From 0ed8c91b86b0d4bc01b4795155b25e85df1c6a9d Mon Sep 17 00:00:00 2001

From: Russell Bryant <russell@ovn.org>

Date: Fri, 25 Oct 2019 16:47:21 -0400

Subject: [PATCH 4/5] northd: Add lflows for IPv6 NAT.

Signed-off-by: Russell Bryant <russell@ovn.org>

Acked-by: Numan Siddique <numans@ovn.org>

---

 ovn/northd/ovn-northd.8.xml | 233 ++++++++++++----------

 ovn/northd/ovn-northd.c     | 384 +++++++++++++++++++++++++++---------

 2 files changed, 418 insertions(+), 199 deletions(-)

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml

index b9ae28e14..38e6ecec5 100644

--- a/ovn/northd/ovn-northd.8.xml

+++ b/ovn/northd/ovn-northd.8.xml

@@ -1498,11 +1498,55 @@ output;

-          These flows reply to ARP requests for the virtual IP addresses

-          configured in the router for DNAT or load balancing.  For a

-          configured DNAT IP address or a load balancer IPv4 VIP A,

-          for each router port P with Ethernet

-          address E, a priority-90 flow matches

+          Reply to IPv6 Neighbor Solicitations.  These flows reply to

+          Neighbor Solicitation requests for the router's own IPv6

+          address and populate the logical router's mac binding table.

+        

+

+        

+          For each router port P that

+          owns IPv6 address A, solicited node address S,

+          and Ethernet address E, a priority-90 flow matches

+          inport == P &&

+          nd_ns && ip6.dst == {A, E} &&

+          nd.target == A with the following actions:

+        

+

+        

+nd_na_router {

+    eth.src = E;

+    ip6.src = A;

+    nd.target = A;

+    nd.tll = E;

+    outport = inport;

+    flags.loopback = 1;

+    output;

+};

+        

+

+        

+          For the gateway port on a distributed logical router (where

+          one of the logical router ports specifies a

+          redirect-chassis), the above flows replying to

+          IPv6 Neighbor Solicitations are only programmed on the

+          gateway port instance on the redirect-chassis.

+          This behavior avoids generation of multiple replies from

+          different chassis, and allows upstream MAC learning to point

+          to the redirect-chassis.

+        

+      

+

+      

+        

+          These flows reply to ARP requests or IPv6 neighbor solicitation

+          for the virtual IP addresses configured in the router for DNAT

+          or load balancing.

+        

+

+        

+          IPv4: For a configured DNAT IP address or a load balancer

+          IPv4 VIP A, for each router port P with

+          Ethernet address E, a priority-90 flow matches

           inport == P && arp.op == 1 &&

           arp.tpa == A (ARP request)

           with the following actions:

@@ -1521,6 +1565,30 @@ flags.loopback = 1;

 output;

+        

+          IPv6: For a configured DNAT IP address or a load balancer

+          IPv6 VIP A, solicited node address S,

+          for each router port P with

+          Ethernet address E, a priority-90 flow matches

+          inport == P && nd_ns &&

+          ip6.dst == {A, S} &&

+          nd.target == A

+          with the following actions:

+        

+

+        

+eth.dst = eth.src;

+nd_na {

+    eth.src = E;

+    nd.tll = E;

+    ip6.src = A;

+    nd.target = A;

+    outport = P;

+    flags.loopback = 1;

+    output;

+}

+        

+

           For the gateway port on a distributed logical router with NAT

           (where one of the logical router ports specifies a

@@ -1557,6 +1625,15 @@ eth.src = external_mac;

 arp.sha = external_mac;

+            

+              or in the case of IPv6 neighbor solicition:

+            

+

+            

+eth.src = external_mac;

+nd.tll = external_mac;

+            

+

               This behavior avoids generation of multiple ARP responses

               from different chassis, and allows upstream MAC learning to

@@ -1566,68 +1643,6 @@ arp.sha = external_mac;

-      

-        

-          Reply to IPv6 Neighbor Solicitations.  These flows reply to

-          Neighbor Solicitation requests for the router's own IPv6

-          address and load balancing IPv6 VIPs and populate the logical

-          router's mac binding table.

