On 06/10/2021 16:28, mh...@redhat.com wrote:
> From: Mohammad Heib <mh...@redhat.com>
>
> When the ovn controller receives an ip packet that targets a lport that
> has ACL rule to reject ip packets, the controller will reply with TCP_RST
> or icmp4/6 unreachable packet to notify the sender that the destination
> is not available.
>
> In turn, the receiver host will receive the notification packet and
> handle it as a normal IP packet and if the receiver host is part of the
> same logical-switch/port-group or has IP reject ACL rule it will send
> TCP_RST or icmp4/6 unreachable packet replying to the TCP_RST or icmp4/6
> unreachable packet we received and here we will enter an infinite loop
> of replying about replying which will consume high CPU.
>
> To avoid such scenarios this patch proposes to drop/ignore TCP_RST or
> icmp4/6 unreachable packets that are received on lport that has IP reject
> ACL rules.
>
> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1934011
> Fixes: 64f8c9e9f ("actions: Add a new OVN action - reject {}.")
> Signed-off-by: Mohammad Heib <mh...@redhat.com>

Looks good. Could you add a test?
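
The reply loop described in the quoted commit message, and the effect of dropping reject notifications, as a toy model of two ports that both carry an IP reject ACL. This is an added example, not OVN code and not part of the patch; the struct, the function names and the hop cap are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, hypothetical names: not taken from the OVN source tree. */
enum proto { P_ICMP4 = 1, P_TCP = 6, P_UDP = 17, P_ICMP6 = 58 };
enum { TCP_RST = 0x04, ICMP4_UNREACH = 3, ICMP6_UNREACH = 1 };

struct pkt { enum proto proto; uint8_t tcp_flags; uint8_t icmp_type; bool ipv6; };

/* True if the packet is itself a reject notification (RST or unreachable). */
static bool is_reject_notification(const struct pkt *p)
{
    switch (p->proto) {
    case P_TCP:   return (p->tcp_flags & TCP_RST) != 0;
    case P_ICMP4: return p->icmp_type == ICMP4_UNREACH;
    case P_ICMP6: return p->icmp_type == ICMP6_UNREACH;
    default:      return false;
    }
}

/* Reply a reject ACL generates: RST for TCP, ICMP unreachable otherwise. */
static struct pkt make_reject(const struct pkt *in)
{
    struct pkt out = { .ipv6 = in->ipv6 };
    if (in->proto == P_TCP) { out.proto = P_TCP; out.tcp_flags = TCP_RST; }
    else if (in->ipv6) { out.proto = P_ICMP6; out.icmp_type = ICMP6_UNREACH; }
    else { out.proto = P_ICMP4; out.icmp_type = ICMP4_UNREACH; }
    return out;
}

/* Bounce a packet between two rejecting ports; return replies generated. */
static int simulate(struct pkt cur, bool drop_notifications, int max_hops)
{
    int replies = 0;
    while (replies < max_hops) {
        if (drop_notifications && is_reject_notification(&cur))
            break;                    /* dropped: never reply to a reply */
        cur = make_reject(&cur);      /* the peer's ACL rejects this too */
        replies++;
    }
    return replies;
}

int main(void)
{
    struct pkt udp = { .proto = P_UDP };  /* constructed sample packet */
    printf("no guard: %d, guard: %d\n", simulate(udp, false, 1000), simulate(udp, true, 1000));
    return 0;
}
```

Without the guard the reply count is limited only by the hop cap; with it, one rejected packet produces exactly one notification.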