We can't downgrade to OF1.0 and expect inconsistent CT actions be silently disgarded. Instead, datapath flow install fails, so it is better to flag inconsistent CT actions as hard errors.
Signed-off-by: Jarno Rajahalme <ja...@ovn.org> --- lib/ofp-actions.c | 7 +++++-- tests/ofproto-dpif.at | 40 ++++++++++++++++++++-------------------- tests/ovs-ofctl.at | 46 +++++++++++++++++++++++----------------------- 3 files changed, 48 insertions(+), 45 deletions(-) diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index f896f98..19e47fb 100644 --- a/lib/ofp-actions.c +++ b/lib/ofp-actions.c @@ -7033,7 +7033,10 @@ ofpact_check__(enum ofputil_protocol *usable_protocols, struct ofpact *a, if (!dl_type_is_ip_any(flow->dl_type) || (flow->ct_state & CS_INVALID && oc->flags & NX_CT_F_COMMIT) || (oc->alg == IPPORT_FTP && flow->nw_proto != IPPROTO_TCP)) { - inconsistent_match(usable_protocols); + /* We can't downgrade to OF1.0 and expect inconsistent CT actions + * be silently disgarded. Instead, datapath flow install fails, so + * it is better to flag inconsistent CT actions as hard errors. */ + return OFPERR_OFPBAC_MATCH_INCONSISTENT; } if (oc->zone_src.field) { @@ -7052,7 +7055,7 @@ ofpact_check__(enum ofputil_protocol *usable_protocols, struct ofpact *a, (on->range_af == AF_INET && flow->dl_type != htons(ETH_TYPE_IP)) || (on->range_af == AF_INET6 && flow->dl_type != htons(ETH_TYPE_IPV6))) { - inconsistent_match(usable_protocols); + return OFPERR_OFPBAC_MATCH_INCONSISTENT; } return 0; } diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at index e2b983f..7b5972d 100644 --- a/tests/ofproto-dpif.at +++ b/tests/ofproto-dpif.at @@ -8396,7 +8396,7 @@ add_of_ports br0 1 2 AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info]) AT_DATA([flows.txt], [dnl -ct_state=-trk,action=ct(table=0,zone=0) +ipv6,ct_state=-trk,action=ct(table=0,zone=0) ct_state=+trk,action=controller ]) @@ -8407,14 +8407,14 @@ AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl -P nxt_packet_in --detach --no AT_CHECK([ovs-appctl time/stop]) -AT_CHECK([ovs-appctl netdev-dummy/receive p2 'eth(src=80:88:88:88:88:88,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.0.1,tip=192.168.0.2,op=1,sha=50:54:00:00:00:05,tha=00:00:00:00:00:00)']) +AT_CHECK([ovs-appctl netdev-dummy/receive p2 '0060970769ea0000860580da86dd6000000000203afffe80000000000000020086fffe0580dafe80000000000000026097fffe0769ea870068bd00000000fe80000000000000026097fffe0769ea01010000860580da']) OVS_WAIT_UNTIL([test `wc -l < ofctl_monitor.log` -ge 1]) OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit]) AT_CHECK([cat ofctl_monitor.log], [0], [dnl -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=inv|trk,in_port=2 (via action) data_len=42 (unbuffered) -arp,vlan_tci=0x0000,dl_src=80:88:88:88:88:88,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=192.168.0.1,arp_tpa=192.168.0.2,arp_op=1,arp_sha=50:54:00:00:00:05,arp_tha=00:00:00:00:00:00 +NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=86 ct_state=inv|trk,in_port=2 (via action) data_len=86 (unbuffered) +icmp6,vlan_tci=0x0000,dl_src=00:00:86:05:80:da,dl_dst=00:60:97:07:69:ea,ipv6_src=fe80::200:86ff:fe05:80da,ipv6_dst=fe80::260:97ff:fe07:69ea,ipv6_label=0x00000,nw_tos=0,nw_ecn=0,nw_ttl=255,icmp_type=135,icmp_code=0,nd_target=fe80::260:97ff:fe07:69ea,nd_sll=00:00:86:05:80:da,nd_tll=00:00:00:00:00:00 icmp6_csum:68bd ]) OVS_VSWITCHD_STOP @@ -8545,8 +8545,8 @@ AT_DATA([flows.txt], [dnl dnl Table 0 dnl table=0,priority=100,arp,action=normal -table=0,priority=10,in_port=1,udp,action=ct(commit,table=1) -table=0,priority=10,in_port=2,action=ct(table=1) +table=0,priority=10,ip,in_port=1,udp,action=ct(commit,table=1) +table=0,priority=10,ip,in_port=2,action=ct(table=1) table=0,priority=1,action=drop dnl dnl Table 1 @@ -8596,12 +8596,12 @@ dnl Allow new connections on p1->p2. Allow only established connections p2->p1 AT_DATA([flows.txt], [dnl dnl Table 0 dnl -table=0,priority=100,arp,action=normal -table=0,priority=10,in_port=1,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_mark)),controller -table=0,priority=10,in_port=1,udp,tp_src=3,action=ct(commit,exec(set_field:3->ct_mark)),controller -table=0,priority=10,in_port=1,udp,tp_src=5,action=ct(commit,exec(set_field:5->ct_mark)),controller -table=0,priority=10,in_port=2,actions=ct(table=1) -table=0,priority=1,action=drop +table=0,arp,action=normal +table=0,ip,in_port=1,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_mark)),controller +table=0,ip,in_port=1,udp,tp_src=3,action=ct(commit,exec(set_field:3->ct_mark)),controller +table=0,ip,in_port=1,udp,tp_src=5,action=ct(commit,exec(set_field:5->ct_mark)),controller +table=0,ip,in_port=2,actions=ct(table=1) +table=0,priority=0,action=drop dnl dnl Table 1 dnl @@ -8657,10 +8657,10 @@ dnl Allow new connections on p1->p2. Allow only established connections p2->p1 AT_DATA([flows.txt], [dnl dnl Table 0 dnl -table=0,priority=100,arp,action=normal -table=0,priority=10,in_port=1,udp,tp_src=1,action=ct(commit,exec(set_field:000000000000000001->ct_label)) -table=0,priority=10,in_port=1,udp,tp_src=3,action=ct(commit,exec(set_field:000000000000000002->ct_label)) -table=0,priority=10,in_port=2,actions=ct(table=1) +table=0,arp,action=normal +table=0,ip,in_port=1,udp,tp_src=1,action=ct(commit,exec(set_field:000000000000000001->ct_label)) +table=0,ip,in_port=1,udp,tp_src=3,action=ct(commit,exec(set_field:000000000000000002->ct_label)) +table=0,ip,in_port=2,actions=ct(table=1) dnl dnl Table 1 dnl @@ -8714,10 +8714,10 @@ dnl subtables are visited, meaning consistent megaflows. dnl dnl Table 0 dnl -table=0,priority=100,arp,action=normal -table=0,priority=10,in_port=1,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_label)),2 -table=0,priority=10,in_port=2,actions=ct(table=1) -table=0,priority=1,action=drop +table=0,arp,action=normal +table=0,ip,in_port=1,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_label)),2 +table=0,ip,in_port=2,actions=ct(table=1) +table=0,priority=0,action=drop dnl dnl Table 1 dnl diff --git a/tests/ovs-ofctl.at b/tests/ovs-ofctl.at index da7b262..0e6b92c 100644 --- a/tests/ovs-ofctl.at +++ b/tests/ovs-ofctl.at @@ -190,23 +190,23 @@ sctp actions=drop in_port=0 actions=resubmit:0 actions=sample(probability=12345,collector_set_id=23456,obs_domain_id=34567,obs_point_id=45678) actions=sample(probability=12345,collector_set_id=23456,obs_domain_id=34567,obs_point_id=45678,sampling_port=56789) -actions=ct(nat) -actions=ct(commit,nat(dst)) -actions=ct(commit,nat(src)) -actions=ct(commit,nat(src=10.0.0.240,random)) -actions=ct(commit,nat(src=10.0.0.240:32768-65535,random)) -actions=ct(commit,nat(dst=10.0.0.128-10.0.0.254,hash)) -actions=ct(commit,nat(src=10.0.0.240-10.0.0.254:32768-65535,persistent)) -actions=ct(commit,nat(src=fe80::20c:29ff:fe88:a18b,random)) -actions=ct(commit,nat(src=fe80::20c:29ff:fe88:1-fe80::20c