From patchwork Thu Jun 11 13:14:41 2020
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 1307569
From: numans@ovn.org
To: dev@openvswitch.org
Cc: Jakub Libosvar
Date: Thu, 11 Jun 2020 18:44:41 +0530
Message-Id: <20200611131441.1600359-1-numans@ovn.org>
Subject: [ovs-dev] [PATCH ovn] northd: By pass IPv6 Router Adv and Router Solicitation packets from ACL stages.

From: Numan Siddique

We already add below logical flows to bypass IPv6 Neighbor discovery packets
from in/out ACL stage.

table=6 (ls_in_acl ), priority=65535, match=(nd), action=(next;)
table=4 (ls_out_acl ), priority=65535, match=(nd), action=(next;)

This patch also adds nd_rs and nd_ra to these logical flows. Without these
the IPv6 Router Adv packets generated by ovn-controller are dropped
if CMS has configured ACLs.

Reported-by: Jakub Libosvar
Signed-off-by: Numan Siddique
Acked-by: Mark Michelson
---
 northd/ovn-northd.8.xml | 6 ++++++
 northd/ovn-northd.c | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 7281eeecc..a7639f33a 100644 --- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml @@ -467,6 +467,12 @@ ACL re-allow this connection. +
  • + A priority-65535 flow that allows IPv6 Neighbor solicitation, + Neighbor discover, Router solicitation and Router advertisement + packets. +
  • +
  • A priority 34000 logical flow is added for each logical switch datapath with the match eth.dst = E to allow the service diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0fc62bf91..b8c9e9325 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -5389,8 +5389,10 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, /* Ingress and Egress ACL Table (Priority 65535). * * Not to do conntrack on ND packets. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "nd", "next;"); - ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "nd", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, + "nd || nd_ra || nd_rs", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, + "nd || nd_ra || nd_rs", "next;"); } /* Ingress or Egress ACL Table (Various priorities). */
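Review bot: In the northd/ovn-northd.8.xml hunk, the added item lists "Neighbor solicitation, Neighbor discover, Router solicitation and Router advertisement", where "Neighbor discover" looks like a slip for "Neighbor advertisement". The item would also be easier to check against the code if it quoted the match it documents, nd || nd_ra || nd_rs, the way the neighbouring priority-34000 item quotes eth.dst = E.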
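Review bot: In the build_acls() hunk of northd/ovn-northd.c, the new match "nd || nd_ra || nd_rs" has no qualifier on where the packet came from, so at UINT16_MAX every Router Advertisement and Router Solicitation on the datapath skips the ACL stage in both directions, not only the RAs generated by ovn-controller that the commit message is about. That means a CMS can no longer use ACLs to filter RAs sent by a workload port; please either narrow the match to the ovn-controller generated packets or state this consequence in the commit message and the man page entry. The comment above the calls still reads "Not to do conntrack on ND packets." and should mention RA and RS as well, and the diffstat shows no test change, so a test that checks the new match in ls_in_acl and ls_out_acl would be worth adding.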