[ovs-dev] [PATCH ovn] Disable ARP/NA responders for vlan-passthru switches

Numan Siddique numans at ovn.org
Tue Jun 22 13:23:21 UTC 2021


On Tue, Jun 15, 2021 at 8:40 PM Ihar Hrachyshka <ihrachys at redhat.com> wrote:
>
> When vlan-passthru is on, VIFs may attach different VLAN tags. In this
> case, VIFs are not guaranteed to belong to the same L2 broadcast domain.
> Because of that, we don't know if a peer port on the switch has the same
> tag used and should not allow the local responder to generate neighbour
> traffic. Instead, pass ARP and ND requests to the peer port owner and
> allow it to reply, if needed.
>
> Signed-off-by: Ihar Hrachyshka <ihrachys at redhat.com>

Thanks.  I applied this patch to the main branch.

Documentation was missing in ovn-nb.xml fo this change.  I added that and a few
below additions to the test case before pusing.

-------
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 4074646029..21ae0ca603 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -1072,8 +1072,10 @@ output;
           <code>localport</code> ports) that are down (unless <code>
           ignore_lsp_down</code> is configured as true in <code>options</code>
           column of <code>NB_Global</code> table of the <code>Northbound</code>
-          database), for logical ports of type <code>virtual</code> and for
-          logical ports with 'unknown' address set.
+          database), for logical ports of type <code>virtual</code>, for
+          logical ports with 'unknown' address set and for logical ports of
+          a logical switch configured with
+          <code>other_config:vlan-passthru=true</code>.
         </p>
       </li>

diff --git a/tests/ovn.at b/tests/ovn.at
index c182fe5f9c..773b94a830 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -3193,9 +3193,17 @@ for i in 1 2; do
                                   options:tx_pcap=vif$i-tx.pcap \
                                   options:rxq_pcap=vif$i-rx.pcap \
                                   ofport-request=$i
-    OVS_WAIT_UNTIL([test x`ovn-nbctl lsp-get-up lsp$i` = xup])
 done

+wait_for_ports_up
+
+ovn-sbctl dump-flows ls > lsflows
+AT_CAPTURE_FILE([lsflows])
+
+AT_CHECK([grep -w "ls_in_arp_rsp" lsflows | sort], [0], [dnl
+  table=16(ls_in_arp_rsp      ), priority=0    , match=(1), action=(next;)
+])
+
 test_arp() {
     local inport=$1 outport=$2 sha=$3 spa=$4 tpa=$5 reply_ha=$6
     tag=8100fefe
@@ -3239,9 +3247,17 @@ for i in 1 2; do
                                   options:tx_pcap=vif$i-tx.pcap \
                                   options:rxq_pcap=vif$i-rx.pcap \
                                   ofport-request=$i
-    OVS_WAIT_UNTIL([test x`ovn-nbctl lsp-get-up lsp$i` = xup])
 done

+wait_for_ports_up
+
+ovn-sbctl dump-flows ls > lsflows
+AT_CAPTURE_FILE([lsflows])
+
+AT_CHECK([grep -w "ls_in_arp_rsp" lsflows | sort], [0], [dnl
+  table=16(ls_in_arp_rsp      ), priority=0    , match=(1), action=(next;)
+])
+
 test_nd_na() {
     local inport=$1 outport=$2 sha=$3 spa=$4 tpa=$5 reply_ha=$6
     tag=8100fefe

