From 036599bdfa4c10d69c1bcae407fb75ea841fa834 Mon Sep 17 00:00:00 2001

From: Numan Siddique <nusiddiq@redhat.com>

Date: Thu, 5 Sep 2019 00:15:38 +0530

Subject: [PATCH 3/4] Learn the mac binding only if required

OVN has the actions - put_arp and put_nd to learn the mac bindings from the

ARP/ND packets. These actions update the Southbound MAC_Binding table.

These actions translates to controller actions. Whenever pinctrl thread

receives such packets, it wakes up the main ovn-controller thread.

If the MAC_Binding table is already upto date, this results

in unnecessary CPU cyles. There are some security implications as well.

A rogue VM can flood broadcast ARP request/reply packets and this

could cause DoS issues. A physical switch may send periodic GARPs

and these packets hit ovn-controllers.

This patch solves these problems by learning the mac bindings only if

required. There is no need to apply the put_arp/put_nd action if the

Southbound MAC_Binding row is upto date.

New actions - lookup_arp and lookup_nd are added which looks up the

IP, MAC pair in the mac_binding table and stores the result in a

register. 1 if lookup is successful, 0 otherwise.

ovn-northd adds 2 new stages - LOOKUP_NEIGHBOR and LEARN_NEIGHBOR before

IP_INPUT in the router ingress pipeline.c. The LOOKUP_NEIGHBOR stage

adds flows to do the lookup in the mac_binding table and the LEARN_NEIGHBOR

adds flows to learn the neighbors only if require.

The lflow module of ovn-controller adds OF flows in table 67 (OFTABLE_MAC_LOOKUP)

for each mac_binding entry with the match reg0 = ip && eth.src = mac with

the action - load:1->reg10[6]

Eg:

table=31, priority=100,arp,reg0=0xaca8006f,reg14=0x3,metadata=0x3,dl_src=00:44:00:00:00:04

          actions=load:1->NXM_NX_REG10[6]

This patch should also address the issue reported in 'Reported-at'

Reported-at: https://bugzilla.redhat.com/1729846

Reported-by: Haidong Li <haili@redhat.com>

CC: Han ZHou <hzhou8@ebay.com>

CC: Dumitru Ceara <dceara@redhat.com>

Acked-by: Han ZHou <hzhou8@ebay.com>

Tested-by: Dumitru Ceara <dceara@redhat.com>

Signed-off-by: Numan Siddique <nusiddiq@redhat.com>

---

 include/ovn/actions.h        |  13 ++

 include/ovn/logical-fields.h |   4 +

 ovn/controller/lflow.c       |  37 ++++-

 ovn/controller/lflow.h       |   1 +

 ovn/lib/actions.c            | 114 ++++++++++++++

 ovn/northd/ovn-northd.8.xml  | 212 ++++++++++++++++---------

 ovn/northd/ovn-northd.c      | 205 ++++++++++++++-----------

 ovn/ovn-architecture.7.xml   |  18 +++

 ovn/ovn-sb.xml               |  57 +++++++

 ovn/utilities/ovn-trace.c    |  69 +++++++++

 tests/ovn.at                 | 290 ++++++++++++++++++++++++++++++++++-

 tests/test-ovn.c             |   1 +

 12 files changed, 844 insertions(+), 177 deletions(-)

diff --git a/include/ovn/actions.h b/include/ovn/actions.h

index 145f27f25..4e2f4d28d 100644

--- a/include/ovn/actions.h

+++ b/include/ovn/actions.h

@@ -73,8 +73,10 @@ struct ovn_extend_table;

