Currently Policy is enabled based on references to SG/network-policy
refs. now it is changed to Policy will be enabled by default.
If the 'policy disable' flag is explicitly checked on the
VMI, services such as BGPaaS and link-local services still require flows
to function. To allow those flows to be created, policy is explicitly enabled for the nh
of the default gateway IP, DNS server IP and link-local service IPs.
closes-bug: #1636574
(cherry picked from commit f36cdbf)

Change-Id: I668ec8c9f8191cd2bd20124aa3b6dfa3876d4346
jayaramsatya committed Nov 18, 2016
1 parent 6ea15fc commit e50cddd
Showing 8 changed files with 41 additions and 80 deletions.
41 changes: 18 additions & 23 deletions src/vnsw/agent/oper/test/test_intf.cc
Expand Up @@ -845,8 +845,8 @@ TEST_F(IntfTest, VmPortPolicy_1) {
CfgIntfSync(2, "cfg-vnet2", 1, 1, "vrf5", "1.1.1.2");
client->WaitForIdle();
EXPECT_TRUE(client->PortNotifyWait(2));
EXPECT_FALSE(VmPortPolicyEnable(1));
EXPECT_FALSE(VmPortPolicyEnable(2));
EXPECT_TRUE(VmPortPolicyEnable(1));
EXPECT_TRUE(VmPortPolicyEnable(2));

client->Reset();
NovaDel(1);
Expand Down Expand Up @@ -901,8 +901,8 @@ TEST_F(IntfTest, VmPortPolicy_2) {
EXPECT_TRUE(client->PortNotifyWait(2));
EXPECT_TRUE(VmPortActive(1));
EXPECT_TRUE(VmPortActive(2));
EXPECT_TRUE(VmPortPolicyDisable(1));
EXPECT_TRUE(VmPortPolicyDisable(2));
EXPECT_FALSE(VmPortPolicyDisable(1));
EXPECT_FALSE(VmPortPolicyDisable(2));

client->Reset();
AclAddReq(1);
Expand Down Expand Up @@ -934,8 +934,8 @@ TEST_F(IntfTest, VmPortPolicy_2) {
WAIT_FOR(100, 1000, (Agent::GetInstance()->vn_table()->Size() == 1U));
WAIT_FOR(100, 1000, (Agent::GetInstance()->acl_table()->Size() == 0U));
// Ports already notified. So, they still have policy disabled
EXPECT_TRUE(VmPortPolicyDisable(1));
EXPECT_TRUE(VmPortPolicyDisable(2));
EXPECT_FALSE(VmPortPolicyDisable(1));
EXPECT_FALSE(VmPortPolicyDisable(2));

client->Reset();
NovaDel(1);
Expand Down Expand Up @@ -1018,7 +1018,7 @@ TEST_F(IntfTest, VmPortFloatingIp_1) {
EXPECT_TRUE(client->PortNotifyWait(1));
EXPECT_TRUE(VmPortFloatingIpCount(1, 0));
EXPECT_TRUE(VmPortActive(1));
EXPECT_TRUE(VmPortPolicyDisable(1));
EXPECT_FALSE(VmPortPolicyDisable(1));
EXPECT_FALSE(RouteFind("vrf2", "2.2.2.2", 32));

client->Reset();
Expand Down Expand Up @@ -1093,7 +1093,7 @@ TEST_F(IntfTest, VmPortFloatingIpPolicy_1) {
VnAddReq(1, "vn1");
CfgIntfSync(1, "cfg-vnet1", 1, 1, "vrf1", "1.1.1.1");
client->WaitForIdle();
EXPECT_TRUE(VmPortPolicyDisable(1));
EXPECT_FALSE(VmPortPolicyDisable(1));

// ACL first followed by interface
VnAddReq(1, "vn1", 1, "vrf1");
Expand Down Expand Up @@ -2603,13 +2603,13 @@ TEST_F(IntfTest, IntfStaticRoute_3) {
const NextHop *nh;
nh = RouteGet("vrf1", static_route[0].addr_,
static_route[0].plen_)->GetActiveNextHop();
EXPECT_FALSE(nh->PolicyEnabled());
EXPECT_TRUE(nh->PolicyEnabled());

EXPECT_TRUE(RouteFind("vrf1", static_route[1].addr_,
static_route[1].plen_));
nh = RouteGet("vrf1", static_route[1].addr_,
static_route[1].plen_)->GetActiveNextHop();
EXPECT_FALSE(nh->PolicyEnabled());
EXPECT_TRUE(nh->PolicyEnabled());

//Add a acl to interface and verify NH policy changes
AddAcl("Acl", 1, "vn1", "vn1", "pass");
Expand Down Expand Up @@ -3322,7 +3322,7 @@ TEST_F(IntfTest, Layer2Mode_1) {
client->WaitForIdle();
EXPECT_TRUE(client->PortNotifyWait(1));
const VmInterface *vm_intf = static_cast<const VmInterface *>(VmPortGet(1));
EXPECT_TRUE(vm_intf->policy_enabled() == false);
EXPECT_FALSE(vm_intf->policy_enabled() == false);
EXPECT_TRUE(vm_intf->IsL2Active() == true);

const MacAddress mac("00:00:00:00:00:01");
Expand Down Expand Up @@ -3378,26 +3378,24 @@ TEST_F(IntfTest, Layer2Mode_2) {

//Make the VN as layer2 only
//EVPN route should be added with IP set to 0
//Interface should be policy disabled
AddL2Vn("vn1", 1);
client->WaitForIdle();
EXPECT_TRUE(vm_intf->policy_enabled() == false);
EXPECT_FALSE(vm_intf->policy_enabled() == false);
EXPECT_TRUE(vm_intf->IsL2Active() == true);
EXPECT_TRUE(vm_intf->dhcp_enable_config() == true);

evpn_rt = EvpnRouteGet("vrf1", mac, zero_ip,
vm_intf->ethernet_tag());
EXPECT_TRUE(evpn_rt != NULL);
EXPECT_TRUE(evpn_rt->GetActiveNextHop()->PolicyEnabled() == false);
EXPECT_FALSE(evpn_rt->GetActiveNextHop()->PolicyEnabled() == false);
uint32_t label = vm_intf->l2_label();
MplsLabel *mpls_label = GetActiveLabel(MplsLabel::VPORT_NH, label);
EXPECT_TRUE(mpls_label->nexthop()->PolicyEnabled() == false);
EXPECT_FALSE(mpls_label->nexthop()->PolicyEnabled() == false);
evpn_rt = EvpnRouteGet("vrf1", mac, ip, vm_intf->ethernet_tag());
EXPECT_TRUE(evpn_rt == NULL);
WAIT_FOR(100, 1000, (RouteFind("vrf1", "8.1.1.1", 32) == false));

//Verify L3 route gets added
//and policy get enabled
AddVn("vn1", 1);
client->WaitForIdle();
EXPECT_TRUE(vm_intf->policy_enabled() == true);
Expand Down Expand Up @@ -3452,10 +3450,9 @@ TEST_F(IntfTest, Layer2Mode_3) {

//Make the VN as layer2 only
//EVPN route should be added with IP set to 0
//Interface should be policy disabled
AddL2Vn("vn1", 1);
client->WaitForIdle();
EXPECT_TRUE(vm_intf->policy_enabled() == false);
EXPECT_FALSE(vm_intf->policy_enabled() == false);
EXPECT_TRUE(vm_intf->IsL2Active() == true);

evpn_rt = EvpnRouteGet("vrf1", mac, zero_ip,
Expand All @@ -3466,7 +3463,6 @@ TEST_F(IntfTest, Layer2Mode_3) {
EXPECT_FALSE(RouteFindV6("vrf1", addr, 128));

//Verify L3 route gets added
//and policy get enabled
AddVn("vn1", 1);
client->WaitForIdle();
EXPECT_TRUE(vm_intf->IsL2Active() == true);
Expand Down Expand Up @@ -3668,19 +3664,18 @@ TEST_F(IntfTest, MultipleIp2) {

//Make the VN as layer2 only
//EVPN route should be added with IP set to 0
//Interface should be policy disabled
AddL2Vn("vn1", 1);
client->WaitForIdle();
EXPECT_TRUE(vm_intf->policy_enabled() == false);
EXPECT_FALSE(vm_intf->policy_enabled() == false);
EXPECT_TRUE(vm_intf->IsL2Active() == true);

evpn_rt = EvpnRouteGet("vrf1", mac, zero_ip,
vm_intf->ethernet_tag());
EXPECT_TRUE(evpn_rt != NULL);
EXPECT_TRUE(evpn_rt->GetActiveNextHop()->PolicyEnabled() == false);
EXPECT_FALSE(evpn_rt->GetActiveNextHop()->PolicyEnabled() == false);
uint32_t label = vm_intf->l2_label();
MplsLabel *mpls_label = GetActiveLabel(MplsLabel::VPORT_NH, label);
EXPECT_TRUE(mpls_label->nexthop()->PolicyEnabled() == false);
EXPECT_FALSE(mpls_label->nexthop()->PolicyEnabled() == false);

//VN is on l2 only mode, verify ip + mac evpn route is deleted
evpn_rt = EvpnRouteGet("vrf1", mac, ip, vm_intf->ethernet_tag());
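Review bot: The comment kept in the VmPortPolicy_2 hunk, `// Ports already notified. So, they still have policy disabled`, now sits directly above `EXPECT_FALSE(VmPortPolicyDisable(1))`, which asserts the opposite; it should read `// Ports already notified. Policy is on by default, so they stay policy enabled`. The rewritten assertions in Layer2Mode_1, Layer2Mode_2, Layer2Mode_3 and MultipleIp2 use the double negative `EXPECT_FALSE(vm_intf->policy_enabled() == false)`; `EXPECT_TRUE(vm_intf->policy_enabled())` (and likewise for the `PolicyEnabled() == false` checks on the EVPN and MPLS next hops) reads directly and gives a clearer failure message. Those L2-only hunks now expect policy enabled immediately after `AddL2Vn`, while `VmInterface::PolicyEnabled()` in vm_interface.cc still returns false when `layer3_forwarding_` is false, so this presumably relies on `AddL2Vn` not clearing layer-3 forwarding on the interface — worth recording where the old `//Interface should be policy disabled` line was dropped, e.g. `//Interface stays policy enabled (policy is on by default)`. Each TEST_F body starts outside its hunk.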
2 changes: 1 addition & 1 deletion src/vnsw/agent/oper/test/test_intf_policy.cc
Expand Up @@ -391,7 +391,7 @@ TEST_F(PolicyTest, IntfPolicyDisable_Fip) {
EXPECT_TRUE(VmPortActive(input, 0));
const VmInterface *intf = VmInterfaceGet(input[0].intf_id);
EXPECT_TRUE(intf != NULL);
EXPECT_FALSE(intf->policy_enabled());
EXPECT_TRUE(intf->policy_enabled());

//Create a VN for floating-ip
client->Reset();
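Review bot: The flipped assertion `EXPECT_TRUE(intf->policy_enabled())` sits in a test named IntfPolicyDisable_Fip; since the new `VmInterface::PolicyEnabled()` still returns false once `disable_policy_` is set, this expectation can only hold if the disable-policy config has not yet been applied at this point of the test. If that is the case, a one-line comment such as `// Policy is on by default until disable-policy is configured below` would explain why the expectation differs from the test's name. The TEST_F body starts and ends outside the hunk.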
45 changes: 4 additions & 41 deletions src/vnsw/agent/oper/vm_interface.cc
Expand Up @@ -2587,51 +2587,14 @@ bool VmInterface::WaitForTraffic() const {
return rt->FindPath(peer_.get())->path_preference().wait_for_traffic();
}

// Compute if policy is to be enabled on the interface
// Policy is disabled only if user explicitly sets disable policy.
// If user changes to disable policy. only policy will be enabled in case of
// link local services & BGP as a service.
bool VmInterface::PolicyEnabled() const {
if (disable_policy_) {
return false;
}

// Policy not supported for fabric ports
if (fabric_port_) {
return false;
}

if (layer3_forwarding_ == false) {
return false;
}

if (vn_.get() && vn_->IsAclSet()) {
return true;
}

// Floating-IP list and SG List can have entries in del_pending state
// Look for entries in non-del-pending state
FloatingIpSet::iterator fip_it = floating_ip_list_.list_.begin();
while (fip_it != floating_ip_list_.list_.end()) {
if (fip_it->del_pending_ == false) {
return true;
}
fip_it++;
}

SecurityGroupEntrySet::iterator sg_it = sg_list_.list_.begin();
while (sg_it != sg_list_.list_.end()) {
if (sg_it->del_pending_ == false) {
return true;
}
sg_it++;
}

VrfAssignRuleSet::iterator vrf_it = vrf_assign_rule_list_.list_.begin();
while (vrf_it != vrf_assign_rule_list_.list_.end()) {
if (vrf_it->del_pending_ == false) {
return true;
}
vrf_it++;
}
return false;
return true;
}

// VN is in VXLAN mode if,
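Review bot: The header comment on `VmInterface::PolicyEnabled()` says policy "will be enabled in case of link local services & BGP as a service" when the user disables it, but the function returns false unconditionally on `disable_policy_`; that exception is not implemented here (the visible vn.cc hunks enable policy on the gateway/DNS host-route next hops instead), so the comment points readers to the wrong place. Suggest `// Policy is enabled by default. It is off only when the user explicitly disables it, on fabric ports, or when layer-3 forwarding is off. Flows needed by link-local services and BGPaaS with policy disabled are provided by policy-enabled host-route next hops (see VnTable::AddIPAMRoutes).` With three guards left, the body could also collapse to `return !disable_policy_ && !fabric_port_ && layer3_forwarding_;`, which yields the same result for every input. Dropping the SG/ACL/floating-IP/vrf-assign checks means an interface with none of those now gets policy, which appears to be the intended default but changes flow-setup behaviour for every VMI with default config.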
7 changes: 5 additions & 2 deletions src/vnsw/agent/oper/vn.cc
Expand Up @@ -911,7 +911,7 @@ bool VnTable::IpamChangeNotify(std::vector<VnIpam> &old_ipam,
if (gateway_changed) {
if (IsGwHostRouteRequired()) {
UpdateHostRoute((*it_old).default_gw,
(*it_new).default_gw, vn, false);
(*it_new).default_gw, vn, true);
}
}
if (service_address_changed) {
Expand Down Expand Up @@ -985,8 +985,11 @@ void VnTable::AddIPAMRoutes(VnEntry *vn, VnIpam &ipam) {
if (vrf->GetName() == agent()->linklocal_vrf_name()) {
return;
}
// Allways policy will be enabled for default Gateway and
// Dns server to create flows for BGP as service even
// though explicit disable policy config form user.
if (IsGwHostRouteRequired())
AddHostRoute(vn, ipam.default_gw, false);
AddHostRoute(vn, ipam.default_gw, true);
AddHostRoute(vn, ipam.dns_server, true);
AddSubnetRoute(vn, ipam);
ipam.installed = true;
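Review bot: The comment added before `AddHostRoute(vn, ipam.default_gw, true)` has typos ("Allways", "config form user") and does not say that this deliberately overrides the VMI's disable-policy setting for the gateway and DNS host routes only; suggest `// Policy is always enabled on the default-gateway and DNS-server host routes so that flows are created for BGPaaS / link-local services even when the user explicitly disables policy on the VMI.` The first hunk makes the same change for `UpdateHostRoute` on a gateway change, so the two call sites must stay in step; a named constant or a trailing comment at the `true` argument would make the policy flag readable at both. The commit message also mentions link-local service IPs, which are not covered by the visible hunks — presumably handled elsewhere. Both enclosing functions (IpamChangeNotify, AddIPAMRoutes) start outside their hunks.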
12 changes: 6 additions & 6 deletions src/vnsw/agent/pkt/test/egress-flow.xml
Expand Up @@ -38,10 +38,10 @@
<flow name="l2-vxlan-udp-to-vm-vxlan-1" uuid="1" vrf="vrf1" nh="11" sip="1.1.1.2"
dip="1.1.1.1" proto="udp" sport="1" dport="1" svn="__UNKNOWN__"
dvn="vn1" action="deny"/>
<flow name="l2-gre-udp-to-vm-gre-1" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.2"
<flow name="l2-gre-udp-to-vm-gre-1" uuid="1" vrf="vrf1" nh="14" sip="1.1.1.2"
dip="1.1.1.1" proto="udp" sport="1" dport="2" svn="__UNKNOWN__"
dvn="vn1" action="deny"/>
<flow name="l3-gre-udp-to-vm-1" uuid="1" vrf="vrf1" nh="16" sip="1.1.1.2"
<flow name="l3-gre-udp-to-vm-1" uuid="1" vrf="vrf1" nh="15" sip="1.1.1.2"
dip="1.1.1.1" proto="udp" sport="1" dport="3" svn="__UNKNOWN__"
dvn="vn1" action="deny"/>
</validate>
Expand Down Expand Up @@ -76,10 +76,10 @@
<flow name="l2-udp-to-vm-vxlan-1" uuid="1" vrf="vrf1" nh="11" sip="1.1.1.2"
dip="1.1.1.1" proto="udp" sport="1" dport="11" svn="vn1"
dvn="vn1" action="pass"/>
<flow name="l2-udp-to-vm-gre-1" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.2"
<flow name="l2-udp-to-vm-gre-1" uuid="1" vrf="vrf1" nh="14" sip="1.1.1.2"
dip="1.1.1.1" proto="udp" sport="1" dport="12" svn="vn1"
dvn="vn1" action="pass"/>
<flow name="l3-udp-to-vm-1" uuid="1" vrf="vrf1" nh="16" sip="1.1.1.2"
<flow name="l3-udp-to-vm-1" uuid="1" vrf="vrf1" nh="15" sip="1.1.1.2"
dip="1.1.1.1" proto="udp" sport="1" dport="13" svn="vn1"
dvn="vn1" action="pass"/>
</validate>
Expand Down Expand Up @@ -108,13 +108,13 @@
<flow name="l3-udp-to-fat-flow-1" uuid="1" vrf="vrf1" nh="25" sip="1.1.1.3"
dip="1.1.1.2" proto="udp" sport="53" dport="0" svn="vn1"
dvn="vn1" action="pass"/>
<flow name="l3-udp-to-fat-flow-2" uuid="1" vrf="vrf1" nh="17" sip="1.1.1.2"
<flow name="l3-udp-to-fat-flow-2" uuid="1" vrf="vrf1" nh="18" sip="1.1.1.2"
dip="1.1.1.3" proto="udp" sport="0" dport="53" svn="vn1"
dvn="vn1" action="pass"/>
<flow name="l3-udp-to-fat-flow-1" uuid="1" vrf="vrf1" nh="25" sip="1.1.1.3"
dip="1.1.1.2" proto="udp" sport="0" dport="10" svn="vn1"
dvn="vn1" action="pass"/>
<flow name="l3-udp-to-fat-flow-2" uuid="1" vrf="vrf1" nh="17" sip="1.1.1.2"
<flow name="l3-udp-to-fat-flow-2" uuid="1" vrf="vrf1" nh="18" sip="1.1.1.2"
dip="1.1.1.3" proto="udp" sport="10" dport="0" svn="vn1"
dvn="vn1" action="pass"/>
</validate>
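Review bot: The validate blocks pin next-hop ids (`nh="14"`, `nh="15"`, `nh="18"`) — and in flow-export.xml, ingress-flow.xml and rpf-flow.xml the `rpf_nh` values — to absolute numbers that shifted, presumably because next-hop allocation order changed now that interface NHs are policy-enabled by default; nothing in the fixtures records why. A short comment at the top of each affected validate block, e.g. `<!-- nh ids shifted: interface NHs are policy-enabled by default -->`, would save the next person who renumbers these from re-deriving the cause. Whether `rpf_nh` now equal to `nh` is the expected policy-enabled NH cannot be confirmed from the diff alone.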
4 changes: 2 additions & 2 deletions src/vnsw/agent/pkt/test/flow-export.xml
Expand Up @@ -39,10 +39,10 @@
<validate name="validate-3">
<flow name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.1"
dip="1.1.1.2" proto="udp" sport="1" dport="11" svn="vn1"
dvn="vn1" action="pass" rpf_nh="14"/>
dvn="vn1" action="pass" rpf_nh="13"/>
<flow name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.1"
dip="1.1.1.2" proto="udp" sport="1" dport="12" svn="vn1"
dvn="vn1" action="pass" rpf_nh="14"/>
dvn="vn1" action="pass" rpf_nh="13"/>
</validate>

<flow-export name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13"
4 changes: 2 additions & 2 deletions src/vnsw/agent/pkt/test/ingress-flow.xml
Expand Up @@ -56,10 +56,10 @@
<validate name="validate-3">
<flow name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.1"
dip="1.1.1.2" proto="udp" sport="1" dport="11" svn="vn1"
dvn="vn1" action="pass" rpf_nh="14"/>
dvn="vn1" action="pass" rpf_nh="13"/>
<flow name="l2-udp-from-vm-2" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.1"
dip="1.1.1.2" proto="udp" sport="1" dport="12" svn="vn1"
dvn="vn1" action="pass" rpf_nh="14"/>
dvn="vn1" action="pass" rpf_nh="13"/>
</validate>

<virtual-machine-interface nova="1"
6 changes: 3 additions & 3 deletions src/vnsw/agent/pkt/test/rpf-flow.xml
Expand Up @@ -81,13 +81,13 @@
dvn="vn1" action="pass" rpf_nh="2"/>
<flow name="l2-udp-from-vm-flow1" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.4"
dip="1.1.1.5" proto="udp" sport="1" dport="12" svn="vn1"
dvn="vn1" action="pass" rpf_nh="14"/>
dvn="vn1" action="pass" rpf_nh="13"/>
<flow name="l3-udp-from-vm" uuid="1" vrf="vrf1" nh="13" sip="1.1.1.4"
dip="1.1.1.5" proto="udp" sport="1" dport="11" svn="vn1"
dvn="vn1" action="pass" rpf_nh="14"/>
dvn="vn1" action="pass" rpf_nh="13"/>
<flow name="l3-udp-from-ecmp-vm" uuid="1" vrf="vrf1" nh="23" sip="1.1.1.6"
dip="1.1.1.2" proto="udp" sport="1" dport="14" svn="vn1"
dvn="vn1" action="pass" rpf_nh="15"/>
dvn="vn1" action="pass" rpf_nh="16"/>
</validate>

<!-- Update SG of the interface and verify RPF NH gets