-        

-

-        

-          For each router port P that

-          owns IPv6 address A, solicited node address S,

-          and Ethernet address E, a priority-90 flow matches

-          inport == P &&

-          nd_ns && ip6.dst == {A, E} &&

-          nd.target == A with the following actions:

-        

-

-        

-nd_na_router {

-    eth.src = E;

-    ip6.src = A;

-    nd.target = A;

-    nd.tll = E;

-    outport = inport;

-    flags.loopback = 1;

-    output;

-};

-        

-

-        

-          For each router port P that has load balancing VIP

-          A, solicited node address S, and Ethernet

-          address E, a priority-90 flow matches

-          inport == P &&

-          nd_ns && ip6.dst == {A, E} &&

-          nd.target == A with the following actions:

-        

-

-        

-nd_na {

-    eth.src = E;

-    ip6.src = A;

-    nd.target = A;

-    nd.tll = E;

-    outport = inport;

-    flags.loopback = 1;

-    output;

-};

-        

-

-        

-          For the gateway port on a distributed logical router (where

-          one of the logical router ports specifies a

-          redirect-chassis), the above flows replying to

-          IPv6 Neighbor Solicitations are only programmed on the

-          gateway port instance on the redirect-chassis.

-          This behavior avoids generation of multiple replies from

-          different chassis, and allows upstream MAC learning to point

-          to the redirect-chassis.

-        

-      

-

         Priority-85 flows which drops the ARP and IPv6 Neighbor Discovery

         packets.

@@ -1681,10 +1696,11 @@ nd_na {

         handled by one of the flows above, which amounts to ICMP (other than

         echo requests) and fragments with nonzero offsets.  For each IP address

         A owned by the router, a priority-60 flow matches

-        ip4.dst == A and drops the traffic.  An

-        exception is made and the above flow is not added if the router

-        port's own IP address is used to SNAT packets passing through that

-        router.

+        ip4.dst == A or

+        ip6.dst == A

+        and drops the traffic.  An exception is made and the above flow

+        is not added if the router port's own IP address is used to SNAT

+        packets passing through that router.

@@ -1778,23 +1794,26 @@ icmp6 {

           If the Gateway router has been configured to force SNAT any

           previously DNATted packets to B, a priority-110 flow

-          matches ip && ip4.dst == B with

-          an action ct_snat; .

+          matches ip && ip4.dst == B or

+          ip && ip6.dst == B

+          with an action ct_snat; .

           If the Gateway router has been configured to force SNAT any

           previously load-balanced packets to B, a priority-100 flow

-          matches ip && ip4.dst == B with

-          an action ct_snat; .

+          matches ip && ip4.dst == B or

+          ip && ip6.dst == B

+          with an action ct_snat; .

           For each NAT configuration in the OVN Northbound database, that asks

           to change the source IP address of a packet from A to

-          B, a priority-90 flow matches ip &&

-          ip4.dst == B with an action

-          ct_snat; .

+          B, a priority-90 flow matches

+          ip && ip4.dst == B or

+          ip && ip6.dst == B

+          with an action ct_snat; .

@@ -1812,7 +1831,9 @@ icmp6 {

           For each configuration in the OVN Northbound database, that asks

           to change the source IP address of a packet from A to

           B, a priority-100 flow matches ip &&

-          ip4.dst == B && inport == GW,

+          ip4.dst == B && inport == GW or

+          ip &&

+          ip6.dst == B && inport == GW

           where GW is the logical router gateway port, with an

           action ct_snat;.

@@ -1826,10 +1847,12 @@ icmp6 {

           For each configuration in the OVN Northbound database, that asks

           to change the source IP address of a packet from A to

-          B, a priority-50 flow matches ip &&

-          ip4.dst == B with an action

+          B, a priority-50 flow matches

+          ip && ip4.dst == B or

+          ip && ip6.dst == B

+          with an action

           REGBIT_NAT_REDIRECT = 1; next;.  This flow is for

-          east/west traffic to a NAT destination IPv4 address.  By

+          east/west traffic to a NAT destination IPv4/IPv6 address.  By

           setting the REGBIT_NAT_REDIRECT flag, in the

           ingress table Gateway Redirect this will trigger a

           redirect to the instance of the gateway port on the

@@ -1875,25 +1898,27 @@ icmp6 {

         For all the configured load balancing rules for a Gateway router or

         Router with gateway port in OVN_Northbound database that

         includes a L4 port PORT of protocol P and IPv4

-        address VIP, a priority-120 flow that matches on

+        or IPv6 address VIP, a priority-120 flow that matches on

         ct.new && ip && ip4.dst == VIP

         && P && P.dst == PORT

-         with an action of ct_lb(args),

-        where args contains comma separated IPv4 addresses (and

-        optional port numbers) to load balance to.  If the router is configured

-        to force SNAT any load-balanced packets, the above action will be

-        replaced by flags.force_snat_for_lb = 1;

+         (ip6.dst == VIP in the IPv6 case)

+        with an action of ct_lb(args),

+        where args contains comma separated IPv4 or IPv6 addresses

+        (and optional port numbers) to load balance to.  If the router is

+        configured to force SNAT any load-balanced packets, the above action

+        will be replaced by flags.force_snat_for_lb = 1;

         ct_lb(args);.

