> On Tue, Jan 9, 2024 at 8:59 AM Lorenzo Bianconi
> <[email protected]> wrote:
> >
> > > On Fri, Dec 22, 2023 at 11:27 AM Lorenzo Bianconi
> > > <[email protected]> wrote:
> > > >
> > > > Introduce specif flows for E/W ICMPv{4,6} packets if tunnelled packets
> > > > do not fit path MTU. This patch enable PMTUD for East/West Geneve
> > > > traffic.
> > > >
> > > > Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2241711
> > > > Signed-off-by: Lorenzo Bianconi <[email protected]>
> > >
> > > Hi Lorenzo,
> > >
> > > Thanks for the patch. Please see below for a few comments.
> >
> > Hi Numan,
> >
> > thx for the review. Few comments inline.
> >
> > Regards,
> > Lorenzo
> >
> > >
> > >
> > [...]
> > > > +/* Following flows are used to manage traffic redirected by the kernel
> > > > + * (e.g. ICMP errors packets) that enter the cluster from the geneve
> > > > ports
> > > > + */
> > > > +static void
> > > > +build_lrouter_icmp_packet_toobig_admin_flows(
> > > > + struct ovn_port *op, struct hmap *lflows,
> > > > + struct ds *match, struct ds *actions)
> > > > +{
> > > > + ovs_assert(op->nbrp);
> > > > +
> > > > + if (is_l3dgw_port(op)) {
> > > > + ds_clear(match);
> > > > + ds_put_format(match,
> > > > + "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
> > > > + " (ip6 && icmp6.type == 2 && icmp6.code == 0))
> > > > && "
> > > > + "eth.dst == %s && !is_chassis_resident(%s)",
> > > > + op->nbrp->mac, op->cr_port->json_key);
> > > > + ds_clear(actions);
> > > > + ds_put_format(actions, "outport = inport; inport = %s; next;",
> > > > + op->json_key);
> > > > + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_ADMISSION, 120,
> > > > + ds_cstr(match), ds_cstr(actions));
> > > > + }
> > > > +
> > > > + /* default flow */
> > > > + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_ADMISSION, 110,
> > > > + "(ip4 && icmp4.type == 3 && icmp4.code == 4) || "
> > > > + "(ip6 && icmp6.type == 2 && icmp6.code == 0)",
> > > > "next; ");
> > > > +}
> > > > +
> > >
> > > I don't think there is a need for default flow. If I understand
> > > correctly, we are trying to handle
> > > the scenario when the kernel generates the icmp needs frag error
> > > packet. For the normal case i.e icmp
> > > needs a frag error packet not generated by the kernel, it should
> > > continue the normal flow.
> >
> > Reviewing the code I think it is wrong, but for icmp error "packet too big"
> > traffic hitting a gw router port I think we need a 'default' flow since if
> > the
> > port is "local" to the hv we need to set the inport from the l3dgw_port
> > port to
> > the regular router one. Do you agree? (We need this flow just if
> > is_l3dgw_port() is true).
>
> I don't understand your point. For the scenario you mentioned about
> icmp error "packet too big" packet, who generates it ?
> Is it generated by the local kernel due to route mtu exception ?
>
> If the port is local to the hypervisor, then the original packet will
> never go out of the tunnel.
>
> In my testing, I've one router port which has gateway chassis set and
> I see the below logical flows added by this patch
>
> ---
> table=0 (lr_in_admission ), priority=120 , match=(((ip4 &&
> icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> icmp6.code == 0)) && eth.dst == 00:11:22:00:ff:01 &&
> !is_chassis_resident("cr-lr0-public")), action=(outport = inport;
> inport = "lr0-public"; next;)
> table=0 (lr_in_admission ), priority=110 , match=((ip4 &&
> icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> icmp6.code == 0)), action=(next; )
> ---
>
> If the packet matches the first flow with priority 120, then the
> outport/inport is set properly by the actions and it goes to the next
> table. But if the packet doesn't hit the first flow or if that flow
> is not installed
> because is_chassis_resident("cr-lr0-public") is true, then the packet
> will continue with the remaining matches in the "lr_in_admission"
> table and will advance to the next stage.
> So we don't need that flow.
Hi Numan,
reading my previous email I think I have not been very clear, sorry for that :(
Let's assume N/S traffic and an ICMP error message 'packet too big'
not generated locally (let's say from a device outside the cluster).
In table OFTABLE_PHY_TO_LOG we resumbit this packet to table
OFTABLE_LOG_INGRESS_PIPELINE.
What I mean is for this packet we need a flow to set inport from
'cr-lr0-public' to
'lr0-public' since in this case since we are not hitting the flows you reported
above, right?
Am I missing something?
>
>
> >
> > >
> > >
> > > > +static void
> > > > +build_lswitch_icmp_packet_toobig_admin_flows(
> > > > + struct ovn_port *op, struct hmap *lflows,
> > > > + struct ds *match, struct ds *actions)
> > > > +{
> > > > + ovs_assert(op->nbsp);
> > > > +
> > > > + if (lsp_is_router(op->nbsp)) {
> > > > + return;
> > > > + }
> > > > +
> > > > + struct ovn_datapath *od = op->od;
> > > > + for (int i = 0; i < od->n_router_ports; i++) {
> > > > + struct ovn_port *peer = od->router_ports[i]->peer;
> > > > + if (!peer) {
> > > > + continue;
> > > > + }
> > > > +
> > > > + ds_clear(match);
> > > > + char *rp_port =
> > > > + is_l3dgw_port(peer) ? peer->cr_port->json_key :
> > > > peer->json_key;
> > > > + ds_put_format(match,
> > > > + "((ip4 && icmp4.type == 3 && icmp4.code == 4) ||"
> > > > + " (ip6 && icmp6.type == 2 && icmp6.code == 0))
> > > > && "
> > > > + "eth.dst == %s && !is_chassis_resident(%s)",
> > > > + peer->nbrp->mac, rp_port);
> > > > + ds_clear(actions);
> > > > + ds_put_format(actions, "outport = %s; inport = %s; output;",
> > > > + od->router_ports[i]->json_key, op->json_key);
> > > > + ovn_lflow_add(lflows, od, S_SWITCH_IN_CHECK_PORT_SEC, 120,
> > > > + ds_cstr(match), ds_cstr(actions));
> > > > + }
> > >
> > > I think with this we will end up adding two logical flows for every
> > > logical port in the logical switch.
> > > I don't think that's necessary.
> > >
> > > I think we should add the logical flow only for logical switch ports
> > > of type router.
> > > The function should return immediately if !lsp_is_router(op->nbsp).
> >
> > ack, agree. I will fix it.
> >
> > >
> > > I think you can also match on the "inport == <lrp" in the first
> > > logical flow of this function.
> >
> > If we use the inport as match I think it is hard to distinguish between the
> > locally generated ICMP 'packet too big' traffic (generated by the kernel)
> > and
> > ICMP 'packet too big' sent by a remote node. Am I wrong or am I missing
> > something?
>
> You don't need to distinguish between the two. You just need to figure out
> if the icmp error 'packet too big' is generated locally by geneve or NOT.
yes
>
> If the icmp error packet was actually received from the tunnel,
> then the packet will continue with the pipeline. Only in the case where
> kernel generates the icmp error packet due to route mtu exception, the inport
> will be "lrp".
I do not think we can use inport for vxlan tunnels, right? In physical_run() we
just set the outport from tunnel_id for vxlan. Can we just use eth.dst in this
case too?
>
>
> >
> > >
> > > Also I don't think there is a need for the default flow below.
> > > The below logical flow by-passes the port security check which could
> > > be exploited by a rogue pod/VM.
> >
> > ack, I will fix it.
> >
>
> >
> > > Let me know if my suggestions don't work.
> > >
> > > Thanks
> > > Numan
> > >
> > >
> > > > +
> > > > + /* default flow */
> > > > + ovn_lflow_add(lflows, op->od, S_SWITCH_IN_CHECK_PORT_SEC, 110,
> > > > + "(ip4 && icmp4.type == 3 && icmp4.code == 4) || "
> > > > + "(ip6 && icmp6.type == 2 && icmp6.code == 0)",
> > > > "next; ");
> > > > +}
> > > > +
> > > > static void
> > > > build_lrouter_force_snat_flows_op(struct ovn_port *op,
> > > > struct hmap *lflows,
> > > > @@ -16161,6 +16230,7 @@ build_lswitch_and_lrouter_iterate_by_lsp(struct
> > > > ovn_port *op,
> > > > build_lswitch_dhcp_options_and_response(op, lflows, meter_groups);
> > > > build_lswitch_external_port(op, lflows);
> > > > build_lswitch_ip_unicast_lookup(op, lflows, actions, match);
> > > > + build_lswitch_icmp_packet_toobig_admin_flows(op, lflows, match,
> > > > actions);
> > > >
> > > > /* Build Logical Router Flows. */
> > > > build_ip_routing_flows_for_router_type_lsp(op, lr_ports, lflows);
> > > > @@ -16197,6 +16267,8 @@ build_lswitch_and_lrouter_iterate_by_lrp(struct
> > > > ovn_port *op,
> > > > &lsi->match, &lsi->actions,
> > > > lsi->meter_groups);
> > > > build_lrouter_force_snat_flows_op(op, lsi->lflows, &lsi->match,
> > > > &lsi->actions);
> > > > + build_lrouter_icmp_packet_toobig_admin_flows(op, lsi->lflows,
> > > > &lsi->match,
> > > > + &lsi->actions);
> > > > }
> > > >
> > > > static void *
> > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> > > > index 97718821f..85576a845 100644
> > > > --- a/northd/ovn-northd.8.xml
> > > > +++ b/northd/ovn-northd.8.xml
> > > > @@ -372,6 +372,20 @@
> > > >
> > > > <h3>Ingress Table 1: Ingress Port Security - Apply</h3>
> > > >
> > > > + <p>
> > > > + For each logical switch port <var>P</var> a priority-120 flow
> > > > that
> > > > + matches icmp{4,6} error 'packet too big' and <code>eth.dst ==
> > > > + <var>D</var> &&
> > > > !is_chassis_resident(<var>RP</var>)</code> where
> > > > + <var>D</var> is the peer logical router port <var>RP</var> mac
> > > > address,
> > > > + stores <var>RP</var> peer port as outport, stores <var>P</var>
> > > > as inport
> > > > + and forward the packet to the egress pipeline.