:29ff:fe88:a18b,random)) -actions=ct(commit,nat(src=[fe80::20c:29ff:fe88:1]-[fe80::20c:29ff:fe88:a18b]:255-4096,random)) -actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),alg=ftp) +ip,actions=ct(nat) +ip,actions=ct(commit,nat(dst)) +ip,actions=ct(commit,nat(src)) +ip,actions=ct(commit,nat(src=10.0.0.240,random)) +ip,actions=ct(commit,nat(src=10.0.0.240:32768-65535,random)) +ip,actions=ct(commit,nat(dst=10.0.0.128-10.0.0.254,hash)) +ip,actions=ct(commit,nat(src=10.0.0.240-10.0.0.254:32768-65535,persistent)) +ipv6,actions=ct(commit,nat(src=fe80::20c:29ff:fe88:a18b,random)) +ipv6,actions=ct(commit,nat(src=fe80::20c:29ff:fe88:1-fe80::20c:29ff:fe88:a18b,random)) +ipv6,actions=ct(commit,nat(src=[fe80::20c:29ff:fe88:1]-[fe80::20c:29ff:fe88:a18b]:255-4096,random)) +tcp,actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),alg=ftp) ]]) AT_CHECK([ovs-ofctl parse-flows flows.txt ], [0], [stdout]) AT_CHECK([[sed 's/ (xid=0x[0-9a-fA-F]*)//' stdout]], [0], -[[usable protocols: OpenFlow10,NXM +[[usable protocols: any chosen protocol: OpenFlow10-table_id OFPT_FLOW_MOD: ADD tcp,tp_src=123 actions=FLOOD OFPT_FLOW_MOD: ADD in_port=LOCAL,dl_vlan=9,dl_src=00:0a:e4:25:6b:b0 actions=drop @@ -221,17 +221,17 @@ OFPT_FLOW_MOD: ADD sctp actions=drop OFPT_FLOW_MOD: ADD in_port=0 actions=resubmit:0 OFPT_FLOW_MOD: ADD actions=sample(probability=12345,collector_set_id=23456,obs_domain_id=34567,obs_point_id=45678) OFPT_FLOW_MOD: ADD actions=sample(probability=12345,collector_set_id=23456,obs_domain_id=34567,obs_point_id=45678,sampling_port=56789) -OFPT_FLOW_MOD: ADD actions=ct(nat) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(dst)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(src)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(src=10.0.0.240,random)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(src=10.0.0.240:32768-65535,random)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(dst=10.0.0.128-10.0.0.254,hash)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(src=10.0.0.240-10.0.0.254:32768-65535,persistent)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(src=fe80::20c:29ff:fe88:a18b,random)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(src=fe80::20c:29ff:fe88:1-fe80::20c:29ff:fe88:a18b,random)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(src=[fe80::20c:29ff:fe88:1]-[fe80::20c:29ff:fe88:a18b]:255-4096,random)) -OFPT_FLOW_MOD: ADD actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),alg=ftp) +OFPT_FLOW_MOD: ADD ip actions=ct(nat) +OFPT_FLOW_MOD: ADD ip actions=ct(commit,nat(dst)) +OFPT_FLOW_MOD: ADD ip actions=ct(commit,nat(src)) +OFPT_FLOW_MOD: ADD ip actions=ct(commit,nat(src=10.0.0.240,random)) +OFPT_FLOW_MOD: ADD ip actions=ct(commit,nat(src=10.0.0.240:32768-65535,random)) +OFPT_FLOW_MOD: ADD ip actions=ct(commit,nat(dst=10.0.0.128-10.0.0.254,hash)) +OFPT_FLOW_MOD: ADD ip actions=ct(commit,nat(src=10.0.0.240-10.0.0.254:32768-65535,persistent)) +OFPT_FLOW_MOD: ADD ipv6 actions=ct(commit,nat(src=fe80::20c:29ff:fe88:a18b,random)) +OFPT_FLOW_MOD: ADD ipv6 actions=ct(commit,nat(src=fe80::20c:29ff:fe88:1-fe80::20c:29ff:fe88:a18b,random)) +OFPT_FLOW_MOD: ADD ipv6 actions=ct(commit,nat(src=[fe80::20c:29ff:fe88:1]-[fe80::20c:29ff:fe88:a18b]:255-4096,random)) +OFPT_FLOW_MOD: ADD tcp actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),alg=ftp) ]]) AT_CLEANUP -- 2.1.4 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev