Em seg., 25 de mai. de 2026 às 09:52, Lucas Vargas Dias < [email protected]> escreveu:
> Hi Ales, > > Thank you for your review. > > Em qua., 13 de mai. de 2026 às 05:16, Ales Musil <[email protected]> > escreveu: > >> >> >> On Thu, Apr 30, 2026 at 10:23 PM Lucas Vargas Dias via dev < >> [email protected]> wrote: >> >>> Optimize logical flow generation for NAT with distributed gateway ports >>> by removing duplicate >>> priority 90/91 flows and consolidating ARP/ND flow creation in >>> build_lrouter_nat_arp_nd_flow(). >>> Add chassis residency filtering for l3dgw ports so ARP/ND responses are >>> generated only on the >>> correct gateway chassis, reducing flow count while preserving behavior. >>> >>> Signed-off-by: Lucas Vargas Dias <[email protected]> >>> --- >>> >> >> Hi Lucas, >> >> thank you for the patch, I have a few comments down below. >> >> >>> northd/northd.c | 36 +++++++++++++---------- >>> tests/ovn-northd.at | 70 +++++++-------------------------------------- >>> 2 files changed, 31 insertions(+), 75 deletions(-) >>> >>> diff --git a/northd/northd.c b/northd/northd.c >>> index 0b52db6cf..20546af6c 100644 >>> --- a/northd/northd.c >>> +++ b/northd/northd.c >>> @@ -14026,6 +14026,7 @@ build_lrouter_nd_flow(const struct ovn_datapath >>> *od, struct ovn_port *op, >>> >>> static void >>> build_lrouter_nat_arp_nd_flow(const struct ovn_datapath *od, >>> + struct ovn_port *op, >>> struct ovn_nat *nat_entry, >>> struct lflow_table *lflows, >>> const struct shash *meter_groups, >>> @@ -14033,16 +14034,20 @@ build_lrouter_nat_arp_nd_flow(const struct >>> ovn_datapath *od, >>> { >>> struct lport_addresses *ext_addrs = &nat_entry->ext_addrs; >>> const struct nbrec_nat *nat = nat_entry->nb; >>> + if (op && lrp_is_l3dgw(op) && (!op->peer || !op->peer->cr_port)) { >>> >> >> The second portion cannot ever happen right? >> I think it can be simplified to (op && lrp_is_l3dgw(op)). >> >> > Actually, it can happen, you can configure the following: > > ovn-nbctl set logical_router lr options:chassis=hv1 And configure gateway chassis in lrp > >> + return; >>> + } >>> >>> + op = NULL; >>> >> >> I would prefer to just pass the NULL directly into >> the function then instead of the op = NULL assign. >> > > I agree > >> >> >>> if (nat_entry_is_v6(nat_entry)) { >>> - build_lrouter_nd_flow(od, NULL, "nd_na", >>> + build_lrouter_nd_flow(od, op, "nd_na", >>> ext_addrs->ipv6_addrs[0].addr_s, >>> ext_addrs->ipv6_addrs[0].sn_addr_s, >>> REG_INPORT_ETH_ADDR, NULL, false, 90, >>> &nat->header_, lflows, meter_groups, >>> lflow_ref); >>> } else { >>> - build_lrouter_arp_flow(od, NULL, >>> + build_lrouter_arp_flow(od, op, >>> ext_addrs->ipv4_addrs[0].addr_s, >>> REG_INPORT_ETH_ADDR, NULL, false, 90, >>> &nat->header_, lflows, >>> @@ -14113,23 +14118,12 @@ build_lrouter_port_nat_arp_nd_flow(struct >>> ovn_port *op, >>> mac_s, &match, false, 92, >>> &nat->header_, lflows, meter_groups, >>> lflow_ref); >>> - build_lrouter_nd_flow(op->od, op, "nd_na", >>> - ext_addrs->ipv6_addrs[0].addr_s, >>> - ext_addrs->ipv6_addrs[0].sn_addr_s, >>> - mac_s, NULL, true, 91, >> >> - &nat->header_, lflows, meter_groups, >>> - lflow_ref); >>> } else { >>> build_lrouter_arp_flow(op->od, op, >>> ext_addrs->ipv4_addrs[0].addr_s, >>> mac_s, &match, false, 92, >>> &nat->header_, lflows, >>> lflow_ref); >>> - build_lrouter_arp_flow(op->od, op, >>> - ext_addrs->ipv4_addrs[0].addr_s, >>> - mac_s, NULL, true, 91, >>> - &nat->header_, lflows, >>> - lflow_ref); >>> >> >> Those two were the only ones that actually >> called "build_lrouter_nd_flow" and "build_lrouter_arp_flow" >> with drop=true, so we can remove the drop argument completely. >> >> > I agree > > >> } >>> >>> ds_destroy(&match); >>> @@ -16846,6 +16840,8 @@ build_lrouter_ipv4_default_ttl_expired_flows( >>> ds_clear(&ip_ds); >>> if (lrp_is_l3dgw(op)) { >>> ds_put_cstr(&ip_ds, "ip4.dst <-> ip4.src"); >>> + ds_put_format(match, "is_chassis_resident(%s) && ", >>> + op->cr_port->json_key); >>> >> >> This change is not mentioned in the commit message and >> is kind of unrelated, was that done on purpose? If so it should >> its own commit and explanation. >> > > Actually, I forgot to mention, but the idea is to add chassis residency > filtering. > >> >> >>> } else { >>> ds_put_format(&ip_ds, "ip4.dst = ip4.src; ip4.src = %s", >>> op->lrp_networks.ipv4_addrs[i].addr_s); >>> @@ -16922,6 +16918,8 @@ build_lrouter_ipv6_default_ttl_expired_flows( >>> ds_clear(&ip_ds); >>> if (lrp_is_l3dgw(op)) { >>> ds_put_cstr(&ip_ds, "ip6.dst <-> ip6.src"); >>> + ds_put_format(match, "is_chassis_resident(%s) && ", >>> + op->cr_port->json_key); >>> } else { >>> ds_put_format(&ip_ds, "ip6.dst = ip6.src; ip6.src = %s", >>> op->lrp_networks.ipv6_addrs[i].addr_s); >>> @@ -17141,7 +17139,11 @@ build_lrouter_arp_nd_for_datapath(const struct >>> ovn_datapath *od, >>> if (nat_entry->type == SNAT) { >>> continue; >>> } >>> - build_lrouter_nat_arp_nd_flow(od, nat_entry, lflows, >>> meter_groups, >>> + struct ovn_port *op = NULL; >>> + if (nat_entry->l3dgw_port) { >>> + op = nat_entry->l3dgw_port; >>> + } >>> + build_lrouter_nat_arp_nd_flow(od, op, nat_entry, lflows, >>> meter_groups, >>> >> >> Unless I'm missing something the whole port is NULL, and the if can be >> skipped, >> instead, the nat_entry->l3dgw_port can be passed directly into the >> function call. >> >> I agree > > > Regards, > Lucas > > >> lflow_ref); >>> } >>> >>> @@ -17157,7 +17159,11 @@ build_lrouter_arp_nd_for_datapath(const struct >>> ovn_datapath *od, >>> struct ovn_nat *nat_entry = >>> CONTAINER_OF(ovs_list_front(&snat_ip->snat_entries), >>> struct ovn_nat, ext_addr_list_node); >>> - build_lrouter_nat_arp_nd_flow(od, nat_entry, lflows, >>> meter_groups, >>> + struct ovn_port *op = NULL; >>> + if (nat_entry->l3dgw_port) { >>> + op = nat_entry->l3dgw_port; >>> + } >>> + build_lrouter_nat_arp_nd_flow(od, op, nat_entry, lflows, >>> meter_groups, >>> lflow_ref); >>> >> >> Same here. >> >> >>> } >>> } >>> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at >>> index 1d7bd6c28..f065dda35 100644 >>> --- a/tests/ovn-northd.at >>> +++ b/tests/ovn-northd.at >>> @@ -2185,18 +2185,6 @@ action=(xreg0[[0..47]] = 00:00:00:00:01:00; next;) >>> # Priority 90 flows (per router). >>> AT_CHECK_UNQUOTED([ovn-sbctl lflow-list | grep -E >>> "lr_in_ip_input.*priority=90" | grep "arp\|nd" | ovn_strip_lflows], [0], >>> [dnl >>> table=??(lr_in_ip_input ), priority=90 , dnl >>> -match=(arp.op == 1 && arp.tpa == 43.43.43.150), dnl >>> -action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >>> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >>> outport = inport; flags.loopback = 1; output;) >>> - table=??(lr_in_ip_input ), priority=90 , dnl >>> -match=(arp.op == 1 && arp.tpa == 43.43.43.2), dnl >>> -action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >>> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >>> outport = inport; flags.loopback = 1; output;) >>> - table=??(lr_in_ip_input ), priority=90 , dnl >>> -match=(arp.op == 1 && arp.tpa == 43.43.43.3), dnl >>> -action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >>> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >>> outport = inport; flags.loopback = 1; output;) >>> - table=??(lr_in_ip_input ), priority=90 , dnl >>> -match=(arp.op == 1 && arp.tpa == 43.43.43.4), dnl >>> -action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >>> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >>> outport = inport; flags.loopback = 1; output;) >>> - table=??