diff --git a/northd/northd.c b/northd/northd.c index b01e40ecda..2a4d96dfc2 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -6065,6 +6065,31 @@ skip_port_from_conntrack(const struct ovn_datapath *od, struct ovn_port *op, free(egress_match); } +static void +build_stateless_for_lb_filter(const struct ovn_datapath *od, + const struct nbrec_acl *acl, + struct lflow_table *lflows, + struct lflow_ref *lflow_ref) +{ + const char *action = REGBIT_ACL_VERDICT_ALLOW" = 1;" + REGBIT_CONNTRACK_COMMIT" = 1; next;"; + if (!strcmp(acl->direction, "from-lport")) { + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 65532, + acl->match, "next;", &acl->header_, + lflow_ref); + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_ACL_EVAL, + 65532, acl->match, action, &acl->header_, + lflow_ref); + } else { + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 65532, + acl->match, "next;", &acl->header_, + lflow_ref); + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_ACL_EVAL, + 65532, acl->match, action, &acl->header_, + lflow_ref); + } +} + static void build_stateless_filter(const struct ovn_datapath *od, const struct nbrec_acl *acl, @@ -6095,10 +6120,17 @@ build_stateless_filters(const struct ovn_datapath *od, struct lflow_table *lflows, struct lflow_ref *lflow_ref) { + bool skip_stateless = smap_get_bool(&od->nbs->other_config, + "skip_stateless", false); + for (size_t i = 0; i < od->nbs->n_acls; i++) { const struct nbrec_acl *acl = od->nbs->acls[i]; if (!strcmp(acl->action, "allow-stateless")) { - build_stateless_filter(od, acl, lflows, lflow_ref); + if (skip_stateless) { + build_stateless_for_lb_filter(od, acl, lflows, lflow_ref); + } else { + build_stateless_filter(od, acl, lflows, lflow_ref); + } } } @@ -6114,7 +6146,11 @@ build_stateless_filters(const struct ovn_datapath *od, const struct nbrec_acl *acl = ls_pg_rec->nb_pg->acls[i]; if (!strcmp(acl->action, "allow-stateless")) { - build_stateless_filter(od, acl, lflows, lflow_ref); + if (skip_stateless) { + build_stateless_for_lb_filter(od, acl, lflows, lflow_ref); + } else { + build_stateless_filter(od, acl, lflows, lflow_ref); + } } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 4b86f432db..a29ae1086e 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -795,6 +795,14 @@ to 0, which means disabled. + + For the correct operation of the load balancer, when using stateless + ACLs and for the load balancer on the logical switch that matches these + rules, enable this option. Without this option, packets governed + by stateless ACLs will be processed as stateless and LB will not work. + + diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 21d9d63ab8..38524b06ae 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -14384,3 +14384,74 @@ AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_out_acl_action | grep priority=500 | AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD_NO_HV([ +AT_SETUP([ACL with skip_stateless option]) +ovn_start + +check ovn-nbctl ls-add ls1 + +check ovn-nbctl --wait=sb acl-add ls1 to-lport 100 1 allow-stateless +check ovn-nbctl --wait=sb acl-add ls1 from-lport 150 1 allow-stateless +ovn-sbctl dump-flows ls1 > sw0flows + +AT_CHECK([grep -e "ls_in_pre_acl" -e "ls_out_pre_acl" sw0flows | ovn_strip_lflows], [0], [dnl + table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) + table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) +]) + +check ovn-nbctl lb-add lb1 10.0.0.10:80 10.0.0.3:80 +check ovn-nbctl --wait=sb ls-lb-add ls1 lb1 + +ovn-sbctl dump-flows ls1 > ls1flows +AT_CHECK([grep -e "ls_in_pre_acl" -e "ls_out_pre_acl" ls1flows | ovn_strip_lflows], [0], [dnl + table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) + table=??(ls_in_pre_acl ), priority=1150 , match=(1), action=(reg0[[16]] = 1; next;) + table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_pre_acl ), priority=1100 , match=(1), action=(reg0[[16]] = 1; next;) +]) + +AT_CHECK([grep "ls_out_acl_eval" ls1flows | ovn_strip_lflows], [0], [dnl + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1100 , match=((1)), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) +]) + +ovn-nbctl set logical-switch ls1 other_config:skip_stateless=true + +ovn-sbctl dump-flows ls1 > ls1flows + +AT_CHECK([grep -e "ls_in_pre_acl" -e "ls_out_pre_acl" ls1flows | ovn_strip_lflows], [0], [dnl + table=??