Modify SG flows which let packets of relative connections pass

In current implement, SG flows don't match packets with both new and rel CT flag, or packets with both est and rel CT flag, so those packets will be dropped. This patch will fix this problem. Change-Id: I5b725742bacc48a7d9e5597fcc1f67e786ee5c0d Closes-Bug: #1586369 (cherry picked from commit 231633a652)
2016-05-28 14:35:44 +08:00 · 2016-05-28 14:35:44 +08:00 · 232722dfa3
parent 002f0424a9
commit 232722dfa3
2 changed files with 64 additions and 15 deletions
--- a/dragonflow/controller/sg_app.py
+++ b/dragonflow/controller/sg_app.py
@ -716,6 +716,7 @@ class SGApp(DFlowApp):
            goto_table_id = const.SERVICES_CLASSIFICATION_TABLE

        parser = self.get_datapath().ofproto_parser
+        ofproto = self.get_datapath().ofproto

        # defaults of sg-table to drop packet
        drop_inst = None
@ -739,9 +740,11 @@ class SGApp(DFlowApp):
             match=match)

        # rel state, pass
-        match = parser.OFPMatch(ct_state=(const.CT_STATE_TRK |
-                                          const.CT_STATE_REL,
-                                          SG_CT_STATE_MASK))
+        ct_related_not_new_flag = const.CT_STATE_TRK | const.CT_STATE_REL
+        ct_related_mask = const.CT_STATE_TRK | const.CT_STATE_REL | \
+            const.CT_STATE_NEW | const.CT_STATE_INV
+        match = parser.OFPMatch(ct_state=(ct_related_not_new_flag,
+                                          ct_related_mask))
        self.mod_flow(
             self.get_datapath(),
             inst=goto_inst,
@ -749,6 +752,28 @@ class SGApp(DFlowApp):
             priority=const.PRIORITY_CT_STATE,
             match=match)

+        ct_related_new_flag = const.CT_STATE_TRK | const.CT_STATE_REL | \
+            const.CT_STATE_NEW
+        match = parser.OFPMatch(eth_type=ether.ETH_TYPE_IP,
+                                ct_state=(ct_related_new_flag,
+                                          ct_related_mask))
+        actions = [parser.NXActionCT(actions=[],
+                                     alg=0,
+                                     flags=const.CT_FLAG_COMMIT,
+                                     recirc_table=goto_table_id,
+                                     zone_ofs_nbits=15,
+                                     zone_src=const.CT_ZONE_REG)]
+        action_inst = self.get_datapath(). \
+            ofproto_parser.OFPInstructionActions(
+            ofproto.OFPIT_APPLY_ACTIONS, actions)
+        inst = [action_inst]
+        self.mod_flow(
+             self.get_datapath(),
+             inst=inst,
+             table_id=table_id,
+             priority=const.PRIORITY_CT_STATE,
+             match=match)
+
        # inv state, drop
        invalid_ct_state_flag = const.CT_STATE_TRK | const.CT_STATE_INV
        match = parser.OFPMatch(ct_state=(invalid_ct_state_flag,
--- a/dragonflow/tests/fullstack/test_sg_flows.py
+++ b/dragonflow/tests/fullstack/test_sg_flows.py
@ -74,10 +74,24 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
            flow=flow, direction=direction,
            ct_state_match='-new+est-rel-inv+trk')

-    def _is_conntrack_relative_pass_flow(self, flow, direction):
+    def _is_conntrack_relative_not_new_pass_flow(self, flow, direction):
        return self._is_conntrack_pass_flow(
            flow=flow, direction=direction,
-            ct_state_match='-new-est+rel-inv+trk')
+            ct_state_match='-new+rel-inv+trk')
+
+    def _is_conntrack_relative_new_pass_flow(self, flow, direction):
+        if direction == 'ingress':
+            table = const.INGRESS_SECURITY_GROUP_TABLE
+        else:
+            table = const.EGRESS_SECURITY_GROUP_TABLE
+
+        if (flow['table'] == str(table)) and \
+                (flow['priority'] == str(const.PRIORITY_CT_STATE)) and \
+                ('+new+rel-inv+trk' in flow['match']) and \
+                ('ct(commit,table' in flow['actions']):
+            return True
+
+        return False

    def _is_conntrack_invalid_drop_flow(self, flow, direction):
        if direction == 'ingress':
@ -187,8 +201,10 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
        found_egress_default_drop_flow = False
        found_ingress_conntrack_established_pass_flow = False
        found_egress_conntrack_established_pass_flow = False
-        found_ingress_conntrack_relative_pass_flow = False
-        found_egress_conntrack_relative_pass_flow = False
+        found_ingress_conntrack_relative_not_new_pass_flow = False
+        found_egress_conntrack_relative_not_new_pass_flow = False
+        found_ingress_conntrack_relative_new_pass_flow = False
+        found_egress_conntrack_relative_new_pass_flow = False
        found_ingress_conntrack_invalied_drop_flow = False
        found_egress_conntrack_invalied_drop_flow = False

@ -209,12 +225,18 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
            elif self._is_conntrack_established_pass_flow(flow=flow,
                                                          direction='egress'):
                found_egress_conntrack_established_pass_flow = True
-            elif self._is_conntrack_relative_pass_flow(flow=flow,
-                                                       direction='ingress'):
-                found_ingress_conntrack_relative_pass_flow = True
-            elif self._is_conntrack_relative_pass_flow(flow=flow,
-                                                       direction='egress'):
-                found_egress_conntrack_relative_pass_flow = True
+            elif self._is_conntrack_relative_not_new_pass_flow(
+                    flow=flow, direction='ingress'):
+                found_ingress_conntrack_relative_not_new_pass_flow = True
+            elif self._is_conntrack_relative_not_new_pass_flow(
+                    flow=flow, direction='egress'):
+                found_egress_conntrack_relative_not_new_pass_flow = True
+            elif self._is_conntrack_relative_new_pass_flow(
+                    flow=flow, direction='ingress'):
+                found_ingress_conntrack_relative_new_pass_flow = True
+            elif self._is_conntrack_relative_new_pass_flow(
+                    flow=flow, direction='egress'):
+                found_egress_conntrack_relative_new_pass_flow = True
            elif self._is_conntrack_invalid_drop_flow(flow=flow,
                                                      direction='ingress'):
                found_ingress_conntrack_invalied_drop_flow = True
@ -230,8 +252,10 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
        self.assertTrue(found_egress_default_drop_flow)
        self.assertTrue(found_ingress_conntrack_established_pass_flow)
        self.assertTrue(found_egress_conntrack_established_pass_flow)
-        self.assertTrue(found_ingress_conntrack_relative_pass_flow)
-        self.assertTrue(found_egress_conntrack_relative_pass_flow)
+        self.assertTrue(found_ingress_conntrack_relative_not_new_pass_flow)
+        self.assertTrue(found_egress_conntrack_relative_not_new_pass_flow)
+        self.assertTrue(found_ingress_conntrack_relative_new_pass_flow)
+        self.assertTrue(found_egress_conntrack_relative_new_pass_flow)
        self.assertTrue(found_ingress_conntrack_invalied_drop_flow)
        self.assertTrue(found_egress_conntrack_invalied_drop_flow)