On 8/8/24 20:00, Ilya Maximets wrote:
> MLD flows are added to pipelines unconditionally in order to avoid
> sending such traffic through conntrack. The problem is that these
> matches turn into matches on ip6.dst that end up as exact matches in
> datapath flows. This means a separate datapath flow per destination
> IP address. This may cause significant performance issues in setups
> where traffic for many different IP addresses is passing through.
> Since network protocol is stored further in the packet, it is evaluated
> after checking the IP addresses, and so having a match on ip.proto
> doesn't save us in this scenario.
>
> MLD packets are all supposed to be multicast packets and so they all
> should have multicast destination ethernet addresses. Add the missing
> eth.mcast6 match to all such packets. This ensures that non-multicast
> traffic will quickly fail the OpenFlow lookup on such rules and the bits
> from higher layers will not be added to the match criteria in datapath
> flows. This also ensures that OVN doesn't handle incorrect MLD packets.
>
> There are still ND responder flows that can add extra matches for IPv6
> addresses, but they can be disabled or handled by other means.
>
> IGMP did not check for IP address being multicast for some reason, so
> it didn't cause issues for IPv4 traffic. But let's fix it as well.
>
> Tests were using incorrect multicast addresses, fixed now.
>
> Fixes: 677a3ba4d66b ("ovn: Add MLD support.")
> Signed-off-by: Ilya Maximets <[email protected]>
> ---
> lib/logical-fields.c | 7 ++++---
> tests/ovn.at | 23 +++++++++++++++++------
> 2 files changed, 21 insertions(+), 9 deletions(-)
Recheck-request: github-robot-_Build_and_Test
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
