From: Zong Kai LI <zealo...@gmail.com> This patch updates the ND symbols in logical-fields - "nd", "nd.target", "nd.sll" and "nd.tll" - to describe their "icmp6.type" predicates more clearly.
It adds new symbols:
- "nd_rs" - to match Router Solicitation messages
- "nd_ra" - to match Router Advertisement messages
Co-authored-by: Numan Siddique <nusid...@redhat.com>
Signed-off-by: Zongkai LI <zealo...@gmail.com>
Signed-off-by: Numan Siddique <nusid...@redhat.com>
---
 ovn/lib/logical-fields.c | 18 ++++++++++++++----
 ovn/northd/ovn-northd.c | 10 ++++++----
 ovn/ovn-sb.xml | 4 +++-
 tests/ovn.at | 2 +-
 4 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/ovn/lib/logical-fields.c b/ovn/lib/logical-fields.c
index 26e336f..f8837f2 100644
--- a/ovn/lib/logical-fields.c
+++ b/ovn/lib/logical-fields.c
@@ -178,14 +178,24 @@ ovn_init_symtab(struct shash *symtab)
 expr_symtab_add_field(symtab, "arp.tha", MFF_ARP_THA, "arp", false);
 expr_symtab_add_predicate(symtab, "nd",
- "icmp6.type == {135, 136} && icmp6.code == 0 && ip.ttl == 255");
+ "icmp6.type == {133, 134, 135, 136} "
+ "&& icmp6.code == 0 && ip.ttl == 255");
+ expr_symtab_add_predicate(symtab, "nd_rs",
+ "icmp6.type == 133 && icmp6.code == 0 && ip.ttl == 255");
+ expr_symtab_add_predicate(symtab, "nd_ra",
+ "icmp6.type == 134 && icmp6.code == 0 && ip.ttl == 255");
 expr_symtab_add_predicate(symtab, "nd_ns",
 "icmp6.type == 135 && icmp6.code == 0 && ip.ttl == 255");
 expr_symtab_add_predicate(symtab, "nd_na",
 "icmp6.type == 136 && icmp6.code == 0 && ip.ttl == 255");
- expr_symtab_add_field(symtab, "nd.target", MFF_ND_TARGET, "nd", false);
- expr_symtab_add_field(symtab, "nd.sll", MFF_ND_SLL, "nd_ns", false);
- expr_symtab_add_field(symtab, "nd.tll", MFF_ND_TLL, "nd_na", false);
+ expr_symtab_add_field(symtab, "nd.target", MFF_ND_TARGET,
+ "icmp6.type == {135, 136} "
+ "&& icmp6.code == 0 && ip.ttl == 255", false);
+ expr_symtab_add_field(symtab, "nd.sll", MFF_ND_SLL,
+ "icmp6.type == {133, 134, 135} "
+ "&& icmp6.code == 0 && ip.ttl == 255", false);
+ expr_symtab_add_field(symtab, "nd.tll", MFF_ND_TLL,
+ "icmp6.type == 136 && icmp6.code == 0 && ip.ttl == 255", false);
 expr_symtab_add_predicate(symtab, "tcp", "ip.proto == 6");
 expr_symtab_add_field(symtab, "tcp.src", MFF_TCP_SRC, "tcp", false);
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index be3b371..b9a4b5e 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
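Review bot: In ovn_init_symtab (ovn/lib/logical-fields.c), the new `nd.sll` prerequisite admits icmp6.type 133 and 134, but nothing in this patch shows that the datapath can extract a source link-layer option from Router Solicitation or Router Advertisement messages; if I recall correctly OVS defines its `nd_sll` field only for Neighbor Solicitation, so a logical flow matching `nd_rs && nd.sll == ...` may be rejected or never hit once translated to OpenFlow, and that should be confirmed against the MFF_ND_SLL definition before the prerequisite is widened. Separately, widening `nd` to `{133, 134, 135, 136}` changes every existing match on `nd`, including operator-written ACLs: an allow rule that used to cover only NS/NA would now also pass Router Advertisements from the same port, and only the two northd callers updated in this patch are visible here. If the wider `nd` is kept, the field prerequisites could probably stay symbolic, `"nd_ns || nd_na"` for `nd.target` and `"nd_na"` for `nd.tll`, instead of repeating the literal expression.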
@@ -2140,9 +2140,10 @@ build_port_security_ipv6_nd_flow(
 struct ds *match, struct eth_addr ea, struct ipv6_netaddr *ipv6_addrs, int n_ipv6_addrs)
 {
- ds_put_format(match, " && ip6 && nd && ((nd.sll == "ETH_ADDR_FMT" || "
- "nd.sll == "ETH_ADDR_FMT") || ((nd.tll == "ETH_ADDR_FMT" || "
- "nd.tll == "ETH_ADDR_FMT")", ETH_ADDR_ARGS(eth_addr_zero),
+ ds_put_format(match, " && (nd_ns || nd_na) && ((nd.sll == "ETH_ADDR_FMT
+ " || nd.sll == "ETH_ADDR_FMT") || ((nd.tll == "ETH_ADDR_FMT
+ " || nd.tll == "ETH_ADDR_FMT")",
+ ETH_ADDR_ARGS(eth_addr_zero),
 ETH_ADDR_ARGS(ea), ETH_ADDR_ARGS(eth_addr_zero), ETH_ADDR_ARGS(ea));
 if (!n_ipv6_addrs) {
@@ -2270,7 +2271,8 @@ build_port_security_nd(struct ovn_port *op, struct hmap *lflows)
 }
 ds_clear(&match);
- ds_put_format(&match, "inport == %s && (arp || nd)", op->json_key);
+ ds_put_format(&match, "inport == %s && (arp || nd_ns || nd_na)",
+ op->json_key);
 ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 80, ds_cstr(&match), "drop;");
 ds_destroy(&match);
diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml
index b22d1ac..db33c31 100644
--- a/ovn/ovn-sb.xml
+++ b/ovn/ovn-sb.xml
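Review bot: In build_port_security_ipv6_nd_flow, and again in the priority-80 drop in build_port_security_nd, the match is narrowed to `nd_ns || nd_na` with no comment on why, so as far as these hunks show, Router Solicitation and Router Advertisement packets, which the same patch makes matchable through `nd.sll`, pass this port-security stage with their source link-layer option unchecked. If that is intended, a comment above each ds_put_format call would stop a later cleanup from folding the match back to `nd`, for example `/* NS/NA only: "nd" also covers RS/RA, which port security does not police here. */`. If it is not intended, the stage needs RS/RA handling that this patch does not add. Both function bodies continue outside their hunks, so the closing parentheses of the first format string are not visible here.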
@@ -905,7 +905,9 @@
 <li><code>ip.later_frag</code> expands to <code>ip.frag[1]</code></li>
 <li><code>ip.first_frag</code> expands to <code>ip.is_frag && !ip.later_frag</code></li>
 <li><code>arp</code> expands to <code>eth.type == 0x806</code></li>
- <li><code>nd</code> expands to <code>icmp6.type == {135, 136} && icmp6.code == 0 && ip.ttl == 255</code></li>
+ <li><code>nd</code> expands to <code>icmp6.type == {133, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255</code></li>
+ <li><code>nd_rs</code> expands to <code>icmp6.type == 133 && icmp6.code == 0 && ip.ttl == 255</code></li>
+ <li><code>nd_ra</code> expands to <code>icmp6.type == 134 && icmp6.code == 0 && ip.ttl == 255</code></li>
 <li><code>nd_ns</code> expands to <code>icmp6.type == 135 && icmp6.code == 0 && ip.ttl == 255</code></li>
 <li><code>nd_na</code> expands to <code>icmp6.type == 136 && icmp6.code == 0 && ip.ttl == 255</code></li>
 <li><code>tcp</code> expands to <code>ip.proto == 6</code></li>
diff --git a/tests/ovn.at b/tests/ovn.at
index efcbd91..9133304 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -993,7 +993,7 @@ get_nd(xxreg0, ip6.dst);
 # put_nd
 put_nd(inport, nd.target, nd.sll);
 encodes as push:NXM_NX_XXREG0[],push:NXM_OF_ETH_SRC[],push:NXM_NX_ND_SLL[],push:NXM_NX_ND_TARGET[],pop:NXM_NX_XXREG0[],pop:NXM_OF_ETH_SRC[],controller(userdata=00.00.00.04.00.00.00.00),pop:NXM_OF_ETH_SRC[],pop:NXM_NX_XXREG0[]
- has prereqs ((icmp6.type == 0x87 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd)) || (icmp6.type == 0x88 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd))) && icmp6.code == 0 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd) && ip.ttl == 0xff && (eth.type == 0x800 || eth.type == 0x86dd) && icmp6.type == 0x87 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd) && icmp6.code == 0 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd) && ip.ttl == 0xff && (eth.type == 0x800 || eth.type == 0x86dd)
+ has prereqs ((icmp6.type == 0x87 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd)) || (icmp6.type == 0x88 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd))) && icmp6.code == 0 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd) && ip.ttl == 0xff && (eth.type == 0x800 || eth.type == 0x86dd) && ((icmp6.type == 0x85 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd)) || (icmp6.type == 0x86 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd)) || (icmp6.type == 0x87 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd))) && icmp6.code == 0 && eth.type == 0x86dd && ip.proto == 0x3a && (eth.type == 0x800 || eth.type == 0x86dd) && ip.ttl == 0xff && (eth.type == 0x800 || eth.type == 0x86dd)
 # put_dhcpv6_opts
 reg1[0] = put_dhcpv6_opts(ia_addr = ae70::4, server_id = 00:00:00:00:10:02);
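Review bot: The only test change in tests/ovn.at is the updated `put_nd` expectation; the new `nd_rs` and `nd_ra` symbols and the widened `nd.sll` prerequisite get no case of their own. The new expectation also shows that the prerequisites of `nd.target` (0x87, 0x88) and `nd.sll` (0x85, 0x86, 0x87) are jointly satisfiable only by type 0x87, which is worth a comment next to the case, e.g. `# prereqs intersect to Neighbor Solicitation (icmp6.type 0x87) only`. A case that matches `nd.sll` under `nd_rs` or `nd_ra` would pin how that match is expected to expand.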
-- 2.9.4