Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2195508/?format=api
{ "id": 2195508, "url": "http://patchwork.ozlabs.org/api/patches/2195508/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/patch/20260211093707.846789-3-amusil@redhat.com/", "project": { "id": 68, "url": "http://patchwork.ozlabs.org/api/projects/68/?format=api", "name": "Open Virtual Network development", "link_name": "ovn", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260211093707.846789-3-amusil@redhat.com>", "list_archive_url": null, "date": "2026-02-11T09:37:07", "name": "[ovs-dev,v8,2/2] controller: Add option to make port security compliant with RFC 9568.", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "b7bc54b41b81ee8f5651da2bbf34c90b80360116", "submitter": { "id": 83634, "url": "http://patchwork.ozlabs.org/api/people/83634/?format=api", "name": "Ales Musil", "email": "amusil@redhat.com" }, "delegate": { "id": 94943, "url": "http://patchwork.ozlabs.org/api/users/94943/?format=api", "username": "dceara", "first_name": "Dumitru", "last_name": "Ceara", "email": "dceara@redhat.com" }, "mbox": "http://patchwork.ozlabs.org/project/ovn/patch/20260211093707.846789-3-amusil@redhat.com/mbox/", "series": [ { "id": 491803, "url": "http://patchwork.ozlabs.org/api/series/491803/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/list/?series=491803", "date": "2026-02-11T09:37:05", "name": "Add support for VRRPv3 in port security.", "version": 8, "mbox": "http://patchwork.ozlabs.org/series/491803/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2195508/comments/", "check": "success", "checks": "http://patchwork.ozlabs.org/api/patches/2195508/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=BxSqxnJp;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)", "smtp3.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key)\n header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=BxSqxnJp", "smtp4.osuosl.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com", "smtp4.osuosl.org;\n dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com\n header.a=rsa-sha256 header.s=mimecast20190719 header.b=BxSqxnJp" ], "Received": [ "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4f9tdF42hFz1xvb\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 11 Feb 2026 20:37:37 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id D5A2160F92;\n\tWed, 11 Feb 2026 09:37:30 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id MsSh7rtAzMJ3; Wed, 11 Feb 2026 09:37:27 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])\n\tby smtp3.osuosl.org (Postfix) with ESMTPS id 874EA610B5;\n\tWed, 11 Feb 2026 09:37:27 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 53DDBC077F;\n\tWed, 11 Feb 2026 09:37:27 +0000 (UTC)", "from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 205E5C0780\n for <dev@openvswitch.org>; Wed, 11 Feb 2026 09:37:26 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 6E0E241213\n for <dev@openvswitch.org>; Wed, 11 Feb 2026 09:37:23 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id F3rCo6xt8xpo for <dev@openvswitch.org>;\n Wed, 11 Feb 2026 09:37:21 +0000 (UTC)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.133.124])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 9A25A40A83\n for <dev@openvswitch.org>; Wed, 11 Feb 2026 09:37:20 +0000 (UTC)", "from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-668-ggeocHSOOguTEUmWEsEG8A-1; Wed,\n 11 Feb 2026 04:37:15 -0500", "from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id CDDDF1955E76; Wed, 11 Feb 2026 09:37:14 +0000 (UTC)", "from amusil.brq.redhat.com (unknown [10.43.17.233])\n by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id 2B6C219560B0; Wed, 11 Feb 2026 09:37:12 +0000 (UTC)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.9.56;\n helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 874EA610B5", "OpenDKIM Filter v2.11.0 smtp4.osuosl.org 9A25A40A83" ], "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=170.10.133.124;\n helo=us-smtp-delivery-124.mimecast.com; envelope-from=amusil@redhat.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp4.osuosl.org 9A25A40A83", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1770802638;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=U1H2Q+4AV+AF+3XfsqX8NmRrNy9EF03cvqw0byIj6Zw=;\n b=BxSqxnJp//tXMFZgbXHCUYaGOskLapWmIwJh/lMKwcqK5yJWno7m+EItAa/fkYm3f3psRn\n evkb1psKOHYhJzGYabYBA34ajMnTWtGMly44fuN17t/qwQ+O6FtZ7lkSCAkJsgVmMj5/m1\n FkxJYsESNQKRgNezlr4mR0RKdCjW510=", "X-MC-Unique": "ggeocHSOOguTEUmWEsEG8A-1", "X-Mimecast-MFC-AGG-ID": "ggeocHSOOguTEUmWEsEG8A_1770802635", "To": "dev@openvswitch.org", "Date": "Wed, 11 Feb 2026 10:37:07 +0100", "Message-ID": "<20260211093707.846789-3-amusil@redhat.com>", "In-Reply-To": "<20260211093707.846789-1-amusil@redhat.com>", "References": "<20260211093707.846789-1-amusil@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 3.0 on 10.30.177.12", "X-Mimecast-Spam-Score": "0", "X-Mimecast-MFC-PROC-ID": "J_FgELYrPe9et9-vM_F4lPrwV5oXidiIjYkYZTKYJ6s_1770802635", "X-Mimecast-Originator": "redhat.com", "Subject": "[ovs-dev] [PATCH ovn v8 2/2] controller: Add option to make port\n security compliant with RFC 9568.", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "From": "Ales Musil via dev <ovs-dev@openvswitch.org>", "Reply-To": "Ales Musil <amusil@redhat.com>", "Cc": "i.maximets@ovn.org, dceara@redhat.com", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "The RFC defines a Virtual Router Redundancy Protocol [0], in order\nfor that protocol to work the workload might \"spoof\" MAC address\nwithin ARP or ND request/response. This wasn't allowed as the port\nsecurity is specifically designed against spoofing and checks if\nthe port security MAC address is the same for source of ARP/ND\nand the inner source/target address. To make the port security\ncompliant add a special literal which when specified will allow\nuser to add any/all MAC addresses defined by VRRPv3. The traffic\nfrom and to those additional MAC addresses will be allowed as\nwell as permutations of ARP/ND inner MACs combined with the\nphysical MAC as a source.\n\n[0] https://datatracker.ietf.org/doc/html/rfc9568\nReported-at: https://issues.redhat.com/browse/FDP-2979\nSigned-off-by: Ales Musil <amusil@redhat.com>\n---\nv4: Rebase on top of latest main.\n Update the RFC url.\n Add Jacob's ack.\nv5: Rebase on top of latest main.\n Address nits pointed out by Dumitru.\n Add extra test for invalid VRRPv3 MAC.\n Update the wording in documentation.\n Remove acks as the code changed.\n Do not populate flows for physical MAC when VRRP is specified.\nv6: Rebase on top of latest main.\n Update the documentation formatting.\n Update the behavior when masked portion of MAC is non-zero.\n Address some nits.\n Update testing.\n Remove all acks as the patch has changed.\nv7: Update the tests.\n Update the documentation according to Ilya's suggestion.\nv8: Rebase on top of latest main.\n Address nits.\n Adjust the test.\n---\n NEWS | 3 +\n controller/lflow.c | 931 +++++++++++++++++++++++++++++----------------\n ovn-nb.xml | 55 +++\n tests/ovn.at | 854 +++++++++++++++++++++++++++++++++++++++++\n 4 files changed, 1520 insertions(+), 323 deletions(-)", "diff": "diff --git a/NEWS b/NEWS\nindex bb550fe59..c566ebfc8 100644\n--- a/NEWS\n+++ b/NEWS\n@@ -101,6 +101,9 @@ Post v25.09.0\n - Add \"distributed\" option for load balancer, that forces traffic to be\n routed only to backend instances running locally on the same chassis\n it arrives on.\n+ - Add support for special port_security prefix \"VRRPv3\". This prefix allows\n+ CMS to allow all required traffic for a VRRPv3 virtual router behind LSP.\n+ See ovn-nb(5) man page for more details.\n \n OVN v25.09.0 - xxx xx xxxx\n --------------------------\ndiff --git a/controller/lflow.c b/controller/lflow.c\nindex b6be5c630..eb96a9597 100644\n--- a/controller/lflow.c\n+++ b/controller/lflow.c\n@@ -2357,6 +2357,156 @@ add_port_sec_flows(const struct shash *binding_lports,\n }\n }\n \n+struct masked_ip4_addr {\n+ ovs_be32 addr;\n+ ovs_be32 mask;\n+ ovs_be32 bcast;\n+};\n+\n+struct masked_ip6_addr {\n+ struct in6_addr addr;\n+ struct in6_addr mask;\n+};\n+\n+struct masked_eth_addr {\n+ struct eth_addr addr;\n+ struct eth_addr mask;\n+};\n+\n+struct port_security_addresses {\n+ struct eth_addr phys_addr;\n+ /* Vector of 'struct masked_eth_addr'. */\n+ struct vector vrrp4;\n+ /* Vector of 'struct masked_eth_addr'. */\n+ struct vector vrrp6;\n+ /* Vector of 'struct masked_ip4_addr' .