Hi Ales, Thank you for your review.
Em qua., 13 de mai. de 2026 às 05:16, Ales Musil <[email protected]> escreveu: > > > On Thu, Apr 30, 2026 at 10:23 PM Lucas Vargas Dias via dev < > [email protected]> wrote: > >> Optimize logical flow generation for NAT with distributed gateway ports >> by removing duplicate >> priority 90/91 flows and consolidating ARP/ND flow creation in >> build_lrouter_nat_arp_nd_flow(). >> Add chassis residency filtering for l3dgw ports so ARP/ND responses are >> generated only on the >> correct gateway chassis, reducing flow count while preserving behavior. >> >> Signed-off-by: Lucas Vargas Dias <[email protected]> >> --- >> > > Hi Lucas, > > thank you for the patch, I have a few comments down below. > > >> northd/northd.c | 36 +++++++++++++---------- >> tests/ovn-northd.at | 70 +++++++-------------------------------------- >> 2 files changed, 31 insertions(+), 75 deletions(-) >> >> diff --git a/northd/northd.c b/northd/northd.c >> index 0b52db6cf..20546af6c 100644 >> --- a/northd/northd.c >> +++ b/northd/northd.c >> @@ -14026,6 +14026,7 @@ build_lrouter_nd_flow(const struct ovn_datapath >> *od, struct ovn_port *op, >> >> static void >> build_lrouter_nat_arp_nd_flow(const struct ovn_datapath *od, >> + struct ovn_port *op, >> struct ovn_nat *nat_entry, >> struct lflow_table *lflows, >> const struct shash *meter_groups, >> @@ -14033,16 +14034,20 @@ build_lrouter_nat_arp_nd_flow(const struct >> ovn_datapath *od, >> { >> struct lport_addresses *ext_addrs = &nat_entry->ext_addrs; >> const struct nbrec_nat *nat = nat_entry->nb; >> + if (op && lrp_is_l3dgw(op) && (!op->peer || !op->peer->cr_port)) { >> > > The second portion cannot ever happen right? > I think it can be simplified to (op && lrp_is_l3dgw(op)). > > Actually, it can happen, you can configure the following: > + return; >> + } >> >> + op = NULL; >> > > I would prefer to just pass the NULL directly into > the function then instead of the op = NULL assign. > I agree > > >> if (nat_entry_is_v6(nat_entry)) { >> - build_lrouter_nd_flow(od, NULL, "nd_na", >> + build_lrouter_nd_flow(od, op, "nd_na", >> ext_addrs->ipv6_addrs[0].addr_s, >> ext_addrs->ipv6_addrs[0].sn_addr_s, >> REG_INPORT_ETH_ADDR, NULL, false, 90, >> &nat->header_, lflows, meter_groups, >> lflow_ref); >> } else { >> - build_lrouter_arp_flow(od, NULL, >> + build_lrouter_arp_flow(od, op, >> ext_addrs->ipv4_addrs[0].addr_s, >> REG_INPORT_ETH_ADDR, NULL, false, 90, >> &nat->header_, lflows, >> @@ -14113,23 +14118,12 @@ build_lrouter_port_nat_arp_nd_flow(struct >> ovn_port *op, >> mac_s, &match, false, 92, >> &nat->header_, lflows, meter_groups, >> lflow_ref); >> - build_lrouter_nd_flow(op->od, op, "nd_na", >> - ext_addrs->ipv6_addrs[0].addr_s, >> - ext_addrs->ipv6_addrs[0].sn_addr_s, >> - mac_s, NULL, true, 91, > > - &nat->header_, lflows, meter_groups, >> - lflow_ref); >> } else { >> build_lrouter_arp_flow(op->od, op, >> ext_addrs->ipv4_addrs[0].addr_s, >> mac_s, &match, false, 92, >> &nat->header_, lflows, >> lflow_ref); >> - build_lrouter_arp_flow(op->od, op, >> - ext_addrs->ipv4_addrs[0].addr_s, >> - mac_s, NULL, true, 91, >> - &nat->header_, lflows, >> - lflow_ref); >> > > Those two were the only ones that actually > called "build_lrouter_nd_flow" and "build_lrouter_arp_flow" > with drop=true, so we can remove the drop argument completely. > > I agree > } >> >> ds_destroy(&match); >> @@ -16846,6 +16840,8 @@ build_lrouter_ipv4_default_ttl_expired_flows( >> ds_clear(&ip_ds); >> if (lrp_is_l3dgw(op)) { >> ds_put_cstr(&ip_ds, "ip4.dst <-> ip4.src"); >> + ds_put_format(match, "is_chassis_resident(%s) && ", >> + op->cr_port->json_key); >> > > This change is not mentioned in the commit message and > is kind of unrelated, was that done on purpose? If so it should > its own commit and explanation. > Actually, I forgot to mention, but the idea is to add chassis residency filtering. > > >> } else { >> ds_put_format(&ip_ds, "ip4.dst = ip4.src; ip4.src = %s", >> op->lrp_networks.ipv4_addrs[i].addr_s); >> @@ -16922,6 +16918,8 @@ build_lrouter_ipv6_default_ttl_expired_flows( >> ds_clear(&ip_ds); >> if (lrp_is_l3dgw(op)) { >> ds_put_cstr(&ip_ds, "ip6.dst <-> ip6.src"); >> + ds_put_format(match, "is_chassis_resident(%s) && ", >> + op->cr_port->json_key); >> } else { >> ds_put_format(&ip_ds, "ip6.dst = ip6.src; ip6.src = %s", >> op->lrp_networks.ipv6_addrs[i].addr_s); >> @@ -17141,7 +17139,11 @@ build_lrouter_arp_nd_for_datapath(const struct >> ovn_datapath *od, >> if (nat_entry->type == SNAT) { >> continue; >> } >> - build_lrouter_nat_arp_nd_flow(od, nat_entry, lflows, >> meter_groups, >> + struct ovn_port *op = NULL; >> + if (nat_entry->l3dgw_port) { >> + op = nat_entry->l3dgw_port; >> + } >> + build_lrouter_nat_arp_nd_flow(od, op, nat_entry, lflows, >> meter_groups, >> > > Unless I'm missing something the whole port is NULL, and the if can be > skipped, > instead, the nat_entry->l3dgw_port can be passed directly into the > function call. > > I agree Regards, Lucas > lflow_ref); >> } >> >> @@ -17157,7 +17159,11 @@ build_lrouter_arp_nd_for_datapath(const struct >> ovn_datapath *od, >> struct ovn_nat *nat_entry = >> CONTAINER_OF(ovs_list_front(&snat_ip->snat_entries), >> struct ovn_nat, ext_addr_list_node); >> - build_lrouter_nat_arp_nd_flow(od, nat_entry, lflows, >> meter_groups, >> + struct ovn_port *op = NULL; >> + if (nat_entry->l3dgw_port) { >> + op = nat_entry->l3dgw_port; >> + } >> + build_lrouter_nat_arp_nd_flow(od, op, nat_entry, lflows, >> meter_groups, >> lflow_ref); >> > > Same here. > > >> } >> } >> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at >> index 1d7bd6c28..f065dda35 100644 >> --- a/tests/ovn-northd.at >> +++ b/tests/ovn-northd.at >> @@ -2185,18 +2185,6 @@ action=(xreg0[[0..47]] = 00:00:00:00:01:00; next;) >> # Priority 90 flows (per router). >> AT_CHECK_UNQUOTED([ovn-sbctl lflow-list | grep -E >> "lr_in_ip_input.*priority=90" | grep "arp\|nd" | ovn_strip_lflows], [0], >> [dnl >> table=??(lr_in_ip_input ), priority=90 , dnl >> -match=(arp.op == 1 && arp.tpa == 43.43.43.150), dnl >> -action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >> outport = inport; flags.loopback = 1; output;) >> - table=??(lr_in_ip_input ), priority=90 , dnl >> -match=(arp.op == 1 && arp.tpa == 43.43.43.2), dnl >> -action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >> outport = inport; flags.loopback = 1; output;) >> - table=??(lr_in_ip_input ), priority=90 , dnl >> -match=(arp.op == 1 && arp.tpa == 43.43.43.3), dnl >> -action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >> outport = inport; flags.loopback = 1; output;) >> - table=??(lr_in_ip_input ), priority=90 , dnl >> -match=(arp.op == 1 && arp.tpa == 43.43.43.4), dnl >> -action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >> outport = inport; flags.loopback = 1; output;) >> - table=??(lr_in_ip_input ), priority=90 , dnl >> match=(inport == "lrp" && arp.op == 1 && arp.tpa == \$${lb_as_v4}), dnl >> action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >> outport = inport; flags.loopback = 1; output;) >> table=??(lr_in_ip_input ), priority=90 , dnl >> @@ -2225,19 +2213,10 @@ match=(inport == "lrp-public" && nd_ns && >> nd.target == \$${lb_as_v6} && is_chass >> action=(nd_na { eth.src = xreg0[[0..47]]; ip6.src = nd.target; nd.tll = >> xreg0[[0..47]]; outport = inport; flags.loopback = 1; output; };) >> ]) >> >> -# Priority 91 drop flows (per distributed gw port), if port is not >> resident. >> -AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_ip_input.*priority=91" | >> grep "arp\|nd" | ovn_strip_lflows], [0], [dnl >> - table=??(lr_in_ip_input ), priority=91 , dnl >> -match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == >> 43.43.43.150), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , dnl >> -match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == 43.43.43.2), >> dnl >> -action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , dnl >> -match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == 43.43.43.3), >> dnl >> -action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , dnl >> -match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == 43.43.43.4), >> dnl >> -action=(drop;) >> +# Priority 85 drop using the default drop from table lr_in_ip_input. >> +AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_ip_input.*priority=85" | >> grep "arp\|nd" | ovn_strip_lflows], [0], [dnl >> + table=??(lr_in_ip_input ), priority=85 , dnl >> +match=(arp || nd), action=(drop;) >> ]) >> >> # Priority 92 ARP/NS responders (per distributed gw port), if port is >> resident. >> @@ -8762,13 +8741,8 @@ check ovn-nbctl --wait=sb sync >> ovn-sbctl dump-flows DR > lrflows >> AT_CAPTURE_FILE([lrflows]) >> >> -AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >> -e 10.0.0.10 -e 192.168.0.10 | ovn_strip_lflows], [0], [dnl >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 10.0.0.10), action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; >> arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; >> arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.16.1.10), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 192.168.0.10), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S3" && arp.op == 1 && arp.tpa == 192.168.0.10), action=(drop;) >> +AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >> -e 10.0.0.10 -e 192.168.0.10 -e drop| ovn_strip_lflows], [0], [dnl >> + table=??(lr_in_ip_input ), priority=85 , match=(arp || nd), >> action=(drop;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10 && >> is_chassis_resident("cr-DR-S1")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10 && >> is_chassis_resident("cr-DR-S2")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S3" && arp.op == 1 && arp.tpa == 192.168.0.10 && >> is_chassis_resident("cr-DR-S3")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> @@ -8810,12 +8784,8 @@ check ovn-nbctl --wait=sb sync >> ovn-sbctl dump-flows DR > lrflows >> AT_CAPTURE_FILE([lrflows]) >> >> -AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >> -e 10.0.0.10 | ovn_strip_lflows], [0], [dnl >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 10.0.0.10), action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; >> arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; >> arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.16.1.10), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S3" && arp.op == 1 && arp.tpa == 172.16.1.10), action=(drop;) >> +AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >> -e 10.0.0.10 -e drop| ovn_strip_lflows], [0], [dnl >> + table=??(lr_in_ip_input ), priority=85 , match=(arp || nd), >> action=(drop;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10 && >> is_chassis_resident("cr-DR-S1")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10 && >> is_chassis_resident("cr-DR-S2")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S3" && arp.op == 1 && arp.tpa == 172.16.1.10 && >> is_chassis_resident("cr-DR-S3")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> @@ -8849,12 +8819,6 @@ ovn-sbctl dump-flows DR > lrflows >> AT_CAPTURE_FILE([lrflows]) >> >> AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >> -e 10.0.0.10 -e 192.168.0.10 | ovn_strip_lflows], [0], [dnl >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 10.0.0.10), action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; >> arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; >> arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.16.1.10), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 192.168.0.10), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "DR-S3" && arp.op == 1 && arp.tpa == 192.168.0.10), action=(drop;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10 && >> is_chassis_resident("cr-DR-S1")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10 && >> is_chassis_resident("cr-DR-S2")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "DR-S3" && arp.op == 1 && arp.tpa == 192.168.0.10 && >> is_chassis_resident("cr-DR-S3")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> @@ -14245,9 +14209,9 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | >> ovn_strip_lflows], [0], [dnl >> table=??