------

Thanks
Numan

> ---
>  northd/ovn-northd.c  |  4 ++
>  northd/ovn_northd.dl |  6 ++-
>  tests/ovn.at         | 96 ++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 104 insertions(+), 2 deletions(-)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index d872f6a3c..08673cc06 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -7018,6 +7018,10 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
>                  return;
>              }
>
> +            if (is_vlan_transparent(op->od)) {
> +                return;
> +            }
> +
>              for (size_t i = 0; i < op->n_lsp_addrs; i++) {
>                  for (size_t j = 0; j < op->lsp_addrs[i].n_ipv4_addrs; j++) {
>                      ds_clear(match);
> diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl
> index 3afa80a3b..a09aea6ee 100644
> --- a/northd/ovn_northd.dl
> +++ b/northd/ovn_northd.dl
> @@ -3309,7 +3309,8 @@ for (CheckLspIsUp[check_lsp_is_up]) {
>              ((lsp_is_up(lsp) or not check_lsp_is_up)
>               or lsp.__type == "router" or lsp.__type == "localport") and
>              lsp.__type != "external" and lsp.__type != "virtual" and
> -            not lsp.addresses.contains("unknown"))
> +            not lsp.addresses.contains("unknown") and
> +            not sw.is_vlan_transparent)
>      {
>          var __match = "arp.tpa == ${addr.addr} && arp.op == 1" in
>          {
> @@ -3359,7 +3360,8 @@ for (SwitchPortIPv6Address(.port = &SwitchPort{.lsp = lsp, .json_name = json_nam
>                             .ea = ea, .addr = addr)
>       if lsp.is_enabled() and
>          (lsp_is_up(lsp) or lsp.__type == "router" or lsp.__type == "localport") and
> -        lsp.__type != "external" and lsp.__type != "virtual")
> +        lsp.__type != "external" and lsp.__type != "virtual" and
> +        not sw.is_vlan_transparent)
>  {
>      var __match = "nd_ns && ip6.dst == {${addr.addr}, ${addr.solicited_node()}} && nd.target == ${addr.addr}" in
>      var actions = "${if (lsp.__type == \"router\") \"nd_na_router\" else \"nd_na\"} { "
> diff --git a/tests/ovn.at b/tests/ovn.at
> index f26894ce4..37e5fd9af 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -3169,6 +3169,102 @@ OVN_CLEANUP([hv-1],[hv-2])
>  AT_CLEANUP
>  ])
>
> +OVN_FOR_EACH_NORTHD([
> +AT_SETUP([ovn -- VLAN transparency, passthru=true, ARP responder disabled])
> +ovn_start
> +
> +net_add net
> +check ovs-vsctl add-br br-phys
> +ovn_attach net br-phys 192.168.0.1
> +
> +check ovn-nbctl ls-add ls
> +check ovn-nbctl --wait=sb add Logical-Switch ls other_config vlan-passthru=true
> +
> +for i in 1 2; do
> +    check ovn-nbctl lsp-add ls lsp$i
> +    check ovn-nbctl lsp-set-addresses lsp$i "f0:00:00:00:00:0$i 10.0.0.$i"
> +done
> +
> +for i in 1 2; do
> +    check ovs-vsctl add-port br-int vif$i -- set Interface vif$i external-ids:iface-id=lsp$i \
> +                                  options:tx_pcap=vif$i-tx.pcap \
> +                                  options:rxq_pcap=vif$i-rx.pcap \
> +                                  ofport-request=$i
> +    OVS_WAIT_UNTIL([test x`ovn-nbctl lsp-get-up lsp$i` = xup])
> +done
> +
> +test_arp() {
> +    local inport=$1 outport=$2 sha=$3 spa=$4 tpa=$5 reply_ha=$6
> +    tag=8100fefe
> +    local request=ffffffffffff${sha}${tag}08060001080006040001${sha}${spa}ffffffffffff${tpa}
> +    ovs-appctl netdev-dummy/receive vif$inport $request
> +    echo $request >> $outport.expected
> +
> +    local reply=${sha}${reply_ha}${tag}08060001080006040002${reply_ha}${tpa}${sha}${spa}
> +    ovs-appctl netdev-dummy/receive vif$outport $reply
> +    echo $reply >> $inport.expected
> +}
> +
> +test_arp 1 2 f00000000001 0a000001 0a000002 f00000000002
> +test_arp 2 1 f00000000002 0a000002 0a000001 f00000000001
> +
> +for i in 1 2; do
> +    OVN_CHECK_PACKETS([vif$i-tx.pcap], [$i.expected])
> +done
> +
> +AT_CLEANUP
> +])
> +
> +OVN_FOR_EACH_NORTHD([
> +AT_SETUP([ovn -- VLAN transparency, passthru=true, ND/NA responder disabled])
> +ovn_start
> +
> +net_add net
> +check ovs-vsctl add-br br-phys
> +ovn_attach net br-phys 192.168.0.1
> +
> +check ovn-nbctl ls-add ls
> +check ovn-nbctl --wait=sb add Logical-Switch ls other_config vlan-passthru=true
> +
> +for i in 1 2; do
> +    check ovn-nbctl lsp-add ls lsp$i
> +    check ovn-nbctl lsp-set-addresses lsp$i "f0:00:00:00:00:0$i fe00::$i"
> +done
> +
> +for i in 1 2; do
> +    check ovs-vsctl add-port br-int vif$i -- set Interface vif$i external-ids:iface-id=lsp$i \
> +                                  options:tx_pcap=vif$i-tx.pcap \
> +                                  options:rxq_pcap=vif$i-rx.pcap \
> +                                  ofport-request=$i
> +    OVS_WAIT_UNTIL([test x`ovn-nbctl lsp-get-up lsp$i` = xup])
> +done
> +
> +test_nd_na() {
> +    local inport=$1 outport=$2 sha=$3 spa=$4 tpa=$5 reply_ha=$6
> +    tag=8100fefe
> +    icmp_type=87
> +    local request=ffffffffffff${sha}${tag}86dd6000000000183aff${spa}ff0200000000000000000001ff${tpa: -6}${icmp_type}007ea100000000${tpa}
> +    ovs-appctl netdev-dummy/receive vif$inport $request
> +    echo $request >> $outport.expected
> +    echo $request
> +
> +    icmp_type=88
> +    local reply=${sha}${reply_ha}${tag}86dd6000000000183aff${tpa}${spa}${icmp_type}003da540000000${tpa}
> +    ovs-appctl netdev-dummy/receive vif$outport $reply
> +    echo $reply >> $inport.expected
> +    echo $reply
> +}
> +
> +test_nd_na 1 2 f00000000001 fe000000000000000000000000000001 fe000000000000000000000000000002 f00000000002
> +test_nd_na 2 1 f00000000002 fe000000000000000000000000000002 fe000000000000000000000000000001 f00000000001
> +
> +for i in 1 2; do
> +    OVN_CHECK_PACKETS([vif$i-tx.pcap], [$i.expected])
> +done
> +
> +AT_CLEANUP
> +])
> +
>  OVN_FOR_EACH_NORTHD([
>  AT_SETUP([ovn -- VLAN transparency, passthru=true, multiple hosts])
>  ovn_start
> --
> 2.31.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>


More information about the dev mailing list