*/\n+ struct vector ip4;\n+ /* Vector of 'struct masked_ip6_addr' .*/\n+ struct vector ip6;\n+};\n+\n+static void\n+port_security_addresses_init(struct port_security_addresses *ps_addr)\n+{\n+ *ps_addr = (struct port_security_addresses) {\n+ .phys_addr = eth_addr_zero,\n+ .vrrp4 = VECTOR_EMPTY_INITIALIZER(struct masked_eth_addr),\n+ .vrrp6 = VECTOR_EMPTY_INITIALIZER(struct masked_eth_addr),\n+ .ip4 = VECTOR_EMPTY_INITIALIZER(struct masked_ip4_addr),\n+ .ip6 = VECTOR_EMPTY_INITIALIZER(struct masked_ip6_addr),\n+ };\n+}\n+\n+static void\n+port_security_addresses_clear(struct port_security_addresses *ps_addr)\n+{\n+ vector_clear(&ps_addr->vrrp4);\n+ vector_clear(&ps_addr->vrrp6);\n+ vector_clear(&ps_addr->ip4);\n+ vector_clear(&ps_addr->ip6);\n+}\n+\n+static void\n+port_security_addresses_destroy(struct port_security_addresses *ps_addr)\n+{\n+ vector_destroy(&ps_addr->vrrp4);\n+ vector_destroy(&ps_addr->vrrp6);\n+ vector_destroy(&ps_addr->ip4);\n+ vector_destroy(&ps_addr->ip6);\n+}\n+\n+static const struct masked_eth_addr maddr_any_vrrp4 = {\n+ .addr = ETH_ADDR_C(00,00,5e,00,01,00),\n+ .mask = ETH_ADDR_C(ff,ff,ff,ff,ff,00),\n+};\n+static const struct masked_eth_addr maddr_any_vrrp6 = {\n+ .addr = ETH_ADDR_C(00,00,5e,00,02,00),\n+ .mask = ETH_ADDR_C(ff,ff,ff,ff,ff,00),\n+};\n+\n+static bool\n+port_security_addresses_add_vrrp_mac(struct port_security_addresses *ps_addr,\n+ struct eth_addr mac, unsigned int plen)\n+{\n+ /* Only the last byte contains ID for VRRPv3. */\n+ if (plen < 40) {\n+ return false;\n+ }\n+\n+ /* Allow only zeroed masked portion of MAC. */\n+ struct eth_addr mask = eth_addr_create_mask(plen);\n+ if (eth_addr_to_uint64(mac) & ~eth_addr_to_uint64(mask)) {\n+ return false;\n+ }\n+\n+ struct masked_eth_addr maddr = (struct masked_eth_addr) {\n+ .addr = mac,\n+ .mask = mask,\n+ };\n+\n+ /* The exact match on VRRPv3 MAC ending with zero is not allowed, the\n+ * id is starting from 1. */\n+ if (plen == 48) {\n+ if (eth_addr_equals(mac, maddr_any_vrrp4.addr) ||\n+ eth_addr_equals(mac, maddr_any_vrrp6.addr)) {\n+ return false;\n+ }\n+ }\n+\n+ if (eth_addr_equal_except(maddr_any_vrrp4.addr, mac,\n+ maddr_any_vrrp4.mask)) {\n+ vector_push(&ps_addr->vrrp4, &maddr);\n+ return true;\n+ }\n+\n+ if (eth_addr_equal_except(maddr_any_vrrp6.addr, mac,\n+ maddr_any_vrrp6.mask)) {\n+ vector_push(&ps_addr->vrrp6, &maddr);\n+ return true;\n+ }\n+\n+ return false;\n+}\n+\n+static bool\n+port_security_addresses_add_ip(struct port_security_addresses *ps_addr,\n+ struct in6_addr ip, unsigned int plen)\n+{\n+ /* When the netmask is applied, if the host portion is non-zero, the host\n+ * can only use the specified address. If zero, the host is allowed to\n+ * use any address in the subnet. Also add broadcast in the special case\n+ * of matching only the specified address.\n+ */\n+ if (IN6_IS_ADDR_V4MAPPED(&ip)) {\n+ if (plen > 32) {\n+ return false;\n+ }\n+\n+ ovs_be32 addr = in6_addr_get_mapped_ipv4(&ip);\n+ ovs_be32 mask = be32_prefix_mask(plen);\n+\n+ struct masked_ip4_addr maddr = (struct masked_ip4_addr) {\n+ .addr = addr,\n+ .mask = (addr & ~mask) ? OVS_BE32_MAX : mask,\n+ .bcast = (addr & ~mask) ? (addr | ~mask) : htonl(0),\n+ };\n+ vector_push(&ps_addr->ip4, &maddr);\n+ } else {\n+ if (plen > 128) {\n+ return false;\n+ }\n+\n+ struct in6_addr mask = ipv6_create_mask(plen);\n+ struct masked_ip6_addr maddr = (struct masked_ip6_addr) {\n+ .addr = ip,\n+ .mask = !ipv6_addr_is_host_zero(&ip, &mask) ? in6addr_exact : mask,\n+ };\n+ vector_push(&ps_addr->ip6, &maddr);\n+ }\n+\n+ return true;\n+}\n+\n static void\n reset_match_for_port_sec_flows(const struct sbrec_port_binding *pb,\n enum mf_field_id reg_id, struct match *match)\n@@ -2463,24 +2613,39 @@ build_in_port_sec_default_flows(const struct sbrec_port_binding *pb,\n &pb->header_.uuid);\n }\n \n+static void\n+build_out_port_sec_default_flows(const struct sbrec_port_binding *pb,\n+ struct match *m, struct ofpbuf *ofpacts,\n+ struct ovn_desired_flow_table *flow_table)\n+{\n+ /* Add the below logical flow equivalent OF rules in 'out_port_sec_nd'\n+ * table.\n+ * priority: 80\n+ * match - \"outport == pb->logical_port\"\n+ * action - \"port_sec_failed = 1;\"\n+ * description: \"Drop all traffic\"\n+ */\n+ reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n+ build_port_sec_deny_action(ofpacts);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 80,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+}\n+\n static void\n build_in_port_sec_no_ip_flows(const struct sbrec_port_binding *pb,\n- struct lport_addresses *ps_addr,\n+ struct eth_addr mac, struct eth_addr mask,\n struct match *m, struct ofpbuf *ofpacts,\n struct ovn_desired_flow_table *flow_table)\n {\n- if (ps_addr->n_ipv4_addrs || ps_addr->n_ipv6_addrs) {\n- return;\n- }\n-\n /* Add the below logical flow equivalent OF rules in 'in_port_sec' table.\n * priority: 90\n- * match - \"inport == pb->logical_port && eth.src == ps_addr.ea\"\n+ * match - \"inport == pb->logical_port && eth.src == mac/mask\"\n * action - \"next;\"\n * description: \"Advance the packet for ARP/ND check\"\n */\n reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_src(m, ps_addr->ea);\n+ match_set_dl_src_masked(m, mac, mask);\n build_port_sec_adv_nd_check(ofpacts);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n@@ -2489,43 +2654,26 @@ build_in_port_sec_no_ip_flows(const struct sbrec_port_binding *pb,\n \n static void\n build_in_port_sec_ip4_flows(const struct sbrec_port_binding *pb,\n- struct lport_addresses *ps_addr,\n- struct match *m, struct ofpbuf *ofpacts,\n- struct ovn_desired_flow_table *flow_table)\n+ struct eth_addr mac, struct eth_addr mask,\n+ const struct vector *ip4_addrs,\n+ struct match *m, struct ofpbuf *ofpacts,\n+ struct ovn_desired_flow_table *flow_table)\n {\n- if (!ps_addr->n_ipv4_addrs) {\n- /* If no IPv4 addresses, then 'pb' is not allowed to send IPv4 traffic.\n- * build_in_port_sec_default_flows() takes care of this scenario. */\n- return;\n- }\n-\n /* Advance all traffic from the port security eth address for ND check. */\n build_port_sec_allow_action(ofpacts);\n+ reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n+ match_set_dl_src_masked(m, mac, mask);\n+ match_set_dl_type(m, htons(ETH_TYPE_IP));\n \n /* Add the below logical flow equivalent OF rules in in_port_sec.\n * priority: 90\n- * match - \"inport == pb->port && eth.src == ps_addr.ea &&\n- * ip4.src == {ps_addr.ipv4_addrs}\"\n+ * match - \"inport == pb->port && eth.src == mac/mask &&\n+ * ip4.src == {ip4}\"\n * action - \"port_sec_failed = 0;\"\n */\n- for (size_t j = 0; j < ps_addr->n_ipv4_addrs; j++) {\n- reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_src(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IP));\n-\n- ovs_be32 mask = ps_addr->ipv4_addrs[j].mask;\n- /* When the netmask is applied, if the host portion is\n- * non-zero, the host can only use the specified\n- * address. If zero, the host is allowed to use any\n- * address in the subnet.\n- */\n- if (ps_addr->ipv4_addrs[j].plen == 32 ||\n- ps_addr->ipv4_addrs[j].addr & ~mask) {\n- match_set_nw_src(m, ps_addr->ipv4_addrs[j].addr);\n- } else {\n- match_set_nw_src_masked(m, ps_addr->ipv4_addrs[j].addr, mask);\n- }\n-\n+ const struct masked_ip4_addr *ip;\n+ VECTOR_FOR_EACH_PTR (ip4_addrs, ip) {\n+ match_set_nw_src_masked(m, ip->addr, ip->mask);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n@@ -2533,20 +2681,14 @@ build_in_port_sec_ip4_flows(const struct sbrec_port_binding *pb,\n \n /* Add the below logical flow equivalent OF rules in in_port_sec.\n * priority: 90\n- * match - \"inport == pb->port && eth.src == ps_addr.ea &&\n+ * match - \"inport == pb->port && eth.src == mac/mask &&\n * ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 &&\n * udp.src == 67 && udp.dst == 68\"\n * action - \"port_sec_failed = 0;\"\n * description: \"Allow the DHCP requests.