(lr_in_ip_input ), priority=30 , match=(inport == >> "lr0-sw0" && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 >> {eth.dst <-> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; >> ip.ttl = 254; icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL >> exceeded in transit */ outport = "lr0-sw0"; flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=30 , match=(inport == >> "lr0-sw1" && ip4 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp4 >> {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ icmp4.code = 0; >> /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl >> = 254; outport = "lr0-sw1"; flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=30 , match=(inport == >> "lr0-sw1" && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 >> {eth.dst <-> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff03; >> ip.ttl = 254; icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL >> exceeded in transit */ outport = "lr0-sw1"; flags.loopback = 1; output; };) >> - table=??(lr_in_ip_input ), priority=31 , match=(inport == >> "lr0-public" && ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && >> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> >> ip4.src ; ip.ttl = 254; outport = "lr0-public"; flags.loopback = 1; output; >> };) >> table=??(lr_in_ip_input ), priority=31 , match=(inport == >> "lr0-sw0" && ip4 && ip4.src == 10.0.0.0/24 && ip.ttl == {0, 1} && >> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = >> ip4.src; ip4.src = 10.0.0.1 ; ip.ttl = 254; outport = "lr0-sw0"; >> flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=31 , match=(inport == >> "lr0-sw1" && ip4 && ip4.src == 20.0.0.0/24 && ip.ttl == {0, 1} && >> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = >> ip4.src; ip4.src = 20.0.0.1 ; ip.ttl = 254; outport = "lr0-sw1"; >> flags.loopback = 1; output; };) >> + table=??(lr_in_ip_input ), priority=31 , >> match=(is_chassis_resident("cr-lr0-public") && inport == "lr0-public" && >> ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && !ip.later_frag), >> action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ >> icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> ip4.src ; ip.ttl >> = 254; outport = "lr0-public"; flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=32 , match=(ip.ttl == {0, 1} >> && !ip.later_frag && (ip4.mcast || ip6.mcast)), action=(drop;) >> table=??(lr_in_ip_input ), priority=50 , match=(eth.bcast), >> action=(drop;) >> table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == >> {10.0.0.1}), action=(drop;) >> @@ -14260,9 +14224,6 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | >> ovn_strip_lflows], [0], [dnl >> table=??(lr_in_ip_input ), priority=83 , match=(ip6.mcast_rsvd), >> action=(drop;) >> table=??(lr_in_ip_input ), priority=84 , match=(nd_rs || nd_ra), >> action=(next;) >> table=??(lr_in_ip_input ), priority=85 , match=(arp || nd), >> action=(drop;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.168.0.100), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.168.0.110), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.168.0.120), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_ip_input ), priority=90 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.10 && arp.spa == >> 172.168.0.0/24 && is_chassis_resident("cr-lr0-public")), action=(eth.dst >> = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = >> arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; >> flags.loopback = 1; output;) >> table=??(lr_in_ip_input ), priority=90 , match=(inport == >> "lr0-public" && ip6.dst == {fe80::200:ff:fe00:ff02, ff02::1:ff00:ff02} && >> nd_ns && nd.target == fe80::200:ff:fe00:ff02 && >> is_chassis_resident("cr-lr0-public")), action=(nd_na_router { eth.src = >> xreg0[[0..47]]; ip6.src = nd.target; nd.tll = xreg0[[0..47]]; outport = >> inport; flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=90 , match=(inport == >> "lr0-sw0" && arp.op == 1 && arp.tpa == 10.0.0.1 && arp.spa == 10.0.0.0/24), >> action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >> outport = inport; flags.loopback = 1; output;) >> @@ -14275,9 +14236,6 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | >> ovn_strip_lflows], [0], [dnl >> table=??(lr_in_ip_input ), priority=90 , match=(ip6.dst == >> fe80::200:ff:fe00:ff01 && icmp6.type == 128 && icmp6.code == 0), >> action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback >> = 1; next; ) >> table=??