[NIC-25] NIC block action is not working in redirect. Created: 03/Mar/16  Updated: 19/Oct/17

Status: Confirmed
Project: nic
Component/s: General
Affects Version/s: unspecified
Fix Version/s: None

Type: Bug
Reporter: Vinothkumar Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 5455

 Description   

Not able to block the traffic that was allowed between the end points by the redirect action.



 Comments   
Comment by Saket Mahajani [ 03/Mar/16 ]

This is due to both ALLOW and BLOCK related flows having the same priority. This is because today we aren't listening on the resolved policies from the composed graph but rather on the intent additions. We are currently working on listening to the graph edges to push the resolved policies instead.

Comment by Vinothkumar [ 04/Mar/16 ]

Just elaborating on the cause of the bug:

Description:

Step 1: Created a redirect intent, tested and dumped flows in mininet, and found that flows are written on each switch and traffic is allowed between the end points.

Ex: intent:add -f 00:00:00:00:00:01 -t 00:00:00:00:00:05 -a REDIRECT -s srvc1

Dump-flow:

      • s1 ------------------------------------------------------------------------
        NXST_FLOW reply (xid=0x4):
        cookie=0x1, duration=581.583s, table=0, n_packets=232, n_bytes=19720, idle_age=2, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535
        cookie=0x1, duration=581.583s, table=0, n_packets=0, n_bytes=0, idle_age=581, priority=10000,arp actions=CONTROLLER:65535,NORMAL
      • s2 ------------------------------------------------------------------------
        NXST_FLOW reply (xid=0x4):
        cookie=0x2, duration=581.599s, table=0, n_packets=232, n_bytes=19720, idle_age=2, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535
        cookie=0x2, duration=581.599s, table=0, n_packets=0, n_bytes=0, idle_age=581, priority=10000,arp actions=CONTROLLER:65535,NORMAL
      • s3 ------------------------------------------------------------------------
        NXST_FLOW reply (xid=0x4):
        cookie=0x3, duration=581.608s, table=0, n_packets=337, n_bytes=28645, idle_age=2, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535
      • s4 ------------------------------------------------------------------------
        NXST_FLOW reply (xid=0x4):
        cookie=0x4, duration=581.622s, table=0, n_packets=337, n_bytes=28645, idle_age=2, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535
===========================================

Step 2: Created a block intent, tested and dumped flows in mininet, and found that flows are written on each switch for the drop action, while the existing flows that were written during the redirect action still exist. Because of this, traffic is still allowed between the end points.

Ex: intent:add -f 00:00:00:00:00:01 -t 00:00:00:00:00:05 -a block

mininet> dpctl dump-flows

      • s1 ------------------------------------------------------------------------
        NXST_FLOW reply (xid=0x4):
        cookie=0x0, duration=16.848s, table=0, n_packets=0, n_bytes=0, idle_age=16, priority=9000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=drop
        cookie=0x0, duration=84.604s, table=0, n_packets=6, n_bytes=588, idle_age=78, priority=9000,in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=output:4
        cookie=0x0, duration=84.677s, table=0, n_packets=6, n_bytes=588, idle_age=78, priority=9000,in_port=3,dl_src=00:00:00:00:00:05,dl_dst=00:00:00:00:00:01 actions=output:1
        cookie=0x1, duration=685.065s, table=0, n_packets=274, n_bytes=23290, idle_age=0, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535
        cookie=0x1, duration=685.065s, table=0, n_packets=4, n_bytes=168, idle_age=78, priority=10000,arp actions=CONTROLLER:65535,NORMAL
      • s2 ------------------------------------------------------------------------
        NXST_FLOW reply (xid=0x4):
        cookie=0x0, duration=16.866s, table=0, n_packets=0, n_bytes=0, idle_age=16, priority=9000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=drop
        cookie=0x0, duration=84.625s, table=0, n_packets=6, n_bytes=588, idle_age=78, priority=9000,in_port=5,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=output:3
        cookie=0x0, duration=84.726s, table=0, n_packets=6, n_bytes=588, idle_age=78, priority=9000,in_port=3,dl_src=00:00:00:00:00:05,dl_dst=00:00:00:00:00:01 actions=output:4
        cookie=0x2, duration=685.076s, table=0, n_packets=274, n_bytes=23290, idle_age=0, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535
        cookie=0x2, duration=685.076s, table=0, n_packets=4, n_bytes=168, idle_age=78, priority=10000,arp actions=CONTROLLER:65535,NORMAL
      • s3 ------------------------------------------------------------------------
        NXST_FLOW reply (xid=0x4):
        cookie=0x0, duration=16.845s, table=0, n_packets=0, n_bytes=0, idle_age=16, priority=9000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=drop
        cookie=0x0, duration=84.582s, table=0, n_packets=6, n_bytes=588, idle_age=78, priority=9000,in_port=2,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=output:3
        cookie=0x3, duration=685.08s, table=0, n_packets=400, n_bytes=34000, idle_age=0, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535
      • s4 ------------------------------------------------------------------------
        NXST_FLOW reply (xid=0x4):
        cookie=0x0, duration=16.868s, table=0, n_packets=0, n_bytes=0, idle_age=16, priority=9000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=drop
        cookie=0x0, duration=84.662s, table=0, n_packets=6, n_bytes=588, idle_age=78, priority=9000,in_port=3,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=output:1
        cookie=0x4, duration=685.088s, table=0, n_packets=400, n_bytes=34000, idle_age=0, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535

mininet>
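
Added example, not part of the original issue or the NIC project's code: a check that flags the condition described in the comments, a drop flow and a forwarding flow with overlapping matches at the same priority in the same table, where OpenFlow leaves the choice of entry undefined. The function names are hypothetical, the sample is the s1 section of the Step 2 dump with one flow per line, and match overlap is simplified to exact field equality (no masks).

```python
import re
from itertools import combinations

# Sample input: the s1 flows from the Step 2 dump above, one flow per line.
SAMPLE = """\
cookie=0x0, duration=16.848s, table=0, n_packets=0, n_bytes=0, idle_age=16, priority=9000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=drop
cookie=0x0, duration=84.604s, table=0, n_packets=6, n_bytes=588, idle_age=78, priority=9000,in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:05 actions=output:4
cookie=0x0, duration=84.677s, table=0, n_packets=6, n_bytes=588, idle_age=78, priority=9000,in_port=3,dl_src=00:00:00:00:00:05,dl_dst=00:00:00:00:00:01 actions=output:1
cookie=0x1, duration=685.065s, table=0, n_packets=274, n_bytes=23290, idle_age=0, priority=9500,dl_type=0x88cc actions=CONTROLLER:65535
"""

# Captures table, priority, the comma-separated match fields, and the action list.
FLOW_RE = re.compile(r"table=(\d+),.*?priority=(\d+),?(\S*) actions=(\S+)")

def parse_flows(text):
    """Turn dump-flows lines into dicts; lines that are not flow entries are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        table, prio, match_str, actions = m.groups()
        # Bare keywords such as "arp" become fields with an empty value.
        match = dict(f.split("=", 1) if "=" in f else (f, "")
                     for f in match_str.split(",") if f)
        flows.append({"table": int(table), "priority": int(prio),
                      "match": match, "actions": actions})
    return flows

def overlaps(a, b):
    """Matches overlap when no field present in both has different values;
    a field absent from a match is a wildcard."""
    return all(b[k] == v for k, v in a.items() if k in b)

def find_conflicts(flows):
    """Return pairs of same-table, same-priority flows whose matches overlap
    and where exactly one of the two drops the packet."""
    conflicts = []
    for a, b in combinations(flows, 2):
        if (a["table"], a["priority"]) != (b["table"], b["priority"]):
            continue
        one_drops = (a["actions"] == "drop") != (b["actions"] == "drop")
        if one_drops and overlaps(a["match"], b["match"]):
            conflicts.append((a, b))
    return conflicts

if __name__ == "__main__":
    for a, b in find_conflicts(parse_flows(SAMPLE)):
        print("conflict at priority", a["priority"], ":", a["actions"], "vs", b["actions"])
```

On the s1 sample this reports one pair: the new drop flow and the leftover `in_port=1` forwarding flow, both at priority 9000.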