[ovs-build] Passed: ovsrobot/ovn#126 (series_130289 - e8147bb)

[Travis CI]

Build Update for ovsrobot/ovn
-------------------------------------

Build: #126
Status: Passed

Duration: 49 mins and 54 secs
Commit: e8147bb (series_130289)
Author: Numan Siddique
Message: Learn the mac binding only if required

OVN has the actions - put_arp and put_nd to learn the mac bindings from the
ARP/ND packets. These actions update the Southbound MAC_Binding table.
These actions translates to controller actions. Whenever pinctrl thread
receives such packets, it wakes up the main ovn-controller thread.
If the MAC_Binding table is already upto date, this results
in unnecessary CPU cyles. There are some security implications as well.
A rogue VM can flood broadcast ARP request/reply packets and this
could cause DoS issues. A physical switch may send periodic GARPs
and these packets hit ovn-controllers.

This patch solves these problems by learning the mac bindings only if
required. There is no need to apply the put_arp/put_nd action if the
Southbound MAC_Binding row is upto date.

A new action - lookup_arp and lookup_nd is added which looks up the
IP, MAC pair in the mac_binding table and updates the eth.dst if
the entry is present, else eth.dst is set to 00:00:00:00:00:00.

ovn-northd adds 2 new stages - lookup_arp and put_arp before ip_input
in the router ingress pipeline.

The logical flows looks something like:

table=1 (lr_in_lookup_arp), priority=100  , match=(arp),
         action=(xxreg1[0..47] = eth.dst;
         lookup_arp(inport, arp.spa, arp.sha);
         xxreg0[0..47] = eth.dst; eth.dst = xxreg1[0..47]; next;)

table=1 (lr_in_lookup_arp), priority=0    , match=(1), action=(next;)
...
table=2 (lr_in_put_arp   ), priority=100  ,
         match=(arp.op == 2 && xxreg0[0..47] == 00:00:00:00:00:00),
         action=(put_arp(inport, arp.spa, arp.sha);)
table=2 (lr_in_put_arp   ), priority=90   , match=(arp.op == 2), action=(drop;)
table=2 (lr_in_put_arp   ), priority=0    , match=(1), action=(next;)

The lflow module of ovn-controller adds OF flows in table 31 (OFTABLE_MAC_LOOKUP)
for each mac_binding entry with the match reg0 = ip && eth.src = mac with
the action - eth.dst = mac

Eg:
table=31, priority=100,arp,reg0=0xaca8006f,reg14=0x3,metadata=0x3,dl_src=00:44:00:00:00:04
          actions=mod_dl_dst:00:44:00:00:00:04

This patch should also address the issue reported in 'Reported-at'

Reported-at: https://bugzilla.redhat.com/1729846
Reported-by: Haidong Li <haili at redhat.com>
CC: Han ZHou <hzhou8 at ebay.com>
CC: Dumitru Ceara <dceara at redhat.com>
Signed-off-by: Numan Siddique <nusiddiq at redhat.com>
Signed-off-by: 0-day Robot <robot at bytheb.org>

View the changeset: https://github.com/ovsrobot/ovn/compare/ab568488db21^...e8147bbc9b35

View the full build log and details: https://travis-ci.com/ovsrobot/ovn/builds/127096598?utm_medium=notification&utm_source=email

--

You can unsubscribe from build emails from the ovsrobot/ovn repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=9136199&utm_medium=notification&utm_source=email.
Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification&utm_source=email.
Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-build/attachments/20190912/74220746/attachment.html>