(lr_in_ip_input ), priority=90 , dnl >>> match=(inport == "lrp" && arp.op == 1 && arp.tpa == \$${lb_as_v4}), dnl >>> action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >>> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >>> outport = inport; flags.loopback = 1; output;) >>> table=??(lr_in_ip_input ), priority=90 , dnl >>> @@ -2225,19 +2213,10 @@ match=(inport == "lrp-public" && nd_ns && >>> nd.target == \$${lb_as_v6} && is_chass >>> action=(nd_na { eth.src = xreg0[[0..47]]; ip6.src = nd.target; nd.tll = >>> xreg0[[0..47]]; outport = inport; flags.loopback = 1; output; };) >>> ]) >>> >>> -# Priority 91 drop flows (per distributed gw port), if port is not >>> resident. >>> -AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_ip_input.*priority=91" >>> | grep "arp\|nd" | ovn_strip_lflows], [0], [dnl >>> - table=??(lr_in_ip_input ), priority=91 , dnl >>> -match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == >>> 43.43.43.150), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , dnl >>> -match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == 43.43.43.2), >>> dnl >>> -action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , dnl >>> -match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == 43.43.43.3), >>> dnl >>> -action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , dnl >>> -match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == 43.43.43.4), >>> dnl >>> -action=(drop;) >>> +# Priority 85 drop using the default drop from table lr_in_ip_input. >>> +AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_ip_input.*priority=85" >>> | grep "arp\|nd" | ovn_strip_lflows], [0], [dnl >>> + table=??(lr_in_ip_input ), priority=85 , dnl >>> +match=(arp || nd), action=(drop;) >>> ]) >>> >>> # Priority 92 ARP/NS responders (per distributed gw port), if port is >>> resident. >>> @@ -8762,13 +8741,8 @@ check ovn-nbctl --wait=sb sync >>> ovn-sbctl dump-flows DR > lrflows >>> AT_CAPTURE_FILE([lrflows]) >>> >>> -AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >>> -e 10.0.0.10 -e 192.168.0.10 | ovn_strip_lflows], [0], [dnl >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 10.0.0.10), action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; >>> arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; >>> arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.16.1.10), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 192.168.0.10), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S3" && arp.op == 1 && arp.tpa == 192.168.0.10), action=(drop;) >>> +AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >>> -e 10.0.0.10 -e 192.168.0.10 -e drop| ovn_strip_lflows], [0], [dnl >>> + table=??(lr_in_ip_input ), priority=85 , match=(arp || nd), >>> action=(drop;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10 && >>> is_chassis_resident("cr-DR-S1")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10 && >>> is_chassis_resident("cr-DR-S2")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S3" && arp.op == 1 && arp.tpa == 192.168.0.10 && >>> is_chassis_resident("cr-DR-S3")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> @@ -8810,12 +8784,8 @@ check ovn-nbctl --wait=sb sync >>> ovn-sbctl dump-flows DR > lrflows >>> AT_CAPTURE_FILE([lrflows]) >>> >>> -AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >>> -e 10.0.0.10 | ovn_strip_lflows], [0], [dnl >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 10.0.0.10), action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; >>> arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; >>> arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.16.1.10), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S3" && arp.op == 1 && arp.tpa == 172.16.1.10), action=(drop;) >>> +AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >>> -e 10.0.0.10 -e drop| ovn_strip_lflows], [0], [dnl >>> + table=??