     OVNACT(ND_NA_ROUTER,      ovnact_nest)            \

     OVNACT(GET_ARP,           ovnact_get_mac_bind)    \

     OVNACT(PUT_ARP,           ovnact_put_mac_bind)    \

+    OVNACT(LOOKUP_ARP,        ovnact_lookup_mac_bind) \

     OVNACT(GET_ND,            ovnact_get_mac_bind)    \

     OVNACT(PUT_ND,            ovnact_put_mac_bind)    \

+    OVNACT(LOOKUP_ND,         ovnact_lookup_mac_bind) \

     OVNACT(PUT_DHCPV4_OPTS,   ovnact_put_opts)        \

     OVNACT(PUT_DHCPV6_OPTS,   ovnact_put_opts)        \

     OVNACT(SET_QUEUE,         ovnact_set_queue)       \

@@ -266,6 +268,15 @@ struct ovnact_put_mac_bind {

     struct expr_field mac;      /* 48-bit Ethernet address. */

 };

+/* OVNACT_LOOKUP_ARP, OVNACT_LOOKUP_ND. */

+struct ovnact_lookup_mac_bind {

+    struct ovnact ovnact;

+    struct expr_field dst;      /* 1-bit destination field. */

+    struct expr_field port;     /* Logical port name. */

+    struct expr_field ip;       /* 32-bit or 128-bit IP address. */

+    struct expr_field mac;      /* 48-bit Ethernet address. */

+};

+

 struct ovnact_gen_option {

     const struct gen_opts_map *option;

     struct expr_constant_set value;

@@ -628,6 +639,8 @@ struct ovnact_encode_params {

     uint8_t output_ptable;      /* OpenFlow table for 'output' to resubmit. */

     uint8_t mac_bind_ptable;    /* OpenFlow table for 'get_arp'/'get_nd' to

                                    resubmit. */

+    uint8_t mac_lookup_ptable;  /* OpenFlow table for

+                                   'lookup_arp'/'lookup_nd' to resubmit. */

 };

 void ovnacts_encode(const struct ovnact[], size_t ovnacts_len,

diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h

index 9bac8e027..9b7c34fb7 100644

--- a/include/ovn/logical-fields.h

+++ b/include/ovn/logical-fields.h

@@ -56,6 +56,7 @@ enum mff_log_flags_bits {

     MLF_FORCE_SNAT_FOR_LB_BIT = 3,

     MLF_LOCAL_ONLY_BIT = 4,

     MLF_NESTED_CONTAINER_BIT = 5,

+    MLF_LOOKUP_MAC_BIT = 6,

 };

 /* MFF_LOG_FLAGS_REG flag assignments */

@@ -84,6 +85,9 @@ enum mff_log_flags {

     /* Indicate that a packet was received from a nested container. */

     MLF_NESTED_CONTAINER = (1 << MLF_NESTED_CONTAINER_BIT),

+

+    /* Indicate that the lookup in the mac binding table was successful. */

+    MLF_LOOKUP_MAC = (1 << MLF_LOOKUP_MAC_BIT),

 };

 /* OVN logical fields

diff --git a/ovn/controller/lflow.c b/ovn/controller/lflow.c

index 1aafafb33..733564fd1 100644

--- a/ovn/controller/lflow.c

+++ b/ovn/controller/lflow.c

@@ -687,6 +687,7 @@ consider_logical_flow(

         .egress_ptable = OFTABLE_LOG_EGRESS_PIPELINE,

         .output_ptable = output_ptable,

         .mac_bind_ptable = OFTABLE_MAC_BINDING,

+        .mac_lookup_ptable = OFTABLE_MAC_LOOKUP,

     };

     ovnacts_encode(ovnacts.data, ovnacts.size, &ep, &ofpacts);

     ovnacts_free(ovnacts.data, ovnacts.size);

@@ -777,7 +778,9 @@ consider_neighbor_flow(struct ovsdb_idl_index *sbrec_port_binding_by_name,

         return;

     }

-    struct match match = MATCH_CATCHALL_INITIALIZER;

+    struct match get_arp_match = MATCH_CATCHALL_INITIALIZER;

+    struct match lookup_arp_match = MATCH_CATCHALL_INITIALIZER;

