On 4/20/20 5:13 PM, Numan Siddique wrote:
> On Sat, Apr 18, 2020 at 3:24 AM Dumitru Ceara <[email protected]> wrote:
>>
>> Neighbor solicitation packets for router owned IPs are replied to in
>> table IN_IP_INPUT at a higher priority than flows that relay IPv6 multicast
>> traffic when needed. All other NS/NA packets received at this point can
>> be safely dropped.
>>
>> However, router advertisement and router solicitation packets are
>> processed at a later stage, in ND_RA_OPTIONS/ND_RA_RESPONSE. These
>> packets need to be allowed in table IN_IP_INPUT.
>>
>> Commit 677a3ba4d66b incorrectly allowed all IPv6 multicast traffic
>> destined to all-nodes in table IN_IP_INPUT. Instead, only ND_RA and
>> ND_RS packets should be allowed. All others were either already
>> processed or should be dropped. If multicast relay is enabled then IPv6
>> multicast traffic that's not destined to reserved groups should also be
>> allowed.
>>
>> Furthermore, router solicitation and advertisement packets that don't
>> get processed in tables ND_RA_OPTIONS/ND_RA_RESPONSE should be dropped
>> in IN_IP_ROUTING because they should never be routed.
>>
>> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1825334
>> Reported-by: Jakub Libosvar <[email protected]>
>> Fixes: 677a3ba4d66b ("ovn: Add MLD support.")
>> Signed-off-by: Dumitru Ceara <[email protected]>
>> ---
>> northd/ovn-northd.8.xml | 49 ++++++++++++++++++++++++++++++++-----------------
>> northd/ovn-northd.c | 43 ++++++++++++++++++++++++++++++-------------
>> 2 files changed, 62 insertions(+), 30 deletions(-)
>
> Thanks Dumitru for the fix.
> I tested locally too and confirm that IPv6 RA packets which entered
> the router pipeline are dropped.
>
> I applied this patch to master and branch-20.03.
>
> Thanks
> Numan
>
Thanks Numan!

I'll also try to send a patch soon to add a unit test for this issue.

Regards,
Dumitru