(lr_in_ip_input ), priority=90 , match=(ip6.dst == >> fe80::200:ff:fe00:ff02 && icmp6.type == 128 && icmp6.code == 0), >> action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback >> = 1; next; ) >> table=??(lr_in_ip_input ), priority=90 , match=(ip6.dst == >> fe80::200:ff:fe00:ff03 && icmp6.type == 128 && icmp6.code == 0), >> action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback >> = 1; next; ) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.100), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120), action=(drop;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.100 && >> is_chassis_resident("cr-lr0-public")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110 && >> is_chassis_resident("sw0-port1")), action=(eth.dst = eth.src; eth.src = >> 30:54:00:00:00:03; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> 30:54:00:00:00:03; arp.tpa <-> arp.spa; outport = inport; flags.loopback = >> 1; output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120 && >> is_chassis_resident("cr-lr0-public")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> @@ -14372,10 +14330,6 @@ AT_CHECK([grep -Fe "172.168.0.110" -e >> "172.168.0.120" -e "10.0.0.3" -e "20.0.0.3 >> table=??(lr_in_dnat ), priority=100 , match=(ip && ip4.dst == >> 172.168.0.110 && inport == "lr0-public"), action=(ct_dnat(10.0.0.3);) >> table=??(lr_in_dnat ), priority=100 , match=(ip && ip4.dst == >> 172.168.0.120 && inport == "lr0-public" && >> is_chassis_resident("cr-lr0-public")), action=(ct_dnat(20.0.0.3);) >> table=??(lr_in_gw_redirect ), priority=100 , match=(ip4.src == >> 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("sw0-port1")), >> action=(eth.src = 30:54:00:00:00:03; reg5 = 172.168.0.110; next;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.168.0.110), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.168.0.120), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120), action=(drop;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110 && >> is_chassis_resident("sw0-port1")), action=(eth.dst = eth.src; eth.src = >> 30:54:00:00:00:03; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> 30:54:00:00:00:03; arp.tpa <-> arp.spa; outport = inport; flags.loopback = >> 1; output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120 && >> is_chassis_resident("cr-lr0-public")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == >> 172.168.0.110 && inport == "lr0-public"), action=(ct_snat;) >> @@ -14431,9 +14385,9 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | >> ovn_strip_lflows], [0], [dnl >> table=??(lr_in_ip_input ), priority=30 , match=(inport == >> "lr0-sw0" && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 >> {eth.dst <-> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; >> ip.ttl = 254; icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL >> exceeded in transit */ outport = "lr0-sw0"; flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=30 , match=(inport == >> "lr0-sw1" && ip4 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp4 >> {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ icmp4.code = 0; >> /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl >> = 254; outport = "lr0-sw1"; flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=30 , match=(inport == >> "lr0-sw1" && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 >> {eth.dst <-> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff03; >> ip.ttl = 254; icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL >> exceeded in transit */ outport = "lr0-sw1"; flags.loopback = 1; output; };) >> - table=??(lr_in_ip_input ), priority=31 , match=(inport == >> "lr0-public" && ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && >> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> >> ip4.src ; ip.ttl = 254; outport = "lr0-public"; flags.loopback = 1; output; >> };) >> table=??