[ovs-dev] [PATCH ovn] northd: Bypass IPv6 Router Adv and Router Solicitation packets from ACL stages.

Mark Michelson mmichels at redhat.com
Thu Jun 11 14:43:14 UTC 2020


Hi Numan,

I was a bit surprised to find that "nd" did not cover "nd_rs" and 
"nd_ra" packets already. Is there a reason not to expand the scope of 
"nd" to cover ICMP6 types 133 and 134?

On 6/11/20 9:14 AM, numans at ovn.org wrote:
> From: Numan Siddique <numans at ovn.org>
> 
> We already add the logical flows below to bypass IPv6 Neighbor discovery packets
> from the in/out ACL stage.
> 
> table=6 (ls_in_acl          ), priority=65535, match=(nd), action=(next;)
> table=4 (ls_out_acl         ), priority=65535, match=(nd), action=(next;)
> 
> This patch also adds nd_rs and nd_ra to these logical flows. Without these,
> the IPv6 Router Adv packets generated by ovn-controller are dropped if the
> CMS has configured ACLs.
> 
> Reported-by: Jakub Libosvar <jlibosva at redhat.com>
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---
>   northd/ovn-northd.8.xml | 6 ++++++
>   northd/ovn-northd.c     | 6 ++++--
>   2 files changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index 7281eeecc..a7639f33a 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -467,6 +467,12 @@
>           ACL re-allow this connection.
>         </li>
>   
> +      <li>
> +        A priority-65535 flow that allows IPv6 Neighbor solicitation,
> +        Neighbor discover, Router solicitation and Router advertisement
> +        packets.
> +      </li>
> +
>         <li>
>           A priority 34000 logical flow is added for each logical switch datapath
>           with the match <code>eth.dst = <var>E</var></code> to allow the service
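Review bot: the new ovn-northd.8.xml bullet lists "Neighbor discover" as one of the packet types, which is not a message type; the `nd` symbol matches Neighbor Solicitation and Neighbor Advertisement, so the list should read "Neighbor solicitation, Neighbor advertisement, Router solicitation and Router advertisement". It would also help readers who are debugging an ACL to state that the flow is added to both the ingress and egress ACL tables and to quote the actual match, `nd || nd_ra || nd_rs`, so the entry can be found in the logical-flow dump.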
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index 0fc62bf91..b8c9e9325 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -5389,8 +5389,10 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
>           /* Ingress and Egress ACL Table (Priority 65535).
>            *
>            * Not to do conntrack on ND packets. */
> -        ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "nd", "next;");
> -        ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "nd", "next;");
> +        ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
> +                      "nd || nd_ra || nd_rs", "next;");
> +        ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
> +                      "nd || nd_ra || nd_rs", "next;");
>       }
>   
>       /* Ingress or Egress ACL Table (Various priorities). */
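Review bot: the comment above the two ovn_lflow_add() calls still reads "Not to do conntrack on ND packets", but the match now also covers Router Solicitation and Router Advertisement, and the effect is to skip the whole ACL stage rather than only conntrack; update it along the lines of "Skip conntrack and ACLs for ND, RS and RA packets." Also worth a sentence in the commit message: at priority UINT16_MAX with action `next;`, the widened match means every RA and RS on the switch bypasses all CMS ACLs in both directions, so a CMS can no longer use an ACL to drop Router Advertisements sent from a tenant logical port. The stated goal is only that RAs generated by ovn-controller get through; if that is the intended scope, consider whether the `nd_ra` bypass can be limited (for example to the egress table, or to the router port's source address) and document the choice either way.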
> 
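To make concrete what the old and new priority-65535 matches cover, here is an added example (mine, not OVN code) that evaluates the `nd`, `nd_rs` and `nd_ra` symbols against raw IPv6 packets. The predicate definitions (ICMPv6 type and code checks plus `ip.ttl == 255`) are my reading of the ovn-sb(5) symbol table and are an assumption to verify against lib/logical-fields.c for your version; the packets are constructed in the script. It shows that an RA or RS never matched `nd` before the patch, that both match after it, and that an RA whose hop limit is no longer 255 (one that crossed a router) does not take the bypass and still reaches the ACLs.

```python
"""Which IPv6 packets does the ACL-stage bypass cover, before and after the patch?

Added example for this thread; it is not OVN code.  The predicate definitions
below (nd, nd_rs, nd_ra as ICMPv6 type/code checks plus hop limit 255) are my
reading of ovn-sb(5), not copied from the project; verify them against
lib/logical-fields.c for your OVN version.
"""
import ipaddress
import struct

IPV6_HEADER_LEN = 40
IPPROTO_ICMPV6 = 58

# ICMPv6 Neighbor Discovery message types (RFC 4861).
ND_RS, ND_RA, ND_NS, ND_NA = 133, 134, 135, 136


def parse_icmp6(pkt):
    """Return (hop_limit, icmp6_type, icmp6_code) for an IPv6/ICMPv6 packet
    with no extension headers, or None if the packet is anything else."""
    if len(pkt) < IPV6_HEADER_LEN + 4 or pkt[0] >> 4 != 6:
        return None
    next_header, hop_limit = pkt[6], pkt[7]
    if next_header != IPPROTO_ICMPV6:
        return None
    return hop_limit, pkt[40], pkt[41]


def _nd_family(types):
    """Assumed OVN semantics: ICMPv6 type in `types`, code 0, ip.ttl == 255."""
    def predicate(pkt):
        parsed = parse_icmp6(pkt)
        if parsed is None:
            return False
        hop_limit, icmp6_type, icmp6_code = parsed
        return icmp6_type in types and icmp6_code == 0 and hop_limit == 255
    return predicate


# OVN logical-flow match symbols, as assumed above.
MATCH = {
    "nd":    _nd_family({ND_NS, ND_NA}),   # Neighbor Solicitation/Advertisement
    "nd_rs": _nd_family({ND_RS}),          # Router Solicitation
    "nd_ra": _nd_family({ND_RA}),          # Router Advertisement
}


def bypasses_acl(pkt, match_expr):
    """Evaluate a disjunction of symbols such as "nd || nd_ra || nd_rs"."""
    return any(MATCH[sym.strip()](pkt) for sym in match_expr.split("||"))


BEFORE = "nd"                    # priority-65535 match before the patch
AFTER = "nd || nd_ra || nd_rs"   # priority-65535 match after the patch


def build_icmp6(icmp6_type, hop_limit=255, code=0, next_header=IPPROTO_ICMPV6):
    """Constructed test packet: IPv6 header + 8-byte ICMPv6 body.  The ICMPv6
    checksum is left zero; the flows match on type/code/hop limit only."""
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    body = struct.pack("!BBH", icmp6_type, code, 0) + b"\x00" * 4
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(body), next_header,
                      hop_limit, src, dst)
    return hdr + body


def classify(pkt):
    """(matched before the patch, matched after the patch) for one packet."""
    return bypasses_acl(pkt, BEFORE), bypasses_acl(pkt, AFTER)


if __name__ == "__main__":
    cases = {
        "RA, hop limit 255": build_icmp6(ND_RA),
        "RS, hop limit 255": build_icmp6(ND_RS),
        "NS, hop limit 255": build_icmp6(ND_NS),
        "RA, hop limit 64 (crossed a router)": build_icmp6(ND_RA, hop_limit=64),
        "RA, code 1 (malformed)": build_icmp6(ND_RA, code=1),
        "TCP over IPv6 (next header 6)": build_icmp6(0, next_header=6),
    }
    for name, pkt in cases.items():
        before, after = classify(pkt)
        print(f"{name:38s} before={before!s:5s} after={after}")
```

The hop-limit check is what keeps the bypass from being a general hole: RFC 4861 requires ND messages to be sent with hop limit 255 and received with hop limit 255, so a Router Advertisement that was routed from another segment fails the predicate and is still subject to the CMS ACLs. Packets that do match skip the ACL stage in both directions at the highest priority, which is the point the reviewer notes above raise.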