[{"id":3677561,"web_url":"http://patchwork.ozlabs.org/comment/3677561/","msgid":"<3dd7687a-9cb4-42e6-89c6-0942655aeac1@redhat.com>","list_archive_url":null,"date":"2026-04-15T09:39:08","subject":"Re: [ovs-dev] [PATCH ovn] northd: Move ingress logical port\n mirroring before port security.","submitter":{"id":76591,"url":"http://patchwork.ozlabs.org/api/people/76591/","name":"Dumitru Ceara","email":"dceara@redhat.com"},"content":"On 4/13/26 10:54 AM, Alexandra Rukomoinikova wrote:\n> Currently, ingress logical port mirroring does not take ACL rules into\n> account, allowing the receiver interface (the sink in OVN) to observe\n> the same traffic that exits the port.\n> \n> Ingress mirroring should also bypass port security checks. This is\n> important because packets sent from a mirrored port that do not originate\n> from the port’s MAC address would otherwise be dropped, potentially\n> masking issues such as unexpected virtual machine behavior.\n> \n> Fixes: 2a2fe266d09c (\"northd: Added support for port mirroring in OVN overlay.\")\n> Signed-off-by: Alexandra Rukomoinikova <arukomoinikova@k2.cloud>\n> ---\n\nHi Alexandra,\n\nThanks for the patch, it looks good to me overall.\n\nJust double checking, we're fine with the egress pipeline order right?\nMirroring happens now after to-lport ACLs are evaluated but _before_\nport security.  So if a packet is dropped by a to-lport ACL we don't\nmirror it.  But if a packet is dropped by egress port security we do\nmirror it.\n\nPlease see some more small comments inline.\n\n>  lib/ovn-util.c  |  4 ++--\n>  northd/northd.h |  6 +++---\n>  tests/ovn.at    | 18 +++++++++++++++++-\n>  3 files changed, 22 insertions(+), 6 deletions(-)\n> \n> diff --git a/lib/ovn-util.c b/lib/ovn-util.c\n> index 65fdb3a59..cb2692e0b 100644\n> --- a/lib/ovn-util.c\n> +++ b/lib/ovn-util.c\n> 
@@ -1026,8 +1026,8 @@ ip_address_and_port_from_lb_key(const char *key, char **ip_address,\n>   *\n>   * NOTE: If OVN_NORTHD_PIPELINE_CSUM is updated make sure to double check\n>   * whether an update of OVN_INTERNAL_MINOR_VER is required. */\n> -#define OVN_NORTHD_PIPELINE_CSUM \"3760014456 11249\"\n> -#define OVN_INTERNAL_MINOR_VER 13\n> +#define OVN_NORTHD_PIPELINE_CSUM \"2129825571 11245\"\n> +#define OVN_INTERNAL_MINOR_VER 14\n>  \n>  /* Returns the OVN version. The caller must free the returned value. */\n>  char *\n> diff --git a/northd/northd.h b/northd/northd.h\n> index 139519006..8f57b930d 100644\n> --- a/northd/northd.h\n> +++ b/northd/northd.h\n> @@ -509,9 +509,9 @@ ovn_datapath_is_stale(const struct ovn_datapath *od)\n>  /* Pipeline stages. */\n>  #define PIPELINE_STAGES                                                   \\\n>      /* Logical switch ingress stages. */                                  \\\n> -    PIPELINE_STAGE(SWITCH, IN,  CHECK_PORT_SEC, 0, \"ls_in_check_port_sec\")   \\\n> -    PIPELINE_STAGE(SWITCH, IN,  APPLY_PORT_SEC, 1, \"ls_in_apply_port_sec\")   \\\n> -    PIPELINE_STAGE(SWITCH, IN,  MIRROR,         2, \"ls_in_mirror\")        \\\n> +    PIPELINE_STAGE(SWITCH, IN,  MIRROR,         0, \"ls_in_mirror\")        \\\n> +    PIPELINE_STAGE(SWITCH, IN,  CHECK_PORT_SEC, 1, \"ls_in_check_port_sec\") \\\n> +    PIPELINE_STAGE(SWITCH, IN,  APPLY_PORT_SEC, 2, \"ls_in_apply_port_sec\") \\\n>      PIPELINE_STAGE(SWITCH, IN,  LOOKUP_FDB,     3, \"ls_in_lookup_fdb\")    \\\n>      PIPELINE_STAGE(SWITCH, IN,  PUT_FDB,        4, \"ls_in_put_fdb\")       \\\n>      PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,        5, \"ls_in_pre_acl\")       \\\n> diff --git a/tests/ovn.at b/tests/ovn.at\n> index cec3bb9a7..6d6481135 100644\n> --- a/tests/ovn.at\n> +++ b/tests/ovn.at\n> 
@@ -19122,9 +19122,25 @@ OVN_CHECK_PACKETS([hv3/vif1-tx.pcap], [expected])\n>  as hv2 reset_pcap_file hv2-vif1 hv2/vif1\n>  as hv3 reset_pcap_file hv3-vif1 hv3/vif1\n>  \n> -# Test mirror filtering.\n>  check ovn-nbctl lsp-attach-mirror ls1-lp1 mirror0\n>  \n> +# Ensure that port security on the source port does not impact mirroring:\n> +# send a packet with an unknown MAC and checking it appears on the sink port.\n\nTypo: and check.\n\n> +check ovn-nbctl lsp-set-port-security ls1-lp1 $ls1_lp1_mac\n\nMissing --wait=hv?  We risk ovn-controller not having the port security\nin place at the moment we're injecting the test packet below.\n\n> +\n> +fake_mac=\"f1:f1:f1:f1:f1:04\"\n> +packet=\"inport==\\\"ls1-lp1\\\" && eth.src==$fake_mac && eth.dst==$rp_ls1_mac &&\n> +        ip4 && ip.ttl==64 && ip4.src==$ls1_lp1_ip && ip4.dst==$ls2_lp1_ip &&\n> +        udp && udp.src==53 && udp.dst==4369\"\n> +OVS_WAIT_UNTIL([as hv1 ovs-appctl -t ovn-controller inject-pkt \"$packet\"])\n> +\n> +echo $packet | ovstest test-ovn expr-to-packets > packet\n> +\n> +OVN_CHECK_PACKETS([hv3/vif1-tx.pcap], [packet])\n> +\n> +as hv3 reset_pcap_file hv3-vif1 hv3/vif1\n> +\n> +# Test mirror filtering.\n>  check ovn-nbctl mirror-rule-add mirror0 200 '1' skip\n>  check ovn-nbctl --wait=hv sync\n>  \n\nRegards,\nDumitru","headers":{"Message-ID":"<3dd7687a-9cb4-42e6-89c6-0942655aeac1@redhat.com>","Date":"Wed, 15 Apr 2026 11:39:08 +0200","To":"Alexandra Rukomoinikova <arukomoinikova@k2.cloud>, dev@openvswitch.org","References":"<20260413085447.32382-1-arukomoinikova@k2.cloud>","In-Reply-To":"<20260413085447.32382-1-arukomoinikova@k2.cloud>","Subject":"Re: [ovs-dev] [PATCH ovn] northd: Move ingress logical port\n mirroring before port security.","List-Id":"<ovs-dev.openvswitch.org>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","From":"Dumitru Ceara via dev <ovs-dev@openvswitch.org>","Reply-To":"Dumitru Ceara <dceara@redhat.com>"}}]
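Review bot: the tests/ovn.at hunk only asserts that the spoofed-MAC packet reaches the sink (OVN_CHECK_PACKETS([hv3/vif1-tx.pcap], [packet])); it never asserts that ingress port security still drops that packet on its normal forwarding path to $ls2_lp1_ip. As written the test also passes if port security was simply not yet programmed on hv1, which is the same race the missing --wait=hv comment points at. Since the hunk's context already resets the hv2/vif1 pcap alongside the sink's, add a second OVN_CHECK_PACKETS against the pcap of whichever port hosts ls2-lp1 with an empty expected list, so the test proves both halves of the behaviour the commit message describes: mirror sees the packet, the destination does not.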