(lr_in_ip_input ), priority=31 , match=(inport == >> "lr0-sw0" && ip4 && ip4.src == 10.0.0.0/24 && ip.ttl == {0, 1} && >> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = >> ip4.src; ip4.src = 10.0.0.1 ; ip.ttl = 254; outport = "lr0-sw0"; >> flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=31 , match=(inport == >> "lr0-sw1" && ip4 && ip4.src == 20.0.0.0/24 && ip.ttl == {0, 1} && >> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = >> ip4.src; ip4.src = 20.0.0.1 ; ip.ttl = 254; outport = "lr0-sw1"; >> flags.loopback = 1; output; };) >> + table=??(lr_in_ip_input ), priority=31 , >> match=(is_chassis_resident("cr-lr0-public") && inport == "lr0-public" && >> ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && !ip.later_frag), >> action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ >> icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> ip4.src ; ip.ttl >> = 254; outport = "lr0-public"; flags.loopback = 1; output; };) >> table=??(lr_in_ip_input ), priority=32 , match=(ip.ttl == {0, 1} >> && !ip.later_frag && (ip4.mcast || ip6.mcast)), action=(drop;) >> table=??(lr_in_ip_input ), priority=50 , match=(eth.bcast), >> action=(drop;) >> table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == >> {10.0.0.1}), action=(drop;) >> @@ -14618,10 +14572,6 @@ AT_CHECK([grep -Fe "172.168.0.110" -e >> "172.168.0.120" -e "10.0.0.3" -e "20.0.0.3 >> table=??(lr_in_dnat ), priority=100 , match=(ip && ip4.dst == >> 172.168.0.110 && inport == "lr0-public"), action=(ct_dnat(10.0.0.3);) >> table=??(lr_in_dnat ), priority=100 , match=(ip && ip4.dst == >> 172.168.0.120 && inport == "lr0-public" && >> is_chassis_resident("cr-lr0-public")), action=(ct_dnat(20.0.0.3);) >> table=??(lr_in_gw_redirect ), priority=100 , match=(ip4.src == >> 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("sw0-port1")), >> action=(eth.src = 30:54:00:00:00:03; reg5 = 172.168.0.110; next;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.168.0.110), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >> arp.tpa == 172.168.0.120), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110), action=(drop;) >> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120), action=(drop;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110 && >> is_chassis_resident("sw0-port1")), action=(eth.dst = eth.src; eth.src = >> 30:54:00:00:00:03; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> 30:54:00:00:00:03; arp.tpa <-> arp.spa; outport = inport; flags.loopback = >> 1; output;) >> table=??(lr_in_ip_input ), priority=92 , match=(inport == >> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120 && >> is_chassis_resident("cr-lr0-public")), action=(eth.dst = eth.src; eth.src = >> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >> output;) >> table=??(lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == >> 172.168.0.110 && inport == "lr0-public"), action=(ct_snat;) >> -- >> 2.43.0 >> >> >> -- >> >> >> >> >> _'Esta mensagem é direcionada apenas para os endereços constantes no >> cabeçalho inicial. Se você não está listado nos endereços constantes no >> cabeçalho, pedimos-lhe que desconsidere completamente o conteúdo dessa >> mensagem e cuja cópia, encaminhamento e/ou execução das ações citadas >> estão >> imediatamente anuladas e proibidas'._ >> >> >> * **'Apesar do Magazine Luiza tomar >> todas as precauções razoáveis para assegurar que nenhum vírus esteja >> presente nesse e-mail, a empresa não poderá aceitar a responsabilidade >> por >> quaisquer perdas ou danos causados por esse e-mail ou por seus anexos'.* >> >> >> >> _______________________________________________ >> dev mailing list >> [email protected] >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev >> >> > Regards, > Ales > -- _‘Esta mensagem é direcionada apenas para os endereços constantes no cabeçalho inicial. Se você não está listado nos endereços constantes no cabeçalho, pedimos-lhe que desconsidere completamente o conteúdo dessa mensagem e cuja cópia, encaminhamento e/ou execução das ações citadas estão imediatamente anuladas e proibidas’._ * **‘Apesar do Magazine Luiza tomar todas as precauções razoáveis para assegurar que nenhum vírus esteja presente nesse e-mail, a empresa não poderá aceitar a responsabilidade por quaisquer perdas ou danos causados por esse e-mail ou por seus anexos’.* _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
