Using icmp6 action, send an ICMPv6 time exceeded frame whenever
an OVN logical router receives an IPv6 packet whose TTL has
expired (ip.ttl == {0, 1})Signed-off-by: Lorenzo Bianconi <[email protected]> --- ovn/northd/ovn-northd.8.xml | 12 +++++++++++- ovn/northd/ovn-northd.c | 31 +++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index 4d0bab476..08e0325a0 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -1383,7 +1383,8 @@ nd_na { address is <var>A</var>, a priority-40 flow with match <code>inport == <var>P</var> && ip.ttl == {0, 1} && !ip.later_frag</code> matches packets whose TTL has expired, with the - following actions to send an ICMP time exceeded reply: + following actions to send an ICMP time exceeded reply for IPv4 and + IPv6 respectively: </p> <pre> @@ -1395,6 +1396,15 @@ icmp4 { ip.ttl = 255; next; }; + +icmp6 { + icmp6.type = 3; /* Time exceeded. */ + icmp6.code = 0; /* TTL exceeded in transit. */ + ip6.dst = ip6.src; + ip6.src = <var>A</var>; + ip.ttl = 255; + next; +}; </pre> </li> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 2febf7b8e..8ed0c4987 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c 
@@ -5328,6 +5328,37 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ds_cstr(&match), action); } } + + /* ICMPv6 time exceeded */ + for (int i = 0; i < op->lrp_networks.n_ipv6_addrs; i++) { + /* skip link-local address */ + if (in6_is_lla(&op->lrp_networks.ipv6_addrs[i].network)) { + continue; + } + + ds_clear(&match); + ds_clear(&actions); + + ds_put_format(&match, + "inport == %s && ip6 && " + "ip6.src == %s/%d && " + "ip.ttl == {0, 1} && !ip.later_frag", + op->json_key, + op->lrp_networks.ipv6_addrs[i].network_s, + op->lrp_networks.ipv6_addrs[i].plen); + ds_put_format(&actions, + "icmp6 {" + "eth.dst <-> eth.src; " + "ip6.dst = ip6.src; " + "ip6.src = %s; " + "ip.ttl = 255; " + "icmp6.type = 3; /* Time exceeded */ " + "icmp6.code = 0; /* TTL exceeded in transit */ " + "next; };", + op->lrp_networks.ipv6_addrs[i].addr_s); + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 40, + ds_cstr(&match), ds_cstr(&actions)); + } } /* NAT, Defrag and load balancing. */ -- 2.17.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
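Review bot: in the ovn-northd.8.xml hunk at @@ -1383,7 +1383,8 @@, the paragraph still gives the match as `inport == P && ip.ttl == {0, 1} && !ip.later_frag` for both address families, but the IPv6 flow added in ovn-northd.c also matches `ip6` and `ip6.src == <network>/<plen>` and is skipped for link-local addresses. Please document the IPv6 match separately, including the link-local exclusion, so the man page describes the flow that is actually installed.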
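Review bot: the `icmp6 { ... }` block documented in the ovn-northd.8.xml hunk at @@ -1395,6 +1396,15 @@ omits `eth.dst <-> eth.src;`, which the action string in ovn-northd.c emits as its first statement, so the documented actions do not match the generated ones; please add it. IPv6 calls this field the hop limit, and RFC 4443 names type 3 code 0 "hop limit exceeded in transit", so the comment on `icmp6.code = 0` would be clearer with that wording, here and in the C string.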
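Review bot: in the ovn-northd.c hunk at @@ -5328,6 +5328,37 @@, the match term `ip6.src == %s/%d` limits the reply to packets sourced from the router port's own prefix, so a packet from any other source whose hop limit expires at this router gets no time exceeded message, while the IPv4 match documented in the man page has no source restriction. If the restriction is deliberate, explain it in the code comment and the commit message; if not, drop the `ip6.src` term. The match also does not exclude packets that are themselves ICMPv6 error messages, which RFC 4443 section 2.4 says must not trigger a new error; please confirm that the `icmp6` action already handles this or cover it in the match.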
