mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-22 01:51:26 +00:00
Code Issues Releases Wiki Activity
ovs/tests/classifier.at

625 lines
28 KiB
Plaintext
Raw Permalink Normal View History

tests: Break monolithic classifier test into subtests. This makes it easier to see which tests are taking up a lot of time, and to see which ones actually fail if any of them do.
2010-05-26 12:48:32 -07:00
AT_BANNER([flow classifier unit tests])
m4_foreach(
[testname],
[[empty],
[destroy-null],
[single-rule],
[rule-replacement],
classifier: Rewrite. The old classifier was not adaptive: it required knowing the structure of the flows that were likely to be in use to get good performance. It is likely that it degenerated to linear search in any real-world case. This new classifier is adaptive and should perform better in the real world.
2010-11-03 11:00:58 -07:00
[many-rules-in-one-list],
test-classifier: Test versioning features. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2015-06-11 15:53:43 -07:00
[versioned many-rules-in-one-list],
tests: Break monolithic classifier test into subtests. This makes it easier to see which tests are taking up a lot of time, and to see which ones actually fail if any of them do.
2010-05-26 12:48:32 -07:00
[many-rules-in-one-table],
test-classifier: Test versioning features. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2015-06-11 15:53:43 -07:00
[versioned many-rules-in-one-table],
classifier: Rewrite. The old classifier was not adaptive: it required knowing the structure of the flows that were likely to be in use to get good performance. It is likely that it degenerated to linear search in any real-world case. This new classifier is adaptive and should perform better in the real world.
2010-11-03 11:00:58 -07:00
[many-rules-in-two-tables],
test-classifier: Test versioning features. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2015-06-11 15:53:43 -07:00
[versioned many-rules-in-two-tables],
[many-rules-in-five-tables],
[versioned many-rules-in-five-tables]],
tests: Break monolithic classifier test into subtests. This makes it easier to see which tests are taking up a lot of time, and to see which ones actually fail if any of them do.
2010-05-26 12:48:32 -07:00
[AT_SETUP([flow classifier - m4_bpatsubst(testname, [-], [ ])])
test-classifier: Test versioning features. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2015-06-11 15:53:43 -07:00
AT_CHECK([ovstest test-classifier m4_bpatsubst(testname, [versioned], [--versioned])], [0], [], [])
tests: Break monolithic classifier test into subtests. This makes it easier to see which tests are taking up a lot of time, and to see which ones actually fail if any of them do.
2010-05-26 12:48:32 -07:00
AT_CLEANUP])])
Introduce sparse flows and masks, to reduce memory usage and improve speed. A cls_rule is 324 bytes on i386 now. The cost of a flow table lookup is currently proportional to this size, which is going to continue to grow. However, the required cost of a flow table lookup, with the classifier that we currently use, is only proportional to the number of bits that a rule actually matches. This commit implements that optimization by replacing the match inside "struct cls_rule" by a sparse representation. This reduces struct cls_rule to 100 bytes on i386. There is still some headroom for further optimization following this commit: - I suspect that adding an 'n' member to struct miniflow would make miniflow operations faster, since popcount() has some cost. - It's probably possible to replace the "struct minimatch" in cls_rule by just a "struct miniflow", since the cls_rule's cls_table has a copy of the minimask. - Some of the miniflow operations aren't well-optimized. Signed-off-by: Ben Pfaff <blp@nicira.com>
2012-09-04 12:43:53 -07:00
tests: classifier: Add a stress test for prefixes reconfiguration. This test is reusing the benchmark infrastructure, but it has some pre-defined parameters, so it's easier to run in the test suite. The benchmark code is adjusted to start another thread that does prefix updates continuously in a loop and the lookup threads are updated to be able to enter quiescent state periodically, so the reconfiguration can proceed. This test is a reproducer for the crashes fixed in the previous commit. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-05-16 23:25:17 +02:00
AT_BANNER([flow classifier stress tests])
AT_SETUP([flow classifier - prefixes reconfiguration stress test])
AT_CHECK([ovstest test-classifier stress-prefixes], [0], [stdout])
AT_CLEANUP
Introduce sparse flows and masks, to reduce memory usage and improve speed. A cls_rule is 324 bytes on i386 now. The cost of a flow table lookup is currently proportional to this size, which is going to continue to grow. However, the required cost of a flow table lookup, with the classifier that we currently use, is only proportional to the number of bits that a rule actually matches. This commit implements that optimization by replacing the match inside "struct cls_rule" by a sparse representation. This reduces struct cls_rule to 100 bytes on i386. There is still some headroom for further optimization following this commit: - I suspect that adding an 'n' member to struct miniflow would make miniflow operations faster, since popcount() has some cost. - It's probably possible to replace the "struct minimatch" in cls_rule by just a "struct miniflow", since the cls_rule's cls_table has a copy of the minimask. - Some of the miniflow operations aren't well-optimized. Signed-off-by: Ben Pfaff <blp@nicira.com>
2012-09-04 12:43:53 -07:00
AT_BANNER([miniflow unit tests])
m4_foreach(
[testname],
[[miniflow],
[minimask_has_extra],
[minimask_combine]],
[AT_SETUP([miniflow - m4_bpatsubst(testname, [-], [ ])])
unit-test: Link 29 test programs into ovstest Improve link speed by linking 29 test programs into ovstest. On my machine, running the following command against a fully built tree: $ touch lib/random.c; time make Improve the overall build time from 7 seconds to 3.5 seconds. Signed-off-by: Andy Zhou <azhou@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2014-04-01 00:47:01 -07:00
AT_CHECK([ovstest test-classifier testname], [0], [], [])
Introduce sparse flows and masks, to reduce memory usage and improve speed. A cls_rule is 324 bytes on i386 now. The cost of a flow table lookup is currently proportional to this size, which is going to continue to grow. However, the required cost of a flow table lookup, with the classifier that we currently use, is only proportional to the number of bits that a rule actually matches. This commit implements that optimization by replacing the match inside "struct cls_rule" by a sparse representation. This reduces struct cls_rule to 100 bytes on i386. There is still some headroom for further optimization following this commit: - I suspect that adding an 'n' member to struct miniflow would make miniflow operations faster, since popcount() has some cost. - It's probably possible to replace the "struct minimatch" in cls_rule by just a "struct miniflow", since the cls_rule's cls_table has a copy of the minimask. - Some of the miniflow operations aren't well-optimized. Signed-off-by: Ben Pfaff <blp@nicira.com>
2012-09-04 12:43:53 -07:00
AT_CLEANUP])])
Classifier: Staged subtable matching. Subtable lookup is performed in ranges defined for struct flow, starting from metadata (registers, in_port, etc.), then L2 header, L3, and finally L4 ports. Whenever it is found that there are no matches in the current subtable, the rest of the subtable can be skipped. The rationale of this logic is that as many fields as possible can remain wildcarded. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
2013-11-19 17:31:29 -08:00
AT_BANNER([flow classifier lookup segmentation])
AT_SETUP([flow classifier - lookup segmentation])
OVS_VSWITCHD_START
tests: Change ADD_OF_PORTS from macro to shell function. This reduces the size of the generated testsuite and makes it possible to pass arguments that vary at runtime instead of at the time of translation from .at to shell script. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
2016-01-26 16:23:30 -08:00
add_of_ports br0 1 2 3
