce a problem. (Thanks for writing unit tests, by the way.) > What if you apply the mask first like the patch at the end of this > message? I also expanded your unit tests to include a check for the issue > you mentioned. > > Hi Justin, there is still a problem with the below approach. In the case where port security has "10.0.0.4/24" it means that the logical port is restricted in sending and receiving IP traffic with ip address 10.0.0.4. IP traffic with any other ip address should be dropped. But with the below approach we would be allowing all the ip addresses in the 10.0.0.0/24. Below is the port security description Each element in the set may additionally contain one or more IPv4 or IPv6 addresses (or both), with optional masks. If a mask is given, it must be a CIDR mask. In addition to the restrictions described for Ethernet addresses above, such an element restricts the IPv4 or IPv6 addresses from which the host may send and to which it may receive packets to the specified addresses. A masked address, if the host part is zero, indicates that the host is allowed to use any address in the subnet; if the host part is nonzero, the mask simply indicates the size of the subnet. In addition: In the initial implementation I had missed to implement the case where the host part is zero. :) Thanks Numan --Justin > > > -=-=-=-=-=-=- > > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > index 302cc1d..e60f72e 100644 > --- a/ovn/northd/ovn-northd.c > +++ b/ovn/northd/ovn-northd.c > @@ -1179,8 +1179,11 @@ build_port_security_nd(struct ovn_port *op, struct > hmap * > if (ps.n_ipv4_addrs) { > ds_put_cstr(, " && ("); > for (size_t i = 0; i < ps.n_ipv4_addrs; i++) { > -ds_put_format(, "arp.spa == "IP_FMT" || ", > - IP_ARGS(ps.ipv4_addrs[i].addr)); > +ovs_be32 mask = > be32_prefix_mask(ps.ipv4_addrs[i].plen); > +ds_put_cstr(, "arp.spa == "); > +ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, > + ); > +ds_put_cstr(, " || "); > } > ds_chomp(, ' '); > ds_chomp(, '|'); > @@ -1264,7 +1267,9 @@ build_port_security_ip(enum ovn_pipeline pipeline, > struct > } > > for (int i = 0; i < ps.n_ipv4_addrs; i++) { > -ds_put_format(, IP_FMT", ", > IP_ARGS(ps.ipv4_addrs[i].addr > +ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen); > +ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, > ); > +ds_put_cstr(, ", "); > } > > /* Replace ", " by "}". */ > diff --git a/tests/ovn.at b/tests/ovn.at > index 22121e1..d8bc395 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at > @@ -1930,6 +1930,27 @@ for i in 1 2 3; do > test_ipv6 ${i}3 f${i}${i}3 f021 $sip $tip > done > > +# configure lport13 to send and received IPv4 packets with an address > range > +ovn-nbctl lport-set-port-security lp13 "f0:00:00:00:00:13 192.168.0.13 > 10.0.0.4 > + > +sip=`ip_to_hex 10 0 0 14` > +tip=`ip_to_hex 192 168 0 23` > +# IPv4 packet from lport13 with src ip 10.0.0.14 destined to lport23 > +# with dst ip 192.168.0.23 should be allowed > +test_ip 13 f013 f023 $sip $tip 23 > + > +sip=`ip_to_hex 192 168 0 33` > +tip=`ip_to_hex 10 0 0 15` > +# IPv4 packet from lport33 with src ip 192.168.0.33 destined to lport13 > +# with dst ip 10.0.0.15 should be received by lport13 > +test_ip 33 f033 f013 $sip $tip 13 > + > +sip=`ip_to_hex 10 0 0 13` > +tip=`ip_to_hex 192 168 0 22` > +# arp packet with inner ip 10.0.0.13 should be allowed for lport13 > +test_arp 13 f013 f013 $sip $tip 0 f022 > + > + > > # Allow some time for packet forwarding. > > > > > ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
Re: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security
> On Apr 6, 2016, at 11:26 PM, Numan Siddiquewrote: > > > Thanks for the comments Justin. I tried a similar approach. It will not work > in the cases where the port security address also has a prefix defined. > For example with port security - "00:00:00:00:00:02 10.0.0.4/24", the ovn > lexer parser is throwing the below error, > > --- > lflow|WARN|error parsing match "outport == "sw0-port2" && eth.dst == > 00:00:00:00:00:02 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.4/24}": > Value contains unmasked 1-bits. > -- Ah, it should probably be added to the unit tests to make sure we don't reintroduce a problem. (Thanks for writing unit tests, by the way.)What if you apply the mask first like the patch at the end of this message? I also expanded your unit tests to include a check for the issue you mentioned. --Justin -=-=-=-=-=-=- diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 302cc1d..e60f72e 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -1179,8 +1179,11 @@ build_port_security_nd(struct ovn_port *op, struct hmap * if (ps.n_ipv4_addrs) { ds_put_cstr(, " && ("); for (size_t i = 0; i < ps.n_ipv4_addrs; i++) { -ds_put_format(, "arp.spa == "IP_FMT" || ", - IP_ARGS(ps.ipv4_addrs[i].addr)); +ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen); +ds_put_cstr(, "arp.spa == "); +ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, + ); +ds_put_cstr(, " || "); } ds_chomp(, ' '); ds_chomp(, '|'); @@ -1264,7 +1267,9 @@ build_port_security_ip(enum ovn_pipeline pipeline, struct } for (int i = 0; i < ps.n_ipv4_addrs; i++) { -ds_put_format(, IP_FMT", ", IP_ARGS(ps.ipv4_addrs[i].addr +ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen); +ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, ); +ds_put_cstr(, ", "); } /* Replace ", " by "}". */ diff --git a/tests/ovn.at b/tests/ovn.at index 22121e1..d8bc395 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -1930,6 +1930,27 @@ for i in 1 2 3; do test_ipv6 ${i}3 f${i}${i}3 f021 $sip $tip done +# configure lport13 to send and received IPv4 packets with an address range +ovn-nbctl lport-set-port-security lp13 "f0:00:00:00:00:13 192.168.0.13 10.0.0.4 + +sip=`ip_to_hex 10 0 0 14` +tip=`ip_to_hex 192 168 0 23` +# IPv4 packet from lport13 with src ip 10.0.0.14 destined to lport23 +# with dst ip 192.168.0.23 should be allowed +test_ip 13 f013 f023 $sip $tip 23 + +sip=`ip_to_hex 192 168 0 33` +tip=`ip_to_hex 10 0 0 15` +# IPv4 packet from lport33 with src ip 192.168.0.33 destined to lport13 +# with dst ip 10.0.0.15 should be received by lport13 +test_ip 33 f033 f013 $sip $tip 13 + +sip=`ip_to_hex 10 0 0 13` +tip=`ip_to_hex 192 168 0 22` +# arp packet with inner ip 10.0.0.13 should be allowed for lport13 +test_arp 13 f013 f013 $sip $tip 0 f022 + + # Allow some time for packet forwarding. ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
Re: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security
On Thu, Apr 7, 2016 at 3:37 AM, Justin Pettitwrote: > I think you might be able to write a slightly simpler patch by using > ip_format_masked() like the following: > > -=-=-=-=-=-=-=-=-=- > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > index 4b1d611..890b17c 100644 > --- a/ovn/northd/ovn-northd.c > +++ b/ovn/northd/ovn-northd.c > @@ -1179,8 +1179,11 @@ build_port_security_nd(struct ovn_port *op, struct > hmap * > if (ps.n_ipv4_addrs) { > ds_put_cstr(, " && ("); > for (size_t i = 0; i < ps.n_ipv4_addrs; i++) { > -ds_put_format(, "arp.spa == "IP_FMT" || ", > - IP_ARGS(ps.ipv4_addrs[i].addr)); > +ds_put_cstr(, "arp.spa == "); > +ip_format_masked(ps.ipv4_addrs[i].addr, > + > be32_prefix_mask(ps.ipv4_addrs[i].plen), > + ); > +ds_put_cstr(, " || "); > } > ds_chomp(, ' '); > ds_chomp(, '|'); > @@ -1264,7 +1267,10 @@ build_port_security_ip(enum ovn_pipeline pipeline, > struct > } > > for (int i = 0; i < ps.n_ipv4_addrs; i++) { > -ds_put_format(, IP_FMT", ", > IP_ARGS(ps.ipv4_addrs[i].addr > +ip_format_masked(ps.ipv4_addrs[i].addr, > + be32_prefix_mask(ps.ipv4_addrs[i].plen), > + ); > +ds_put_cstr(, ", "); > } > > /* Replace ", " by "}". */ > -=-=-=-=-=-=-=-=-=- > > What do you think? > > Thanks for the comments Justin. I tried a similar approach. It will not work in the cases where the port security address also has a prefix defined. For example with port security - "00:00:00:00:00:02 10.0.0.4/24", the ovn lexer parser is throwing the below error, --- lflow|WARN|error parsing match "outport == "sw0-port2" && eth.dst == 00:00:00:00:00:02 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.4/24}": Value contains unmasked 1-bits. -- Thats the reason I am calling 'is_host_part_zero()' and putting the prefix only if host part is zero. > --Justin > > > > ___ > > dev mailing list > > dev@openvswitch.org > > http://openvswitch.org/mailman/listinfo/dev > > ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
