On Tue, Jan 9, 2024 at 8:59 AM Lorenzo Bianconi
<[email protected]> wrote:
>
> > On Fri, Dec 22, 2023 at 11:27 AM Lorenzo Bianconi
> > <[email protected]> wrote:
> > >
> > > Introduce specif flows for E/W ICMPv{4,6} packets if tunnelled packets
> > > do not fit path MTU. This patch enable PMTUD for East/West Geneve traffic.
> > >
> > > Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2241711
> > > Signed-off-by: Lorenzo Bianconi <[email protected]>
> >
> > Hi Lorenzo,
> >
> > Thanks for the patch. Please see below for a few comments.
>
> Hi Numan,
>
> thx for the review. Few comments inline.
>
> Regards,
> Lorenzo
>
> >
> >
> [...]
> > > +/* Following flows are used to manage traffic redirected by the kernel
> > > + * (e.g. ICMP errors packets) that enter the cluster from the geneve
> > > ports
> > > + */
> > > +static void
> > > +build_lrouter_icmp_packet_toobig_admin_flows(
> > > + struct ovn_port *op, struct hmap *lflows,
> > > + struct ds *match, struct ds *actions)
> > > +{
> > > + ovs_assert(op->nbrp);
> > > +
> > > + if (is_l3dgw_port(op)) {
> > > + ds_clear(match);
> > > + ds_put_format(match,
> > > + "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
> > > + " (ip6 && icmp6.type == 2 && icmp6.code == 0)) && "
> > > + "eth.dst == %s && !is_chassis_resident(%s)",
> > > + op->nbrp->mac, op->cr_port->json_key);
> > > + ds_clear(actions);
> > > + ds_put_format(actions, "outport = inport; inport = %s; next;",
> > > + op->json_key);
> > > + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_ADMISSION, 120,
> > > + ds_cstr(match), ds_cstr(actions));
> > > + }
> > > +
> > > + /* default flow */
> > > + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_ADMISSION, 110,
> > > + "(ip4 && icmp4.type == 3 && icmp4.code == 4) || "
> > > + "(ip6 && icmp6.type == 2 && icmp6.code == 0)", "next;
> > > ");
> > > +}
> > > +
> >
> > I don't think there is a need for default flow. If I understand
> > correctly, we are trying to handle
> > the scenario when the kernel generates the icmp needs frag error
> > packet. For the normal case i.e icmp
> > needs a frag error packet not generated by the kernel, it should
> > continue the normal flow.
>
> Reviewing the code I think it is wrong, but for icmp error "packet too big"
> traffic hitting a gw router port I think we need a 'default' flow since if the
> port is "local" to the hv we need to set the inport from the l3dgw_port port
> to
> the regular router one. Do you agree? (We need this flow just if
> is_l3dgw_port() is true).
I don't understand your point. For the scenario you mentioned about
icmp error "packet too big" packet, who generates it ?
Is it generated by the local kernel due to route mtu exception ?
If the port is local to the hypervisor, then the original packet will
never go out of the tunnel.
In my testing, I've one router port which has gateway chassis set and
I see the below logical flows added by this patch
---
table=0 (lr_in_admission ), priority=120 , match=(((ip4 &&
icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
icmp6.code == 0)) && eth.dst == 00:11:22:00:ff:01 &&
!is_chassis_resident("cr-lr0-public")), action=(outport = inport;
inport = "lr0-public"; next;)
table=0 (lr_in_admission ), priority=110 , match=((ip4 &&
icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
icmp6.code == 0)), action=(next; )
---
If the packet matches the first flow with priority 120, then the
outport/inport is set properly by the actions and it goes to the next
table. But if the packet doesn't hit the first flow or if that flow
is not installed
because is_chassis_resident("cr-lr0-public") is true, then the packet
will continue with the remaining matches in the "lr_in_admission"
table and will advance to the next stage.
So we don't need that flow.
