If the router has a snat rule and it's external ip isn't lrp address,
when the arp request from other router for this external ip, will
be drop, because of this external ip use same mac address as lrp, so
can not forward to MC_FLOOD.
Fixes: 32f5ebb06226 ("ovn-northd: Limit ARP/ND broadcast domain whenever
possible.")
Reported-at: https://github.com/ovn-org/ovn/issues/209
Signed-off-by: Daniel Ding <[email protected]>
---
northd/northd.c | 31 +++++++++++++++++++++++++++++++
tests/ovn-northd.at | 12 ++++++++++++
2 files changed, 43 insertions(+)
diff --git a/northd/northd.c b/northd/northd.c
index e9cb906e2..2e6764d7b 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -9004,6 +9004,37 @@ build_lswitch_rport_arp_req_flows(struct ovn_port *op,
}
}
+ struct shash_node *snat_snode;
+ SHASH_FOR_EACH (snat_snode, &op->od->snat_ips) {
+ struct ovn_snat_ip *snat_ip = snat_snode->data;
+
+ if (ovs_list_is_empty(&snat_ip->snat_entries)) {
+ continue;
+ }
+
+ struct ovn_nat *nat_entry =
+ CONTAINER_OF(ovs_list_front(&snat_ip->snat_entries),
+ struct ovn_nat, ext_addr_list_node);
+ const struct nbrec_nat *nat = nat_entry->nb;
+
+ /* Check if the ovn port has a network configured on which we could
+ * expect ARP requests/NS for the DNAT external_ip.
+ */
+ if (nat_entry_is_v6(nat_entry)) {
+ if (!sset_contains(&op->od->lb_ips->ips_v6, nat->external_ip)) {
+ build_lswitch_rport_arp_req_flow(
+ nat->external_ip, AF_INET6, sw_op, sw_od, 80, lflows,
+ stage_hint);
+ }
+ } else {
+ if (!sset_contains(&op->od->lb_ips->ips_v4, nat->external_ip)) {
+ build_lswitch_rport_arp_req_flow(
+ nat->external_ip, AF_INET, sw_op, sw_od, 80, lflows,
+ stage_hint);
+ }
+ }
+ }
+
for (size_t i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) {
build_lswitch_rport_arp_req_flow(
op->lrp_networks.ipv4_addrs[i].addr_s, AF_INET, sw_op, sw_od, 80,
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 5c9da811f..953e0d829 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -5084,6 +5084,7 @@ AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed
's/table=../table=??/' | sort],
table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
action=(outport = "_MC_flood"; output;)
table=??(ls_in_l2_lkup ), priority=75 , match=(eth.src ==
{00:00:00:00:01:01} && (arp.op == 1 || rarp.op == 3 || nd_ns)), action=(outport
= "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.1.1), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
nd_ns && nd.target == fe80::200:ff:fe00:101), action=(clone {outport =
"ls1-ro1"; output; }; outport = "_MC_flood_l2"; output;)
])
@@ -5098,6 +5099,7 @@ AT_CHECK([grep "ls_in_l2_lkup" ls2_lflows | sed
's/table=../table=??/' | sort],
table=??(ls_in_l2_lkup ), priority=75 , match=(eth.src ==
{00:00:00:00:02:01} && (arp.op == 1 || rarp.op == 3 || nd_ns)), action=(outport
= "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.2.1), action=(clone {outport = "ls2-ro2";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 20.0.0.100), action=(clone {outport = "ls2-ro2";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 20.0.0.200), action=(clone {outport = "ls2-ro2";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
nd_ns && nd.target == fe80::200:ff:fe00:201), action=(clone {outport =
"ls2-ro2"; output; }; outport = "_MC_flood_l2"; output;)
])
@@ -5118,8 +5120,10 @@ AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed
's/table=../table=??/' | sort],
table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
action=(outport = "_MC_flood"; output;)
table=??(ls_in_l2_lkup ), priority=75 , match=(eth.src ==
{00:00:00:00:01:01} && (arp.op == 1 || rarp.op == 3 || nd_ns)), action=(outport
= "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.1.1), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 30.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 30.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
nd_ns && nd.target == fe80::200:ff:fe00:101), action=(clone {outport =
"ls1-ro1"; output; }; outport = "_MC_flood_l2"; output;)
])
@@ -5133,7 +5137,9 @@ AT_CHECK([grep "ls_in_l2_lkup" ls2_lflows | sed
's/table=../table=??/' | sort],
table=??(ls_in_l2_lkup ), priority=75 , match=(eth.src ==
{00:00:00:00:02:01} && (arp.op == 1 || rarp.op == 3 || nd_ns)), action=(outport
= "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.2.1), action=(clone {outport = "ls2-ro2";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 20.0.0.100), action=(clone {outport = "ls2-ro2";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 20.0.0.200), action=(clone {outport = "ls2-ro2";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 40.0.0.100), action=(clone {outport = "ls2-ro2";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 40.0.0.200), action=(clone {outport = "ls2-ro2";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
nd_ns && nd.target == fe80::200:ff:fe00:201), action=(clone {outport =
"ls2-ro2"; output; }; outport = "_MC_flood_l2"; output;)
])
@@ -5151,9 +5157,11 @@ AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed
's/table=../table=??/' | sort],
table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
action=(outport = "_MC_flood"; output;)
table=??(ls_in_l2_lkup ), priority=75 , match=(eth.src ==
{00:00:00:00:01:01} && (arp.op == 1 || rarp.op == 3 || nd_ns)), action=(outport
= "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.1.1), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.1.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 30.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 30.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
nd_ns && nd.target == fe80::200:ff:fe00:101), action=(clone {outport =
"ls1-ro1"; output; }; outport = "_MC_flood_l2"; output;)
])
@@ -5169,9 +5177,11 @@ AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed
's/table=../table=??/' | sort],
table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
action=(outport = "_MC_flood"; output;)
table=??(ls_in_l2_lkup ), priority=75 , match=(eth.src ==
{00:00:00:00:01:01} && (arp.op == 1 || rarp.op == 3 || nd_ns)), action=(outport
= "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.1.1), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.1.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 30.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 30.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
nd_ns && nd.target == fe80::200:ff:fe00:101), action=(clone {outport =
"ls1-ro1"; output; }; outport = "_MC_flood_l2"; output;)
])
@@ -5193,9 +5203,11 @@ AT_CHECK([grep "ls_in_l2_lkup" ls1_lflows | sed
's/table=../table=??/' | sort],
table=??(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
action=(outport = "_MC_flood"; output;)
table=??(ls_in_l2_lkup ), priority=75 , match=(eth.src ==
{00:00:00:00:01:01} && (arp.op == 1 || rarp.op == 3 || nd_ns)), action=(outport
= "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 10.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.1.1), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 192.168.1.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 30.0.0.100), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
+ table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
arp.op == 1 && arp.tpa == 30.0.0.200), action=(clone {outport = "ls1-ro1";
output; }; outport = "_MC_flood_l2"; output;)
table=??(ls_in_l2_lkup ), priority=80 , match=(flags[[1]] == 0 &&
nd_ns && nd.target == fe80::200:ff:fe00:101), action=(clone {outport =
"ls1-ro1"; output; }; outport = "_MC_flood_l2"; output;)
])
--
2.43.0
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
