[ovs-dev] [PATCH ovn] ovn-northd: Don't add arp responder flows for lports with 'unknown' address.

Han Zhou zhouhan at gmail.com
Thu Mar 19 16:20:54 UTC 2020


On Thu, Mar 19, 2020 at 5:27 AM <numans at ovn.org> wrote:
>
> From: Numan Siddique <numans at ovn.org>
>
> If a logical port has the 'unknown' address, it can send and receive
> packets with any IP and MAC, and port security is generally not set for
> such logical ports. If an lport has addresses set to ["MAC1 IP1", unknown],
> we currently add ARP responder flows for IP1 and answer with MAC1 in the ARP
> response. But the VIF of the logical port may use IP1 with a different MAC.
> This patch supports this use case: when another logical port sends an ARP
> request for IP1, the VIF of the logical port will respond anyway.
>
> Reported-by: Maciej Józefczyk <mjozefcz at redhat.com>
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---
>  northd/ovn-northd.8.xml |  5 +++--
>  northd/ovn-northd.c     | 13 ++++++++-----
>  tests/ovn.at            | 16 ++++++++++++----
>  3 files changed, 23 insertions(+), 11 deletions(-)
>
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index 9b44720d1..7d03cbc83 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -699,8 +699,9 @@ output;
>
>          <p>
>            These flows are omitted for logical ports (other than router
ports or
> -          <code>localport</code> ports) that are down and for logical
ports of
> -          type <code>virtual</code>.
> +          <code>localport</code> ports) that are down, for logical ports
of
> +          type <code>virtual</code> and for logical ports with 'unknown'
> +          address set.
>          </p>
>        </li>
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index 4f94680b5..f648d2ea7 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -1152,7 +1152,7 @@ struct ovn_port {
>
>      bool derived; /* Indicates whether this is an additional port
>                     * derived from nbsp or nbrp. */
> -
> +    bool has_unknown; /* If the addresses have 'unknown' defined. */
>      /* The port's peer:
>       *
>       *     - A switch port S of type "router" has a router port R as a
peer,
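Review bot: The new `has_unknown` member replaces the blank line that separated `derived` from the peer comment block, so the field now sits directly against an unrelated multi-line comment. Keep a blank line after it, and make the comment say where the value comes from, e.g. `bool has_unknown; /* True if nbsp->addresses contains "unknown". */`. The struct definition starts and ends outside the hunk.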
> @@ -2059,8 +2059,11 @@ join_logical_ports(struct northd_context *ctx,
>                  op->lsp_addrs
>                      = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
>                  for (size_t j = 0; j < nbsp->n_addresses; j++) {
> -                    if (!strcmp(nbsp->addresses[j], "unknown")
> -                        || !strcmp(nbsp->addresses[j], "router")) {
> +                    if (!strcmp(nbsp->addresses[j], "unknown")) {
> +                        op->has_unknown = true;
> +                        continue;
> +                    }
> +                    if (!strcmp(nbsp->addresses[j], "router")) {
>                          continue;
>                      }
>                      if (is_dynamic_lsp_address(nbsp->addresses[j])) {
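Review bot: `op->has_unknown` is only ever assigned `true` in this loop, and nothing in the hunk sets it to `false`. The flag is therefore correct only if `op` is zero-allocated where it is created, which is outside the hunk. If that is not guaranteed, add `op->has_unknown = false;` next to the `xmalloc` of `op->lsp_addrs` so that a stale flag cannot suppress responder flows for a port whose addresses no longer include "unknown". The body of `join_logical_ports` continues outside the hunk.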
> @@ -6127,7 +6130,7 @@ build_lswitch_flows(struct hmap *datapaths, struct
hmap *ports,
>          } else {
>              /*
>               * Add ARP/ND reply flows if either the
> -             *  - port is up or
> +             *  - port is up and it doesn't have 'unknown' address
defined or
>               *  - port type is router or
>               *  - port type is localport
>               */
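Review bot: The reworded comment ties the 'unknown' exclusion only to the "port is up" bullet, but the check added in the following hunk, `lsp_is_external(op->nbsp) || op->has_unknown`, skips every port with 'unknown', including the router and localport types listed in the other two bullets. Keep the three bullets as they were and add a separate sentence after them, e.g. `* Ports that are external or have an 'unknown' address never get these flows.`, so the comment matches the control flow. The enclosing `else` branch starts and ends outside the hunk.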
> @@ -6136,7 +6139,7 @@ build_lswitch_flows(struct hmap *datapaths, struct
hmap *ports,
>                  continue;
>              }
>
> -            if (lsp_is_external(op->nbsp)) {
> +            if (lsp_is_external(op->nbsp) || op->has_unknown) {
>                  continue;
>              }
>
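Review bot: With `|| op->has_unknown` added here, OVN no longer answers for IP1 with the configured MAC1, so the IP-to-MAC binding that peers learn is whatever the VIF itself replies. The commit message notes that port security is generally not set on such ports, which makes this a change in what the logical switch vouches for, and it deserves a why-comment at the check, e.g. `/* Ports with 'unknown' answer ARP/ND themselves; the configured MAC is not authoritative. */`. The comment above the block says "ARP/ND reply flows", so if the ND responder flows are emitted later in this branch (outside the hunk) they are presumably skipped too. The commit title mentions only ARP, so confirm that the IPv6 behaviour is intended and documented.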
> diff --git a/tests/ovn.at b/tests/ovn.at
> index 8cdbad743..1b6073ff0 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -1758,11 +1758,13 @@ for is in 1 2 3; do
>                  sip=`ip_to_hex 192 168 0 $is$js`
>                  tip=`ip_to_hex 192 168 0 $id$jd`
>                  tip_unknown=`ip_to_hex 11 11 11 11`
> +                reply_ha=;
>                  if test $d != $s; then
> -                    reply_ha=f000000000$d
> -                else
> -                    reply_ha=
> +                    if test $jd != 1; then
> +                        reply_ha=f000000000$d
> +                    fi
>                  fi
> +
>                  test_arp $s f000000000$s $sip $tip $reply_ha
  #9
>                  test_arp $s f000000000$s $sip $tip_unknown
  #10
>
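Review bot: The new inner conditions `test $jd != 1` here and `test $d != 1` in the `@@ -2199` hunk hard-code which ports carry 'unknown' without saying so, so a reader has to find the port setup elsewhere in the file (not visible in these hunks) to see why no reply is expected. Add a one-line comment above each, e.g. `# Ports with index 1 also have "unknown" set, so OVN must not send an ARP reply for them.`, after confirming that against the setup. The two nested `if` statements could be the single line `if test $d != $s && test $jd != 1; then`, and the trailing semicolon in `reply_ha=;` is unnecessary. Both loops start and end outside the hunks.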
> @@ -2199,7 +2201,13 @@ for s in 1 2 3; do
>          sip=192.168.0.$s
>          tip=192.168.0.$d
>          tip_unknown=11.11.11.11
> -        if test $d != $s; then reply_ha=f0:00:00:00:00:0$d; else
reply_ha=; fi
> +        reply_ha=;
> +        if test $d != $s; then
> +            if test $d != 1; then
> +                reply_ha=f0:00:00:00:00:0$d;
> +            fi
> +        fi
> +
>          test_arp $s f0:00:00:00:00:0$s $sip $tip $reply_ha
  #9
>          test_arp $s f0:00:00:00:00:0$s $sip $tip_unknown
  #10
>
> --
> 2.24.1
>

Acked-by: Han Zhou <hzhou at ovn.org>

