On 2/4/26 5:21 PM, Lorenzo Bianconi via dev wrote:
> Do not forward ethernet packets with unknown ether type (0x05ff) to
> router pipeline.
Hi, Lorenzo.  Thanks for the patch!

It would be nice to have some explanation here on why we need to drop these early before it reaches the router pipeline.

This patch may also use some test cases.

One more thought below.

>
> Reported-at: https://issues.redhat.com/browse/FDP-1908
> Signed-off-by: Lorenzo Bianconi <[email protected]>
> ---
> northd/northd.c | 9 +++++++++
> northd/ovn-northd.8.xml | 5 +++++
> 2 files changed, 14 insertions(+)
>
> diff --git a/northd/northd.c b/northd/northd.c
> index b4bb4ba6d..539567ba7 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -5947,6 +5947,15 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct
> lflow_table *lflows,
> return;
> }
>
> + if (lsp_is_router(op->nbsp)) {
> + ds_clear(match);
> + ds_put_format(match, "outport == %s && eth.type == 0x%04x",
> + op->json_key, OFP_DL_TYPE_NOT_ETH_TYPE);
> + ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_APPLY_PORT_SEC, 150,
> + ds_cstr(match), debug_drop_action(), op->lflow_ref,
> + WITH_DESC("Packet with unknown ether type"));
> + }
> +
> ds_clear(match);
> ds_clear(actions);
> ds_put_format(match, "inport == %s", op->json_key);
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index 279d81f35..fe1dc4dc0 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -2816,6 +2816,11 @@ output;
> </p>
>
> <ul>
> + <li>
> + For router ports, a priority 150 flow to drop ethernet packets with
> + unknown ether type (0x05ff).

This does align with what I originally reported, but seeing more cases of random traffic being resubmitted to all routers recently, I wonder if we should take a default-deny approach here and, instead of dropping specific ethertypes that we know cannot be routed by the logical router, drop everything that is not arp, ip or ipv6 instead.  WDYT?

This could potentially be done by restricting the default forwarding rule in build_lswitch_destination_lookup_bmcast() to arp, ip and ipv6.  Unicast traffic generally doesn't cause any issues for OVN and we may let the router pipeline deal with it (drop).

An example of the other type of traffic I witnessed was ethernet multicast traffic with dl_type=0x8918 that some network appliances are using for loop detection.

Best regards, Ilya Maximets.
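Review bot: in the northd/northd.c hunk, the new match built with `ds_put_format(match, "outport == %s && eth.type == 0x%04x", op->json_key, OFP_DL_TYPE_NOT_ETH_TYPE);` carries no comment explaining what that constant is, so a reader cannot tell why the single value 0x05ff deserves its own priority-150 drop. OFP_DL_TYPE_NOT_ETH_TYPE is the OpenFlow placeholder dl_type that OVS reports for 802.3 frames whose type/length field holds a length instead of an EtherType; it is not a catch-all for unrecognised types. Add a one-line comment above `if (lsp_is_router(op->nbsp)) {` saying so, and make the `WITH_DESC("Packet with unknown ether type")` text match the actual scope (for example "Frame without an Ethernet type"), since as written the description promises more than the flow delivers: any frame with a real but unroutable EtherType is untouched by this flow and still reaches the router pipeline.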
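Review bot: in the northd/ovn-northd.8.xml hunk, the added `<li>` wording "drop ethernet packets with unknown ether type (0x05ff)" documents a broader behaviour than the code hunk implements, because 0x05ff is the specific pseudo-EtherType OVS assigns to frames that carry no EtherType at all. Rephrase to something like "a priority 150 flow to drop Ethernet frames that carry no EtherType (eth.type == 0x05ff)", and name the stage the flow lives in (S_SWITCH_OUT_APPLY_PORT_SEC in the code hunk) so an operator reading the man page can find the flow in `ovn-sbctl lflow-list` output when debugging why a frame was dropped.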
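To make the two policies discussed in this thread concrete, the following is an added example in Python; it is not part of the patch or of OVN's own code. It classifies constructed Ethernet frames the way an OpenFlow match on eth.type would see them (802.3 length-field frames become 0x05ff, one 802.1Q tag is skipped), then applies both the posted patch's "drop only 0x05ff" rule and the default-deny alternative proposed in the reply. The MAC addresses and payloads are made up for the example; the EtherType constants are the real IEEE and OpenFlow values, and the 0x8918 multicast case is the one mentioned above.

```python
import struct
from typing import Dict, Optional, Tuple

# Real protocol constants (IEEE 802 / OpenFlow); the frames further down are constructed.
OFP_DL_TYPE_NOT_ETH_TYPE = 0x05FF  # OpenFlow's dl_type for frames without an EtherType
ETH_TYPE_MIN = 0x0600              # type/length values below this are 802.3 lengths
ETH_TYPE_IPV4 = 0x0800
ETH_TYPE_ARP = 0x0806
ETH_TYPE_VLAN = 0x8100
ETH_TYPE_IPV6 = 0x86DD
ETH_TYPE_LOOP_DETECT = 0x8918      # multicast type mentioned in the reply


def classify_eth_type(frame: bytes) -> int:
    """Return the eth.type an OpenFlow match would see for this frame.

    A type/length field below 0x0600 is an 802.3 length, reported as 0x05ff.
    A single 802.1Q tag is skipped so the encapsulated type is returned.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack_from("!H", frame, 12)
    if type_or_len == ETH_TYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (type_or_len,) = struct.unpack_from("!H", frame, 16)
    if type_or_len < ETH_TYPE_MIN:
        return OFP_DL_TYPE_NOT_ETH_TYPE
    return type_or_len


def denylist_forwards_to_router(eth_type: int) -> bool:
    """Policy of the posted patch: drop only eth.type == 0x05ff, forward everything else."""
    return eth_type != OFP_DL_TYPE_NOT_ETH_TYPE


def allowlist_forwards_to_router(eth_type: int) -> bool:
    """Default-deny variant from the reply: forward only ARP, IPv4 and IPv6."""
    return eth_type in (ETH_TYPE_ARP, ETH_TYPE_IPV4, ETH_TYPE_IPV6)


def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Build a minimal Ethernet II frame (or 802.3, if type_or_len < 0x0600)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_TYPE_VLAN, vlan)  # TPID + TCI (VLAN id only)
    return hdr + struct.pack("!H", type_or_len) + payload


# Constructed sample frames; the MAC addresses are made up for this example.
ROUTER_PORT_MAC = bytes.fromhex("0a0000000001")
HOST_MAC = bytes.fromhex("0a0000000002")
MCAST_MAC = bytes.fromhex("010000000003")  # I/G bit set, i.e. a multicast address
SAMPLE_FRAMES: Dict[str, bytes] = {
    "arp": build_frame(ROUTER_PORT_MAC, HOST_MAC, ETH_TYPE_ARP, b"\x00" * 28),
    "ipv4": build_frame(ROUTER_PORT_MAC, HOST_MAC, ETH_TYPE_IPV4, b"\x45" + b"\x00" * 19),
    "ipv6_tagged": build_frame(ROUTER_PORT_MAC, HOST_MAC, ETH_TYPE_IPV6,
                               b"\x60" + b"\x00" * 39, vlan=100),
    "802.3_llc": build_frame(ROUTER_PORT_MAC, HOST_MAC, 46, b"\xaa\xaa\x03" + b"\x00" * 43),
    "loop_detect_mcast": build_frame(MCAST_MAC, HOST_MAC, ETH_TYPE_LOOP_DETECT, b"\x00" * 46),
}


def compare_policies(frames: Dict[str, bytes] = SAMPLE_FRAMES) -> Dict[str, Tuple[int, bool, bool]]:
    """Map frame name -> (eth.type as matched, patch forwards?, default-deny forwards?)."""
    result: Dict[str, Tuple[int, bool, bool]] = {}
    for name, frame in frames.items():
        eth_type = classify_eth_type(frame)
        result[name] = (eth_type,
                        denylist_forwards_to_router(eth_type),
                        allowlist_forwards_to_router(eth_type))
    return result


if __name__ == "__main__":
    for name, (eth_type, patch_fwd, deny_fwd) in compare_policies().items():
        print(f"{name:18s} eth.type=0x{eth_type:04x}  "
              f"patch-as-posted={'fwd' if patch_fwd else 'drop'}  "
              f"default-deny={'fwd' if deny_fwd else 'drop'}")
```

Running it shows the difference the reply is pointing at: the 802.3 frame is dropped by both policies, but the 0x8918 multicast frame passes the posted patch and is only stopped by the allow-list, while ARP, IPv4 and VLAN-tagged IPv6 are forwarded either way.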