>
> >
> >
> > > +static void
> > > +build_lswitch_icmp_packet_toobig_admin_flows(
> > > + struct ovn_port *op, struct hmap *lflows,
> > > + struct ds *match, struct ds *actions)
> > > +{
> > > + ovs_assert(op->nbsp);
> > > +
> > > + if (lsp_is_router(op->nbsp)) {
> > > + return;
> > > + }
> > > +
> > > + struct ovn_datapath *od = op->od;
> > > + for (int i = 0; i < od->n_router_ports; i++) {
> > > + struct ovn_port *peer = od->router_ports[i]->peer;
> > > + if (!peer) {
> > > + continue;
> > > + }
> > > +
> > > + ds_clear(match);
> > > + char *rp_port =
> > > + is_l3dgw_port(peer) ? peer->cr_port->json_key :
> > > peer->json_key;
> > > + ds_put_format(match,
> > > + "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
> > > + " (ip6 && icmp6.type == 2 && icmp6.code == 0)) && "
> > > + "eth.dst == %s && !is_chassis_resident(%s)",
> > > + peer->nbrp->mac, rp_port);
> > > + ds_clear(actions);
> > > + ds_put_format(actions, "outport = %s; inport = %s; output;",
> > > + od->router_ports[i]->json_key, op->json_key);
> > > + ovn_lflow_add(lflows, od, S_SWITCH_IN_CHECK_PORT_SEC, 120,
> > > + ds_cstr(match), ds_cstr(actions));
> > > + }
> >
> > I think with this we will end up adding two logical flows for every
> > logical port in the logical switch.
> > I don't think that's necessary.
> >
> > I think we should add the logical flow only for logical switch ports
> > of type router.
> > The function should return immediately if !lsp_is_router(op->nbsp).
>
> ack, agree. I will fix it.
>
> >
> > I think you can also match on the "inport == <lrp" in the first
> > logical flow of this function.
>
> If we use the inport as match I think it is hard to distinguish between the
> locally generated ICMP 'packet too big' traffic (generated by the kernel) and
> ICMP 'packet too big' sent by a remote node. Am I wrong or am I missing
> something?
You don't need to distinguish between the two. You just need to figure out
if the icmp error 'packet too big' is generated locally by geneve or NOT.
If the icmp error packet was actually received from the tunnel,
then the packet will continue with the pipeline. Only in the case where
kernel generates the icmp error packet due to route mtu exception, the inport
will be "lrp".
>
> >
> > Also I don't think there is a need for the default flow below.
> > The below logical flow by-passes the port security check which could
> > be exploited by a rogue pod/VM.
>
> ack, I will fix it.
>
>
> > Let me know if my suggestions don't work.
> >
> > Thanks
> > Numan
> >
> >
> > > +
> > > + /* default flow */
> > > + ovn_lflow_add(lflows, op->od, S_SWITCH_IN_CHECK_PORT_SEC, 110,
> > > + "(ip4 && icmp4.type == 3 && icmp4.code == 4) || "
> > > + "(ip6 && icmp6.type == 2 && icmp6.code == 0)", "next;
> > > ");
> > > +}
> > > +
> > > static void
> > > build_lrouter_force_snat_flows_op(struct ovn_port *op,
> > > struct hmap *lflows,
> > > @@ -16161,6 +16230,7 @@ build_lswitch_and_lrouter_iterate_by_lsp(struct
> > > ovn_port *op,
> > > build_lswitch_dhcp_options_and_response(op, lflows, meter_groups);
> > > build_lswitch_external_port(op, lflows);
> > > build_lswitch_ip_unicast_lookup(op, lflows, actions, match);
> > > + build_lswitch_icmp_packet_toobig_admin_flows(op, lflows, match,
> > > actions);
> > >
> > > /* Build Logical Router Flows. */
> > > build_ip_routing_flows_for_router_type_lsp(op, lr_ports, lflows);
> > > @@ -16197,6 +16267,8 @@ build_lswitch_and_lrouter_iterate_by_lrp(struct
> > > ovn_port *op,
> > > &lsi->match, &lsi->actions,
> > > lsi->meter_groups);
> > > build_lrouter_force_snat_flows_op(op, lsi->lflows, &lsi->match,
> > > &lsi->actions);
> > > + build_lrouter_icmp_packet_toobig_admin_flows(op, lsi->lflows,
> > > &lsi->match,
> > > + &lsi->actions);
> > > }
> > >
> > > static void *
> > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> > > index 97718821f..85576a845 100644
> > > --- a/northd/ovn-northd.8.xml
> > > +++ b/northd/ovn-northd.8.xml
> > > @@ -372,6 +372,20 @@
> > >
> > > <h3>Ingress Table 1: Ingress Port Security - Apply</h3>
> > >
> > > + <p>
> > > + For each logical switch port <var>P</var> a priority-120 flow that
> > > + matches icmp{4,6} error 'packet too big' and <code>eth.dst ==
> > > + <var>D</var> && !is_chassis_resident(<var>RP</var>)</code>
> > > where
> > > + <var>D</var> is the peer logical router port <var>RP</var> mac
> > > address,
> > > + stores <var>RP</var> peer port as outport, stores <var>P</var> as
> > > inport
> > > + and forward the packet to the egress pipeline.
