northd, controller: Add CoPP for SVC monitor

The SVC monitor was exposed without any limitation. Add CoPP for the SVC monitor flow, which adds a way for CMSs to limit the traffic that this flow accepts. Signed-off-by: Ales Musil <amusil@redhat.com>
ovn-org · Aug 29, 2023 · 3297ea6 · 3297ea6
1 parent 55400ec
commit 3297ea6
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 5 deletions.
diff --git a/lib/copp.c b/lib/copp.c
@@ -38,6 +38,7 @@ static char *copp_proto_names[COPP_PROTO_MAX] = {
     [COPP_ND_RA_OPTS]    = "nd-ra-opts",
     [COPP_TCP_RESET]     = "tcp-reset",
     [COPP_REJECT]        = "reject",
+    [COPP_SVC_MONITOR]   = "svc-monitor",
     [COPP_BFD]           = "bfd",
 };
 

diff --git a/lib/copp.h b/lib/copp.h
@@ -37,6 +37,7 @@ enum copp_proto {
     COPP_TCP_RESET,
     COPP_BFD,
     COPP_REJECT,
+    COPP_SVC_MONITOR,
     COPP_PROTO_MAX,
     COPP_PROTO_INVALID = COPP_PROTO_MAX,
 };

diff --git a/northd/northd.c b/northd/northd.c
@@ -8423,9 +8423,11 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
 {
     if (od->nbs) {
 
-        ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110,
-                      "eth.dst == $svc_monitor_mac && (tcp || icmp || icmp6)",
-                      "handle_svc_check(inport);");
+        ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 110, "eth.dst == "
+                          "$svc_monitor_mac && (tcp || icmp || icmp6)",
+                          "handle_svc_check(inport);",
+                          copp_meter_get(COPP_SVC_MONITOR, od->nbs->copp,
+                                         meter_groups));
 
         struct mcast_switch_info *mcast_sw_info = &od->mcast_info.sw;
 

diff --git a/ovn-nb.xml b/ovn-nb.xml
@@ -420,6 +420,10 @@
     <column name="meters" key="reject">
       Rate limiting meter for packets that trigger a reject action
     </column>
+    <column name="meters" key="svc-monitor">
+      Rate limiting meter for packets that are arriving to service
+      monitor MAC address.
+    </column>
     <column name="external_ids">
       See <em>External IDs</em> at the beginning of this document.
     </column>

diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
@@ -3362,7 +3362,7 @@ AT_CHECK([ovn-sbctl list logical_flow | grep trigger_event -A 2 | grep -q meter0
 
 # let's try to add an usupported protocol "dhcp"
 AT_CHECK([ovn-nbctl --wait=hv copp-add copp5 dhcp meter1],[1],[],[dnl
-ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject.
+ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject, svc-monitor.
 ])
 
 #Let's try to add a valid protocol to an unknown datapath

diff --git a/tests/system-ovn.at b/tests/system-ovn.at
@@ -7019,6 +7019,23 @@ OVS_WAIT_UNTIL([
 ])
 kill $(pidof tcpdump)
 
+check ovn-nbctl set nb_global . options:svc_monitor_mac="33:33:33:33:33:33"
+check ovn-nbctl meter-add svc-meter drop 1 pktps 0
+check ovn-nbctl --wait=hv copp-add copp4 svc-monitor svc-meter
+check ovn-nbctl --wait=hv ls-copp-add copp4 sw0
+check ovn-appctl -t ovn-controller vlog/set vconn:dbg
+AT_CHECK([ovn-nbctl copp-list copp4], [0], [dnl
+svc-monitor: svc-meter
+])
+
+ip netns exec sw01 scapy -H <<-EOF
+p = Ether(dst="33:33:33:33:33:33", src="f0:00:00:01:02:03") /\
+    IP(dst="192.168.1.100", src="192.168.1.2") / TCP(dport=1234, sport=1234)
+sendp(p, iface='sw01', loop=0, verbose=0, count=20)
+EOF
+
+OVS_WAIT_UNTIL([test "1" = "$(grep -c "dl_dst=33:33:33:33:33:33" ovn-controller.log)"])
+
 kill $(pidof ovn-controller)
 
 as ovn-sb
@@ -7032,7 +7049,8 @@ OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
 
 as
 OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d
-/.*terminating with signal 15.*/d"])
+/.*terminating with signal 15.*/d
+/.*Service monitor not found/d"])
 
 AT_CLEANUP
 ])