kytos-ng / mef_eline

Kytos NApp to create and manage point-to-point L2 circuits
https://kytos-ng.github.io/api/mef_eline.html
MIT License

During an EVC update it's not checking if a UNI is conflicting (or shared with other EVCs), it can overwrite another EVC ingress flows #323

Closed viniarck closed 6 months ago

viniarck commented 1 year ago

I was reviewing some implementation details for the upcoming vlan range feature, and just realized that currently we do have a mechanism to avoid allowing overlapping UNIs (interface + tag) with _is_duplicated_evc(evc), but this method is only being called on POST /v2/evc/, so on PATCH /v2/evc/{{circuit_id}}, if you set an overlapping tag value it'll accept it, which should be invalid, since it'd be leaking the same access vlan on different EVCs, which would also end up overwriting the flows.

Notice that during update, it's also changing a reference, so to verify if it's overlapping, a copy might be needed (until we start also verifying if the tags are also available in the UNI with the is_valid, but that is only being used for NNI for some reason, probably technical debt).

How to reproduce

{
  "name": "evpl",
  "service_level": 6,
  "dynamic_backup_path": true,
  "uni_a": {
    "interface_id": "00:00:00:00:00:00:00:01:1",
    "tag": {
      "tag_type": 1,
      "value": 10
    }
  },
  "uni_z": {
    "interface_id": "00:00:00:00:00:00:00:03:1",
    "tag": {
      "tag_type": 1,
      "value": 10
    }
  }
}

{
  "name": "evpl2",
  "service_level": 6,
  "dynamic_backup_path": true,
  "uni_a": {
    "interface_id": "00:00:00:00:00:00:00:01:1",
    "tag": {
      "tag_type": 1,
      "value": 11
    }
  },
  "uni_z": {
    "interface_id": "00:00:00:00:00:00:00:03:1",
    "tag": {
      "tag_type": 1,
      "value": 11
    }
  }
}

{
    "uni_a": {
        "interface_id": "00:00:00:00:00:00:00:01:1",
        "tag": {
            "tag_type": 1,
            "value": 10
        }
    }
}

❯ sudo ovs-ofctl -O OpenFlow13 dump-flows s1
 cookie=0xac00000000000001, duration=64.375s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=50000,dl_src=ee:ee:ee:ee:ee:03 actions=CONTROLLER:65535
 cookie=0xac00000000000001, duration=64.355s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=50000,dl_src=ee:ee:ee:ee:ee:02 actions=CONTROLLER:65535
 cookie=0xaa14aa28bb55ed46, duration=44.571s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth1",dl_vlan=10 actions=set_field:4106->vlan_vid,push_vlan:0x88a8,set_field:4097->vlan_vid,output:"s1-eth4"
 cookie=0xaa14aa28bb55ed46, duration=44.567s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth4",dl_vlan=1 actions=pop_vlan,output:"s1-eth1"
 cookie=0xaa14aa28bb55ed46, duration=44.471s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth3",dl_vlan=1 actions=pop_vlan,output:"s1-eth1"
 cookie=0xaac015101cea9f4a, duration=16.826s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth1",dl_vlan=11 actions=set_field:4107->vlan_vid,push_vlan:0x88a8,set_field:4098->vlan_vid,output:"s1-eth4"
 cookie=0xaac015101cea9f4a, duration=16.825s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth4",dl_vlan=2 actions=pop_vlan,output:"s1-eth1"
 cookie=0xaac015101cea9f4a, duration=16.721s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth3",dl_vlan=2 actions=pop_vlan,output:"s1-eth1"
 cookie=0xab00000000000001, duration=64.734s, table=0, n_packets=44, n_bytes=1848, send_flow_rem priority=1000,dl_vlan=3799,dl_type=0x88cc actions=CONTROLLER:65535

After the update:

❯ sudo ovs-ofctl -O OpenFlow13 dump-flows s1
 cookie=0xac00000000000001, duration=327.658s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=50000,dl_src=ee:ee:ee:ee:ee:03 actions=CONTROLLER:65535
 cookie=0xac00000000000001, duration=327.638s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=50000,dl_src=ee:ee:ee:ee:ee:02 actions=CONTROLLER:65535
 cookie=0xaa14aa28bb55ed46, duration=307.850s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth4",dl_vlan=1 actions=pop_vlan,output:"s1-eth1"
 cookie=0xaa14aa28bb55ed46, duration=307.754s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth3",dl_vlan=1 actions=pop_vlan,output:"s1-eth1"
 cookie=0xaac015101cea9f4a, duration=99.862s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth4",dl_vlan=3 actions=pop_vlan,output:"s1-eth1"
 cookie=0xaac015101cea9f4a, duration=99.762s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth3",dl_vlan=3 actions=pop_vlan,output:"s1-eth1"
 cookie=0xaa14aa28bb55ed46, duration=26.851s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=20000,in_port="s1-eth1",dl_vlan=10 actions=set_field:4106->vlan_vid,push_vlan:0x88a8,set_field:4097->vlan_vid,output:"s1-eth4"
 cookie=0xab00000000000001, duration=328.017s, table=0, n_packets=218, n_bytes=9156, send_flow_rem priority=1000,dl_vlan=3799,dl_type=0x88cc actions=CONTROLLER:65535
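
The check this issue asks for, as an added sketch that is not mef_eline's code and not part of the original comment: the same UNI overlap test runs on create and on update, and the update validates a merged copy while skipping the EVC being patched. All function names and the circuit ids `evc-1`/`evc-2` are hypothetical, and only exact interface + tag matches are modelled (no vlan ranges).

```python
from copy import deepcopy

def uni_key(uni):
    """Identify an access endpoint as (interface_id, tag_type, value)."""
    tag = uni.get("tag") or {}
    return (uni["interface_id"], tag.get("tag_type"), tag.get("value"))

def find_uni_conflicts(circuits, candidate, ignore_id=None):
    """List (circuit_id, uni_key) for stored EVCs that share a UNI with candidate."""
    wanted = {uni_key(candidate[s]) for s in ("uni_a", "uni_z")}
    return [
        (cid, uni_key(evc[side]))
        for cid, evc in circuits.items() if cid != ignore_id
        for side in ("uni_a", "uni_z") if uni_key(evc[side]) in wanted
    ]

def create_evc(circuits, circuit_id, payload):
    conflicts = find_uni_conflicts(circuits, payload)
    if conflicts:
        raise ValueError(f"UNI already in use: {conflicts}")
    circuits[circuit_id] = deepcopy(payload)

def patch_evc(circuits, circuit_id, patch):
    # Validate a merged copy: the stored EVC must stay untouched if the check
    # fails, and the EVC being updated must not be compared against itself.
    candidate = deepcopy(circuits[circuit_id])
    candidate.update(deepcopy(patch))
    conflicts = find_uni_conflicts(circuits, candidate, ignore_id=circuit_id)
    if conflicts:
        raise ValueError(f"UNI already in use: {conflicts}")
    circuits[circuit_id] = candidate

def uni(port, vlan):
    return {"interface_id": port, "tag": {"tag_type": 1, "value": vlan}}

def demo():
    """Replay the three requests from the issue against an in-memory store."""
    a, z = "00:00:00:00:00:00:00:01:1", "00:00:00:00:00:00:00:03:1"
    circuits = {}
    create_evc(circuits, "evc-1", {"name": "evpl", "uni_a": uni(a, 10), "uni_z": uni(z, 10)})
    create_evc(circuits, "evc-2", {"name": "evpl2", "uni_a": uni(a, 11), "uni_z": uni(z, 11)})
    try:
        patch_evc(circuits, "evc-2", {"uni_a": uni(a, 10)})
        rejected = False
    except ValueError:
        rejected = True
    # The overlapping PATCH is refused and evpl2 keeps its original tag.
    return rejected, circuits["evc-2"]["uni_a"]["tag"]["value"]

if __name__ == "__main__":
    print(demo())
```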

viniarck commented 6 months ago

This is no longer an issue:

{
    "description": "KytosTagsAreNotAvailable, The tags [[2223, 2223]] are not available in 00:00:00:00:00:00:00:01:1",
    "code": 400
}