On Thu, Jan 22, 2026 at 7:15 PM Mark Michelson <[email protected]> wrote:
> Hi Ales, I have one small note below. With it fixed:
>
> Acked-by: Mark Michelson <[email protected]>
>
> On Thu, Jan 22, 2026 at 9:28 AM Ales Musil via dev
> <[email protected]> wrote:
> >
> > The default drop was disabled due to a bug in OvS which was fixed
> > already as this is working down to 24.03 which uses version 3.3.
> >
> > Fixes: 8cab00bdb581 ("ovn-controller: Add OF rules for port security.")
> > Signed-off-by: Ales Musil <[email protected]>
> > ---
> >  controller/lflow.c | 16 +---------------
> >  tests/ovn.at       |  6 +++---
> >  2 files changed, 4 insertions(+), 18 deletions(-)
> >
> > diff --git a/controller/lflow.c b/controller/lflow.c
> > index 784a0d2dd..b0998e605 100644
> > --- a/controller/lflow.c
> > +++ b/controller/lflow.c
> > @@ -2435,26 +2435,12 @@ build_in_port_sec_default_flows(const struct > sbrec_port_binding *pb, > > * match - "inport == pb->logical_port && icmp6 && icmp6.code == > 135" > > * action - "port_sec_failed = 0;" > > * description: "Default allow all IPv6 NS packets" > > This comment has the wrong action and description. The flow now drops > IPv6 NS packets and sets port_sec_failed = 1. > > > - * note: This is a hack for now. Ideally we should do default drop. > > - * There seems to be a bug in ovs-vswitchd which needs further > > - * investigation. > > - * > > - * Eg. If there are below OF rules in the same table > > - * (1) > priority=90,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135, > > - * icmp_code=0,nd_sll=fa:16:3e:94:05:98 > > - * actions=load:0->NXM_NX_REG10[12] > > - * (2) > priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135, > > - * icmp_code=0 actions=load:1->NXM_NX_REG10[12] > > - * > > - * An IPv6 NS packet with nd_sll = fa:16:3e:94:05:98 is matching on > the > > - * second prio-80 flow instead of the first one. > > + * note: "Higher priority flows are added to allow the legit NS > packets. > > */ > > match_set_dl_type(m, htons(ETH_TYPE_IPV6)); > > match_set_nw_proto(m, IPPROTO_ICMPV6); > > match_set_nw_ttl(m, 255); > > match_set_icmp_type(m, 135); > > - build_port_sec_allow_action(ofpacts); /*TODO: Change this to > > - * > build_port_sec_deny_action(). */ > > ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 80, > > pb->header_.uuid.parts[0], m, ofpacts, > > &pb->header_.uuid); > > diff --git a/tests/ovn.at b/tests/ovn.at > > index b5547bcd1..d5ee90e17 100644 > > --- a/tests/ovn.at > > +++ b/tests/ovn.at 
> > @@ -35603,7 +35603,7 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, > priority=80,reg14=0x$sw0p1_key,metadata=0x > > check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC > > > > echo " table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,arp,reg14=0x$sw0p1_key,metadata=0x1 > actions=load:0x1->NXM_NX_REG10[[12]] > > - table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135 > actions=load:0->NXM_NX_REG10[[12]] > > + table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135 > actions=load:0x1->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136 > actions=load:0x1->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,arp_sha=00:00:00:00:00:03 > actions=load:0->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=90,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 > actions=load:0->NXM_NX_REG10[[12]] 
> > @@ -35639,7 +35639,7 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, > priority=80,reg14=0x$sw0p1_key,metadata=0x > > check_port_sec_offlows hv1 OFTABLE_CHK_IN_PORT_SEC > > > > echo " table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,arp,reg14=0x$sw0p1_key,metadata=0x1 > actions=load:0x1->NXM_NX_REG10[[12]] > > - table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135 > actions=load:0->NXM_NX_REG10[[12]] > > + table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=135 > actions=load:0x1->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p1_key,metadata=0x1,nw_ttl=255,icmp_type=136 > actions=load:0x1->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:03,arp_spa=10.0.0.3,arp_sha=00:00:00:00:00:03 > actions=load:0->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=90,arp,reg14=0x$sw0p1_key,metadata=0x1,dl_src=00:00:00:00:00:13,arp_spa=10.0.0.13,arp_sha=00:00:00:00:00:13 > actions=load:0->NXM_NX_REG10[[12]] 
> > @@ -35716,7 +35716,7 @@ echo " table=OFTABLE_CHK_IN_PORT_SEC, > priority=80,reg14=0x$sw0p2_key,metadata=0x > > check_port_sec_offlows hv2 OFTABLE_CHK_IN_PORT_SEC > > > > echo " table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,arp,reg14=0x$sw0p2_key,metadata=0x1 > actions=load:0x1->NXM_NX_REG10[[12]] > > - table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135 > actions=load:0->NXM_NX_REG10[[12]] > > + table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=135 > actions=load:0x1->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=80,icmp6,reg14=0x$sw0p2_key,metadata=0x1,nw_ttl=255,icmp_type=136 > actions=load:0x1->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=90,arp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,arp_spa=10.0.0.4,arp_sha=00:00:00:00:00:04 > actions=load:0->NXM_NX_REG10[[12]] > > table=OFTABLE_CHK_IN_PORT_SEC_ND, > priority=90,arp,reg14=0x$sw0p2_key,metadata=0x1,dl_src=00:00:00:00:00:04,arp_spa=20.0.0.4,arp_sha=00:00:00:00:00:04 > actions=load:0->NXM_NX_REG10[[12]]
> > --
> > 2.52.0
> >
> > _______________________________________________
> > dev mailing list
> > [email protected]
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >

Thank you Mark, I have addressed the nit, went ahead and merged this into main and backported all the way down to 24.03.

Regards,
Ales
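Review bot: in the controller/lflow.c hunk, the removed `build_port_sec_allow_action(ofpacts);` line is not replaced by the `build_port_sec_deny_action()` call that the removed TODO asked for, so the following `ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 80, ...)` now depends on `ofpacts` already holding the deny action from code outside the visible context; either add the explicit call or add a one-line comment at the call site saying the deny action built earlier in the function is reused, so the expected `actions=load:0x1->NXM_NX_REG10[[12]]` for the icmp_type=135 priority-80 flow in tests/ovn.at can be read straight from this function. Two smaller points in the same hunk: the retained header lines `* action - "port_sec_failed = 0;"` and `* description: "Default allow all IPv6 NS packets"` still describe the old allow behaviour, as Mark noted, and the new `+ * note: "Higher priority flows are added to allow the legit NS packets.` opens a double quote that is never closed.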