> > > > + </p>
> > > > +
> > > > + <p>
> > > > + This table adds a priority-110 flow that matches icmp{4,6} error
> > > > 'packet
> > > > + too big' to forward the packet to the next stage in the pipeline.
> > > > + </p>
> > > > +
> > > > <p>
> > > > This table drops the packets if the port security check failed
> > > > in the previous stage i.e the register bit
> > > > @@ -2463,6 +2477,21 @@ output;
> > > > (LBs, NAT).
> > > > </p>
> > > >
> > > > + <p>
> > > > + For each gateway port <var>GW</var> on a distributed logical
> > > > router
> > > > + a priority-120 flow that matches icmp{4,6} error 'packet too
> > > > big' and
> > > > + <code>eth.dst == <var>D</var> &&
> > > > !is_chassis_resident(<var>
> > > > + cr-GW</var>)</code> where <var>D</var> is the gateway port
> > > > mac
> > > > + address and <var>cr-GW</var> is the chassis resident port of
> > > > + <var>GW</var>, swap inport and outport and stores
> > > > <var>GW</var>
> > > > + as inport.
> > > > + </p>
> > > > +
> > > > + <p>
> > > > + This table adds a priority-110 flow that matches icmp{4,6}
> > > > error 'packet
> > > > + too big' to forward the packet to the next stage in the
> > > > pipeline.
> > > > + </p>
> > > > +
> > > > <p>
> > > > For a distributed logical router or for gateway router where
> > > > the port is configured with <code>options:gateway_mtu</code>
> > > > diff --git a/tests/multinode.at b/tests/multinode.at
> > > > index 2b199b4bc..772134b7d 100644
> > > > --- a/tests/multinode.at
> > > > +++ b/tests/multinode.at
> > > > @@ -42,7 +42,6 @@ M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c
> > > > 3 -i 0.3 -w 2 10.0.0.4 | F
> > > > 3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > ])
> > > >
> > > > -
> > > > # Create the second logical switch with one port
> > > > check multinode_nbctl ls-add sw1
> > > > check multinode_nbctl lsp-add sw1 sw1-port1
> > > > @@ -72,3 +71,350 @@ M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q
> > > > -c 3 -i 0.3 -w 2 20.0.0.3 | F
> > > > ])
> > > >
> > > > AT_CLEANUP
> > > > +
> > > > +AT_SETUP([ovn multinode pmtu - distributed router])
> > > > +
>
> The test case added here will also run for the branch-23.03 and it will fail.
>
> You need to skip this test for "multinode tests branch-22.03".
>
> Check this commit (which was reverted) to skip this test for
> branch-22.03 -
> https://github.com/ovn-org/ovn/commit/450e41e783bfa69e4f9d6c80f6bcb01147d5cfe1
acj, I will fix it.
Regards,
Lorenzo
>
> Please add the changes in "ovn-fake-multinode-tests.yml" of the above
> commit to this patch.
>
>
> Thanks
> Numan
>
>
> > > > +# Check that ovn-fake-multinode setup is up and running
> > > > +check_fake_multinode_setup
> > > > +
> > > > +# Delete the multinode NB and OVS resources before starting the test.
