ic: Fix denylist for IPv6 with same prefix length.

Fix the prefix filter function as the return condition when IPv6
prefixes have same length.
New calc uses the denylist prefix mask to compare prefix and
denylist prefix.
Without this fix if denylist filter has
2003:db08::/64 and it exists a route to 2003:db88, this route
is blocked because the calc for IPv6 doesn't check if they have
the same prefix lenght.
AND operator between prefix and denylist prefix will be
2003:db08::/68 in this example (2003:db88::/64 & 2003:db08::64)

Signed-off-by: Lucas Vargas Dias <lucas.vdias@luizalabs.com>
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
(cherry picked from commit c4f248a)

ic/ovn-ic.c

@@ -1071,13 +1071,10 @@ prefix_is_deny_listed(const struct smap *nb_options,
                 continue;
             }
         } else {
-            struct in6_addr mask = ipv6_create_mask(plen);
-            /* First calculate the difference between bl_prefix and prefix, so
-             * use the bl mask to ensure prefixes are correctly validated.
-             * e.g.: 2005:1734:5678::/50 is a subnet of 2005:1234::/21 */
-            struct in6_addr m_prefixes = ipv6_addr_bitand(prefix, &bl_prefix);
-            struct in6_addr m_prefix = ipv6_addr_bitand(&m_prefixes, &mask);
-            struct in6_addr m_bl_prefix = ipv6_addr_bitand(&bl_prefix, &mask);
+            struct in6_addr bl_mask = ipv6_create_mask(bl_plen);
+            struct in6_addr m_prefix = ipv6_addr_bitand(prefix, &bl_mask);
+            struct in6_addr m_bl_prefix = ipv6_addr_bitand(&bl_prefix,
+                                                           &bl_mask);
             if (!ipv6_addr_equals(&m_prefix, &m_bl_prefix)) {
                 continue;
             }

tests/ovn-ic.at

@@ -1413,7 +1413,7 @@ for i in 1 2; do
     check ovn-nbctl set nb_global . options:ic-route-adv=true
     # Enable denylist single filter for IPv6
     check ovn-nbctl set nb_global . options:ic-route-denylist=" \
-            2003:db8:1::/64,2004:aaaa::/32,2005:1234::/21"
+            2003:db08:1::/64,2004:aaaa::/32,2005:1234::/21"
 
     check ovn-ic-nbctl --wait=sb sync
     # Create LRP and connect to TS
@@ -1430,7 +1430,10 @@ for i in 1 2; do
 
     # Create denylisted LRPs and connect to TS
     check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext$i \
-            11:11:11:11:11:1$i 2003:db8:1::$i/64
+            11:11:11:11:11:1$i 2003:db88:1::$i/64
+
+    check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext1$i \
+            11:11:11:11:12:1$i 2003:db08:1::$i/64
 
     check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i \
             22:22:22:22:22:2$i 2004:aaaa:bbb::$i/48
@@ -1449,6 +1452,7 @@ check ovn-ic-nbctl --wait=sb sync
 AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 |
     awk '/learned/{print $1, $2}' ], [0], [dnl
 2002:db8:1::/64 2001:db8:1::2
+2003:db88:1::/64 2001:db8:1::2
 2005:1834:5678::/50 2001:db8:1::2
 ])
 
@@ -1464,7 +1468,8 @@ check ovn-ic-nbctl --wait=sb sync
 AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 |
     awk '/learned/{print $1, $2}' | sort ], [0], [dnl
 2002:db8:1::/64 2001:db8:1::2
-2003:db8:1::/64 2001:db8:1::2
+2003:db08:1::/64 2001:db8:1::2
+2003:db88:1::/64 2001:db8:1::2
 2004:aaaa:bbb::/48 2001:db8:1::2
 2005:1734:5678::/50 2001:db8:1::2
 2005:1834:5678::/50 2001:db8:1::2
@@ -1474,7 +1479,7 @@ for i in 1 2; do
     ovn_as az$i
 
     check ovn-nbctl set nb_global . \
-            options:ic-route-denylist="2003:db8:1::/64,2004:db8:1::/64"
+            options:ic-route-denylist="2003:db88:1::/64,2004:db8:1::/64"
 
     # Create an 'extra' denylisted LRP and connect to TS
     check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext5$i \
@@ -1485,6 +1490,7 @@ check ovn-ic-nbctl --wait=sb sync
 AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 |
     awk '/learned/{print $1, $2}' | sort ], [0], [dnl
 2002:db8:1::/64 2001:db8:1::2
+2003:db08:1::/64 2001:db8:1::2
 2004:aaaa:bbb::/48 2001:db8:1::2
 2005:1734:5678::/50 2001:db8:1::2
 2005:1834:5678::/50 2001:db8:1::2