On Wed, Aug 30, 2023 at 3:23 AM Ihar Hrachyshka <[email protected]> wrote:

> RFC 4861 (Neighbor Discovery for IP version 6) requires that Hop Limit
> is set to 255, but the flows we generated for ICMPv6 types 135 and 136
> (Neighbor Solicitation and Neighbor Advertisement) erroneously used 225.
>
> Fixes: 8cab00bdb581 ("ovn-controller: Add OF rules for port security.")
> Signed-off-by: Ihar Hrachyshka <[email protected]>
> ---
>  controller/lflow.c |  6 +++---
>  tests/ovn.at       | 34 +++++++++++++++++-----------------
>  2 files changed, 20 insertions(+), 20 deletions(-)
>
> diff --git a/controller/lflow.c b/controller/lflow.c
> index bc5f73279..f70080e8e 100644
> --- a/controller/lflow.c
> +++ b/controller/lflow.c
> @@ -2535,10 +2535,10 @@ build_in_port_sec_default_flows(const struct
> sbrec_port_binding *pb,
>       *       investigation.
>       *
>       * Eg.  If there are below OF rules in the same table
> -     * (1)
> priority=90,icmp6,reg14=0x1,metadata=0x1,nw_ttl=225,icmp_type=135,
> +     * (1)
> priority=90,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135,
>       *     icmp_code=0,nd_sll=fa:16:3e:94:05:98
>       *     actions=load:0->NXM_NX_REG10[12]
> -     * (2)
> priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=225,icmp_type=135,
> +     * (2)
> priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135,
>       *     icmp_code=0 actions=load:1->NXM_NX_REG10[12]
>       *
>       * An IPv6 NS packet with nd_sll = fa:16:3e:94:05:98 is matching on
> the
> @@ -2823,7 +2823,7 @@ build_in_port_sec_nd_flows(const struct
> sbrec_port_binding *pb,
>      reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);
>      match_set_dl_type(m, htons(ETH_TYPE_IPV6));
>      match_set_nw_proto(m, IPPROTO_ICMPV6);
> -    match_set_nw_ttl(m, 225);
> +    match_set_nw_ttl(m, 255);
>      match_set_icmp_type(m, 135);
>      match_set_icmp_code(m, 0);
>
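Review bot: The hop limit in `match_set_nw_ttl(m, 255);` is still a bare literal, which is how 225 went unnoticed in the first place. A named constant with a one-line reference would make a recurrence visible in review, e.g. `match_set_nw_ttl(m, ND_HOP_LIMIT); /* RFC 4861: ND messages must carry Hop Limit 255. */`, where `ND_HOP_LIMIT` is a name suggested here, not one taken from the tree. The commit message mentions types 135 and 136, but this hunk only shows the match being prepared for type 135; presumably the type-136 flows reuse `m` further down in build_in_port_sec_nd_flows, which continues outside the hunk, so that is worth confirming. With the old value, packets carrying the mandated hop limit would likely have missed the priority-90 rules and been decided by the priority-80 ones, so the branches covered by the Fixes tag deserve the same change.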
> diff --git a/tests/ovn.at b/tests/ovn.at
> index bb5cbf0b9..7c61a2d5b 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -34139,10 +34139,10 @@ echo " table=74,
> priority=80,arp,reg14=0x$sw0p1_key,metadata=0x1 actions=load:0x
>   table=74,
> priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135
> actions=load:0->NXM_NX_REG10[[12]]
>   table=74,
> priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136
> actions=load:0x1->NXM_NX_REG10[[12]]
>   table=74,
> priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,arp_sha=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]" > hv1_t74_flows.expected
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]" > hv1_t74_flows.expected
>
>  check_port_sec_offlows hv1 74
>
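Review bot: These expectations are literal flow dumps, so the test encoded the same 225 typo as the code and could not catch it; `check_port_sec_offlows hv1 74` appears to compare flow text rather than forwarding behaviour. A data-path assertion would close that gap: send one neighbor solicitation or advertisement with hop limit 255 and one with a different value through sw0p1, then assert the port-security verdict for each. The same applies to the two later hunks in tests/ovn.at.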
> @@ -34176,12 +34176,12 @@ echo " table=74,
> priority=80,arp,reg14=0x$sw0p1_key,metadata=0x1 actions=load:0x
>   table=74,
> priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136
> actions=load:0x1->NXM_NX_REG10[[12]]
>   table=74,
> priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,arp_spa=10.0.0.3,arp_sha=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]
>   table=74,
> priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,arp_spa=10.0.0.13,arp_sha=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]" > hv1_t74_flows.expected
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]" > hv1_t74_flows.expected
>
>  check_port_sec_offlows hv1 74
>
> @@ -34260,13 +34260,13 @@ echo " table=74,
> priority=80,arp,reg14=0x$sw0p2_key,metadata=0x1 actions=load:0x
>   table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,icmp_type=136,icmp_code=0,nd_target=2000::/64,nd_tll=00:00:00:00:00:04
> actions=load:0->NXM_NX_REG10[[12]]
>   table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
>   table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:04
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> - table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:04
> actions=load:0->NXM_NX_REG10[[12]]" > hv2_t74_flows.expected
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:04
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:13
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:00
> actions=load:0->NXM_NX_REG10[[12]]
> + table=74,
> priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:04
> actions=load:0->NXM_NX_REG10[[12]]" > hv2_t74_flows.expected
>
>  check_port_sec_offlows hv2 74
>
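Review bot: The three priority-90 type-136 flows kept as context at the top of this hunk (those matching `dl_src` with `nd_target=2000::/64` or `nd_target=aef0::4`) carry no `nw_ttl` match at all, unlike every flow this patch corrects. If the hop limit is checked for those packets elsewhere, a comment in the test saying so would stop the question from recurring. If it is not, neighbor advertisements matching those rules are accepted whatever their hop limit, which RFC 4861 asks receivers to reject; that looks like a follow-up for controller/lflow.c rather than something for this patch.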
> --
> 2.38.1
>
>
>
Looks good to me, thanks!

Acked-by: Ales Musil <[email protected]>

-- 

Ales Musil

Senior Software Engineer - OVN Core

Red Hat EMEA <https://www.redhat.com>

[email protected]    IM: amusil
<https://red.ht/sig>