{"id":2222641,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2222641/?format=json","web_url":"http://patchwork.ozlabs.org/project/ovn/patch/20260413085447.32382-1-arukomoinikova@k2.cloud/","project":{"id":68,"url":"http://patchwork.ozlabs.org/api/1.2/projects/68/?format=json","name":"Open Virtual Network development","link_name":"ovn","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260413085447.32382-1-arukomoinikova@k2.cloud>","list_archive_url":null,"date":"2026-04-13T08:54:45","name":"[ovs-dev] northd: Move ingress logical port mirroring before port security.","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":false,"hash":"e7c5297027cb0aaa1ea7320b6fb0acaea1af4cb9","submitter":{"id":89461,"url":"http://patchwork.ozlabs.org/api/1.2/people/89461/?format=json","name":"Alexandra Rukomoinikova","email":"ARukomoinikova@k2.cloud"},"delegate":{"id":94943,"url":"http://patchwork.ozlabs.org/api/1.2/users/94943/?format=json","username":"dceara","first_name":"Dumitru","last_name":"Ceara","email":"dceara@redhat.com"},"mbox":"http://patchwork.ozlabs.org/project/ovn/patch/20260413085447.32382-1-arukomoinikova@k2.cloud/mbox/","series":[{"id":499668,"url":"http://patchwork.ozlabs.org/api/1.2/series/499668/?format=json","web_url":"http://patchwork.ozlabs.org/project/ovn/list/?series=499668","date":"2026-04-13T08:54:45","name":"[ovs-dev] northd: Move ingress logical port mirroring before port 
security.","version":1,"mbox":"http://patchwork.ozlabs.org/series/499668/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222641/comments/","check":"success","checks":"http://patchwork.ozlabs.org/api/patches/2222641/checks/","tags":{},"related":[],"headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","ovs-dev@lists.linuxfoundation.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=k2.cloud header.i=@k2.cloud header.a=rsa-sha256\n header.s=cloudmail header.b=k2AzFft0;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)","smtp3.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key,\n unprotected) header.d=k2.cloud header.i=@k2.cloud header.a=rsa-sha256\n header.s=cloudmail header.b=k2AzFft0","smtp2.osuosl.org;\n dmarc=pass (p=none dis=none) header.from=k2.cloud","smtp2.osuosl.org; dkim=pass (1024-bit key,\n unprotected) header.d=k2.cloud header.i=@k2.cloud header.a=rsa-sha256\n header.s=cloudmail header.b=k2AzFft0"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvLnw1btyz1yDF\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 13 Apr 2026 18:54:59 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id CD43560DD8;\n\tMon, 13 Apr 2026 08:54:57 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost 
(smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id WjjwZJNGPWew; Mon, 13 Apr 2026 08:54:56 +0000 (UTC)","from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp3.osuosl.org (Postfix) with ESMTPS id ADF0860609;\n\tMon, 13 Apr 2026 08:54:55 +0000 (UTC)","from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 965CCC054A;\n\tMon, 13 Apr 2026 08:54:55 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists.linuxfoundation.org (Postfix) with ESMTP id DB56CC0549\n for <dev@openvswitch.org>; Mon, 13 Apr 2026 08:54:54 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id C1F3840142\n for <dev@openvswitch.org>; Mon, 13 Apr 2026 08:54:54 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id qVaoiO3g2RpW for <dev@openvswitch.org>;\n Mon, 13 Apr 2026 08:54:54 +0000 (UTC)","from mail3.k2.cloud (mail3.k2.cloud [109.73.14.254])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 267664008A\n for <dev@openvswitch.org>; Mon, 13 Apr 2026 08:54:52 +0000 (UTC)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections -\n client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org ADF0860609","OpenDKIM Filter v2.11.0 smtp2.osuosl.org 267664008A"],"Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=109.73.14.254;\n helo=mail3.k2.cloud; envelope-from=arukomoinikova@k2.cloud;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org 267664008A","From":"Alexandra Rukomoinikova <arukomoinikova@k2.cloud>","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=k2.cloud;\n s=cloudmail; t=1776070489;\n 
bh=UdVQrsOtKUPj/6fs5VxD0ChbU59XOgIXFOqDhzcOU4g=;\n h=From:To:Cc:Subject:Date;\n b=k2AzFft0QMVb7LWbPDU9kyYBL0uUsDjeeqcAjKBP4AdZtUrkRu+77Ek94SV2yhZx2\n WTzBgnPs0r2H/nfnn5+RMnZMSbGflltmBWYd71m1p2gWoJB8utzgelFW4b8EnvVg8Z\n KBonhw0HImII3JJT8RtueAePbg2rJnKzAGp8FaJg=","To":"dev@openvswitch.org","Cc":"Alexandra Rukomoinikova <arukomoinikova@k2.cloud>","Date":"Mon, 13 Apr 2026 11:54:45 +0300","Message-Id":"<20260413085447.32382-1-arukomoinikova@k2.cloud>","MIME-Version":"1.0","Subject":"[ovs-dev] [PATCH ovn] northd: Move ingress logical port mirroring\n before port security.","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"ovs-dev-bounces@openvswitch.org","Sender":"\"dev\" <ovs-dev-bounces@openvswitch.org>"},"content":"Currently, ingress logical port mirroring does not take ACL rules into\naccount, allowing the receiver interface (the sink in OVN) to observe\nthe same traffic that exits the port.\n\nIngress mirroring should also bypass port security checks. 
This is\nimportant because packets sent from a mirrored port that do not originate\nfrom the port’s MAC address would otherwise be dropped, potentially\nmasking issues such as unexpected virtual machine behavior.\n\nFixes: 2a2fe266d09c (\"northd: Added support for port mirroring in OVN overlay.\")\nSigned-off-by: Alexandra Rukomoinikova <arukomoinikova@k2.cloud>\n---\n lib/ovn-util.c  |  4 ++--\n northd/northd.h |  6 +++---\n tests/ovn.at    | 18 +++++++++++++++++-\n 3 files changed, 22 insertions(+), 6 deletions(-)","diff":"diff --git a/lib/ovn-util.c b/lib/ovn-util.c\nindex 65fdb3a59..cb2692e0b 100644\n--- a/lib/ovn-util.c\n+++ b/lib/ovn-util.c\n@@ -1026,8 +1026,8 @@ ip_address_and_port_from_lb_key(const char *key, char **ip_address,\n  *\n  * NOTE: If OVN_NORTHD_PIPELINE_CSUM is updated make sure to double check\n  * whether an update of OVN_INTERNAL_MINOR_VER is required. */\n-#define OVN_NORTHD_PIPELINE_CSUM \"3760014456 11249\"\n-#define OVN_INTERNAL_MINOR_VER 13\n+#define OVN_NORTHD_PIPELINE_CSUM \"2129825571 11245\"\n+#define OVN_INTERNAL_MINOR_VER 14\n \n /* Returns the OVN version. The caller must free the returned value. */\n char *\ndiff --git a/northd/northd.h b/northd/northd.h\nindex 139519006..8f57b930d 100644\n--- a/northd/northd.h\n+++ b/northd/northd.h\n@@ -509,9 +509,9 @@ ovn_datapath_is_stale(const struct ovn_datapath *od)\n /* Pipeline stages. */\n #define PIPELINE_STAGES                                                   \\\n     /* Logical switch ingress stages. 
*/                                  \\\n-    PIPELINE_STAGE(SWITCH, IN,  CHECK_PORT_SEC, 0, \"ls_in_check_port_sec\")   \\\n-    PIPELINE_STAGE(SWITCH, IN,  APPLY_PORT_SEC, 1, \"ls_in_apply_port_sec\")   \\\n-    PIPELINE_STAGE(SWITCH, IN,  MIRROR,         2, \"ls_in_mirror\")        \\\n+    PIPELINE_STAGE(SWITCH, IN,  MIRROR,         0, \"ls_in_mirror\")        \\\n+    PIPELINE_STAGE(SWITCH, IN,  CHECK_PORT_SEC, 1, \"ls_in_check_port_sec\") \\\n+    PIPELINE_STAGE(SWITCH, IN,  APPLY_PORT_SEC, 2, \"ls_in_apply_port_sec\") \\\n     PIPELINE_STAGE(SWITCH, IN,  LOOKUP_FDB,     3, \"ls_in_lookup_fdb\")    \\\n     PIPELINE_STAGE(SWITCH, IN,  PUT_FDB,        4, \"ls_in_put_fdb\")       \\\n     PIPELINE_STAGE(SWITCH, IN,  PRE_ACL,        5, \"ls_in_pre_acl\")       \\\ndiff --git a/tests/ovn.at b/tests/ovn.at\nindex cec3bb9a7..6d6481135 100644\n--- a/tests/ovn.at\n+++ b/tests/ovn.at\n@@ -19122,9 +19122,25 @@ OVN_CHECK_PACKETS([hv3/vif1-tx.pcap], [expected])\n as hv2 reset_pcap_file hv2-vif1 hv2/vif1\n as hv3 reset_pcap_file hv3-vif1 hv3/vif1\n \n-# Test mirror filtering.\n check ovn-nbctl lsp-attach-mirror ls1-lp1 mirror0\n \n+# Ensure that port security on the source port does not impact mirroring:\n+# send a packet with an unknown MAC and checking it appears on the sink port.\n+check ovn-nbctl lsp-set-port-security ls1-lp1 $ls1_lp1_mac\n+\n+fake_mac=\"f1:f1:f1:f1:f1:04\"\n+packet=\"inport==\\\"ls1-lp1\\\" && eth.src==$fake_mac && eth.dst==$rp_ls1_mac &&\n+        ip4 && ip.ttl==64 && ip4.src==$ls1_lp1_ip && ip4.dst==$ls2_lp1_ip &&\n+        udp && udp.src==53 && udp.dst==4369\"\n+OVS_WAIT_UNTIL([as hv1 ovs-appctl -t ovn-controller inject-pkt \"$packet\"])\n+\n+echo $packet | ovstest test-ovn expr-to-packets > packet\n+\n+OVN_CHECK_PACKETS([hv3/vif1-tx.pcap], [packet])\n+\n+as hv3 reset_pcap_file hv3-vif1 hv3/vif1\n+\n+# Test mirror filtering.\n check ovn-nbctl mirror-rule-add mirror0 200 '1' skip\n check ovn-nbctl --wait=hv sync\n \n","prefixes":["ovs-dev"]}
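Review bot: In lib/ovn-util.c, the OVN_INTERNAL_MINOR_VER bump from 13 to 14 arrives in a patch that carries a Fixes: tag, so it reads as a backport candidate, but the commit message does not say how the version bump and the renumbered ingress tables are meant to land on stable branches. Please state the intended branches in the commit message, or drop the Fixes: tag if this is a behaviour change for the development branch only.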
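Review bot: In the PIPELINE_STAGES list in northd/northd.h, nothing records why MIRROR has to be table 0, ahead of CHECK_PORT_SEC and APPLY_PORT_SEC, so a later reorder could silently undo this. Add a short comment above the `PIPELINE_STAGE(SWITCH, IN,  MIRROR, 0, "ls_in_mirror")` line saying that mirroring runs before port security so the sink also receives frames that port security goes on to drop. The diffstat touches only lib/ovn-util.c, northd/northd.h and tests/ovn.at, so any documentation that lists the ingress table numbers is left describing the old order and should be updated in the same patch.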
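Review bot: In the new tests/ovn.at block, `check ovn-nbctl lsp-set-port-security ls1-lp1 $ls1_lp1_mac` is followed directly by the inject-pkt call with no `check ovn-nbctl --wait=hv sync`, so the packet can be injected before the port security flows reach the hypervisors, and the check can then pass without exercising the new stage order. Add the sync before injecting, as the mirror-filtering step just below already does. The test asserts only that the frame shows up in hv3/vif1-tx.pcap; it should also assert that the frame is not delivered to its destination, so that port security is shown to still drop it after mirroring. fake_mac="f1:f1:f1:f1:f1:04" has the group bit set in its first octet, so a unicast address that merely differs from $ls1_lp1_mac would isolate the port security case better. Port security also stays set on ls1-lp1 for the mirror-filtering checks that follow; either clear it or note that this is intended. Minor: quote "$packet" in the echo, and the comment should read "send a packet with an unknown MAC and check that it appears on the sink port".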