From d6d98d46254435b0ce0507d694f37b401bd91b30 Mon Sep 17 00:00:00 2001
From: Numan Siddique <numans@ovn.org>
Date: Thu, 11 Jun 2020 18:44:41 +0530
Subject: [PATCH 2/2] northd: By pass IPv6 Router Adv and Router Solicitation
 packets from ACL stages.

We already add below logical flows to by pass IPv6 Neighbor discovery packets
from in/out ACL stage.

table=6 (ls_in_acl          ), priority=65535, match=(nd), action=(next;)
table=4 (ls_out_acl         ), priority=65535, match=(nd), action=(next;)

This patch also adds nd_rs and nd_ra to these logical flows. Without these
the IPv6 Router Adv packets generated by ovn-controller are dropped if
CMS has configured ACLs.

Reported-by: Jakub Libosvar <jlibosva@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>

(cherry-picked from upstream master commit 90e5971018277ab0f383a56f59ffcfe17466a2c6)

Change-Id: I33fcb3032fe946f2b2333a8cf2791af75dceaf44
---
 ovn/northd/ovn-northd.8.xml | 6 ++++++
 ovn/northd/ovn-northd.c     | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index 95b826944..3fb811bf6 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -421,6 +421,12 @@
         ACL re-allow this connection.
       </li>
 
+      <li>
+        A priority-65535 flow that allows IPv6 Neighbor solicitation,
+        Neighbor discover, Router solicitation and Router advertisement
+        packets.
+      </li>
+
       <li>
         A priority 34000 logical flow is added for each logical switch datapath
         with the match <code>eth.dst = <var>E</var></code> to allow the service
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index b3561f986..ab5c291c7 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -5217,8 +5217,10 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
         /* Ingress and Egress ACL Table (Priority 65535).
          *
          * Not to do conntrack on ND packets. */
-        ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "nd", "next;");
-        ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "nd", "next;");
+        ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
+                      "nd || nd_ra || nd_rs", "next;");
+        ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
+                      "nd || nd_ra || nd_rs", "next;");
     }
 
     /* Ingress or Egress ACL Table (Various priorities). */
-- 
2.26.2