\"\n */\n- reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_src(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IP));\n-\n- ovs_be32 ip4 = htonl(0);\n- match_set_nw_src(m, ip4);\n- ip4 = htonl(0xffffffff);\n- match_set_nw_dst(m, ip4);\n+ match_set_nw_src(m, htonl(0));\n+ match_set_nw_dst(m, htonl(0xffffffff));\n match_set_nw_proto(m, IPPROTO_UDP);\n match_set_tp_src(m, htons(68));\n match_set_tp_dst(m, htons(67));\n@@ -2559,33 +2701,42 @@ build_in_port_sec_ip4_flows(const struct sbrec_port_binding *pb,\n /* Adds the OF rules to allow ARP packets in 'in_port_sec_nd' table. */\n static void\n build_in_port_sec_arp_flows(const struct sbrec_port_binding *pb,\n- struct lport_addresses *ps_addr,\n- struct match *m, struct ofpbuf *ofpacts,\n- struct ovn_desired_flow_table *flow_table)\n+ struct eth_addr phys_mac,\n+ const struct vector *ip4_addrs,\n+ const struct vector *vrrp4_addrs,\n+ bool is_vrrp, struct match *m,\n+ struct ofpbuf *ofpacts,\n+ struct ovn_desired_flow_table *flow_table)\n {\n- if (!ps_addr->n_ipv4_addrs && ps_addr->n_ipv6_addrs) {\n- /* No ARP is allowed as only IPv6 addresses are configured. */\n- return;\n- }\n-\n build_port_sec_allow_action(ofpacts);\n+ reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n+ match_set_dl_src(m, phys_mac);\n+ match_set_dl_type(m, htons(ETH_TYPE_ARP));\n \n- if (!ps_addr->n_ipv4_addrs) {\n+ if (vector_is_empty(ip4_addrs)) {\n /* No IPv4 addresses.\n * Add the below logical flow equivalent OF rules in 'in_port_sec_nd'\n * table.\n * priority: 90\n- * match - \"inport == pb->port && eth.src == ps_addr.ea &&\n- * arp && arp.sha == ps_addr.ea\"\n+ * match - \"inport == pb->port && eth.src == phys_mac &&\n+ * arp && arp.sha == {phys_mac, vrrp4_addrs}\"\n * action - \"port_sec_failed = 0;\"\n */\n- reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_src(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_ARP));\n- match_set_arp_sha(m, ps_addr->ea);\n- ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n- pb->header_.uuid.parts[0], m, ofpacts,\n- &pb->header_.uuid);\n+\n+ if (!is_vrrp) {\n+ match_set_arp_sha(m, phys_mac);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n+\n+ struct masked_eth_addr *mmac;\n+ VECTOR_FOR_EACH_PTR (vrrp4_addrs, mmac) {\n+ match_set_arp_sha_masked(m, mmac->addr, mmac->mask);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n }\n \n /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd'\n@@ -2595,74 +2746,62 @@ build_in_port_sec_arp_flows(const struct sbrec_port_binding *pb,\n * arp && arp.sha == ps_addr.ea && arp.spa == {ps_addr.ipv4_addrs}\"\n * action - \"port_sec_failed = 0;\"\n */\n- for (size_t j = 0; j < ps_addr->n_ipv4_addrs; j++) {\n- reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_src(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_ARP));\n- match_set_arp_sha(m, ps_addr->ea);\n-\n- ovs_be32 mask = ps_addr->ipv4_addrs[j].mask;\n- if (ps_addr->ipv4_addrs[j].plen == 32 ||\n- ps_addr->ipv4_addrs[j].addr & ~mask) {\n- match_set_nw_src(m, ps_addr->ipv4_addrs[j].addr);\n- } else {\n- match_set_nw_src_masked(m, ps_addr->ipv4_addrs[j].addr, mask);\n+ const struct masked_ip4_addr *ip;\n+ VECTOR_FOR_EACH_PTR (ip4_addrs, ip) {\n+ match_set_nw_src_masked(m, ip->addr, ip->mask);\n+\n+ if (!is_vrrp) {\n+ match_set_arp_sha(m, phys_mac);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n+\n+ struct masked_eth_addr *mmac;\n+ VECTOR_FOR_EACH_PTR (vrrp4_addrs, mmac) {\n+ match_set_arp_sha_masked(m, mmac->addr, mmac->mask);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n }\n- ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n- pb->header_.uuid.parts[0], m, ofpacts,\n- &pb->header_.uuid);\n }\n }\n \n static void\n build_in_port_sec_ip6_flows(const struct sbrec_port_binding *pb,\n- struct lport_addresses *ps_addr,\n- struct match *m, struct ofpbuf *ofpacts,\n- struct ovn_desired_flow_table *flow_table)\n+ struct eth_addr mac, struct eth_addr mask,\n+ const struct vector *ip6_addrs,\n+ struct match *m, struct ofpbuf *ofpacts,\n+ struct ovn_desired_flow_table *flow_table)\n {\n- if (!ps_addr->n_ipv6_addrs) {\n- /* If no IPv6 addresses, then 'pb' is not allowed to send IPv6 traffic.\n- * build_in_port_sec_default_flows() takes care of this scenario. */\n- return;\n- }\n-\n /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd'\n * table.\n * priority: 90\n- * match - \"inport == pb->port && eth.src == ps_addr.ea &&\n+ * match - \"inport == pb->port && eth.src == mac/mask &&\n * ip6.src == {ps_addr.ipv6_addrs, lla}\"\n * action - \"next;\"\n * description - Advance the packet for Neighbor Solicit/Adv check.\n */\n build_port_sec_adv_nd_check(ofpacts);\n+ reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n+ match_set_dl_src_masked(m, mac, mask);\n+ match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n \n- for (size_t j = 0; j < ps_addr->n_ipv6_addrs; j++) {\n- reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_src(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n-\n- if (ps_addr->ipv6_addrs[j].plen == 128\n- || !ipv6_addr_is_host_zero(&ps_addr->ipv6_addrs[j].addr,\n- &ps_addr->ipv6_addrs[j].mask)) {\n- match_set_ipv6_src(m, &ps_addr->ipv6_addrs[j].addr);\n- } else {\n- match_set_ipv6_src_masked(m, &ps_addr->ipv6_addrs[j].network,\n- &ps_addr->ipv6_addrs[j].mask);\n- }\n-\n+ const struct masked_ip6_addr *ip;\n+ VECTOR_FOR_EACH_PTR (ip6_addrs, ip) {\n+ match_set_ipv6_src_masked(m, &ip->addr, &ip->mask);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n }\n \n- reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_src(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n \n struct in6_addr lla;\n- in6_generate_lla(ps_addr->ea, &lla);\n- match_set_ipv6_src(m, &lla);\n+ in6_generate_lla(mac, &lla);\n+ unsigned int plen = 128 - 48 + eth_addr_get_prefix_len(mask);\n+ struct in6_addr lla_mask = ipv6_create_mask(plen);\n \n+ match_set_ipv6_src_masked(m, &lla, &lla_mask);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n@@ -2677,11 +2816,12 @@ build_in_port_sec_ip6_flows(const struct sbrec_port_binding *pb,\n */\n build_port_sec_allow_action(ofpacts);\n match_set_ipv6_src(m, &in6addr_any);\n- struct in6_addr ip6, mask;\n- char *err = ipv6_parse_masked(\"ff02::/16\", &ip6, &mask);\n+\n+ struct in6_addr ip6, ip_mask;\n+ char *err = ipv6_parse_masked(\"ff02::/16\", &ip6, &ip_mask);\n ovs_assert(!err);\n \n- match_set_ipv6_dst_masked(m, &ip6, &mask);\n+ match_set_ipv6_dst_masked(m, &ip6, &ip_mask);\n match_set_nw_proto(m, IPPROTO_ICMPV6);\n match_set_icmp_type(m, 131);\n match_set_icmp_code(m, 0);\n@@ -2714,99 +2854,118 @@ build_in_port_sec_ip6_flows(const struct sbrec_port_binding *pb,\n * 'in_port_sec_nd' table. */\n static void\n build_in_port_sec_nd_flows(const struct sbrec_port_binding *pb,\n- struct lport_addresses *ps_addr,\n- struct match *m, struct ofpbuf *ofpacts,\n+ struct eth_addr phys_mac,\n+ const struct vector *ip6_addrs,\n+ const struct vector *vrrp6_addrs,\n+ bool is_vrrp, struct match *m,\n+ struct ofpbuf *ofpacts,\n struct ovn_desired_flow_table *flow_table)\n {\n build_port_sec_allow_action(ofpacts);\n+ reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n+ match_set_dl_src(m, phys_mac);\n+ match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n+ match_set_nw_proto(m, IPPROTO_ICMPV6);\n+ match_set_icmp_code(m, 0);\n+ match_set_nw_ttl(m, 255);\n \n /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd'\n * table.