Thanks Ales and Ihar,

I applied this change to all branches from main back to 22.09.

On 9/5/23 06:45, Ales Musil wrote:
On Wed, Aug 30, 2023 at 3:23 AM Ihar Hrachyshka <[email protected]> wrote:

RFC 4861 (Neighbor Discovery for IP version 6) requires that Hop Limit
is set to 255, but the flows we generated for ICMPv6 types 135 and 136
erroneously used 225.

Fixes: 8cab00bdb581 ("ovn-controller: Add OF rules for port security.")
Signed-off-by: Ihar Hrachyshka <[email protected]>
---
  controller/lflow.c |  6 +++---
  tests/ovn.at       | 34 +++++++++++++++++-----------------
  2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/controller/lflow.c b/controller/lflow.c
index bc5f73279..f70080e8e 100644
--- a/controller/lflow.c
+++ b/controller/lflow.c
@@ -2535,10 +2535,10 @@ build_in_port_sec_default_flows(const struct
sbrec_port_binding *pb,
       *       investigation.
       *
       * Eg.  If there are below OF rules in the same table
-     * (1)
priority=90,icmp6,reg14=0x1,metadata=0x1,nw_ttl=225,icmp_type=135,
+     * (1)
priority=90,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135,
       *     icmp_code=0,nd_sll=fa:16:3e:94:05:98
       *     actions=load:0->NXM_NX_REG10[12]
-     * (2)
priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=225,icmp_type=135,
+     * (2)
priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135,
       *     icmp_code=0 actions=load:1->NXM_NX_REG10[12]
       *
       * An IPv6 NS packet with nd_sll = fa:16:3e:94:05:98 is matching on
the
@@ -2823,7 +2823,7 @@ build_in_port_sec_nd_flows(const struct
sbrec_port_binding *pb,
      reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);
      match_set_dl_type(m, htons(ETH_TYPE_IPV6));
      match_set_nw_proto(m, IPPROTO_ICMPV6);
-    match_set_nw_ttl(m, 225);
+    match_set_nw_ttl(m, 255);
      match_set_icmp_type(m, 135);
      match_set_icmp_code(m, 0);
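Review bot: The hop limit in `match_set_nw_ttl(m, 255);` is still a bare literal, which is how a 225/255 transposition can go unnoticed; a named constant carrying the RFC reference would make the intent checkable, for example a new `#define ND_HOP_LIMIT 255 /* RFC 4861: ND messages are valid only with Hop Limit 255. */` used as `match_set_nw_ttl(m, ND_HOP_LIMIT);`. The commit message names types 135 and 136 but only this one call changes, so the 136 flows presumably inherit the TTL from the same match object further down; a one-line comment at that point saying the TTL match is deliberately kept would help the next reader. The value matters for port security because the 255 check is what shows an ND packet was not forwarded by a router, and with 225 the priority-90 flows would not have matched compliant NS/NA traffic. build_in_port_sec_nd_flows starts and ends outside the hunk.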

diff --git a/tests/ovn.at b/tests/ovn.at
index bb5cbf0b9..7c61a2d5b 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -34139,10 +34139,10 @@ echo " table=74,
priority=80,arp,reg14=0x$sw0p1_key,metadata=0x1 actions=load:0x
   table=74,
priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135
actions=load:0->NXM_NX_REG10[[12]]
   table=74,
priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136
actions=load:0x1->NXM_NX_REG10[[12]]
   table=74,
priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,arp_sha=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]" > hv1_t74_flows.expected
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]" > hv1_t74_flows.expected

  check_port_sec_offlows hv1 74
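Review bot: These expectations only compare the dumped flow text against `hv1_t74_flows.expected`, so the fixtures carried the same wrong value as the controller and could not catch it; the same applies to the hunks at 34176 and 34260. A behavioural check that sends an NS and an NA with hop limit 255 from the secured port and asserts which table-74 flow is hit, plus one with a lower hop limit that must not hit the priority-90 flows, would test the match rather than the string. Whether such a datapath test already exists elsewhere in ovn.at is not visible from this hunk.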

@@ -34176,12 +34176,12 @@ echo " table=74,
priority=80,arp,reg14=0x$sw0p1_key,metadata=0x1 actions=load:0x
   table=74,
priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136
actions=load:0x1->NXM_NX_REG10[[12]]
   table=74,
priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,arp_spa=10.0.0.3,arp_sha=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]
   table=74,
priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,arp_spa=10.0.0.13,arp_sha=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]" > hv1_t74_flows.expected
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:03
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]" > hv1_t74_flows.expected

  check_port_sec_offlows hv1 74

@@ -34260,13 +34260,13 @@ echo " table=74,
priority=80,arp,reg14=0x$sw0p2_key,metadata=0x1 actions=load:0x
   table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,icmp_type=136,icmp_code=0,nd_target=2000::/64,nd_tll=00:00:00:00:00:04
actions=load:0->NXM_NX_REG10[[12]]
   table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
   table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:13,icmp_type=136,icmp_code=0,nd_target=aef0::4,nd_tll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:04
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
- table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=225,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:04
actions=load:0->NXM_NX_REG10[[12]]" > hv2_t74_flows.expected
+ table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:04
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:13,nd_tll=00:00:00:00:00:13
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:00
actions=load:0->NXM_NX_REG10[[12]]
+ table=74,
priority=90,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:4,nd_tll=00:00:00:00:00:04
actions=load:0->NXM_NX_REG10[[12]]" > hv2_t74_flows.expected

  check_port_sec_offlows hv2 74

--
2.38.1



Looks good to me, thanks!

Acked-by: Ales Musil <[email protected]>

