If an IETF ACL entry defines a port range for both the source port and the destination port, an incorrect flow is installed in Open vSwitch: only one transport-port match (tp_src or tp_dst) is rendered, and a multi-port range is collapsed to its lower-port value.
I defined four ACLs (a range of [0, 0] is apparently treated as "any port"):
1. endpoint-ssh-client – sprange [0, 0], dprange [22, 22]
2. endpoint-ssh-server – sprange [22, 22], dprange [0, 0]
3. endpoint-http-client – sprange [1024, 65535], dprange [80, 80]
4. endpoint-http-server – sprange [80, 80], dprange [1024, 65535]
The flow installed on the server node for rule 4 is incorrect: the source-port match (tp_src=80) is missing and the destination range 1024–65535 is collapsed to the single port tp_dst=1024, so return traffic to ephemeral ports 1025–65535 never matches this flow and falls through to the priority-5 default rule, bypassing the reverse service chain:
tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=1024 actions=push_nsh,.....,output:2
The flows installed on the client node for rules 1 and 3 look as expected (note, however, that the rule-3 flow also carries no tp_src match, so the 1024–65535 source-port range is not enforced and the installed match is broader than the ACL):
tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=push_nsh,....,output:2
tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=22 actions=push_nsh,....,output:2
The flow installed on the server node for rule 2 is as expected:
tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_src=22 actions=push_nsh,....,output:2
Detailed configuration and flow dumps follow.
IETF access lists (ACLs):
{
"access-lists": {
"acl": [
{
"acl-type": "ietf-access-control-list:ipv4-acl",
"acl-name": "Endpoint-ssh-server",
"access-list-entries": {
"ace": [
{
"rule-name": "ssh",
"matches": {
"protocol": 6,
"source-port-range":
{
"lower-port": 22,
"upper-port": 22
}
,
"destination-port-range":
{
"lower-port": 0,
"upper-port": 0
}
,
"destination-ipv4-network": "192.168.2.0/24",
"source-ipv4-network": "192.168.2.0/24"
},
"actions":
{
"service-function-acl:rendered-service-path": "RSP-Node06-SFC2-Reverse"
}
}
]
}
},
{
"acl-type": "ietf-access-control-list:ipv4-acl",
"acl-name": "Endpoint-ssh-client",
"access-list-entries": {
"ace": [
{
"rule-name": "ssh",
"matches": {
"protocol": 6,
"source-port-range":
{
"lower-port": 0,
"upper-port": 0
}
,
"destination-port-range":
{
"lower-port": 22,
"upper-port": 22
}
,
"destination-ipv4-network": "192.168.2.0/24",
"source-ipv4-network": "192.168.2.0/24"
},
"actions":
{
"service-function-acl:rendered-service-path": "RSP-Node06-SFC2"
}
}
]
}
},
{
"acl-type": "ietf-access-control-list:ipv4-acl",
"acl-name": "Endpoint-http-client",
"access-list-entries": {
"ace": [
{
"rule-name": "webmail",
"matches": {
"protocol": 6,
"source-port-range":
{
"lower-port": 1024,
"upper-port": 65535
}
,
"destination-port-range":
{
"lower-port": 80,
"upper-port": 80
}
,
"destination-ipv4-network": "192.168.2.0/24",
"source-ipv4-network": "192.168.2.0/24"
},
"actions":
{
"service-function-acl:rendered-service-path": "RSP-Node06-SFC1"
}
}
]
}
},
{
"acl-type": "ietf-access-control-list:ipv4-acl",
"acl-name": "Endpoint-http-server",
"access-list-entries": {
"ace": [
{
"rule-name": "webmail",
"matches": {
"protocol": 6,
"source-port-range":
{
"lower-port": 80,
"upper-port": 80
}
,
"destination-port-range":
{
"lower-port": 1024,
"upper-port": 65535
}
,
"destination-ipv4-network": "192.168.2.0/24",
"source-ipv4-network": "192.168.2.0/24"
},
"actions":
{
"service-function-acl:rendered-service-path": "RSP-Node06-SFC1-Reverse"
}
}
]
}
}
]
}
}
------------------------------
Service function classifiers:
{
"service-function-classifiers": {
"service-function-classifier": [
{
"name": "scl1",
"scl-service-function-forwarder": [
{
"name": "Node05-SFF2",
"interface": "veth-br"
}
],
"acl":
{
"type": "ietf-access-control-list:ipv4-acl",
"name": "Endpoint-http-server"
}
},
{
"name": "scl4",
"scl-service-function-forwarder": [
{
"name": "Node05-SFF1",
"interface": "veth-br"
}
],
"acl":
{
"type": "ietf-access-control-list:ipv4-acl",
"name": "Endpoint-ssh-client"
}
},
{
"name": "scl2",
"scl-service-function-forwarder": [
{
"name": "Node05-SFF2",
"interface": "veth-br"
}
],
"acl":
{
"type": "ietf-access-control-list:ipv4-acl",
"name": "Endpoint-ssh-server"
}
},
{
"name": "scl3",
"scl-service-function-forwarder": [
{
"name": "Node05-SFF1",
"interface": "veth-br"
}
],
"acl":
{
"type": "ietf-access-control-list:ipv4-acl",
"name": "Endpoint-http-client"
}
}
]
}
}
----------------