         For all the configured load balancing rules for a router in

         OVN_Northbound database that includes a L4 port

-        PORT of protocol P and IPv4 address

+        PORT of protocol P and IPv4 or IPv6 address

         VIP, a priority-120 flow that matches on

         ct.est && ip && ip4.dst == VIP

         && P && P.dst == PORT

-         with an action of ct_dnat;. If the router is

+         (ip6.dst == VIP in the IPv6 case)

+        with an action of ct_dnat;. If the router is

         configured to force SNAT any load-balanced packets, the above action

         will be replaced by flags.force_snat_for_lb = 1; ct_dnat;.

@@ -1903,11 +1928,13 @@ icmp6 {

         OVN_Northbound database that includes just an IP address

         VIP to match on, a priority-110 flow that matches on

         ct.new && ip && ip4.dst ==

-        VIP with an action of

+        VIP (ip6.dst == VIP in the

+        IPv6 case) with an action of

         ct_lb(args), where args contains

-        comma separated IPv4 addresses.  If the router is configured to force

-        SNAT any load-balanced packets, the above action will be replaced by

-        flags.force_snat_for_lb = 1; ct_lb(args);.

+        comma separated IPv4 or IPv6 addresses.  If the router is configured

+        to force SNAT any load-balanced packets, the above action will be

+        replaced by flags.force_snat_for_lb = 1;

+        ct_lb(args);.

@@ -1915,7 +1942,8 @@ icmp6 {

         OVN_Northbound database that includes just an IP address

         VIP to match on, a priority-110 flow that matches on

         ct.est && ip && ip4.dst ==

-        VIP with an action of ct_dnat;.

+        VIP (or ip6.dst == VIP)

+        with an action of ct_dnat;.

         If the router is configured to force SNAT any load-balanced

         packets, the above action will be replaced by

         flags.force_snat_for_lb = 1; ct_dnat;.

@@ -1929,7 +1957,8 @@ icmp6 {

         For each configuration in the OVN Northbound database, that asks

         to change the destination IP address of a packet from A to

         B, a priority-100 flow matches ip &&

-        ip4.dst == A with an action

+        ip4.dst == A or ip &&

+        ip6.dst == A with an action

         flags.loopback = 1; ct_dnat(B);.  If the

         Gateway router is configured to force SNAT any DNATed packet,

         the above action will be replaced by

@@ -1966,7 +1995,8 @@ icmp6 {

           B, a priority-100 flow matches ip &&

           ip4.dst == B && inport == GW,

           where GW is the logical router gateway port, with an

-          action ct_dnat(B);.

+          action ct_dnat(B);.  The match will

+          include ip6.dst == B in the IPv6 case.

@@ -1979,9 +2009,10 @@ icmp6 {

           For each configuration in the OVN Northbound database, that asks

           to change the destination IP address of a packet from A to

           B, a priority-50 flow matches ip &&

-          ip4.dst == B with an action

+          ip4.dst == B or ip &&

+          ip6.dst == B with an action

           REGBIT_NAT_REDIRECT = 1; next;.  This flow is for

-          east/west traffic to a NAT destination IPv4 address.  By

+          east/west traffic to a NAT destination IPv4/IPv6 address.  By

           setting the REGBIT_NAT_REDIRECT flag, in the

           ingress table Gateway Redirect this will trigger a

           redirect to the instance of the gateway port on the

@@ -2136,8 +2167,8 @@ logical_ip{0,1} = LIP{0,1};

 eth.dst = MAC0;

 eth.src = MAC1;

-reg0 = ip4.dst;

-reg1 = EIP1;

+reg0 = ip4.dst; /* xxreg0 = ip6.dst; in the IPv6 case */

+reg1 = EIP1; /* xxreg1 in the IPv6 case */

 outport = redirect-chassis-port;

 REGBIT_DISTRIBUTED_NAT = 1; next;.

