On Mon, Feb 2, 2026 at 5:13 PM Jacob Tanenbaum <[email protected]> wrote:

>
>
> On Mon, Feb 2, 2026 at 4:00 AM Ales Musil via dev <[email protected]>
> wrote:
>
>> Add missing match for the eth source MAC in ND port security.
>>
>> Fixes: 8cab00bdb581 ("ovn-controller: Add OF rules for port security.")
>> Signed-off-by: Ales Musil <[email protected]>
>> ---
>>  controller/lflow.c |  1 +
>>  tests/ovn.at       | 38 +++++++++++++++++++++-----------------
>>  2 files changed, 22 insertions(+), 17 deletions(-)
>>
>> diff --git a/controller/lflow.c b/controller/lflow.c
>> index 915b24269..bab422a9c 100644
>> --- a/controller/lflow.c
>> +++ b/controller/lflow.c
>> @@ -2714,6 +2714,7 @@ build_in_port_sec_nd_flows(const struct
>> sbrec_port_binding *pb,
>>      reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);
>>      match_set_dl_type(m, htons(ETH_TYPE_IPV6));
>>      match_set_nw_proto(m, IPPROTO_ICMPV6);
>> +    match_set_dl_src(m, ps_addr->ea);
>>      match_set_nw_ttl(m, 255);
>>      match_set_icmp_type(m, 135);
>>      match_set_icmp_code(m, 0);
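Review bot: The added `match_set_dl_src(m, ps_addr->ea);` has no comment saying why the Ethernet source is pinned at this point, and the later flows built from `m` appear to depend on it staying set. The updated ovn.at expectations show `dl_src` on the icmp_type=136 flows as well, although only this one call is added. A short comment would make that dependency explicit, for example `/* Pin eth.src to this port-security MAC so an allowed nd_sll/nd_tll cannot be paired with a different source address. */`. build_in_port_sec_nd_flows starts and ends outside the hunk, so whether `m` is reset before the neighbour-advertisement flows cannot be confirmed from here.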
>> diff --git a/tests/ovn.at b/tests/ovn.at
>> index 4d15d4a62..8ffe469c8 100644
>> --- a/tests/ovn.at
>> +++ b/tests/ovn.at
>> @@ -35612,10 +35612,10 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=80,arp,reg14=0x$sw0p1_key,meta
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135
>> actions=load:0x1->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136
>> actions=load:0x1->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,arp_sha=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]" > hv1_t${in_port_sec_nd}_flows.expected
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]" > hv1_t${in_port_sec_nd}_flows.expected
>>
>>  check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC_ND
>>
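Review bot: The updated expectations here, and in the two ovn.at hunks that follow, only pin the text of the installed flows through `check_port_sec_offlows`. None of the visible lines sends an ND packet whose Ethernet source differs from the port-security MAC while carrying an allowed `nd_sll`/`nd_tll`, and then checks that the port-security bit in `NXM_NX_REG10[[12]]` ends up set. If no such datapath check exists elsewhere in ovn.at, adding one next to these flow dumps would guard the fix against a later refactor that drops the `dl_src` match while the flow strings are regenerated.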
>> @@ -35649,12 +35649,14 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=80,arp,reg14=0x$sw0p1_key,meta
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136
>> actions=load:0x1->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,arp_spa=10.0.0.3,arp_sha=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,arp_spa=10.0.0.13,arp_sha=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]" > hv1_t${in_port_sec_nd}_flows.expected
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]" > hv1_t${in_port_sec_nd}_flows.expected
>>
>>  check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC_ND
>>
>> @@ -35721,25 +35723,27 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC,
>> priority=80,reg14=0x$sw0p2_key,metadata=0x
>>
>>  check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC
>>
>> +echo "HerE"
>>
> looks like you left a print debug here
>

Ah I did, thanks.


>  echo " table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=80,arp,reg14=0x$sw0p2_key,metadata=0x1
>> actions=load:0x1->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=80,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135
>> actions=load:0x1->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=80,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136
>> actions=load:0x1->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,arp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,arp_spa=10.0.0.4,arp_sha=00:00:00:00:00:04
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,arp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,arp_spa=20.0.0.4,arp_sha=00:00:00:00:00:04
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,arp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,arp_spa=
>> 30.0.0.0/16,arp_sha=00:00:00:00:00:04 actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:04
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=1000::4,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=1000::4,nd_tll=00:00:00:00:00:04
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=2000::/64,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=2000::/64,nd_tll=00:00:00:00:00:04
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:04
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>>   table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:04
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> - table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:04
>> actions=load:0->NXM_NX_REG10[[12]]" > hv2_t${in_port_sec_nd}_flows.expected
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:00
>> actions=load:0->NXM_NX_REG10[[12]]
>> + table=OFTABLE_CHK_IN_PORT_SEC_ND,
>> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:13
>> actions=load:0->NXM_NX_REG10[[12]]" > hv2_t${in_port_sec_nd}_flows.expected
>>
>>  check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC_ND
>>
>> --
>> 2.52.0
>>
>> _______________________________________________
>> dev mailing list
>> [email protected]
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>>
>>
> besides the print debug left in looks good
>
>
> Acked-by: Jacob Tanenbaum <[email protected]>
>
>
One note: please also reply to the mailing list, not only to the author.

Regards,
Ales