\n * priority: 90\n- * match - \"inport == pb->port && eth.src == ps_addr.ea &&\n- * icmp6 && icmp6.code == 135 && icmp6.type == 0 &&\n- * ip6.tll == 255 && nd.sll == {00:00:00:00:00:00, ps_addr.ea}\"\n+ * match - \"inport == pb->port && eth.src == phys_mac &&\n+ * icmp6 && icmp6.type == 135 && icmp6.code == 0 &&\n+ * ip6.tll == 255 &&\n+ * nd.sll == {00:00:00:00:00:00, phys_mac, vrrp6_addrs}\"\n * action - \"port_sec_failed = 0;\"\n */\n- reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n- match_set_nw_proto(m, IPPROTO_ICMPV6);\n- match_set_dl_src(m, ps_addr->ea);\n- match_set_nw_ttl(m, 255);\n+\n match_set_icmp_type(m, 135);\n- match_set_icmp_code(m, 0);\n \n match_set_arp_sha(m, eth_addr_zero);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n \n- match_set_arp_sha(m, ps_addr->ea);\n- ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n- pb->header_.uuid.parts[0], m, ofpacts,\n- &pb->header_.uuid);\n+ if (!is_vrrp) {\n+ match_set_arp_sha(m, phys_mac);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n+\n+ struct masked_eth_addr *mmac;\n+ VECTOR_FOR_EACH_PTR (vrrp6_addrs, mmac) {\n+ match_set_arp_sha_masked(m, mmac->addr, mmac->mask);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n \n+ match_set_arp_sha_masked(m, eth_addr_zero, eth_addr_zero);\n match_set_icmp_type(m, 136);\n- match_set_icmp_code(m, 0);\n- if (ps_addr->n_ipv6_addrs) {\n+ if (!vector_is_empty(ip6_addrs)) {\n /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd'\n * table if IPv6 addresses are configured.\n * priority: 90\n- * match - \"inport == pb->port && eth.src == ps_addr.ea && icmp6 &&\n- * icmp6.code == 136 && icmp6.type == 0 && ip6.tll == 255 &&\n- * nd.tll == {00:00:00:00:00:00, ps_addr.ea} &&\n- * nd.target == {ps_addr.ipv6_addrs, lla}\"\n+ * match - \"inport == pb->port && eth.src == phys_mac && icmp6 &&\n+ * icmp6.type == 136 && icmp6.code == 0 && ip6.tll == 255 &&\n+ * nd.tll == {00:00:00:00:00:00, phys_mac, vrrp6_addrs} &&\n+ * nd.target == {lla, ip6_addrs}\"\n * action - \"port_sec_failed = 0;\"\n */\n struct in6_addr lla;\n- in6_generate_lla(ps_addr->ea, &lla);\n- match_set_arp_tha(m, eth_addr_zero);\n-\n- match_set_nd_target(m, &lla);\n- ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n- pb->header_.uuid.parts[0], m, ofpacts,\n- &pb->header_.uuid);\n- match_set_arp_tha(m, ps_addr->ea);\n+ in6_generate_lla(phys_mac, &lla);\n match_set_nd_target(m, &lla);\n+\n+ match_set_arp_tha(m, eth_addr_zero);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n \n- for (size_t j = 0; j < ps_addr->n_ipv6_addrs; j++) {\n- reset_match_for_port_sec_flows(pb, MFF_LOG_INPORT, m);\n- match_set_dl_src(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n- match_set_nw_proto(m, IPPROTO_ICMPV6);\n- match_set_nw_ttl(m, 255);\n- match_set_icmp_type(m, 136);\n- match_set_icmp_code(m, 0);\n- match_set_arp_tha(m, eth_addr_zero);\n-\n- if (ps_addr->ipv6_addrs[j].plen == 128\n- || !ipv6_addr_is_host_zero(&ps_addr->ipv6_addrs[j].addr,\n- &ps_addr->ipv6_addrs[j].mask)) {\n- match_set_nd_target(m, &ps_addr->ipv6_addrs[j].addr);\n- } else {\n- match_set_nd_target_masked(m, &ps_addr->ipv6_addrs[j].network,\n- &ps_addr->ipv6_addrs[j].mask);\n- }\n+ if (!is_vrrp) {\n+ match_set_arp_tha(m, phys_mac);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n \n+ VECTOR_FOR_EACH_PTR (vrrp6_addrs, mmac) {\n+ match_set_arp_tha_masked(m, mmac->addr, mmac->mask);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n+ }\n+\n+ const struct masked_ip6_addr *ip;\n+ VECTOR_FOR_EACH_PTR (ip6_addrs, ip) {\n+ match_set_nd_target_masked(m, &ip->addr, &ip->mask);\n \n- match_set_arp_tha(m, ps_addr->ea);\n+ match_set_arp_tha(m, eth_addr_zero);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n+\n+ if (!is_vrrp) {\n+ match_set_arp_tha(m, phys_mac);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n+\n+ VECTOR_FOR_EACH_PTR (vrrp6_addrs, mmac) {\n+ match_set_arp_tha_masked(m, mmac->addr, mmac->mask);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n }\n } else {\n /* Add the below logical flow equivalent OF rules in 'in_port_sec_nd'\n * table if no IPv6 addresses are configured.\n * priority: 90\n- * match - \"inport == pb->port && eth.src == ps_addr.ea && icmp6 &&\n+ * match - \"inport == pb->port && eth.src == phys_mac && icmp6 &&\n * icmp6.code == 136 && icmp6.type == 0 && ip6.tll == 255 &&\n- * nd.tll == {00:00:00:00:00:00, ps_addr.ea}\"\n+ * nd.tll == {00:00:00:00:00:00, phys_mac, vrrp6_addrs}\"\n * action - \"port_sec_failed = 0;\"\n */\n match_set_arp_tha(m, eth_addr_zero);\n@@ -2814,27 +2973,36 @@ build_in_port_sec_nd_flows(const struct sbrec_port_binding *pb,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n \n- match_set_arp_tha(m, ps_addr->ea);\n- ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n- pb->header_.uuid.parts[0], m, ofpacts,\n- &pb->header_.uuid);\n+ if (!is_vrrp) {\n+ match_set_arp_tha(m, phys_mac);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n+\n+ VECTOR_FOR_EACH_PTR (vrrp6_addrs, mmac) {\n+ match_set_arp_tha_masked(m, mmac->addr, mmac->mask);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_IN_PORT_SEC_ND, 90,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n }\n }\n \n static void\n build_out_port_sec_no_ip_flows(const struct sbrec_port_binding *pb,\n- struct lport_addresses *ps_addr,\n+ struct eth_addr mac, struct eth_addr mask,\n struct match *m, struct ofpbuf *ofpacts,\n struct ovn_desired_flow_table *flow_table)\n {\n /* Add the below logical flow equivalent OF rules in 'out_port_sec' table.\n * priority: 85\n- * match - \"outport == pb->logical_port && eth.dst == ps_addr.ea\"\n+ * match - \"outport == pb->logical_port && eth.dst == mac/mask\"\n * action - \"port_sec_failed = 0;\"\n * description: \"Allow the packet if eth.dst matches.\"\n */\n reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n- match_set_dl_dst(m, ps_addr->ea);\n+ match_set_dl_dst_masked(m, mac, mask);\n build_port_sec_allow_action(ofpacts);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 85,\n pb->header_.uuid.parts[0], m, ofpacts,\n@@ -2843,97 +3011,70 @@ build_out_port_sec_no_ip_flows(const struct sbrec_port_binding *pb,\n \n static void\n build_out_port_sec_ip4_flows(const struct sbrec_port_binding *pb,\n- struct lport_addresses *ps_addr,\n- struct match *m, struct ofpbuf *ofpacts,\n- struct ovn_desired_flow_table *flow_table)\n+ struct eth_addr mac, struct eth_addr mask,\n+ const struct vector *ip4_addrs,\n+ struct match *m, struct ofpbuf *ofpacts,\n+ struct ovn_desired_flow_table *flow_table)\n {\n- if (!ps_addr->n_ipv4_addrs && !ps_addr->n_ipv6_addrs) {\n- /* No IPv4 and no IPv6 addresses in the port security.\n- * Both IPv4 and IPv6 traffic should be delivered to the\n- * lport. build_out_port_sec_no_ip_flows() takes care of\n- * adding the required flow(s) to allow. */\n- return;\n- }\n+ reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n+ match_set_dl_dst_masked(m, mac, mask);\n+ match_set_dl_type(m, htons(ETH_TYPE_IP));\n \n /* Add the below logical flow equivalent OF rules in 'out_port_sec' table.\n * priority: 90\n- * match - \"outport == pb->logical_port && eth.dst == ps_addr.ea && ip4\"\n+ * match - \"outport == pb->logical_port && eth.dst == mac/mask && ip4\"\n * action - \"port_sec_failed = 1;\"\n * description: Default drop IPv4 packets. If IPv4 addresses are\n * configured, then higher priority flows are added\n * to allow specific IPv4 packets.\n */\n- reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n- match_set_dl_dst(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IP));\n+\n build_port_sec_deny_action(ofpacts);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n \n- if (!ps_addr->n_ipv4_addrs) {\n+ if (vector_is_empty(ip4_addrs)) {\n return;\n }\n \n+ build_port_sec_allow_action(ofpacts);\n /* Add the below logical flow equivalent OF rules in 'out_port_sec' table.\n * priority: 95\n- * match - \"outport == pb->logical_port && eth.dst == ps_addr.ea &&\n- * ip4.dst == {ps_addr.ipv4_addrs, 255.255.255.255, 224.0.0.0/4},\"\n+ * match - \"outport == pb->logical_port && eth.dst == mac/mask &&\n+ * ip4.dst == {ip4_addrs, 255.255.255.255, 224.0.0.0/4},\"\n * action - \"port_sec_failed = 0;\"\n */\n- build_port_sec_allow_action(ofpacts);\n- for (size_t j = 0; j < ps_addr->n_ipv4_addrs; j++) {\n- reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n- match_set_dl_dst(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IP));\n- ovs_be32 mask = ps_addr->ipv4_addrs[j].mask;\n- if (ps_addr->ipv4_addrs[j].plen == 32\n- || ps_addr->ipv4_addrs[j].addr & ~mask) {\n-\n- if (ps_addr->ipv4_addrs[j].plen != 32) {\n- /* Special case to allow bcast traffic.