> > > > +cleanup_multinode_resources
> > > > +
> > > > +m_as ovn-chassis-1 ip link del sw0p1-p
> > > > +m_as ovn-chassis-2 ip link del sw0p2-p
> > > > +m_as ovn-chassis-2 ip link del sw1p1-p
> > > > +
> > > > +# Reset geneve tunnels
> > > > +for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
> > > > +do
> > > > + m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=geneve
> > > > +done
> > > > +
> > > > +OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q genev_sys])
> > > > +OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q genev_sys])
> > > > +OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q genev_sys])
> > > > +
> > > > +# Test East-West switching
> > > > +check multinode_nbctl ls-add sw0
> > > > +check multinode_nbctl lsp-add sw0 sw0-port1
> > > > +check multinode_nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:03
> > > > 10.0.0.3 1000::3"
> > > > +check multinode_nbctl lsp-add sw0 sw0-port2
> > > > +check multinode_nbctl lsp-set-addresses sw0-port2 "50:54:00:00:00:04
> > > > 10.0.0.4 1000::4"
> > > > +
> > > > +m_as ovn-chassis-1 /data/create_fake_vm.sh sw0-port1 sw0p1
> > > > 50:54:00:00:00:03 10.0.0.3 24 10.0.0.1 1000::3/64 1000::a
> > > > +m_as ovn-chassis-2 /data/create_fake_vm.sh sw0-port2 sw0p2
> > > > 50:54:00:00:00:04 10.0.0.4 24 10.0.0.1 1000::4/64 1000::a
> > > > +
> > > > +m_wait_for_ports_up
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 10.0.0.4 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +# Create the second logical switch with one port
> > > > +check multinode_nbctl ls-add sw1
> > > > +check multinode_nbctl lsp-add sw1 sw1-port1
> > > > +check multinode_nbctl lsp-set-addresses sw1-port1 "40:54:00:00:00:03
> > > > 20.0.0.3 2000::3"
> > > > +
> > > > +# Create a logical router and attach both logical switches
> > > > +check multinode_nbctl lr-add lr0
> > > > +check multinode_nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01
> > > > 10.0.0.1/24 1000::a/64
> > > > +check multinode_nbctl lsp-add sw0 sw0-lr0
> > > > +check multinode_nbctl lsp-set-type sw0-lr0 router
> > > > +check multinode_nbctl lsp-set-addresses sw0-lr0 router
> > > > +check multinode_nbctl lsp-set-options sw0-lr0 router-port=lr0-sw0
> > > > +
> > > > +check multinode_nbctl lrp-add lr0 lr0-sw1 00:00:00:00:ff:02
> > > > 20.0.0.1/24 2000::a/64
> > > > +check multinode_nbctl lsp-add sw1 sw1-lr0
> > > > +check multinode_nbctl lsp-set-type sw1-lr0 router
> > > > +check multinode_nbctl lsp-set-addresses sw1-lr0 router
> > > > +check multinode_nbctl lsp-set-options sw1-lr0 router-port=lr0-sw1
> > > > +
> > > > +m_as ovn-chassis-2 /data/create_fake_vm.sh sw1-port1 sw1p1
> > > > 40:54:00:00:00:03 20.0.0.3 24 20.0.0.1 2000::3/64 2000::a
> > > > +
> > > > +# create exteranl connection for N/S traffic
> > > > +check multinode_nbctl ls-add public
> > > > +check multinode_nbctl lsp-add public ln-lublic
> > > > +check multinode_nbctl lsp-set-type ln-lublic localnet
> > > > +check multinode_nbctl lsp-set-addresses ln-lublic unknown
> > > > +check multinode_nbctl lsp-set-options ln-lublic network_name=public
> > > > +
> > > > +check multinode_nbctl lrp-add lr0 lr0-public 00:11:22:00:ff:01
> > > > 172.20.0.100/24
> > > > +check multinode_nbctl lsp-add public public-lr0
> > > > +check multinode_nbctl lsp-set-type public-lr0 router
> > > > +check multinode_nbctl lsp-set-addresses public-lr0 router
> > > > +check multinode_nbctl lsp-set-options public-lr0 router-port=lr0-public
> > > > +check multinode_nbctl lrp-set-gateway-chassis lr0-public ovn-gw-1 10
> > > > +check multinode_nbctl lr-route-add lr0 0.0.0.0/0 172.20.0.1
> > > > +
> > > > +check multinode_nbctl lr-nat-add lr0 snat 172.20.0.100 10.0.0.0/24
> > > > +check multinode_nbctl lr-nat-add lr0 snat 172.20.0.100 20.0.0.0/24
> > > > +
> > > > +# create some ACLs
> > > > +check multinode_nbctl acl-add sw0 from-lport 1002 'ip4 || ip6'
> > > > allow-related
> > > > +check multinode_nbctl acl-add sw1 from-lport 1002 'ip4 || ip6'
> > > > allow-related
> > > > +
> > > > +m_as ovn-gw-1 ip netns add ovn-ext0
> > > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext0 -- set interface ext0
> > > > type=internal
> > > > +m_as ovn-gw-1 ip link set ext0 netns ovn-ext0
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip link set ext0 up
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip addr add 172.20.0.1/24 dev ext0
> > > > +
> > > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext1 -- set interface ext1
> > > > type=internal
> > > > +m_as ovn-gw-1 ip link set ext1 netns ovn-ext0
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip link set ext1 up
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip addr add 172.20.1.1/24 dev ext1
> > > > +
> > > > +m_as ovn-gw-1 ip netns add ovn-ext2
> > > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext2 -- set interface ext2
> > > > type=internal
> > > > +m_as ovn-gw-1 ip link set ext2 netns ovn-ext2
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip link set ext2 up
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip addr add 172.20.1.2/24 dev ext2
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip route add default via
> > > > 172.20.1.1 dev ext2
> > > > +
> > > > +m_as ovn-gw-1 ovs-vsctl set open .
> > > > external-ids:ovn-bridge-mappings=public:br-ex
> > > > +m_as ovn-chassis-1 ovs-vsctl set open .
> > > > external-ids:ovn-bridge-mappings=public:br-ex
> > > > +m_as ovn-chassis-2 ovs-vsctl set open .
