On 2/10/26 3:49 PM, Ales Musil wrote:
>
>
> On Tue, Feb 10, 2026 at 3:43 PM Ilya Maximets <[email protected]> wrote:
>
> On 2/10/26 10:23 AM, Ales Musil via dev wrote:
> > The ARP packet would unconditionally move to the next stage
> > to check if it's allowed unlike the ND packet which would be
> > checked against source MAC address before moving on. Make sure
> > that this is consistent and add generic flows for ND NA/NS to
> > move into next table too.
> >
> > Signed-off-by: Ales Musil <[email protected]>
> > ---
> > v7: New addition.
> > ---
> > controller/lflow.c | 46 +++++++++++++++++++++++++++++++---------------
> > tests/ovn.at | 18 ++++++++++++------
> > 2 files changed, 43 insertions(+), 21 deletions(-)
> >
> > diff --git a/controller/lflow.c b/controller/lflow.c
> > index b6be5c630..049b6eaa9 100644
> > --- a/controller/lflow.c
> > +++ b/controller/lflow.c
> > @@ -2418,6 +2418,37 @@ build_in_port_sec_default_flows(const struct
> sbrec_port_binding *pb,
> > pb->header_.uuid.parts[0], m, ofpacts,
> > &pb->header_.uuid);
> >
> > + /* ND checking is done in the next table. So just advance
> > + * the arp packets to the next table.
> > + *
> > + * Add the below logical flow equivalent OF rules in
> 'in_port_sec_nd' table
> > + * priority: 95
> > + * match - "inport == pb->logical_port && icmp6 && icmp6.code ==
> 135"
> > + * action - "resubmit(,PORT_SEC_ND_TABLE);"
> > + */
> > + match_set_dl_type(m, htons(ETH_TYPE_IPV6));
> > + match_set_nw_proto(m, IPPROTO_ICMPV6);
> > + match_set_nw_ttl(m, 255);
> > + match_set_icmp_type(m, 135);
> > + build_port_sec_adv_nd_check(ofpacts);
> > + ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95,
> > + pb->header_.uuid.parts[0], m, ofpacts,
> > + &pb->header_.uuid);
> > +
> > + /* Add the below logical flow equivalent OF rules in
> 'in_port_sec_nd' table
> > + * priority: 95
> > + * match - "inport == pb->logical_port && icmp6 && icmp6.code ==
> 136"
> > + * action - "resubmit(,PORT_SEC_ND_TABLE);"
> > + */
> > + match_set_dl_type(m, htons(ETH_TYPE_IPV6));
> > + match_set_nw_proto(m, IPPROTO_ICMPV6);
> > + match_set_nw_ttl(m, 255);
> > + match_set_icmp_type(m, 136);
> > + build_port_sec_adv_nd_check(ofpacts);
> > + ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95,
> > + pb->header_.uuid.parts[0], m, ofpacts,
> > + &pb->header_.uuid);
> > +
> > /* Add the below logical flow equivalent OF rules in
> 'in_port_sec_nd' table
> > * priority: 80
> > * match - "inport == pb->logical_port && arp"
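Review bot: the comment above the first new flow is out of sync with the code it describes. It says "just advance the arp packets" and matches on "icmp6.code == 135" / "icmp6.code == 136", while the flows are for ND and the code calls match_set_icmp_type(), so the comments should read "ND packets", "icmp6.type == 135" and "icmp6.type == 136". Also, `m` is reused across the two icmp6 flows and then by the priority-80 arp flow that follows; please confirm the match is re-initialised before that arp flow, otherwise the nw_proto/nw_ttl/icmp_type fields set here carry over into the arp match.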
> > @@ -2693,21 +2724,6 @@ build_in_port_sec_ip6_flows(const struct
> sbrec_port_binding *pb,
> > ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,
> > pb->header_.uuid.parts[0], m, ofpacts,
> > &pb->header_.uuid);
> > -
> > - /* Add the below logical flow equivalent OF rules in
> 'in_port_sec_nd'
> > - * table.
> > - * priority: 90
> > - * match - "inport == pb->port && eth.src == ps_addr.ea &&
> > - * ip6.src == :: && ip6.dst == ff02::/16 && icmp6 &&
> > - * icmp6.code == 0 && icmp6.type == 135"
> > - * action - "next;"
> > - * description: "Advance the packet for Neighbor solicit check"
> > - */
> > - build_port_sec_adv_nd_check(ofpacts);
> > - match_set_icmp_type(m, 135);
> > - ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,
> > - pb->header_.uuid.parts[0], m, ofpacts,
> > - &pb->header_.uuid);
> > }
> >
> > /* Adds the OF rules to allow IPv6 Neigh discovery packet in
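Review bot: the removed flow was the one that required the port-security source MAC (eth.src == ps_addr.ea) for a DAD neighbor solicitation (ip6.src == ::, ip6.dst == ff02::/16) before resubmitting to the ND table; with it gone, an NS reaches OFTABLE_CHK_IN_PORT_SEC_ND via the new priority-95 flow regardless of source MAC. That matches the ARP behaviour the commit message describes, but the commit message should state explicitly that the source-MAC check for NS is now enforced only in OFTABLE_CHK_IN_PORT_SEC_ND, so reviewers can confirm the flows there handle the unspecified-source case.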
> > diff --git a/tests/ovn.at b/tests/ovn.at
> > index 802e6d0da..6a4efef97 100644
> > --- a/tests/ovn.at
> > +++ b/tests/ovn.at
> > @@ -36005,7 +36005,9 @@ check ovn-nbctl --wait=hv lsp-set-port-security
> sw0p1 "00:00:00:00:00:03"
> >
> > echo " table=OFTABLE_CHK_IN_PORT_SEC,
> priority=80,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key
> actions=load:0x1->NXM_NX_REG10[[12]]
> > table=OFTABLE_CHK_IN_PORT_SEC,
> priority=90,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,dl_src=00:00:00:00:00:03
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
>
> Should this flow now auto-allow instead of a resubmit?
>
> All the flows in OFTABLE_CHK_IN_PORT_SEC_ND are more
> strict than the arp/icmp6 flows in OFTABLE_CHK_IN_PORT_SEC,
> so if there was no match in OFTABLE_CHK_IN_PORT_SEC, there
> will not be in the OFTABLE_CHK_IN_PORT_SEC_ND.
>
>
> I'm slightly confused, that particular flow didn't change; what
> changed is the treatment for ND packets, which should be the same as
> the ARP one. Does that make sense?
So, before this patch:
1. ARP is handled at priority 95.
2. ND is checked via resubmit on the priority 90 flow above.
After this patch:
1. Both ARP and ND are handled at priority 95.
2. ARP/ND doesn't reach the flow at priority 90.
So, there is no need anymore for the priority 90 flow to resubmit
into the OFTABLE_CHK_IN_PORT_SEC_ND. Or am I missing something?
>
>
>
> > - table=OFTABLE_CHK_IN_PORT_SEC,
> priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" >
> hv1_t${in_port_sec}_flows.expected
> > + table=OFTABLE_CHK_IN_PORT_SEC,
> priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> > + table=OFTABLE_CHK_IN_PORT_SEC,
> priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)
> > + table=OFTABLE_CHK_IN_PORT_SEC,
> priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136
> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" >
> hv1_t${in_port_sec}_flows.expected
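Review bot: the updated expectation only verifies that the two icmp6 priority-95 flows appear in the flow dump; nothing exercises the new path with traffic. Since this hunk also keeps the priority-90 dl_src=00:00:00:00:00:03 flow resubmitting to OFTABLE_CHK_IN_PORT_SEC_ND, please add a packet-level check (an NS/NA from sw0p1 with a source MAC other than 00:00:00:00:00:03, expected to be dropped, and one with the allowed MAC, expected to pass) so a regression in the ND table is caught rather than only a change in flow text. It is also worth noting in the test or commit message that nw_ttl=255 in the new flows means ND packets with any other hop limit fall through to the priority-90 flow.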
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev