-
Bug
-
Resolution: Unresolved
Operating System: All
Platform: All
-
7400
If an IETF ACL has a range set for both the source port and the destination port, incorrect flows get installed in Open vSwitch.
I defined 4 ACLs
1. endpoint-ssh-client – sprange [0, 0] , dprange [22,22]
2. endpoint-ssh-server – sprange [22, 22] , dprange[0,0]
3. endpoint-http-client – sprange[1024,65535] , dprange[80, 80]
4. endpoint-http-server – sprange [80, 80] , dprange[1024, 65535]
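The flow installed on the server node for rule 4 is incorrect: it matches only tp_dst=1024, with no tp_src=80 match and without covering the rest of the 1024–65535 destination range.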
tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=1024 actions=push_nsh,.....,output:2
The flows were installed as expected on the client node for rules 1 and 3:
tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=push_nsh,....,output:2
tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=22 actions=push_nsh,....,output:2
The flow was installed as expected on the server node for rule 2:
tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_src=22 actions=push_nsh,....,output:2
The detailed configuration and flow dumps are below.
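IETF classifiers (the nested values, including the port ranges and actions, are missing from this copy of the report; the port ranges are the ones listed above).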
{
"access-lists": {
"acl": [
{
"acl-type": "ietf-access-control-list:ipv4-acl",
"acl-name": "Endpoint-ssh-server",
"access-list-entries": {
"ace": [
{
"rule-name": "ssh",
"matches": {
"protocol": 6,
"source-port-range":
,
"destination-port-range":
,
"destination-ipv4-network": "192.168.2.0/24",
"source-ipv4-network": "192.168.2.0/24"
},
"actions":
}
]
}
},
{
"acl-type": "ietf-access-control-list:ipv4-acl",
"acl-name": "Endpoint-ssh-client",
"access-list-entries": {
"ace": [
{
"rule-name": "ssh",
"matches": {
"protocol": 6,
"source-port-range":
,
"destination-port-range":
,
"destination-ipv4-network": "192.168.2.0/24",
"source-ipv4-network": "192.168.2.0/24"
},
"actions":
}
]
}
},
{
"acl-type": "ietf-access-control-list:ipv4-acl",
"acl-name": "Endpoint-http-client",
"access-list-entries": {
"ace": [
{
"rule-name": "webmail",
"matches": {
"protocol": 6,
"source-port-range":
,
"destination-port-range":
,
"destination-ipv4-network": "192.168.2.0/24",
"source-ipv4-network": "192.168.2.0/24"
},
"actions":
}
]
}
},
{
"acl-type": "ietf-access-control-list:ipv4-acl",
"acl-name": "Endpoint-http-server",
"access-list-entries": {
"ace": [
{
"rule-name": "webmail",
"matches": {
"protocol": 6,
"source-port-range":
,
"destination-port-range":
,
"destination-ipv4-network": "192.168.2.0/24",
"source-ipv4-network": "192.168.2.0/24"
},
"actions":
}
]
}
}
]
}
}
------------------------------
service function classifier
{
"service-function-classifiers": {
"service-function-classifier": [
{
"name": "scl1",
"scl-service-function-forwarder": [
],
"acl":
},
{
"name": "scl4",
"scl-service-function-forwarder": [
],
"acl":
},
{
"name": "scl2",
"scl-service-function-forwarder": [
],
"acl":
},
{
"name": "scl3",
"scl-service-function-forwarder": [
],
"acl":
}
]
}
}
----------------
service function forwarder
{
"service-function-forwarders": {
"service-function-forwarder": [
{
"name": "Node05-SFF1",
"service-node": "Node05-SN-Client",
"sff-data-plane-locator": [
{
"name": "Node05-SFF1-1-dpl",
"data-plane-locator":
,
"service-function-forwarder-ovs:ovs-options":
}
],
"service-function-forwarder-ovs:ovs-bridge":
},
{
"name": "Node06-SFF1",
"service-function-dictionary": [
{
"name": "SF2",
"sff-sf-data-plane-locator":
},
{
"name": "SF3",
"sff-sf-data-plane-locator":
},
{
"name": "SF1",
"sff-sf-data-plane-locator":
}
],
"service-node": "Node06-SN-SFF",
"sff-data-plane-locator": [
{
"name": "Node06-SFF1-2-dpl",
"data-plane-locator":
,
"service-function-forwarder-ovs:ovs-options":
},
{
"name": "Node06-SFF1-3-dpl",
"data-plane-locator":
,
"service-function-forwarder-ovs:ovs-options":
},
{
"name": "Node06-SFF1-1-dpl",
"data-plane-locator":
,
"service-function-forwarder-ovs:ovs-options":
}
],
"service-function-forwarder-ovs:ovs-bridge":
},
{
"name": "Node05-SFF2",
"service-node": "Node05-SN-Server",
"sff-data-plane-locator": [
{
"name": "Node05-SFF2-1-dpl",
"data-plane-locator":
,
"service-function-forwarder-ovs:ovs-options":
}
],
"service-function-forwarder-ovs:ovs-bridge":
}
]
}
}
--------
Flow dump on Node05-SFF1, i.e. the client node
serro@ubuntu-node5-testvm1:~$ sudo ovs-ofctl dump-flows br-sfc
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=386.967s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x273->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=386.388s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=22 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x27c->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=386.915s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,nsi=253,nsp=8389235 actions=pop_nsh,output:1
cookie=0x0, duration=386.345s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,nsi=252,nsp=8389244 actions=pop_nsh,output:1
cookie=0x14, duration=386.425s, table=0, n_packets=0, n_bytes=0, idle_age=387, priority=5 actions=resubmit(,1)
--------------------
Flow dump on Node05-SFF2, i.e. the server node
serro@ubuntu-node5-testvm2:~$ sudo ovs-ofctl dump-flows br-sfc
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=473.375s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_src=22 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x80027c->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=473.321s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,nsi=252,nsp=636 actions=pop_nsh,output:1
cookie=0x0, duration=473.121s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,nsi=253,nsp=627 actions=pop_nsh,output:1
cookie=0x0, duration=473.172s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=1024 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x800273->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x14, duration=473.223s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=5 actions=resubmit(,1)