> > > + </p>
> > > +
> > > + <p>
> > > + This table adds a priority-110 flow that matches icmp{4,6} error
> > > 'packet
> > > + too big' to forward the packet to the next stage in the pipeline.
> > > + </p>
> > > +
> > > <p>
> > > This table drops the packets if the port security check failed
> > > in the previous stage i.e the register bit
> > > @@ -2463,6 +2477,21 @@ output;
> > > (LBs, NAT).
> > > </p>
> > >
> > > + <p>
> > > + For each gateway port <var>GW</var> on a distributed logical
> > > router
> > > + a priority-120 flow that matches icmp{4,6} error 'packet too
> > > big' and
> > > + <code>eth.dst == <var>D</var> &&
> > > !is_chassis_resident(<var>
> > > + cr-GW</var>)</code> where <var>D</var> is the gateway port mac
> > > + address and <var>cr-GW</var> is the chassis resident port of
> > > + <var>GW</var>, swap inport and outport and stores <var>GW</var>
> > > + as inport.
> > > + </p>
> > > +
> > > + <p>
> > > + This table adds a priority-110 flow that matches icmp{4,6}
> > > error 'packet
> > > + too big' to forward the packet to the next stage in the
> > > pipeline.
> > > + </p>
> > > +
> > > <p>
> > > For a distributed logical router or for gateway router where
> > > the port is configured with <code>options:gateway_mtu</code>
> > > diff --git a/tests/multinode.at b/tests/multinode.at
> > > index 2b199b4bc..772134b7d 100644
> > > --- a/tests/multinode.at
> > > +++ b/tests/multinode.at
> > > @@ -42,7 +42,6 @@ M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3
> > > -i 0.3 -w 2 10.0.0.4 | F
> > > 3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > ])
> > >
> > > -
> > > # Create the second logical switch with one port
> > > check multinode_nbctl ls-add sw1
> > > check multinode_nbctl lsp-add sw1 sw1-port1
> > > @@ -72,3 +71,350 @@ M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c
> > > 3 -i 0.3 -w 2 20.0.0.3 | F
> > > ])
> > >
> > > AT_CLEANUP
> > > +
> > > +AT_SETUP([ovn multinode pmtu - distributed router])
> > > +
The test case added here will also run for the branch-23.03 and it will fail.
You need to skip this test for "multinode tests branch-22.03".
Check this commit (which was reverted) to skip this test for
branch-22.03 -
https://github.com/ovn-org/ovn/commit/450e41e783bfa69e4f9d6c80f6bcb01147d5cfe1
Please add the changes in "ovn-fake-multinode-tests.yml" of the above
commit to this patch.
Thanks
Numan
> > > +# Check that ovn-fake-multinode setup is up and running
> > > +check_fake_multinode_setup
> > > +
> > > +# Delete the multinode NB and OVS resources before starting the test.
> > > +cleanup_multinode_resources
> > > +
> > > +m_as ovn-chassis-1 ip link del sw0p1-p
> > > +m_as ovn-chassis-2 ip link del sw0p2-p
> > > +m_as ovn-chassis-2 ip link del sw1p1-p
> > > +
> > > +# Reset geneve tunnels
> > > +for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
> > > +do
> > > + m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=geneve
> > > +done
> > > +
> > > +OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q genev_sys])
> > > +OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q genev_sys])
> > > +OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q genev_sys])
> > > +
> > > +# Test East-West switching
> > > +check multinode_nbctl ls-add sw0
> > > +check multinode_nbctl lsp-add sw0 sw0-port1
> > > +check multinode_nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:03
> > > 10.0.0.3 1000::3"
> > > +check multinode_nbctl lsp-add sw0 sw0-port2
> > > +check multinode_nbctl lsp-set-addresses sw0-port2 "50:54:00:00:00:04
> > > 10.0.0.4 1000::4"
> > > +
> > > +m_as ovn-chassis-1 /data/create_fake_vm.sh sw0-port1 sw0p1
> > > 50:54:00:00:00:03 10.0.0.3 24 10.0.0.1 1000::3/64 1000::a
> > > +m_as ovn-chassis-2 /data/create_fake_vm.sh sw0-port2 sw0p2
> > > 50:54:00:00:00:04 10.0.0.4 24 10.0.0.1 1000::4/64 1000::a
