On Tue, Feb 10, 2026 at 5:10 PM Ales Musil <[email protected]> wrote:
> > > On Tue, Feb 10, 2026 at 4:00 PM Ilya Maximets <[email protected]> wrote: > >> On 2/10/26 3:49 PM, Ales Musil wrote: >> > >> > >> > On Tue, Feb 10, 2026 at 3:43 PM Ilya Maximets <[email protected] >> <mailto:[email protected]>> wrote: >> > >> > On 2/10/26 10:23 AM, Ales Musil via dev wrote: >> > > The ARP packet would unconditionally move to the next stage >> > > to check if it's allowed unlike the ND packet which would be >> > > checked against source MAC address before moving on. Make sure >> > > that this is consistent and add generic flows for ND NA/NS to >> > > move into next table too. >> > > >> > > Signed-off-by: Ales Musil <[email protected] <mailto: >> [email protected]>> >> > > --- >> > > v7: New addition. >> > > --- >> > > controller/lflow.c | 46 >> +++++++++++++++++++++++++++++++--------------- >> > > tests/ovn.at <http://ovn.at> | 18 ++++++++++++------ >> > > 2 files changed, 43 insertions(+), 21 deletions(-) >> > > >> > > diff --git a/controller/lflow.c b/controller/lflow.c >> > > index b6be5c630..049b6eaa9 100644 >> > > --- a/controller/lflow.c >> > > +++ b/controller/lflow.c 
>> > > @@ -2418,6 +2418,37 @@ build_in_port_sec_default_flows(const >> struct sbrec_port_binding *pb, >> > > pb->header_.uuid.parts[0], m, ofpacts, >> > > &pb->header_.uuid); >> > > >> > > + /* ND checking is done in the next table. So just advance >> > > + * the arp packets to the next table. >> > > + * >> > > + * Add the below logical flow equivalent OF rules in >> 'in_port_sec_nd' table >> > > + * priority: 95 >> > > + * match - "inport == pb->logical_port && icmp6 && >> icmp6.code == 135" >> > > + * action - "resubmit(,PORT_SEC_ND_TABLE);" >> > > + */ >> > > + match_set_dl_type(m, htons(ETH_TYPE_IPV6)); >> > > + match_set_nw_proto(m, IPPROTO_ICMPV6); >> > > + match_set_nw_ttl(m, 255); >> > > + match_set_icmp_type(m, 135); >> > > + build_port_sec_adv_nd_check(ofpacts); >> > > + ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95, >> > > + pb->header_.uuid.parts[0], m, ofpacts, >> > > + &pb->header_.uuid); >> > > + >> > > + /* Add the below logical flow equivalent OF rules in >> 'in_port_sec_nd' table >> > > + * priority: 95 >> > > + * match - "inport == pb->logical_port && icmp6 && >> icmp6.code == 136" >> > > + * action - "resubmit(,PORT_SEC_ND_TABLE);" >> > > + */ >> > > + match_set_dl_type(m, htons(ETH_TYPE_IPV6)); >> > > + match_set_nw_proto(m, IPPROTO_ICMPV6); >> > > + match_set_nw_ttl(m, 255); >> > > + match_set_icmp_type(m, 136); >> > > + build_port_sec_adv_nd_check(ofpacts); >> > > + ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 95, >> > > + pb->header_.uuid.parts[0], m, ofpacts, >> > > + &pb->header_.uuid); >> > > + >> > > /* Add the below logical flow equivalent OF rules in >> 'in_port_sec_nd' table >> > > * priority: 80 >> > > * match - "inport == pb->logical_port && arp" 
>> > > @@ -2693,21 +2724,6 @@ build_in_port_sec_ip6_flows(const struct >> sbrec_port_binding *pb, >> > > ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90, >> > > pb->header_.uuid.parts[0], m, ofpacts, >> > > &pb->header_.uuid); >> > > - >> > > - /* Add the below logical flow equivalent OF rules in >> 'in_port_sec_nd' >> > > - * table. >> > > - * priority: 90 >> > > - * match - "inport == pb->port && eth.src == ps_addr.ea && >> > > - * ip6.src == :: && ip6.dst == ff02::/16 && icmp6 && >> > > - * icmp6.code == 0 && icmp6.type == 135" >> > > - * action - "next;" >> > > - * description: "Advance the packet for Neighbor solicit >> check" >> > > - */ >> > > - build_port_sec_adv_nd_check(ofpacts); >> > > - match_set_icmp_type(m, 135); >> > > - ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90, >> > > - pb->header_.uuid.parts[0], m, ofpacts, >> > > - &pb->header_.uuid); >> > > } >> > > >> > > /* Adds the OF rules to allow IPv6 Neigh discovery packet in >> > > diff --git a/tests/ovn.at <http://ovn.at> b/tests/ovn.at < >> http://ovn.at> >> > > index 802e6d0da..6a4efef97 100644 >> > > --- a/tests/ovn.at <http://ovn.at> >> > > +++ b/tests/ovn.at <http://ovn.at> 
>> > > @@ -36005,7 +36005,9 @@ check ovn-nbctl --wait=hv >> lsp-set-port-security sw0p1 "00:00:00:00:00:03" >> > > >> > > echo " table=OFTABLE_CHK_IN_PORT_SEC, >> priority=80,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key >> actions=load:0x1->NXM_NX_REG10[[12]] >> > > table=OFTABLE_CHK_IN_PORT_SEC, >> priority=90,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,dl_src=00:00:00:00:00:03 >> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) >> > >> > Should this flow now auto-allow instead of a resubmit? >> > >> > All the flows in OFTABLE_CHK_IN_PORT_SEC_ND are more >> > strict than the arp/icmp6 flows in FTABLE_CHK_IN_PORT_SEC, >> > so if there was no match in FTABLE_CHK_IN_PORT_SEC, there >> > will not be in the OFTABLE_CHK_IN_PORT_SEC_ND. >> > >> > >> > I'm slightly confused, that particular flow didn't change, what >> > change is treatment for ND packets which should be the same as >> > the ARP one, does that make sense? >> >> So, before this patch: >> 1. ARP is handled at priority 95. >> 2. ND is checked via resubmit on the priority 90 flow above. >> >> After this patch: >> 1. Both ARP and ND are handled at priority 95. >> 2. ARp/ND doesn't reach the flow at priority 90. >> >> So, there is no need anymore for the priority 90 flow to resubmit >> into the OFTABLE_CHK_IN_PORT_SEC_ND. Or am I missing something? >> > > Ok I understand now. > > unfortunately there is another bug that doesn't affect VRRP > in any way, but will require this flow to be intact. I will be posting > that separately. 
> > >> > >> > >> > >> > > - table=OFTABLE_CHK_IN_PORT_SEC, >> priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key >> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > >> hv1_t${in_port_sec}_flows.expected >> > > + table=OFTABLE_CHK_IN_PORT_SEC, >> priority=95,arp,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key >> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) >> > > + table=OFTABLE_CHK_IN_PORT_SEC, >> priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=135 >> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND) >> > > + table=OFTABLE_CHK_IN_PORT_SEC, >> priority=95,icmp6,reg14=0x$sw0p1_key,metadata=0x$sw0_dp_key,nw_ttl=255,icmp_type=136 >> actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)" > >> hv1_t${in_port_sec}_flows.expected >> >> I have realized there is a mistake in a way we allow ND after this patch. I will send a new revision dropping this. Regards, Ales _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
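Review bot: In the lflow.c hunk at @@ -2418 the new comment does not describe the flows under it: it says "just advance the arp packets to the next table" and "match - ... icmp6.code == 135", while the code matches ND with match_set_icmp_type(m, 135) and match_set_icmp_type(m, 136), so the comment should read "ND NS/NA packets" and "icmp6.type == 135" / "icmp6.type == 136". The two blocks also repeat the identical dl_type/nw_proto/nw_ttl setup; setting those once and changing only the icmp type between the two ofctrl_add_flow() calls would make it obvious that the flows differ solely in type. Finally, the removed priority-90 flow in the second hunk required "icmp6.code == 0", whereas these priority-95 flows match only nw_ttl=255 and the type; the commit message should state that the code check is now expected to happen in OFTABLE_CHK_IN_PORT_SEC_ND, or the check should be added here.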
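Review bot: The lflow.c hunk at @@ -2693 removes the only NS flow in build_in_port_sec_ip6_flows() that matched on eth.src before resubmitting, so after this patch source MAC validation for NS relies entirely on OFTABLE_CHK_IN_PORT_SEC_ND, the same way ARP already does; that is the intent of the commit message, but it should say so explicitly. The thread also raises that the priority-90 dl_src flow just above the removal still resubmits into OFTABLE_CHK_IN_PORT_SEC_ND although ND is now caught at priority 95; since the author wants it kept for a separate fix, a one-line comment at that flow explaining why it still resubmits would stop the next reader from removing it.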
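Review bot: The tests/ovn.at hunk at @@ -36005 only asserts that the two new icmp_type=135/136 flows are dumped at priority 95 for sw0p1, whose port security is the MAC-only string "00:00:00:00:00:03"; it does not exercise build_in_port_sec_ip6_flows(), where a flow was removed, so a port with an IPv6 address in its port-security string should be added to the expected-flows check. A positive flow-dump match also does not show that the behaviour change is correct: an NS/NA injected with a source MAC other than the configured one should be verified as dropped in OFTABLE_CHK_IN_PORT_SEC_ND, and a matching one as passed, mirroring whatever coverage exists for ARP.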