Re: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security
I think you might be able to write a slightly simpler patch by using ip_format_masked() like the following: -=-=-=-=-=-=-=-=-=- diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 4b1d611..890b17c 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -1179,8 +1179,11 @@ build_port_security_nd(struct ovn_port *op, struct hmap * if (ps.n_ipv4_addrs) { ds_put_cstr(, " && ("); for (size_t i = 0; i < ps.n_ipv4_addrs; i++) { -ds_put_format(, "arp.spa == "IP_FMT" || ", - IP_ARGS(ps.ipv4_addrs[i].addr)); +ds_put_cstr(, "arp.spa == "); +ip_format_masked(ps.ipv4_addrs[i].addr, + be32_prefix_mask(ps.ipv4_addrs[i].plen), + ); +ds_put_cstr(, " || "); } ds_chomp(, ' '); ds_chomp(, '|'); @@ -1264,7 +1267,10 @@ build_port_security_ip(enum ovn_pipeline pipeline, struct } for (int i = 0; i < ps.n_ipv4_addrs; i++) { -ds_put_format(, IP_FMT", ", IP_ARGS(ps.ipv4_addrs[i].addr +ip_format_masked(ps.ipv4_addrs[i].addr, + be32_prefix_mask(ps.ipv4_addrs[i].plen), + ); +ds_put_cstr(, ", "); } /* Replace ", " by "}". */ -=-=-=-=-=-=-=-=-=- What do you think? --Justin > On Apr 6, 2016, at 8:18 AM, Numan Siddiquewrote: > > Initial implementation of port security, missed out this feature. > > Reported-by: Na Zhu > Reported-at: https://bugs.launchpad.net/networking-ovn/+bug/1564414 > Signed-off-by: Numan Siddique > --- > ovn/northd/ovn-northd.c | 31 --- > tests/ovn.at| 19 +++ > 2 files changed, 47 insertions(+), 3 deletions(-) > > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > index 4b1d611..975ca23 100644 > --- a/ovn/northd/ovn-northd.c > +++ b/ovn/northd/ovn-northd.c > @@ -1048,6 +1048,16 @@ extract_lport_addresses(char *address, struct > lport_addresses *laddrs, > return true; > } > > +static inline bool > +is_host_part_zero(ovs_be32 ip4, unsigned int plen) > +{ > +ovs_be32 mask = be32_prefix_mask(plen); > +if (plen != 32 && (ip4 & mask) == ip4) { > +return true; > +} > +return false; > +} > + > /* Appends port security constraints on L2 address field 'eth_addr_field' > * (e.g. "eth.src" or "eth.dst") to 'match'. 'port_security', with > * 'n_port_security' elements, is the collection of port_security constraints > @@ -1179,8 +1189,15 @@ build_port_security_nd(struct ovn_port *op, struct > hmap *lflows) > if (ps.n_ipv4_addrs) { > ds_put_cstr(, " && ("); > for (size_t i = 0; i < ps.n_ipv4_addrs; i++) { > -ds_put_format(, "arp.spa == "IP_FMT" || ", > - IP_ARGS(ps.ipv4_addrs[i].addr)); > +if (is_host_part_zero(ps.ipv4_addrs[i].addr, > + ps.ipv4_addrs[i].plen)) { > +ds_put_format(, "arp.spa == "IP_FMT"/%d || ", > + IP_ARGS(ps.ipv4_addrs[i].addr), > + ps.ipv4_addrs[i].plen); > +} else { > +ds_put_format(, "arp.spa == "IP_FMT" || ", > + IP_ARGS(ps.ipv4_addrs[i].addr)); > +} > } > ds_chomp(, ' '); > ds_chomp(, '|'); > @@ -1264,7 +1281,15 @@ build_port_security_ip(enum ovn_pipeline pipeline, > struct ovn_port *op, > } > > for (int i = 0; i < ps.n_ipv4_addrs; i++) { > -ds_put_format(, IP_FMT", ", > IP_ARGS(ps.ipv4_addrs[i].addr)); > +if (is_host_part_zero(ps.ipv4_addrs[i].addr, > + ps.ipv4_addrs[i].plen)) { > +ds_put_format(, IP_FMT"/%d, ", > + IP_ARGS(ps.ipv4_addrs[i].addr), > + ps.ipv4_addrs[i].plen); > +} else { > +ds_put_format(, IP_FMT", ", > + IP_ARGS(ps.ipv4_addrs[i].addr)); > +} > } > > /* Replace ", " by "}". */ > diff --git a/tests/ovn.at b/tests/ovn.at > index 22121e1..441dd2b 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at > @@ -1930,6 +1930,25 @@ for i in 1 2 3; do > test_ipv6 ${i}3 f${i}${i}3 f021 $sip $tip > done > > +# configure lport13 to send and received IPv4 packets with an address range > +ovn-nbctl lport-set-port-security lp13 "f0:00:00:00:00:13 192.168.0.13 >