> > > +
> > > +m_wait_for_ports_up
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 10.0.0.4 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +# Create the second logical switch with one port
> > > +check multinode_nbctl ls-add sw1
> > > +check multinode_nbctl lsp-add sw1 sw1-port1
> > > +check multinode_nbctl lsp-set-addresses sw1-port1 "40:54:00:00:00:03
> > > 20.0.0.3 2000::3"
> > > +
> > > +# Create a logical router and attach both logical switches
> > > +check multinode_nbctl lr-add lr0
> > > +check multinode_nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
> > > 1000::a/64
> > > +check multinode_nbctl lsp-add sw0 sw0-lr0
> > > +check multinode_nbctl lsp-set-type sw0-lr0 router
> > > +check multinode_nbctl lsp-set-addresses sw0-lr0 router
> > > +check multinode_nbctl lsp-set-options sw0-lr0 router-port=lr0-sw0
> > > +
> > > +check multinode_nbctl lrp-add lr0 lr0-sw1 00:00:00:00:ff:02 20.0.0.1/24
> > > 2000::a/64
> > > +check multinode_nbctl lsp-add sw1 sw1-lr0
> > > +check multinode_nbctl lsp-set-type sw1-lr0 router
> > > +check multinode_nbctl lsp-set-addresses sw1-lr0 router
> > > +check multinode_nbctl lsp-set-options sw1-lr0 router-port=lr0-sw1
> > > +
> > > +m_as ovn-chassis-2 /data/create_fake_vm.sh sw1-port1 sw1p1
> > > 40:54:00:00:00:03 20.0.0.3 24 20.0.0.1 2000::3/64 2000::a
> > > +
> > > +# create exteranl connection for N/S traffic
> > > +check multinode_nbctl ls-add public
> > > +check multinode_nbctl lsp-add public ln-lublic
> > > +check multinode_nbctl lsp-set-type ln-lublic localnet
> > > +check multinode_nbctl lsp-set-addresses ln-lublic unknown
> > > +check multinode_nbctl lsp-set-options ln-lublic network_name=public
> > > +
> > > +check multinode_nbctl lrp-add lr0 lr0-public 00:11:22:00:ff:01
> > > 172.20.0.100/24
> > > +check multinode_nbctl lsp-add public public-lr0
> > > +check multinode_nbctl lsp-set-type public-lr0 router
> > > +check multinode_nbctl lsp-set-addresses public-lr0 router
> > > +check multinode_nbctl lsp-set-options public-lr0 router-port=lr0-public
> > > +check multinode_nbctl lrp-set-gateway-chassis lr0-public ovn-gw-1 10
> > > +check multinode_nbctl lr-route-add lr0 0.0.0.0/0 172.20.0.1
> > > +
> > > +check multinode_nbctl lr-nat-add lr0 snat 172.20.0.100 10.0.0.0/24
> > > +check multinode_nbctl lr-nat-add lr0 snat 172.20.0.100 20.0.0.0/24
> > > +
> > > +# create some ACLs
> > > +check multinode_nbctl acl-add sw0 from-lport 1002 'ip4 || ip6'
> > > allow-related
> > > +check multinode_nbctl acl-add sw1 from-lport 1002 'ip4 || ip6'
> > > allow-related
> > > +
> > > +m_as ovn-gw-1 ip netns add ovn-ext0
> > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext0 -- set interface ext0
> > > type=internal
> > > +m_as ovn-gw-1 ip link set ext0 netns ovn-ext0
> > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip link set ext0 up
> > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip addr add 172.20.0.1/24 dev ext0
> > > +
> > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext1 -- set interface ext1
> > > type=internal
> > > +m_as ovn-gw-1 ip link set ext1 netns ovn-ext0
> > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip link set ext1 up
> > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip addr add 172.20.1.1/24 dev ext1
> > > +
> > > +m_as ovn-gw-1 ip netns add ovn-ext2
> > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext2 -- set interface ext2
> > > type=internal
> > > +m_as ovn-gw-1 ip link set ext2 netns ovn-ext2
> > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip link set ext2 up
> > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip addr add 172.20.1.2/24 dev ext2
> > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip route add default via 172.20.1.1
> > > dev ext2
> > > +
> > > +m_as ovn-gw-1 ovs-vsctl set open .