Classifier: Staged subtable matching. Subtable lookup is performed in ranges defined for struct flow, starting from metadata (registers, in_port, etc.), then L2 header, L3, and finally L4 ports. Whenever it is found that there are no matches in the current subtable, the rest of the subtable can be skipped. The rationale of this logic is that as many fields as possible can remain wildcarded. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
2013-11-19 17:31:29 -08:00
AT_DATA([flows.txt], [dnl
table=0 in_port=1 priority=16,tcp,nw_dst=10.1.0.0/255.255.0.0,action=output(3)
table=0 in_port=1 priority=32,tcp,nw_dst=10.1.2.15,action=output(2)
table=0 in_port=1 priority=33,tcp,nw_dst=10.1.2.15,tp_dst=80,action=drop
table=0 in_port=1 priority=0,ip,action=drop
table=0 in_port=2 priority=16,tcp,nw_dst=192.168.0.0/255.255.0.0,action=output(1)
table=0 in_port=2 priority=0,ip,action=drop
table=0 in_port=3 priority=16,tcp,nw_src=10.1.0.0/255.255.0.0,action=output(1)
table=0 in_port=3 priority=0,ip,action=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=2,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=2,nw_dst=192.168.0.0/16,nw_frag=no
Classifier: Staged subtable matching. Subtable lookup is performed in ranges defined for struct flow, starting from metadata (registers, in_port, etc.), then L2 header, L3, and finally L4 ports. Whenever it is found that there are no matches in the current subtable, the rest of the subtable can be skipped. The rationale of this logic is that as many fields as possible can remain wildcarded. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
2013-11-19 17:31:29 -08:00
Datapath actions: 1
])
tests/classifier: Make test work in big-endian systems. Change a test so that the result will be the same in both little-endian and big-endian systems by editing the test case so that only one bit differs. Reported-by: Mijo Safradin <mijo@linux.vnet.ibm.com> Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2014-12-08 10:10:07 -08:00
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=11.1.2.15,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
Classifier: Staged subtable matching. Subtable lookup is performed in ranges defined for struct flow, starting from metadata (registers, in_port, etc.), then L2 header, L3, and finally L4 ports. Whenever it is found that there are no matches in the current subtable, the rest of the subtable can be skipped. The rationale of this logic is that as many fields as possible can remain wildcarded. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
2013-11-19 17:31:29 -08:00
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=11.0.0.0/8,nw_frag=no
Classifier: Staged subtable matching. Subtable lookup is performed in ranges defined for struct flow, starting from metadata (registers, in_port, etc.), then L2 header, L3, and finally L4 ports. Whenever it is found that there are no matches in the current subtable, the rest of the subtable can be skipped. The rationale of this logic is that as many fields as possible can remain wildcarded. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
2013-11-19 17:31:29 -08:00
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=10.1.2.15,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_dst=10.1.2.15,nw_frag=no,tp_dst=80
Classifier: Staged subtable matching. Subtable lookup is performed in ranges defined for struct flow, starting from metadata (registers, in_port, etc.), then L2 header, L3, and finally L4 ports. Whenever it is found that there are no matches in the current subtable, the rest of the subtable can be skipped. The rationale of this logic is that as many fields as possible can remain wildcarded. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
2013-11-19 17:31:29 -08:00
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=10.1.2.15,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_dst=10.1.2.15,nw_frag=no,tp_dst=0x40/0xfff0
Classifier: Staged subtable matching. Subtable lookup is performed in ranges defined for struct flow, starting from metadata (registers, in_port, etc.), then L2 header, L3, and finally L4 ports. Whenever it is found that there are no matches in the current subtable, the rest of the subtable can be skipped. The rationale of this logic is that as many fields as possible can remain wildcarded. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
2013-11-19 17:31:29 -08:00
Datapath actions: 2
])
OVS_VSWITCHD_STOP
AT_CLEANUP
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
classifier: Fix missing masks on a final stage with ports trie. Flow lookup doesn't include masks of the final stage in a resulting flow wildcards in case that stage had L4 ports match. Only the result of ports trie lookup is added to the mask. It might be sufficient in many cases, but it's not correct, because ports trie is not how we decided that the packet didn't match in this subtable. In fact, we used a full subtable mask in order to determine that, so all the subtable mask bits has to be added. Ports trie can still be used to adjust ports' mask, but it is not sufficient to determine that the packet didn't match. Assuming we have following 2 OpenFlow rules on the bridge: table=0, priority=10,tcp,tp_dst=80,tcp_flags=+psh actions=drop table=0, priority=0 actions=output(1) The first high priority rule supposed to drop all the TCP data traffic sent on port 80. The handshake, however, is allowed for forwarding. Both 'tcp_flags' and 'tp_dst' are on the final stage in the flow. Since the stage mask from that stage is not incorporated into the flow wildcards and only ports mask is getting updated, we have the following megaflow for the SYN packet that has no match on 'tcp_flags': $ ovs-appctl ofproto/trace br0 "in_port=br0,tcp,tp_dst=80,tcp_flags=syn" Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80 Datapath actions: 1 If this flow is getting installed into datapath flow table, all the packets for port 80, regardless of TCP flags, will be forwarded. Incorporating all the looked at bits from the final stage into the stages map in order to get all the necessary wildcards. Ports mask has to be updated as a last step, because it doesn't cover the full 64-bit slot in the flowmap. With this change, in the example above, OVS is producing correct flow wildcards including match on TCP flags: Megaflow: recirc_id=0,eth,tcp,in_port=LOCAL,nw_frag=no,tp_dst=80,tcp_flags=-psh Datapath actions: 1 This way only -psh packets will be forwarded, as expected. This issue affects all other fields on stage 4, not only TCP flags. Tests included to cover tcp_flags, nd_target and ct_tp_src/dst. First two are frequently used, ct ones are sharing the same flowmap slot with L4 ports, so important to test. Before the pre-computation of stage masks, flow wildcards were updated during lookup, so there was no issue. The bits of the final stage was lost with introduction of 'stages_map'. Recent adjustment of segment boundaries exposed 'tcp_flags' to the issue. Reported-at: https://github.com/openvswitch/ovs-issues/issues/272 Fixes: ca44218515f0 ("classifier: Adjust segment boundary to execute prerequisite processing.") Fixes: fa2fdbf8d0c1 ("classifier: Pre-compute stage masks.") Acked-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2023-02-17 21:09:59 +01:00
AT_SETUP([flow classifier - lookup segmentation - final stage])
OVS_VSWITCHD_START
add_of_ports br0 1 2 3
AT_DATA([flows.txt], [dnl
table=0 in_port=1 priority=33,tcp,tp_dst=80,tcp_flags=+psh,action=output(2)
table=0 in_port=1 priority=0,ip,action=drop
table=0 in_port=2 priority=16,icmp6,nw_ttl=255,icmp_type=135,icmp_code=0,nd_target=1000::1 ,action=output(1)
table=0 in_port=2 priority=0,ip,action=drop
table=0 in_port=3 action=resubmit(,1)
table=1 in_port=3 priority=45,ct_state=+trk+rpl,ct_nw_proto=6,ct_tp_src=3/0x1,tcp,tp_dst=80,tcp_flags=+psh,action=output(2)
table=1 in_port=3 priority=10,ip,action=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=syn|ack'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=ack|psh'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=+psh
Datapath actions: 2
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=80,tcp_flags=-psh
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=-psh
Datapath actions: drop
])
dnl Having both the port and the tcp flags in the resulting megaflow below
dnl is redundant, but that is how ports trie logic is implemented.