+

     if (strchr(b->ip, '.')) {

         ovs_be32 ip;

         if (!ip_parse(b->ip, &ip)) {

@@ -785,7 +788,9 @@ consider_neighbor_flow(struct ovsdb_idl_index *sbrec_port_binding_by_name,

             VLOG_WARN_RL(&rl, "bad 'ip' %s", b->ip);

             return;

         }

-        match_set_reg(&match, 0, ntohl(ip));

+        match_set_reg(&get_arp_match, 0, ntohl(ip));

+        match_set_reg(&lookup_arp_match, 0, ntohl(ip));

+        match_set_dl_type(&lookup_arp_match, htons(ETH_TYPE_ARP));

     } else {

         struct in6_addr ip6;

         if (!ipv6_parse(b->ip, &ip6)) {

@@ -795,17 +800,35 @@ consider_neighbor_flow(struct ovsdb_idl_index *sbrec_port_binding_by_name,

         }

         ovs_be128 value;

         memcpy(&value, &ip6, sizeof(value));

-        match_set_xxreg(&match, 0, ntoh128(value));

+        match_set_xxreg(&get_arp_match, 0, ntoh128(value));

+

+        match_set_xxreg(&lookup_arp_match, 0, ntoh128(value));

+        match_set_dl_type(&lookup_arp_match, htons(ETH_TYPE_IPV6));

+        match_set_nw_proto(&lookup_arp_match, 58);

+        match_set_icmp_code(&lookup_arp_match, 0);

     }

-    match_set_metadata(&match, htonll(pb->datapath->tunnel_key));

-    match_set_reg(&match, MFF_LOG_OUTPORT - MFF_REG0, pb->tunnel_key);

+    match_set_metadata(&get_arp_match, htonll(pb->datapath->tunnel_key));

+    match_set_reg(&get_arp_match, MFF_LOG_OUTPORT - MFF_REG0, pb->tunnel_key);

+

+    match_set_metadata(&lookup_arp_match, htonll(pb->datapath->tunnel_key));

+    match_set_reg(&lookup_arp_match, MFF_LOG_INPORT - MFF_REG0,

+                  pb->tunnel_key);

     uint64_t stub[1024 / 8];

     struct ofpbuf ofpacts = OFPBUF_STUB_INITIALIZER(stub);

     put_load(mac.ea, sizeof mac.ea, MFF_ETH_DST, 0, 48, &ofpacts);

-    ofctrl_add_flow(flow_table, OFTABLE_MAC_BINDING, 100, 0, &match, &ofpacts,

-                    &b->header_.uuid);

+    ofctrl_add_flow(flow_table, OFTABLE_MAC_BINDING, 100, 0, &get_arp_match,

+                    &ofpacts, &b->header_.uuid);

+

+    ofpbuf_clear(&ofpacts);

+    uint8_t value = 1;

+    put_load(&value, sizeof value, MFF_LOG_FLAGS, MLF_LOOKUP_MAC_BIT, 1,

+             &ofpacts);

+    match_set_dl_src(&lookup_arp_match, mac);

+    ofctrl_add_flow(flow_table, OFTABLE_MAC_LOOKUP, 100, 0, &lookup_arp_match,

+                    &ofpacts, &b->header_.uuid);

+

     ofpbuf_uninit(&ofpacts);

 }

diff --git a/ovn/controller/lflow.h b/ovn/controller/lflow.h

index 4e1086eb6..9cb2afb86 100644

--- a/ovn/controller/lflow.h

+++ b/ovn/controller/lflow.h

@@ -65,6 +65,7 @@ struct uuid;