> > > external-ids:ovn-bridge-mappings=public:br-ex
> > > +m_as ovn-chassis-1 ovs-vsctl set open .
> > > external-ids:ovn-bridge-mappings=public:br-ex
> > > +m_as ovn-chassis-2 ovs-vsctl set open .
> > > external-ids:ovn-bridge-mappings=public:br-ex
> > > +
> > > +m_wait_for_ports_up sw1-port1
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 20.0.0.3 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +# Change ptmu for the geneve tunnel
> > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do
> > > 20.0.0.3 2>&1 |grep -q "message too long, mtu=1142"])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev
> > > sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > 10.0.0.1 dev sw0p1])
> > > +
> > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1400 dev eth1
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping6 -c 5 -s 1450 -M do
> > > 2000::3 2>&1 |grep -q "message too long, mtu: 1342"])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 172.20.1.2 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-gw-1], [ovn-ext0], [ip link set dev ext1 mtu 1000])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 10 -s 1300 -M do
> > > 172.20.1.2 2>&1 |grep -q "mtu = 1000"])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 172.20.1.2 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +# Create vxlan tunnels
> > > +for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
> > > +do
> > > + m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=vxlan
> > > +done
> > > +
> > > +OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q vxlan_sys])
> > > +OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q vxlan_sys])
> > > +OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q vxlan_sys])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev
> > > sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > 10.0.0.1 dev sw0p1])
> > > +
> > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 20.0.0.3 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do
> > > 20.0.0.3 2>&1 |grep -q "message too long, mtu=1150"])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev
> > > sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > 10.0.0.1 dev sw0p1])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-gw-1], [ovn-ext0], [ip link set dev ext1 mtu 1100])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 172.20.1.2 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 20 -i 0.5 -s 1300 -M
> > > do 172.20.1.2 2>&1 |grep -q "mtu = 1150"])
> > > +
> > > +AT_CLEANUP
> > > +
> > > +AT_SETUP([ovn multinode pmtu - gw_router_port])
> > > +
> > > +# Check that ovn-fake-multinode setup is up and running
> > > +check_fake_multinode_setup
> > > +
> > > +# Delete the multinode NB and OVS resources before starting the test.
> > > +cleanup_multinode_resources
> > > +
> > > +m_as ovn-chassis-1 ip link del sw0p1-p
> > > +m_as ovn-chassis-2 ip link del sw0p2-p
> > > +m_as ovn-chassis-2 ip link del sw1p1-p
> > > +
> > > +# Reset geneve tunnels
> > > +for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
> > > +do
> > > + m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=geneve
> > > +done
> > > +
> > > +OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q genev_sys])
> > > +OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q genev_sys])
> > > +OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q genev_sys])
> > > +
> > > +# Test East-West switching
> > > +check multinode_nbctl ls-add sw0
> > > +check multinode_nbctl lsp-add sw0 sw0-port1
> > > +check multinode_nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:03
> > > 10.0.0.3 1000::3"
> > > +check multinode_nbctl lsp-add sw0 sw0-port2
> > > +check multinode_nbctl lsp-set-addresses sw0-port2 "50:54:00:00:00:04
> > > 10.0.0.4 1000::4"
> > > +
> > > +m_as ovn-chassis-1 /data/create_fake_vm.sh sw0-port1 sw0p1
> > > 50:54:00:00:00:03 10.0.0.3 24 10.0.0.1 1000::3/64 1000::a
> > > +m_as ovn-chassis-2 /data/create_fake_vm.sh sw0-port2 sw0p2
> > > 50:54:00:00:00:04 10.0.0.4 24 10.0.0.1 1000::4/64 1000::a
> > > +
> > > +m_wait_for_ports_up
