[ovs-dev] [PATCH v2 3/3] OVN: add protocol unreachable support to OVN router ports

Mon Jun 18 11:56:00 UTC 2018

Add priority-70 flows to generate ICMP protocol unreachable messages
in reply to packets directed to the router's IP address on IP protocols
other than UDP, TCP, and ICMP

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
---
 ovn/northd/ovn-northd.8.xml |  4 ----
 ovn/northd/ovn-northd.c     | 14 ++++++++++++++
 tests/ovn.at                |  1 +
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index 18a481b3d..cfd35115e 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -1342,10 +1342,6 @@ nd_na {
         <p>
           These flows should not match IP fragments with nonzero offset.
         </p>
-
-        <p>
-          Details TBD.  Not yet implemented.
-        </p>
       </li>
 
       <li>
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 27d7aab06..7777b83f5 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -5175,6 +5175,20 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
                         "next; };";
             ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80,
                           ds_cstr(&match), action);
+
+            ds_clear(&match);
+            ds_put_format(&match,
+                          "ip4 && ip4.dst == %s && !ip.later_frag",
+                          op->lrp_networks.ipv4_addrs[i].addr_s);
+            action = "icmp4 {"
+                        "eth.dst <-> eth.src; "
+                        "ip4.dst <-> ip4.src; "
+                        "ip.ttl = 255; "
+                        "icmp4.type = 3; "
+                        "icmp4.code = 2; "
+                        "next; };";
+            ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 70,
+                          ds_cstr(&match), action);
         }
 
         ds_clear(&match);
diff --git a/tests/ovn.at b/tests/ovn.at
index 4648a303c..6553d17c6 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -10444,6 +10444,7 @@ OVN_POPULATE_ARP
 ovn-nbctl --wait=hv sync
 
 test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) $(ip_to_hex 192 168 1 254) 11 0000 7dae fcfc 0303
+test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1) $(ip_to_hex 192 168 1 254) 84 0000 7dae fcfd 0302
 OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])
 
 test_tcp_syn_packet 2 2 000000000002 00000000ff02 $(ip_to_hex 192 168 2 1) $(ip_to_hex 192 168 2 254) 0000 8b40 3039 0000 7bae 4486
-- 
2.17.1