\n- * Eg. If ps_addr is 10.0.0.4/24, then add the below flow\n- * priority: 95\n- * match - \"outport == pb->logical_port &&\n- * eth.dst == ps_addr.ea &&\n- * ip4.dst == 10.0.0.255\"\n- * action - \"port_sec_failed = 0;\"\n- */\n- ovs_be32 bcast_addr;\n- ovs_assert(ip_parse(ps_addr->ipv4_addrs[j].bcast_s,\n- &bcast_addr));\n- match_set_nw_dst(m, bcast_addr);\n- ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 95,\n- pb->header_.uuid.parts[0], m, ofpacts,\n- &pb->header_.uuid);\n- }\n-\n- match_set_nw_dst(m, ps_addr->ipv4_addrs[j].addr);\n- } else {\n- /* host portion is zero */\n- match_set_nw_dst_masked(m, ps_addr->ipv4_addrs[j].addr,\n- mask);\n- }\n-\n+ const struct masked_ip4_addr *ip;\n+ VECTOR_FOR_EACH_PTR (ip4_addrs, ip) {\n+ match_set_nw_dst_masked(m, ip->addr, ip->mask);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 95,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n- }\n \n- reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n- match_set_dl_dst(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IP));\n+ if (ip->bcast) {\n+ /* Special case to allow bcast traffic.\n+ * Eg. If address is 10.0.0.4/24, then add the below flow\n+ * priority: 95\n+ * match - \"outport == pb->logical_port &&\n+ * eth.dst == ps_addr.ea &&\n+ * ip4.dst == 10.0.0.255\"\n+ * action - \"port_sec_failed = 0;\"\n+ */\n+ match_set_nw_dst(m, ip->bcast);\n+ ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 95,\n+ pb->header_.uuid.parts[0], m, ofpacts,\n+ &pb->header_.uuid);\n+ }\n+ }\n \n- ovs_be32 ip4 = htonl(0xffffffff);\n- match_set_nw_dst(m, ip4);\n+ match_set_nw_dst(m, htonl(0xffffffff));\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 95,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n \n /* Allow 224.0.0.0/4 traffic. */\n- ip4 = htonl(0xe0000000);\n- ovs_be32 mask = htonl(0xf0000000);\n- match_set_nw_dst_masked(m, ip4, mask);\n+ match_set_nw_dst_masked(m, htonl(0xe0000000), htonl(0xf0000000));\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 95,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n@@ -2941,112 +3082,270 @@ build_out_port_sec_ip4_flows(const struct sbrec_port_binding *pb,\n \n static void\n build_out_port_sec_ip6_flows(const struct sbrec_port_binding *pb,\n- struct lport_addresses *ps_addr,\n- struct match *m, struct ofpbuf *ofpacts,\n- struct ovn_desired_flow_table *flow_table)\n+ struct eth_addr mac, struct eth_addr mask,\n+ const struct vector *ip6_addrs,\n+ struct match *m, struct ofpbuf *ofpacts,\n+ struct ovn_desired_flow_table *flow_table)\n {\n- if (!ps_addr->n_ipv4_addrs && !ps_addr->n_ipv6_addrs) {\n- /* No IPv4 and no IPv6 addresses in the port security.\n- * Both IPv4 and IPv6 traffic should be delivered to the\n- * lport. build_out_port_sec_no_ip_flows() takes care of\n- * adding the required flow(s) to allow. */\n- return;\n- }\n+ reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n+ match_set_dl_dst_masked(m, mac, mask);\n+ match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n \n /* Add the below logical flow equivalent OF rules in 'out_port_sec' table.\n * priority: 90\n- * match - \"outport == pb->logical_port && eth.dst == ps_addr.ea && ip6\"\n+ * match - \"outport == pb->logical_port && eth.dst == mac/mask && ip6\"\n * action - \"port_sec_failed = 1;\"\n * description: Default drop IPv6 packets. If IPv6 addresses are\n * configured, then higher priority flows are added\n * to allow specific IPv6 packets.\n */\n- reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n- match_set_dl_dst(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n build_port_sec_deny_action(ofpacts);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 90,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n \n- if (!ps_addr->n_ipv6_addrs) {\n+ if (vector_is_empty(ip6_addrs)) {\n return;\n }\n \n+ build_port_sec_allow_action(ofpacts);\n /* Add the below logical flow equivalent OF rules in 'out_port_sec' table.\n * priority: 95\n- * match - \"outport == pb->logical_port && eth.dst == ps_addr.ea &&\n- * ip6.dst == {ps_addr.ipv6_addrs, lla, ff00::/8},\"\n+ * match - \"outport == pb->logical_port && eth.dst == mac/mask &&\n+ * ip6.dst == {mac/mask, ip6_addrs, lla, ff00::/8},\"\n * action - \"port_sec_failed = 0;\"\n */\n- build_port_sec_allow_action(ofpacts);\n- for (size_t j = 0; j < ps_addr->n_ipv6_addrs; j++) {\n- reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n- match_set_dl_dst(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n-\n- if (ps_addr->ipv6_addrs[j].plen == 128\n- || !ipv6_addr_is_host_zero(&ps_addr->ipv6_addrs[j].addr,\n- &ps_addr->ipv6_addrs[j].mask)) {\n- match_set_ipv6_dst(m, &ps_addr->ipv6_addrs[j].addr);\n- } else {\n- match_set_ipv6_dst_masked(m, &ps_addr->ipv6_addrs[j].network,\n- &ps_addr->ipv6_addrs[j].mask);\n- }\n-\n+ const struct masked_ip6_addr *ip;\n+ VECTOR_FOR_EACH_PTR (ip6_addrs, ip) {\n+ match_set_ipv6_dst_masked(m, &ip->addr, &ip->mask);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 95,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n }\n \n struct in6_addr lla;\n- in6_generate_lla(ps_addr->ea, &lla);\n+ in6_generate_lla(mac, &lla);\n+ unsigned int plen = 128 - 48 + eth_addr_get_prefix_len(mask);\n+ struct in6_addr lla_mask = ipv6_create_mask(plen);\n \n- reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, m);\n- match_set_dl_dst(m, ps_addr->ea);\n- match_set_dl_type(m, htons(ETH_TYPE_IPV6));\n- match_set_ipv6_dst(m, &lla);\n+ match_set_ipv6_dst_masked(m, &lla, &lla_mask);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 95,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n \n- struct in6_addr ip6, mask;\n- char *err = ipv6_parse_masked(\"ff00::/8\", &ip6, &mask);\n+ struct in6_addr ip6, ip_mask;\n+ char *err = ipv6_parse_masked(\"ff00::/8\", &ip6, &ip_mask);\n ovs_assert(!err);\n \n- match_set_ipv6_dst_masked(m, &ip6, &mask);\n+ match_set_ipv6_dst_masked(m, &ip6, &ip_mask);\n ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 95,\n pb->header_.uuid.parts[0], m, ofpacts,\n &pb->header_.uuid);\n }\n \n static void\n-consider_port_sec_flows(const struct sbrec_port_binding *pb,\n- struct ovn_desired_flow_table *flow_table)\n+build_port_sec_entry_flows(const struct sbrec_port_binding *pb,\n+ const struct port_security_addresses *ps_addr,\n+ struct match *m, struct ofpbuf *ofpacts,\n+ struct ovn_desired_flow_table *flow_table)\n {\n- if (!pb->n_port_security) {\n- return;\n+ /* Input no-ip flows. */\n+ if (vector_is_empty(&ps_addr->ip4) && vector_is_empty(&ps_addr->ip6)) {\n+ build_in_port_sec_no_ip_flows(pb, ps_addr->phys_addr, eth_addr_exact,\n+ m, ofpacts, flow_table);\n }\n \n- struct lport_addresses *ps_addrs; /* Port security addresses. */\n- size_t n_ps_addrs = 0;\n+ /* Input IPv4 flows. */\n+ if (!vector_is_empty(&ps_addr->ip4)) {\n+ build_in_port_sec_ip4_flows(pb, ps_addr->phys_addr, eth_addr_exact,\n+ &ps_addr->ip4, m, ofpacts, flow_table);\n+ }\n \n- ps_addrs = xmalloc(sizeof *ps_addrs * pb->n_port_security);\n- for (size_t i = 0; i < pb->n_port_security; i++) {\n- if (!extract_lsp_addresses(pb->port_security[i],\n- &ps_addrs[n_ps_addrs])) {\n- static struct vlog_rate_limit rl\n- = VLOG_RATE_LIMIT_INIT(1, 1);\n- VLOG_WARN_RL(&rl, \"invalid syntax '%s' in port \"\n- \"security. No MAC address found\",\n- pb->port_security[i]);\n- continue;\n+ /* Input ARP flows. */\n+ if (!vector_is_empty(&ps_addr->ip4) || vector_is_empty(&ps_addr->ip6)) {\n+ build_in_port_sec_arp_flows(pb, ps_addr->phys_addr, &ps_addr->ip4,\n+ &ps_addr->vrrp4, false, m, ofpacts,\n+ flow_table);\n+ }\n+\n+ /* Input Ipv6 flows. */\n+ if (!vector_is_empty(&ps_addr->ip6)) {\n+ build_in_port_sec_ip6_flows(pb, ps_addr->phys_addr, eth_addr_exact,\n+ &ps_addr->ip6, m, ofpacts, flow_table);\n+ }\n+\n+ /* Input ND flows. */\n+ build_in_port_sec_nd_flows(pb, ps_addr->phys_addr, &ps_addr->ip6,\n+ &ps_addr->vrrp6, false, m, ofpacts,\n+ flow_table);\n+\n+ /* Output no-ip flows. */\n+ build_out_port_sec_no_ip_flows(pb, ps_addr->phys_addr, eth_addr_exact,\n+ m, ofpacts, flow_table);\n+\n+ /* Output IPv4 flows. */\n+ if (!vector_is_empty(&ps_addr->ip4) || !vector_is_empty(&ps_addr->ip6)) {\n+ build_out_port_sec_ip4_flows(pb, ps_addr->phys_addr, eth_addr_exact,\n+ &ps_addr->ip4, m, ofpacts, flow_table);\n+ }\n+\n+ /* Output Ipv6 flows. */\n+ if (!vector_is_empty(&ps_addr->ip4) || !vector_is_empty(&ps_addr->ip6)) {\n+ build_out_port_sec_ip6_flows(pb, ps_addr->phys_addr, eth_addr_exact,\n+ &ps_addr->ip6, m, ofpacts, flow_table);\n+ }\n+}\n+\n+static void\n+build_port_sec_entry_vrrp_flows(const struct sbrec_port_binding *pb,\n+ const struct port_security_addresses *ps_addr,\n+ struct match *m, struct ofpbuf *ofpacts,\n+ struct ovn_desired_flow_table *flow_table)\n+{\n+ const struct masked_eth_addr *maddr;\n+\n+ /* Input no-ip flows. */\n+ if (vector_is_empty(&ps_addr->ip4) && vector_is_empty(&ps_addr->ip6)) {\n+ VECTOR_FOR_EACH_PTR (&ps_addr->vrrp4, maddr) {\n+ build_in_port_sec_no_ip_flows(pb, maddr->addr, maddr->mask,\n+ m, ofpacts, flow_table);\n+ }\n+\n+ VECTOR_FOR_EACH_PTR (&ps_addr->vrrp6, maddr) {\n+ build_in_port_sec_no_ip_flows(pb, maddr->addr, maddr->mask,\n+ m, ofpacts, flow_table);\n }\n- n_ps_addrs++;\n }\n \n- if (!n_ps_addrs) {\n- free(ps_addrs);\n+ /* Input IPv4 flows. */\n+ if (!vector_is_empty(&ps_addr->ip4)) {\n+ VECTOR_FOR_EACH_PTR (&ps_addr->vrrp4, maddr) {\n+ build_in_port_sec_ip4_flows(pb, maddr->addr, maddr->mask,\n+ &ps_addr->ip4, m, ofpacts, flow_table);\n+ }\n+ }\n+\n+ /* Input ARP flows. */\n+ if (!vector_is_empty(&ps_addr->ip4) || vector_is_empty(&ps_addr->ip6)) {\n+ build_in_port_sec_arp_flows(pb, ps_addr->phys_addr, &ps_addr->ip4,\n+ &ps_addr->vrrp4, true, m, ofpacts,\n+ flow_table);\n+ }\n+\n+ /* Input Ipv6 flows. */\n+ if (!vector_is_empty(&ps_addr->ip6)) {\n+ VECTOR_FOR_EACH_PTR (&ps_addr->vrrp6, maddr) {\n+ build_in_port_sec_ip6_flows(pb, maddr->addr, maddr->mask,\n+ &ps_addr->ip6, m, ofpacts, flow_table);\n+ }\n+ }\n+\n+ /* Input ND flows. */\n+ build_in_port_sec_nd_flows(pb, ps_addr->phys_addr, &ps_addr->ip6,\n+ &ps_addr->vrrp6, true, m, ofpacts,\n+ flow_table);\n+\n+ /* Output no-ip flows. */\n+ VECTOR_FOR_EACH_PTR (&ps_addr->vrrp4, maddr) {\n+ build_out_port_sec_no_ip_flows(pb, maddr->addr, maddr->mask,\n+ m, ofpacts, flow_table);\n+ }\n+\n+ VECTOR_FOR_EACH_PTR (&ps_addr->vrrp6, maddr) {\n+ build_out_port_sec_no_ip_flows(pb, maddr->addr, maddr->mask,\n+ m, ofpacts, flow_table);\n+ }\n+\n+ /* Output IPv4 flows. */\n+ if (!vector_is_empty(&ps_addr->ip4) || !vector_is_empty(&ps_addr->ip6)) {\n+ VECTOR_FOR_EACH_PTR (&ps_addr->vrrp4, maddr) {\n+ build_out_port_sec_ip4_flows(pb, maddr->addr, maddr->mask,\n+ &ps_addr->ip4, m, ofpacts,\n+ flow_table);\n+ }\n+ }\n+\n+ /* Output Ipv6 flows. */\n+ if (!vector_is_empty(&ps_addr->ip4) || !vector_is_empty(&ps_addr->ip6)) {\n+ VECTOR_FOR_EACH_PTR (&ps_addr->vrrp6, maddr) {\n+ build_out_port_sec_ip6_flows(pb, maddr->addr, maddr->mask,\n+ &ps_addr->ip6, m, ofpacts,\n+ flow_table);\n+ }\n+ }\n+}\n+\n+static bool\n+port_security_addresses_parse_entry(const char *entry, const char *lsp,\n+ struct port_security_addresses *ps_addr)\n+{\n+ static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);\n+\n+ bool vrrpv3 = !strncmp(entry, \"VRRPv3\", 6);\n+ int n = vrrpv3 ? 7 : 0;\n+\n+ if (!ovs_scan_len(entry, &n, ETH_ADDR_SCAN_FMT,\n+ ETH_ADDR_SCAN_ARGS(ps_addr->phys_addr))) {\n+ VLOG_WARN_RL(&rl, \"invalid syntax '%s' in port security for LSP %s: \"\n+ \"No MAC address found\", entry, lsp);\n+ return false;\n+ }\n+\n+ bool ok = true;\n+\n+ /* Only MAC address is provided. */\n+ if (!entry[n]) {\n+ goto vrrp_check;\n+ }\n+\n+ char *save_ptr = NULL;\n+ char *tokstr = xstrdup(entry + n);\n+ for (char *token = strtok_r(tokstr, \" \", &save_ptr);\n+ token != NULL;\n+ token = strtok_r(NULL, \" \", &save_ptr)) {\n+ struct eth_addr mac;\n+ struct in6_addr ip;\n+ unsigned int plen;\n+\n+ if (vrrpv3 && eth_addr_parse_masked(token, &mac, &plen)) {\n+ if (!port_security_addresses_add_vrrp_mac(ps_addr, mac, plen)) {\n+ VLOG_WARN_RL(&rl, \"invalid syntax '%s' in port security for\"\n+ \" LSP %s: Invalid VRRPv3 MAC\", token, lsp);\n+ ok = false;\n+ break;\n+ }\n+ } else if (ip46_parse_cidr(token, &ip, &plen)) {\n+ if (!port_security_addresses_add_ip(ps_addr, ip, plen)) {\n+ VLOG_WARN_RL(&rl, \"invalid syntax '%s' in port security for\"\n+ \" LSP %s: Invalid IP\", token, lsp);\n+ ok = false;\n+ break;\n+ }\n+ } else {\n+ VLOG_WARN_RL(&rl, \"invalid syntax '%s' in port security for\"\n+ \" LSP %s: Invalid IP or MAC\", token, lsp);\n+ ok = false;\n+ break;\n+ }\n+ }\n+\n+ free(tokstr);\n+\n+vrrp_check:\n+ if (vrrpv3 && vector_is_empty(&ps_addr->vrrp4) &&\n+ vector_is_empty(&ps_addr->vrrp6)) {\n+ vector_push(&ps_addr->vrrp4, &maddr_any_vrrp4);\n+ vector_push(&ps_addr->vrrp6, &maddr_any_vrrp6);\n+ }\n+\n+ return ok;\n+}\n+\n+static void\n+consider_port_sec_flows(const struct sbrec_port_binding *pb,\n+ struct ovn_desired_flow_table *flow_table)\n+{\n+ if (!pb->n_port_security) {\n return;\n }\n \n@@ -3054,48 +3353,34 @@ consider_port_sec_flows(const struct sbrec_port_binding *pb,\n uint64_t stub[1024 / 8];\n struct ofpbuf ofpacts = OFPBUF_STUB_INITIALIZER(stub);\n \n- build_in_port_sec_default_flows(pb, &match, &ofpacts, flow_table);\n+ bool flows_installed = false;\n+ struct port_security_addresses ps_addr;\n+ port_security_addresses_init(&ps_addr);\n \n- for (size_t i = 0; i < n_ps_addrs; i++) {\n- build_in_port_sec_no_ip_flows(pb, &ps_addrs[i], &match, &ofpacts,\n- flow_table);\n- build_in_port_sec_ip4_flows(pb, &ps_addrs[i], &match, &ofpacts,\n- flow_table);\n- build_in_port_sec_arp_flows(pb, &ps_addrs[i], &match, &ofpacts,\n- flow_table);\n- build_in_port_sec_ip6_flows(pb, &ps_addrs[i], &match, &ofpacts,\n- flow_table);\n- build_in_port_sec_nd_flows(pb, &ps_addrs[i], &match, &ofpacts,\n- flow_table);\n- }\n+ for (size_t i = 0; i < pb->n_port_security; i++) {\n+ if (port_security_addresses_parse_entry(pb->port_security[i],\n+ pb->logical_port, &ps_addr)) {\n+ if (vector_is_empty(&ps_addr.vrrp4) &&\n+ vector_is_empty(&ps_addr.vrrp6)) {\n+ build_port_sec_entry_flows(pb, &ps_addr, &match,\n+ &ofpacts, flow_table);\n \n- /* Out port security. */\n+ } else {\n+ build_port_sec_entry_vrrp_flows(pb, &ps_addr, &match,\n+ &ofpacts, flow_table);\n+ }\n \n- /* Add the below logical flow equivalent OF rules in 'out_port_sec_nd'\n- * table.\n- * priority: 80\n- * match - \"outport == pb->logical_port\"\n- * action - \"port_sec_failed = 1;\"\n- * descrption: \"Drop all traffic\"\n- */\n- reset_match_for_port_sec_flows(pb, MFF_LOG_OUTPORT, &match);\n- build_port_sec_deny_action(&ofpacts);\n- ofctrl_add_flow(flow_table, OFTABLE_CHK_OUT_PORT_SEC, 80,\n- pb->header_.uuid.parts[0], &match, &ofpacts,\n- &pb->header_.uuid);\n+ flows_installed = true;\n+ }\n \n- for (size_t i = 0; i < n_ps_addrs; i++) {\n- build_out_port_sec_no_ip_flows(pb, &ps_addrs[i], &match, &ofpacts,\n- flow_table);\n- build_out_port_sec_ip4_flows(pb, &ps_addrs[i], &match, &ofpacts,\n- flow_table);\n- build_out_port_sec_ip6_flows(pb, &ps_addrs[i], &match, &ofpacts,\n- flow_table);\n+ port_security_addresses_clear(&ps_addr);\n }\n \n- ofpbuf_uninit(&ofpacts);\n- for (size_t i = 0; i < n_ps_addrs; i++) {\n- destroy_lport_addresses(&ps_addrs[i]);\n+ if (flows_installed) {\n+ build_in_port_sec_default_flows(pb, &match, &ofpacts, flow_table);\n+ build_out_port_sec_default_flows(pb, &match, &ofpacts, flow_table);\n }\n- free(ps_addrs);\n+\n+ ofpbuf_uninit(&ofpacts);\n+ port_security_addresses_destroy(&ps_addr);\n }\ndiff --git a/ovn-nb.xml b/ovn-nb.xml\nindex aab091883..85ac7b61b 100644\n--- a/ovn-nb.xml\n+++ b/ovn-nb.xml\n@@ -2057,6 +2057,23 @@\n addresses within an element may be space or comma separated.\n </p>\n \n+ <p>\n+ Each element in the set also supports the special prefix \"VRRPv3\"\n+ that allows specification of single physical MAC and multiple\n+ VRRPv3 MAC addresses. As for non VRRPv3 entries, multiple IP\n+ addresses can be associated with the specified MACs. \"VRRPv3\" with\n+ a single physical MAC translates to allowing traffic for the whole\n+ \"VRRPv3\" range of MACs. See more in the examples.\n+\n+ When the port security configuration entry contains the VRRPv3 label,\n+ the behavior for physical MAC (the first specified) is different.\n+ The installed flows will allow traffic from/to VRRP MACs + IPs.