adding the list back

On Fri, Oct 29, 2021 at 10:04 AM 鲁 成 <lucheng0...@outlook.com> wrote:

> When it comes to me, I think LSP with address "fa:16:3e:b3:c0:e5
> 192.168.111.42" and unknown;
> unknown means the port can send traffic with any MAC address.
>
> But for address "fa:16:3e:b3:c0:e5", maybe we should make an ARP reply for
> this address, don't you think?
>

This used to be the former behavior but we hit use cases where a VM could
send traffic from a particular port with that IP address (192.168.111.42 in
your example) but a different MAC. An example of this use case is NIC
teaming where an IP fails over to a different port but the MAC address is
different.

The patch that changed this behavior is here:
https://patchwork.ozlabs.org/patch/1258152/

Hope it helps!
daniel

>
> Thanks
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows
>
> *From: *Daniel Alvarez Sanchez <dalva...@redhat.com>
> *Sent: *Friday, October 29, 2021 3:58 PM
> *To: *鲁 成 <lucheng0...@outlook.com>
> *Cc: *b...@openvswitch.org
> *Subject: *Re: [ovs-discuss] OVN LSP with a unknown in address will not build
> arp response lflows
>
> Hi,
>
> On Fri, Oct 29, 2021 at 5:50 AM 鲁 成 <lucheng0...@outlook.com> wrote:
>
> *Environment info:*
> OVN 21.06
> OVS 2.12.0
>
> *Reproduction:*
> 1. Create a port with neutronclient, assign it to a node and close the port
> security group
> 2. Create an OVS port and add it to br-int, and set the interface iface-id
> the same as the neutron port uuid
> After it, Neutron will create an LSP in OVN NB and append unknown into the
> LSP's address field
> Check it in script[1]
>
> Port info:
> ()[root@ovn-tool-0 /]# ovn-nbctl find Logical_Switch_Port
> name=6a8064f9-f2cc-407d-b8da-345c6a216cb3
> _uuid               : 88fd1a84-8695-4cef-b916-45531edaf0db
> addresses           : ["fa:16:3e:b3:c0:e5 192.168.111.42", unknown]
> dhcpv4_options      : 1a8ca1af-519c-4aa2-b3a3-cc74955dee1f
> dhcpv6_options      : []
> dynamic_addresses   : []
> enabled             : true
> external_ids        : {"neutron:cidrs"="192.168.111.42/24",
> "neutron:device_id"="", "neutron:device_owner"="",
> "neutron:network_name"=neutron-6ac00688-422f-4a4f-99ae-b092b2d87f7b,
> "neutron:port_name"=lc-tap-2,
> "neutron:project_id"="498e2a96e4cc4edeb0c525a081dd6830",
> "neutron:revision_number"="4", "neutron:security_group_ids"=""}
> ha_chassis_group    : []
> name                : "6a8064f9-f2cc-407d-b8da-345c6a216cb3"
> options             : {mcast_flood_reports="true",
> requested-chassis=node-1.domain.tld}
> parent_name         : []
> port_security       : []
> tag                 : []
> tag_request         : []
> type                : ""
> up                  : false
>
> *Results:*
> OVN will not build ARP responder lflows for this LSP
>
> I believe that this is the expected behavior as you disable port security,
> meaning that the traffic from that port can come from any MAC address (it's
> unknown to OVN). Hence, it is up to the VM/container/whatever to reply to
> ARP requests and OVN should not reply on its behalf.
>
> Hope this helps.
>
> Thanks!
> daniel
>
> *Script:*
> [1]:
>
> #!/usr/bin/bash
>
> # Create port
> # neutron port-create --name lucheng-tap --binding:host_id=node-3.domain.tld share_net
>
> HOST=""
> MAC=""
>
> get_port_info() {
>     source openrc
>     port_id="$1"
>     HOST=$(neutron port-show -F binding:host_id -f value "$port_id")
>     MAC=$(neutron port-show -F mac_address -f value "$port_id")
>     ip_info=$(neutron port-show -F fixed_ips -f value "$port_id")
>     echo Port "$port_id" Mac: "$MAC" HOST: "$HOST"
>     echo IP Info: "$ip_info"
> }
>
> create_ns() {
>     port_id="$1"
>     iface_name="lc-tap-${port_id:0:8}"
>     netns_name="lc-vm-${port_id:0:8}"
>     # Internal OVS port on br-int; iface-id ties it to the Neutron port
>     ssh "$HOST" ovs-vsctl add-port br-int "$iface_name" \
>         -- set Interface "$iface_name" type=internal \
>         -- set Interface "$iface_name" external_ids:iface-id="$port_id" \
>         -- set Interface "$iface_name" external_ids:attached-mac="$MAC" \
>         -- set Interface "$iface_name" external_ids:iface-status=active
>
>     # Move the port into a namespace that plays the role of the VM
>     ssh "$HOST" ip netns add "$netns_name"
>     ssh "$HOST" ip l set dev "$iface_name" address "$MAC"
>     ssh "$HOST" ip l set "$iface_name" netns "$netns_name"
>     ssh "$HOST" ip netns exec "$netns_name" ip l set lo up
>     ssh "$HOST" ip netns exec "$netns_name" ip l set "$iface_name" up
> }
>
> main() {
>     get_port_info "$1"
>     create_ns "$1"
> }
>
> main "$@"
>
> neutron port-update --no-security-groups [port uuid]
> neutron port-update --port_security_enabled=false [port uuid]
>
> *What I found:*
> When trying to build_lswitch_arp_nd_responder_known_ips in ovn northd, it
> will skip the LSP which has the unknown flag.
>
> static void
> build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
>                                          struct hmap *lflows,
>                                          struct hmap *ports,
>                                          struct ds *actions,
>                                          struct ds *match)
> {
>     ...
>     /* No ARP responder for external ports or ports with "unknown" */
>     if (lsp_is_external(op->nbsp) || op->has_unknown) {
>         return;
>     }
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows
>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>
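The thread turns on one rule in ovn-northd: once an LSP's addresses column contains "unknown", northd stops generating the ARP responder for that port's static IPs, because the port may legitimately source frames with any MAC (the NIC-teaming failover case Daniel describes, and, with port_security empty as in the report, nothing else constrains the source MAC either), so the workload behind the port has to answer ARP itself. The model below is an added example, not OVN, Neutron or either poster's code. It reproduces that decision from the addresses column as ovn-nbctl prints it, and emits flow text modelled on the ls_in_arp_rsp flows northd builds for "<mac> <ip>" entries; only IPv4/ARP is modelled (the IPv6 ND responder is a separate path), and the ovn-nbctl parser only handles the single-line set form shown in the report. The sample output is constructed from the lines in the report.

```python
"""Added example (not OVN or Neutron code): a model of the decision quoted
above from ovn-northd's build_lswitch_arp_nd_responder_known_ips(), driven
by the Logical_Switch_Port 'addresses' column as printed by ovn-nbctl.

Assumptions: flow text follows the shape of northd's ls_in_arp_rsp flows
for static "<mac> <ip>" entries; only IPv4/ARP is modelled; the ovn-nbctl
parser handles the single-line set form shown in the report.
"""
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed sample: the relevant lines of the report's `ovn-nbctl find`
# output (port security disabled, so Neutron appended "unknown").
SAMPLE_NBCTL_OUTPUT = """\
_uuid               : 88fd1a84-8695-4cef-b916-45531edaf0db
addresses           : ["fa:16:3e:b3:c0:e5 192.168.111.42", unknown]
port_security       : []
"""


def addresses_from_nbctl(text):
    """Extract the 'addresses' set from single-line ovn-nbctl record output."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first ':' is the column separator
        if sep and key.strip() == "addresses":
            value = value.strip()
            if value.startswith("[") and value.endswith("]"):
                value = value[1:-1]
            return [v.strip().strip('"') for v in value.split(",") if v.strip()]
    raise ValueError("no 'addresses' column in ovn-nbctl output")


def parse_addresses(addresses):
    """Return (has_unknown, [(mac, [ipv4, ...]), ...]).

    Mirrors northd's reading of the column: "unknown" sets the has_unknown
    flag; "router" and "dynamic" contribute nothing to this model; a
    "<mac> <ip>..." entry is a candidate for an ARP responder.
    """
    has_unknown = False
    known = []
    for entry in addresses:
        words = entry.split()
        if not words:
            continue
        if words[0] == "unknown":
            has_unknown = True
            continue
        if words[0] in ("router", "dynamic"):
            continue
        if not MAC_RE.match(words[0]):
            raise ValueError(f"malformed address entry: {entry!r}")
        # Keep IPv4 only; drop an optional /prefix and the 'dynamic' keyword.
        ipv4 = [w.split("/", 1)[0] for w in words[1:]
                if w != "dynamic" and ":" not in w]
        known.append((words[0].lower(), ipv4))
    return has_unknown, known


def arp_responder_flows(addresses):
    """(match, actions) pairs the model emits for this LSP, or [] when
    "unknown" is present and the VM must answer ARP itself (same IP may
    show up behind a different MAC on a different port after failover)."""
    has_unknown, known = parse_addresses(addresses)
    if has_unknown:
        return []
    flows = []
    for mac, ipv4s in known:
        for ip in ipv4s:
            match = f"arp.tpa == {ip} && arp.op == 1"
            actions = (
                f"eth.dst = eth.src; eth.src = {mac}; arp.op = 2; "
                f"arp.tha = arp.sha; arp.sha = {mac}; "
                f"arp.tpa = arp.spa; arp.spa = {ip}; "
                "outport = inport; flags.loopback = 1; output;"
            )
            flows.append((match, actions))
    return flows


if __name__ == "__main__":
    reported = addresses_from_nbctl(SAMPLE_NBCTL_OUTPUT)
    print("addresses:", reported)
    print("flows with unknown:", arp_responder_flows(reported))
    print("flows without unknown:",
          arp_responder_flows([a for a in reported if a != "unknown"]))
```

To check the real thing rather than the model, read the column with `ovn-nbctl lsp-get-addresses <lsp>` and look for the responder in the southbound flows with `ovn-sbctl lflow-list <logical-switch> | grep 'arp.tpa == 192.168.111.42'`: with "unknown" in the column the grep is empty, which is the behaviour the report observed and the linked patch introduced.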