Re: [ovs-dev] [PATCH ovn] controller: Add missing nw_ttl field to match against legit NAs.

Wed, 14 Jan 2026 08:15:59 -0800 

Hi, I pushed this change to main and all branches back to
branch-24.03. Thanks again for your contribution!

On Tue, Jan 13, 2026 at 4:00 PM Mark Michelson <[email protected]> wrote:
>
> Hi, thanks for contributing your patch!
>
> Aside from the errors reported by checkpatch,
> Acked-by: Mark Michelson <[email protected]>
>
> There is no need to submit a v2 of your patch. When this is merged,
> the committer will fix the checkpatch errors.
>
> On Thu, Jan 8, 2026 at 9:30 PM Jun Gu <[email protected]> wrote:
> >
> > From: "jun.gu" <[email protected]>
> >
> > When an ICMPv6 packet with icmp_type=128 and icmp_code=0 traverses
> > the OFTABLE_CHK_IN_PORT_SEC_ND table, the nd_target and nd_tll fields
> > will be included in the megaflow. This causes the revalidator to
> > invalidate the flow, which in turn triggers an upcall. The root cause
> > is that the final-stage map is included in the wildcards during
> > classifier rule lookup.
> >
> > By adding the missing nw_ttl field to the OpenFlow rule, the previous
> > three stage maps-metadata, L2, and L3-are only included in the
> > wildcards. As a result, the nd_target and nd_tll fields are excluded
> > from the megaflow, preventing unnecessary revalidation and upcalls.
> >
> > Fixes: 8cab00b ("ovn-controller: Add OF rules for port security.")
> > Reported-at: 
> > https://mail.openvswitch.org/pipermail/ovs-discuss/2025-December/053889.html
> > Signed-off-by: Jun Gu <[email protected]>
> > ---
> >  controller/lflow.c |  1 +
> >  tests/ovn.at       | 12 ++++++------
> >  2 files changed, 7 insertions(+), 6 deletions(-)
> >
> > diff --git a/controller/lflow.c b/controller/lflow.c
> > index e84fb2486..784a0d2dd 100644
> > --- a/controller/lflow.c
> > +++ b/controller/lflow.c
> > @@ -2773,6 +2773,7 @@ build_in_port_sec_nd_flows(const struct 
> > sbrec_port_binding *pb,
> >              match_set_dl_src(m, ps_addr->ea);
> >              match_set_dl_type(m, htons(ETH_TYPE_IPV6));
> >              match_set_nw_proto(m, IPPROTO_ICMPV6);
> > +            match_set_nw_ttl(m, 255);
> >              match_set_icmp_type(m, 136);
> >              match_set_icmp_code(m, 0);
> >              match_set_arp_tha(m, eth_addr_zero);
> > diff --git a/tests/ovn.at b/tests/ovn.at
> > index 58127f0d3..2b3d893d0 100644
> > --- a/tests/ovn.at
> > +++ b/tests/ovn.at
> > @@ -35687,12 +35687,12 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=80,arp,reg14=0x$sw0p2_key,meta
> >   table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,arp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,arp_spa=10.0.0.4,arp_sha=00:00:00:00:00:04
> >  actions=load:0->NXM_NX_REG10[[12]]
> >   table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,arp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,arp_spa=20.0.0.4,arp_sha=00:00:00:00:00:04
> >  actions=load:0->NXM_NX_REG10[[12]]
> >   table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,arp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,arp_spa=30.0.0.0/16,arp_sha=00:00:00:00:00:04
> >  actions=load:0->NXM_NX_REG10[[12]]
> > - table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,icmp_type=136,icmp_code=0,nd_target=1000::4,nd_tll=00:00:00:00:00:00
> >  actions=load:0->NXM_NX_REG10[[12]]
> > - table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,icmp_type=136,icmp_code=0,nd_target=1000::4,nd_tll=00:00:00:00:00:04
> >  actions=load:0->NXM_NX_REG10[[12]]
> > - table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,icmp_type=136,icmp_code=0,nd_target=2000::/64,nd_tll=00:00:00:00:00:00
> >  actions=load:0->NXM_NX_REG10[[12]]
> > - table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,icmp_type=136,icmp_code=0,nd_target=2000::/64,nd_tll=00:00:00:00:00:04
> >  actions=load:0->NXM_NX_REG10[[12]]
> > - table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:00
> >  actions=load:0->NXM_NX_REG10[[12]]
> > - table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:13
> >  actions=load:0->NXM_NX_REG10[[12]]
> > + table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=1000::4,nd_tll=00:00:00:00:00:00
> >  actions=load:0->NXM_NX_REG10[[12]]
> > + table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=1000::4,nd_tll=00:00:00:00:00:04
> >  actions=load:0->NXM_NX_REG10[[12]]
> > + table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=2000::/64,nd_tll=00:00:00:00:00:00
> >  actions=load:0->NXM_NX_REG10[[12]]
> > + table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=2000::/64,nd_tll=00:00:00:00:00:04
> >  actions=load:0->NXM_NX_REG10[[12]]
> > + table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:00
> >  actions=load:0->NXM_NX_REG10[[12]]
> > + table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:13
> >  actions=load:0->NXM_NX_REG10[[12]]
> >   table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
> >  actions=load:0->NXM_NX_REG10[[12]]
> >   table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:04
> >  actions=load:0->NXM_NX_REG10[[12]]
> >   table=OFTABLE_CHK_IN_PORT_SEC_ND, 
> > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
> >  actions=load:0->NXM_NX_REG10[[12]]
> > --
> > 2.34.1
> >
> > _______________________________________________
> > dev mailing list
> > [email protected]
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to