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c

index 7cfeb60be..84b2a9ff1 100644

--- a/ovn/northd/ovn-northd.c

+++ b/ovn/northd/ovn-northd.c

@@ -66,6 +66,15 @@ struct northd_context {

     struct ovsdb_idl_index *sbrec_ip_mcast_by_dp;

 };

+/* An IPv4 or IPv6 address */

+struct v46_ip {

+    int family;

+    union {

+        ovs_be32 ipv4;

+        struct in6_addr ipv6;

+    };

+};

+

 static const char *ovnnb_db;

 static const char *ovnsb_db;

 static const char *unixctl_path;

@@ -2266,6 +2275,15 @@ get_nat_addresses(const struct ovn_port *op, size_t *n)

                     break;

                 }

             }

+            if (!is_router_ip) {

+                for (size_t j = 0; j < op->lrp_networks.n_ipv6_addrs; j++) {

+                    if (!strcmp(nat->external_ip,

+                                op->lrp_networks.ipv6_addrs[j].addr_s)) {

+                        is_router_ip = true;

+                        break;

+                    }

+                }

+            }

             if (!is_router_ip) {

                 ds_put_format(&c_addresses, " %s", nat->external_ip);

@@ -6013,9 +6031,28 @@ add_distributed_nat_routes(struct hmap *lflows, const struct ovn_port *op)

             continue;

         }

+        /* Determine if we need to create IPv4 or IPv6 flows */

+        ovs_be32 ip;

+        struct in6_addr ipv6;

+        int family = AF_INET;

+        if (!ip_parse(nat->external_ip, &ip) || !ip) {

+            family = AF_INET6;

+            if (!ipv6_parse(nat->external_ip, &ipv6)) {

+                static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);

+                VLOG_WARN_RL(&rl, "bad ip address %s in nat configuration "

+                             "for router %s", nat->external_ip, op->key);

+                /* We'll create IPv6 flows anyway, but the address

+                 * is probably bogus ... */

+            }

+        }

+

         ds_put_format(&match, "inport == %s && "

-                      "ip4.src == %s && ip4.dst == %s",

-                       op->json_key, nat->logical_ip, nat->external_ip);

+                      "ip%s.src == %s && ip%s.dst == %s",

+                       op->json_key,

+                       family == AF_INET ? "4" : "6",

+                       nat->logical_ip,

+                       family == AF_INET ? "4" : "6",

+                       nat->external_ip);

         ds_put_format(&actions, "outport = %s; eth.dst = %s; "

                       REGBIT_DISTRIBUTED_NAT" = 1; "

                       REGBIT_NAT_REDIRECT" = 0; next;",

@@ -6033,17 +6070,38 @@ add_distributed_nat_routes(struct hmap *lflows, const struct ovn_port *op)

                 !nat2->external_mac || !nat2->external_ip)

                 continue;

+            family = AF_INET;

+            if (!ip_parse(nat2->external_ip, &ip) || !ip) {

+                family = AF_INET6;

+                if (!ipv6_parse(nat2->external_ip, &ipv6)) {

+                    static struct vlog_rate_limit rl =

+                        VLOG_RATE_LIMIT_INIT(5, 1);

+                    VLOG_WARN_RL(&rl, "bad ip address %s in nat configuration "

+                                 "for router %s", nat2->external_ip, op->key);

+                    /* We'll create IPv6 flows anyway, but the address

+                     * is probably bogus ... */

+                }

+            }

+

             ds_put_format(&match, "inport == %s && "

-                          "ip4.src == %s && ip4.dst == %s",

-                          op->json_key, nat->logical_ip, nat2->external_ip);

+                          "ip%s.src == %s && ip%s.dst == %s",

+                          op->json_key,

+                          family == AF_INET ? "4" : "6",

+                          nat->logical_ip,

+                          family == AF_INET ? "4" : "6",

+                          nat2->external_ip);

             ds_put_format(&actions, "outport = %s; "

                           "eth.src = %s; eth.dst = %s; "

-                          "reg0 = ip4.dst; reg1 = %s; "

+                          "%sreg0 = ip%s.dst; %sreg1 = %s; "

                           REGBIT_DISTRIBUTED_NAT" = 1; "

                           REGBIT_NAT_REDIRECT" = 0; next;",

                           op->od->l3dgw_port->json_key,

                           op->od->l3dgw_port->lrp_networks.ea_s,

-                          nat2->external_mac, nat->external_ip);

+                          nat2->external_mac,

+                          family == AF_INET ? "" : "xx",

+                          family == AF_INET ? "4" : "6",

+                          family == AF_INET ? "" : "xx",

+                          nat->external_ip);

             ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_ROUTING, 400,

                           ds_cstr(&match), ds_cstr(&actions));

             ds_clear(&match);

@@ -6280,7 +6338,8 @@ op_put_v6_networks(struct ds *ds, const struct ovn_port *op)

 }

 static const char *

-get_force_snat_ip(struct ovn_datapath *od, const char *key_type, ovs_be32 *ip)

+get_force_snat_ip(struct ovn_datapath *od, const char *key_type,

+                  struct v46_ip *ip)

 {

     char *key = xasprintf("%s_force_snat_ip", key_type);

     const char *ip_address = smap_get(&od->nbr->options, key);

@@ -6288,19 +6347,27 @@ get_force_snat_ip(struct ovn_datapath *od, const char *key_type, ovs_be32 *ip)

     if (ip_address) {

         ovs_be32 mask;

-        char *error = ip_parse_masked(ip_address, ip, &mask);

+        ip->family = AF_INET;

+        char *error = ip_parse_masked(ip_address, &ip->ipv4, &mask);

         if (error || mask != OVS_BE32_MAX) {

-            static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);

-            VLOG_WARN_RL(&rl, "bad ip %s in options of router "UUID_FMT"",

-                         ip_address, UUID_ARGS(&od->key));

             free(error);

-            *ip = 0;

-            return NULL;

+            struct in6_addr mask_v6, v6_exact = IN6ADDR_EXACT_INIT;

+            ip->family = AF_INET6;

+            error = ipv6_parse_masked(ip_address, &ip->ipv6, &mask_v6);

+            if (error || memcmp(&mask_v6, &v6_exact, sizeof(mask_v6))) {

+                static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);

+                VLOG_WARN_RL(&rl, "bad ip %s in options of router "UUID_FMT"",

+                             ip_address, UUID_ARGS(&od->key));

+                memset(ip, 0, sizeof *ip);

+                ip->family = AF_UNSPEC;

+                return NULL;

+            }

         }

         return ip_address;

     }

-    *ip = 0;

+    memset(ip, 0, sizeof *ip);

+    ip->family = AF_UNSPEC;

     return NULL;

 }

@@ -6866,11 +6933,11 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,

         /* A gateway router can have 2 SNAT IP addresses to force DNATed and

          * LBed traffic respectively to be SNATed.  In addition, there can be

          * a number of SNAT rules in the NAT table. */

-        ovs_be32 *snat_ips = xmalloc(sizeof *snat_ips *

-                                     (op->od->nbr->n_nat + 2));

+        struct v46_ip *snat_ips = xmalloc(sizeof *snat_ips

+                                          * (op->od->nbr->n_nat + 2));

         size_t n_snat_ips = 0;

-        ovs_be32 snat_ip;

+        struct v46_ip snat_ip;

         const char *dnat_force_snat_ip = get_force_snat_ip(op->od, "dnat",

                                                            &snat_ip);

         if (dnat_force_snat_ip) {

@@ -6889,44 +6956,85 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,

             nat = op->od->nbr->nat[i];

             ovs_be32 ip;

+            struct in6_addr ipv6;

+            bool is_v6 = false;

             if (!ip_parse(nat->external_ip, &ip) || !ip) {

-                static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);

-                VLOG_WARN_RL(&rl, "bad ip address %s in nat configuration "

-                             "for router %s", nat->external_ip, op->key);

-                continue;

+                if (!ipv6_parse(nat->external_ip, &ipv6)) {

+                    static struct vlog_rate_limit rl =

+                        VLOG_RATE_LIMIT_INIT(5, 1);

+                    VLOG_WARN_RL(&rl, "bad ip address %s in nat configuration "

+                                 "for router %s", nat->external_ip, op->key);

+                    continue;

+                }

+                is_v6 = true;

             }

             if (!strcmp(nat->type, "snat")) {

-                snat_ips[n_snat_ips++] = ip;

+                if (is_v6) {

+                    snat_ips[n_snat_ips].family = AF_INET6;

+                    snat_ips[n_snat_ips++].ipv6 = ipv6;

+                } else {

+                    snat_ips[n_snat_ips].family = AF_INET;

+                    snat_ips[n_snat_ips++].ipv4 = ip;

+                }

                 continue;

             }

-            /* ARP handling for external IP addresses.

+            /* ARP / ND handling for external IP addresses.

