Re: [ovs-dev] [PATCH ovn] tests: Fix failing test case - "Port security lflows"

2022-05-19 Thread Mark Michelson 

Thanks for the quick fix on this Numan. I went ahead and pushed it to main.

On 5/19/22 16:17, num...@ovn.org wrote:

From: Numan Siddique 

Also added a few comments in the port security related functions
in controller/lflow.c

Fixes: 94974a02bfd5("northd: Add generic port security logical flows.")
Signed-off-by: Numan Siddique 
---
  controller/lflow.c  | 16 +++-
  tests/ovn-northd.at |  2 +-
  2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/controller/lflow.c b/controller/lflow.c
index e968231492..7a3419305a 100644
--- a/controller/lflow.c
+++ b/controller/lflow.c
@@ -2731,7 +2731,13 @@ lflow_handle_flows_for_lport(const struct 
sbrec_port_binding *pb,
  return false;
  }
  
-/* Program the port security flows. */

+/* Program the port security flows.
+ * Note: All the port security OF rules are added using the 'uuid'
+ * of the port binding.  Right now port binding 'uuid' is used in
+ * the logical flow table (l_ctx_out->flow_table) only for port
+ * security flows.  Later if new flows are added using the
+ * port binding'uuid', then this function should handle it properly.
+ */
  ofctrl_remove_flows(l_ctx_out->flow_table, &pb->header_.uuid);
  
  if (pb->n_port_security && shash_find(l_ctx_in->binding_lports,

@@ -3399,6 +3405,10 @@ build_out_port_sec_ip4_flows(const struct 
sbrec_port_binding *pb,
  struct ovn_desired_flow_table *flow_table)
  {
  if (!ps_addr->n_ipv4_addrs && !ps_addr->n_ipv6_addrs) {
+ /* No IPv4 and no IPv6 addresses in the port security.
+  * Both IPv4 and IPv6 traffic should be delivered to the
+  * lport. build_out_port_sec_no_ip_flows() takes care of
+  * adding the required flow(s) to allow. */
  return;
  }
  
@@ -3493,6 +3503,10 @@ build_out_port_sec_ip6_flows(const struct sbrec_port_binding *pb,

  struct ovn_desired_flow_table *flow_table)
  {
  if (!ps_addr->n_ipv4_addrs && !ps_addr->n_ipv6_addrs) {
+/* No IPv4 and no IPv6 addresses in the port security.
+ * Both IPv4 and IPv6 traffic should be delivered to the
+ * lport. build_out_port_sec_no_ip_flows() takes care of
+ * adding the required flow(s) to allow. */
  return;
  }
  
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at

index 0912e3bec4..5bd0935e72 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -7404,8 +7404,8 @@ AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 
's/table=./table=?/' ], [
table=? (ls_in_check_port_sec), priority=100  , match=(eth.src[[40]]), 
action=(drop;)
table=? (ls_in_check_port_sec), priority=100  , match=(vlan.present), 
action=(drop;)
table=? (ls_in_check_port_sec), priority=50   , match=(1), 
action=(reg0[[15]] = check_in_port_sec(); next;)
-  table=? (ls_in_check_port_sec), priority=50   , match=(inport == "sw0p1"), 
action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);)
table=? (ls_in_check_port_sec), priority=70   , match=(inport == 
"localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
+  table=? (ls_in_check_port_sec), priority=70   , match=(inport == "sw0p1"), 
action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);)
table=? (ls_in_check_port_sec), priority=70   , match=(inport == "sw0p2"), 
action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
table=? (ls_in_apply_port_sec), priority=0, match=(1), action=(next;)
table=? (ls_in_apply_port_sec), priority=50   , match=(reg0[[15]] == 1), 
action=(drop;)



___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

[ovs-dev] [PATCH ovn] tests: Fix failing test case - "Port security lflows"

2022-05-19 Thread numans 
From: Numan Siddique 

Also added a few comments in the port security related functions
in controller/lflow.c

Fixes: 94974a02bfd5("northd: Add generic port security logical flows.")
Signed-off-by: Numan Siddique 
---
 controller/lflow.c  | 16 +++-
 tests/ovn-northd.at |  2 +-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/controller/lflow.c b/controller/lflow.c
index e968231492..7a3419305a 100644
--- a/controller/lflow.c
+++ b/controller/lflow.c
@@ -2731,7 +2731,13 @@ lflow_handle_flows_for_lport(const struct 
sbrec_port_binding *pb,
 return false;
 }
 
-/* Program the port security flows. */
+/* Program the port security flows.
+ * Note: All the port security OF rules are added using the 'uuid'
+ * of the port binding.  Right now port binding 'uuid' is used in
+ * the logical flow table (l_ctx_out->flow_table) only for port
+ * security flows.  Later if new flows are added using the
+ * port binding'uuid', then this function should handle it properly.
+ */
 ofctrl_remove_flows(l_ctx_out->flow_table, &pb->header_.uuid);
 
 if (pb->n_port_security && shash_find(l_ctx_in->binding_lports,
@@ -3399,6 +3405,10 @@ build_out_port_sec_ip4_flows(const struct 
sbrec_port_binding *pb,
 struct ovn_desired_flow_table *flow_table)
 {
 if (!ps_addr->n_ipv4_addrs && !ps_addr->n_ipv6_addrs) {
+ /* No IPv4 and no IPv6 addresses in the port security.
+  * Both IPv4 and IPv6 traffic should be delivered to the
+  * lport. build_out_port_sec_no_ip_flows() takes care of
+  * adding the required flow(s) to allow. */
 return;
 }
 
@@ -3493,6 +3503,10 @@ build_out_port_sec_ip6_flows(const struct 
sbrec_port_binding *pb,
 struct ovn_desired_flow_table *flow_table)
 {
 if (!ps_addr->n_ipv4_addrs && !ps_addr->n_ipv6_addrs) {
+/* No IPv4 and no IPv6 addresses in the port security.
+ * Both IPv4 and IPv6 traffic should be delivered to the
+ * lport. build_out_port_sec_no_ip_flows() takes care of
+ * adding the required flow(s) to allow. */
 return;
 }
 
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 0912e3bec4..5bd0935e72 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -7404,8 +7404,8 @@ AT_CHECK([cat sw0flows | grep -e port_sec | sort | sed 
's/table=./table=?/' ], [
   table=? (ls_in_check_port_sec), priority=100  , match=(eth.src[[40]]), 
action=(drop;)
   table=? (ls_in_check_port_sec), priority=100  , match=(vlan.present), 
action=(drop;)
   table=? (ls_in_check_port_sec), priority=50   , match=(1), 
action=(reg0[[15]] = check_in_port_sec(); next;)
-  table=? (ls_in_check_port_sec), priority=50   , match=(inport == "sw0p1"), 
action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);)
   table=? (ls_in_check_port_sec), priority=70   , match=(inport == 
"localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
+  table=? (ls_in_check_port_sec), priority=70   , match=(inport == "sw0p1"), 
action=(reg0[[14]] = 1; next(pipeline=ingress, table=16);)
   table=? (ls_in_check_port_sec), priority=70   , match=(inport == "sw0p2"), 
action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
   table=? (ls_in_apply_port_sec), priority=0, match=(1), action=(next;)
   table=? (ls_in_apply_port_sec), priority=50   , match=(reg0[[15]] == 1), 
action=(drop;)
-- 
2.35.3

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev