Fix no ACCEPT event can get for security group logging
Currently, we cannot get ACCEPT packet logs because some changes were made to the ovs firewall code after ovs firewall logging was merged. From a performance perspective, we only log the first accepted packet, so we only need to forward the first accepted packet of each connection session to table 91 and table 92. This patch fixes these issues. Closes-Bug: #1782576 Change-Id: Ib6ced838a7ec6d5c459a8475318556001c31bdf0
parent
1779a86712
commit
ced78395a7
|
@ -207,25 +207,25 @@ solicitation and neighbour advertisement.
|
|||
|
||||
::
|
||||
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=130 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=131 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=132 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=135 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=136 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=130 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=131 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=132 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=135 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=136 actions=resubmit(,91)
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=130 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=131 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=132 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=135 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=136 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=130 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=131 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=132 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=135 actions=NORMAL
|
||||
table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=136 actions=NORMAL
|
||||
|
||||
Following rules implement arp spoofing protection
|
||||
|
||||
::
|
||||
|
||||
table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,arp_spa=192.168.0.1 actions=resubmit(,91)
|
||||
table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:8c:84:13,arp_spa=10.0.0.1 actions=resubmit(,91)
|
||||
table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,arp_spa=192.168.0.2 actions=resubmit(,91)
|
||||
table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:8c:84:14,arp_spa=10.1.0.0/24 actions=resubmit(,91)
|
||||
table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,arp_spa=192.168.0.1 actions=NORMAL
|
||||
table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:8c:84:13,arp_spa=10.0.0.1 actions=NORMAL
|
||||
table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,arp_spa=192.168.0.2 actions=NORMAL
|
||||
table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:8c:84:14,arp_spa=10.1.0.0/24 actions=NORMAL
|
||||
|
||||
DHCP and DHCPv6 traffic is allowed to instance but DHCP servers are blocked on
|
||||
instances.
|
||||
|
@ -288,10 +288,10 @@ allowed.
|
|||
|
||||
::
|
||||
|
||||
table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=resubmit(,91)
|
||||
table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=resubmit(,91)
|
||||
table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=resubmit(,91)
|
||||
table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=resubmit(,91)
|
||||
table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
|
||||
table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=NORMAL
|
||||
table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
|
||||
table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=NORMAL
|
||||
|
||||
In the following flows are marked established connections that weren't matched
|
||||
in the previous flows, which means they don't have accepting security group
|
||||
|
@ -317,8 +317,8 @@ remaining egress connections are sent to normal switching.
|
|||
table=73, priority=100,reg6=0x284,dl_dst=fa:16:3e:8c:84:14 actions=load:0x2->NXM_NX_REG5[],resubmit(,81)
|
||||
table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91)
|
||||
table=73, priority=90,ct_state=+new-est,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91)
|
||||
table=73, priority=80,reg5=0x1 actions=resubmit(,91)
|
||||
table=73, priority=80,reg5=0x2 actions=resubmit(,91)
|
||||
table=73, priority=80,reg5=0x1 actions=NORMAL
|
||||
table=73, priority=80,reg5=0x2 actions=NORMAL
|
||||
table=73, priority=0 actions=drop
|
||||
|
||||
``table 81`` is similar to ``table 71``, allows basic ingress traffic for
|
||||
|
@ -328,22 +328,22 @@ port. Not tracked packets are sent to obtain conntrack information.
|
|||
|
||||
::
|
||||
|
||||
table=81, priority=100,arp,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=81, priority=100,arp,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=130 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=131 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=132 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=135 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=136 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=130 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=131 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=132 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=135 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=136 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=81, priority=100,arp,reg5=0x1 actions=strip_vlan,output:1
|
||||
table=81, priority=100,arp,reg5=0x2 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=130 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=131 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=132 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=135 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x1,icmp_type=136 actions=strip_vlan,output:1
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=130 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=131 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=132 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=135 actions=strip_vlan,output:2
|
||||
table=81, priority=100,icmp6,reg5=0x2,icmp_type=136 actions=strip_vlan,output:2
|
||||
table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1
|
||||
table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1
|
||||
table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2
|
||||
table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=strip_vlan,output:2
|
||||
table=81, priority=90,ct_state=-trk,ip,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
|
||||
table=81, priority=90,ct_state=-trk,ipv6,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
|
||||
table=81, priority=90,ct_state=-trk,ip,reg5=0x2 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
|
||||
|
@ -368,7 +368,7 @@ them.
|
|||
table=82, priority=71,ct_state=+new-est,ip,reg6=0x284,nw_src=10.0.0.1 actions=conjunction(19,1/2)
|
||||
table=82, priority=71,ct_state=+est-rel-rpl,icmp,reg5=0x2 actions=conjunction(18,2/2)
|
||||
table=82, priority=71,ct_state=+new-est,icmp,reg5=0x2 actions=conjunction(19,2/2)
|
||||
table=82, priority=71,conj_id=18,ct_state=+est-rel-rpl,ip,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=82, priority=71,conj_id=18,ct_state=+est-rel-rpl,ip,reg5=0x2 actions=strip_vlan,output:2
|
||||
table=82, priority=71,conj_id=19,ct_state=+new-est,ip,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:2,resubmit(,92)
|
||||
table=82, priority=50,ct_state=+inv+trk actions=resubmit(,93)
|
||||
|
||||
|
@ -437,10 +437,10 @@ same as in ``table 72``.
|
|||
|
||||
table=82, priority=50,ct_mark=0x1,reg5=0x1 actions=resubmit(,93)
|
||||
table=82, priority=50,ct_mark=0x1,reg5=0x2 actions=resubmit(,93)
|
||||
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92)
|
||||
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92)
|
||||
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1
|
||||
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2
|
||||
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1
|
||||
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2
|
||||
table=82, priority=40,ct_state=-est,reg5=0x1 actions=resubmit(,93)
|
||||
table=82, priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
|
||||
table=82, priority=40,ct_state=-est,reg5=0x2 actions=resubmit(,93)
|
||||
|
@ -468,6 +468,8 @@ receives copies of those packets and therefore default action is ``drop``.
|
|||
Finally, packets sent to ``table 93`` were filtered by the firewall and should
|
||||
be dropped. Default action is ``drop`` in this table.
|
||||
|
||||
In regard to the performance perspective, please note that only the first accepted
|
||||
packet of each connection session will go to ``table 91`` and ``table 92``.
|
||||
|
||||
Future work
|
||||
-----------
|
||||
|
|
|
@ -709,8 +709,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
|
||||
def _initialize_egress_no_port_security(self, port_id):
|
||||
|
@ -744,9 +743,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
|
||||
priority=80,
|
||||
reg_port=ovs_port.ofport,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
|
||||
actions='normal'
|
||||
)
|
||||
|
||||
def _remove_egress_no_port_security(self, port_id):
|
||||
|
@ -781,8 +778,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
dl_src=mac_addr,
|
||||
dl_type=constants.ETHERTYPE_ARP,
|
||||
arp_spa=ip_addr,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
self._add_flow(
|
||||
table=ovs_consts.BASE_EGRESS_TABLE,
|
||||
|
@ -897,8 +893,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
|
||||
priority=80,
|
||||
reg_port=port.ofport,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
|
||||
def _initialize_tracked_egress(self, port):
|
||||
|
@ -929,8 +924,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
ct_mark=ovsfw_consts.CT_MARK_NORMAL,
|
||||
reg_port=port.ofport,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE)
|
||||
actions='normal'
|
||||
)
|
||||
self._add_flow(
|
||||
table=ovs_consts.RULES_EGRESS_TABLE,
|
||||
|
@ -961,9 +955,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=icmp_type,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
|
||||
def _initialize_ingress(self, port):
|
||||
|
@ -973,9 +965,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
priority=100,
|
||||
dl_type=constants.ETHERTYPE_ARP,
|
||||
reg_port=port.ofport,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
self._initialize_ingress_ipv6_icmp(port)
|
||||
|
||||
|
@ -991,9 +981,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
nw_proto=lib_const.PROTO_NUM_UDP,
|
||||
tp_src=src_port,
|
||||
tp_dst=dst_port,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
|
||||
# Track untracked
|
||||
|
@ -1043,9 +1031,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
ct_state=state,
|
||||
ct_mark=ovsfw_consts.CT_MARK_NORMAL,
|
||||
ct_zone=port.vlan_tag,
|
||||
actions='output:{:d},resubmit(,{:d})'.format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
self._add_flow(
|
||||
table=ovs_consts.RULES_INGRESS_TABLE,
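Review bot: The flows switched to `actions='normal'` and `actions='output:{:d}'` in these hunks (ICMPv6, ARP, the UDP source/destination-port flows, the `ct_mark=CT_MARK_NORMAL` flows and the priority-80 flows in `ACCEPT_OR_INGRESS_TABLE`) no longer pass through the accepted-traffic tables, so packets accepted by them will presumably produce no ACCEPT log event at all, and nothing in the code says this is intended. Anyone using these logs as an audit trail should know that only the first packet of a tracked connection is recorded. A comment at each site would make that explicit, for example `# Not resubmitted to the ACCEPTED_*_TRAFFIC_TABLE: only the first packet of a new connection is logged.` The enclosing `_add_flow` calls and their methods begin outside the hunks, so the full match of each flow is not visible here.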
|
||||
|
|
|
@ -201,9 +201,7 @@ def populate_flow_common(direction, flow_template, port):
|
|||
"""Initialize common flow fields."""
|
||||
if direction == n_consts.INGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
||||
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
flow_template['actions'] = "output:{:d}".format(port.ofport)
|
||||
elif direction == n_consts.EGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
||||
# Traffic can be both ingress and egress, check that no ingress rules
|
||||
|
@ -332,8 +330,11 @@ def create_accept_flows(flow):
|
|||
flow['ct_state'] = CT_STATES[1]
|
||||
if flow['table'] == ovs_consts.RULES_INGRESS_TABLE:
|
||||
flow['actions'] = (
|
||||
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format(
|
||||
ovsfw_consts.REG_NET, flow['actions']))
|
||||
'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},'
|
||||
'resubmit(,{:d})'.format(
|
||||
ovsfw_consts.REG_NET, flow['actions'],
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
)
|
||||
result.append(flow)
|
||||
return result
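Review bot: In `create_accept_flows` the `resubmit(,{:d})` to `ACCEPTED_INGRESS_TRAFFIC_TABLE` is now appended only on the flow whose `ct_state` is `CT_STATES[1]`, and the reason is not stated in the code. A short comment above the `if` would help, for example `# Only the committing (new-connection) flow is resubmitted to the accepted-ingress table, so logging sees one packet per connection.` The expression also relies on the two adjacent string literals being joined before `.format` is applied; that is correct but easy to break when editing, so a single literal or a named template would be clearer. The function starts outside the hunk, so the meaning of `CT_STATES[1]` is inferred from the test assertions rather than seen here.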
|
||||
|
||||
|
|
|
@ -332,8 +332,7 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver):
|
|||
self.delete_port_flows_log(of_port_log, log_id)
|
||||
|
||||
def _log_accept_flow(self, **flow):
|
||||
# log first packet
|
||||
flow['ct_state'] = ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED
|
||||
# log first accepted packet
|
||||
flow['table'] = OVS_FW_TO_LOG_TABLES[flow['table']]
|
||||
flow['actions'] = 'controller'
|
||||
self._add_flow(**flow)
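Review bot: `_log_accept_flow` now installs a `controller` action with no `ct_state` match, so every packet that reaches the log table is sent to the controller, and the one-packet-per-connection limit depends entirely on which flows elsewhere resubmit to that table. If a later change resubmits established traffic there, the agent would receive a packet-in for every packet of the connection. I would record that dependency in the comment, for example `# Every packet reaching this table is logged; the firewall flows must resubmit only the first accepted packet of a connection.` Whether the `ct_state` match could be kept as a second guard is not clear from this hunk, since its removal may be part of the fix.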
|
||||
|
|
|
@ -185,8 +185,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||
rule = {'protocol': constants.PROTO_NUM_TCP}
|
||||
expected_flows = [{
|
||||
'table': ovs_consts.RULES_INGRESS_TABLE,
|
||||
'actions': 'output:1,resubmit(,%d)' % (
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
'actions': 'output:1',
|
||||
'nw_proto': constants.PROTO_NUM_TCP,
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
|
@ -392,12 +391,12 @@ class TestCreateConjFlows(base.BaseTestCase):
|
|||
flows[0]['ct_state'])
|
||||
self.assertEqual(ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
|
||||
flows[1]['ct_state'])
|
||||
self.assertEqual("output:{:d},resubmit(,{:d})".format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
self.assertEqual("output:{:d}".format(port.ofport),
|
||||
flows[0]['actions'])
|
||||
self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}".format(
|
||||
ovsfw_consts.REG_NET, flows[0]['actions']),
|
||||
self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},"
|
||||
"resubmit(,{:d})".format(
|
||||
ovsfw_consts.REG_NET, flows[0]['actions'],
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE),
|
||||
flows[1]['actions'])
|
||||
|
||||
for f in flows:
|
||||
|
|
|
@ -18,7 +18,6 @@ from neutron_lib import constants
|
|||
from oslo_config import cfg
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||
from neutron.common import constants as n_const
|
||||
from neutron.objects.logapi import logging_resource as log_object
|
||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
|
||||
|
@ -174,7 +173,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
|
|||
mock.call(
|
||||
actions='controller',
|
||||
cookie=accept_cookie.id,
|
||||
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
|
||||
reg5=self.port_ofport,
|
||||
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
|
||||
nw_proto=constants.PROTO_NUM_TCP,
|
||||
|
@ -185,7 +183,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
|
|||
mock.call(
|
||||
actions='controller',
|
||||
cookie=accept_cookie.id,
|
||||
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
|
||||
reg5=self.port_ofport,
|
||||
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IPV6),
|
||||
priority=70,
|
||||
|
@ -195,7 +192,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
|
|||
mock.call(
|
||||
actions='controller',
|
||||
cookie=accept_cookie.id,
|
||||
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
|
||||
reg5=self.port_ofport,
|
||||
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
|
||||
nw_proto=constants.PROTO_NUM_UDP,
|
||||
|
@ -273,7 +269,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
|
|||
mock.call(
|
||||
actions='controller',
|
||||
cookie=accept_cookie.id,
|
||||
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
|
||||
reg5=self.port_ofport,
|
||||
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
|
||||
nw_proto=constants.PROTO_NUM_TCP,
|
||||
|
|