Modify SG flows which let packets of relative connections pass
In the current implementation, SG flows do not match packets carrying both the new
and rel CT flags, or both the est and rel CT flags, so
those packets are dropped. This patch fixes that.
Change-Id: I5b725742bacc48a7d9e5597fcc1f67e786ee5c0d
Closes-Bug: #1586369
(cherry picked from commit 231633a652
)
This commit is contained in:
parent
002f0424a9
commit
232722dfa3
|
@ -716,6 +716,7 @@ class SGApp(DFlowApp):
|
|||
goto_table_id = const.SERVICES_CLASSIFICATION_TABLE
|
||||
|
||||
parser = self.get_datapath().ofproto_parser
|
||||
ofproto = self.get_datapath().ofproto
|
||||
|
||||
# defaults of sg-table to drop packet
|
||||
drop_inst = None
|
||||
|
@ -739,9 +740,11 @@ class SGApp(DFlowApp):
|
|||
match=match)
|
||||
|
||||
# rel state, pass
|
||||
match = parser.OFPMatch(ct_state=(const.CT_STATE_TRK |
|
||||
const.CT_STATE_REL,
|
||||
SG_CT_STATE_MASK))
|
||||
ct_related_not_new_flag = const.CT_STATE_TRK | const.CT_STATE_REL
|
||||
ct_related_mask = const.CT_STATE_TRK | const.CT_STATE_REL | \
|
||||
const.CT_STATE_NEW | const.CT_STATE_INV
|
||||
match = parser.OFPMatch(ct_state=(ct_related_not_new_flag,
|
||||
ct_related_mask))
|
||||
self.mod_flow(
|
||||
self.get_datapath(),
|
||||
inst=goto_inst,
|
||||
|
@ -749,6 +752,28 @@ class SGApp(DFlowApp):
|
|||
priority=const.PRIORITY_CT_STATE,
|
||||
match=match)
|
||||
|
||||
ct_related_new_flag = const.CT_STATE_TRK | const.CT_STATE_REL | \
|
||||
const.CT_STATE_NEW
|
||||
match = parser.OFPMatch(eth_type=ether.ETH_TYPE_IP,
|
||||
ct_state=(ct_related_new_flag,
|
||||
ct_related_mask))
|
||||
actions = [parser.NXActionCT(actions=[],
|
||||
alg=0,
|
||||
flags=const.CT_FLAG_COMMIT,
|
||||
recirc_table=goto_table_id,
|
||||
zone_ofs_nbits=15,
|
||||
zone_src=const.CT_ZONE_REG)]
|
||||
action_inst = self.get_datapath(). \
|
||||
ofproto_parser.OFPInstructionActions(
|
||||
ofproto.OFPIT_APPLY_ACTIONS, actions)
|
||||
inst = [action_inst]
|
||||
self.mod_flow(
|
||||
self.get_datapath(),
|
||||
inst=inst,
|
||||
table_id=table_id,
|
||||
priority=const.PRIORITY_CT_STATE,
|
||||
match=match)
|
||||
|
||||
# inv state, drop
|
||||
invalid_ct_state_flag = const.CT_STATE_TRK | const.CT_STATE_INV
|
||||
match = parser.OFPMatch(ct_state=(invalid_ct_state_flag,
|
||||
|
|
|
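Review bot: The +new+rel flow added in the third hunk commits the connection and recirculates straight to `recirc_table=goto_table_id` (SERVICES_CLASSIFICATION_TABLE), and the -new+rel flow in the second hunk goes the same way, so as far as these hunks show a packet conntrack flags as related is admitted on CT state alone without the security-group rules being consulted. That is the usual treatment for ICMP errors, but with `alg=0` it also trusts any expectation a kernel-side helper may have created if the host auto-assigns helpers, which deserves a comment above the commit flow such as `# Related conns (ICMP errors, helper expectations) bypass SG rules; relies on no ALG helper being auto-assigned on the host`. The commit flow also matches `eth_type=ether.ETH_TYPE_IP` only (the ct action needs an IP ethertype prerequisite), so an IPv6 +new+rel packet still falls to the default drop; if IPv6 is in scope an `ETH_TYPE_IPV6` twin is needed, otherwise say so in a comment. Minor: `action_inst` re-fetches `self.get_datapath().ofproto_parser` although `parser` is already bound two hunks up, `action_inst = parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)`. The enclosing method starts before the first hunk and continues past the last.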
@ -74,10 +74,24 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
|
|||
flow=flow, direction=direction,
|
||||
ct_state_match='-new+est-rel-inv+trk')
|
||||
|
||||
def _is_conntrack_relative_pass_flow(self, flow, direction):
|
||||
def _is_conntrack_relative_not_new_pass_flow(self, flow, direction):
|
||||
return self._is_conntrack_pass_flow(
|
||||
flow=flow, direction=direction,
|
||||
ct_state_match='-new-est+rel-inv+trk')
|
||||
ct_state_match='-new+rel-inv+trk')
|
||||
|
||||
def _is_conntrack_relative_new_pass_flow(self, flow, direction):
|
||||
if direction == 'ingress':
|
||||
table = const.INGRESS_SECURITY_GROUP_TABLE
|
||||
else:
|
||||
table = const.EGRESS_SECURITY_GROUP_TABLE
|
||||
|
||||
if (flow['table'] == str(table)) and \
|
||||
(flow['priority'] == str(const.PRIORITY_CT_STATE)) and \
|
||||
('+new+rel-inv+trk' in flow['match']) and \
|
||||
('ct(commit,table' in flow['actions']):
|
||||
return True
|
||||
|
||||
return False
|
||||
|
||||
def _is_conntrack_invalid_drop_flow(self, flow, direction):
|
||||
if direction == 'ingress':
|
||||
|
@ -187,8 +201,10 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
|
|||
found_egress_default_drop_flow = False
|
||||
found_ingress_conntrack_established_pass_flow = False
|
||||
found_egress_conntrack_established_pass_flow = False
|
||||
found_ingress_conntrack_relative_pass_flow = False
|
||||
found_egress_conntrack_relative_pass_flow = False
|
||||
found_ingress_conntrack_relative_not_new_pass_flow = False
|
||||
found_egress_conntrack_relative_not_new_pass_flow = False
|
||||
found_ingress_conntrack_relative_new_pass_flow = False
|
||||
found_egress_conntrack_relative_new_pass_flow = False
|
||||
found_ingress_conntrack_invalied_drop_flow = False
|
||||
found_egress_conntrack_invalied_drop_flow = False
|
||||
|
||||
|
@ -209,12 +225,18 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
|
|||
elif self._is_conntrack_established_pass_flow(flow=flow,
|
||||
direction='egress'):
|
||||
found_egress_conntrack_established_pass_flow = True
|
||||
elif self._is_conntrack_relative_pass_flow(flow=flow,
|
||||
direction='ingress'):
|
||||
found_ingress_conntrack_relative_pass_flow = True
|
||||
elif self._is_conntrack_relative_pass_flow(flow=flow,
|
||||
direction='egress'):
|
||||
found_egress_conntrack_relative_pass_flow = True
|
||||
elif self._is_conntrack_relative_not_new_pass_flow(
|
||||
flow=flow, direction='ingress'):
|
||||
found_ingress_conntrack_relative_not_new_pass_flow = True
|
||||
elif self._is_conntrack_relative_not_new_pass_flow(
|
||||
flow=flow, direction='egress'):
|
||||
found_egress_conntrack_relative_not_new_pass_flow = True
|
||||
elif self._is_conntrack_relative_new_pass_flow(
|
||||
flow=flow, direction='ingress'):
|
||||
found_ingress_conntrack_relative_new_pass_flow = True
|
||||
elif self._is_conntrack_relative_new_pass_flow(
|
||||
flow=flow, direction='egress'):
|
||||
found_egress_conntrack_relative_new_pass_flow = True
|
||||
elif self._is_conntrack_invalid_drop_flow(flow=flow,
|
||||
direction='ingress'):
|
||||
found_ingress_conntrack_invalied_drop_flow = True
|
||||
|
@ -230,8 +252,10 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
|
|||
self.assertTrue(found_egress_default_drop_flow)
|
||||
self.assertTrue(found_ingress_conntrack_established_pass_flow)
|
||||
self.assertTrue(found_egress_conntrack_established_pass_flow)
|
||||
self.assertTrue(found_ingress_conntrack_relative_pass_flow)
|
||||
self.assertTrue(found_egress_conntrack_relative_pass_flow)
|
||||
self.assertTrue(found_ingress_conntrack_relative_not_new_pass_flow)
|
||||
self.assertTrue(found_egress_conntrack_relative_not_new_pass_flow)
|
||||
self.assertTrue(found_ingress_conntrack_relative_new_pass_flow)
|
||||
self.assertTrue(found_egress_conntrack_relative_new_pass_flow)
|
||||
self.assertTrue(found_ingress_conntrack_invalied_drop_flow)
|
||||
self.assertTrue(found_egress_conntrack_invalied_drop_flow)
|
||||
|
||||
|
|
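Review bot: `_is_conntrack_relative_new_pass_flow` in the first hunk only checks `'ct(commit,table' in flow['actions']`, so a flow that commits but recirculates to the wrong table, or loses the zone, still satisfies the test; pinning the target table, e.g. `('ct(commit,table=%s,' % const.SERVICES_CLASSIFICATION_TABLE) in flow['actions']`, costs nothing (ovs-ofctl prints commit, then table, then zone, if I read its ct formatting correctly). The match check likewise does not assert the `ip` ethertype the application flow carries, so an accidental drop of `eth_type` would go unnoticed; something like `'ip,' in flow['match']` would catch it, assuming that is how the dump renders it. The pre-existing `invalied` spelling in the found_* flags is context here rather than part of the change, but the block is being touched anyway.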