diff --git a/doc/source/contributor/internals/openvswitch_firewall.rst b/doc/source/contributor/internals/openvswitch_firewall.rst index 64a8df367c6..3b49c08f733 100644 --- a/doc/source/contributor/internals/openvswitch_firewall.rst +++ b/doc/source/contributor/internals/openvswitch_firewall.rst 
@@ -207,25 +207,25 @@ solicitation and neighbour advertisement. :: - table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=130 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=131 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=132 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=135 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=136 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=130 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=131 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=132 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=135 actions=resubmit(,91) - table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=136 actions=resubmit(,91) + table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=130 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=131 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=132 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=135 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x1,in_port=1,icmp_type=136 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=130 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=131 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=132 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=135 actions=NORMAL + table=71, priority=95,icmp6,reg5=0x2,in_port=2,icmp_type=136 actions=NORMAL Following rules implement arp spoofing protection :: - table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,arp_spa=192.168.0.1 actions=resubmit(,91) - table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:8c:84:13,arp_spa=10.0.0.1 actions=resubmit(,91) - table=71, 
priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,arp_spa=192.168.0.2 actions=resubmit(,91) - table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:8c:84:14,arp_spa=10.1.0.0/24 actions=resubmit(,91) + table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,arp_spa=192.168.0.1 actions=NORMAL + table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:8c:84:13,arp_spa=10.0.0.1 actions=NORMAL + table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,arp_spa=192.168.0.2 actions=NORMAL + table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:8c:84:14,arp_spa=10.1.0.0/24 actions=NORMAL DHCP and DHCPv6 traffic is allowed to instance but DHCP servers are blocked on instances. @@ -288,10 +288,10 @@ allowed. :: - table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=resubmit(,91) - table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=resubmit(,91) - table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=resubmit(,91) - table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=resubmit(,91) + table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL + table=72, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=NORMAL + table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL + table=72, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=NORMAL In the following flows are marked established connections that weren't matched in the previous flows, which means they don't have accepting security group 
@@ -317,8 +317,8 @@ remaining egress connections are sent to normal switching. table=73, priority=100,reg6=0x284,dl_dst=fa:16:3e:8c:84:14 actions=load:0x2->NXM_NX_REG5[],resubmit(,81) table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91) table=73, priority=90,ct_state=+new-est,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),resubmit(,91) - table=73, priority=80,reg5=0x1 actions=resubmit(,91) - table=73, priority=80,reg5=0x2 actions=resubmit(,91) + table=73, priority=80,reg5=0x1 actions=NORMAL + table=73, priority=80,reg5=0x2 actions=NORMAL table=73, priority=0 actions=drop ``table 81`` is similar to ``table 71``, allows basic ingress traffic for 
@@ -328,22 +328,22 @@ port. Not tracked packets are sent to obtain conntrack information. :: - table=81, priority=100,arp,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92) - table=81, priority=100,arp,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x1,icmp_type=130 actions=strip_vlan,output:1,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x1,icmp_type=131 actions=strip_vlan,output:1,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x1,icmp_type=132 actions=strip_vlan,output:1,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x1,icmp_type=135 actions=strip_vlan,output:1,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x1,icmp_type=136 actions=strip_vlan,output:1,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x2,icmp_type=130 actions=strip_vlan,output:2,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x2,icmp_type=131 actions=strip_vlan,output:2,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x2,icmp_type=132 actions=strip_vlan,output:2,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x2,icmp_type=135 actions=strip_vlan,output:2,resubmit(,92) - table=81, priority=100,icmp6,reg5=0x2,icmp_type=136 actions=strip_vlan,output:2,resubmit(,92) - table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1,resubmit(,92) - table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1,resubmit(,92) - table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2,resubmit(,92) - table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=strip_vlan,output:2,resubmit(,92) + table=81, priority=100,arp,reg5=0x1 actions=strip_vlan,output:1 + table=81, priority=100,arp,reg5=0x2 actions=strip_vlan,output:2 + table=81, priority=100,icmp6,reg5=0x1,icmp_type=130 actions=strip_vlan,output:1 + table=81, priority=100,icmp6,reg5=0x1,icmp_type=131 actions=strip_vlan,output:1 + table=81, priority=100,icmp6,reg5=0x1,icmp_type=132 actions=strip_vlan,output:1 + 
table=81, priority=100,icmp6,reg5=0x1,icmp_type=135 actions=strip_vlan,output:1 + table=81, priority=100,icmp6,reg5=0x1,icmp_type=136 actions=strip_vlan,output:1 + table=81, priority=100,icmp6,reg5=0x2,icmp_type=130 actions=strip_vlan,output:2 + table=81, priority=100,icmp6,reg5=0x2,icmp_type=131 actions=strip_vlan,output:2 + table=81, priority=100,icmp6,reg5=0x2,icmp_type=132 actions=strip_vlan,output:2 + table=81, priority=100,icmp6,reg5=0x2,icmp_type=135 actions=strip_vlan,output:2 + table=81, priority=100,icmp6,reg5=0x2,icmp_type=136 actions=strip_vlan,output:2 + table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1 + table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1 + table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2 + table=81, priority=95,udp6,reg5=0x2,tp_src=547,tp_dst=546 actions=strip_vlan,output:2 table=81, priority=90,ct_state=-trk,ip,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15]) table=81, priority=90,ct_state=-trk,ipv6,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15]) table=81, priority=90,ct_state=-trk,ip,reg5=0x2 actions=ct(table=82,zone=NXM_NX_REG6[0..15]) @@ -368,7 +368,7 @@ them. table=82, priority=71,ct_state=+new-est,ip,reg6=0x284,nw_src=10.0.0.1 actions=conjunction(19,1/2) table=82, priority=71,ct_state=+est-rel-rpl,icmp,reg5=0x2 actions=conjunction(18,2/2) table=82, priority=71,ct_state=+new-est,icmp,reg5=0x2 actions=conjunction(19,2/2) - table=82, priority=71,conj_id=18,ct_state=+est-rel-rpl,ip,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92) + table=82, priority=71,conj_id=18,ct_state=+est-rel-rpl,ip,reg5=0x2 actions=strip_vlan,output:2 table=82, priority=71,conj_id=19,ct_state=+new-est,ip,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:2,resubmit(,92) table=82, priority=50,ct_state=+inv+trk actions=resubmit(,93) 
@@ -437,10 +437,10 @@ same as in ``table 72``. table=82, priority=50,ct_mark=0x1,reg5=0x1 actions=resubmit(,93) table=82, priority=50,ct_mark=0x1,reg5=0x2 actions=resubmit(,93) - table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92) - table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92) - table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1,resubmit(,92) - table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2,resubmit(,92) + table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1 + table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2 + table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1 + table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2 table=82, priority=40,ct_state=-est,reg5=0x1 actions=resubmit(,93) table=82, priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[])) table=82, priority=40,ct_state=-est,reg5=0x2 actions=resubmit(,93) @@ -468,6 +468,8 @@ receives copies of those packets and therefore default action is ``drop``. Finally, packets sent to ``table 93`` were filtered by the firewall and should be dropped. Default action is ``drop`` in this table. +In regard to the performance perspective, please note that only the first accepted +packet of each connection session will go to ``table 91`` and ``table 92``. Future work ----------- diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py index d6a1e684221..41456604918 100644 --- a/neutron/agent/linux/openvswitch_firewall/firewall.py 
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py @@ -709,8 +709,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): dl_type=constants.ETHERTYPE_IPV6, nw_proto=lib_const.PROTO_NUM_IPV6_ICMP, icmp_type=icmp_type, - actions='resubmit(,%d)' % ( - ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE) + actions='normal' ) def _initialize_egress_no_port_security(self, port_id): @@ -744,9 +743,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): table=ovs_consts.ACCEPT_OR_INGRESS_TABLE, priority=80, reg_port=ovs_port.ofport, - actions='resubmit(,%d)' % ( - ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE) - + actions='normal' ) def _remove_egress_no_port_security(self, port_id): @@ -781,8 +778,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): dl_src=mac_addr, dl_type=constants.ETHERTYPE_ARP, arp_spa=ip_addr, - actions='resubmit(,%d)' % ( - ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE) + actions='normal' ) self._add_flow( table=ovs_consts.BASE_EGRESS_TABLE, @@ -897,8 +893,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): table=ovs_consts.ACCEPT_OR_INGRESS_TABLE, priority=80, reg_port=port.ofport, - actions='resubmit(,%d)' % ( - ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE) + actions='normal' ) def _initialize_tracked_egress(self, port): @@ -929,8 +924,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): ct_mark=ovsfw_consts.CT_MARK_NORMAL, reg_port=port.ofport, ct_zone=port.vlan_tag, - actions='resubmit(,%d)' % ( - ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE) + actions='normal' ) self._add_flow( table=ovs_consts.RULES_EGRESS_TABLE, @@ -961,9 +955,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): dl_type=constants.ETHERTYPE_IPV6, nw_proto=lib_const.PROTO_NUM_IPV6_ICMP, icmp_type=icmp_type, - actions='output:{:d},resubmit(,{:d})'.format( - port.ofport, - ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE), + actions='output:{:d}'.format(port.ofport) ) def _initialize_ingress(self, port): 
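Review bot: Nothing in the code records that the egress flows now ending in `actions='normal'` (this hunk and the ones at -744, -781, -897 and -929) skip `ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE`, or that the ingress flows at -961, -973, -991 and -1043 skip `ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE`. Any flow placed in those two tables will therefore never see ARP, ICMPv6 neighbour discovery, the UDP flows at -991 or packets accepted on conntrack state, which matters to anyone relying on those tables for audit coverage. I would add a comment at the first occurrence, e.g. `# Accepted without resubmit: only connection-opening packets reach the ACCEPTED_*_TRAFFIC tables.`, and consider one module-level constant for the repeated `'normal'` literal. Each enclosing method starts or ends outside its hunk.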
@@ -973,9 +965,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): priority=100, dl_type=constants.ETHERTYPE_ARP, reg_port=port.ofport, - actions='output:{:d},resubmit(,{:d})'.format( - port.ofport, - ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE), + actions='output:{:d}'.format(port.ofport) ) self._initialize_ingress_ipv6_icmp(port) @@ -991,9 +981,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): nw_proto=lib_const.PROTO_NUM_UDP, tp_src=src_port, tp_dst=dst_port, - actions='output:{:d},resubmit(,{:d})'.format( - port.ofport, - ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE), + actions='output:{:d}'.format(port.ofport) ) # Track untracked @@ -1043,9 +1031,7 @@ class OVSFirewallDriver(firewall.FirewallDriver): ct_state=state, ct_mark=ovsfw_consts.CT_MARK_NORMAL, ct_zone=port.vlan_tag, - actions='output:{:d},resubmit(,{:d})'.format( - port.ofport, - ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE) + actions='output:{:d}'.format(port.ofport) ) self._add_flow( table=ovs_consts.RULES_INGRESS_TABLE, diff --git a/neutron/agent/linux/openvswitch_firewall/rules.py b/neutron/agent/linux/openvswitch_firewall/rules.py index 2c13e89f42b..7d93e371b49 100644 --- a/neutron/agent/linux/openvswitch_firewall/rules.py +++ b/neutron/agent/linux/openvswitch_firewall/rules.py @@ -201,9 +201,7 @@ def populate_flow_common(direction, flow_template, port): """Initialize common flow fields.""" if direction == n_consts.INGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE - flow_template['actions'] = "output:{:d},resubmit(,{:d})".format( - port.ofport, - ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE) + flow_template['actions'] = "output:{:d}".format(port.ofport) elif direction == n_consts.EGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE # Traffic can be both ingress and egress, check that no ingress rules 
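Review bot: `populate_flow_common` now leaves ingress flows with a bare `output:N` action, and the resubmit to `ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE` is re-added only by `create_accept_flows` (the -332 hunk of this file), for the flow it builds with `CT_STATES[1]`. That split is not stated anywhere, so an ingress flow built from this template that does not pass through `create_accept_flows` would silently never reach the accepted-ingress table; whether such a caller exists is not visible here. A one-line comment above the assignment would record it, e.g. `# No resubmit here: create_accept_flows() adds it for the connection-opening flow only.` The function continues past the end of this hunk.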
@@ -332,8 +330,11 @@ def create_accept_flows(flow): flow['ct_state'] = CT_STATES[1] if flow['table'] == ovs_consts.RULES_INGRESS_TABLE: flow['actions'] = ( - 'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}'.format( - ovsfw_consts.REG_NET, flow['actions'])) + 'ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s},' + 'resubmit(,{:d})'.format( + ovsfw_consts.REG_NET, flow['actions'], + ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE) + ) result.append(flow) return result diff --git a/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py b/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py index b5f41ead905..029e9db1b84 100644 --- a/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py +++ b/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py @@ -332,8 +332,7 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver): self.delete_port_flows_log(of_port_log, log_id) def _log_accept_flow(self, **flow): - # log first packet - flow['ct_state'] = ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED + # log first accepted packet flow['table'] = OVS_FW_TO_LOG_TABLES[flow['table']] flow['actions'] = 'controller' self._add_flow(**flow) diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py index ef3c571bdfa..2a720504f39 100644 --- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py +++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py @@ -185,8 +185,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): rule = {'protocol': constants.PROTO_NUM_TCP} expected_flows = [{ 'table': ovs_consts.RULES_INGRESS_TABLE, - 'actions': 'output:1,resubmit(,%d)' % ( - ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE), + 'actions': 'output:1', 'nw_proto': constants.PROTO_NUM_TCP, }] self._test_create_protocol_flows_helper( 
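Review bot: `_log_accept_flow` now installs `actions='controller'` with no `ct_state` match, so it relies entirely on the firewall driver resubmitting only connection-opening packets to the tables behind `OVS_FW_TO_LOG_TABLES`. If some flow later resubmits established traffic to those tables, every matching packet becomes a packet-in to the agent, a load problem that ordinary tenant traffic can trigger. The comment should state that dependency, e.g. `# Log first accepted packet; the firewall driver resubmits only connection-opening packets to this table, so no ct_state match is set here.` No functional reason for dropping the match is visible in this hunk; if there is none, keeping it would be the cheaper safeguard.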
@@ -392,12 +391,12 @@ class TestCreateConjFlows(base.BaseTestCase): flows[0]['ct_state']) self.assertEqual(ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED, flows[1]['ct_state']) - self.assertEqual("output:{:d},resubmit(,{:d})".format( - port.ofport, - ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE), + self.assertEqual("output:{:d}".format(port.ofport), flows[0]['actions']) - self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}".format( - ovsfw_consts.REG_NET, flows[0]['actions']), + self.assertEqual("ct(commit,zone=NXM_NX_REG{:d}[0..15]),{:s}," + "resubmit(,{:d})".format( + ovsfw_consts.REG_NET, flows[0]['actions'], + ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE), flows[1]['actions']) for f in flows: diff --git a/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py b/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py index 5f77072b12c..fc1fee64c84 100644 --- a/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py +++ b/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py @@ -18,7 +18,6 @@ from neutron_lib import constants from oslo_config import cfg from oslo_utils import uuidutils -from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts from neutron.common import constants as n_const from neutron.objects.logapi import logging_resource as log_object from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \ @@ -174,7 +173,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase): mock.call( actions='controller', cookie=accept_cookie.id, - ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED, reg5=self.port_ofport, dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP), nw_proto=constants.PROTO_NUM_TCP, 
@@ -185,7 +183,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase): mock.call( actions='controller', cookie=accept_cookie.id, - ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED, reg5=self.port_ofport, dl_type="0x{:04x}".format(n_const.ETHERTYPE_IPV6), priority=70, @@ -195,7 +192,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase): mock.call( actions='controller', cookie=accept_cookie.id, - ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED, reg5=self.port_ofport, dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP), nw_proto=constants.PROTO_NUM_UDP, @@ -273,7 +269,6 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase): mock.call( actions='controller', cookie=accept_cookie.id, - ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED, reg5=self.port_ofport, dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP), nw_proto=constants.PROTO_NUM_TCP,