 #define OFTABLE_SAVE_INPORT          64

 #define OFTABLE_LOG_TO_PHY           65

 #define OFTABLE_MAC_BINDING          66

+#define OFTABLE_MAC_LOOKUP           67

 /* The number of tables for the ingress and egress pipelines. */

 #define LOG_PIPELINE_LEN 24

diff --git a/ovn/lib/actions.c b/ovn/lib/actions.c

index 0bb76cb27..45f8715cf 100644

--- a/ovn/lib/actions.c

+++ b/ovn/lib/actions.c

@@ -1607,6 +1607,112 @@ ovnact_put_mac_bind_free(struct ovnact_put_mac_bind *put_mac OVS_UNUSED)

 {

 }

+static void format_lookup_mac(const struct ovnact_lookup_mac_bind *lookup_mac,

+                              struct ds *s, const char *name)

+{

+    expr_field_format(&lookup_mac->dst, s);

+    ds_put_format(s, " = %s(", name);

+    expr_field_format(&lookup_mac->port, s);

+    ds_put_cstr(s, ", ");

+    expr_field_format(&lookup_mac->ip, s);

+    ds_put_cstr(s, ", ");

+    expr_field_format(&lookup_mac->mac, s);

+    ds_put_cstr(s, ");");

+}

+

+static void

+format_LOOKUP_ARP(const struct ovnact_lookup_mac_bind *lookup_mac,

+                         struct ds *s)

+{

+    format_lookup_mac(lookup_mac, s, "lookup_arp");

+}

+

+static void

+format_LOOKUP_ND(const struct ovnact_lookup_mac_bind *lookup_mac,

+                        struct ds *s)

+{

+    format_lookup_mac(lookup_mac, s, "lookup_nd");

+}

+

+static void

+encode_lookup_mac(const struct ovnact_lookup_mac_bind *lookup_mac,

+                  enum mf_field_id ip_field,

+                  const struct ovnact_encode_params *ep,

+                  struct ofpbuf *ofpacts)

+{

+    const struct arg args[] = {

+        { expr_resolve_field(&lookup_mac->port), MFF_LOG_INPORT },

+        { expr_resolve_field(&lookup_mac->ip), ip_field },

+        { expr_resolve_field(&lookup_mac->mac),  MFF_ETH_SRC},

+    };

+

+    encode_setup_args(args, ARRAY_SIZE(args), ofpacts);

+

+    struct mf_subfield dst = expr_resolve_field(&lookup_mac->dst);

+    ovs_assert(dst.field);

+

+    put_load(0, MFF_LOG_FLAGS, MLF_LOOKUP_MAC_BIT, 1, ofpacts);

+    emit_resubmit(ofpacts, ep->mac_lookup_ptable);

+

+    struct ofpact_reg_move *orm = ofpact_put_REG_MOVE(ofpacts);

+    orm->dst = dst;

+    orm->src.field = mf_from_id(MFF_LOG_FLAGS);

+    orm->src.ofs = MLF_LOOKUP_MAC_BIT;

+    orm->src.n_bits = 1;

+

+    encode_restore_args(args, ARRAY_SIZE(args), ofpacts);

+}

+

+static void

+encode_LOOKUP_ARP(const struct ovnact_lookup_mac_bind *lookup_mac,

+                  const struct ovnact_encode_params *ep,

+                  struct ofpbuf *ofpacts)

+{

+    encode_lookup_mac(lookup_mac, MFF_REG0, ep, ofpacts);

+}

+

+static void

+encode_LOOKUP_ND(const struct ovnact_lookup_mac_bind *lookup_mac,

+                        const struct ovnact_encode_params *ep,

+                        struct ofpbuf *ofpacts)

+{

+    encode_lookup_mac(lookup_mac, MFF_XXREG0, ep, ofpacts);

+}

+

+static void

+parse_lookup_mac_bind(struct action_context *ctx,

+                      const struct expr_field *dst,

+                      int width,

+                      struct ovnact_lookup_mac_bind *lookup_mac)

+{

+    /* Validate that the destination is a 1-bit, modifiable field. */

+    char *error = expr_type_check(dst, 1, true);

+    if (error) {

+        lexer_error(ctx->lexer, "%s", error);

+        free(error);

+        return;

