Currently Policy is enabled based on references to SG/network-policy

refs. now it is changed to Policy will be enabled by default. In case of 'policy disable' flag is explicitly checked on the VMI, then services like BGPaaS/link local service etc that require flows to function. for this flow creation explicitly policy is enabled for nh of Default Gateway ip, dns server ip & link local service ip's. Change-Id: I870d194d19392c51bb33e0e48f9b4cbfc99ac4b1 closes-bug: #1636574 (cherry picked from commit f36cdbf)
Juniper · Nov 4, 2016 · 97f465d · 97f465d
1 parent 79fccc8
commit 97f465d
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 89 deletions.
diff --git a/src/vnsw/agent/oper/test/test_intf.cc b/src/vnsw/agent/oper/test/test_intf.cc
@@ -845,8 +845,8 @@ TEST_F(IntfTest, VmPortPolicy_1) {
     CfgIntfSync(2, "cfg-vnet2", 1, 1, "vrf5", "1.1.1.2");
     client->WaitForIdle();
     EXPECT_TRUE(client->PortNotifyWait(2));
-    EXPECT_FALSE(VmPortPolicyEnable(1));
-    EXPECT_FALSE(VmPortPolicyEnable(2));
+    EXPECT_TRUE(VmPortPolicyEnable(1));
+    EXPECT_TRUE(VmPortPolicyEnable(2));
 
     client->Reset();
     NovaDel(1);
@@ -901,8 +901,8 @@ TEST_F(IntfTest, VmPortPolicy_2) {
     EXPECT_TRUE(client->PortNotifyWait(2));
     EXPECT_TRUE(VmPortActive(1));
     EXPECT_TRUE(VmPortActive(2));
-    EXPECT_TRUE(VmPortPolicyDisable(1));
-    EXPECT_TRUE(VmPortPolicyDisable(2));
+    EXPECT_FALSE(VmPortPolicyDisable(1));
+    EXPECT_FALSE(VmPortPolicyDisable(2));
 
     client->Reset();
     AclAddReq(1);
@@ -934,8 +934,8 @@ TEST_F(IntfTest, VmPortPolicy_2) {
     WAIT_FOR(100, 1000, (Agent::GetInstance()->vn_table()->Size() == 1U));
     WAIT_FOR(100, 1000, (Agent::GetInstance()->acl_table()->Size() == 0U));
     // Ports already notified. So, they still have policy disabled
-    EXPECT_TRUE(VmPortPolicyDisable(1));
-    EXPECT_TRUE(VmPortPolicyDisable(2));
+    EXPECT_FALSE(VmPortPolicyDisable(1));
+    EXPECT_FALSE(VmPortPolicyDisable(2));
 
     client->Reset();
     NovaDel(1);
@@ -1018,7 +1018,7 @@ TEST_F(IntfTest, VmPortFloatingIp_1) {
     EXPECT_TRUE(client->PortNotifyWait(1));
     EXPECT_TRUE(VmPortFloatingIpCount(1, 0));
     EXPECT_TRUE(VmPortActive(1));
-    EXPECT_TRUE(VmPortPolicyDisable(1));
+    EXPECT_FALSE(VmPortPolicyDisable(1));
     EXPECT_FALSE(RouteFind("vrf2", "2.2.2.2", 32));
 
     client->Reset();
@@ -1093,7 +1093,7 @@ TEST_F(IntfTest, VmPortFloatingIpPolicy_1) {
     VnAddReq(1, "vn1");
     CfgIntfSync(1, "cfg-vnet1", 1, 1, "vrf1", "1.1.1.1");
     client->WaitForIdle();
-    EXPECT_TRUE(VmPortPolicyDisable(1));
+    EXPECT_FALSE(VmPortPolicyDisable(1));
 
     // ACL first followed by interface
     VnAddReq(1, "vn1", 1, "vrf1");
@@ -2656,13 +2656,13 @@ TEST_F(IntfTest, IntfStaticRoute_3) {
    const NextHop *nh;
    nh = RouteGet("vrf1", static_route[0].addr_,
                  static_route[0].plen_)->GetActiveNextHop();
-   EXPECT_FALSE(nh->PolicyEnabled());
+   EXPECT_TRUE(nh->PolicyEnabled());
 