(lr_in_ip_input ), priority=85 , match=(arp || nd), >>> action=(drop;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10 && >>> is_chassis_resident("cr-DR-S1")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10 && >>> is_chassis_resident("cr-DR-S2")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S3" && arp.op == 1 && arp.tpa == 172.16.1.10 && >>> is_chassis_resident("cr-DR-S3")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> @@ -8849,12 +8819,6 @@ ovn-sbctl dump-flows DR > lrflows >>> AT_CAPTURE_FILE([lrflows]) >>> >>> AT_CHECK([grep lr_in_ip_input lrflows | grep arp | grep -e 172.16.1.10 >>> -e 10.0.0.10 -e 192.168.0.10 | ovn_strip_lflows], [0], [dnl >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 10.0.0.10), action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; >>> arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; >>> arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.16.1.10), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 192.168.0.10), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "DR-S3" && arp.op == 1 && arp.tpa == 192.168.0.10), action=(drop;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S1" && arp.op == 1 && arp.tpa == 172.16.1.10 && >>> is_chassis_resident("cr-DR-S1")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S2" && arp.op == 1 && arp.tpa == 10.0.0.10 && >>> is_chassis_resident("cr-DR-S2")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "DR-S3" && arp.op == 1 && arp.tpa == 192.168.0.10 && >>> is_chassis_resident("cr-DR-S3")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> @@ -14245,9 +14209,9 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | >>> ovn_strip_lflows], [0], [dnl >>> table=??(lr_in_ip_input ), priority=30 , match=(inport == >>> "lr0-sw0" && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 >>> {eth.dst <-> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; >>> ip.ttl = 254; icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL >>> exceeded in transit */ outport = "lr0-sw0"; flags.loopback = 1; output; };) >>> table=??(lr_in_ip_input ), priority=30 , match=(inport == >>> "lr0-sw1" && ip4 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp4 >>> {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ icmp4.code = 0; >>> /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl >>> = 254; outport = "lr0-sw1"; flags.loopback = 1; output; };) >>> table=??(lr_in_ip_input ), priority=30 , match=(inport == >>> "lr0-sw1" && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 >>> {eth.dst <-> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff03; >>> ip.ttl = 254; icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL >>> exceeded in transit */ outport = "lr0-sw1"; flags.loopback = 1; output; };) >>> - table=??(lr_in_ip_input ), priority=31 , match=(inport == >>> "lr0-public" && ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && >>> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >>> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> >>> ip4.src ; ip.ttl = 254; outport = "lr0-public"; flags.loopback = 1; output; >>> };) >>> table=??(lr_in_ip_input ), priority=31 , match=(inport == >>> "lr0-sw0" && ip4 && ip4.src == 10.0.0.0/24 && ip.ttl == {0, 1} && >>> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >>> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = >>> ip4.src; ip4.src = 10.0.0.1 ; ip.ttl = 254; outport = "lr0-sw0"; >>> flags.loopback = 1; output; };) >>> table=??(lr_in_ip_input ), priority=31 , match=(inport == >>> "lr0-sw1" && ip4 && ip4.src == 20.0.0.0/24 && ip.ttl == {0, 1} && >>> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >>> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = >>> ip4.src; ip4.src = 20.0.0.1 ; ip.ttl = 254; outport = "lr0-sw1"; >>> flags.loopback = 1; output; };) >>> + table=??