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=81'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_frag=no,tp_dst=81,tcp_flags=-psh
Datapath actions: drop
])
dnl nd_target is redundant in the megaflow below and it is also not relevant
dnl for an icmp reply. Datapath may discard that match, but it is OK as long
dnl as we have prerequisites (icmp_type) in the match as well.
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=128,icmpv6_code=0"], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x80/0xfc,nd_target=::
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0"], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=::
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::1"], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::1
Datapath actions: 1
])
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=2,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,nw_ttl=255,icmpv6_type=135,icmpv6_code=0,nd_target=1000::2"], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,icmp6,in_port=2,nw_ttl=255,nw_frag=no,icmp_type=0x87/0xff,icmp_code=0x0/0xff,nd_target=1000::2
Datapath actions: drop
])
dnl Check that ports' mask doesn't affect ct ports.
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80,tcp_flags=psh'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=80,tcp_flags=+psh
Datapath actions: 2
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=3,ct_state=trk|rpl,ct_nw_proto=6,ct_tp_src=3,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79,tcp_flags=psh'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,ct_state=+rpl+trk,ct_nw_proto=6,ct_tp_src=0x1/0x1,eth,tcp,in_port=3,nw_frag=no,tp_dst=0x40/0xfff0,tcp_flags=+psh
Datapath actions: drop
])
OVS_VSWITCHD_STOP
AT_CLEANUP
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
AT_BANNER([flow classifier prefix lookup])
AT_SETUP([flow classifier - prefix lookup])
OVS_VSWITCHD_START
tests: Change ADD_OF_PORTS from macro to shell function. This reduces the size of the generated testsuite and makes it possible to pass arguments that vary at runtime instead of at the time of translation from .at to shell script. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
2016-01-26 16:23:30 -08:00
add_of_ports br0 1 2 3
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
AT_CHECK([ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create Flow_Table name=t0], [0], [ignore], [])
AT_DATA([flows.txt], [dnl
table=0 in_port=1 priority=16,tcp,nw_dst=10.1.0.0/255.255.0.0,action=output(3)
table=0 in_port=1 priority=32,tcp,nw_dst=10.1.2.0/255.255.255.0,tp_src=79,action=output(2)
table=0 in_port=1 priority=33,tcp,nw_dst=10.1.2.15,tp_dst=80,action=drop
lib/classifier: Use a prefix tree to optimize ports wildcarding. Using a prefix tree (aka 'trie') for transport ports matching produces less specific (more wildcarded) datapath megaflows. Each subtable that matches on transport ports has it's own ports trie. This trie is consulted only after a failing lookup to determine the number of bits that need to be unwildcarded to guarantee that any packet that should match on any of the other rules will not match this megaflow. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ethan Jackson <ethan@nicira.com>
2014-04-30 14:09:08 -07:00
table=0 in_port=1 priority=33,tcp,nw_dst=10.1.2.15,tp_dst=8080,action=output(2)
table=0 in_port=1 priority=33,tcp,nw_dst=10.1.2.15,tp_dst=192,action=output(2)
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
table=0 in_port=1 priority=0,ip,action=drop
table=0 in_port=2 priority=16,tcp,nw_dst=192.168.0.0/255.255.0.0,action=output(1)
table=0 in_port=2 priority=0,ip,action=drop
table=0 in_port=3 priority=16,tcp,nw_src=10.1.0.0/255.255.0.0,action=output(1)
table=0 in_port=3 priority=0,ip,action=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
Use prefix trie lookup for IPv4 by default. Unless otherwise configured, the prefix trie lookup is enabled for IPv4 destination and source address fields. A new keyword "none" is accepted as the value of "prefixes" in the OVSDB Flow_Table column. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ethan Jackson <ethan@nicira.com>
2014-05-16 12:51:11 -07:00
# nw_dst and nw_src should be on by default
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_dst=192.168.0.0/16,nw_frag=no
Use prefix trie lookup for IPv4 by default. Unless otherwise configured, the prefix trie lookup is enabled for IPv4 destination and source address fields. A new keyword "none" is accepted as the value of "prefixes" in the OVSDB Flow_Table column. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ethan Jackson <ethan@nicira.com>
2014-05-16 12:51:11 -07:00
Datapath actions: drop
])
AT_CHECK([ovs-vsctl set Flow_Table t0 prefixes=ipv6_label], [0])
classifier: Increase the maximum number of prefixes (tries). Today users can enable prefix matches for tun_id, tun_src, tun_dst, ip_src, ip_dst, ipv6_src and ipv6_dst. However, they are limited to only 3 of these enabled at the same time. This means that if our flow table is handling both IPv4 and IPv6 traffic, we can't optimize all the addresses, we'll either have to split IPv4 and IPv6 rules into separate tables or sacrifice one of the fields, as we can select only 3 out of 4 fields (ip_src, ip_dst, ipv6_src and ipv6_dst). The maximum number of tries is a little arbitrary. Increasing it will slightly increase memory usage and may take a couple extra processing cycles, but should not change classification results, so should be reasonable. Actually enabling more prefixes will consume more memory and reduce efficiency of a single flow classification, but that's a trade user can make knowing the traffic pattern and how their particular flow table looks like. While efficiency of a single flow classification may go down, the overall performance of the system may be significantly improved by having way less datapath flows with wider matches. The number of tunnels in a typical setup is not that high, so I'm not sure if it makes sense to increase the limit higher. At the same time combined IPv4 + IPv6 handling is pretty common. For example, that's the case with OVN. Tests in ofproto-dpif.at cover IPv4 and IPv6 address classification separately, and these fields can't overlap, so not adding any new tests. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-11-15 14:20:43 +01:00
AT_CHECK([ovs-vsctl set Flow_Table t0 prefixes=nw_dst,nw_src,tun_dst,tun_src,ipv6_src], [1], [],
[ovs-vsctl: nw_dst,nw_src,tun_dst,tun_src,ipv6_src: 5 value(s) specified but the maximum number is 4
Use prefix trie lookup for IPv4 by default. Unless otherwise configured, the prefix trie lookup is enabled for IPv4 destination and source address fields. A new keyword "none" is accepted as the value of "prefixes" in the OVSDB Flow_Table column. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ethan Jackson <ethan@nicira.com>
2014-05-16 12:51:11 -07:00
])
AT_CHECK([ovs-vsctl set Flow_Table t0 prefixes=nw_dst,nw_dst], [1], [],
[ovs-vsctl: nw_dst,nw_dst: set contains duplicate value
])
AT_CHECK([ovs-vsctl set Flow_Table t0 prefixes=nw_dst], [0])
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_dst=192.168.0.0/16,nw_frag=no
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=2,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=2,nw_dst=192.168.0.0/16,nw_frag=no
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
Datapath actions: 1
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=10.1.2.15,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_dst=10.1.2.15,nw_frag=no,tp_dst=80
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
Datapath actions: drop
])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=10.1.2.15,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_dst=10.1.2.15,nw_frag=no,tp_src=0x0/0xffc0,tp_dst=0x40/0xfff0
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
Datapath actions: 3
])
Use prefix trie lookup for IPv4 by default. Unless otherwise configured, the prefix trie lookup is enabled for IPv4 destination and source address fields. A new keyword "none" is accepted as the value of "prefixes" in the OVSDB Flow_Table column. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ethan Jackson <ethan@nicira.com>
2014-05-16 12:51:11 -07:00
AT_CHECK([ovs-vsctl set Flow_Table t0 prefixes=none], [0])
AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=10.1.3.16,nw_proto=6,nw_tos=0,nw_ttl=128,tp_src=8,tp_dst=79'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
Adding nsh.at for NSH unit tests First basic NSH test case implemented and working. Unconditionally show matched packet_type in megaflows, even when matching on eth. Signed-off-by: Jan Scheurich <jan.scheurich@ericsson.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-08-05 13:41:09 +08:00
[Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_dst=10.1.3.16,nw_frag=no
Use prefix trie lookup for IPv4 by default. Unless otherwise configured, the prefix trie lookup is enabled for IPv4 destination and source address fields. A new keyword "none" is accepted as the value of "prefixes" in the OVSDB Flow_Table column. Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ethan Jackson <ethan@nicira.com>
2014-05-16 12:51:11 -07:00
Datapath actions: 3
])
Classifier: Track address prefixes. Add a prefix tree (trie) structure for tracking the used address space, enabling skipping classifier tables containing longer masks than necessary for an address field value in a packet header being classified. This enables less unwildcarding for datapath flows in parts of the address space without host routes. Trie lookup is interwoven to the staged lookup, so that a trie is searched only when the configured trie field becomes relevant for the lookup. The trie lookup results are retained so that each trie is checked at most once for each classifier lookup. This implementation tracks the number of rules at each address prefix for the whole classifier. More aggressive table skipping would be possible by maintaining lists of tables that have prefixes at the lengths encountered on tree traversal, or by maintaining separate tries for subsets of rules separated by metadata fields. Prefix tracking is configured via OVSDB. A new column "prefixes" is added to the database table "Flow_Table". "prefixes" is a set of string values listing the field names for which prefix lookup should be used. As of now, the fields for which prefix lookup can be enabled are: - tun_id, tun_src, tun_dst - nw_src, nw_dst (or aliases ip_src and ip_dst) - ipv6_src, ipv6_dst There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3. Examples: ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \ --id=@N1 create Flow_Table name=table0 ovs-vsctl set Bridge br0 flow_tables:1=@N1 -- \ --id=@N1 create Flow_Table name=table1 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src ovs-vsctl set Flow_Table table1 prefixes=[] Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
2013-12-11 11:07:01 -08:00
OVS_VSWITCHD_STOP(["/'prefixes' with incompatible field: ipv6_label/d"])
AT_CLEANUP
classifier: Add support for conjunctive matches. A "conjunctive match" allows higher-level matches in the flow table, such as set membership matches, without causing a cross-product explosion for multidimensional matches. Please refer to the documentation that this commit adds to ovs-ofctl(8) for a better explanation, including an example. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 13:25:24 -08:00
ofproto: Enable address prefix tracking for IPv6 by default. It is common to have flow tables with OpenFlow rules for both IPv4 and IPv6 traffic at the same time. One major example is OVN. Today only IPv4 addresses and L4 ports are prefix matched by default. Since recently, it's possible to turn on the optimization for all 4 fields at the same time (nw_dst, nw_src, ipv6_dst and ipv6_src), but it is an inconvenience for users. IPv6 configurations become more and more common in the real world, so having IPv6 tables not optimized by default is not good. Enable prefix tree lookups for IPv6 addresses by default in addition to IPv4. This change increases memory consumption slightly as well as takes a few extra cycles per flow to create and later iterate over additional prefix trees. However, IPv4 and IPv6 matches are mutually exclusive, so performance overhead should be minimal, especially in comparison with the benefits this configuration brings to IPv6 setups reducing the number of datapath flows by default. A new test added to check that defaults are working as expected. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-11-15 14:20:44 +01:00
AT_SETUP([flow classifier - prefix lookup defaults])
OVS_VSWITCHD_START
add_of_ports br0 1 2 3
AT_DATA([flows.txt], [dnl
table=0 in_port=1 priority=16,tcp,nw_src=10.2.0.0/16,nw_dst=10.1.0.0/255.255.0.0,action=output(3)
table=0 in_port=1 priority=33,tcp,nw_src=10.2.2.14,nw_dst=10.1.2.15,tp_dst=80,action=drop
table=0 in_port=1 priority=33,tcp,nw_src=10.2.2.14,nw_dst=10.1.2.15,tp_dst=8080,action=output(2)
table=0 in_port=1 priority=16,tcp,nw_src=192.168.0.0/15,nw_dst=192.168.0.0/255.255.0.0,action=output(3)
table=0 in_port=1 priority=0,ip,action=drop
table=0 in_port=1 priority=16,tcp6,ipv6_src=aaaa:bbbb:c:d:e:f::/96,ipv6_dst=aaaa:bbbb:c:d:a:f:0000:0000/96,action=output(3)
table=0 in_port=1 priority=33,tcp6,ipv6_src=aaaa:bbbb:c:d:e:f:1:2,ipv6_dst=aaaa:bbbb:c:d:a:f:1:2,tp_dst=80,action=drop
table=0 in_port=1 priority=33,tcp6,ipv6_src=aaaa:bbbb:c:d:e:f:1:2,ipv6_dst=aaaa:bbbb:c:d:a:f:1:2,tp_dst=8080,action=output(2)
table=0 in_port=1 priority=16,tcp6,ipv6_src=cccc:dddd:a:b:c:c::/95,ipv6_dst=cccc:dddd:a:b:c:c::/95,action=output(3)
table=0 in_port=1 priority=0,ip6,action=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl nw_dst and nw_src should be on by default.