    EXPECT_TRUE(RouteFind("vrf1", static_route[1].addr_,
                          static_route[1].plen_));
    nh = RouteGet("vrf1", static_route[1].addr_,
            static_route[1].plen_)->GetActiveNextHop();
-   EXPECT_FALSE(nh->PolicyEnabled());
+   EXPECT_TRUE(nh->PolicyEnabled());
 
    //Add a acl to interface and verify NH policy changes
    AddAcl("Acl", 1, "vn1", "vn1", "pass");
@@ -3375,7 +3375,7 @@ TEST_F(IntfTest, Layer2Mode_1) {
     client->WaitForIdle();
     EXPECT_TRUE(client->PortNotifyWait(1));
     const VmInterface *vm_intf = static_cast<const VmInterface *>(VmPortGet(1));
-    EXPECT_TRUE(vm_intf->policy_enabled() == false);
+    EXPECT_FALSE(vm_intf->policy_enabled() == false);
     EXPECT_TRUE(vm_intf->IsL2Active() == true);
 
     const MacAddress mac("00:00:00:00:00:01");
@@ -3436,26 +3436,24 @@ TEST_F(IntfTest, Layer2Mode_2) {
 
     //Make the VN as layer2 only
     //EVPN route should be added with IP set to 0
-    //Interface should be policy disabled
     AddL2Vn("vn1", 1);
     client->WaitForIdle();
-    EXPECT_TRUE(vm_intf->policy_enabled() == false);
+    EXPECT_FALSE(vm_intf->policy_enabled() == false);
     EXPECT_TRUE(vm_intf->IsL2Active() == true);
     EXPECT_TRUE(vm_intf->dhcp_enable_config() == true);
 
     evpn_rt = EvpnRouteGet("vrf1", mac, zero_ip,
                            vm_intf->ethernet_tag());
     EXPECT_TRUE(evpn_rt != NULL);
-    EXPECT_TRUE(evpn_rt->GetActiveNextHop()->PolicyEnabled() == false);
+    EXPECT_FALSE(evpn_rt->GetActiveNextHop()->PolicyEnabled() == false);
     uint32_t label = vm_intf->l2_label();
     MplsLabel *mpls_label = GetActiveLabel(MplsLabel::VPORT_NH, label);
-    EXPECT_TRUE(mpls_label->nexthop()->PolicyEnabled() == false);
+    EXPECT_FALSE(mpls_label->nexthop()->PolicyEnabled() == false);
     evpn_rt = EvpnRouteGet("vrf1", mac, ip, vm_intf->ethernet_tag());
     EXPECT_TRUE(evpn_rt == NULL);
     WAIT_FOR(100, 1000, (RouteFind("vrf1", "8.1.1.1", 32) == false));
 
     //Verify L3 route gets added
-    //and policy get enabled
     AddVn("vn1", 1);
     client->WaitForIdle();
     EXPECT_TRUE(vm_intf->policy_enabled() == true);
@@ -3518,10 +3516,9 @@ TEST_F(IntfTest, Layer2Mode_3) {
 
     //Make the VN as layer2 only
     //EVPN route should be added with IP set to 0
-    //Interface should be policy disabled
     AddL2Vn("vn1", 1);
     client->WaitForIdle();
-    EXPECT_TRUE(vm_intf->policy_enabled() == false);
+    EXPECT_FALSE(vm_intf->policy_enabled() == false);
     EXPECT_TRUE(vm_intf->IsL2Active() == true);
 
     evpn_rt = EvpnRouteGet("vrf1", mac, zero_ip,
@@ -3532,7 +3529,6 @@ TEST_F(IntfTest, Layer2Mode_3) {
     EXPECT_FALSE(RouteFindV6("vrf1", addr, 128));
 
     //Verify L3 route gets added
-    //and policy get enabled
     AddVn("vn1", 1);
     client->WaitForIdle();
     EXPECT_TRUE(vm_intf->IsL2Active() == true);
@@ -3760,19 +3756,18 @@ TEST_F(IntfTest, MultipleIp2) {
 
