ARP packets unconditionally advance to the next stage, where they are checked for being allowed, whereas ND packets were first checked against the source MAC address before advancing. Make this consistent by also adding generic flows that advance ND NA/NS packets to the next table.
Signed-off-by: Ales Musil <[email protected]>
---
v7: New addition.
---
 controller/lflow.c | 46 +++++++++++++++++++++++++++++++---------------
 tests/ovn.at | 18 ++++++++++++------
 2 files changed, 43 insertions(+), 21 deletions(-)

diff --git a/controller/lflow.c b/controller/lflow.c
index b6be5c630..049b6eaa9 100644
--- a/controller/lflow.c
+++ b/controller/lflow.c
@@ -2418,6 +2418,37 @@ build_in_port_sec_default_flows(const struct sbrec_port_binding *pb,
 pb->header_.uuid.parts[0], m, ofpacts,
 &pb->header_.uuid);
 
+ /* ND checking is done in the next table. So just advance
+ * the arp packets to the next table.
+ *
+ * Add the below logical flow equivalent OF rules in 'in_port_sec_nd' table
+ * priority: 95
+ * match - "inport == pb->logical_port && icmp6 && icmp6.code == 135"
+ * action - "resubmit(,PORT_SEC_ND_TABLE);"
+ */
+ match_set_dl_type(m, htons(ETH_TYPE_IPV6));
+ match_set_nw_proto(m, IPPROTO_ICMPV6);
+ match_set_nw_ttl(m, 255);
+ match_set_icmp_type(m, 135);
+ build_port_sec_adv_nd_check(ofpacts);
+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95,
+ pb->header_.uuid.parts[0], m, ofpacts,
+ &pb->header_.uuid);
+
+ /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd' table
+ * priority: 95
+ * match - "inport == pb->logical_port && icmp6 && icmp6.code == 136"
+ * action - "resubmit(,PORT_SEC_ND_TABLE);"
+ */
+ match_set_dl_type(m, htons(ETH_TYPE_IPV6));
+ match_set_nw_proto(m, IPPROTO_ICMPV6);
+ match_set_nw_ttl(m, 255);
+ match_set_icmp_type(m, 136);
+ build_port_sec_adv_nd_check(ofpacts);
+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95,
+ pb->header_.uuid.parts[0], m, ofpacts,
+ &pb->header_.uuid);
+
 /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd' table
 * priority: 80
 * match - "inport == pb->logical_port && arp"
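Review bot: The first added comment block says `* the arp packets to the next table.` although the flows it introduces match ICMPv6 NS/NA, and both new comments describe the match as `icmp6.code == 135` / `icmp6.code == 136` while the code calls `match_set_icmp_type()`; suggest `* the ND NS/NA packets to the next table.` and `icmp6.type == 135` / `icmp6.type == 136`. These priority-95 flows take precedence over the dl_src-gated priority-90 advance flows, and the per-MAC NS flow removed from build_in_port_sec_ip6_flows in the next hunk also required `icmp6.code == 0`, so OFTABLE_CHK_IN_PORT_SEC_ND now has to enforce the port's source MAC and the ICMPv6 code for both NS and NA on its own; that table's flows are outside this patch, so this is worth confirming for type 136 in particular. The hunk also leaves `m` with dl_type/nw_proto/nw_ttl/icmp_type set and `ofpacts` holding the resubmit when the ARP flow whose comment follows the hunk is built; if that code only calls `match_set_dl_type(m, htons(ETH_TYPE_ARP))` without re-initialising the match and the actions, the ICMPv6 fields would leak into the ARP match (the rest of build_in_port_sec_default_flows is outside the hunk). Minor: the second block's `match_set_dl_type`/`match_set_nw_proto`/`match_set_nw_ttl` calls repeat the first block's on the same `m` and could be reduced to `match_set_icmp_type(m, 136);`, or the two blocks folded into a loop over the two types.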
@@ -2693,21 +2724,6 @@ build_in_port_sec_ip6_flows(const struct sbrec_port_binding *pb,
 ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,
 pb->header_.uuid.parts[0], m, ofpacts,
 &pb->header_.uuid);
-
- /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd'
- * table.
- * priority: 90
- * match - "inport == pb->port && eth.src == ps_addr.ea &&
- * ip6.src == :: && ip6.dst == ff02::/16 && icmp6 &&
- * icmp6.code == 0 && icmp6.type == 135"
- * action - "next;"
- * description: "Advance the packet for Neighbor solicit check"
- */
- build_port_sec_adv_nd_check(ofpacts);
- match_set_icmp_type(m, 135);
- ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,
- pb->header_.uuid.parts[0], m, ofpacts,
- &pb->header_.uuid);
 }
 
 /* Adds the OF rules to allow IPv6 Neigh discovery packet in
diff --git a/tests/ovn.at b/tests/ovn.at
index 802e6d0da..6a4efef97 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -36005,7 +36005,9 @@ check ovn-nbctl --wait=hv lsp-set-port-security sw0p1 "00:00:00:00:00:03"
 echo " table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key actions=load:0x1->NXM_NX_REG10[[12]]
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,dl_src=00:00:00:00:00:03 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
- table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > hv1_t${in_port_sec}_flows.expected
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > hv1_t${in_port_sec}_flows.expected
 check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC
@@ -36041,7 +36043,9 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x$sw0p1_key,metadata=0x
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_src=10.0.0.13 actions=load:0->NXM_NX_REG10[[12]]
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]
- table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x$sw0p1_key,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > hv1_t${in_port_sec}_flows.expected
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x$sw0p1_key,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > hv1_t${in_port_sec}_flows.expected
 check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC
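Review bot: The two added icmp6 lines use `metadata=0x$sw0_dp_key` while the arp line and the rest of this expected block use the literal `metadata=0x1`; the expectation only holds when `$sw0_dp_key` expands to 1, so for consistency use `metadata=0x1` on the new lines (or `0x$sw0_dp_key` throughout, as the block at -36005 already does). The same mix appears in the hunks at -36120 and -36192 for sw0p2. These checks only assert that the advance flows are installed; if the suite has a packet-level port-security case for NS, extending it to NA (icmp_type=136) would verify that the ND table still drops frames with a non-matching source MAC now that the priority-95 flows take precedence over the dl_src-gated priority-90 flow.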
@@ -36106,10 +36110,8 @@ check_port_sec_offlows hv1 OFTABLE_CHK_OUT_PORT_SEC
 #hv2 ovn-controller should program flows.
 echo " table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x$sw0p2_key,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]
- table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]
- table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=10.0.0.4 actions=load:0->NXM_NX_REG10[[12]]
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=20.0.0.4 actions=load:0->NXM_NX_REG10[[12]]
@@ -36120,7 +36122,9 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x$sw0p2_key,metadata=0x
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=aef0::4 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=fe80::200:ff:fe00:13 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]
- table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > hv2_t${in_port_sec}_flows.expected
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > hv2_t${in_port_sec}_flows.expected
 check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC
@@ -36192,7 +36196,9 @@ check_port_sec_offlows hv1 OFTABLE_CHK_OUT_PORT_SEC
 echo " table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x$sw0p2_key,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]
 table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
- table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > hv2_t${in_port_sec}_flows.expected
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > hv2_t${in_port_sec}_flows.expected
 check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC
-- 
2.53.0

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