+    }

+

+    lexer_get(ctx->lexer); /* Skip lookup_arp/lookup_nd. */

+    lexer_get(ctx->lexer); /* Skip '('. * */

+

+    action_parse_field(ctx, 0, false, &lookup_mac->port);

+    lexer_force_match(ctx->lexer, LEX_T_COMMA);

+    action_parse_field(ctx, width, false, &lookup_mac->ip);

+    lexer_force_match(ctx->lexer, LEX_T_COMMA);

+    action_parse_field(ctx, 48, false, &lookup_mac->mac);

+    lexer_force_match(ctx->lexer, LEX_T_RPAREN);

+    lookup_mac->dst = *dst;

+}

+

+static void

+ovnact_lookup_mac_bind_free(

+    struct ovnact_lookup_mac_bind *lookup_mac OVS_UNUSED)

+{

+

+}

+

+

 static void

 parse_gen_opt(struct action_context *ctx, struct ovnact_gen_option *o,

               const struct hmap *gen_opts, const char *opts_type)

@@ -2722,6 +2828,14 @@ parse_set_action(struct action_context *ctx)

                 && lexer_lookahead(ctx->lexer) == LEX_T_LPAREN) {

             parse_check_pkt_larger(ctx, &lhs,

                                    ovnact_put_CHECK_PKT_LARGER(ctx->ovnacts));

+        } else if (!strcmp(ctx->lexer->token.s, "lookup_arp")

+                && lexer_lookahead(ctx->lexer) == LEX_T_LPAREN) {

+            parse_lookup_mac_bind(ctx, &lhs, 32,

+                                  ovnact_put_LOOKUP_ARP(ctx->ovnacts));

+        } else if (!strcmp(ctx->lexer->token.s, "lookup_nd")

+                && lexer_lookahead(ctx->lexer) == LEX_T_LPAREN) {

+            parse_lookup_mac_bind(ctx, &lhs, 128,

+                                  ovnact_put_LOOKUP_ND(ctx->ovnacts));

         } else {

             parse_assignment_action(ctx, false, &lhs;;

         }

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml

index ec2b6454c..ec9020d2a 100644

--- a/ovn/northd/ovn-northd.8.xml

+++ b/ovn/northd/ovn-northd.8.xml

@@ -1223,7 +1223,126 @@ output;

       Other packets are implicitly dropped.

-    
Ingress Table 1: IP Input

+    
Ingress Table 1: Neighbor lookup

+

+    

+      For ARP and IPv6 Neighbor Discovery packets, this table looks into the

+      <ref db="OVN_Southbound" table="MAC_Binding"/> records to determine

+      if OVN needs to learn the mac bindings. Following flows are added:

+    

+

+    

+      

+        

+          For each router port P that owns IP address A,

+          which belongs to subnet S with prefix length L,

+          a priority-100 flow is added which matches

+          inport == P &&

+          arp.spa == S/L && arp.op == 1

+          (ARP request) with the

+          following actions:

+        

+

+        

+reg9[4] = lookup_arp(inport, arp.spa, arp.sha);

+next;

+        

+

+        

+          If the logical router port P is a distributed gateway

+          router port, additional match

+          is_chassis_resident(cr-P) is added so that

+          the resident gateway chassis handles the neighbor lookup.

+        

+      

+

+      

+        

+          A priority-100 flow which matches on ARP reply packets and applies

+          the actions:

+        

+

+        

+reg9[4] = lookup_arp(inport, arp.spa, arp.sha);

+next;

+        

+      

+

+      

+        

+          A priority-100 flow which matches on IPv6 Neighbor Discovery

+          advertisement packet and applies the actions:

+        

+

+        

+reg9[4] = lookup_nd(inport, nd.target, nd.tll);

+next;

+        

+      

+

+      

+        

+          A priority-100 flow which matches on IPv6 Neighbor Discovery

+          solicitation packet and applies the actions:

+        

+

+        

+reg9[4] = lookup_nd(inport, ip6.src, nd.sll);

+next;

+        

+      

+

+      

+        A priority-0 fallback flow that matches all packets and applies

+        the action reg9[5] = 1; next;

+        advancing the packet to the next table.