AT_CHECK([ovs-appctl ofproto/trace br0 \
'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,
nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,
tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0], [dnl
Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_src=192.168.0.0/15,nw_dst=192.168.0.0/16,nw_frag=no
Datapath actions: 3
])
dnl ipv6_dst and ipv6_src should also be on by default.
AT_CHECK([ovs-appctl ofproto/trace br0 \
'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x86dd,
ipv6_src=cccc:dddd:a:b:c:d:7:8,ipv6_dst=cccc:dddd:a:b:c:d:7:9,
nw_proto=6,nw_tos=0,nw_ttl=128,
tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0], [dnl
Megaflow: recirc_id=0,eth,tcp6,in_port=1,ipv6_src=cccc:dddd:a:b:c:c::/95,ipv6_dst=cccc:dddd:a:b:c:c::/95,nw_frag=no
Datapath actions: 3
])
dnl Turn optimizations off and check that we fall back to exact match.
AT_CHECK([ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- \
--id=@N1 create Flow_Table name=t0], [0], [ignore])
AT_CHECK([ovs-vsctl set Flow_Table t0 prefixes=none])
AT_CHECK([ovs-appctl ofproto/trace br0 \
'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,
nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,nw_tos=0,nw_ttl=128,
tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0], [dnl
Megaflow: recirc_id=0,eth,tcp,in_port=1,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_frag=no
Datapath actions: 3
])
AT_CHECK([ovs-appctl ofproto/trace br0 \
'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x86dd,
ipv6_src=cccc:dddd:a:b:c:d:7:8,ipv6_dst=cccc:dddd:a:b:c:d:7:9,
nw_proto=6,nw_tos=0,nw_ttl=128,
tp_src=8,tp_dst=80'], [0], [stdout])
AT_CHECK([tail -2 stdout], [0], [dnl
Megaflow: recirc_id=0,eth,tcp6,in_port=1,ipv6_src=cccc:dddd:a:b:c:d:7:8,ipv6_dst=cccc:dddd:a:b:c:d:7:9,nw_frag=no
Datapath actions: 3
])
OVS_VSWITCHD_STOP
AT_CLEANUP
classifier: Adjust segment boundary to execute prerequisite processing. During flow processing, the flow wildcards are checked as a series of stages, and these stages are intended to carry dependencies in a single direction. But when the neighbor discovery processing, for example, was executed there is an incorrect dependency chain - we need fields from stage 4 to determine whether we need fields from stage 3. We can build a set of flow rules to demonstrate this: table=0,priority=100,ipv6,ipv6_src=1000::/10 actions=resubmit(,1) table=0,priority=0 actions=NORMAL table=1,priority=110,ipv6,ipv6_dst=1000::3 actions=resubmit(,2) table=1,priority=100,ipv6,ipv6_dst=1000::4 actions=resubmit(,2) table=1,priority=0 actions=NORMAL table=2,priority=120,icmp6,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=10:de:ad:be:ef:10 actions=NORMAL table=2,priority=100,tcp actions=NORMAL table=2,priority=100,icmp6 actions=NORMAL table=2,priority=0 actions=NORMAL With this set of flows, any IPv6 packet that executes through this pipeline will have the corresponding nd_sll field flagged as required match for classification even if that field doesn't make sense in such a context (for example, TCP packets). When the corresponding flow is installed into the kernel datapath, this field is not reflected when the revalidator executes the dump stage (see net/openvswitch/flow_netlink.c for more details). During the sweep stage, revalidator will compare the dumped WC with a generated WC - these will mismatch because the generated WC will match on the Neighbor Discovery fields, while the datapath WC will not match on these fields. We will then invalidate the flow and as a side effect force an upcall. By redefining the boundary, we shift these fields to the l4 subtable, and cause masks to be generated matching just the requisite fields. The list of fields being shifted: struct in6_addr nd_target; struct eth_addr arp_sha; struct eth_addr arp_tha; ovs_be16 tcp_flags; ovs_be16 pad2; struct ovs_key_nsh nsh; A standout field would be tcp_flags moving from l3 subtable matches to the l4 subtable matches. This reverts a partial performance optimization in the case of stateless firewalling. The tcp_flags field might have been a good candidate to retain in the l3 segment, but it got overloaded with ICMPv6 ND matching, and therefore we can't preserve this kind of optimization. Two other approaches were considered - moving the nd_target field alone and collapsing the l3/l4 segments into a single subtable for matching. Moving any field individually introduces ABI mismatch, and doesn't completely address the problems with other neighbor discovery related fields (such as nd_sll/nd_tll). Collapsing the two subtables creates an issue with datapath flow explosion, since the l3 and l4 fields will be unwildcarded together (this can be seen with some of the existing classifier tests). A simple test is added to showcase the behavior. Fixes: 476f36e83bc5 ("Classifier: Staged subtable matching.") Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2081773 Reported-by: Numan Siddique <nusiddiq@redhat.com> Suggested-by: Ilya Maximets <i.maximets@ovn.org> Signed-off-by: Aaron Conole <aconole@redhat.com> Acked-by: Eelco Chaudron <echaudro@redhat.com> Acked-by: Cian Ferriter <cian.ferriter@intel.com> Tested-by: Numan Siddique <numans@ovn.org> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2022-05-24 17:35:23 -04:00
AT_SETUP([flow classifier - ipv6 ND dependency])
OVS_VSWITCHD_START
add_of_ports br0 1 2
AT_DATA([flows.txt], [dnl
table=0,priority=100,ipv6,ipv6_src=1000::/10 actions=resubmit(,1)
table=0,priority=0 actions=NORMAL
table=1,priority=110,ipv6,ipv6_dst=1000::3 actions=resubmit(,2)
table=1,priority=100,ipv6,ipv6_dst=1000::4 actions=resubmit(,2)
table=1,priority=0 actions=NORMAL
table=2,priority=120,icmp6,nw_ttl=255,icmp_type=135,icmp_code=0,nd_target=1000::1 actions=NORMAL
table=2,priority=100,tcp actions=NORMAL
table=2,priority=100,icmp6 actions=NORMAL
table=2,priority=0 actions=NORMAL
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
# test ICMPv6 echo request (which should have no nd_target field)
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,eth_src=f6:d2:b0:19:5e:7b,eth_dst=d2:49:19:91:78:fe,dl_type=0x86dd,ipv6_src=1000::3,ipv6_dst=1000::4,nw_proto=58,icmpv6_type=128,icmpv6_code=0"], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,icmp6,in_port=1,dl_src=f6:d2:b0:19:5e:7b,dl_dst=d2:49:19:91:78:fe,ipv6_src=1000::/10,ipv6_dst=1000::4,nw_ttl=0,nw_frag=no
