> On 2/4/26 5:21 PM, Lorenzo Bianconi via dev wrote:
> > Do not forward ethernet packets with unknown ether type (0x05ff) to
> > router pipeline.
>
> Hi, Lorenzo. Thanks for the patch!

Hi Ilya, thx for the review.

> It would be nice to have some explanation here on why we need to drop
> these early before it reaches the router pipeline.
>
> This patch may also use some test cases.

ack, I will add it in v2

> One more thought below.
>
> >
> > Reported-at: https://issues.redhat.com/browse/FDP-1908
> > Signed-off-by: Lorenzo Bianconi <[email protected]>
> > ---
> > northd/northd.c | 9 +++++++++
> > northd/ovn-northd.8.xml | 5 +++++
> > 2 files changed, 14 insertions(+)
> >
> > diff --git a/northd/northd.c b/northd/northd.c
> > index b4bb4ba6d..539567ba7 100644
> > --- a/northd/northd.c
> > +++ b/northd/northd.c
> > @@ -5947,6 +5947,15 @@ build_lswitch_port_sec_op(struct ovn_port *op,
> > struct lflow_table *lflows,
> > return;
> > }
> >
> > + if (lsp_is_router(op->nbsp)) {
> > + ds_clear(match);
> > + ds_put_format(match, "outport == %s && eth.type == 0x%04x",
> > + op->json_key, OFP_DL_TYPE_NOT_ETH_TYPE);
> > + ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_APPLY_PORT_SEC, 150,
> > + ds_cstr(match), debug_drop_action(), op->lflow_ref,
> > + WITH_DESC("Packet with unknown ether type"));
> > + }
> > +
> > ds_clear(match);
> > ds_clear(actions);
> > ds_put_format(match, "inport == %s", op->json_key);
> > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> > index 279d81f35..fe1dc4dc0 100644
> > --- a/northd/ovn-northd.8.xml
> > +++ b/northd/ovn-northd.8.xml
> > @@ -2816,6 +2816,11 @@ output;
> > </p>
> >
> > <ul>
> > + <li>
> > + For router ports, a priority 150 flow to drop ethernet packets with
> > + unknown ether type (0x05ff).
>
> This does align with what I originally reported, but seeing more cases
> of random traffic being resubmitted to all routers recently, I wonder
> if we should take a default-deny approach here and instead of dropping
> specific ethertypes that we know cannot be routed by the logical router,
> drop everything that is not arp, ip or ipv6 instead. WDYT?
>
> This could potentially be done by restricting the default forwarding
> rule in build_lswitch_destination_lookup_bmcast() to arp, ip and ipv6.

ack, I will look into it. Do you think we should have a knob to
enable/disable this behaviour?

Regards,
Lorenzo

> Unicast traffic generally doesn't cause any issues for OVN and we may
> let the router pipeline deal with it (drop).
>
> An example of the other type of traffic I witnessed was ethernet
> multicast traffic with dl_type=0x8918 that some network appliances are
> using for loop detection.
>
> Best regards, Ilya Maximets.
>
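Review bot: in the northd.c hunk, the description WITH_DESC("Packet with unknown ether type") and the match on OFP_DL_TYPE_NOT_ETH_TYPE do not say the same thing: 0x05ff is the value OVS reports as dl_type for frames whose 16-bit type field is an 802.3 length rather than an ethertype (LLC frames without a recognised SNAP type), so a frame with an unknown but real ethertype, such as the 0x8918 mentioned later in the thread, is not matched by this flow at all. State that precisely in the description and in the commit message, which currently gives no reason for dropping these frames before they reach the router pipeline. The block is also guarded by lsp_is_router(op->nbsp) only, so the same frames still leave through non-router ports; a short comment above the block saying why router ports alone need this would spare the next reader the question. Finally, nothing in the patch exercises the new priority 150 flow; a test case should accompany it.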
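Review bot: in the ovn-northd.8.xml hunk, the new <li> describes the flow as dropping "ethernet packets with unknown ether type (0x05ff)", but 0x05ff is not an ethertype seen on the wire; it is the value OVS assigns to frames that carry an 802.3 length field instead of an ethertype. Describe what the flow matches in those terms (for example "frames without an ethertype, which OVS reports as eth.type 0x05ff"), otherwise readers will expect other unrecognised ethertypes to be dropped as well. The text should also say that the flow applies only to logical switch ports attached to a router, matching the lsp_is_router() condition in the northd.c hunk.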
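A stand-alone illustration of the two policies discussed in this thread, added here as an example and not code from OVN or from either participant. It models how OVS derives dl_type from a raw frame (an Ethernet II ethertype is taken as-is, VLAN tags are stripped and the inner type reported, and an 802.3 length field is resolved to the SNAP type only for LLC/SNAP with a zero OUI, otherwise 0x05ff), then checks each sample frame against the posted patch's rule (drop only eth.type 0x05ff at router ports) and against the default-deny alternative (forward only arp, ip and ipv6). The MAC addresses and frames are constructed, the LLC/SNAP handling is a simplified reading of OVS flow extraction rather than OVN's own logic, and dropped_by_patch()/dropped_by_default_deny() are hypothetical helpers, not OVN functions.

```python
"""Classify frames the way OVS derives dl_type, then apply the two router-port
policies from the review thread: "drop 0x05ff only" vs "allow only ARP/IP/IPv6".
Simplified model of OVS flow extraction; constructed sample frames."""
import struct

ETH_TYPE_MIN = 0x0600            # below this, the 16-bit field is an 802.3 length
DL_TYPE_NOT_ETH_TYPE = 0x05FF    # what OVS reports when no ethertype can be found
VLAN_TPIDS = (0x8100, 0x88A8)    # 802.1Q / 802.1ad tags are stripped before typing
ETH_TYPE_ARP, ETH_TYPE_IP, ETH_TYPE_IPV6 = 0x0806, 0x0800, 0x86DD
ROUTABLE = {ETH_TYPE_ARP, ETH_TYPE_IP, ETH_TYPE_IPV6}


def ovs_dl_type(frame: bytes) -> int:
    """Return dl_type for a raw frame following OVS's rules (simplified model)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off = 12
    proto = struct.unpack_from("!H", frame, off)[0]
    off += 2
    # Strip VLAN tags: skip the 2-byte TCI and read the inner type.
    while proto in VLAN_TPIDS and len(frame) >= off + 4:
        proto = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if proto >= ETH_TYPE_MIN:
        return proto                      # Ethernet II: the field is the ethertype
    # 802.3 length field: an LLC header follows. Only SNAP with OUI 00:00:00
    # carries a usable ethertype; everything else has no ethertype at all.
    if len(frame) < off + 8:
        return DL_TYPE_NOT_ETH_TYPE
    dsap, ssap, ctrl = frame[off], frame[off + 1], frame[off + 2]
    oui = frame[off + 3:off + 6]
    snap_type = struct.unpack_from("!H", frame, off + 6)[0]
    if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03) and oui == b"\x00\x00\x00" \
            and snap_type >= ETH_TYPE_MIN:
        return snap_type
    return DL_TYPE_NOT_ETH_TYPE


def dropped_by_patch(dl_type: int) -> bool:
    """Hypothetical helper: the posted patch drops only eth.type == 0x05ff."""
    return dl_type == DL_TYPE_NOT_ETH_TYPE


def dropped_by_default_deny(dl_type: int) -> bool:
    """Hypothetical helper: the alternative forwards only arp, ip and ipv6."""
    return dl_type not in ROUTABLE


def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", type_or_len) + payload


# Constructed addresses and frames (not captured traffic).
MCAST = bytes.fromhex("0180c2000000")
ROUTER_MAC = bytes.fromhex("00a0b0c0d0e0")
HOST_MAC = bytes.fromhex("001122334455")

SAMPLES = {
    "ipv4": build_frame(ROUTER_MAC, HOST_MAC, ETH_TYPE_IP, b"\x45" + b"\x00" * 19),
    "arp": build_frame(b"\xff" * 6, HOST_MAC, ETH_TYPE_ARP,
                       b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    "vlan_ipv6": build_frame(ROUTER_MAC, HOST_MAC, 0x8100,
                             struct.pack("!HH", 0x0064, ETH_TYPE_IPV6) + b"\x60" + b"\x00" * 39),
    # 802.3 frame with a plain LLC header (STP-style DSAP/SSAP 0x42): no ethertype.
    "llc_stp": build_frame(MCAST, HOST_MAC, 0x0026, b"\x42\x42\x03" + b"\x00" * 35),
    # 802.3 + LLC/SNAP with zero OUI: OVS reports the SNAP type (IPv4 here).
    "snap_ipv4": build_frame(ROUTER_MAC, HOST_MAC, 0x0028,
                             b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"\x45" + b"\x00" * 31),
    # Ethernet II multicast with the 0x8918 ethertype mentioned in the thread.
    "mcast_8918": build_frame(MCAST, HOST_MAC, 0x8918, b"\x00" * 46),
}


def evaluate(samples=SAMPLES) -> dict:
    """Map sample name -> (dl_type, dropped by patch, dropped by default-deny)."""
    out = {}
    for name, frame in samples.items():
        dl = ovs_dl_type(frame)
        out[name] = (dl, dropped_by_patch(dl), dropped_by_default_deny(dl))
    return out


if __name__ == "__main__":
    for name, (dl, p, d) in evaluate().items():
        print(f"{name:<11} dl_type=0x{dl:04x}  patch_drops={p!s:<5} default_deny_drops={d}")
```

Run as a script to print one row per sample. The 0x8918 multicast frame is the interesting one: it passes the posted patch but is dropped by the default-deny rule, while the LLC frame without an ethertype (reported as 0x05ff) is dropped by both, and the SNAP-encapsulated IPv4 frame is forwarded by both because OVS resolves it to 0x0800.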
_______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