\n+ The physical MAC is there to properly allow ARP/ND with given\n+ VRRP MACs. To allow traffic that is not related to virtual router,\n+ e.g., IP traffic with a physical MAC as a source, a regular port\n+ security entry should be added separately.\n+ </p>\n+\n <p>\n This column is provided as a convenience to cloud management systems,\n but all of the features that it implements can be implemented as ACLs\n@@ -2102,6 +2119,44 @@\n 255.255.255.255, and any address in 224.0.0.0/4. The host may not\n send or receive any IPv6 (including IPv6 Neighbor Discovery) traffic.\n </dd>\n+\n+ <dt><code>\"VRRPv3 <PHYSICAL_MAC>\"</code></dt>\n+ <dd>\n+ The host may send ARP/ND packets with physical MAC as a source and\n+ any of the VRRPv3 MACs as inner SHA/TLL/SLL - 00:00:5e:00:01:00/40\n+ for IPv4 and 00:00:5E:00:02:00/40 for IPv6. It may also send or\n+ receive any traffic with any of VRRPv3 MAC addresses as a source\n+ or destination. But not with the physical MAC address.\n+ </dd>\n+\n+ <dt><code>\"VRRPv3 <PHYSICAL_MAC></code>\n+ <code><VRRPV3_MACv4_1>/[<MASK1>]</code>\n+ <code><VRRPV3_MACv4_N></code>\n+ <code><VRRPV3_MACv6_1>/[<MASK2>]</code>\n+ <code><VRRPV3_MACv6_N>\"</code></dt>\n+ <dd>\n+ Same as the previous example, but allowed VRRPv3 MAC addresses are\n+ limited to the specified ones. The specified VRRPv3 MAC addresses\n+ must have a correct prefix - 00:00:5e:00:01 for IPv4 and\n+ 00:00:5e:00:02 for IPv6. VRRPv3 MACs can be provided with a mask\n+ with a prefix between /40 and /48.\n+ </dd>\n+\n+ <dt><code>\"VRRPv3 <PHYSICAL_MAC></code>\n+ <code><VRRPV3_MACv4_1>/[<MASK1>]</code>\n+ <code><VRRPV3_MACv4_N></code>\n+ <code><VRRPV3_MACv6_1>/[<MASK2>]</code>\n+ <code><VRRPV3_MACv6_N></code>\n+ <code><VRRPV3_IPv4_1>/[<MASK1>]</code>\n+ <code><VRRPV3_IPv4_N></code>\n+ <code><VRRPV3_IPv6_1>/[<MASK2>]</code>\n+ <code><VRRPV3_IPv6_N>\"</code></dt>\n+ <dd>\n+ The same as the previous example, but the provided IP addresses\n+ further restrict the inner IP for ARP/ND. As well as IP/IPv6\n+ traffic to/from given VRRPv3 MACs. The IP address format is the\n+ same as for the regular port security entry.\n+ </dd>\n </dl>\n </column>\n </group>\ndiff --git a/tests/ovn.at b/tests/ovn.at\nindex c2d113f8e..05d2bc65f 100644\n--- a/tests/ovn.at\n+++ b/tests/ovn.at\n@@ -44643,3 +44643,857 @@ check ovn-nbctl --wait=hv lsp-set-type down_ext localnet\n OVN_CLEANUP([hv1],[hv2])\n AT_CLEANUP\n ])\n+\n+OVN_FOR_EACH_NORTHD([\n+AT_SETUP([Port security - VRRPv3 ARP/ND])\n+AT_SKIP_IF([test $HAVE_SCAPY = no])\n+ovn_start\n+net_add n1\n+sim_add hv1\n+as hv1\n+check ovs-vsctl add-br br-phys\n+ovn_attach n1 br-phys 192.168.0.1\n+\n+check ovn-nbctl ls-add ls \\\n+ -- set logical_switch ls other-config:requested-tnl-key=1\n+\n+check ovn-nbctl lsp-add ls lsp1\n+check ovn-nbctl lsp-set-addresses lsp1 \"00:00:00:00:10:01 192.168.10.1 fd10::1\" \\\n+ -- set logical_switch_port lsp1 options:requested-tnl-key=1\n+\n+check ovn-nbctl lsp-add ls lsp2\n+check ovn-nbctl lsp-set-addresses lsp2 \"00:00:00:00:10:02 192.168.10.2 fd10::2\" \\\n+ -- set logical_switch_port lsp2 options:requested-tnl-key=2\n+\n+check ovs-vsctl -- add-port br-int vif1 -- \\\n+ set interface vif1 external-ids:iface-id=lsp1 \\\n+ options:tx_pcap=hv1/vif1-tx.pcap \\\n+ options:rxq_pcap=hv1/vif1-rx.pcap\n+\n+check ovs-vsctl -- add-port br-int vif2 -- \\\n+ set interface vif2 external-ids:iface-id=lsp2 \\\n+ options:tx_pcap=hv1/vif2-tx.pcap \\\n+ options:rxq_pcap=hv1/vif2-rx.pcap\n+\n+wait_for_ports_up\n+\n+test_arp() {\n+ local dropped=$1\n+\n+ packet=$(fmt_pkt \"\n+ Ether(dst='ff:ff:ff:ff:ff:ff', src='00:00:00:00:10:01') /\n+ ARP(op=1, hwsrc='00:00:5e:00:01:05', hwdst='ff:ff:ff:ff:ff:ff', psrc='192.168.10.1', pdst='192.168.10.2')\n+ \")\n+ check as hv1 ovs-appctl netdev-dummy/receive vif1 $packet\n+\n+ packet=$(fmt_pkt \"\n+ Ether(dst='ff:ff:ff:ff:ff:ff', src='00:00:00:00:10:01') /\n+ ARP(op=2, hwsrc='00:00:5e:00:01:05', hwdst='ff:ff:ff:ff:ff:ff', psrc='192.168.10.1', pdst='192.168.10.1')\n+ \")\n+ check as hv1 ovs-appctl netdev-dummy/receive vif1 $packet\n+\n+ if [[ \"$dropped\" != \"yes\" ]]; then\n+ echo $packet >> vif2.expected\n+ packet=$(fmt_pkt \"\n+ Ether(dst='00:00:00:00:10:01', src='00:00:00:00:10:02') /\n+ ARP(op=2, hwsrc='00:00:00:00:10:02', hwdst='00:00:5e:00:01:05', psrc='192.168.10.2', pdst='192.168.10.1')\n+ \")\n+ echo $packet >> vif1.expected\n+ fi\n+}\n+test_nd() {\n+ local dropped=$1\n+\n+ packet=$(fmt_pkt \"\n+ Ether(dst='33:33:ff:00:00:01', src='00:00:00:00:10:01') /\n+ IPv6(src='fd10::1', dst='ff02::1:ff00:2') /\n+ ICMPv6ND_NS(tgt='fd10::2') /\n+ ICMPv6NDOptSrcLLAddr(lladdr='00:00:5e:00:02:05')\n+ \")\n+ check as hv1 ovs-appctl netdev-dummy/receive vif1 $packet\n+\n+ packet=$(fmt_pkt \"\n+ Ether(dst='33:33:ff:00:00:01', src='00:00:00:00:10:01') /\n+ IPv6(src='fd10::1', dst='ff02::1:ff00:1') /\n+ ICMPv6ND_NA(tgt='fd10::1') /\n+ ICMPv6NDOptDstLLAddr(lladdr='00:00:5e:00:02:05')\n+ \")\n+ check as hv1 ovs-appctl netdev-dummy/receive vif1 $packet\n+\n+ if [[ \"$dropped\" != \"yes\" ]]; then\n+ echo $packet >> vif2.expected\n+\n+ packet=$(fmt_pkt \"\n+ Ether(dst='00:00:00:00:10:01', src='00:00:00:00:10:02') /\n+ IPv6(src='fd10::2', dst='fd10::1') /\n+ ICMPv6ND_NA(tgt='fd10::2', R=0, S=1, O=1) /\n+ ICMPv6NDOptDstLLAddr(lladdr='00:00:00:00:10:02')\n+ \")\n+ echo $packet >> vif1.expected\n+ fi\n+}\n+\n+reset_pcap_and_expected() {\n+ reset_pcap_file vif1 hv1/vif1\n+ reset_pcap_file vif2 hv1/vif2\n+\n+ : > vif1.expected\n+ : > vif2.expected\n+}\n+\n+AS_BOX([Without port security])\n+reset_pcap_and_expected\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [1])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [1])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [1])\n+\n+AS_BOX([With MAC only port security])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01\"\n+\n+test_arp yes\n+test_nd yes\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC + IP port security])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01 192.168.10.1 fd10::1\"\n+\n+test_arp yes\n+test_nd yes\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fe80::200:ff:fe00:1001 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fe80::200:ff:fe00:1001 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+\n+AS_BOX([With MAC only port security, VRRPv3=any])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01\" \"VRRPv3 00:00:00:00:10:01\"\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC + IP port security, VRRPv3=any])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01 192.168.10.1 fd10::1\" \"VRRPv3 00:00:00:00:10:01 192.168.10.1 fd10::1\"\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fe80::200:ff:fe00:1001 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00,ipv6_src=fe80::200:5eff:fe00:200/120 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fe80::200:ff:fe00:1001 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00,ipv6_dst=fe80::200:5eff:fe00:200/120 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC only port security, VRRPv3 valid IPv4])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:05\"\n+\n+test_arp no\n+test_nd yes\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:05 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC + IP port security, VRRPv3 valid IPv4])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01 192.168.10.1 fd10::1\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:05 192.168.10.1 fd10::1\"\n+\n+test_arp no\n+test_nd yes\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:05,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fe80::200:ff:fe00:1001 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:05,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fe80::200:ff:fe00:1001 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC only port security, VRRPv3 valid IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:02:05\"\n+\n+test_arp yes\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC + IP port security, VRRPv3 valid IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01 192.168.10.1 fd10::1\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:02:05 