@@ -1339,8 +1339,9 @@ nd_na {
<li>
<p>
- Protocol unreachable. Priority-70 flows generate ICMP protocol
- unreachable messages in reply to packets directed to the router's IP
+ Protocol or address unreachable. Priority-70 flows generate ICMP
+ protocol or address unreachable messages for IPv4 and IPv6
+ respectively in reply to packets directed to the router's IP
address on IP protocols other than UDP, TCP, and ICMP, except in the
special case of gateways, which accept traffic directed to a router
IP for load balancing purposes.
@@ -5352,6 +5352,20 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
"next; };";
ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80,
ds_cstr(&match), action);
+
+ ds_clear(&match);
+ ds_put_format(&match,
+ "ip6 && ip6.dst == %s && !ip.later_frag",
+ op->lrp_networks.ipv6_addrs[i].addr_s);
+ action = "icmp6 {"
+ "eth.dst <-> eth.src; "
+ "ip6.dst <-> ip6.src; "
+ "ip.ttl = 255; "
+ "icmp6.type = 1; "
+ "icmp6.code = 3; "
+ "next; };";
+ ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 70,
+ ds_cstr(&match), action);
}
}
@@ -10495,6 +10495,7 @@ test_ip6_packet 1 1 000000000001 00000000ff01 20010db8000100000000000000000011 2
OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])
test_tcp_syn_packet 2 2 000000000002 00000000ff02 $(ip_to_hex 192 168 2 1) $(ip_to_hex 192 168 2 254) 0000 8b40 3039 0000 7bae 4486
+test_ip6_packet 2 2 000000000002 00000000ff02 20010db8000200000000000000000011 20010db8000200000000000000000001 84 0004 01020304 0103 627e
OVN_CHECK_PACKETS([hv2/vif2-tx.pcap], [vif2.expected])
OVN_CLEANUP([hv1], [hv2])
Add priority-70 flows to generate ICMPv6 address unreachable messages in reply to IPv6 packets directed to the router's IP address on IP protocols other than UDP, TCP, and ICMP Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> --- ovn/northd/ovn-northd.8.xml | 5 +++-- ovn/northd/ovn-northd.c | 14 ++++++++++++++ tests/ovn.at | 1 + 3 files changed, 18 insertions(+), 2 deletions(-)