> > > > external-ids:ovn-bridge-mappings=public:br-ex
> > > > +
> > > > +m_wait_for_ports_up sw1-port1
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 20.0.0.3 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +# Change ptmu for the geneve tunnel
> > > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do
> > > > 20.0.0.3 2>&1 |grep -q "message too long, mtu=1142"])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24
> > > > dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > > 10.0.0.1 dev sw0p1])
> > > > +
> > > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1400 dev eth1
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping6 -c 5 -s 1450 -M do
> > > > 2000::3 2>&1 |grep -q "message too long, mtu: 1342"])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 172.20.1.2 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-gw-1], [ovn-ext0], [ip link set dev ext1 mtu
> > > > 1000])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 10 -s 1300 -M do
> > > > 172.20.1.2 2>&1 |grep -q "mtu = 1000"])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 172.20.1.2 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +# Create vxlan tunnels
> > > > +for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
> > > > +do
> > > > + m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=vxlan
> > > > +done
> > > > +
> > > > +OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q vxlan_sys])
> > > > +OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q vxlan_sys])
> > > > +OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q vxlan_sys])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24
> > > > dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > > 10.0.0.1 dev sw0p1])
> > > > +
> > > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 20.0.0.3 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do
> > > > 20.0.0.3 2>&1 |grep -q "message too long, mtu=1150"])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24
> > > > dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > > 10.0.0.1 dev sw0p1])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-gw-1], [ovn-ext0], [ip link set dev ext1 mtu
> > > > 1100])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 172.20.1.2 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 20 -i 0.5 -s 1300
> > > > -M do 172.20.1.2 2>&1 |grep -q "mtu = 1150"])
> > > > +
> > > > +AT_CLEANUP
> > > > +
> > > > +AT_SETUP([ovn multinode pmtu - gw_router_port])
> > > > +
> > > > +# Check that ovn-fake-multinode setup is up and running
> > > > +check_fake_multinode_setup
> > > > +
> > > > +# Delete the multinode NB and OVS resources before starting the test.
> > > > +cleanup_multinode_resources
> > > > +
> > > > +m_as ovn-chassis-1 ip link del sw0p1-p
> > > > +m_as ovn-chassis-2 ip link del sw0p2-p
> > > > +m_as ovn-chassis-2 ip link del sw1p1-p
> > > > +
> > > > +# Reset geneve tunnels
> > > > +for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
> > > > +do
> > > > + m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=geneve
> > > > +done
> > > > +
> > > > +OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q genev_sys])
> > > > +OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q genev_sys])
> > > > +OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q genev_sys])
> > > > +
> > > > +# Test East-West switching
> > > > +check multinode_nbctl ls-add sw0
> > > > +check multinode_nbctl lsp-add sw0 sw0-port1
> > > > +check multinode_nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:03
> > > > 10.0.0.3 1000::3"
> > > > +check multinode_nbctl lsp-add sw0 sw0-port2
> > > > +check multinode_nbctl lsp-set-addresses sw0-port2 "50:54:00:00:00:04
> > > > 10.0.0.4 1000::4"
> > > > +
> > > > +m_as ovn-chassis-1 /data/create_fake_vm.sh sw0-port1 sw0p1
> > > > 50:54:00:00:00:03 10.0.0.3 24 10.0.0.1 1000::3/64 1000::a
> > > > +m_as ovn-chassis-2 /data/create_fake_vm.sh sw0-port2 sw0p2
> > > > 50:54:00:00:00:04 10.0.0.4 24 10.0.0.1 1000::4/64 1000::a
> > > > +
> > > > +m_wait_for_ports_up
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 10.0.0.4 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +# Create the second logical switch with one port
> > > > +check multinode_nbctl ls-add sw1
> > > > +check multinode_nbctl lsp-add sw1 sw1-port1
> > > > +check multinode_nbctl lsp-set-addresses sw1-port1 "40:54:00:00:00:03
> > > > 20.0.0.3 2000::3"
> > > > +
> > > > +# Create a logical router and attach both logical switches
> > > > +check multinode_nbctl lr-add lr0
> > > > +check multinode_nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01
> > > > 10.0.0.1/24 1000::a/64
> > > > +check multinode_nbctl lsp-add sw0 sw0-lr0
> > > > +check multinode_nbctl lsp-set-type sw0-lr0 router
> > > > +check multinode_nbctl lsp-set-addresses sw0-lr0 router
> > > > +check multinode_nbctl lsp-set-options sw0-lr0 router-port=lr0-sw0
> > > > +
> > > > +check multinode_nbctl lrp-add lr0 lr0-sw1 00:00:00:00:ff:02
> > > > 20.0.0.1/24 2000::a/64
> > > > +check multinode_nbctl lsp-add sw1 sw1-lr0
> > > > +check multinode_nbctl lsp-set-type sw1-lr0 router
> > > > +check multinode_nbctl lsp-set-addresses sw1-lr0 router
> > > > +check multinode_nbctl lsp-set-options sw1-lr0 router-port=lr0-sw1
> > > > +
> > > > +m_as ovn-chassis-2 /data/create_fake_vm.sh sw1-port1 sw1p1
> > > > 40:54:00:00:00:03 20.0.0.3 24 20.0.0.1 2000::3/64 2000::a
> > > > +
> > > > +# create exteranl connection for N/S traffic
> > > > +check multinode_nbctl ls-add public
> > > > +check multinode_nbctl lsp-add public ln-lublic
> > > > +check multinode_nbctl lsp-set-type ln-lublic localnet
> > > > +check multinode_nbctl lsp-set-addresses ln-lublic unknown
> > > > +check multinode_nbctl lsp-set-options ln-lublic network_name=public
> > > > +
> > > > +check multinode_nbctl lrp-add lr0 lr0-public 00:11:22:00:ff:01
> > > > 172.20.0.100/24
> > > > +check multinode_nbctl lsp-add public public-lr0
> > > > +check multinode_nbctl lsp-set-type public-lr0 router
> > > > +check multinode_nbctl lsp-set-addresses public-lr0 router
> > > > +check multinode_nbctl lsp-set-options public-lr0 router-port=lr0-public
> > > > +check multinode_nbctl lrp-set-gateway-chassis lr0-public ovn-gw-1 10
> > > > +check multinode_nbctl lr-route-add lr0 0.0.0.0/0 172.20.0.1
> > > > +
> > > > +check multinode_nbctl lr-nat-add lr0 snat 172.20.0.100 10.0.0.0/24
> > > > +check multinode_nbctl lr-nat-add lr0 snat 172.20.0.100 20.0.0.0/24
> > > > +
> > > > +check multinode_nbctl lrp-set-gateway-chassis lr0-sw0 ovn-chassis-1 10
> > > > +check multinode_nbctl lrp-set-gateway-chassis lr0-sw1 ovn-chassis-2 10
> > > > +
> > > > +# create some ACLs
> > > > +check multinode_nbctl acl-add sw0 from-lport 1002 'ip4 || ip6'
> > > > allow-related
> > > > +check multinode_nbctl acl-add sw1 from-lport 1002 'ip4 || ip6'
> > > > allow-related
> > > > +
> > > > +m_as ovn-gw-1 ip netns add ovn-ext0
> > > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext0 -- set interface ext0
> > > > type=internal
> > > > +m_as ovn-gw-1 ip link set ext0 netns ovn-ext0
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip link set ext0 up
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip addr add 172.20.0.1/24 dev ext0
> > > > +
> > > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext1 -- set interface ext1
> > > > type=internal
> > > > +m_as ovn-gw-1 ip link set ext1 netns ovn-ext0
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip link set ext1 up
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext0 ip addr add 172.20.1.1/24 dev ext1
> > > > +
> > > > +m_as ovn-gw-1 ip netns add ovn-ext2
> > > > +m_as ovn-gw-1 ovs-vsctl add-port br-ex ext2 -- set interface ext2
> > > > type=internal
> > > > +m_as ovn-gw-1 ip link set ext2 netns ovn-ext2
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip link set ext2 up
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip addr add 172.20.1.2/24 dev ext2
> > > > +m_as ovn-gw-1 ip netns exec ovn-ext2 ip route add default via
> > > > 172.20.1.1 dev ext2
> > > > +
> > > > +m_as ovn-gw-1 ovs-vsctl set open .
> > > > external-ids:ovn-bridge-mappings=public:br-ex
> > > > +m_as ovn-chassis-1 ovs-vsctl set open .
> > > > external-ids:ovn-bridge-mappings=public:br-ex
> > > > +m_as ovn-chassis-2 ovs-vsctl set open .
