Hi Numan,

I was a bit surprised to find that "nd" did not cover "nd_rs" and "nd_ra" packets already. Is there a reason not to expand the scope of "nd" to cover ICMP6 type 133 and 134?

On 6/11/20 9:14 AM, num...@ovn.org wrote:
From: Numan Siddique <num...@ovn.org>

We already add the below logical flows to bypass IPv6 Neighbor discovery packets
from the in/out ACL stage.

table=6 (ls_in_acl          ), priority=65535, match=(nd), action=(next;)
table=4 (ls_out_acl         ), priority=65535, match=(nd), action=(next;)

This patch also adds nd_rs and nd_ra to these logical flows. Without these,
the IPv6 Router Adv packets generated by ovn-controller are dropped if the
CMS has configured ACLs.

Reported-by: Jakub Libosvar <jlibo...@redhat.com>
Signed-off-by: Numan Siddique <num...@ovn.org>
---
  northd/ovn-northd.8.xml | 6 ++++++
  northd/ovn-northd.c     | 6 ++++--
  2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 7281eeecc..a7639f33a 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -467,6 +467,12 @@
          ACL re-allow this connection.
        </li>
+ <li>
+        A priority-65535 flow that allows IPv6 Neighbor solicitation,
+        Neighbor discover, Router solicitation and Router advertisement
+        packets.
+      </li>
+
        <li>
          A priority 34000 logical flow is added for each logical switch 
datapath
          with the match <code>eth.dst = <var>E</var></code> to allow the 
service
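Review bot: The new `<li>` says "Neighbor discover", but the four message types this flow now passes are Neighbor solicitation, Neighbor advertisement (both already covered by `nd`), Router solicitation and Router advertisement (the added `nd_rs`/`nd_ra`), so the text should read "Neighbor advertisement". It would also help to follow the phrasing of the neighbouring entry ("A priority 34000 logical flow is added ...") and state the action, e.g. "A priority-65535 logical flow that matches `nd || nd_ra || nd_rs` with action `next;`", so the documentation stays in step with the match string in ovn-northd.c.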
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 0fc62bf91..b8c9e9325 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -5389,8 +5389,10 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
          /* Ingress and Egress ACL Table (Priority 65535).
           *
           * Not to do conntrack on ND packets. */
-        ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "nd", "next;");
-        ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "nd", "next;");
+        ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
+                      "nd || nd_ra || nd_rs", "next;");
+        ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
+                      "nd || nd_ra || nd_rs", "next;");
      }
/* Ingress or Egress ACL Table (Various priorities). */
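Review bot: The comment above the two calls still reads "Not to do conntrack on ND packets" while the match has become `nd || nd_ra || nd_rs`; update it to say that Router Solicitation and Router Advertisement are also passed through without conntrack, otherwise the comment no longer describes the flow. The same match string is now repeated for S_SWITCH_IN_ACL and S_SWITCH_OUT_ACL; a single `const char *` (or macro) would keep the ingress and egress flows from drifting apart on the next change. Finally, as the reply at the top of the thread asks, if the `nd` match itself were extended to cover ICMPv6 types 133 and 134 this hunk would be unnecessary; whichever approach is chosen, the ovn-northd.8.xml text and this match must describe the same set of packets.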


_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