+      

+    

+

+    
Ingress Table 2: Neighbor learning

+

+    

+      This table adds flows to learn the mac bindings from the ARP and

+      IPv6 Neighbor Solicitation/Advertisement packets if ARP/ND lookup

+      failed in the previous table.

+    

+

+    

+      reg9[4] will be 1 if the lookup_arp/lookup_nd

+      in the previous table was successful.

+    

+

+    

+      reg9[5] will be 1 if there was no need to do the lookup.

+    

+

+    

+      

+        A priority-100 flow with the match

+        reg9[4] == 1 || reg9[5] == 1 and advances the packet

+        to the next table as there is no need to learn the neighbor.

+      

+

+      

+        A priority-90 flow with the match arp and

+        applies the action

+        put_arp(inport, arp.spa, arp.sha); next;

+      

+

+      

+        A priority-90 flow with the match nd_na and

+        applies the action

+        put_nd(inport, nd.target, nd.tll); next;

+      

+

+      

+        A priority-90 flow with the match nd_ns and

+        applies the action

+        put_nd(inport, ip6.src, nd.sll); next;

+      

+    

+

+    
Ingress Table 3: IP Input

       This table is the core of the logical router datapath functionality.  It

@@ -1320,8 +1439,7 @@ next;

-          These flows reply to ARP requests for the router's own IP address

-          and populates mac binding table of the logical router port.

+          These flows reply to ARP requests for the router's own IP address.

           The ARP requests are handled only if the requestor's IP belongs

           to the same subnets of the logical router port.

           For each router port P that owns IP address A,

@@ -1334,7 +1452,6 @@ next;

-put_arp(inport, arp.spa, arp.sha);

 eth.dst = eth.src;

 eth.src = E;

 arp.op = 2; /* ARP reply. */

@@ -1370,17 +1487,6 @@ output;

-      

-        

-          These flows handles ARP requests not for router's own IP address.

-          They use the SPA and SHA to populate the logical router port's

-          mac binding table, with priority 80.  The typical use case of

-          these flows are GARP requests handling.  For the gateway port

-          on a distributed logical router, these flows are only programmed

-          on the gateway port instance on the redirect-chassis.

-        

-      

-

           These flows reply to ARP requests for the virtual IP addresses

@@ -1451,36 +1557,6 @@ arp.sha = external_mac;

-      

-        

-          ARP reply handling.  Following flows are added to handle ARP replies.

-        

-

-        

-          For each distributed gateway logical router port a priority-92 flow

-          with match inport == P &&

-          is_chassis_resident(cr-P) && eth.bcast &&

-          arp.op == 2 && arp.spa == I with the

-          action put_arp(inport, arp.spa, arp.sha); so that the

-          resident gateway chassis can learn the GARP reply, where

-          P is the distributed gateway router port name,

-          I is the logical router port's network address.

-        

-

-        

-          For each distributed gateway logical router port a priority-92 flow

-          with match inport == P &&

-          !is_chassis_resident(cr-P) && eth.bcast &&

-          arp.op == 2 && arp.spa == I with the action

-          drop; so that other chassis drop this packet.

-        

-

-        

-          A priority-90 flow with match arp.op == 2 has actions

-          put_arp(inport, arp.spa, arp.sha);.

-        

-      

-

           Reply to IPv6 Neighbor Solicitations.  These flows reply to

@@ -1499,7 +1575,6 @@ arp.sha = external_mac;

-put_nd(inport, ip6.src, nd.sll);

 nd_na_router {

     eth.src = E;

     ip6.src = A;

@@ -1521,7 +1596,6 @@ nd_na_router {

-put_nd(inport, ip6.src, nd.sll);

 nd_na {

     eth.src = E;

     ip6.src = A;

@@ -1546,20 +1620,8 @@ nd_na {

-        IPv6 neighbor advertisement handling.  This flow uses neighbor

-        advertisements to populate the logical router's mac binding

-        table.  A priority-90 flow with match nd_na

-        has actions put_nd(inport, nd.target, nd.tll);.