> > > > external-ids:ovn-bridge-mappings=public:br-ex
> > > > +
> > > > +m_wait_for_ports_up sw1-port1
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 20.0.0.3 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24
> > > > dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > > 10.0.0.1 dev sw0p1])
> > > > +
> > > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do
> > > > 20.0.0.3 2>&1 |grep -q "message too long, mtu=1142"])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24
> > > > dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > > 10.0.0.1 dev sw0p1])
> > > > +
> > > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1400 dev eth1
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping6 -c 5 -s 1450 -M do
> > > > 2000::3 2>&1 |grep -q "message too long, mtu: 1342"])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24
> > > > dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > > 10.0.0.1 dev sw0p1])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 172.20.1.2 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-gw-1], [ovn-ext0], [ip link set dev ext1 mtu
> > > > 1100])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 20 -i 0.5 -s 1300
> > > > -M do 172.20.1.2 2>&1 |grep -q "mtu = 1100"])
> > > > +
> > > > +# Create vxlan tunnels
> > > > +for c in ovn-chassis-1 ovn-chassis-2 ovn-gw-1
> > > > +do
> > > > + m_as $c ovs-vsctl set open . external-ids:ovn-encap-type=vxlan
> > > > +done
> > > > +
> > > > +OVS_WAIT_UNTIL([m_as ovn-chassis-1 ip link show | grep -q vxlan_sys])
> > > > +OVS_WAIT_UNTIL([m_as ovn-chassis-2 ip link show | grep -q vxlan_sys])
> > > > +OVS_WAIT_UNTIL([m_as ovn-gw-1 ip link show | grep -q vxlan_sys])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24
> > > > dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > > 10.0.0.1 dev sw0p1])
> > > > +
> > > > +m_as ovn-chassis-1 ip route change 170.168.0.0/16 mtu 1200 dev eth1
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 20.0.0.3 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 5 -s 1300 -M do
> > > > 20.0.0.3 2>&1 |grep -q "message too long, mtu=1150"])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route flush dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add 10.0.0.0/24
> > > > dev sw0p1])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ip route add default via
> > > > 10.0.0.1 dev sw0p1])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-gw-1], [ovn-ext0], [ip link set dev ext1 mtu
> > > > 1100])
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -q -c 3 -i 0.3 -w 2
> > > > 172.20.1.2 | FORMAT_PING], \
> > > > +[0], [dnl
> > > > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > > > +])
> > > > +
> > > > +M_NS_CHECK_EXEC([ovn-chassis-1], [sw0p1], [ping -c 20 -i 0.5 -s 1300
> > > > -M do 172.20.1.2 2>&1 |grep -q "mtu = 1150"])
> > > > +
> > > > +AT_CLEANUP
> > > > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > > > index a267daca2..223e53991 100644
> > > > --- a/tests/ovn-northd.at
> > > > +++ b/tests/ovn-northd.at
> > > > @@ -6492,6 +6492,9 @@ AT_CAPTURE_FILE([lrflows])
> > > >
> > > > # Check the flows in lr_in_admission stage
> > > > AT_CHECK([grep lr_in_admission lrflows | grep cr-DR | sort], [0], [dnl
> > > > + table=0 (lr_in_admission ), priority=120 , match=(((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)) && eth.dst == 02:ac:10:01:00:01 &&
> > > > !is_chassis_resident("cr-DR-S1")), action=(outport = inport; inport =
> > > > "DR-S1"; next;)
> > > > + table=0 (lr_in_admission ), priority=120 , match=(((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)) && eth.dst == 03:ac:10:01:00:01 &&
> > > > !is_chassis_resident("cr-DR-S2")), action=(outport = inport; inport =
> > > > "DR-S2"; next;)
> > > > + table=0 (lr_in_admission ), priority=120 , match=(((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)) && eth.dst == 04:ac:10:01:00:01 &&
> > > > !is_chassis_resident("cr-DR-S3")), action=(outport = inport; inport =
> > > > "DR-S3"; next;)
> > > > table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
> > > > 02:ac:10:01:00:01 && inport == "DR-S1" &&
> > > > is_chassis_resident("cr-DR-S1")), action=(xreg0[[0..47]] =
> > > > 02:ac:10:01:00:01; next;)
> > > > table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
> > > > 03:ac:10:01:00:01 && inport == "DR-S2" &&
> > > > is_chassis_resident("cr-DR-S2")), action=(xreg0[[0..47]] =
> > > > 03:ac:10:01:00:01; next;)
> > > > table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
> > > > 04:ac:10:01:00:01 && inport == "DR-S3" &&
> > > > is_chassis_resident("cr-DR-S3")), action=(xreg0[[0..47]] =
> > > > 04:ac:10:01:00:01; next;)
> > > > @@ -6551,6 +6554,7 @@ AT_CAPTURE_FILE([lrflows])
> > > >
> > > > # Check the flows in lr_in_admission stage
> > > > AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed
> > > > 's/table=../table=??/' | sort], [0], [dnl
> > > > + table=??(lr_in_admission ), priority=120 , match=(((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)) && eth.dst == 00:00:00:00:00:01 &&
> > > > !is_chassis_resident("cr-lrp1")), action=(outport = inport; inport =
> > > > "lrp1"; next;)
> > > > table=??(lr_in_admission ), priority=50 , match=(eth.dst ==
> > > > 00:00:00:00:00:01 && inport == "lrp1" &&
> > > > is_chassis_resident("cr-lrp1")), action=(xreg0[[0..47]] =
> > > > 00:00:00:00:00:01; next;)
> > > > table=??(lr_in_admission ), priority=50 , match=(eth.mcast &&
> > > > inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;)
