On 2/10/26 10:23 AM, Ales Musil via dev wrote:
> The ARP packet would unconditionally move to the next stage
> to check if it's allowed unlike the ND packet which would be
> checked against source MAC address before moving on. Make sure
> that this is consistent and add generic flows for ND NA/NS to
> move into next table too.
> 
> Signed-off-by: Ales Musil <[email protected]>
> ---
> v7: New addition.
> ---
>  controller/lflow.c | 46 +++++++++++++++++++++++++++++++---------------
>  tests/ovn.at       | 18 ++++++++++++------
>  2 files changed, 43 insertions(+), 21 deletions(-)
> 
> diff --git a/controller/lflow.c b/controller/lflow.c
> index b6be5c630..049b6eaa9 100644
> --- a/controller/lflow.c
> +++ b/controller/lflow.c
> @@ -2418,6 +2418,37 @@ build_in_port_sec_default_flows(const struct 
> sbrec_port_binding *pb,
>                      pb->header_.uuid.parts[0], m, ofpacts,
>                      &pb->header_.uuid);
>  
> +    /* ND checking is done in the next table. So just advance
> +     * the arp packets to the next table.
> +     *
> +     * Add the below logical flow equivalent OF rules in 'in_port_sec_nd' 
> table
> +     * priority: 95
> +     * match - "inport == pb->logical_port && icmp6 && icmp6.code == 135"
> +     * action - "resubmit(,PORT_SEC_ND_TABLE);"
> +     */
> +    match_set_dl_type(m, htons(ETH_TYPE_IPV6));
> +    match_set_nw_proto(m, IPPROTO_ICMPV6);
> +    match_set_nw_ttl(m, 255);
> +    match_set_icmp_type(m, 135);
> +    build_port_sec_adv_nd_check(ofpacts);
> +    ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95,
> +                    pb->header_.uuid.parts[0], m, ofpacts,
> +                    &pb->header_.uuid);
> +
> +    /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd' 
> table
> +     * priority: 95
> +     * match - "inport == pb->logical_port && icmp6 && icmp6.code == 136"
> +     * action - "resubmit(,PORT_SEC_ND_TABLE);"
> +     */
> +    match_set_dl_type(m, htons(ETH_TYPE_IPV6));
> +    match_set_nw_proto(m, IPPROTO_ICMPV6);
> +    match_set_nw_ttl(m, 255);
> +    match_set_icmp_type(m, 136);
> +    build_port_sec_adv_nd_check(ofpacts);
> +    ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95,
> +                    pb->header_.uuid.parts[0], m, ofpacts,
> +                    &pb->header_.uuid);
> +
>      /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd' 
> table
>       * priority: 80
>       * match - "inport == pb->logical_port && arp"
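Review bot: The comment introduced at the top of the new block describes the wrong packets and the wrong field: it says `So just advance the arp packets to the next table` although the flows below match ICMPv6 NS/NA, and both new comment blocks write `icmp6.code == 135` / `icmp6.code == 136` while the code calls match_set_icmp_type, so the match lines should read `icmp6.type == 135` and `icmp6.type == 136` (the removed comment in the next hunk had `icmp6.code == 0 && icmp6.type == 135`, which is the correct shape). The two flow blocks differ only in the ICMP type, and match_set_dl_type/nw_proto/nw_ttl are re-applied to the same `m` before the second ofctrl_add_flow, so a short loop over the two types would state the intent once and avoid the two comment blocks drifting apart (sketch below). I cannot see from the hunk whether `ofpacts` is cleared between the two build_port_sec_adv_nd_check calls; if it is not, the second flow presumably carries the resubmit action twice, which is worth confirming. build_in_port_sec_default_flows starts and ends outside the hunk.
```c
/* ND checking is done in the next table, so just advance NS (135) and
 * NA (136) packets with hop limit 255 to the next table.
 *
 * Add the below logical flow equivalent OF rules in 'in_port_sec_nd' table
 * priority: 95
 * match - "inport == pb->logical_port && icmp6 && icmp6.type == {135, 136}"
 * action - "resubmit(,PORT_SEC_ND_TABLE);"
 */
static const uint8_t nd_types[] = { 135, 136 };
for (size_t i = 0; i < ARRAY_SIZE(nd_types); i++) {
    match_set_dl_type(m, htons(ETH_TYPE_IPV6));
    match_set_nw_proto(m, IPPROTO_ICMPV6);
    match_set_nw_ttl(m, 255);
    match_set_icmp_type(m, nd_types[i]);
    build_port_sec_adv_nd_check(ofpacts);
    ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95,
                    pb->header_.uuid.parts[0], m, ofpacts,
                    &pb->header_.uuid);
}
/* … unchanged: arp flow at priority 80 … */
```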
> @@ -2693,21 +2724,6 @@ build_in_port_sec_ip6_flows(const struct 
> sbrec_port_binding *pb,
>      ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,
>                      pb->header_.uuid.parts[0], m, ofpacts,
>                      &pb->header_.uuid);
> -
> -    /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd'
> -     * table.
> -     * priority: 90
> -     * match - "inport == pb->port && eth.src == ps_addr.ea &&
> -     *          ip6.src == :: && ip6.dst == ff02::/16 && icmp6 &&
> -     *          icmp6.code == 0 && icmp6.type == 135"
> -     * action - "next;"
> -     * description: "Advance the packet for Neighbor solicit check"
> -     */
> -    build_port_sec_adv_nd_check(ofpacts);
> -    match_set_icmp_type(m, 135);
> -    ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,
> -                    pb->header_.uuid.parts[0], m, ofpacts,
> -                    &pb->header_.uuid);
>  }
>  
>  /* Adds the OF rules to allow IPv6 Neigh discovery packet in
> diff --git a/tests/ovn.at b/tests/ovn.at
> index 802e6d0da..6a4efef97 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -36005,7 +36005,9 @@ check ovn-nbctl --wait=hv lsp-set-port-security sw0p1 
> "00:00:00:00:00:03"
>  
>  echo " table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=80,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key 
> actions=load:0x1->NXM_NX_REG10[[12]]
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,dl_src=00:00:00:00:00:03
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)

Should this flow now auto-allow instead of a resubmit?

All the flows in OFTABLE_CHK_IN_PORT_SEC_ND are more
strict than the arp/icmp6 flows in OFTABLE_CHK_IN_PORT_SEC,
so if there was no match in OFTABLE_CHK_IN_PORT_SEC, there
will not be one in OFTABLE_CHK_IN_PORT_SEC_ND either.

> - table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > 
> hv1_t${in_port_sec}_flows.expected
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > 
> hv1_t${in_port_sec}_flows.expected
>  
>  check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC
>  
> @@ -36041,7 +36043,9 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=80,reg14=0x$sw0p1_key,metadata=0x
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,ip,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_src=10.0.0.13
>  actions=load:0->NXM_NX_REG10[[12]]
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,udp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67
>  actions=load:0->NXM_NX_REG10[[12]]
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,udp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67
>  actions=load:0->NXM_NX_REG10[[12]]
> - table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,arp,reg14=0x$sw0p1_key,metadata=0x1 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > 
> hv1_t${in_port_sec}_flows.expected
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,arp,reg14=0x$sw0p1_key,metadata=0x1 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > 
> hv1_t${in_port_sec}_flows.expected
>  
>  check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC
>  
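Review bot: The new icmp6 expectation lines use `metadata=0x$sw0_dp_key` while the arp line they sit next to in the same echo block (and the removed line it replaces) uses `metadata=0x1`, so two forms of the same datapath key are mixed inside one expected-flows file; the same mix appears in the hunks at @@ -36120 and @@ -36192. Presumably this only passes because sw0_dp_key happens to be 1 in this test, which makes the expectation silently fragile if datapath key assignment ever changes. Pick one form per block, e.g. `priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135` to match the neighbouring arp line, or switch the arp line to `$sw0_dp_key` as the first ovn.at hunk already does.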
> @@ -36106,10 +36110,8 @@ check_port_sec_offlows hv1 OFTABLE_CHK_OUT_PORT_SEC
>  #hv2 ovn-controller should program flows.
>  echo " table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=80,reg14=0x$sw0p2_key,metadata=0x1 
> actions=load:0x1->NXM_NX_REG10[[12]]
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0
>  actions=load:0->NXM_NX_REG10[[12]]
> - table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0
>  actions=load:0->NXM_NX_REG10[[12]]
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0
>  actions=load:0->NXM_NX_REG10[[12]]
> - table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0
>  actions=load:0->NXM_NX_REG10[[12]]
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,ip,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=10.0.0.4
>  actions=load:0->NXM_NX_REG10[[12]]
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,ip,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=20.0.0.4
>  actions=load:0->NXM_NX_REG10[[12]]
> @@ -36120,7 +36122,9 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=80,reg14=0x$sw0p2_key,metadata=0x
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,ipv6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=aef0::4
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,ipv6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,ipv6_src=fe80::200:ff:fe00:13
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,udp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67
>  actions=load:0->NXM_NX_REG10[[12]]
> - table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > 
> hv2_t${in_port_sec}_flows.expected
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > 
> hv2_t${in_port_sec}_flows.expected
>  
>  check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC
>  
> @@ -36192,7 +36196,9 @@ check_port_sec_offlows hv1 OFTABLE_CHK_OUT_PORT_SEC
>  
>  echo " table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=80,reg14=0x$sw0p2_key,metadata=0x1 
> actions=load:0x1->NXM_NX_REG10[[12]]
>   table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=90,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> - table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" >  
> hv2_t${in_port_sec}_flows.expected
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,arp,reg14=0x$sw0p2_key,metadata=0x1 
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> + table=OFTABLE_CHK_IN_PORT_SEC, 
> priority=95,icmp6,reg14=0x$sw0p2_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136
>  actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" >  
> hv2_t${in_port_sec}_flows.expected
>  
>  check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC
>  