Datapath actions: 100,2
])
OVS_VSWITCHD_STOP
AT_CLEANUP
classifier: Add support for conjunctive matches. A "conjunctive match" allows higher-level matches in the flow table, such as set membership matches, without causing a cross-product explosion for multidimensional matches. Please refer to the documentation that this commit adds to ovs-ofctl(8) for a better explanation, including an example. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 13:25:24 -08:00
AT_BANNER([conjunctive match])
AT_SETUP([single conjunctive match])
OVS_VSWITCHD_START
tests: Change ADD_OF_PORTS from macro to shell function. This reduces the size of the generated testsuite and makes it possible to pass arguments that vary at runtime instead of at the time of translation from .at to shell script. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
2016-01-26 16:23:30 -08:00
add_of_ports br0 1 2 3 4 5
classifier: Add support for conjunctive matches. A "conjunctive match" allows higher-level matches in the flow table, such as set membership matches, without causing a cross-product explosion for multidimensional matches. Please refer to the documentation that this commit adds to ovs-ofctl(8) for a better explanation, including an example. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 13:25:24 -08:00
AT_DATA([flows.txt], [dnl
conj_id=1,actions=3
priority=100,ip,ip_src=10.0.0.1,actions=conjunction(1,1/2)
priority=100,ip,ip_src=10.0.0.4,actions=conjunction(1,1/2)
priority=100,ip,ip_src=10.0.0.6,actions=conjunction(1,1/2)
priority=100,ip,ip_src=10.0.0.7,actions=conjunction(1,1/2)
priority=100,ip,ip_dst=10.0.0.2,actions=conjunction(1,2/2)
priority=100,ip,ip_dst=10.0.0.5,actions=conjunction(1,2/2)
priority=100,ip,ip_dst=10.0.0.7,actions=conjunction(1,2/2)
priority=100,ip,ip_dst=10.0.0.8,actions=conjunction(1,2/2)
priority=100,ip,ip_src=10.0.0.1,ip_dst=10.0.0.4,actions=4
priority=100,ip,ip_src=10.0.0.3,ip_dst=10.0.0.5,actions=5
priority=0 actions=2
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
for src in 0 1 2 3 4 5 6 7; do
for dst in 0 1 2 3 4 5 6 7; do
if test $src$dst = 14; then
out=4
elif test $src$dst = 35; then
out=5
else
out=2
case $src in [[1467]]) case $dst in [[2578]]) out=3 ;; esac ;; esac
fi
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x0800,nw_src=10.0.0.$src,nw_dst=10.0.0.$dst"], [0], [stdout])
AT_CHECK_UNQUOTED([tail -1 stdout], [0], [Datapath actions: $out
])
ofproto-dpif-trace: Improve conjunctive match tracing. A conjunctive flow consists of two or more multiple flows with conjunction actions. When input to the ofproto/trace command matches a conjunctive flow, it outputs flows of all dimensions. Acked-by: Simon Horman <horms@ovn.org> Signed-off-by: Nobuhiro MIKI <nmiki@yahoo-corp.jp> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2023-11-15 18:47:33 +09:00
dnl Check detailed output for conjunctive match.
if test $out = 3; then
AT_CHECK_UNQUOTED([cat stdout | grep conj\\. | sort], [0], [dnl
-> conj. priority=100,ip,nw_dst=10.0.0.$dst
-> conj. priority=100,ip,nw_src=10.0.0.$src
])
fi
classifier: Add support for conjunctive matches. A "conjunctive match" allows higher-level matches in the flow table, such as set membership matches, without causing a cross-product explosion for multidimensional matches. Please refer to the documentation that this commit adds to ovs-ofctl(8) for a better explanation, including an example. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 13:25:24 -08:00
done
done
OVS_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([multiple conjunctive match])
OVS_VSWITCHD_START
tests: Change ADD_OF_PORTS from macro to shell function. This reduces the size of the generated testsuite and makes it possible to pass arguments that vary at runtime instead of at the time of translation from .at to shell script. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
2016-01-26 16:23:30 -08:00
add_of_ports br0 1 2 3 4 5
classifier: Add support for conjunctive matches. A "conjunctive match" allows higher-level matches in the flow table, such as set membership matches, without causing a cross-product explosion for multidimensional matches. Please refer to the documentation that this commit adds to ovs-ofctl(8) for a better explanation, including an example. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 13:25:24 -08:00
AT_DATA([flows.txt], [dnl
conj_id=1,actions=1
conj_id=2,actions=2
conj_id=3,actions=3
priority=5,ip,ip_src=20.0.0.0/8,actions=conjunction(1,1/2),conjunction(2,1/2)
priority=5,ip,ip_src=10.1.0.0/16,actions=conjunction(1,1/2),conjunction(3,2/3)
priority=5,ip,ip_src=10.2.0.0/16,actions=conjunction(1,1/2),conjunction(2,1/2)
priority=5,ip,ip_src=10.1.3.0/24,actions=conjunction(1,1/2),conjunction(3,2/3)
priority=5,ip,ip_src=10.1.4.5/32,actions=conjunction(1,1/2),conjunction(2,1/2)
priority=5,ip,ip_dst=20.0.0.0/8,actions=conjunction(1,2/2)
priority=5,ip,ip_dst=10.1.0.0/16,actions=conjunction(1,2/2)
priority=5,ip,ip_dst=10.2.0.0/16,actions=conjunction(1,2/2)
priority=5,ip,ip_dst=10.1.3.0/24,actions=conjunction(1,2/2)
priority=5,ip,ip_dst=10.1.4.5/32,actions=conjunction(1,2/2)
priority=5,ip,ip_dst=30.0.0.0/8,actions=conjunction(2,2/2),conjunction(3,1/3)
priority=5,ip,ip_dst=40.5.0.0/16,actions=conjunction(2,2/2),conjunction(3,1/3)
priority=5,tcp,tcp_dst=80,actions=conjunction(3,3/3)
priority=5,tcp,tcp_dst=443,actions=conjunction(3,3/3)
priority=5,tcp,tcp_src=80,actions=conjunction(3,3/3)
priority=5,tcp,tcp_src=443,actions=conjunction(3,3/3)
priority=0,actions=4
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
for a0 in \
'1 20.0.0.1' \
'2 10.1.0.1' \
'3 10.2.0.1' \
'4 10.1.3.1' \
'5 10.1.4.5' \
'6 1.2.3.4'
do
for b0 in \
'1 20.0.0.1' \
'2 10.1.0.1' \
'3 10.2.0.1' \
'4 10.1.3.1' \
'5 10.1.4.5' \
'6 30.0.0.1' \
'7 40.5.0.1' \
'8 1.2.3.4'
do
for c0 in '1 80' '2 443' '3 8080'; do
for d0 in '1 80' '2 443' '3 8080'; do
set $a0; a=$1 ip_src=$2
set $b0; b=$1 ip_dst=$2
set $c0; c=$1 tcp_src=$2
set $d0; d=$1 tcp_dst=$2
case $a$b$c$d in
[[12345]][[12345]]??) out=1 ;;
[[135]][[67]]??) out=2 ;;
[[24]][[67]][[12]]? | [[24]][[67]]?[[12]]) out=3 ;;
*) out=4
esac
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=5,dl_type=0x0800,nw_proto=6,nw_src=$ip_src,nw_dst=$ip_dst,tcp_src=$tcp_src,tcp_dst=$tcp_dst"], [0], [stdout])
AT_CHECK_UNQUOTED([tail -1 stdout], [0], [Datapath actions: $out
])