Re: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security
"dev" <dev-boun...@openvswitch.org> wrote on 04/06/2016 10:18:57 AM: > From: Numan Siddique <nusid...@redhat.com> > To: ovs dev <dev@openvswitch.org> > Date: 04/06/2016 10:19 AM > Subject: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with > prefixes in lport port security > Sent by: "dev" <dev-boun...@openvswitch.org> > > Initial implementation of port security, missed out this feature. > > Reported-by: Na Zhu <na...@cn.ibm.com> > Reported-at: https://bugs.launchpad.net/networking-ovn/+bug/1564414 > Signed-off-by: Numan Siddique <nusid...@redhat.com> > --- Acked-by: Ryan Moats <rmo...@us.ibm.com> ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
[ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security
Initial implementation of port security, missed out this feature. Reported-by: Na ZhuReported-at: https://bugs.launchpad.net/networking-ovn/+bug/1564414 Signed-off-by: Numan Siddique --- ovn/northd/ovn-northd.c | 31 --- tests/ovn.at| 19 +++ 2 files changed, 47 insertions(+), 3 deletions(-) diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 4b1d611..975ca23 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -1048,6 +1048,16 @@ extract_lport_addresses(char *address, struct lport_addresses *laddrs, return true; } +static inline bool +is_host_part_zero(ovs_be32 ip4, unsigned int plen) +{ +ovs_be32 mask = be32_prefix_mask(plen); +if (plen != 32 && (ip4 & mask) == ip4) { +return true; +} +return false; +} + /* Appends port security constraints on L2 address field 'eth_addr_field' * (e.g. "eth.src" or "eth.dst") to 'match'. 'port_security', with * 'n_port_security' elements, is the collection of port_security constraints @@ -1179,8 +1189,15 @@ build_port_security_nd(struct ovn_port *op, struct hmap *lflows) if (ps.n_ipv4_addrs) { ds_put_cstr(, " && ("); for (size_t i = 0; i < ps.n_ipv4_addrs; i++) { -ds_put_format(, "arp.spa == "IP_FMT" || ", - IP_ARGS(ps.ipv4_addrs[i].addr)); +if (is_host_part_zero(ps.ipv4_addrs[i].addr, + ps.ipv4_addrs[i].plen)) { +ds_put_format(, "arp.spa == "IP_FMT"/%d || ", + IP_ARGS(ps.ipv4_addrs[i].addr), + ps.ipv4_addrs[i].plen); +} else { +ds_put_format(, "arp.spa == "IP_FMT" || ", + IP_ARGS(ps.ipv4_addrs[i].addr)); +} } ds_chomp(, ' '); ds_chomp(, '|'); @@ -1264,7 +1281,15 @@ build_port_security_ip(enum ovn_pipeline pipeline, struct ovn_port *op, } for (int i = 0; i < ps.n_ipv4_addrs; i++) { -ds_put_format(, IP_FMT", ", IP_ARGS(ps.ipv4_addrs[i].addr)); +if (is_host_part_zero(ps.ipv4_addrs[i].addr, + ps.ipv4_addrs[i].plen)) { +ds_put_format(, IP_FMT"/%d, ", + IP_ARGS(ps.ipv4_addrs[i].addr), + ps.ipv4_addrs[i].plen); +} else { +ds_put_format(, IP_FMT", ", + IP_ARGS(ps.ipv4_addrs[i].addr)); +} } /* Replace ", " by "}". */ diff --git a/tests/ovn.at b/tests/ovn.at index 22121e1..441dd2b 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -1930,6 +1930,25 @@ for i in 1 2 3; do test_ipv6 ${i}3 f${i}${i}3 f021 $sip $tip done +# configure lport13 to send and received IPv4 packets with an address range +ovn-nbctl lport-set-port-security lp13 "f0:00:00:00:00:13 192.168.0.13 10.0.0.0/24" + +sip=`ip_to_hex 10 0 0 14` +tip=`ip_to_hex 192 168 0 23` +# IPv4 packet from lport13 with src ip 10.0.0.14 destined to lport23 +# with dst ip 192.168.0.23 should be allowed +test_ip 13 f013 f023 $sip $tip 23 + +sip=`ip_to_hex 192 168 0 33` +tip=`ip_to_hex 10 0 0 15` +# IPv4 packet from lport33 with src ip 192.168.0.33 destined to lport13 +# with dst ip 10.0.0.15 should be received by lport13 +test_ip 33 f033 f013 $sip $tip 13 + +sip=`ip_to_hex 10 0 0 13` +tip=`ip_to_hex 192 168 0 22` +# arp packet with inner ip 10.0.0.13 should be allowed for lport13 +test_arp 13 f013 f013 $sip $tip 0 f022 # Allow some time for packet forwarding. -- 2.5.5 ___ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev