On Fri, May 27, 2016 at 11:53 AM, Flavio Fernandes <fla...@flaviof.com> wrote:
> When responding to icmp echo requests (aka ping) packets, the logical
> router should not restrict responses based on the inport.
>
> Example diagram:
>
> vm: IP1.1 (subnet1)
> logical_router: IP1.2 (subnet1) and IP2.2 (subnet2)
>
> vm -------[subnet1]------- logical_router -------[subnet2]
> <IP1.1>                <IP1.2>        <IP2.2>
>
> vm should be able to ping <IP2.2>, even though it is an address
> of a subnet that can only be reached through L3 routing.
>
> Reference to the mailing list thread:
> http://openvswitch.org/pipermail/discuss/2016-May/021172.html
>
> ---
> Changes v1->v2:
> - Add unit test.
>
> Changes v2->v3:
> - Code review feedback from Russell Bryant
> - Fix comment section on how vm can ping ip2.2
>
> Changes v3->v4:
> - Rebase
> - Resolve open discussion on ttl: it is a non-issue
>   Thanks Ben P and Darrell B!
>   Ref: http://openvswitch.org/pipermail/dev/2016-May/071773.html
>
> Changes v4->v5:
> - Rebase
> - Fix typos and inconsistencies in ovn icmp test
>
> Signed-off-by: Flavio Fernandes <fla...@flaviof.com>
> Tested-by: Flavio Fernandes <fla...@flaviof.com>
> ---
>

Tested by creating 2 tenants, each with a logical router, and multiple vms over multiple subnets. The script used is available here:
https://gist.githubusercontent.com/anonymous/6b45e06adb7899139d7f45918230a683/raw/87abc63e3f5f935a40a65ae029ab49c98ea3b8a0/gistify829919.txt

To create tenant 2, I changed the following environment variables and called the script a second time, like this:

$ cd <somedir>
$ wget -O createL3TenantAndVms.sh \
  https://gist.githubusercontent.com/anonymous/6b45e06adb7899139d7f45918230a683/raw/87abc63e3f5f935a40a65ae029ab49c98ea3b8a0/gistify829919.txt
$ chmod 755 ./createL3TenantAndVms.sh
$ ./createL3TenantAndVms.sh
$ export TNT_ID=2 ; export SUBNETS_PER_TENANT=3 ; export VMS_PER_SUBNET=1
$ ./createL3TenantAndVms.sh

The vms of the same tenant are able to ping each other and all the ip addresses of the tenant logical router. Output of that test is shown here:
https://gist.github.com/bc620c5b574570947fc35c4ae64ea427

vagrant@devstack-control:~$ cd ~/devstack/
vagrant@devstack-control:~/devstack$ source openrc admin admin
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
vagrant@devstack-control:~/devstack$ nova hypervisor-list
+----+---------------------+-------+---------+
| ID | Hypervisor hostname | State | Status  |
+----+---------------------+-------+---------+
| 1  | devstack-control    | up    | enabled |
| 2  | devstack-compute-1  | up    | enabled |
| 3  | devstack-compute-2  | up    | enabled |
+----+---------------------+-------+---------+
vagrant@devstack-control:~/devstack$ nova list --all-tenants
+--------------------------------------+---------------+----------------------------------+--------+------------+-------------+--------------+
| ID                                   | Name          | Tenant ID                        | Status | Task State | Power State | Networks     |
+--------------------------------------+---------------+----------------------------------+--------+------------+-------------+--------------+
| 3442906a-04ff-47d2-ad76-378003e4d7c7 | tnt1_net1_vm1 | d0cb7e62276c4e56b4f61dcc24b8aae0 | ACTIVE | -          | Running     | net1=1.0.0.2 |
| 448428c1-4820-427e-9df5-81b901582bf6 | tnt1_net1_vm2 | d0cb7e62276c4e56b4f61dcc24b8aae0 | ACTIVE | -          | Running     | net1=1.0.0.3 |
| 134e0b93-36e2-4e51-8eab-ec8f539bcc7c | tnt1_net2_vm1 | d0cb7e62276c4e56b4f61dcc24b8aae0 | ACTIVE | -          | Running     | net2=2.0.0.2 |
| 4a7e841e-54e5-444b-86ef-60f9dd824fb1 | tnt1_net2_vm2 | d0cb7e62276c4e56b4f61dcc24b8aae0 | ACTIVE | -          | Running     | net2=2.0.0.3 |
| da3dc54f-5238-4e8a-91f8-9ab9cf0469de | tnt2_net1_vm1 | edaf46d40a894cc7870a8ef72da48139 | ACTIVE | -          | Running     | net1=1.0.0.2 |
| cda6d775-55fe-4b74-b132-e0c43bcdd75d | tnt2_net2_vm1 | edaf46d40a894cc7870a8ef72da48139 | ACTIVE | -          | Running     | net2=2.0.0.2 |
| 53ac4a3e-b148-48de-8f2b-7a184607b136 | tnt2_net3_vm1 | edaf46d40a894cc7870a8ef72da48139 | ACTIVE | -          | Running     | net3=3.0.0.2 |
+--------------------------------------+---------------+----------------------------------+--------+------------+-------------+--------------+
vagrant@devstack-control:~/devstack$ nova list --all-tenants --fields=name ; \
> for vm in $(nova list --all-tenants --fields=name | sed -n '4,$p' | awk '{if ($4 != "") {print $2}}') ; do \
> echo -n "$vm " ; \
> nova show $vm | grep hypervisor_hostname | awk '{if ($4 != "") {print "|", $4}}' ; \
> done
+--------------------------------------+---------------+
| ID                                   | Name          |
+--------------------------------------+---------------+
| 3442906a-04ff-47d2-ad76-378003e4d7c7 | tnt1_net1_vm1 |
| 448428c1-4820-427e-9df5-81b901582bf6 | tnt1_net1_vm2 |
| 134e0b93-36e2-4e51-8eab-ec8f539bcc7c | tnt1_net2_vm1 |
| 4a7e841e-54e5-444b-86ef-60f9dd824fb1 | tnt1_net2_vm2 |
| da3dc54f-5238-4e8a-91f8-9ab9cf0469de | tnt2_net1_vm1 |
| cda6d775-55fe-4b74-b132-e0c43bcdd75d | tnt2_net2_vm1 |
| 53ac4a3e-b148-48de-8f2b-7a184607b136 | tnt2_net3_vm1 |
+--------------------------------------+---------------+
3442906a-04ff-47d2-ad76-378003e4d7c7 | devstack-compute-2
448428c1-4820-427e-9df5-81b901582bf6 | devstack-compute-1
134e0b93-36e2-4e51-8eab-ec8f539bcc7c | devstack-control
4a7e841e-54e5-444b-86ef-60f9dd824fb1 | devstack-compute-2
da3dc54f-5238-4e8a-91f8-9ab9cf0469de | devstack-compute-1
cda6d775-55fe-4b74-b132-e0c43bcdd75d | devstack-compute-2
53ac4a3e-b148-48de-8f2b-7a184607b136 | devstack-compute-1
vagrant@devstack-control:~/devstack$
vagrant@devstack-control:~/devstack$ sudo ip netns
qdhcp-c48ea971-8363-4919-9041-5d6137a3cd58
qdhcp-bf1cd64a-ec5f-41e8-a96c-cee9e8dcfd76
qdhcp-48549342-a1c5-4811-96e2-f52bcd2d5c11
qdhcp-0495c62d-bb15-47a2-aad8-e8f5ca87b242
qdhcp-cdfabe6f-8ba7-4a23-8f8f-ca0aa4de97ac
vagrant@devstack-control:~/devstack$
vagrant@devstack-control:~/devstack$
vagrant@devstack-control:~/devstack$ sudo ip netns exec $(sudo ip netns | head -1) bash
root@devstack-control:~/devstack# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
14: tap91fc44b4-1b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:b6:3a:e8 brd ff:ff:ff:ff:ff:ff
    inet 3.0.0.1/24 brd 3.0.0.255 scope global tap91fc44b4-1b
       valid_lft forever preferred_lft forever
    inet 169.254.169.254/16 brd 169.254.255.255 scope global tap91fc44b4-1b
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feb6:3ae8/64 scope link
       valid_lft forever preferred_lft forever
root@devstack-control:~/devstack# ssh cirros@3.0.0.2
The authenticity of host '3.0.0.2 (3.0.0.2)' can't be established.
RSA key fingerprint is 8e:de:a8:ca:38:1a:b8:c5:b3:be:1d:fd:f6:ca:33:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '3.0.0.2' (RSA) to the list of known hosts.
cirros@3.0.0.2's password: cubswin:)
$ ip route
default via 3.0.0.254 dev eth0
3.0.0.0/24 dev eth0 src 3.0.0.2
169.254.169.254 via 3.0.0.1 dev eth0
$ ping -c 1 3.0.0.254
PING 3.0.0.254 (3.0.0.254): 56 data bytes
64 bytes from 3.0.0.254: seq=0 ttl=254 time=7.803 ms

--- 3.0.0.254 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.803/7.803/7.803 ms
$ ping -c 1 2.0.0.254
PING 2.0.0.254 (2.0.0.254): 56 data bytes
64 bytes from 2.0.0.254: seq=0 ttl=254 time=4.377 ms

--- 2.0.0.254 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.377/4.377/4.377 ms
$ ping -c 1 1.0.0.254
PING 1.0.0.254 (1.0.0.254): 56 data bytes
64 bytes from 1.0.0.254: seq=0 ttl=254 time=3.370 ms

--- 1.0.0.254 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.370/3.370/3.370 ms
$ ping -c 1 1.0.0.1
PING 1.0.0.1 (1.0.0.1): 56 data bytes
64 bytes from 1.0.0.1: seq=0 ttl=63 time=5.156 ms

--- 1.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 5.156/5.156/5.156 ms
$ ping -c 1 1.0.0.2
PING 1.0.0.2 (1.0.0.2): 56 data bytes
64 bytes from 1.0.0.2: seq=0 ttl=63 time=7.277 ms

--- 1.0.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.277/7.277/7.277 ms
$ ping -c 1 1.0.0.3 ; # this should not work, since there is no 1.0.0.3 in tenant 2
PING 1.0.0.3 (1.0.0.3): 56 data bytes

--- 1.0.0.3 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
$

===

Logical flows: https://gist.github.com/13006b63e4f2eaa8ae90f82213aac74b

vagrant@devstack-control:~/devstack$ sudo ovn-sbctl lflow-list
ls_out_acl), priority= 2001, match=(outport == "8f05ae8c-0cdd-416c-8bf0-306734eb1833" && ip), action=(drop;) table=1( ls_out_acl), priority= 1, match=(ip), action=(ct_commit; next;) table=1( ls_out_acl), priority= 0, match=(1), action=(next;) table=2(ls_out_port_sec_ip), priority= 90, match=(outport == "8f05ae8c-0cdd-416c-8bf0-306734eb1833" && eth.dst == fa:16:3e:03:4c:72 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 1.0.0.2}), action=(next;) table=2(ls_out_port_sec_ip), priority= 80, match=(outport == "8f05ae8c-0cdd-416c-8bf0-306734eb1833" && eth.dst == fa:16:3e:03:4c:72 && ip), action=(drop;) table=2(ls_out_port_sec_ip), priority= 0, match=(1), action=(next;) table=3(ls_out_port_sec_l2), priority= 100, match=(eth.mcast), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "782ddf69-d24f-476f-8349-9d748a306eab"), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "8f05ae8c-0cdd-416c-8bf0-306734eb1833" && eth.dst == {fa:16:3e:03:4c:72}), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "90d33d89-4e2b-461b-94a1-89318d8a4e56"), action=(output;) Datapath: c48e8037-dbe6-45bc-afc7-f5c6f662eadf Pipeline: ingress table=0(ls_in_port_sec_l2), priority= 100, match=(eth.src[40]), action=(drop;) table=0(ls_in_port_sec_l2), priority= 100, match=(vlan.present), action=(drop;) table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && eth.src == {fa:16:3e:b2:12:b2}), action=(next;) table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "2fa1ccea-d337-404c-b638-094717a46e81"), action=(next;) table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "8c2f0b04-8647-4f79-83eb-a9e03648951c"), action=(next;) table=1(ls_in_port_sec_ip), priority= 90, match=(inport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && eth.src == fa:16:3e:b2:12:b2 && ip4.src == {0.0.0.0, 2.0.0.2}), action=(next;) table=1(ls_in_port_sec_ip), priority= 80, match=(inport == 
"24d679c7-9d0c-4b73-94c8-7052a95c07dc" && eth.src == fa:16:3e:b2:12:b2 && ip), action=(drop;) table=1(ls_in_port_sec_ip), priority= 0, match=(1), action=(next;) table=2(ls_in_port_sec_nd), priority= 90, match=(inport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && eth.src == fa:16:3e:b2:12:b2 && arp.sha == fa:16:3e:b2:12:b2 && (arp.spa == 2.0.0.2 )), action=(next;) table=2(ls_in_port_sec_nd), priority= 80, match=(inport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && (arp || nd)), action=(drop;) table=2(ls_in_port_sec_nd), priority= 0, match=(1), action=(next;) table=3( ls_in_pre_acl), priority= 110, match=(ip && inport == "2fa1ccea-d337-404c-b638-094717a46e81"), action=(next;) table=3( ls_in_pre_acl), priority= 100, match=(ip), action=(ct_next;) table=3( ls_in_pre_acl), priority= 0, match=(1), action=(next;) table=4( ls_in_acl), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv), action=(next;) table=4( ls_in_acl), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(next;) table=4( ls_in_acl), priority=65535, match=(ct.inv), action=(drop;) table=4( ls_in_acl), priority= 2002, match=(ct.new && (inport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip4)), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2002, match=(ct.new && (inport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip6)), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2002, match=(inport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip4 && (ip4.dst == 255.255.255.255 || ip4.dst == 2.0.0.0/24) && udp && udp.src == 68 && udp.dst == 67), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2001, match=(inport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip), action=(drop;) table=4( ls_in_acl), priority= 1, match=(ip), action=(ct_commit; next;) table=4( ls_in_acl), priority= 0, match=(1), action=(next;) table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 2.0.0.1 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:22:5d:59; arp.op = 2; /* ARP 
reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:22:5d:59; arp.tpa = arp.spa; arp.spa = 2.0.0.1; outport = inport; inport = ""; /* Allow sending out inport. */ output;) table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 2.0.0.2 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:b2:12:b2; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:b2:12:b2; arp.tpa = arp.spa; arp.spa = 2.0.0.2; outport = inport; inport = ""; /* Allow sending out inport. */ output;) table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 2.0.0.254 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:57:67:69; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:57:67:69; arp.tpa = arp.spa; arp.spa = 2.0.0.254; outport = inport; inport = ""; /* Allow sending out inport. */ output;) table=5( ls_in_arp_rsp), priority= 0, match=(1), action=(next;) table=6( ls_in_l2_lkup), priority= 100, match=(eth.mcast), action=(outport = "_MC_flood"; output;) table=6( ls_in_l2_lkup), priority= 50, match=(eth.dst == fa:16:3e:22:5d:59), action=(outport = "8c2f0b04-8647-4f79-83eb-a9e03648951c"; output;) table=6( ls_in_l2_lkup), priority= 50, match=(eth.dst == fa:16:3e:57:67:69), action=(outport = "2fa1ccea-d337-404c-b638-094717a46e81"; output;) table=6( ls_in_l2_lkup), priority= 50, match=(eth.dst == fa:16:3e:b2:12:b2), action=(outport = "24d679c7-9d0c-4b73-94c8-7052a95c07dc"; output;) Datapath: c48e8037-dbe6-45bc-afc7-f5c6f662eadf Pipeline: egress table=0( ls_out_pre_acl), priority= 110, match=(ip && outport == "2fa1ccea-d337-404c-b638-094717a46e81"), action=(next;) table=0( ls_out_pre_acl), priority= 100, match=(ip), action=(ct_next;) table=0( ls_out_pre_acl), priority= 0, match=(1), action=(next;) table=1( ls_out_acl), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv), action=(next;) table=1( ls_out_acl), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(next;) table=1( ls_out_acl), priority=65535, match=(ct.inv), 
action=(drop;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip4 && ip4.src == 0.0.0.0/0 && icmp4)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst >= 1 && tcp.dst <= 65535)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst >= 1 && udp.dst <= 65535)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(outport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip4 && ip4.src == 2.0.0.0/24 && udp && udp.src == 67 && udp.dst == 68), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2001, match=(outport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && ip), action=(drop;) table=1( ls_out_acl), priority= 1, match=(ip), action=(ct_commit; next;) table=1( ls_out_acl), priority= 0, match=(1), action=(next;) table=2(ls_out_port_sec_ip), priority= 90, match=(outport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && eth.dst == fa:16:3e:b2:12:b2 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 2.0.0.2}), action=(next;) table=2(ls_out_port_sec_ip), priority= 80, match=(outport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && eth.dst == fa:16:3e:b2:12:b2 && ip), action=(drop;) table=2(ls_out_port_sec_ip), priority= 0, match=(1), action=(next;) table=3(ls_out_port_sec_l2), priority= 100, match=(eth.mcast), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "24d679c7-9d0c-4b73-94c8-7052a95c07dc" && eth.dst == {fa:16:3e:b2:12:b2}), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "2fa1ccea-d337-404c-b638-094717a46e81"), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "8c2f0b04-8647-4f79-83eb-a9e03648951c"), action=(output;) Datapath: d132f5bf-fcb4-47eb-823d-66b59cac41ea 
Pipeline: ingress table=0( lr_in_admission), priority= 100, match=(vlan.present || eth.src[40]), action=(drop;) table=0( lr_in_admission), priority= 50, match=((eth.mcast || eth.dst == fa:16:3e:3e:c8:08) && inport == "lrp-90d33d89-4e2b-461b-94a1-89318d8a4e56"), action=(next;) table=0( lr_in_admission), priority= 50, match=((eth.mcast || eth.dst == fa:16:3e:57:67:69) && inport == "lrp-2fa1ccea-d337-404c-b638-094717a46e81"), action=(next;) table=0( lr_in_admission), priority= 50, match=((eth.mcast || eth.dst == fa:16:3e:de:0a:13) && inport == "lrp-7c4b8a30-ad9a-425e-81af-ce041f24d67c"), action=(next;) table=1( lr_in_ip_input), priority= 100, match=(ip4.mcast || ip4.src == 255.255.255.255 || ip4.src == 127.0.0.0/8 || ip4.dst == 127.0.0.0/8 || ip4.src == 0.0.0.0/8 || ip4.dst == 0.0.0.0/8), action=(drop;) table=1( lr_in_ip_input), priority= 100, match=(ip4.src == {1.0.0.254, 1.0.0.255}), action=(drop;) table=1( lr_in_ip_input), priority= 100, match=(ip4.src == {2.0.0.254, 2.0.0.255}), action=(drop;) table=1( lr_in_ip_input), priority= 100, match=(ip4.src == {3.0.0.254, 3.0.0.255}), action=(drop;) table=1( lr_in_ip_input), priority= 90, match=((ip4.dst == 1.0.0.254 || ip4.dst == 1.0.0.255) && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst = ip4.src; ip4.src = 1.0.0.254; ip.ttl = 255; icmp4.type = 0; inport = ""; /* Allow sending out inport. */ next; ) table=1( lr_in_ip_input), priority= 90, match=((ip4.dst == 2.0.0.254 || ip4.dst == 2.0.0.255) && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst = ip4.src; ip4.src = 2.0.0.254; ip.ttl = 255; icmp4.type = 0; inport = ""; /* Allow sending out inport. */ next; ) table=1( lr_in_ip_input), priority= 90, match=((ip4.dst == 3.0.0.254 || ip4.dst == 3.0.0.255) && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst = ip4.src; ip4.src = 3.0.0.254; ip.ttl = 255; icmp4.type = 0; inport = ""; /* Allow sending out inport. 
*/ next; ) table=1( lr_in_ip_input), priority= 90, match=(arp.op == 2), action=(put_arp(inport, arp.spa, arp.sha);) table=1( lr_in_ip_input), priority= 90, match=(inport == "lrp-2fa1ccea-d337-404c-b638-094717a46e81" && arp.tpa == 2.0.0.254 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:57:67:69; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:57:67:69; arp.tpa = arp.spa; arp.spa = 2.0.0.254; outport = "lrp-2fa1ccea-d337-404c-b638-094717a46e81"; inport = ""; /* Allow sending out inport. */ output;) table=1( lr_in_ip_input), priority= 90, match=(inport == "lrp-7c4b8a30-ad9a-425e-81af-ce041f24d67c" && arp.tpa == 3.0.0.254 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:de:0a:13; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:de:0a:13; arp.tpa = arp.spa; arp.spa = 3.0.0.254; outport = "lrp-7c4b8a30-ad9a-425e-81af-ce041f24d67c"; inport = ""; /* Allow sending out inport. */ output;) table=1( lr_in_ip_input), priority= 90, match=(inport == "lrp-90d33d89-4e2b-461b-94a1-89318d8a4e56" && arp.tpa == 1.0.0.254 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:3e:c8:08; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:3e:c8:08; arp.tpa = arp.spa; arp.spa = 1.0.0.254; outport = "lrp-90d33d89-4e2b-461b-94a1-89318d8a4e56"; inport = ""; /* Allow sending out inport. 
*/ output;) table=1( lr_in_ip_input), priority= 60, match=(ip4.dst == 1.0.0.254), action=(drop;) table=1( lr_in_ip_input), priority= 60, match=(ip4.dst == 2.0.0.254), action=(drop;) table=1( lr_in_ip_input), priority= 60, match=(ip4.dst == 3.0.0.254), action=(drop;) table=1( lr_in_ip_input), priority= 50, match=(eth.bcast), action=(drop;) table=1( lr_in_ip_input), priority= 50, match=(ip4.mcast), action=(drop;) table=1( lr_in_ip_input), priority= 30, match=(ip4 && ip.ttl == {0, 1}), action=(drop;) table=1( lr_in_ip_input), priority= 0, match=(1), action=(next;) table=2(lr_in_ip_routing), priority= 24, match=(ip4.dst == 1.0.0.0/255.255.255.0), action=(ip.ttl--; reg0 = ip4.dst; reg1 = 1.0.0.254; eth.src = fa:16:3e:3e:c8:08; outport = "lrp-90d33d89-4e2b-461b-94a1-89318d8a4e56"; next;) table=2(lr_in_ip_routing), priority= 24, match=(ip4.dst == 2.0.0.0/255.255.255.0), action=(ip.ttl--; reg0 = ip4.dst; reg1 = 2.0.0.254; eth.src = fa:16:3e:57:67:69; outport = "lrp-2fa1ccea-d337-404c-b638-094717a46e81"; next;) table=2(lr_in_ip_routing), priority= 24, match=(ip4.dst == 3.0.0.0/255.255.255.0), action=(ip.ttl--; reg0 = ip4.dst; reg1 = 3.0.0.254; eth.src = fa:16:3e:de:0a:13; outport = "lrp-7c4b8a30-ad9a-425e-81af-ce041f24d67c"; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == "lrp-2fa1ccea-d337-404c-b638-094717a46e81" && reg0 == 2.0.0.1), action=(eth.dst = fa:16:3e:22:5d:59; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == "lrp-2fa1ccea-d337-404c-b638-094717a46e81" && reg0 == 2.0.0.2), action=(eth.dst = fa:16:3e:b2:12:b2; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == "lrp-2fa1ccea-d337-404c-b638-094717a46e81" && reg0 == 2.0.0.254), action=(eth.dst = fa:16:3e:57:67:69; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == "lrp-7c4b8a30-ad9a-425e-81af-ce041f24d67c" && reg0 == 3.0.0.1), action=(eth.dst = fa:16:3e:b6:3a:e8; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == 
"lrp-7c4b8a30-ad9a-425e-81af-ce041f24d67c" && reg0 == 3.0.0.2), action=(eth.dst = fa:16:3e:32:0f:3f; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == "lrp-7c4b8a30-ad9a-425e-81af-ce041f24d67c" && reg0 == 3.0.0.254), action=(eth.dst = fa:16:3e:de:0a:13; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == "lrp-90d33d89-4e2b-461b-94a1-89318d8a4e56" && reg0 == 1.0.0.1), action=(eth.dst = fa:16:3e:ea:11:6f; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == "lrp-90d33d89-4e2b-461b-94a1-89318d8a4e56" && reg0 == 1.0.0.2), action=(eth.dst = fa:16:3e:03:4c:72; next;) table=3(lr_in_arp_resolve), priority= 100, match=(outport == "lrp-90d33d89-4e2b-461b-94a1-89318d8a4e56" && reg0 == 1.0.0.254), action=(eth.dst = fa:16:3e:3e:c8:08; next;) table=3(lr_in_arp_resolve), priority= 0, match=(1), action=(get_arp(outport, reg0); next;) table=4(lr_in_arp_request), priority= 100, match=(eth.dst == 00:00:00:00:00:00), action=(arp { eth.dst = ff:ff:ff:ff:ff:ff; arp.spa = reg1; arp.op = 1; output; };) table=4(lr_in_arp_request), priority= 0, match=(1), action=(output;) Datapath: d132f5bf-fcb4-47eb-823d-66b59cac41ea Pipeline: egress table=0( lr_out_delivery), priority= 100, match=(outport == "lrp-2fa1ccea-d337-404c-b638-094717a46e81"), action=(output;) table=0( lr_out_delivery), priority= 100, match=(outport == "lrp-7c4b8a30-ad9a-425e-81af-ce041f24d67c"), action=(output;) table=0( lr_out_delivery), priority= 100, match=(outport == "lrp-90d33d89-4e2b-461b-94a1-89318d8a4e56"), action=(output;) Datapath: f1e59629-d8b3-47b3-af52-9363984b347c Pipeline: ingress table=0(ls_in_port_sec_l2), priority= 100, match=(eth.src[40]), action=(drop;) table=0(ls_in_port_sec_l2), priority= 100, match=(vlan.present), action=(drop;) table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && eth.src == {fa:16:3e:df:d2:99}), action=(next;) table=0(ls_in_port_sec_l2), priority= 50, match=(inport == 
"7d2e9e9d-002c-4dca-b97f-073f3a9dde3a"), action=(next;) table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "9bd0b3af-aee8-4c11-ab4a-a41ac4a49e85"), action=(next;) table=0(ls_in_port_sec_l2), priority= 50, match=(inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && eth.src == {fa:16:3e:ed:39:73}), action=(next;) table=1(ls_in_port_sec_ip), priority= 90, match=(inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && eth.src == fa:16:3e:df:d2:99 && ip4.src == {0.0.0.0, 2.0.0.2}), action=(next;) table=1(ls_in_port_sec_ip), priority= 90, match=(inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && eth.src == fa:16:3e:ed:39:73 && ip4.src == {0.0.0.0, 2.0.0.3}), action=(next;) table=1(ls_in_port_sec_ip), priority= 80, match=(inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && eth.src == fa:16:3e:df:d2:99 && ip), action=(drop;) table=1(ls_in_port_sec_ip), priority= 80, match=(inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && eth.src == fa:16:3e:ed:39:73 && ip), action=(drop;) table=1(ls_in_port_sec_ip), priority= 0, match=(1), action=(next;) table=2(ls_in_port_sec_nd), priority= 90, match=(inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && eth.src == fa:16:3e:df:d2:99 && arp.sha == fa:16:3e:df:d2:99 && (arp.spa == 2.0.0.2 )), action=(next;) table=2(ls_in_port_sec_nd), priority= 90, match=(inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && eth.src == fa:16:3e:ed:39:73 && arp.sha == fa:16:3e:ed:39:73 && (arp.spa == 2.0.0.3 )), action=(next;) table=2(ls_in_port_sec_nd), priority= 80, match=(inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && (arp || nd)), action=(drop;) table=2(ls_in_port_sec_nd), priority= 80, match=(inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && (arp || nd)), action=(drop;) table=2(ls_in_port_sec_nd), priority= 0, match=(1), action=(next;) table=3( ls_in_pre_acl), priority= 110, match=(ip && inport == "7d2e9e9d-002c-4dca-b97f-073f3a9dde3a"), action=(next;) table=3( ls_in_pre_acl), priority= 100, match=(ip), action=(ct_next;) table=3( 
ls_in_pre_acl), priority= 0, match=(1), action=(next;) table=4( ls_in_acl), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv), action=(next;) table=4( ls_in_acl), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(next;) table=4( ls_in_acl), priority=65535, match=(ct.inv), action=(drop;) table=4( ls_in_acl), priority= 2002, match=(ct.new && (inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && ip4)), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2002, match=(ct.new && (inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && ip6)), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2002, match=(ct.new && (inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip4)), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2002, match=(ct.new && (inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip6)), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2002, match=(inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && ip4 && (ip4.dst == 255.255.255.255 || ip4.dst == 2.0.0.0/24) && udp && udp.src == 68 && udp.dst == 67), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2002, match=(inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip4 && (ip4.dst == 255.255.255.255 || ip4.dst == 2.0.0.0/24) && udp && udp.src == 68 && udp.dst == 67), action=(ct_commit; next;) table=4( ls_in_acl), priority= 2001, match=(inport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && ip), action=(drop;) table=4( ls_in_acl), priority= 2001, match=(inport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip), action=(drop;) table=4( ls_in_acl), priority= 1, match=(ip), action=(ct_commit; next;) table=4( ls_in_acl), priority= 0, match=(1), action=(next;) table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 2.0.0.1 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:93:77:87; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:93:77:87; arp.tpa = arp.spa; arp.spa = 2.0.0.1; outport = inport; inport = ""; /* Allow 
sending out inport. */ output;) table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 2.0.0.2 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:df:d2:99; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:df:d2:99; arp.tpa = arp.spa; arp.spa = 2.0.0.2; outport = inport; inport = ""; /* Allow sending out inport. */ output;) table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 2.0.0.254 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:ce:83:a3; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:ce:83:a3; arp.tpa = arp.spa; arp.spa = 2.0.0.254; outport = inport; inport = ""; /* Allow sending out inport. */ output;) table=5( ls_in_arp_rsp), priority= 50, match=(arp.tpa == 2.0.0.3 && arp.op == 1), action=(eth.dst = eth.src; eth.src = fa:16:3e:ed:39:73; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = fa:16:3e:ed:39:73; arp.tpa = arp.spa; arp.spa = 2.0.0.3; outport = inport; inport = ""; /* Allow sending out inport. */ output;) table=5( ls_in_arp_rsp), priority= 0, match=(1), action=(next;) table=6( ls_in_l2_lkup), priority= 100, match=(eth.mcast), action=(outport = "_MC_flood"; output;) table=6( ls_in_l2_lkup), priority= 50, match=(eth.dst == fa:16:3e:93:77:87), action=(outport = "9bd0b3af-aee8-4c11-ab4a-a41ac4a49e85"; output;) table=6( ls_in_l2_lkup), priority= 50, match=(eth.dst == fa:16:3e:ce:83:a3), action=(outport = "7d2e9e9d-002c-4dca-b97f-073f3a9dde3a"; output;) table=6( ls_in_l2_lkup), priority= 50, match=(eth.dst == fa:16:3e:df:d2:99), action=(outport = "084c3170-9f80-4490-8621-1d8ec4779f6b"; output;) table=6( ls_in_l2_lkup), priority= 50, match=(eth.dst == fa:16:3e:ed:39:73), action=(outport = "a1e828e4-f4e5-4783-8daf-bef5c1703a12"; output;) Datapath: f1e59629-d8b3-47b3-af52-9363984b347c Pipeline: egress table=0( ls_out_pre_acl), priority= 110, match=(ip && outport == "7d2e9e9d-002c-4dca-b97f-073f3a9dde3a"), action=(next;) table=0( ls_out_pre_acl), priority= 100, match=(ip), 
action=(ct_next;) table=0( ls_out_pre_acl), priority= 0, match=(1), action=(next;) table=1( ls_out_acl), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv), action=(next;) table=1( ls_out_acl), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(next;) table=1( ls_out_acl), priority=65535, match=(ct.inv), action=(drop;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && ip4 && ip4.src == 0.0.0.0/0 && icmp4)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst >= 1 && tcp.dst <= 65535)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst >= 1 && udp.dst <= 65535)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip4 && ip4.src == 0.0.0.0/0 && icmp4)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst >= 1 && tcp.dst <= 65535)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(ct.new && (outport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst >= 1 && udp.dst <= 65535)), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(outport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && ip4 && ip4.src == 2.0.0.0/24 && udp && udp.src == 67 && udp.dst == 68), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2002, match=(outport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip4 && ip4.src == 2.0.0.0/24 && udp && udp.src == 67 && udp.dst == 68), action=(ct_commit; next;) table=1( ls_out_acl), priority= 2001, match=(outport == 
"084c3170-9f80-4490-8621-1d8ec4779f6b" && ip), action=(drop;) table=1( ls_out_acl), priority= 2001, match=(outport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && ip), action=(drop;) table=1( ls_out_acl), priority= 1, match=(ip), action=(ct_commit; next;) table=1( ls_out_acl), priority= 0, match=(1), action=(next;) table=2(ls_out_port_sec_ip), priority= 90, match=(outport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && eth.dst == fa:16:3e:df:d2:99 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 2.0.0.2}), action=(next;) table=2(ls_out_port_sec_ip), priority= 90, match=(outport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && eth.dst == fa:16:3e:ed:39:73 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 2.0.0.3}), action=(next;) table=2(ls_out_port_sec_ip), priority= 80, match=(outport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && eth.dst == fa:16:3e:df:d2:99 && ip), action=(drop;) table=2(ls_out_port_sec_ip), priority= 80, match=(outport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && eth.dst == fa:16:3e:ed:39:73 && ip), action=(drop;) table=2(ls_out_port_sec_ip), priority= 0, match=(1), action=(next;) table=3(ls_out_port_sec_l2), priority= 100, match=(eth.mcast), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "084c3170-9f80-4490-8621-1d8ec4779f6b" && eth.dst == {fa:16:3e:df:d2:99}), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "7d2e9e9d-002c-4dca-b97f-073f3a9dde3a"), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "9bd0b3af-aee8-4c11-ab4a-a41ac4a49e85"), action=(output;) table=3(ls_out_port_sec_l2), priority= 50, match=(outport == "a1e828e4-f4e5-4783-8daf-bef5c1703a12" && eth.dst == {fa:16:3e:ed:39:73}), action=(output;) > ovn/northd/ovn-northd.c | 9 ++- > tests/ovn.at | 175 > ++++++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 181 insertions(+), 3 deletions(-) > > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > index 44e9430..987601f 100644 
> --- a/ovn/northd/ovn-northd.c > +++ b/ovn/northd/ovn-northd.c > @@ -1892,11 +1892,14 @@ build_lrouter_flows(struct hmap *datapaths, struct > hmap *ports, > free(match); > > /* ICMP echo reply. These flows reply to ICMP echo requests > - * received for the router's IP address. */ > + * received for the router's IP address. Since packets only > + * get here as part of the logical router datapath, the inport > + * (i.e. the incoming locally attached net) does not matter. > + * The ip.ttl also does not matter (RFC1812 section 4.2.2.9) */ > match = xasprintf( > - "inport == %s && (ip4.dst == "IP_FMT" || ip4.dst == "IP_FMT") > && " > + "(ip4.dst == "IP_FMT" || ip4.dst == "IP_FMT") && " > "icmp4.type == 8 && icmp4.code == 0", > - op->json_key, IP_ARGS(op->ip), IP_ARGS(op->bcast)); > + IP_ARGS(op->ip), IP_ARGS(op->bcast)); > char *actions = xasprintf( > "ip4.dst = ip4.src; " > "ip4.src = "IP_FMT"; " > diff --git a/tests/ovn.at b/tests/ovn.at > index e6ac1d7..31e9b96 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at 
> @@ -2611,3 +2611,178 @@ OVS_APP_EXIT_AND_WAIT([ovs-vswitchd]) > OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > > AT_CLEANUP > + > +AT_SETUP([ovn -- icmp_reply: 1 HVs, 2 LSs, 1 lport/LS, 1 LR]) > +AT_KEYWORDS([router-icmp-reply]) > +AT_SKIP_IF([test $HAVE_PYTHON = no]) > +ovn_start > + > +# Logical network: > +# One LR - R1 has switch ls1 (191.168.1.0/24) connected to it, > +# and has switch ls2 (172.16.1.0/24) connected to it. > + > +ovn-nbctl create Logical_Router name=R1 > + > +ovn-nbctl lswitch-add ls1 > +ovn-nbctl lswitch-add ls2 > + > +# Connect ls1 to R1 > +ovn-nbctl -- --id=@lrp create Logical_Router_port name=ls1 \ > +network=192.168.1.1/24 mac=\"00:00:00:01:02:f1\" -- add Logical_Router > R1 \ > +ports @lrp -- lport-add ls1 rp-ls1 > + > +ovn-nbctl set Logical_port rp-ls1 type=router options:router-port=ls1 \ > +addresses=\"00:00:00:01:02:f1\" > + > +# Connect ls2 to R1 > +ovn-nbctl -- --id=@lrp create Logical_Router_port name=ls2 \ > +network=172.16.1.1/24 mac=\"00:00:00:01:02:f2\" -- add Logical_Router R1 > \ > +ports @lrp -- lport-add ls2 rp-ls2 > + > +ovn-nbctl set Logical_port rp-ls2 type=router options:router-port=ls2 \ > +addresses=\"00:00:00:01:02:f2\" > + > +# Create logical port ls1-lp1 in ls1 > +ovn-nbctl lport-add ls1 ls1-lp1 \ > +-- lport-set-addresses ls1-lp1 "00:00:00:01:02:03 192.168.1.2" > + > +# Create logical port ls2-lp1 in ls2 > +ovn-nbctl lport-add ls2 ls2-lp1 \ > +-- lport-set-addresses ls2-lp1 "00:00:00:01:02:04 172.16.1.2" > + > +# Create one hypervisor and create OVS ports corresponding to logical > ports. 
> +net_add n1 > + > +sim_add hv1 > +as hv1 > +ovs-vsctl add-br br-phys > +ovn_attach n1 br-phys 192.168.0.1 > +ovs-vsctl -- add-port br-int vif1 -- \ > + set interface vif1 external-ids:iface-id=ls1-lp1 \ > + options:tx_pcap=hv1/vif1-tx.pcap \ > + options:rxq_pcap=hv1/vif1-rx.pcap \ > + ofport-request=1 > + > +ovs-vsctl -- add-port br-int vif2 -- \ > + set interface vif2 external-ids:iface-id=ls2-lp1 \ > + options:tx_pcap=hv1/vif2-tx.pcap \ > + options:rxq_pcap=hv1/vif2-rx.pcap \ > + ofport-request=1 > + > + > +# Allow some time for ovn-northd and ovn-controller to catch up. > +# XXX This should be more systematic. > +sleep 1 > + > + > +ip_to_hex() { > + printf "%02x%02x%02x%02x" "$@" > +} > +trim_zeros() { > + sed 's/\(00\)\{1,\}$//' > +} > +for i in 1 2; do > + : > vif$i.expected > +done > +# test_ipv4_icmp_request INPORT ETH_SRC ETH_DST IPV4_SRC IPV4_DST > IP_CHKSUM ICMP_CHKSUM [EXP_IP_CHKSUM EXP_ICMP_CHKSUM] > +# > +# Causes a packet to be received on INPORT. The packet is an ICMPv4 > +# request with ETH_SRC, ETH_DST, IPV4_SRC, IPV4_DST, IP_CHSUM and > +# ICMP_CHKSUM as specified. If EXP_IP_CHKSUM and EXP_ICMP_CHKSUM are > +# provided, then it should be the ip and icmp checksums of the packet > +# responded; otherwise, no reply is expected. > +# In the absence of an ip checksum calculation helpers, this relies > +# on the caller to provide the checksums for the ip and icmp headers. > +# XXX This should be more systematic. > +# > +# INPORT is an lport number, e.g. 11 for vif11. > +# ETH_SRC and ETH_DST are each 12 hex digits. > +# IPV4_SRC and IPV4_DST are each 8 hex digits. > +# IP_CHSUM and ICMP_CHKSUM are each 4 hex digits. > +# EXP_IP_CHSUM and EXP_ICMP_CHKSUM are each 4 hex digits. 
> +test_ipv4_icmp_request() { > + local inport=$1 eth_src=$2 eth_dst=$3 ipv4_src=$4 ipv4_dst=$5 > ip_chksum=$6 icmp_chksum=$7 > + local exp_ip_chksum=$8 exp_icmp_chksum=$9 > + shift; shift; shift; shift; shift; shift; shift > + shift; shift > + > + # Use ttl to exercise section 4.2.2.9 of RFC1812 > + local ip_ttl=01 > + local icmp_id=5fbf > + local icmp_seq=0001 > + local icmp_data=$(seq 1 56 | xargs printf "%02x") > + local icmp_type_code_request=0800 > + local > icmp_payload=${icmp_type_code_request}${icmp_chksum}${icmp_id}${icmp_seq}${icmp_data} > + local > packet=${eth_dst}${eth_src}08004500005400004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst}${icmp_payload} > + > + as hv1 ovs-appctl netdev-dummy/receive vif$inport $packet > + if test X$exp_icmp_chksum != X; then > + # Expect to receive the reply, if any. In same port where packet > was sent. > + # Note: src and dst fields are expected to be reversed. > + local icmp_type_code_response=0000 > + local reply_icmp_ttl=fe > + local > reply_icmp_payload=${icmp_type_code_response}${exp_icmp_chksum}${icmp_id}${icmp_seq}${icmp_data} > + local > reply=${eth_src}${eth_dst}08004500005400004000${reply_icmp_ttl}01${exp_ip_chksum}${ipv4_dst}${ipv4_src}${reply_icmp_payload} > + echo $reply >> vif$inport.expected > + fi > +} > + > +# Send ping packet to router's ip addresses, from each of the 2 logical > ports. 
> +rtr_l1_ip=$(ip_to_hex 192 168 1 1) > +rtr_l2_ip=$(ip_to_hex 172 16 1 1) > +l1_ip=$(ip_to_hex 192 168 1 2) > +l2_ip=$(ip_to_hex 172 16 1 2) > + > +# Ping router ip address that is on same subnet as the logical port > +test_ipv4_icmp_request 1 000000010203 0000000102f1 $l1_ip $rtr_l1_ip 0000 > 8510 02ff 8d10 > +test_ipv4_icmp_request 2 000000010204 0000000102f2 $l2_ip $rtr_l2_ip 0000 > 8510 02ff 8d10 > + > +# Ping router ip address that is on the other side of the logical ports > +test_ipv4_icmp_request 1 000000010203 0000000102f1 $l1_ip $rtr_l2_ip 0000 > 8510 02ff 8d10 > +test_ipv4_icmp_request 2 000000010204 0000000102f2 $l2_ip $rtr_l1_ip 0000 > 8510 02ff 8d10 > + > +echo "---------NB dump-----" > +ovn-nbctl show > +echo "---------------------" > +ovn-nbctl list logical_router > +echo "---------------------" > +ovn-nbctl list logical_router_port > +echo "---------------------" > + > +echo "---------SB dump-----" > +ovn-sbctl list datapath_binding > +echo "---------------------" > +ovn-sbctl list logical_flow > +echo "---------------------" > + > +echo "------ hv1 dump ----------" > +as hv1 ovs-ofctl dump-flows br-int > + > +# Now check the packets actually received against the ones expected. 
> +for inport in 1 2; do > + file=hv1/vif${inport}-tx.pcap > + echo $file > + $PYTHON "$top_srcdir/utilities/ovs-pcap.in" $file | trim_zeros > > received.packets > + cat vif$inport.expected | trim_zeros > expout > + AT_CHECK([cat received.packets], [0], [expout]) > +done > + > +as hv1 > +OVS_APP_EXIT_AND_WAIT([ovn-controller]) > +OVS_APP_EXIT_AND_WAIT([ovs-vswitchd]) > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > + > +as ovn-sb > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > + > +as ovn-nb > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > + > +as northd > +OVS_APP_EXIT_AND_WAIT([ovn-northd]) > + > +as main > +OVS_APP_EXIT_AND_WAIT([ovs-vswitchd]) > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > + > +AT_CLEANUP > -- > 1.9.1 > > _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
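Review bot: vif2 is added with `ofport-request=1`, the same value already requested for vif1 in the hypervisor setup just above it; request `ofport-request=2` for vif2 so the two interfaces do not ask for the same OpenFlow port. The topology comment at the top of the test gives ls1 as 191.168.1.0/24 while the router port is created with `network=192.168.1.1/24`, so the comment should read 192.168.1.0/24. All four `test_ipv4_icmp_request` calls pass 0000 as the request IP checksum and expect 02ff in the reply, although the source and destination addresses differ between the calls; an IP header checksum depends on the addresses, so 02ff cannot be the valid header checksum for all four replies, and the test never sends a request with a valid IP checksum. Computing the IP and ICMP checksums inside the helper (the XXX comment in its description already notes the gap) would let the test send valid requests and check valid replies. The fixed `sleep 1` before the packets are injected is a likely source of intermittent failures on a slow machine, and the nine separate `shift` calls in the helper can go, since nothing reads the positional parameters after the locals are assigned.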