On 20 Feb 2024, at 23:35, Ilya Maximets wrote:

> Local IP is taken into account only in case of IPv4 address, IPv6
> source is not checked.  That leads to source being ignored during the
> route lookup and ultimately packets encapsulated with a source IP
> found during a route lookup, which is likely the wrong one.
>
> Even worse, after encapsulation we have a difference between the
> tunnel metadata that contains a correct source IP and the generated
> actions that used a wrong source IP.  This means that if there are
> OpenFlow rules in a bridge where packet goes after encapsulation,
> we may match on rules that do not correspond to the actual packet
> we have.
>
> Add the check for IPv6 source address before the route lookup.
>
> Tests added to check that we're actually using the configured local_ip
> as a source address in the packet.  Also adding the same test for IPv4,
> since apparently we don't have any tests covering this functionality
> for userspace tunnels.
>
> This issue also affects the case where source address is set via
> OpenFlow, e.g. 'set_field:2001:beef::88->tun_ipv6_src', but it's just
> a different way of populating the tunnel metadata that doesn't depend
> on a tunnel to be native or kernel one.  So, not adding extra tests
> for this case for now.
>
> Fixes: 8e4e45887ec3 ("ofproto-dpif-xlate: makes OVS native tunneling honor tunnel-specified source addresses")
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2024-February/052938.html
> Reported-by: Derrick Lim <derrick....@rakuten.com>
> Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>

Thanks for the patch, the changes look good to me and the tests are passing.

Acked-by: Eelco Chaudron <echau...@redhat.com>

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
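
An added example, not part of the original message and not Open vSwitch code: a simplified C model of the check the commit message describes, showing how an IPv4-only "is a source set" test lets the route lookup pick its own source for an IPv6 tunnel, so the outer source no longer matches the tunnel metadata. The structure, the function names and the 2001:cafe::1 address are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical tunnel metadata; all-zero means "source not set". */
struct tnl_md { uint32_t ip_src; struct in6_addr ipv6_src; };

static bool v6_set(const struct in6_addr *a) {
    static const struct in6_addr zero;
    return memcmp(a, &zero, sizeof zero) != 0;
}

/* Metadata source as an IPv6 address (IPv4 becomes ::ffff:a.b.c.d). */
static struct in6_addr md_src(const struct tnl_md *md) {
    struct in6_addr a = md->ipv6_src;
    if (md->ip_src) {
        memset(&a, 0, sizeof a);
        a.s6_addr[10] = a.s6_addr[11] = 0xff;
        memcpy(&a.s6_addr[12], &md->ip_src, 4);
    }
    return a;
}

/* Stand-in route lookup: honors a requested source, otherwise picks its
 * own (constructed address 2001:cafe::1). */
static struct in6_addr route_lookup_src(const struct in6_addr *want) {
    struct in6_addr picked;
    inet_pton(AF_INET6, "2001:cafe::1", &picked);
    return want ? *want : picked;
}

/* True when the outer source used for encapsulation equals the source
 * recorded in the tunnel metadata. check_v6 == false models the
 * IPv4-only check; true models checking the IPv6 source as well. */
static bool encap_src_matches_md(const struct tnl_md *md, bool check_v6) {
    bool have_src = md->ip_src || (check_v6 && v6_set(&md->ipv6_src));
    struct in6_addr want = md_src(md);
    struct in6_addr outer = route_lookup_src(have_src ? &want : NULL);
    return memcmp(&outer, &want, sizeof outer) == 0;
}

int main(void) {
    struct tnl_md md = { 0 };
    inet_pton(AF_INET6, "2001:beef::88", &md.ipv6_src); /* address from the message */
    printf("IPv4-only check: match=%d\n", encap_src_matches_md(&md, false));
    printf("IPv4+IPv6 check: match=%d\n", encap_src_matches_md(&md, true));
    return 0;
}
```

With only an IPv6 source configured, the IPv4-only variant reports a mismatch between the encapsulation source and the metadata, which is the condition under which later OpenFlow rules match on an address the packet does not carry.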