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 10.0.0.4 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +# Create the second logical switch with one port
> > > +check multinode_nbctl ls-add sw1
> > > +check multinode_nbctl lsp-add sw1 sw1-port1
> > > +check multinode_nbctl lsp-set-addresses sw1-port1 "40:54:00:00:00:03
> > > 20.0.0.3 2000::3"
> > > +
> > > +# Create a logical router and attach both logical switches
> > > +check multinode_nbctl lr-add lr0
> > > +check multinode_nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
> > > 1000::a/64
> > > +check multinode_nbctl lsp-add sw0 sw0-lr0
> > > +check multinode_nbctl lsp-set-type sw0-lr0 router
> > > +check multinode_nbctl lsp-set-addresses sw0-lr0 router
> > > +check multinode_nbctl lsp-set-options sw0-lr0 router-port=lr0-sw0
> > > +
> > > +check multinode_nbctl lrp-add lr0 lr0-sw1 00:00:00:00:ff:02 20.0.0.1/24
> > > 2000::a/64
> > > +check multinode_nbctl lsp-add sw1 sw1-lr0
> > > +check multinode_nbctl lsp-set-type sw1-lr0 router
> > > +check multinode_nbctl lsp-set-addresses sw1-lr0 router
> > > +check multinode_nbctl lsp-set-options sw1-lr0 router-port=lr0-sw1
> > > +
> > > +m_as ovn-chassis-2 /data/create_fake_vm.sh sw1-port1 sw1p1
> > > 40:54:00:00:00:03 20.0.0.3 24 20.0.0.1 2000::3/64 2000::a
> > > +
> > > +# create exteranl connection for N/S traffic
> > > +check multinode_nbctl ls-add public
> > > +check multinode_nbctl lsp-add public ln-lublic
> > > +check multinode_nbctl lsp-set-type ln-lublic localnet
> > > +check multinode_nbctl lsp-set-addresses ln-lublic unknown
> > > +check multinode_nbctl lsp-set-options ln-lublic network_name=public
> > > +
> > > +check multinode_nbctl lrp-add lr0 lr0-public 00:11:22:00:ff:01
> > > 172.20.0.100/24
> > > +check multinode_nbctl lsp-add public public-lr0
> > > +check multinode_nbctl lsp-set-type public-lr0 router
> > > +check multinode_nbctl lsp-set-addresses public-lr0 router
> > > +check multinode_nbctl lsp-set-options public-lr0 router-port=lr0-public
> > > +check multinode_nbctl lrp-set-gateway-chassis lr0-public ovn-gw-1 10
> > > +check multinode_nbctl lr-route-add lr0 0.0.0.0/0 172.20.0.1
> > > +
> > > +check multinode_nbctl lr-nat-add lr0 snat 172.20.0.100 10.0.0.0/24
> > > +check multinode_nbctl lr-nat-add lr0 snat 172.20.0.100 20.0.0.0/24
> > > +
> > > +check multinode_nbctl lrp-set-gateway-chassis lr0-sw0 ovn-chassis-1 10
> > > +check multinode_nbctl lrp-set-gateway-chassis lr0-sw1 ovn-chassis-2 10
> > > +
> > > +# create some ACLs
> > > +check multinode_nbctl acl-add sw0 from-lport 1002 'ip4 || ip6'
> > > allow-related
> > > +check multinode_nbctl acl-add sw1 from-lport 1002 'ip4 || ip6'
> > > allow-related
> > > +
> > > +m_as ovn-gw-1 ip netns add ovn-ext0
> > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext0 -- set interface ext0
> > > type=internal
> > > +m_as ovn-gw-1 ip link set ext0 netns ovn-ext0
> > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip link set ext0 up
> > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip addr add 172.20.0.1/24 dev ext0
> > > +
> > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext1 -- set interface ext1
> > > type=internal
> > > +m_as ovn-gw-1 ip link set ext1 netns ovn-ext0
> > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip link set ext1 up
> > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip addr add 172.20.1.1/24 dev ext1
> > > +
> > > +m_as ovn-gw-1 ip netns add ovn-ext2
> > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext2 -- set interface ext2
> > > type=internal
> > > +m_as ovn-gw-1 ip link set ext2 netns ovn-ext2
> > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip link set ext2 up
> > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip addr add 172.20.1.2/24 dev ext2
> > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip route add default via 172.20.1.1
> > > dev ext2
> > > +
> > > +m_as ovn-gw-1 ovs-vsctl set open .
> > > external-ids:ovn-bridge-mappings=public:br-ex
> > > +m_as ovn-chassis-1 ovs-vsctl set open .
> > > external-ids:ovn-bridge-mappings=public:br-ex
> > > +m_as ovn-chassis-2 ovs-vsctl set open .
