On 11/14/25 5:59 PM, Ales Musil wrote:
> The dynamically learned FDBs were using idle_timeout configured to
> the same value as fdb_age_threshold for the given LS. This could cause
> an issue when the traffic was originated only from OVN, without the
> reply the flow would be used, but OVN could be just blackholing
> traffic.
>
> Switch to hard_timeout instead, that means the flow will be removed
> after the specified timeout regardless of the usage, however
> this is still better than the blackhole that isn't recoverable.
> Without the FDB we would flood instead, which might happen during the
> period when hard_timeout expires before the workload replies back to
> populate the FDB again.
>
> Fixes: 53e0d5ac2a74 ("controller: Learn EVPN workload FDB from the ingress
> traffic.")
> Signed-off-by: Ales Musil <[email protected]>
> ---
Looks good to me, thanks!
Acked-by: Dumitru Ceara <[email protected]>
> controller/physical.c | 2 +-
> tests/system-ovn.at | 6 +++---
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/controller/physical.c b/controller/physical.c
> index 6ac5dcd3f..2c314b7da 100644
> --- a/controller/physical.c
> +++ b/controller/physical.c
> @@ -2965,7 +2965,7 @@ physical_consider_evpn_binding(const struct
> evpn_binding *binding,
> ol->flags = NX_LEARN_F_DELETE_LEARNED;
> ol->priority = 150;
> ol->table_id = OFTABLE_GET_REMOTE_FDB;
> - ol->idle_timeout = binding->fdb_age_threshold;
> + ol->hard_timeout = binding->fdb_age_threshold;
>
> /* Match the learned flow on the same metadata. */
> ol_spec = ofpbuf_put_zeros(ofpacts, sizeof *ol_spec);
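Review bot: The `ol->hard_timeout = binding->fdb_age_threshold;` assignment carries no comment explaining why a hard timeout backs an age threshold, which a later reader could easily take for a mistake and switch back to idle_timeout. Suggest a short comment above that line saying idle_timeout is avoided on purpose, because traffic originated only from OVN keeps the learned flow in use, and that the entry is expected to be re-learned from ingress traffic after it expires, with flooding in between.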
> diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> index 76f73d96e..167281785 100644
> --- a/tests/system-ovn.at
> +++ b/tests/system-ovn.at
> @@ -18653,9 +18653,9 @@ check ovn-nbctl --wait=hv set logical_switch ls-evpn
> other_config:fdb_age_thresh
> ovs-ofctl dump-flows br-int table=OFTABLE_LEARN_REMOTE_FDB
> AT_CHECK_UNQUOTED([ovs-ofctl dump-flows br-int
> table=OFTABLE_LEARN_REMOTE_FDB | grep priority | \
> awk '{print $7, $8}' | strip_cookie | sort], [0], [dnl
> -priority=100,reg14=0x80000001,metadata=0x$dp_key
> actions=learn(table=OFTABLE_GET_REMOTE_FDB,idle_timeout=300,priority=150,delete_learned,OXM_OF_METADATA[[]],NXM_OF_ETH_DST[[]]=NXM_OF_ETH_SRC[[]],load:NXM_NX_REG14[[]]->NXM_NX_REG1[[]])
> -priority=100,reg14=0x80000002,metadata=0x$dp_key
> actions=learn(table=OFTABLE_GET_REMOTE_FDB,idle_timeout=300,priority=150,delete_learned,OXM_OF_METADATA[[]],NXM_OF_ETH_DST[[]]=NXM_OF_ETH_SRC[[]],load:NXM_NX_REG14[[]]->NXM_NX_REG1[[]])
> -priority=100,reg14=0x80000003,metadata=0x$dp_key
> actions=learn(table=OFTABLE_GET_REMOTE_FDB,idle_timeout=300,priority=150,delete_learned,OXM_OF_METADATA[[]],NXM_OF_ETH_DST[[]]=NXM_OF_ETH_SRC[[]],load:NXM_NX_REG14[[]]->NXM_NX_REG1[[]])
> +priority=100,reg14=0x80000001,metadata=0x$dp_key
> actions=learn(table=OFTABLE_GET_REMOTE_FDB,hard_timeout=300,priority=150,delete_learned,OXM_OF_METADATA[[]],NXM_OF_ETH_DST[[]]=NXM_OF_ETH_SRC[[]],load:NXM_NX_REG14[[]]->NXM_NX_REG1[[]])
> +priority=100,reg14=0x80000002,metadata=0x$dp_key
> actions=learn(table=OFTABLE_GET_REMOTE_FDB,hard_timeout=300,priority=150,delete_learned,OXM_OF_METADATA[[]],NXM_OF_ETH_DST[[]]=NXM_OF_ETH_SRC[[]],load:NXM_NX_REG14[[]]->NXM_NX_REG1[[]])
> +priority=100,reg14=0x80000003,metadata=0x$dp_key
> actions=learn(table=OFTABLE_GET_REMOTE_FDB,hard_timeout=300,priority=150,delete_learned,OXM_OF_METADATA[[]],NXM_OF_ETH_DST[[]]=NXM_OF_ETH_SRC[[]],load:NXM_NX_REG14[[]]->NXM_NX_REG1[[]])
> priority=150,reg14=0x80000001,metadata=0x$dp_key,dl_src=f0:00:0f:16:10:50
> actions=drop
> priority=150,reg14=0x80000002,metadata=0x$dp_key,dl_src=f0:00:0f:16:10:60
> actions=drop
> priority=150,reg14=0x80000003,metadata=0x$dp_key,dl_src=00:00:00:00:00:01
> actions=drop
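Review bot: The expected output for OFTABLE_LEARN_REMOTE_FDB only swaps `idle_timeout=300` for `hard_timeout=300`, so the test checks the text of the learn action but not the behaviour the fix is about. Consider adding a check that a learned entry in OFTABLE_GET_REMOTE_FDB is removed once the threshold passes while traffic matching it is still being sent, using a short fdb_age_threshold so the test stays fast.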