     //Make the VN as layer2 only
     //EVPN route should be added with IP set to 0
-    //Interface should be policy disabled
     AddL2Vn("vn1", 1);
     client->WaitForIdle();
-    EXPECT_TRUE(vm_intf->policy_enabled() == false);
+    EXPECT_FALSE(vm_intf->policy_enabled() == false);
     EXPECT_TRUE(vm_intf->IsL2Active() == true);
 
     evpn_rt = EvpnRouteGet("vrf1", mac, zero_ip,
                            vm_intf->ethernet_tag());
     EXPECT_TRUE(evpn_rt != NULL);
-    EXPECT_TRUE(evpn_rt->GetActiveNextHop()->PolicyEnabled() == false);
+    EXPECT_FALSE(evpn_rt->GetActiveNextHop()->PolicyEnabled() == false);
     uint32_t label = vm_intf->l2_label();
     MplsLabel *mpls_label = GetActiveLabel(MplsLabel::VPORT_NH, label);
-    EXPECT_TRUE(mpls_label->nexthop()->PolicyEnabled() == false);
+    EXPECT_FALSE(mpls_label->nexthop()->PolicyEnabled() == false);
 
     //VN is on l2 only mode, verify ip + mac evpn route is deleted
     evpn_rt = EvpnRouteGet("vrf1", mac, ip, vm_intf->ethernet_tag());

diff --git a/src/vnsw/agent/oper/test/test_intf_policy.cc b/src/vnsw/agent/oper/test/test_intf_policy.cc
@@ -388,7 +388,7 @@ TEST_F(PolicyTest, IntfPolicyDisable_Fip) {
     EXPECT_TRUE(VmPortActive(input, 0));
     const VmInterface *intf = VmInterfaceGet(input[0].intf_id);
     EXPECT_TRUE(intf != NULL);
-    EXPECT_FALSE(intf->policy_enabled());
+    EXPECT_TRUE(intf->policy_enabled());
 
     //Create a VN for floating-ip
     client->Reset();

diff --git a/src/vnsw/agent/oper/vm_interface.cc b/src/vnsw/agent/oper/vm_interface.cc
@@ -2822,59 +2822,14 @@ bool VmInterface::WaitForTraffic() const {
      return rt->FindPath(peer_.get())->path_preference().wait_for_traffic();
 }
 
-// Compute if policy is to be enabled on the interface
+// Policy is disabled only if user explicitly sets disable policy.
+// If user changes to disable policy. only policy will be enabled in case of
+// link local services & BGP as a service.
 bool VmInterface::PolicyEnabled() const {
     if (disable_policy_) {
         return false;
     }
-
-    // Policy not supported for fabric ports
-    if (fabric_port_) {
-        return false;
-    }
-
-    if (layer3_forwarding_ == false) {
-        return false;
-    }
-
-    if (vn_.get() && vn_->IsAclSet()) {
-        return true;
-    }
-
-    // Floating-IP list, Alias-IP list and SG List can have entries in
-    // del_pending state Look for entries in non-del-pending state
-    FloatingIpSet::iterator fip_it = floating_ip_list_.list_.begin();
-    while (fip_it != floating_ip_list_.list_.end()) {
-        if (fip_it->del_pending_ == false) {
-            return true;
-        }
-        fip_it++;
-    }
-
-    AliasIpSet::iterator aip_it = alias_ip_list_.list_.begin();
-    while (aip_it != alias_ip_list_.list_.end()) {
-        if (aip_it->del_pending_ == false) {
-            return true;
-        }
-        aip_it++;
-    }
-
-    SecurityGroupEntrySet::iterator sg_it = sg_list_.list_.begin();
-    while (sg_it != sg_list_.list_.end()) {
-        if (sg_it->del_pending_ == false) {
-            return true;
-        }
-        sg_it++;
-    }
-
-    VrfAssignRuleSet::iterator vrf_it = vrf_assign_rule_list_.list_.begin();
-    while (vrf_it != vrf_assign_rule_list_.list_.end()) {
-        if (vrf_it->del_pending_ == false) {
-            return true;
-        }
-        vrf_it++;
-    }
-    return false;
+    return true;
 }
 
 // VN is in VXLAN mode if,

diff --git a/src/vnsw/agent/oper/vn.cc b/src/vnsw/agent/oper/vn.cc
@@ -971,7 +971,7 @@ bool VnTable::IpamChangeNotify(std::vector<VnIpam> &old_ipam,
                 if (gateway_changed) {
                     if (IsGwHostRouteRequired()) {
                         UpdateHostRoute((*it_old).default_gw,
-                                        (*it_new).default_gw, vn, false);
+                                        (*it_new).default_gw, vn, true);
                     }
                 }
                 if (service_address_changed) {
@@ -1045,8 +1045,11 @@ void VnTable::AddIPAMRoutes(VnEntry *vn, VnIpam &ipam) {
         if (vrf->GetName() == agent()->linklocal_vrf_name()) {
             return;
         }
+        // Allways policy will be enabled for default Gateway and
+        // Dns server to create flows for BGP as service even
+        // though explicit disable policy config form user.
         if (IsGwHostRouteRequired())
-            AddHostRoute(vn, ipam.default_gw, false);
+            AddHostRoute(vn, ipam.default_gw, true);
         AddHostRoute(vn, ipam.dns_server, true);
         AddSubnetRoute(vn, ipam);
         ipam.installed = true;

diff --git a/src/vnsw/agent/pkt/test/egress-flow.xml b/src/vnsw/agent/pkt/test/egress-flow.xml
@@ -38,10 +38,10 @@
         <flow name="l2-vxlan-udp-to-vm-vxlan-1" uuid="1" vrf="vrf1" nh="11" sip="1.1.1.2"
          dip="1.1.1.1" proto="udp" sport="1" dport="1" svn="__UNKNOWN__"
          dvn="vn1" action="deny"/>
-        <flow name="l2-gre-udp-to-vm-gre-1" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.2"
+        <flow name="l2-gre-udp-to-vm-gre-1" uuid="1" vrf="vrf1" nh="14" sip="1.1.1.2"
          dip="1.1.1.1" proto="udp" sport="1" dport="2" svn="__UNKNOWN__"
          dvn="vn1" action="deny"/>
-        <flow name="l3-gre-udp-to-vm-1" uuid="1" vrf="vrf1" nh="16" sip="1.1.1.2"
+        <flow name="l3-gre-udp-to-vm-1" uuid="1" vrf="vrf1" nh="15" sip="1.1.1.2"
          dip="1.1.1.1" proto="udp" sport="1" dport="3" svn="__UNKNOWN__"
          dvn="vn1" action="deny"/>
     </validate>
@@ -76,10 +76,10 @@
         <flow name="l2-udp-to-vm-vxlan-1" uuid="1" vrf="vrf1" nh="11" sip="1.1.1.2"
          dip="1.1.1.1" proto="udp" sport="1" dport="11" svn="vn1"
          dvn="vn1" action="pass"/> 
-        <flow name="l2-udp-to-vm-gre-1" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.2"
+        <flow name="l2-udp-to-vm-gre-1" uuid="1" vrf="vrf1" nh="14" sip="1.1.1.2"
          dip="1.1.1.1" proto="udp" sport="1" dport="12" svn="vn1"
          dvn="vn1" action="pass"/> 
-        <flow name="l3-udp-to-vm-1" uuid="1" vrf="vrf1" nh="16" sip="1.1.1.2"
+        <flow name="l3-udp-to-vm-1" uuid="1" vrf="vrf1" nh="15" sip="1.1.1.2"
          dip="1.1.1.1" proto="udp" sport="1" dport="13" svn="vn1"
          dvn="vn1" action="pass"/> 
     </validate>
@@ -108,13 +108,13 @@
         <flow name="l3-udp-to-fat-flow-1" uuid="1" vrf="vrf1" nh="25" sip="1.1.1.3"
          dip="1.1.1.2" proto="udp" sport="53" dport="0" svn="vn1"
          dvn="vn1" action="pass"/>
-        <flow name="l3-udp-to-fat-flow-2" uuid="1" vrf="vrf1" nh="17" sip="1.1.1.2"
+        <flow name="l3-udp-to-fat-flow-2" uuid="1" vrf="vrf1" nh="18" sip="1.1.1.2"
          dip="1.1.1.3" proto="udp" sport="0" dport="53" svn="vn1"
          dvn="vn1" action="pass"/>
         <flow name="l3-udp-to-fat-flow-1" uuid="1" vrf="vrf1" nh="25" sip="1.1.1.3"
          dip="1.1.1.2" proto="udp" sport="0" dport="10" svn="vn1"
          dvn="vn1" action="pass"/>
-        <flow name="l3-udp-to-fat-flow-2" uuid="1" vrf="vrf1" nh="17" sip="1.1.1.2"
+        <flow name="l3-udp-to-fat-flow-2" uuid="1" vrf="vrf1" nh="18" sip="1.1.1.2"
          dip="1.1.1.3" proto="udp" sport="10" dport="0" svn="vn1"
          dvn="vn1" action="pass"/>
     </validate>