Service function forwarders (note: every VXLAN-GPE data-plane locator below uses UDP port 6633, which is also the default OpenFlow controller port, rather than the IANA-assigned VXLAN-GPE port 4790 — confirm this is intentional and matches the tunnel ports actually created on br-sfc):
{
"service-function-forwarders": {
"service-function-forwarder": [
{
"name": "Node05-SFF1",
"service-node": "Node05-SN-Client",
"sff-data-plane-locator": [
{
"name": "Node05-SFF1-1-dpl",
"data-plane-locator":
{
"transport": "service-locator:vxlan-gpe",
"ip": "172.16.9.32",
"port": 6633
}
,
"service-function-forwarder-ovs:ovs-options":
{
"nshc4": "flow",
"nshc3": "flow",
"nshc2": "flow",
"nsi": "flow",
"nshc1": "flow",
"exts": "gpe",
"remote-ip": "flow",
"key": "flow",
"dst-port": "6633",
"nsp": "flow"
}
}
],
"service-function-forwarder-ovs:ovs-bridge":
{
"bridge-name": "br-sfc"
}
},
{
"name": "Node06-SFF1",
"service-function-dictionary": [
{
"name": "SF2",
"sff-sf-data-plane-locator":
{
"sf-dpl-name": "SF2-dpl",
"sff-dpl-name": "Node06-SFF1-2-dpl"
}
},
{
"name": "SF3",
"sff-sf-data-plane-locator":
{
"sf-dpl-name": "SF3-dpl",
"sff-dpl-name": "Node06-SFF1-3-dpl"
}
},
{
"name": "SF1",
"sff-sf-data-plane-locator":
{
"sf-dpl-name": "SF1-dpl",
"sff-dpl-name": "Node06-SFF1-1-dpl"
}
}
],
"service-node": "Node06-SN-SFF",
"sff-data-plane-locator": [
{
"name": "Node06-SFF1-2-dpl",
"data-plane-locator":
{
"transport": "service-locator:vxlan-gpe",
"ip": "172.16.9.23",
"port": 6633
}
,
"service-function-forwarder-ovs:ovs-options":
{
"nshc4": "flow",
"nshc3": "flow",
"nshc2": "flow",
"nsi": "flow",
"nshc1": "flow",
"exts": "gpe",
"remote-ip": "flow",
"key": "flow",
"dst-port": "6633",
"nsp": "flow"
}
},
{
"name": "Node06-SFF1-3-dpl",
"data-plane-locator":
{
"transport": "service-locator:vxlan-gpe",
"ip": "172.16.9.23",
"port": 6633
}
,
"service-function-forwarder-ovs:ovs-options":
{
"nshc4": "flow",
"nshc3": "flow",
"nshc2": "flow",
"nsi": "flow",
"nshc1": "flow",
"exts": "gpe",
"remote-ip": "flow",
"key": "flow",
"dst-port": "6633",
"nsp": "flow"
}
},
{
"name": "Node06-SFF1-1-dpl",
"data-plane-locator":
{
"transport": "service-locator:vxlan-gpe",
"ip": "172.16.9.23",
"port": 6633
}
,
"service-function-forwarder-ovs:ovs-options":
{
"nshc4": "flow",
"nshc3": "flow",
"nshc2": "flow",
"nsi": "flow",
"nshc1": "flow",
"exts": "gpe",
"remote-ip": "flow",
"key": "flow",
"dst-port": "6633",
"nsp": "flow"
}
}
],
"service-function-forwarder-ovs:ovs-bridge":
{
"bridge-name": "br-sfc"
}
},
{
"name": "Node05-SFF2",
"service-node": "Node05-SN-Server",
"sff-data-plane-locator": [
{
"name": "Node05-SFF2-1-dpl",
"data-plane-locator":
{
"transport": "service-locator:vxlan-gpe",
"ip": "172.16.9.42",
"port": 6633
}
,
"service-function-forwarder-ovs:ovs-options":
{
"nshc4": "flow",
"nshc3": "flow",
"nshc2": "flow",
"nsi": "flow",
"nshc1": "flow",
"exts": "gpe",
"remote-ip": "flow",
"key": "flow",
"dst-port": "6633",
"nsp": "flow"
}
}
],
"service-function-forwarder-ovs:ovs-bridge":
{
"bridge-name": "br-sfc"
}
}
]
}
}
--------
Flow dump on Node05-SFF1 (i.e. the client node):
serro@ubuntu-node5-testvm1:~$ sudo ovs-ofctl dump-flows br-sfc
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=386.967s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x273->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=386.388s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=22 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x27c->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=386.915s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,nsi=253,nsp=8389235 actions=pop_nsh,output:1
cookie=0x0, duration=386.345s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,nsi=252,nsp=8389244 actions=pop_nsh,output:1
cookie=0x14, duration=386.425s, table=0, n_packets=0, n_bytes=0, idle_age=387, priority=5 actions=resubmit(,1)
--------------------
Flow dump on Node05-SFF2 (i.e. the server node):
serro@ubuntu-node5-testvm2:~$ sudo ovs-ofctl dump-flows br-sfc
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=473.375s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_src=22 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x80027c->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=473.321s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,nsi=252,nsp=636 actions=pop_nsh,output:1
cookie=0x0, duration=473.121s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,nsi=253,nsp=627 actions=pop_nsh,output:1
cookie=0x0, duration=473.172s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=1024 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x800273->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x14, duration=473.223s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=5 actions=resubmit(,1)