From d64f501d787571a50eb2e5380947d1d0a3e2ca74 Mon Sep 17 00:00:00 2001
From: Numan Siddique <numans@ovn.org>
Date: Thu, 11 Jun 2020 18:44:41 +0530
Subject: [PATCH] northd: By pass IPv6 Router Adv and Router Solicitation
packets from ACL stages.
We already add below logical flows to by pass IPv6 Neighbor discovery packets
from in/out ACL stage.
table=6 (ls_in_acl ), priority=65535, match=(nd), action=(next;)
table=4 (ls_out_acl ), priority=65535, match=(nd), action=(next;)
This patch also adds nd_rs and nd_ra to these logical flows. Without these
the IPv6 Router Adv packets generated by ovn-controller are dropped if
CMS has configured ACLs.
Reported-by: Jakub Libosvar <jlibosva@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
(cherry-picked from upstream master commit 90e5971018277ab0f383a56f59ffcfe17466a2c6)
Change-Id: I33fcb3032fe946f2b2333a8cf2791af75dceaf44
---
northd/ovn-northd.8.xml | 6 ++++++
northd/ovn-northd.c | 6 ++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index dc56de273..081536ab4 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -439,6 +439,12 @@
ACL re-allow this connection.
+
+ A priority-65535 flow that allows IPv6 Neighbor solicitation,
+ Neighbor discover, Router solicitation and Router advertisement
+ packets.
+
+
A priority 34000 logical flow is added for each logical switch datapath
with the match eth.dst = E to allow the service
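Review bot: the added paragraph lists "Neighbor solicitation, Neighbor discover", but the `nd` match covers Neighbor Solicitation and Neighbor Advertisement, so "Neighbor discover" should read "Neighbor advertisement". Since the flow sits at priority 65535, it would also help to state here that these four packet types are not subject to CMS-configured ACLs, so operators know that ACL rules cannot filter Router Advertisement or Router Solicitation traffic on the switch.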
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index cffe3de17..fc250318f 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -5390,8 +5390,10 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
/* Ingress and Egress ACL Table (Priority 65535).
*
* Not to do conntrack on ND packets. */
- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "nd", "next;");
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "nd", "next;");
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
+ "nd || nd_ra || nd_rs", "next;");
+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
+ "nd || nd_ra || nd_rs", "next;");
}
/* Ingress or Egress ACL Table (Various priorities). */
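Review bot: the new match "nd || nd_ra || nd_rs" at priority UINT16_MAX in both S_SWITCH_IN_ACL and S_SWITCH_OUT_ACL lets every Router Advertisement and Router Solicitation skip the ACL stages, not only the RAs generated by ovn-controller that the commit message is concerned with. With this flow in place a CMS ACL can no longer drop RAs sent from a workload port, so either narrow the match if a narrower one is available or state the trade-off in the commit message and documentation. The unchanged comment above still reads "Not to do conntrack on ND packets." and should mention RA and RS, and the diffstat shows no test covering the case of ACLs configured together with router advertisements.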
--
2.26.2