diff --git a/dragonflow/controller/sg_app.py b/dragonflow/controller/sg_app.py
index 0698bac61..478d275a7 100644
--- a/dragonflow/controller/sg_app.py
+++ b/dragonflow/controller/sg_app.py
@@ -716,6 +716,7 @@ class SGApp(DFlowApp):
         goto_table_id = const.SERVICES_CLASSIFICATION_TABLE
         parser = self.get_datapath().ofproto_parser
+        ofproto = self.get_datapath().ofproto
         # defaults of sg-table to drop packet
         drop_inst = None
@@ -739,9 +740,11 @@ class SGApp(DFlowApp):
             match=match)
         # rel state, pass
-        match = parser.OFPMatch(ct_state=(const.CT_STATE_TRK |
-                                          const.CT_STATE_REL,
-                                          SG_CT_STATE_MASK))
+        ct_related_not_new_flag = const.CT_STATE_TRK | const.CT_STATE_REL
+        ct_related_mask = const.CT_STATE_TRK | const.CT_STATE_REL | \
+            const.CT_STATE_NEW | const.CT_STATE_INV
+        match = parser.OFPMatch(ct_state=(ct_related_not_new_flag,
+                                          ct_related_mask))
         self.mod_flow(
             self.get_datapath(),
             inst=goto_inst,
@@ -749,6 +752,28 @@ class SGApp(DFlowApp):
             priority=const.PRIORITY_CT_STATE,
             match=match)
+        ct_related_new_flag = const.CT_STATE_TRK | const.CT_STATE_REL | \
+            const.CT_STATE_NEW
+        match = parser.OFPMatch(eth_type=ether.ETH_TYPE_IP,
+                                ct_state=(ct_related_new_flag,
+                                          ct_related_mask))
+        actions = [parser.NXActionCT(actions=[],
+                                     alg=0,
+                                     flags=const.CT_FLAG_COMMIT,
+                                     recirc_table=goto_table_id,
+                                     zone_ofs_nbits=15,
+                                     zone_src=const.CT_ZONE_REG)]
+        action_inst = self.get_datapath(). \
+            ofproto_parser.OFPInstructionActions(
+                ofproto.OFPIT_APPLY_ACTIONS, actions)
+        inst = [action_inst]
+        self.mod_flow(
+            self.get_datapath(),
+            inst=inst,
+            table_id=table_id,
+            priority=const.PRIORITY_CT_STATE,
+            match=match)
+
         # inv state, drop
         invalid_ct_state_flag = const.CT_STATE_TRK | const.CT_STATE_INV
         match = parser.OFPMatch(ct_state=(invalid_ct_state_flag,
diff --git a/dragonflow/tests/fullstack/test_sg_flows.py b/dragonflow/tests/fullstack/test_sg_flows.py
index 6050f848e..8d3ea288f 100644
--- a/dragonflow/tests/fullstack/test_sg_flows.py
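Review bot: The new commit flow in the third hunk, `match = parser.OFPMatch(eth_type=ether.ETH_TYPE_IP, ct_state=(ct_related_new_flag, ct_related_mask))`, is restricted to IPv4, whereas the `-new+rel` pass flow in the previous hunk and the `+inv` drop flow below match any eth_type; if a related-but-new IPv6 connection can reach this table it appears to fall through to the default drop instead of being committed, so the asymmetry should either be fixed or stated in a comment. The block is also the only ct-state flow here without the sibling one-liner (`# rel state, pass`, `# inv state, drop`); `# rel+new state, commit the connection and pass` would fit, and `zone_ofs_nbits=15` is an unexplained literal that deserves a named constant or a comment saying what it encodes. Since `parser` is already bound two hunks up, `action_inst = parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)` builds the same instruction without the second `self.get_datapath()` call. The enclosing method begins before the first hunk and continues past the last.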
+++ b/dragonflow/tests/fullstack/test_sg_flows.py
@@ -74,10 +74,24 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
             flow=flow, direction=direction,
             ct_state_match='-new+est-rel-inv+trk')
-    def _is_conntrack_relative_pass_flow(self, flow, direction):
+    def _is_conntrack_relative_not_new_pass_flow(self, flow, direction):
         return self._is_conntrack_pass_flow(
             flow=flow, direction=direction,
-            ct_state_match='-new-est+rel-inv+trk')
+            ct_state_match='-new+rel-inv+trk')
+
+    def _is_conntrack_relative_new_pass_flow(self, flow, direction):
+        if direction == 'ingress':
+            table = const.INGRESS_SECURITY_GROUP_TABLE
+        else:
+            table = const.EGRESS_SECURITY_GROUP_TABLE
+
+        if (flow['table'] == str(table)) and \
+            (flow['priority'] == str(const.PRIORITY_CT_STATE)) and \
+            ('+new+rel-inv+trk' in flow['match']) and \
+            ('ct(commit,table' in flow['actions']):
+            return True
+
+        return False
     def _is_conntrack_invalid_drop_flow(self, flow, direction):
         if direction == 'ingress':
@@ -187,8 +201,10 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
         found_egress_default_drop_flow = False
         found_ingress_conntrack_established_pass_flow = False
         found_egress_conntrack_established_pass_flow = False
-        found_ingress_conntrack_relative_pass_flow = False
-        found_egress_conntrack_relative_pass_flow = False
+        found_ingress_conntrack_relative_not_new_pass_flow = False
+        found_egress_conntrack_relative_not_new_pass_flow = False
+        found_ingress_conntrack_relative_new_pass_flow = False
+        found_egress_conntrack_relative_new_pass_flow = False
         found_ingress_conntrack_invalied_drop_flow = False
         found_egress_conntrack_invalied_drop_flow = False
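Review bot: `_is_conntrack_relative_new_pass_flow` spells out `if ...: return True` followed by `return False` where the condition is itself the result; `return (flow['table'] == str(table) and flow['priority'] == str(const.PRIORITY_CT_STATE) and '+new+rel-inv+trk' in flow['match'] and 'ct(commit,table' in flow['actions'])` is the same predicate in the style of the sibling helpers, which simply return `self._is_conntrack_pass_flow(...)`. The `'ct(commit,table' in flow['actions']` check also accepts a commit that recirculates to any table; if the dumped action text has the form `ct(commit,table=N,...)`, pinning N to the expected goto table would let the test catch a flow that commits but sends traffic to the wrong table. The hunk's trailing context is the start of `_is_conntrack_invalid_drop_flow`, whose body ends outside the hunk.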
@@ -209,12 +225,18 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
             elif self._is_conntrack_established_pass_flow(flow=flow,
                                                           direction='egress'):
                 found_egress_conntrack_established_pass_flow = True
-            elif self._is_conntrack_relative_pass_flow(flow=flow,
-                                                       direction='ingress'):
-                found_ingress_conntrack_relative_pass_flow = True
-            elif self._is_conntrack_relative_pass_flow(flow=flow,
-                                                       direction='egress'):
-                found_egress_conntrack_relative_pass_flow = True
+            elif self._is_conntrack_relative_not_new_pass_flow(
+                    flow=flow, direction='ingress'):
+                found_ingress_conntrack_relative_not_new_pass_flow = True
+            elif self._is_conntrack_relative_not_new_pass_flow(
+                    flow=flow, direction='egress'):
+                found_egress_conntrack_relative_not_new_pass_flow = True
+            elif self._is_conntrack_relative_new_pass_flow(
+                    flow=flow, direction='ingress'):
+                found_ingress_conntrack_relative_new_pass_flow = True
+            elif self._is_conntrack_relative_new_pass_flow(
+                    flow=flow, direction='egress'):
+                found_egress_conntrack_relative_new_pass_flow = True
             elif self._is_conntrack_invalid_drop_flow(flow=flow,
                                                       direction='ingress'):
                 found_ingress_conntrack_invalied_drop_flow = True
@@ -230,8 +252,10 @@ class TestOVSFlowsForSecurityGroup(test_base.DFTestBase):
         self.assertTrue(found_egress_default_drop_flow)
         self.assertTrue(found_ingress_conntrack_established_pass_flow)
         self.assertTrue(found_egress_conntrack_established_pass_flow)
-        self.assertTrue(found_ingress_conntrack_relative_pass_flow)
-        self.assertTrue(found_egress_conntrack_relative_pass_flow)
+        self.assertTrue(found_ingress_conntrack_relative_not_new_pass_flow)
+        self.assertTrue(found_egress_conntrack_relative_not_new_pass_flow)
+        self.assertTrue(found_ingress_conntrack_relative_new_pass_flow)
+        self.assertTrue(found_egress_conntrack_relative_new_pass_flow)
         self.assertTrue(found_ingress_conntrack_invalied_drop_flow)
         self.assertTrue(found_egress_conntrack_invalied_drop_flow)