[SFC-183] Incorrect Flows get installed in OVS, if ACL has ranges defined for both source port and destination port
Created: 16/Dec/16  Updated: 19/Oct/17

Status: Open
Project: sfc
Component/s: General
Affects Version/s: unspecified
Fix Version/s: None

Type: Bug
Reporter: Swati Deshpande
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 7400

Description

If the IETF ACL defined has a range set for both source port and destination port, then incorrect flows get installed in Open vSwitch.

I defined 4 ACLs:

1. endpoint-ssh-client – sprange [0, 0], dprange [22, 22]
2. endpoint-ssh-server – sprange [22, 22], dprange [0, 0]
3. endpoint-http-client – sprange [1024, 65535], dprange [80, 80]
4. endpoint-http-server – sprange [80, 80], dprange [1024, 65535]

The flows installed on the server for rule 4 are incorrect:

tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=1024 actions=push_nsh,.....,output:2

The flows got installed as expected on the client node for both rules 1 and 3:

tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=push_nsh,....,output:2

tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=22 actions=push_nsh,....,output:2

The flows got installed as expected on the server for rule 2:

tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_src=22 actions=push_nsh,....,output:2

Detailed configuration and flow dumps are below.

IETF classifiers.
{
  "access-lists": {
    "acl": [
      {
        "acl-type": "ietf-access-control-list:ipv4-acl",
        "acl-name": "Endpoint-ssh-server",
        "access-list-entries": {
          "ace": [
            {
              "rule-name": "ssh",
              "matches": {
                "protocol": 6,
                "source-port-range": { "lower-port": 22, "upper-port": 22 },
                "destination-port-range": { "lower-port": 0, "upper-port": 0 },
                "destination-ipv4-network": "192.168.2.0/24",
                "source-ipv4-network": "192.168.2.0/24"
              },
              "actions": { "service-function-acl:rendered-service-path": "RSP-Node06-SFC2-Reverse" }
            }
          ]
        }
      },
      {
        "acl-type": "ietf-access-control-list:ipv4-acl",
        "acl-name": "Endpoint-ssh-client",
        "access-list-entries": {
          "ace": [
            {
              "rule-name": "ssh",
              "matches": {
                "protocol": 6,
                "source-port-range": { "lower-port": 0, "upper-port": 0 },
                "destination-port-range": { "lower-port": 22, "upper-port": 22 },
                "destination-ipv4-network": "192.168.2.0/24",
                "source-ipv4-network": "192.168.2.0/24"
              },
              "actions": { "service-function-acl:rendered-service-path": "RSP-Node06-SFC2" }
            }
          ]
        }
      },
      {
        "acl-type": "ietf-access-control-list:ipv4-acl",
        "acl-name": "Endpoint-http-client",
        "access-list-entries": {
          "ace": [
            {
              "rule-name": "webmail",
              "matches": {
                "protocol": 6,
                "source-port-range": { "lower-port": 1024, "upper-port": 65535 },
                "destination-port-range": { "lower-port": 80, "upper-port": 80 },
                "destination-ipv4-network": "192.168.2.0/24",
                "source-ipv4-network": "192.168.2.0/24"
              },
              "actions": { "service-function-acl:rendered-service-path": "RSP-Node06-SFC1" }
            }
          ]
        }
      },
      {
        "acl-type": "ietf-access-control-list:ipv4-acl",
        "acl-name": "Endpoint-http-server",
        "access-list-entries": {
          "ace": [
            {
              "rule-name": "webmail",
              "matches": {
                "protocol": 6,
                "source-port-range": { "lower-port": 80, "upper-port": 80 },
                "destination-port-range": { "lower-port": 1024, "upper-port": 65535 },
                "destination-ipv4-network": "192.168.2.0/24",
                "source-ipv4-network": "192.168.2.0/24"
              },
              "actions": { "service-function-acl:rendered-service-path": "RSP-Node06-SFC1-Reverse" }
            }
          ]
        }
      }
    ]
  }
}

------------------------------

service function classifier

{
  "service-function-classifiers": {
    "service-function-classifier": [
      {
        "name": "scl1",
        "scl-service-function-forwarder": [
          { "name": "Node05-SFF2", "interface": "veth-br" }
        ],
        "acl": { "type": "ietf-access-control-list:ipv4-acl", "name": "Endpoint-http-server" }
      },
      {
        "name": "scl4",
        "scl-service-function-forwarder": [
          { "name": "Node05-SFF1", "interface": "veth-br" }
        ],
        "acl": { "type": "ietf-access-control-list:ipv4-acl", "name": "Endpoint-ssh-client" }
      },
      {
        "name": "scl2",
        "scl-service-function-forwarder": [
          { "name": "Node05-SFF2", "interface": "veth-br" }
        ],
        "acl": { "type": "ietf-access-control-list:ipv4-acl", "name": "Endpoint-ssh-server" }
      },
      {
        "name": "scl3",
        "scl-service-function-forwarder": [
          { "name": "Node05-SFF1", "interface": "veth-br" }
        ],
        "acl": { "type": "ietf-access-control-list:ipv4-acl", "name": "Endpoint-http-client" }
      }
    ]
  }
}

----------------

service function forwarder

{
  "service-function-forwarders": {
    "service-function-forwarder": [
      {
        "name": "Node05-SFF1",
        "service-node": "Node05-SN-Client",
        "sff-data-plane-locator": [
          {
            "name": "Node05-SFF1-1-dpl",
            "data-plane-locator": { "transport": "service-locator:vxlan-gpe", "ip": "172.16.9.32", "port": 6633 },
            "service-function-forwarder-ovs:ovs-options": { "nshc4": "flow", "nshc3": "flow", "nshc2": "flow", "nsi": "flow", "nshc1": "flow", "exts": "gpe", "remote-ip": "flow", "key": "flow", "dst-port": "6633", "nsp": "flow" }
          }
        ],
        "service-function-forwarder-ovs:ovs-bridge": { "bridge-name": "br-sfc" }
      },
      {
        "name": "Node06-SFF1",
        "service-function-dictionary": [
          {
            "name": "SF2",
            "sff-sf-data-plane-locator": { "sf-dpl-name": "SF2-dpl", "sff-dpl-name": "Node06-SFF1-2-dpl" }
          },
          {
            "name": "SF3",
            "sff-sf-data-plane-locator": { "sf-dpl-name": "SF3-dpl", "sff-dpl-name": "Node06-SFF1-3-dpl" }
          },
          {
            "name": "SF1",
            "sff-sf-data-plane-locator": { "sf-dpl-name": "SF1-dpl", "sff-dpl-name": "Node06-SFF1-1-dpl" }
          }
        ],
        "service-node": "Node06-SN-SFF",
        "sff-data-plane-locator": [
          {
            "name": "Node06-SFF1-2-dpl",
            "data-plane-locator": { "transport": "service-locator:vxlan-gpe", "ip": "172.16.9.23", "port": 6633 },
            "service-function-forwarder-ovs:ovs-options": { "nshc4": "flow", "nshc3": "flow", "nshc2": "flow", "nsi": "flow", "nshc1": "flow", "exts": "gpe", "remote-ip": "flow", "key": "flow", "dst-port": "6633", "nsp": "flow" }
          },
          {
            "name": "Node06-SFF1-3-dpl",
            "data-plane-locator": { "transport": "service-locator:vxlan-gpe", "ip": "172.16.9.23", "port": 6633 },
            "service-function-forwarder-ovs:ovs-options": { "nshc4": "flow", "nshc3": "flow", "nshc2": "flow", "nsi": "flow", "nshc1": "flow", "exts": "gpe", "remote-ip": "flow", "key": "flow", "dst-port": "6633", "nsp": "flow" }
          },
          {
            "name": "Node06-SFF1-1-dpl",
            "data-plane-locator": { "transport": "service-locator:vxlan-gpe", "ip": "172.16.9.23", "port": 6633 },
            "service-function-forwarder-ovs:ovs-options": { "nshc4": "flow", "nshc3": "flow", "nshc2": "flow", "nsi": "flow", "nshc1": "flow", "exts": "gpe", "remote-ip": "flow", "key": "flow", "dst-port": "6633", "nsp": "flow" }
          }
        ],
        "service-function-forwarder-ovs:ovs-bridge": { "bridge-name": "br-sfc" }
      },
      {
        "name": "Node05-SFF2",
        "service-node": "Node05-SN-Server",
        "sff-data-plane-locator": [
          {
            "name": "Node05-SFF2-1-dpl",
            "data-plane-locator": { "transport": "service-locator:vxlan-gpe", "ip": "172.16.9.42", "port": 6633 },
            "service-function-forwarder-ovs:ovs-options": { "nshc4": "flow", "nshc3": "flow", "nshc2": "flow", "nsi": "flow", "nshc1": "flow", "exts": "gpe", "remote-ip": "flow", "key": "flow", "dst-port": "6633", "nsp": "flow" }
          }
        ],
        "service-function-forwarder-ovs:ovs-bridge": { "bridge-name": "br-sfc" }
      }
    ]
  }
}
--------

Flow dump on Node05-SFF1, i.e. the client node

serro@ubuntu-node5-testvm1:~$ sudo ovs-ofctl dump-flows br-sfc
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=386.967s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=80 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x273->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=386.388s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=22 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x27c->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=386.915s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,nsi=253,nsp=8389235 actions=pop_nsh,output:1
cookie=0x0, duration=386.345s, table=0, n_packets=0, n_bytes=0, idle_age=386, priority=1000,nsi=252,nsp=8389244 actions=pop_nsh,output:1
cookie=0x14, duration=386.425s, table=0, n_packets=0, n_bytes=0, idle_age=387, priority=5 actions=resubmit(,1)

--------------------

Flow dump on Node05-SFF2, i.e. the server node

serro@ubuntu-node5-testvm2:~$ sudo ovs-ofctl dump-flows br-sfc
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=473.375s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_src=22 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x80027c->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x0, duration=473.321s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,nsi=252,nsp=636 actions=pop_nsh,output:1
cookie=0x0, duration=473.121s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,nsi=253,nsp=627 actions=pop_nsh,output:1
cookie=0x0, duration=473.172s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=1000,tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=1024 actions=push_nsh,load:0x1->NXM_NX_NSH_MDTYPE[],load:0x3->NXM_NX_NSH_NP[],load:0x800273->NXM_NX_NSP[0..23],load:0xff->NXM_NX_NSI[],load:0x1->NXM_NX_NSH_C1[],load:0x2->NXM_NX_NSH_C2[],load:0x3->NXM_NX_NSH_C3[],load:0x4->NXM_NX_NSH_C4[],load:0x4->NXM_NX_TUN_GPE_NP[],load:0xac100917->NXM_NX_TUN_IPV4_DST[],output:2
cookie=0x14, duration=473.223s, table=0, n_packets=0, n_bytes=0, idle_age=473, priority=5 actions=resubmit(,1)
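
Added example (not part of the original report and not OpenDaylight SFC code): a small audit that expands an ACE's port ranges into the value/mask matches OVS accepts for tp_src and tp_dst, then compares them with the matches found in dump-flows lines. It assumes a [0, 0] range means "any port", as in the flows the report calls expected; the function names are illustrative.

```python
import re

# Match portions copied from the report; the actions are abbreviated there as well.
RULE4_FLOW = "tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_dst=1024 actions=push_nsh,.....,output:2"
RULE2_FLOW = "tcp,in_port=1,nw_src=192.168.2.0/24,nw_dst=192.168.2.0/24,tp_src=22 actions=push_nsh,....,output:2"

def range_to_masks(lo, hi):
    """Cover the inclusive 16-bit port range [lo, hi] with (value, mask) pairs."""
    out = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo and still fits.
        size = lo & -lo if lo else 1 << 16
        while size > hi - lo + 1:
            size >>= 1
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out

def expected_matches(src, dst):
    """Every (tp_src, tp_dst) pair one ACE needs; None means the field is unmatched.
    Assumption: a [0, 0] range means 'any port'."""
    def side(r):
        return [None] if tuple(r) == (0, 0) else range_to_masks(*r)
    return {(s, d) for s in side(src) for d in side(dst)}

def parse_flow(line):
    """Extract tp_src and tp_dst as (value, mask) pairs from a dump-flows line."""
    def field(name):
        m = re.search(rf"\b{name}=(\w+)(?:/(\w+))?", line)
        if not m:
            return None
        # An exact match such as tp_dst=80 carries an implicit full mask.
        return int(m.group(1), 0), int(m.group(2) or "0xffff", 0)
    return field("tp_src"), field("tp_dst")

def audit(src, dst, flow_lines):
    """Return (missing, unexpected) port-match pairs for one ACE."""
    want = expected_matches(src, dst)
    have = {parse_flow(line) for line in flow_lines}
    return want - have, have - want

if __name__ == "__main__":
    missing, unexpected = audit((80, 80), (1024, 65535), [RULE4_FLOW])
    print("rule 4 missing:", sorted(missing))
    print("rule 4 unexpected:", unexpected)
    print("rule 2:", audit((22, 22), (0, 0), [RULE2_FLOW]))
```

For rule 4 the audit reports six missing pairs (tp_src=80 combined with each value/mask block covering 1024-65535) and one unexpected exact match on tp_dst=1024, which is the flow shown in the server dump.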