192.168.10.1 fd10::1\"\n+\n+test_arp yes\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fe80::200:ff:fe00:1001 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=fe80::200:5eff:fe00:205 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fe80::200:ff:fe00:1001 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=fe80::200:5eff:fe00:205 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC only port security, VRRPv3 valid IPv4 + IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:05 00:00:5e:00:02:05\"\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:05 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC + IP port security, VRRPv3 valid IPv4 + IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01 192.168.10.1 fd10::1\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:05 00:00:5e:00:02:05 192.168.10.1 fd10::1\"\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:05,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fe80::200:ff:fe00:1001 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=fe80::200:5eff:fe00:205 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:05,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fe80::200:ff:fe00:1001 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=fe80::200:5eff:fe00:205 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC only port security, VRRPv3 masked IPv4 + IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:00/45 00:00:5e:00:02:00/45\"\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC + IP port security, VRRPv3 masked IPv4 + IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01 192.168.10.1 fd10::1\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:00/45 00:00:5e:00:02:00/45 192.168.10.1 fd10::1\"\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fe80::200:ff:fe00:1001 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8,ipv6_src=fe80::200:5eff:fe00:200/125 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:f8,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fe80::200:ff:fe00:1001 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8,ipv6_dst=fe80::200:5eff:fe00:200/125 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:f8,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC + IP port security, VRRPv3 valid but different IPv4 + IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"00:00:00:00:10:01 192.168.10.1 fd10::1\" \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:01 00:00:5e:00:02:01 192.168.10.1 fd10::1\"\n+\n+test_arp yes\n+test_nd yes\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:01,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:01,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,ipv6_src=fe80::200:ff:fe00:1001 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:01,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:01,ipv6_src=fe80::200:5eff:fe00:201 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:01,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:5e:00:01:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:5e:00:02:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:5e:00:02:01 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:01 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:01 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:01,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:01,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:01,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=fe80::200:ff:fe00:1001 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:00:00:10:01,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:01,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:01,ipv6_dst=fe80::200:5eff:fe00:201 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:01,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With MAC only port security, VRRPv3 invalid IPv4])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:00\"\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [1])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [1])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [1])\n+\n+AS_BOX([With MAC only port security, VRRPv3 invalid IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:02:00\"\n+\n+test_arp no\n+test_nd no\n+\n+OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AS_BOX([With VRRPv3=any])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"VRRPv3 00:00:00:00:10:01\"\n+\n+test_arp no\n+test_nd yes\n+\n+# The ARP/ND response has eth.dst == \"00:00:00:00:10:01\" which isn't allowed in this case. Check only vif2.\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_sha=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_tll=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:00/ff:ff:ff:ff:ff:00 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+AS_BOX([With VRRPv3 valid IPv4 + IPv6])\n+reset_pcap_and_expected\n+check ovn-nbctl --wait=hv lsp-set-port-security lsp1 \"VRRPv3 00:00:00:00:10:01 00:00:5e:00:01:05 00:00:5e:00:02:05 192.168.10.1 fd10::1\"\n+\n+test_arp no\n+test_nd yes\n+\n+# The ARP/ND response has eth.dst == \"00:00:00:00:10:01\" which isn't allowed in this case. Check only vif2.\n+OVN_CHECK_PACKETS([hv1/vif2-tx.pcap], [vif2.expected])\n+\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=80,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=131,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=135,icmp_code=0 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=::,ipv6_dst=ff02::/16,icmp_type=143,icmp_code=0 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ip,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:05,nw_src=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=fd10::1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,ipv6,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:02:05,ipv6_src=fe80::200:5eff:fe00:205 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=90,udp,reg14=0x1,metadata=0x1,dl_src=00:00:5e:00:01:05,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC, priority=95,arp,reg14=0x1,metadata=0x1 actions=resubmit(,OFTABLE_CHK_IN_PORT_SEC_ND)\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_IN_PORT_SEC_ND | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,arp,reg14=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=135 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=80,icmp6,reg14=0x1,metadata=0x1,nw_ttl=255,icmp_type=136 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,arp,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,arp_spa=192.168.10.1,arp_sha=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=135,icmp_code=0,nd_sll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fd10::1,nd_tll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:00:00:00:00 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_IN_PORT_SEC_ND, priority=90,icmp6,reg14=0x1,metadata=0x1,dl_src=00:00:00:00:10:01,nw_ttl=255,icmp_type=136,icmp_code=0,nd_target=fe80::200:ff:fe00:1001,nd_tll=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+AT_CHECK([ovs-ofctl dump-flows br-int table=OFTABLE_CHK_OUT_PORT_SEC | ofctl_strip_all | sort | grep -v NXST_FLOW], [0], [dnl\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=80,reg15=0x1,metadata=0x1 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=85,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=90,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05 actions=load:0x1->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=192.168.10.1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=224.0.0.0/4 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ip,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:01:05,nw_dst=255.255.255.255 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=fd10::1 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=fe80::200:5eff:fe00:205 actions=load:0->NXM_NX_REG10[[12]]\n+ table=OFTABLE_CHK_OUT_PORT_SEC, priority=95,ipv6,reg15=0x1,metadata=0x1,dl_dst=00:00:5e:00:02:05,ipv6_dst=ff00::/8 actions=load:0->NXM_NX_REG10[[12]]\n+])\n+\n+OVN_CLEANUP([hv1\n+/Invalid VRRPv3 MAC/d])\n+AT_CLEANUP\n+])\n", "prefixes": [ "ovs-dev", "v8", "2/2" ] }