diff --git a/src/vnsw/agent/pkt/test/flow-export.xml b/src/vnsw/agent/pkt/test/flow-export.xml
@@ -39,10 +39,10 @@
     <validate name="validate-3">
         <flow name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.1"
          dip="1.1.1.2" proto="udp" sport="1" dport="11" svn="vn1"
-         dvn="vn1" action="pass" rpf_nh="14"/>
+         dvn="vn1" action="pass" rpf_nh="13"/>
         <flow name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.1"
          dip="1.1.1.2" proto="udp" sport="1" dport="12" svn="vn1"
-         dvn="vn1" action="pass" rpf_nh="14"/>
+         dvn="vn1" action="pass" rpf_nh="13"/>
     </validate>
 
     <flow-export name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13"

diff --git a/src/vnsw/agent/pkt/test/ingress-flow.xml b/src/vnsw/agent/pkt/test/ingress-flow.xml
@@ -56,10 +56,10 @@
     <validate name="validate-3">
         <flow name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.1"
          dip="1.1.1.2" proto="udp" sport="1" dport="11" svn="vn1"
-         dvn="vn1" action="pass" rpf_nh="14"/>
+         dvn="vn1" action="pass" rpf_nh="13"/>
         <flow name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.1"
          dip="1.1.1.2" proto="udp" sport="1" dport="12" svn="vn1"
-         dvn="vn1" action="pass" rpf_nh="14"/>
+         dvn="vn1" action="pass" rpf_nh="13"/>
     </validate>
 
     <virtual-machine-interface nova="1"

diff --git a/src/vnsw/agent/pkt/test/rpf-flow.xml b/src/vnsw/agent/pkt/test/rpf-flow.xml
@@ -81,13 +81,13 @@
          dvn="vn1" action="pass" rpf_nh="2"/>
         <flow name="l2-udp-from-vm-flow1" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.4"
          dip="1.1.1.5" proto="udp" sport="1" dport="12" svn="vn1"
-         dvn="vn1" action="pass" rpf_nh="14"/>
+         dvn="vn1" action="pass" rpf_nh="13"/>
         <flow name="l3-udp-from-vm" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.4"
          dip="1.1.1.5" proto="udp" sport="1" dport="11" svn="vn1"
-         dvn="vn1" action="pass" rpf_nh="14"/>
+         dvn="vn1" action="pass" rpf_nh="13"/>
         <flow name="l3-udp-from-ecmp-vm" uuid="1" vrf="vrf1" nh="23" sip="1.1.1.6"
          dip="1.1.1.2" proto="udp" sport="1" dport="14" svn="vn1"
-         dvn="vn1" action="pass" rpf_nh="15"/>
+         dvn="vn1" action="pass" rpf_nh="16"/>
     </validate>
 
     <!-- Update SG of the interface and verify RPF NH gets

diff --git a/src/vnsw/agent/test/test_ecmp_nh.cc b/src/vnsw/agent/test/test_ecmp_nh.cc
@@ -173,7 +173,7 @@ TEST_F(EcmpNhTest, EcmpNH_1) {
     EXPECT_TRUE(nh->GetType() == NextHop::COMPOSITE);
     comp_nh = static_cast<const CompositeNH *>(nh);
     EXPECT_TRUE(comp_nh->ComponentNHCount() == 5);
-    EXPECT_TRUE(comp_nh->PolicyEnabled() == false);
+    EXPECT_FALSE(comp_nh->PolicyEnabled() == false);
 
     DeleteVmportEnv(input1, 5, true);
     client->WaitForIdle();