On 5/6/26 10:33 AM, Mairtin O'Loingsigh wrote:
> On Mon, May 04, 2026 at 09:05:40AM +0200, Dumitru Ceara wrote:
>> Hi Mairtin,
>>
>> Thanks for the review!
>>
>> On 4/29/26 10:28 AM, Mairtin O'Loingsigh wrote:
>>> On Fri, Apr 24, 2026 at 05:35:58PM +0200, Dumitru Ceara via dev wrote:
>>>> The ARP/ND responder stage (ls_in_arp_rsp) unconditionally
>>>> bypassed all traffic arriving from localnet ports via a
>>>> priority-100 "next;" flow. This caused broadcast ARP/ND
>>>> requests from the physical network to be flooded to every
>>>> logical switch port instead of being handled by proxy
>>>> ARP/ND. On switches with ~200+ ports the resulting
>>>> multicast replication exceeded the OVS 4K resubmit limit,
>>>> dropping the packets and breaking connectivity.
>>>>
>>>> Replace the bypass with a targeted mechanism:
>>>>
>>>> - In ls_in_lookup_fdb, set flags.localnet = 1 for
>>>> packets arriving from localnet ports (P50 fallback;
>>>> the existing P100 FDB-learning flow already sets this
>>>> flag when FDB learning is enabled).
>>>>
>>>> - In the P50 ARP/ND reply flows, append the condition
>>>> "((flags.localnet == 1 && is_chassis_resident(port))
>>>> || flags.localnet == 0)" on switches that have
>>>> localnet ports.
>>>>
>>>> This ensures that ARP/ND requests from localnet are only
>>>> answered on the chassis hosting the target VIF, preventing
>>>> both the flood and duplicate replies from multiple
>>>> hypervisors. VIF-to-VIF proxy ARP/ND is unchanged because
>>>> flags.localnet is 0 for non-localnet-sourced traffic.
>>>>
>>>> Fixes: f763a3273b84 ("ovn: Avoid ARP responder for packets from localnet
>>>> port")
>>>> Reported-at: https://redhat.atlassian.net/browse/FDP-3436
>>>> Assisted-by: Claude Opus 4.6, Claude Code
>>>> Signed-off-by: Dumitru Ceara <[email protected]>
>>>> ---
>>
>> [...]
>>
>>>>
>>>> +/* On switches with localnet ports, restrict ARP/ND replies for
>>>> + * localnet-sourced requests to the chassis hosting the target VIF
>>>> + * (preventing duplicate replies from every hypervisor). Non-localnet
>>>> + * requests (VIF-to-VIF) are answered unconditionally as before. */
>>>> +static void
>>>> +build_lswitch_arp_nd_local_resp_match(struct ds *match,
>>>> + const struct ovn_port *op)
>>>> +{
>>>> + if (!ls_has_localnet_port(op->od)) {
>>>> + return;
>>>> + }
>>>> +
>>>> + ds_put_format(match,
>>>> + " && ((flags.localnet == 1 && is_chassis_resident(%s))"
>>>> + " || flags.localnet == 0)", op->json_key);
>>> nit: spacing
>>
>> I had actually done this on purpose to make it a bit more visible that "
>> || flags.localnet == 0" is part of the condition in parenthesis. But I
>> have no strong preference in the end. Please let me know if you still
>> would like me to change it.
>>
>>>> +}
>>>> +
>>
>> [...]
>>
>>>>
>>> LGTM. Just one small nit.
>>>
>>> Acked-by: Mairtin O'Loingsigh <[email protected]>
>>>
>>
>> Regards,
>> Dumitru
>>
>
> This spacing does look more readable. No need to change.
>
Hi Mairtin,
Thanks for the confirmation! Applied to main and all stable branches
down to 24.03.
Regards,
Dumitru
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
