On 2/10/26 10:23 AM, Ales Musil via dev wrote: > The ARP packet would unconditionally move to the next stage > to check if it's allowed unlike the ND packet which would be > checked against source MAC address before moving on. Make sure > that this is consistent and add generic flows for ND NA/NS to > move into next table too. > > Signed-off-by: Ales Musil <[email protected]> > ---
Hi Ales, This looks logically equivalent to the effect of the code before your patch. I see why it's relevant for patch 3/3 so: Acked-by: Dumitru Ceara <[email protected]> Thanks, Dumitru > v7: New addition. > --- > controller/lflow.c | 46 +++++++++++++++++++++++++++++++--------------- > tests/ovn.at | 18 ++++++++++++------ > 2 files changed, 43 insertions(+), 21 deletions(-) > > diff --git a/controller/lflow.c b/controller/lflow.c > index b6be5c630..049b6eaa9 100644 > --- a/controller/lflow.c > +++ b/controller/lflow.c 
> @@ -2418,6 +2418,37 @@ build_in_port_sec_default_flows(const struct > sbrec_port_binding *pb, > pb->header_.uuid.parts[0], m, ofpacts, > &pb->header_.uuid); > > + /* ND checking is done in the next table. So just advance > + * the arp packets to the next table. > + * > + * Add the below logical flow equivalent OF rules in 'in_port_sec_nd' > table > + * priority: 95 > + * match - "inport == pb->logical_port && icmp6 && icmp6.code == 135" > + * action - "resubmit(,PORT_SEC_ND_TABLE);" > + */ > + match_set_dl_type(m, htons(ETH_TYPE_IPV6)); > + match_set_nw_proto(m, IPPROTO_ICMPV6); > + match_set_nw_ttl(m, 255); > + match_set_icmp_type(m, 135); > + build_port_sec_adv_nd_check(ofpacts); > + ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95, > + pb->header_.uuid.parts[0], m, ofpacts, > + &pb->header_.uuid); > + > + /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd' > table > + * priority: 95 > + * match - "inport == pb->logical_port && icmp6 && icmp6.code == 136" > + * action - "resubmit(,PORT_SEC_ND_TABLE);" > + */ > + match_set_dl_type(m, htons(ETH_TYPE_IPV6)); > + match_set_nw_proto(m, IPPROTO_ICMPV6); > + match_set_nw_ttl(m, 255); > + match_set_icmp_type(m, 136); > + build_port_sec_adv_nd_check(ofpacts); > + ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95, > + pb->header_.uuid.parts[0], m, ofpacts, > + &pb->header_.uuid); > + > /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd' > table > * priority: 80 > * match - "inport == pb->logical_port && arp" 
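Review bot: The comments above both new flows document the match as `icmp6.code == 135` / `icmp6.code == 136`, but the code calls `match_set_icmp_type(m, 135)` and `match_set_icmp_type(m, 136)`, so the documented match is wrong and should read `match - "inport == pb->logical_port && icmp6 && icmp6.type == 135"` (and `icmp6.type == 136`); the opening sentence "just advance the arp packets to the next table" is also stale for flows that match ICMPv6 and should say "advance the ND NS/NA packets". Worth stating in that comment as well is that these priority-95 flows resubmit to OFTABLE_CHK_IN_PORT_SEC_ND without a `dl_src` match, while the priority-90 flow removed in the next hunk required `eth.src == ps_addr.ea`, so the ND table is now the only place the source MAC is enforced for NS/NA on this port; something like `/* eth.src is deliberately not checked here; OFTABLE_CHK_IN_PORT_SEC_ND must enforce it. */` makes that dependency explicit for the next reader (I cannot see that table's flows from here, so confirm it does). As a style point, the second block repeats `match_set_dl_type`, `match_set_nw_proto` and `match_set_nw_ttl` on the same `m` when only the ICMP type differs, so the two flows could be emitted from a small loop over `{135, 136}` with a single comment. The body of build_in_port_sec_default_flows continues outside this hunk.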
> @@ -2693,21 +2724,6 @@ build_in_port_sec_ip6_flows(const struct > sbrec_port_binding *pb, > ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90, > pb->header_.uuid.parts[0], m, ofpacts, > &pb->header_.uuid); > - > - /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd' > - * table. > - * priority: 90 > - * match - "inport == pb->port && eth.src == ps_addr.ea && > - * ip6.src == :: && ip6.dst == ff02::/16 && icmp6 && > - * icmp6.code == 0 && icmp6.type == 135" > - * action - "next;" > - * description: "Advance the packet for Neighbor solicit check" > - */ > - build_port_sec_adv_nd_check(ofpacts); > - match_set_icmp_type(m, 135); > - ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90, > - pb->header_.uuid.parts[0], m, ofpacts, > - &pb->header_.uuid); > } > > /* Adds the OF rules to allow IPv6 Neigh discovery packet in > diff --git a/tests/ovn.at b/tests/ovn.at > index 802e6d0da..6a4efef97 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at 
> @@ -36005,7 +36005,9 @@ check ovn-nbctl --wait=hv lsp-set-port-security sw0p1 > "00:00:00:00:00:03" > > echo " table=OFTABLE_CHK_IN_PORT_SEC, > priority=80,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key > actions=load:0x1->NXM_NX_REG10[[12]] > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,dl_src=00:00:00:00:00:03 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > - table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > > hv1_t${in_port_sec}_flows.expected > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > > hv1_t${in_port_sec}_flows.expected > > check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC 
> > @@ -36041,7 +36043,9 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, > priority=80,reg14=0x$sw0p1_key,metadata=0x > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,ip,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_src=10.0.0.13 > actions=load:0->NXM_NX_REG10[[12]] > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,udp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 > actions=load:0->NXM_NX_REG10[[12]] > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,udp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 > actions=load:0->NXM_NX_REG10[[12]] > - table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,arp,reg14=0x$sw0p1_key,metadata=0x1 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > > hv1_t${in_port_sec}_flows.expected > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,arp,reg14=0x$sw0p1_key,metadata=0x1 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > > hv1_t${in_port_sec}_flows.expected > > check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC 
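Review bot: The two added icmp6 expectation lines use `metadata=0x$sw0_dp_key` while the arp line they sit next to and every other line in this echo block use the literal `metadata=0x1`, so the block now mixes the two forms; the same mismatch appears in the hunks at @@ -36120 and @@ -36192 for hv2. Either form may pass if the datapath key happens to be 1, but the expected output should use one convention per block, so the new lines should read `metadata=0x1` here (or the whole block should be switched to `$sw0_dp_key`), as the first hunk at @@ -36005 already does consistently.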
> > @@ -36106,10 +36110,8 @@ check_port_sec_offlows hv1 OFTABLE_CHK_OUT_PORT_SEC > #hv2 ovn-controller should program flows. > echo " table=OFTABLE_CHK_IN_PORT_SEC, > priority=80,reg14=0x$sw0p2_key,metadata=0x1 > actions=load:0x1->NXM_NX_REG10[[12]] > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 > actions=load:0->NXM_NX_REG10[[12]] > - table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 > actions=load:0->NXM_NX_REG10[[12]] > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 > actions=load:0->NXM_NX_REG10[[12]] > - table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 > actions=load:0->NXM_NX_REG10[[12]] > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,ip,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=10.0.0.4 > actions=load:0->NXM_NX_REG10[[12]] > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,ip,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=20.0.0.4 > actions=load:0->NXM_NX_REG10[[12]] 
> @@ -36120,7 +36122,9 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, > priority=80,reg14=0x$sw0p2_key,metadata=0x > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,ipv6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=aef0::4 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,ipv6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=fe80::200:ff:fe00:13 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,udp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 > actions=load:0->NXM_NX_REG10[[12]] > - table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > > hv2_t${in_port_sec}_flows.expected > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > > hv2_t${in_port_sec}_flows.expected > > check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC 
> > @@ -36192,7 +36196,9 @@ check_port_sec_offlows hv1 OFTABLE_CHK_OUT_PORT_SEC > > echo " table=OFTABLE_CHK_IN_PORT_SEC, > priority=80,reg14=0x$sw0p2_key,metadata=0x1 > actions=load:0x1->NXM_NX_REG10[[12]] > table=OFTABLE_CHK_IN_PORT_SEC, > priority=90,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > - table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > > hv2_t${in_port_sec}_flows.expected > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) > + table=OFTABLE_CHK_IN_PORT_SEC, > priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 > actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > > hv2_t${in_port_sec}_flows.expected > > check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