(lr_in_ip_input ), priority=31 , >>> match=(is_chassis_resident("cr-lr0-public") && inport == "lr0-public" && >>> ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && >>> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >>> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> >>> ip4.src ; ip.ttl = 254; outport = "lr0-public"; flags.loopback = 1; output; >>> };) >>> table=??(lr_in_ip_input ), priority=32 , match=(ip.ttl == {0, >>> 1} && !ip.later_frag && (ip4.mcast || ip6.mcast)), action=(drop;) >>> table=??(lr_in_ip_input ), priority=50 , match=(eth.bcast), >>> action=(drop;) >>> table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == >>> {10.0.0.1}), action=(drop;) >>> @@ -14260,9 +14224,6 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | >>> ovn_strip_lflows], [0], [dnl >>> table=??(lr_in_ip_input ), priority=83 , >>> match=(ip6.mcast_rsvd), action=(drop;) >>> table=??(lr_in_ip_input ), priority=84 , match=(nd_rs || >>> nd_ra), action=(next;) >>> table=??(lr_in_ip_input ), priority=85 , match=(arp || nd), >>> action=(drop;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.168.0.100), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.168.0.110), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.168.0.120), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_ip_input ), priority=90 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.10 && arp.spa == >>> 172.168.0.0/24 && is_chassis_resident("cr-lr0-public")), >>> action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP >>> reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa; >>> outport = inport; flags.loopback = 1; output;) >>> table=??(lr_in_ip_input ), priority=90 , match=(inport == >>> "lr0-public" && ip6.dst == {fe80::200:ff:fe00:ff02, ff02::1:ff00:ff02} && >>> nd_ns && nd.target == fe80::200:ff:fe00:ff02 && >>> is_chassis_resident("cr-lr0-public")), action=(nd_na_router { eth.src = >>> xreg0[[0..47]]; ip6.src = nd.target; nd.tll = xreg0[[0..47]]; outport = >>> inport; flags.loopback = 1; output; };) >>> table=??(lr_in_ip_input ), priority=90 , match=(inport == >>> "lr0-sw0" && arp.op == 1 && arp.tpa == 10.0.0.1 && arp.spa == >>> 10.0.0.0/24), action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; >>> arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; >>> arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;) >>> @@ -14275,9 +14236,6 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | >>> ovn_strip_lflows], [0], [dnl >>> table=??(lr_in_ip_input ), priority=90 , match=(ip6.dst == >>> fe80::200:ff:fe00:ff01 && icmp6.type == 128 && icmp6.code == 0), >>> action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback >>> = 1; next; ) >>> table=??(lr_in_ip_input ), priority=90 , match=(ip6.dst == >>> fe80::200:ff:fe00:ff02 && icmp6.type == 128 && icmp6.code == 0), >>> action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback >>> = 1; next; ) >>> table=??(lr_in_ip_input ), priority=90 , match=(ip6.dst == >>> fe80::200:ff:fe00:ff03 && icmp6.type == 128 && icmp6.code == 0), >>> action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback >>> = 1; next; ) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.100), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120), action=(drop;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.100 && >>> is_chassis_resident("cr-lr0-public")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110 && >>> is_chassis_resident("sw0-port1")), action=(eth.dst = eth.src; eth.src = >>> 30:54:00:00:00:03; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> 30:54:00:00:00:03; arp.tpa <-> arp.spa; outport = inport; flags.loopback = >>> 1; output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120 && >>> is_chassis_resident("cr-lr0-public")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> @@ -14372,10 +14330,6 @@ AT_CHECK([grep -Fe "172.168.0.110" -e >>> "172.168.0.120" -e "10.0.0.3" -e "20.0.0.3 >>> table=??