> > > > ])
> > > > @@ -6572,6 +6576,7 @@ AT_CAPTURE_FILE([lrflows])
> > > >
> > > > # Check the flows in lr_in_admission stage
> > > > AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed
> > > > 's/table=../table=??/' | sort], [0], [dnl
> > > > + table=??(lr_in_admission ), priority=120 , match=(((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)) && eth.dst == 00:00:00:00:00:01 &&
> > > > !is_chassis_resident("cr-lrp1")), action=(outport = inport; inport =
> > > > "lrp1"; next;)
> > > > table=??(lr_in_admission ), priority=50 , match=(eth.dst ==
> > > > 00:00:00:00:00:01 && inport == "lrp1"), action=(xreg0[[0..47]] =
> > > > 00:00:00:00:00:01; next;)
> > > > table=??(lr_in_admission ), priority=50 , match=(eth.mcast &&
> > > > inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;)
> > > > ])
> > > > @@ -6590,6 +6595,7 @@ AT_CAPTURE_FILE([lrflows])
> > > >
> > > > # Check the flows in lr_in_admission stage
> > > > AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed
> > > > 's/table=../table=??/' | sort], [0], [dnl
> > > > + table=??(lr_in_admission ), priority=120 , match=(((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)) && eth.dst == 00:00:00:00:00:01 &&
> > > > !is_chassis_resident("cr-lrp1")), action=(outport = inport; inport =
> > > > "lrp1"; next;)
> > > > table=??(lr_in_admission ), priority=50 , match=(eth.dst ==
> > > > 00:00:00:00:00:01 && inport == "lrp1" &&
> > > > is_chassis_resident("cr-lrp1")), action=(xreg0[[0..47]] =
> > > > 00:00:00:00:00:01; next;)
> > > > table=??(lr_in_admission ), priority=50 , match=(eth.mcast &&
> > > > inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;)
> > > > ])
> > > > @@ -8343,6 +8349,9 @@ AT_CHECK([cat sw0flows | grep -e port_sec -e
> > > > ls_in_l2_lkup -e ls_in_l2_unknown |
> > > > sort | sed 's/table=../table=??/' ], [0], [dnl
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(eth.src[[40]]), action=(drop;)
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(vlan.present), action=(drop;)
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > > table=??(ls_in_apply_port_sec), priority=0 , match=(1),
> > > > action=(next;)
> > > > table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] ==
> > > > 1), action=(drop;)
> > > > @@ -8369,6 +8378,9 @@ AT_CHECK([cat sw0flows | grep -e port_sec -e
> > > > ls_in_l2_lkup -e ls_in_l2_unknown |
> > > > sort | sed 's/table=../table=??/' ], [0], [dnl
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(eth.src[[40]]), action=(drop;)
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(vlan.present), action=(drop;)
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > > table=??(ls_in_apply_port_sec), priority=0 , match=(1),
> > > > action=(next;)
> > > > table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] ==
> > > > 1), action=(drop;)
> > > > @@ -8396,6 +8408,9 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(eth.src[[40]]), action=(drop;)
> > > > table=??(ls_in_check_port_sec), priority=100 , match=(inport ==
> > > > "sw0p1"), action=(reg0[[15]] = 1; next;)
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(vlan.present), action=(drop;)
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > > table=??(ls_in_apply_port_sec), priority=0 , match=(1),
> > > > action=(next;)
> > > > table=??(ls_in_apply_port_sec), priority=50 , match=(reg0[[15]] ==
> > > > 1), action=(drop;)
> > > > @@ -8422,6 +8437,9 @@ sort | sed 's/table=../table=??/' ], [0], [dnl
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(eth.src[[40]]), action=(drop;)
> > > > table=??(ls_in_check_port_sec), priority=100 , match=(inport ==
> > > > "sw0p1"), action=(reg0[[15]] = 1; next;)
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(vlan.present), action=(drop;)
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > > table=??(ls_in_check_port_sec), priority=70 , match=(inport ==
> > > > "sw0p2"), action=(set_queue(10); reg0[[15]] = check_in_port_sec();
> > > > next;)
> > > > table=??(ls_in_apply_port_sec), priority=0 , match=(1),
> > > > action=(next;)
> > > > @@ -8451,6 +8469,9 @@ AT_CHECK([cat sw0flows | grep -e port_sec -e
> > > > ls_in_l2_lkup -e ls_in_l2_unknown |
> > > > sort | sed 's/table=../table=??/' ], [0], [dnl
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(eth.src[[40]]), action=(drop;)
> > > > table=??(ls_in_check_port_sec), priority=100 ,
> > > > match=(vlan.present), action=(drop;)
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > + table=??(ls_in_check_port_sec), priority=110 , match=((ip4 &&
> > > > icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 &&
> > > > icmp6.code == 0)), action=(next; )
> > > > table=??(ls_in_check_port_sec), priority=50 , match=(1),
> > > > action=(reg0[[15]] = check_in_port_sec(); next;)
> > > > table=??(ls_in_check_port_sec), priority=70 , match=(inport ==
> > > > "localnetport"), action=(set_queue(10); reg0[[15]] =
> > > > check_in_port_sec(); next;)
> > > > table=??(ls_in_check_port_sec), priority=70 , match=(inport ==
> > > > "sw0p1"), action=(reg0[[14]] = 1; next(pipeline=ingress, table=17);)
> > > > --
> > > > 2.43.0
> > > >
> > > >
> > > > _______________________________________________
> > > > dev mailing list
> > > > [email protected]
> > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> > > >
> > >
> > _______________________________________________
> > dev mailing list
> > [email protected]
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