(ls_in_pre_acl ), priority=0 , match=(1), action=(next;) + table=??(ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) + table=??(ls_in_pre_acl ), priority=65532, match=(1), action=(next;) + table=??(ls_out_pre_acl ), priority=0 , match=(1), action=(next;) + table=??(ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) + table=??(ls_out_pre_acl ), priority=65532, match=(1), action=(next;) +]) + +AT_CHECK([grep "ls_out_acl_eval" ls1flows | ovn_strip_lflows], [0], [dnl + table=??(ls_out_acl_eval ), priority=0 , match=(1), action=(next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[[1]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=1100 , match=((1)), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;) + table=??(ls_out_acl_eval ), priority=65532, match=(1), action=(reg8[[16]] = 1;reg0[[1]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[[17]] = 1; next;) + table=??(ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;) +]) + +AT_CLEANUP +]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 19ec1eb8df..ac0d287648 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -9839,6 +9839,42 @@ sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +#add skip_stateless options on ls +check ovn-nbctl set logical_switch foo other_config skip_stateless=true +check ovn-nbctl set logical_switch bar other_config skip_stateless=true + +# Wait for ovn-controller to catch up. +ovn-nbctl --wait=hv sync + +OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-groups br-int | \ +grep 'nat(dst=192.168.2.2:80)']) +zone_id=$(ovn-appctl -t ovn-controller ct-zone-list | grep foo1 | cut -d ' ' -f2) + +OVS_START_L7([bar1], [http]) + +AT_CHECK([ip netns exec foo1 wget 192.168.2.2 -t 3 -T 1], [0], [ignore], [ignore]) + +# check conntrack zone has tcp entry +AT_CHECK([ovs-appctl dpctl/dump-conntrack zone=$zone_id | \ +FORMAT_CT(192.168.1.2) | \ +sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl +tcp,orig=(src=192.168.1.2,dst=192.168.2.2,sport=,dport=),reply=(src=192.168.2.2,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=) +]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +# now check with VIP +AT_CHECK([ip netns exec foo1 wget 30.30.30.30 -t 3 -T 1], [0], [ignore], [ignore]) + +# check conntrack zone has tcp entry +AT_CHECK([ovs-appctl dpctl/dump-conntrack zone=$zone_id | \ +FORMAT_CT(30.30.30.30) | \ +sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl +tcp,orig=(src=192.168.1.2,dst=30.30.30.30,sport=,dport=),reply=(src=192.168.2.2,dst=192.168.1.2,sport=,dport=),zone=,mark=2,protoinfo=(state=) +]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + OVS_APP_EXIT_AND_WAIT([ovn-controller]) as ovn-sb @@ -9983,6 +10019,42 @@ sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +check ovn-nbctl set logical_switch foo other_config skip_stateless=true +check ovn-nbctl set logical_switch bar other_config skip_stateless=true + +# Wait for ovn-controller to catch up. +ovn-nbctl --wait=hv sync + +OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-groups br-int | \ +grep 'nat(dst=\[[fd12::2\]]:80)']) + +zone_id=$(ovn-appctl -t ovn-controller ct-zone-list | grep foo1 | cut -d ' ' -f2) + +OVS_START_L7([bar1], [http6]) +AT_CHECK([ip netns exec foo1 wget http://[[fd12::2]] -t 3 -T 1], [0], [ignore], [ignore]) + +# check conntrack zone has tcp entry +AT_CHECK([ovs-appctl dpctl/dump-conntrack zone=$zone_id | \ +FORMAT_CT(fd12::2) | grep -v fe80 | \ +sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl +tcp,orig=(src=fd11::2,dst=fd12::2,sport=,dport=),reply=(src=fd12::2,dst=fd11::2,sport=,dport=),zone=,protoinfo=(state=) +]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +# now check with VIP +AT_CHECK([ip netns exec foo1 wget http://[[fd30::2]] -t 3 -T 1], [0], [ignore], [ignore]) + +# check conntrack zone has tcp entry +AT_CHECK([ovs-appctl dpctl/dump-conntrack zone=$zone_id | \ +FORMAT_CT(fd30::2) | grep -v fe80 | \ +sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl +tcp,orig=(src=fd11::2,dst=fd30::2,sport=,dport=),reply=(src=fd12::2,dst=fd11::2,sport=,dport=),zone=,mark=2,protoinfo=(state=) +]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +# OVS_APP_EXIT_AND_WAIT([ovn-controller]) as ovn-sb