> Ensure ICMP or ICMPv6 Time Exceeded replies are generated only
> on the resident chassis.

I guess this patch is correct, since we could confuse the ToR switch if we
sent the ICMPv{4,6} TTL Exceeded error message from different ports, but
I guess you still need to document the new flows.

Regards,
Lorenzo

> 
> Signed-off-by: Lucas Vargas Dias <[email protected]>
> ---
>  northd/northd.c     | 4 ++++
>  tests/ovn-northd.at | 4 ++--
>  2 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/northd/northd.c b/northd/northd.c
> index e70738a16..3107e14eb 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -16820,6 +16820,8 @@ build_lrouter_ipv4_default_ttl_expired_flows(
>          ds_clear(&ip_ds);
>          if (lrp_is_l3dgw(op)) {
>              ds_put_cstr(&ip_ds, "ip4.dst <-> ip4.src");
> +            ds_put_format(match, "is_chassis_resident(%s) && ",
> +                          op->cr_port->json_key);
>          } else {
>              ds_put_format(&ip_ds, "ip4.dst = ip4.src; ip4.src = %s",
>                            op->lrp_networks.ipv4_addrs[i].addr_s);
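Review bot: `op->cr_port` is dereferenced on the new line with no check that it is non-NULL; if lrp_is_l3dgw() does not by itself guarantee that a chassis-redirect port exists for the l3dgw port, this is a NULL dereference for a misconfigured distributed gateway port, and the same applies to the identical new lines in build_lrouter_ipv6_default_ttl_expired_flows (second hunk). The prefix is appended to `match` from inside a block that otherwise only builds `ip_ds`, and the expected flows in tests/ovn-northd.at show it has to land ahead of the `inport ==` clause, so the code presumably relies on `match` having been cleared just before this point in each iteration; that ordering dependency deserves a comment, e.g. `/* Distributed gateway port: only the chassis hosting the cr-port may answer, so an expired packet produces a single reply. */`. The enclosing function starts and ends outside the hunk.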
> @@ -16896,6 +16898,8 @@ build_lrouter_ipv6_default_ttl_expired_flows(
>          ds_clear(&ip_ds);
>          if (lrp_is_l3dgw(op)) {
>              ds_put_cstr(&ip_ds, "ip6.dst <-> ip6.src");
> +            ds_put_format(match, "is_chassis_resident(%s) && ",
> +                          op->cr_port->json_key);
>          } else {
>              ds_put_format(&ip_ds, "ip6.dst = ip6.src; ip6.src = %s",
>                            op->lrp_networks.ipv6_addrs[i].addr_s);
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index c88b865eb..39084a286 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -14357,9 +14357,9 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | 
> ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_ip_input     ), priority=30   , match=(inport == "lr0-sw0" 
> && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 {eth.dst <-> 
> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 254; 
> icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL exceeded in 
> transit */ outport = "lr0-sw0"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=30   , match=(inport == "lr0-sw1" 
> && ip4 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp4 {eth.dst <-> 
> eth.src; icmp4.type = 11; /* Time exceeded */ icmp4.code = 0; /* TTL exceeded 
> in transit */ ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 254; outport = 
> "lr0-sw1"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=30   , match=(inport == "lr0-sw1" 
> && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 {eth.dst <-> 
> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff03; ip.ttl = 254; 
> icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL exceeded in 
> transit */ outport = "lr0-sw1"; flags.loopback = 1; output; };)
> -  table=??(lr_in_ip_input     ), priority=31   , match=(inport == 
> "lr0-public" && ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && 
> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time 
> exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> ip4.src 
> ; ip.ttl = 254; outport = "lr0-public"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=31   , match=(inport == "lr0-sw0" 
> && ip4 && ip4.src == 10.0.0.0/24 && ip.ttl == {0, 1} && !ip.later_frag), 
> action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ 
> icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 
> 10.0.0.1 ; ip.ttl = 254; outport = "lr0-sw0"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=31   , match=(inport == "lr0-sw1" 
> && ip4 && ip4.src == 20.0.0.0/24 && ip.ttl == {0, 1} && !ip.later_frag), 
> action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ 
> icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 
> 20.0.0.1 ; ip.ttl = 254; outport = "lr0-sw1"; flags.loopback = 1; output; };)
> +  table=??(lr_in_ip_input     ), priority=31   , 
> match=(is_chassis_resident("cr-lr0-public") && inport == "lr0-public" && ip4 
> && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && !ip.later_frag), 
> action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ 
> icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> ip4.src ; ip.ttl = 
> 254; outport = "lr0-public"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=32   , match=(ip.ttl == {0, 1} && 
> !ip.later_frag && (ip4.mcast || ip6.mcast)), action=(drop;)
>    table=??(lr_in_ip_input     ), priority=50   , match=(eth.bcast), 
> action=(drop;)
>    table=??(lr_in_ip_input     ), priority=60   , match=(ip4.dst == 
> {10.0.0.1}), action=(drop;)
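Review bot: The updated expectation covers only the IPv4 lr0-public flow; no `ip6` flow for the l3dgw port lr0-public appears in this hunk or in the second hunk of this file, so the is_chassis_resident() prefix added in build_lrouter_ipv6_default_ttl_expired_flows looks untested unless another test covers it. Consider giving lr0-public an IPv6 address in one of these tests, or adding a check that the corresponding ip6 flow also starts with `is_chassis_resident("cr-lr0-public") && inport == "lr0-public"`. The AT_CHECK block continues outside the hunk.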
> @@ -14539,9 +14539,9 @@ AT_CHECK([grep "lr_in_ip_input" lr0flows | 
> ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_ip_input     ), priority=30   , match=(inport == "lr0-sw0" 
> && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 {eth.dst <-> 
> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 254; 
> icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL exceeded in 
> transit */ outport = "lr0-sw0"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=30   , match=(inport == "lr0-sw1" 
> && ip4 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp4 {eth.dst <-> 
> eth.src; icmp4.type = 11; /* Time exceeded */ icmp4.code = 0; /* TTL exceeded 
> in transit */ ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 254; outport = 
> "lr0-sw1"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=30   , match=(inport == "lr0-sw1" 
> && ip6 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp6 {eth.dst <-> 
> eth.src; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff03; ip.ttl = 254; 
> icmp6.type = 3; /* Time exceeded */ icmp6.code = 0; /* TTL exceeded in 
> transit */ outport = "lr0-sw1"; flags.loopback = 1; output; };)
> -  table=??(lr_in_ip_input     ), priority=31   , match=(inport == 
> "lr0-public" && ip4 && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && 
> !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time 
> exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> ip4.src 
> ; ip.ttl = 254; outport = "lr0-public"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=31   , match=(inport == "lr0-sw0" 
> && ip4 && ip4.src == 10.0.0.0/24 && ip.ttl == {0, 1} && !ip.later_frag), 
> action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ 
> icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 
> 10.0.0.1 ; ip.ttl = 254; outport = "lr0-sw0"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=31   , match=(inport == "lr0-sw1" 
> && ip4 && ip4.src == 20.0.0.0/24 && ip.ttl == {0, 1} && !ip.later_frag), 
> action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ 
> icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 
> 20.0.0.1 ; ip.ttl = 254; outport = "lr0-sw1"; flags.loopback = 1; output; };)
> +  table=??(lr_in_ip_input     ), priority=31   , 
> match=(is_chassis_resident("cr-lr0-public") && inport == "lr0-public" && ip4 
> && ip4.src == 172.168.0.0/24 && ip.ttl == {0, 1} && !ip.later_frag), 
> action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ 
> icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst <-> ip4.src ; ip.ttl = 
> 254; outport = "lr0-public"; flags.loopback = 1; output; };)
>    table=??(lr_in_ip_input     ), priority=32   , match=(ip.ttl == {0, 1} && 
> !ip.later_frag && (ip4.mcast || ip6.mcast)), action=(drop;)
>    table=??(lr_in_ip_input     ), priority=50   , match=(eth.bcast), 
> action=(drop;)
>    table=??(lr_in_ip_input     ), priority=60   , match=(ip4.dst == 
> {10.0.0.1}), action=(drop;)
> -- 
> 2.43.0
> 
> 