> > > external-ids:ovn-bridge-mappings=public:br-ex
> > > +
> > > +m_wait_for_ports_up sw1-port1
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 20.0.0.3 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev
> > > sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > 10.0.0.1 dev sw0p1])
> > > +
> > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do
> > > 20.0.0.3 2>&1 |grep -q "message too long, mtu=1142"])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev
> > > sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > 10.0.0.1 dev sw0p1])
> > > +
> > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1400 dev eth1
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping6 -c 5 -s 1450 -M do
> > > 2000::3 2>&1 |grep -q "message too long, mtu: 1342"])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev
> > > sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > 10.0.0.1 dev sw0p1])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 172.20.1.2 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-gw-1], [ovn-ext0], [ip link set dev ext1 mtu 1100])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 20 -i 0.5 -s 1300 -M
> > > do 172.20.1.2 2>&1 |grep -q "mtu = 1100"])
> > > +
> > > +# Create vxlan tunnels
> > > +for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
> > > +do
> > > + m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=vxlan
> > > +done
> > > +
> > > +OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q vxlan_sys])
> > > +OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q vxlan_sys])
> > > +OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q vxlan_sys])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev
> > > sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > 10.0.0.1 dev sw0p1])
> > > +
> > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 20.0.0.3 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do
> > > 20.0.0.3 2>&1 |grep -q "message too long, mtu=1150"])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24 dev
> > > sw0p1])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > 10.0.0.1 dev sw0p1])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-gw-1], [ovn-ext0], [ip link set dev ext1 mtu 1100])
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > 172.20.1.2 | FORMAT_PING], \
> > > +[0], [dnl
> > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > +])
> > > +
> > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 20 -i 0.5 -s 1300 -M
> > > do 172.20.1.2 2>&1 |grep -q "mtu = 1150"])
> > > +
> > > +AT_CLEANUP
> > > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > > index a267daca2..223e53991 100644
> > > --- a/tests/ovn-northd.at
> > > +++ b/tests/ovn-northd.at
> > > @@ -6492,6 +6492,9 @@ AT_CAPTURE_FILE([lrflows])
> > >
> > > # Check the flows in lr_in_admission stage
> > > AT_CHECK([grep lr_in_admission lrflows | grep cr-DR | sort], [0], [dnl
> > > + table=0 (lr_in_admission ), priority=120 , match=(((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)) && eth.dst == 02:ac:10:01:00:01 &&
> > > !is_chassis_resident("cr-DR-S1")), action=(outport = inport; inport =
> > > "DR-S1"; next;)
> > > + table=0 (lr_in_admission ), priority=120 , match=(((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)) && eth.dst == 03:ac:10:01:00:01 &&
> > > !is_chassis_resident("cr-DR-S2")), action=(outport = inport; inport =
> > > "DR-S2"; next;)
> > > + table=0 (lr_in_admission ), priority=120 , match=(((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)) && eth.dst == 04:ac:10:01:00:01 &&
> > > !is_chassis_resident("cr-DR-S3")), action=(outport = inport; inport =
> > > "DR-S3"; next;)
> > > table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
> > > 02:ac:10:01:00:01 && inport == "DR-S1" &&
> > > is_chassis_resident("cr-DR-S1")), action=(xreg0[[0..47]] =
> > > 02:ac:10:01:00:01; next;)
> > > table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
> > > 03:ac:10:01:00:01 && inport == "DR-S2" &&
> > > is_chassis_resident("cr-DR-S2")), action=(xreg0[[0..47]] =
> > > 03:ac:10:01:00:01; next;)
> > > table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
> > > 04:ac:10:01:00:01 && inport == "DR-S3" &&
> > > is_chassis_resident("cr-DR-S3")), action=(xreg0[[0..47]] =
> > > 04:ac:10:01:00:01; next;)
> > > @@ -6551,6 +6554,7 @@ AT_CAPTURE_FILE([lrflows])
> > >
> > > # Check the flows in lr_in_admission stage
> > > AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed
> > > 's/table=../table=??/' | sort], [0], [dnl
> > > + table=??(lr_in_admission ), priority=120 , match=(((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)) && eth.dst == 00:00:00:00:00:01 &&
> > > !is_chassis_resident("cr-lrp1")), action=(outport = inport; inport =
> > > "lrp1"; next;)
> > > table=??(lr_in_admission ), priority=50 , match=(eth.dst ==
> > > 00:00:00:00:00:01 && inport == "lrp1" && is_chassis_resident("cr-lrp1")),
> > > action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;)
> > > table=??(lr_in_admission ), priority=50 , match=(eth.mcast &&
> > > inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;)