-      

-

-      

-        IPv6 neighbor solicitation for non-hosted addresses handling.

-        This flow uses neighbor solicitations to populate the logical

-        router's mac binding table (ones that were directed at the

-        logical router would have matched the priority-90 neighbor

-        solicitation flow already).  A priority-80 flow with match

-        nd_ns has actions

-        put_nd(inport, ip6.src, nd.sll);.

+        Priority-85 flows which drops the ARP and IPv6 Neighbor Discovery

+        packets.

@@ -1675,7 +1737,7 @@ icmp6 {

-    
Ingress Table 2: DEFRAG

+    
Ingress Table 4: DEFRAG

       This is to send packets to connection tracker for tracking and

@@ -1733,7 +1795,7 @@ icmp6 {

-    
Ingress Table 3: UNSNAT on Distributed Routers

+    
Ingress Table 5: UNSNAT on Distributed Routers

@@ -1772,7 +1834,7 @@ icmp6 {

-    
Ingress Table 4: DNAT

+    
Ingress Table 6: DNAT

       Packets enter the pipeline with destination IP address that needs to

@@ -1780,7 +1842,7 @@ icmp6 {

       in the reverse direction needs to be unDNATed.

-    
Ingress Table 4: Load balancing DNAT rules

+    
Ingress Table 6: Load balancing DNAT rules

       Following load balancing DNAT flows are added for Gateway router or

@@ -1851,7 +1913,7 @@ icmp6 {

-    
Ingress Table 4: DNAT on Gateway Routers

+    
Ingress Table 6: DNAT on Gateway Routers

@@ -1877,7 +1939,7 @@ icmp6 {

-    
Ingress Table 4: DNAT on Distributed Routers

+    
Ingress Table 6: DNAT on Distributed Routers

       On distributed routers, the DNAT table only handles packets

@@ -1924,7 +1986,7 @@ icmp6 {

-    
Ingress Table 5: IPv6 ND RA option processing

+    
Ingress Table 7: IPv6 ND RA option processing

@@ -1954,7 +2016,7 @@ reg0[5] = put_nd_ra_opts(options);next;

-    
Ingress Table 6: IPv6 ND RA responder

+    
Ingress Table 8: IPv6 ND RA responder

       This table implements IPv6 ND RA responder for the IPv6 ND RA replies

@@ -1999,7 +2061,7 @@ output;

-    
Ingress Table 7: IP Routing

+    
Ingress Table 9: IP Routing

       A packet that arrives at this table is an IP packet that should be

@@ -2149,7 +2211,7 @@ next;

-    
Ingress Table 8: ARP/ND Resolution

+    
Ingress Table 10: ARP/ND Resolution

       Any packet that reaches this table is an IP packet whose next-hop

@@ -2284,7 +2346,7 @@ next;

-    
Ingress Table 9: Check packet length

+    
Ingress Table 11: Check packet length

       For distributed logical routers with distributed gateway port configured

@@ -2314,7 +2376,7 @@ REGBIT_PKT_LARGER = check_pkt_larger(L); next;

       and advances to the next table.

-    
Ingress Table 10: Handle larger packets

+    
Ingress Table 12: Handle larger packets

       For distributed logical routers with distributed gateway port configured

@@ -2363,7 +2425,7 @@ icmp4 {

       and advances to the next table.

-    
Ingress Table 11: Gateway Redirect

+    
Ingress Table 13: Gateway Redirect

       For distributed logical routers where one of the logical router

@@ -2425,7 +2487,7 @@ icmp4 {