done
done
done
done
OVS_VSWITCHD_STOP
AT_CLEANUP
# In conjunctive match, we can find some soft matches that turn out not to be a
# real match. Usually, that's the end of the road--there is no real match.
# But if there is a flow identical to one of the flows that was a soft match,
# except with a lower priority, then we have to try again with that lower
# priority flow. This test checks this special case.
AT_SETUP([conjunctive match priority fallback])
OVS_VSWITCHD_START
tests: Change ADD_OF_PORTS from macro to shell function. This reduces the size of the generated testsuite and makes it possible to pass arguments that vary at runtime instead of at the time of translation from .at to shell script. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Jarno Rajahalme <jarno@ovn.org>
2016-01-26 16:23:30 -08:00
add_of_ports br0 1 2 3 4 5 6 7
classifier: Add support for conjunctive matches. A "conjunctive match" allows higher-level matches in the flow table, such as set membership matches, without causing a cross-product explosion for multidimensional matches. Please refer to the documentation that this commit adds to ovs-ofctl(8) for a better explanation, including an example. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 13:25:24 -08:00
AT_DATA([flows.txt], [dnl
conj_id=1,actions=1
conj_id=3,actions=3
priority=5,ip,ip_src=10.0.0.1,actions=conjunction(1,1/2)
priority=5,ip,ip_src=10.0.0.2,actions=conjunction(1,1/2)
priority=5,ip,ip_dst=10.0.0.1,actions=conjunction(1,2/2)
priority=5,ip,ip_dst=10.0.0.2,actions=conjunction(1,2/2)
priority=5,ip,ip_dst=10.0.0.3,actions=conjunction(1,2/2)
priority=4,ip,ip_src=10.0.0.3,ip_dst=10.0.0.2,actions=2
priority=3,ip,ip_src=10.0.0.1,actions=conjunction(3,1/2)
priority=3,ip,ip_src=10.0.0.3,actions=conjunction(3,1/2)
priority=3,ip,ip_dst=10.0.0.2,actions=conjunction(3,2/2)
priority=3,ip,ip_dst=10.0.0.3,actions=conjunction(3,2/2)
priority=3,ip,ip_dst=10.0.0.4,actions=conjunction(3,2/2)
priority=2,ip,ip_dst=10.0.0.1,actions=4
priority=1,ip,ip_src=10.0.0.1,ip_dst=10.0.0.5,actions=5
priority=0,actions=6
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
for src in 0 1 2 3; do
for dst in 0 1 2 3 4 5; do
case $src$dst in
[[12]][[123]]) out=1 ;;
32) out=2 ;;
[[13]][[234]]) out=3 ;;
treewide: Convert leading tabs to spaces. It's always been OVS coding style to use spaces rather than tabs for indentation, but some tabs have snuck in over time. This commit converts them to spaces. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
2018-05-25 17:11:07 -07:00
?1) out=4 ;;
classifier: Add support for conjunctive matches. A "conjunctive match" allows higher-level matches in the flow table, such as set membership matches, without causing a cross-product explosion for multidimensional matches. Please refer to the documentation that this commit adds to ovs-ofctl(8) for a better explanation, including an example. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
2015-01-11 13:25:24 -08:00
15) out=5 ;;
*) out=6
esac
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=7,dl_type=0x0800,nw_src=10.0.0.$src,nw_dst=10.0.0.$dst"], [0], [stdout])
AT_CHECK_UNQUOTED([tail -1 stdout], [0], [Datapath actions: $out
])
done
done
OVS_VSWITCHD_STOP
AT_CLEANUP
ofp-actions: Support mixing "conjunction" and "note" actions. It doesn't make sense to mix "conjunction" actions with most other kinds of actions. That's because flows with "conjunction" actions aren't ever actually executed, so any actions mixed up with them would never do anything useful. "note" actions are a little different because they never do anything useful anyway: they are just there to allow a controller to annotate flows. It makes as much sense to annotate a flow with "conjunction" actions as it does to annotate any other flow, so this commit makes this possible. Requested-by: Soner Sevinc <sevincs@vmware.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
2015-06-26 08:14:15 -07:00
AT_SETUP([conjunctive match and other actions])
OVS_VSWITCHD_START
# It's OK to use "conjunction" actions with "note" actions.
AT_CHECK([ovs-ofctl add-flow br0 'actions=conjunction(3,1/2),note:41.42.43.44.45.46'])
AT_CHECK([ovs-ofctl add-flow br0 'actions=note:41.42.43.44.45.46,conjunction(3,1/2)'])
