|
 |
bbaaef |
From d6d98d46254435b0ce0507d694f37b401bd91b30 Mon Sep 17 00:00:00 2001
|
|
|
bbaaef |
From: Numan Siddique <numans@ovn.org>
|
|
|
bbaaef |
Date: Thu, 11 Jun 2020 18:44:41 +0530
|
|
|
bbaaef |
Subject: [PATCH 2/2] northd: By pass IPv6 Router Adv and Router Solicitation
|
|
|
bbaaef |
packets from ACL stages.
|
|
|
bbaaef |
|
|
|
bbaaef |
We already add below logical flows to by pass IPv6 Neighbor discovery packets
|
|
|
bbaaef |
from in/out ACL stage.
|
|
|
bbaaef |
|
|
|
bbaaef |
table=6 (ls_in_acl ), priority=65535, match=(nd), action=(next;)
|
|
|
bbaaef |
table=4 (ls_out_acl ), priority=65535, match=(nd), action=(next;)
|
|
|
bbaaef |
|
|
|
bbaaef |
This patch also adds nd_rs and nd_ra to these logical flows. Without these
|
|
|
bbaaef |
the IPv6 Router Adv packets generated by ovn-controller are dropped if
|
|
|
bbaaef |
CMS has configured ACLs.
|
|
|
bbaaef |
|
|
|
bbaaef |
Reported-by: Jakub Libosvar <jlibosva@redhat.com>
|
|
|
bbaaef |
Signed-off-by: Numan Siddique <numans@ovn.org>
|
|
|
bbaaef |
Acked-by: Mark Michelson <mmichels@redhat.com>
|
|
|
bbaaef |
|
|
|
bbaaef |
(cherry-picked from upstream master commit 90e5971018277ab0f383a56f59ffcfe17466a2c6)
|
|
|
bbaaef |
|
|
|
bbaaef |
Change-Id: I33fcb3032fe946f2b2333a8cf2791af75dceaf44
|
|
|
bbaaef |
---
|
|
|
bbaaef |
ovn/northd/ovn-northd.8.xml | 6 ++++++
|
|
|
bbaaef |
ovn/northd/ovn-northd.c | 6 ++++--
|
|
|
bbaaef |
2 files changed, 10 insertions(+), 2 deletions(-)
|
|
|
bbaaef |
|
|
|
bbaaef |
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
index 95b826944..3fb811bf6 100644
|
|
|
bbaaef |
--- a/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
+++ b/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
@@ -421,6 +421,12 @@
|
|
|
bbaaef |
ACL re-allow this connection.
|
|
|
bbaaef |
|
|
|
bbaaef |
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ A priority-65535 flow that allows IPv6 Neighbor solicitation,
|
|
|
bbaaef |
+ Neighbor discover, Router solicitation and Router advertisement
|
|
|
bbaaef |
+ packets.
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+
|
|
|
bbaaef |
|
|
|
bbaaef |
A priority 34000 logical flow is added for each logical switch datapath
|
|
|
bbaaef |
with the match eth.dst = E to allow the service
|
|
|
bbaaef |
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
index b3561f986..ab5c291c7 100644
|
|
|
bbaaef |
--- a/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
+++ b/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
@@ -5217,8 +5217,10 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
|
|
|
bbaaef |
/* Ingress and Egress ACL Table (Priority 65535).
|
|
|
bbaaef |
*
|
|
|
bbaaef |
* Not to do conntrack on ND packets. */
|
|
|
bbaaef |
- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "nd", "next;");
|
|
|
bbaaef |
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "nd", "next;");
|
|
|
bbaaef |
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
|
|
|
bbaaef |
+ "nd || nd_ra || nd_rs", "next;");
|
|
|
bbaaef |
+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
|
|
|
bbaaef |
+ "nd || nd_ra || nd_rs", "next;");
|
|
|
bbaaef |
}
|
|
|
bbaaef |
|
|
|
bbaaef |
/* Ingress or Egress ACL Table (Various priorities). */
|
|
|
bbaaef |
--
|
|
|
bbaaef |
2.26.2
|
|
|
bbaaef |
|