(lr_in_dnat ), priority=100 , match=(ip && ip4.dst >>> == 172.168.0.110 && inport == "lr0-public"), action=(ct_dnat(10.0.0.3);) >>> table=??(lr_in_dnat ), priority=100 , match=(ip && ip4.dst >>> == 172.168.0.120 && inport == "lr0-public" && >>> is_chassis_resident("cr-lr0-public")), action=(ct_dnat(20.0.0.3);) >>> table=??(lr_in_gw_redirect ), priority=100 , match=(ip4.src == >>> 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("sw0-port1")), >>> action=(eth.src = 30:54:00:00:00:03; reg5 = 172.168.0.110; next;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.168.0.110), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.168.0.120), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120), action=(drop;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110 && >>> is_chassis_resident("sw0-port1")), action=(eth.dst = eth.src; eth.src = >>> 30:54:00:00:00:03; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> 30:54:00:00:00:03; arp.tpa <-> arp.spa; outport = inport; flags.loopback = >>> 1; output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120 && >>> is_chassis_resident("cr-lr0-public")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_unsnat ), priority=100 , match=(ip && ip4.dst >>> == 172.168.0.110 && inport == "lr0-public"), action=(ct_snat;) >>> @@ -14431,9 +14385,9 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | >>> ovn_strip_lflows], [0], [dnl >>> table=??(lr_in_ip_input ), priority=30 , match=(inport == >>> "lr0-sw0" && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 >>> {eth.dst <-> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; >>> ip.ttl = 254; icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL >>> exceeded in transit */ outport = "lr0-sw0"; flags.loopback = 1; output; };) >>> table=??(lr_in_ip_input ), priority=30 , match=(inport == >>> "lr0-sw1" && ip4 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp4 >>> {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ icmp4.code = 0; >>> /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl >>> = 254; outport = "lr0-sw1"; flags.loopback = 1; output; };) >>> table=??(lr_in_ip_input ), priority=30 , match=(inport == >>> "lr0-sw1" && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 >>> {eth.dst <-> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff03; >>> ip.ttl = 254; icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL >>> exceeded in transit */ outport = "lr0-sw1"; flags.loopback = 1; output; };) >>> - table=??(lr_in_ip_input ), priority=31 , match=(inport == >>> "lr0-public" && ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && >>> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >>> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> >>> ip4.src ; ip.ttl = 254; outport = "lr0-public"; flags.loopback = 1; output; >>> };) >>> table=??(lr_in_ip_input ), priority=31 , match=(inport == >>> "lr0-sw0" && ip4 && ip4.src == 10.0.0.0/24 && ip.ttl == {0, 1} && >>> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >>> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = >>> ip4.src; ip4.src = 10.0.0.1 ; ip.ttl = 254; outport = "lr0-sw0"; >>> flags.loopback = 1; output; };) >>> table=??(lr_in_ip_input ), priority=31 , match=(inport == >>> "lr0-sw1" && ip4 && ip4.src == 20.0.0.0/24 && ip.ttl == {0, 1} && >>> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >>> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = >>> ip4.src; ip4.src = 20.0.0.1 ; ip.ttl = 254; outport = "lr0-sw1"; >>> flags.loopback = 1; output; };) >>> + table=??(lr_in_ip_input ), priority=31 , >>> match=(is_chassis_resident("cr-lr0-public") && inport == "lr0-public" && >>> ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && >>> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* >>> Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> >>> ip4.src ; ip.ttl = 254; outport = "lr0-public"; flags.loopback = 1; output; >>> };) >>> table=??