# It's not OK to use "conjunction" actions with other types of actions.
AT_CHECK([ovs-ofctl '-vPATTERN:console:%c|%p|%m' add-flow br0 'actions=output:1,conjunction(3,1/2)'], [1], [], [dnl
ofp-actions: Improve error messages for verification failures in parsing. Verification can fail for a variety of reasons but the code here always reported "Incorrect instruction ordering". Acked-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-04-30 09:19:16 -07:00
ovs-ofctl: "conjunction" actions may be used along with "note" but not any other kind of action (such as the "output" action used here)
ofp-actions: Support mixing "conjunction" and "note" actions. It doesn't make sense to mix "conjunction" actions with most other kinds of actions. That's because flows with "conjunction" actions aren't ever actually executed, so any actions mixed up with them would never do anything useful. "note" actions are a little different because they never do anything useful anyway: they are just there to allow a controller to annotate flows. It makes as much sense to annotate a flow with "conjunction" actions as it does to annotate any other flow, so this commit makes this possible. Requested-by: Soner Sevinc <sevincs@vmware.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
2015-06-26 08:14:15 -07:00
])
AT_CHECK([ovs-ofctl '-vPATTERN:console:%c|%p|%m' add-flow br0 'actions=conjunction(3,1/2),output:1'], [1], [], [dnl
ofp-actions: Improve error messages for verification failures in parsing. Verification can fail for a variety of reasons but the code here always reported "Incorrect instruction ordering". Acked-by: Numan Siddique <nusiddiq@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2019-04-30 09:19:16 -07:00
ovs-ofctl: "conjunction" actions may be used along with "note" but not any other kind of action (such as the "output" action used here)
ofp-actions: Support mixing "conjunction" and "note" actions. It doesn't make sense to mix "conjunction" actions with most other kinds of actions. That's because flows with "conjunction" actions aren't ever actually executed, so any actions mixed up with them would never do anything useful. "note" actions are a little different because they never do anything useful anyway: they are just there to allow a controller to annotate flows. It makes as much sense to annotate a flow with "conjunction" actions as it does to annotate any other flow, so this commit makes this possible. Requested-by: Soner Sevinc <sevincs@vmware.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Andy Zhou <azhou@nicira.com>
2015-06-26 08:14:15 -07:00
])
OVS_VSWITCHD_STOP
AT_CLEANUP
flow: Support extra padding length. Although not required, padding can be optionally added until the packet length is MTU bytes. A packet with extra padding currently fails sanity checks. Vulnerability: CVE-2020-35498 Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.") Reported-by: Joakim Hindersson <joakim.hindersson@elastx.se> Acked-by: Ilya Maximets <i.maximets@ovn.org> Signed-off-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2020-10-26 16:03:19 -03:00
ofproto-dpif-trace: Improve conjunctive match tracing. A conjunctive flow consists of two or more multiple flows with conjunction actions. When input to the ofproto/trace command matches a conjunctive flow, it outputs flows of all dimensions. Acked-by: Simon Horman <horms@ovn.org> Signed-off-by: Nobuhiro MIKI <nmiki@yahoo-corp.jp> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2023-11-15 18:47:33 +09:00
AT_SETUP([conjunctive match with same priority])
OVS_VSWITCHD_START
add_of_ports br0 1 2
AT_DATA([flows.txt], [dnl
conj_id=1,actions=2
conj_id=2,actions=drop
priority=10,ip,ip_dst=10.0.0.1,actions=conjunction(1,1/2)
priority=10,ip,ip_src=10.0.0.2,actions=conjunction(1,2/2)
priority=10,ip,ip_dst=10.0.0.3,actions=conjunction(2,1/2)
priority=10,ip,in_port=1,actions=conjunction(2,2/2)
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
# Check that "priority=10,ip,in_port=1,actions=conjunction(2,2/2)" is
# correctly excluded from the output.
AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x0800,nw_dst=10.0.0.1,nw_src=10.0.0.2" | grep conj\\. | sort], [0], [dnl
-> conj. priority=10,ip,nw_dst=10.0.0.1
-> conj. priority=10,ip,nw_src=10.0.0.2
])
OVS_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([conjunctive match with metadata])
OVS_VSWITCHD_START
AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"])
AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=1,len=8}->tun_metadata1"])
AT_DATA([flows.txt], [dnl
conj_id=7,actions=drop
priority=5,tun_metadata0=0x1,actions=conjunction(7,1/2)
priority=5,tun_metadata1=0x2,actions=conjunction(7,2/2)
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
# Check that tunnel metadata is included in the output.
AT_CHECK([ovs-appctl ofproto/trace br0 "tun_metadata0=0x1,tun_metadata1=0x2,in_port=br0" | grep conj\\. | sort], [0], [dnl
-> conj. priority=5,tun_metadata0=0x1
-> conj. priority=5,tun_metadata1=0x2
])
OVS_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([conjunctive match with or without port map])
OVS_VSWITCHD_START
add_of_ports br0 1 2
AT_DATA([flows.txt], [dnl
conj_id=1,actions=drop
conj_id=2,actions=drop
priority=10,ip,actions=conjunction(1,1/2),conjunction(2,1/2)
priority=10,in_port=p1,actions=conjunction(1,2/2)
priority=10,in_port=p2,actions=conjunction(1,2/2)
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-appctl ofproto/trace br0 "ip,in_port=p1" --names | grep conj\\. | sort], [0], [dnl
-> conj. priority=10,in_port=p1
-> conj. priority=10,ip
])
AT_CHECK([ovs-appctl ofproto/trace br0 "ip,in_port=p2" | grep conj\\. | sort], [0], [dnl
-> conj. priority=10,in_port=2
-> conj. priority=10,ip
])
OVS_VSWITCHD_STOP
AT_CLEANUP
AT_SETUP([conjunctive match with resubmit])
OVS_VSWITCHD_START
add_of_ports br0 1 2
AT_DATA([flows.txt], [dnl
conj_id=1,actions=resubmit(,2)
priority=10,ip,actions=conjunction(1,1/2)
priority=10,in_port=p1,actions=conjunction(1,2/2)
priority=10,in_port=p2,actions=conjunction(1,2/2)
table=2,conj_id=7,actions=resubmit(,3)
table=2,priority=20,ip,actions=conjunction(7,1/2)
table=2,priority=20,in_port=p1,actions=conjunction(7,2/2)
table=2,priority=20,in_port=p2,actions=conjunction(7,2/2)
table=3,actions=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
# Check that conj_flows are reset for each table and that they are output
# exactly once.
AT_CHECK([ovs-appctl ofproto/trace br0 "ip,in_port=p1" --names | grep conj\\. | sort], [0], [dnl
-> conj. priority=10,in_port=p1
-> conj. priority=10,ip
-> conj. priority=20,in_port=p1
-> conj. priority=20,ip
])
OVS_VSWITCHD_STOP
AT_CLEANUP
flow: Support extra padding length. Although not required, padding can be optionally added until the packet length is MTU bytes. A packet with extra padding currently fails sanity checks. Vulnerability: CVE-2020-35498 Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.") Reported-by: Joakim Hindersson <joakim.hindersson@elastx.se> Acked-by: Ilya Maximets <i.maximets@ovn.org> Signed-off-by: Flavio Leitner <fbl@sysclose.org> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2020-10-26 16:03:19 -03:00
# Flow classifier a packet with excess of padding.
AT_SETUP([flow classifier - packet with extra padding])
OVS_VSWITCHD_START
add_of_ports br0 1 2
AT_DATA([flows.txt], [dnl
priority=5,ip,ip_dst=1.1.1.1,actions=1
priority=5,ip,ip_dst=1.1.1.2,actions=2
priority=0,actions=drop
])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
packet=00020202020000010101010008004500001c00010000401176cc01010101010101020d6a00350008ee3a
AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
Datapath actions: 2
])
# normal packet plus 255 bytes of padding (8bit padding).
# 255 * 2 = 510
padding=$(printf '%*s' 510 | tr ' ' '0')
AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}] , [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
Datapath actions: 2
])
# normal packet plus padding up to 65535 bytes of length (16bit limit).
# 65535 - 43 = 65492
# 65492 * 2 = 130984
padding=$(printf '%*s' 130984 | tr ' ' '0')
AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}], [0], [stdout])
AT_CHECK([tail -2 stdout], [0],
[Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
Datapath actions: 2
])
OVS_VSWITCHD_STOP
AT_CLEANUP
Reference in New Issue Copy Permalink