> > > ])
> > > @@ -6572,6 +6576,7 @@ AT_CAPTURE_FILE([lrflows])
> > >
> > > # Check the flows in lr_in_admission stage
> > > AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed
> > > 's/table=../table=??/' | sort], [0], [dnl
> > > + table=??(lr_in_admission ), priority=120 , match=(((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)) && eth.dst == 00:00:00:00:00:01 &&
> > > !is_chassis_resident("cr-lrp1")), action=(outport = inport; inport =
> > > "lrp1"; next;)
> > > table=??(lr_in_admission ), priority=50 , match=(eth.dst ==
> > > 00:00:00:00:00:01 && inport == "lrp1"), action=(xreg0[[0..47]] =
> > > 00:00:00:00:00:01; next;)
> > > table=??(lr_in_admission ), priority=50 , match=(eth.mcast &&
> > > inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;)
> > > ])
> > > @@ -6590,6 +6595,7 @@ AT_CAPTURE_FILE([lrflows])
> > >
> > > # Check the flows in lr_in_admission stage
> > > AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed
> > > 's/table=../table=??/' | sort], [0], [dnl
> > > + table=??(lr_in_admission ), priority=120 , match=(((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)) && eth.dst == 00:00:00:00:00:01 &&
> > > !is_chassis_resident("cr-lrp1")), action=(outport = inport; inport =
> > > "lrp1"; next;)
> > > table=??(lr_in_admission ), priority=50 , match=(eth.dst ==
> > > 00:00:00:00:00:01 && inport == "lrp1" && is_chassis_resident("cr-lrp1")),
> > > action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;)
> > > table=??(lr_in_admission ), priority=50 , match=(eth.mcast &&
> > > inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;)
> > > ])
> > > @@ -8343,6 +8349,9 @@ AT_CHECK([cat sw0flows | grep -e port_sec -e
> > > ls_in_l2_lkup -e ls_in_l2_unknown |
> > > sort | sed 's/table=../table=??/' ], [0], [dnl
> > > table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> > > action=(drop;)
> > > table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> > > action=(drop;)
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > table=??(ls_in_apply_port_sec), priority=0 , match=(1),
> > > action=(next;)
> > > table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] ==
> > > 1), action=(drop;)
> > > @@ -8369,6 +8378,9 @@ AT_CHECK([cat sw0flows | grep -e port_sec -e
> > > ls_in_l2_lkup -e ls_in_l2_unknown |
> > > sort | sed 's/table=../table=??/' ], [0], [dnl
> > > table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> > > action=(drop;)
> > > table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> > > action=(drop;)
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > table=??(ls_in_apply_port_sec), priority=0 , match=(1),
> > > action=(next;)
> > > table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] ==
> > > 1), action=(drop;)
> > > @@ -8396,6 +8408,9 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
> > > table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> > > action=(drop;)
> > > table=??(ls_in_check_port_sec), priority=100 , match=(inport ==
> > > "sw0p1"), action=(reg0[[15]] = 1; next;)
> > > table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> > > action=(drop;)
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > table=??(ls_in_apply_port_sec), priority=0 , match=(1),
> > > action=(next;)
> > > table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] ==
> > > 1), action=(drop;)
> > > @@ -8422,6 +8437,9 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
> > > table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> > > action=(drop;)
> > > table=??(ls_in_check_port_sec), priority=100 , match=(inport ==
> > > "sw0p1"), action=(reg0[[15]] = 1; next;)
> > > table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> > > action=(drop;)
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > table=??(ls_in_check_port_sec), priority=70 , match=(inport ==
> > > "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec(); next;)
> > > table=??(ls_in_apply_port_sec), priority=0 , match=(1),
> > > action=(next;)
> > > @@ -8451,6 +8469,9 @@ AT_CHECK([cat sw0flows | grep -e port_sec -e
> > > ls_in_l2_lkup -e ls_in_l2_unknown |
> > > sort | sed 's/table=../table=??/' ], [0], [dnl
> > > table=??(ls_in_check_port_sec), priority=100 , match=(eth.src[[40]]),
> > > action=(drop;)
> > > table=??(ls_in_check_port_sec), priority=100 , match=(vlan.present),
> > > action=(drop;)
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > icmp6.code == 0)), action=(next; )
> > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > table=??(ls_in_check_port_sec), priority=70 , match=(inport ==
> > > "localnetport"), action=(set_queue(10); reg0[[15]] = check_in_port_sec();
> > > next;)
> > > table=??(ls_in_check_port_sec), priority=70 , match=(inport ==
> > > "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=17);)
> > > --
> > > 2.43.0
> > >
> > >
> > > _______________________________________________
> > > dev mailing list
> > > [email protected]
> > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> > >
> >
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