              *

              * DNAT IP addresses are external IP addresses that need ARP

              * handling. */

+            char addr_s[INET6_ADDRSTRLEN + 1];

             ds_clear(&match);

-            ds_put_format(&match,

-                          "inport == %s && arp.tpa == "IP_FMT" && arp.op == 1",

-                          op->json_key, IP_ARGS(ip));

-

             ds_clear(&actions);

-            ds_put_format(&actions,

-                "eth.dst = eth.src; "

-                "arp.op = 2; /* ARP reply */ "

-                "arp.tha = arp.sha; ");

+            if (is_v6) {

+                /* For ND solicitations, we need to listen for both the

+                 * unicast IPv6 address and its all-nodes multicast address,

+                 * but always respond with the unicast IPv6 address. */

+                char sn_addr_s[INET6_ADDRSTRLEN + 1];

+                struct in6_addr sn_addr;

+                in6_addr_solicited_node(&sn_addr, &ipv6);

+                ipv6_string_mapped(sn_addr_s, &sn_addr);

+                ipv6_string_mapped(addr_s, &ipv6);

+

+                ds_put_format(&match, "inport == %s && "

+                        "nd_ns && ip6.dst == {%s, %s} && nd.target == %s",

+                        op->json_key, addr_s, sn_addr_s, addr_s);

+                ds_put_format(&actions,

+                    "eth.dst = eth.src; "

+                    "nd_na { ");

+            } else {

+                ds_put_format(&match,

+                              "inport == %s "

+                              "&& arp.tpa == "IP_FMT" && arp.op == 1",

+                              op->json_key, IP_ARGS(ip));

+

+                ds_put_format(&actions,

+                    "eth.dst = eth.src; "

+                    "arp.op = 2; /* ARP reply */ "

+                    "arp.tha = arp.sha; ");

+            }

             if (op->od->l3dgw_port && op == op->od->l3dgw_port) {

                 struct eth_addr mac;

                 if (nat->external_mac &&

                     eth_addr_from_string(nat->external_mac, &mac)

                     && nat->logical_port) {

                     /* distributed NAT case, use nat->external_mac */

-                    ds_put_format(&actions,

-                        "eth.src = "ETH_ADDR_FMT"; "

-                        "arp.sha = "ETH_ADDR_FMT"; ",

-                        ETH_ADDR_ARGS(mac),

-                        ETH_ADDR_ARGS(mac));

+                    if (is_v6) {

+                        ds_put_format(&actions,

+                            "eth.src = "ETH_ADDR_FMT"; "

+                            "nd.tll = "ETH_ADDR_FMT"; ",

+                            ETH_ADDR_ARGS(mac),

+                            ETH_ADDR_ARGS(mac));

+

+                    } else {

+                        ds_put_format(&actions,

+                            "eth.src = "ETH_ADDR_FMT"; "

+                            "arp.sha = "ETH_ADDR_FMT"; ",

+                            ETH_ADDR_ARGS(mac),

+                            ETH_ADDR_ARGS(mac));

+                    }

                     /* Traffic with eth.src = nat->external_mac should only be

                      * sent from the chassis where nat->logical_port is

                      * resident, so that upstream MAC learning points to the

@@ -6935,11 +7043,20 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,

                     ds_put_format(&match, " && is_chassis_resident(\"%s\")",

                                   nat->logical_port);

                 } else {

-                    ds_put_format(&actions,

-                        "eth.src = %s; "

-                        "arp.sha = %s; ",

-                        op->lrp_networks.ea_s,

-                        op->lrp_networks.ea_s);

+                    if (is_v6) {

+                        ds_put_format(&actions,

+                            "eth.src = %s; "

+                            "nd.tll = %s; ",

+                            op->lrp_networks.ea_s,

+                            op->lrp_networks.ea_s);

+

+                    } else {

+                        ds_put_format(&actions,

+                            "eth.src = %s; "

+                            "arp.sha = %s; ",

+                            op->lrp_networks.ea_s,

+                            op->lrp_networks.ea_s);

+                    }

                     /* Traffic with eth.src = l3dgw_port->lrp_networks.ea_s

                      * should only be sent from the "redirect-chassis", so that

                      * upstream MAC learning points to the "redirect-chassis".

@@ -6950,21 +7067,40 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,

                                       op->od->l3redirect_port->json_key);

                     }

                 }

+            } else {

+                if (is_v6) {

+                    ds_put_format(&actions,

+                        "eth.src = %s; "

+                        "nd.tll = %s; ",

+                        op->lrp_networks.ea_s,

+                        op->lrp_networks.ea_s);

+                } else {

+                    ds_put_format(&actions,

+                        "eth.src = %s; "

+                        "arp.sha = %s; ",