(lr_in_ip_input ), priority=32 , match=(ip.ttl == {0, >>> 1} && !ip.later_frag && (ip4.mcast || ip6.mcast)), action=(drop;) >>> table=??(lr_in_ip_input ), priority=50 , match=(eth.bcast), >>> action=(drop;) >>> table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == >>> {10.0.0.1}), action=(drop;) >>> @@ -14618,10 +14572,6 @@ AT_CHECK([grep -Fe "172.168.0.110" -e >>> "172.168.0.120" -e "10.0.0.3" -e "20.0.0.3 >>> table=??(lr_in_dnat ), priority=100 , match=(ip && ip4.dst >>> == 172.168.0.110 && inport == "lr0-public"), action=(ct_dnat(10.0.0.3);) >>> table=??(lr_in_dnat ), priority=100 , match=(ip && ip4.dst >>> == 172.168.0.120 && inport == "lr0-public" && >>> is_chassis_resident("cr-lr0-public")), action=(ct_dnat(20.0.0.3);) >>> table=??(lr_in_gw_redirect ), priority=100 , match=(ip4.src == >>> 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("sw0-port1")), >>> action=(eth.src = 30:54:00:00:00:03; reg5 = 172.168.0.110; next;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.168.0.110), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=90 , match=(arp.op == 1 && >>> arp.tpa == 172.168.0.120), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110), action=(drop;) >>> - table=??(lr_in_ip_input ), priority=91 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120), action=(drop;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.110 && >>> is_chassis_resident("sw0-port1")), action=(eth.dst = eth.src; eth.src = >>> 30:54:00:00:00:03; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> 30:54:00:00:00:03; arp.tpa <-> arp.spa; outport = inport; flags.loopback = >>> 1; output;) >>> table=??(lr_in_ip_input ), priority=92 , match=(inport == >>> "lr0-public" && arp.op == 1 && arp.tpa == 172.168.0.120 && >>> is_chassis_resident("cr-lr0-public")), action=(eth.dst = eth.src; eth.src = >>> xreg0[[0..47]]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = >>> xreg0[[0..47]]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; >>> output;) >>> table=??(lr_in_unsnat ), priority=100 , match=(ip && ip4.dst >>> == 172.168.0.110 && inport == "lr0-public"), action=(ct_snat;) >>> -- >>> 2.43.0 >>> >>> >>> -- >>> >>> >>> >>> >>> _'Esta mensagem é direcionada apenas para os endereços constantes no >>> cabeçalho inicial. Se você não está listado nos endereços constantes no >>> cabeçalho, pedimos-lhe que desconsidere completamente o conteúdo dessa >>> mensagem e cuja cópia, encaminhamento e/ou execução das ações citadas >>> estão >>> imediatamente anuladas e proibidas'._ >>> >>> >>> * **'Apesar do Magazine Luiza tomar >>> todas as precauções razoáveis para assegurar que nenhum vírus esteja >>> presente nesse e-mail, a empresa não poderá aceitar a responsabilidade >>> por >>> quaisquer perdas ou danos causados por esse e-mail ou por seus anexos'.* >>> >>> >>> >>> _______________________________________________ >>> dev mailing list >>> [email protected] >>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev >>> >>> >> Regards, >> Ales >> > -- _‘Esta mensagem é direcionada apenas para os endereços constantes no cabeçalho inicial. Se você não está listado nos endereços constantes no cabeçalho, pedimos-lhe que desconsidere completamente o conteúdo dessa mensagem e cuja cópia, encaminhamento e/ou execução das ações citadas estão imediatamente anuladas e proibidas’._ * **‘Apesar do Magazine Luiza tomar todas as precauções razoáveis para assegurar que nenhum vírus esteja presente nesse e-mail, a empresa não poderá aceitar a responsabilidade por quaisquer perdas ou danos causados por esse e-mail ou por seus anexos’.* _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
