On Tue, Aug 21, 2018 at 04:24:27PM -0700, Han Zhou wrote:
> On Tue, Aug 21, 2018 at 3:38 PM Ben Pfaff <b...@ovn.org> wrote:
> >
> > On Tue, Aug 21, 2018 at 03:03:16PM -0700, Han Zhou wrote:
> > > On Tue, Aug 21, 2018 at 11:36 AM Ben Pfaff <b...@ovn.org> wrote:
> > > >
> > > > On Sun, Aug 19, 2018 at 10:27:30PM -0700, Han Zhou wrote:
> > > > > Currently the OVN LR datapath responds to ARP requests even if the ARP
> > > > > requestor's src IP doesn't belong to the LR port's subnets. This
> > > > > may generate unnecessary ARP responses and there could also be
> > > > > security concerns. This patch restricts the ARP response to cases where
> > > > > the requestor's IP matches the LR port's subnets.
> > > > >
> > > > > Signed-off-by: Han Zhou <hzh...@ebay.com>
> > > >
> > > > Thanks, this series seems fine and the tests pass, so I applied it to
> > > > master.
> > >
> > > Thanks Ben. Shall we backport to at least 2.9 and 2.10? Without this, GARP
> > > request won't work for mac-binding update.
> >
> > How much of a problem is it in practice?  The patch series was the first
> > I'd heard of the problem.
> 
> The first patch in this series may not be critical, but the second one
> regarding GARP is quite important IMHO, since GARP request is very commonly
> used for announcing IP-MAC bindings.
> In practice, there are 2 common cases that will have problems:
> 
> 1) When IP-MAC bindings update in the external network behind the OVN GW. The
> IPs are usually the default next hop GW of OVN logical routers, or the next hop of
> some static routes in OVN. There is a good chance that these bindings
> change after device replacement/upgrade etc. These are not frequent
> operations, but once it happens it has a big impact. Someone has to
> debug this and finally delete the stale mac-binding entries manually from
> the SB DB, so that traffic can go through the new device.
> 
> 2) When nested workloads are running behind OVN logical ports, such as,
> running containers inside VMs. If we don't use child port feature, we'd
> rely on mac-binding for container's IP to be accessible. If the
> implementation of the container orchestration system uses GARP request to
> update the neighbors, then it won't work without the GARP patch. There is a
> workaround in this case - change the container orchestration system
> implementation to use ARP reply to update the neighbors, but it would be
> better if OVN supports the general scenario.

Thanks a lot for the explanation.

This applied cleanly and built as far back as branch-2.8, so I
backported as far as that.
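The ARP-response restriction and the GARP-request mac-binding update discussed in this thread, modelled in Python as an added example (not OVN code; the port networks, MAC values and the simplified learning rule are assumptions):

```python
"""Model of the LR ARP behaviour discussed in the thread (added example, not OVN code).

(a) the router only answers an ARP request whose sender IP lies in one of the
    LR port's subnets and whose target is one of the port's own IPs;
(b) a GARP request (sender IP == target IP) is never answered, but its
    IP->MAC binding is learned when the sender is on-link.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ArpRequest:
    sha: str  # sender hardware address
    spa: str  # sender protocol address (the requestor's IP)
    tpa: str  # target protocol address (the IP being resolved)


@dataclass
class LogicalRouterPort:
    mac: str
    networks: list  # e.g. ["10.0.0.1/24"], like the lrp "networks" column
    # ip -> mac; stands in for SB MAC_Binding rows (assumption, simplified)
    mac_bindings: dict = field(default_factory=dict)

    def _ifaces(self):
        return [ipaddress.ip_interface(n) for n in self.networks]

    def in_subnet(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in i.network for i in self._ifaces())

    @staticmethod
    def is_garp_request(req):
        # A gratuitous ARP request announces the sender's own address.
        return req.spa == req.tpa

    def should_respond(self, req):
        # Pre-patch behaviour answered regardless of spa; the patch adds the
        # in_subnet(spa) condition so off-link requestors get no reply.
        ours = {str(i.ip) for i in self._ifaces()}
        return req.tpa in ours and self.in_subnet(req.spa)

    def learn_from_garp(self, req):
        # Refresh the binding only for GARP requests from an on-link sender;
        # returns True when the table changed (model of the second patch).
        if not (self.is_garp_request(req) and self.in_subnet(req.spa)):
            return False
        changed = self.mac_bindings.get(req.spa) != req.sha
        self.mac_bindings[req.spa] = req.sha
        return changed
```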
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev