From patchwork Wed Aug 19 07:41:00 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Numan Siddique <numans@ovn.org>
X-Patchwork-Id: 1347591
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org
 (client-ip=140.211.166.137; helo=fraxinus.osuosl.org;
 envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=none (p=none dis=none) header.from=ovn.org
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4BWfq36cxLz9sTY
	for <incoming@patchwork.ozlabs.org>; Wed, 19 Aug 2020 17:41:19 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by fraxinus.osuosl.org (Postfix) with ESMTP id C918185D7D;
	Wed, 19 Aug 2020 07:41:17 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from fraxinus.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 7-cpI8PwbmR2; Wed, 19 Aug 2020 07:41:16 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
	by fraxinus.osuosl.org (Postfix) with ESMTP id BC41A85C11;
	Wed, 19 Aug 2020 07:41:16 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id 9BCF4C0889;
	Wed, 19 Aug 2020 07:41:16 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136])
 by lists.linuxfoundation.org (Postfix) with ESMTP id D0365C0051
 for <dev@openvswitch.org>; Wed, 19 Aug 2020 07:41:14 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by silver.osuosl.org (Postfix) with ESMTP id 9C26B20017
 for <dev@openvswitch.org>; Wed, 19 Aug 2020 07:41:14 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from silver.osuosl.org ([127.0.0.1])
 by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id nJ-vjtsZ0p-O for <dev@openvswitch.org>;
 Wed, 19 Aug 2020 07:41:13 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net
 [217.70.183.197])
 by silver.osuosl.org (Postfix) with ESMTPS id CF7212000B
 for <dev@openvswitch.org>; Wed, 19 Aug 2020 07:41:12 +0000 (UTC)
X-Originating-IP: 27.7.101.229
Received: from nusiddiq.home.org.com (unknown [27.7.101.229])
 (Authenticated sender: numans@ovn.org)
 by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 65AAF1C000C;
 Wed, 19 Aug 2020 07:41:07 +0000 (UTC)
From: numans@ovn.org
To: dev@openvswitch.org
Date: Wed, 19 Aug 2020 13:11:00 +0530
Message-Id: <20200819074100.2682036-1-numans@ovn.org>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Subject: [ovs-dev] [PATCH ovn v3] northd: Fix the routing for external
	logical ports of bridged logical switches.
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

From: Numan Siddique <numans@ovn.org>

Routing for external logical ports is broken if these ports belonged
to bridged logical switches (with localnet port) and 'ovn-chassis-mac-mappings'
is configured. External logical ports are those which are external to OVN,
but there is a logical port for it and it is claimed by one of the HA chassis.
The claimed chassis provides routing and other native OVN serices like dhcp and dns.

When the external port sends ARP request for the router IP, the claimed chassis
replies for the ARP request, but the arp.sha is set to the actual router mac instead
of the chassis mac. This causes the traffic from external port VM/container to be handled
incorrectly. A ping to the router ip, is replied by all the chassis which can see this
packet instead of just the claimed HA chassis.

This patch fixes this issue by adding a logical flow to drop any packet from the external
ports destined to the router port mac on all the chassis except the claimed chassis.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1829762
Reported-by: Daniel Alvarez <dalvarez@redhat.com>
Suggested-by: Dumitru Ceara <dceara@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
Acked-by: Dumitru Ceara <dceara@redhat.com>
---
 northd/ovn-northd.8.xml | 11 +++++++++++
 northd/ovn-northd.c     | 13 +++++++++++++
 tests/ovn.at            |  7 +++++++
 3 files changed, 31 insertions(+)

diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index ee21c825d..989e3643b 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -1161,6 +1161,17 @@ output;
           which has claimed these external ports. All the other chassis,
           drops these packets.
         </p>
+
+        <p>
+          A priority-100 flow is added for each <code>external</code> logical
+          port which doesn't reside on a chassis to drop any packet destined
+          to the router mac - with the match
+          <code>inport == <var>external</var> &amp;&amp;
+          eth.src == <var>E</var> &amp;&amp; eth.dst == <var>R</var>
+          &amp;&amp; !is_chassis_resident("<var>external</var>")</code>
+          where <var>E</var> is the external port mac and <var>R</var> is the
+          router port mac.
+        </p>
       </li>
 
       <li>
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index dc4592980..212de2f1f 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -6577,6 +6577,19 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op,
                                             ds_cstr(&match), "drop;",
                                             &op->nbsp->header_);
                 }
+
+                ds_clear(&match);
+                ds_put_format(
+                    &match, "inport == %s && eth.src == %s"
+                    " && eth.dst == %s"
+                    " && !is_chassis_resident(%s)",
+                    port->json_key,
+                    op->lsp_addrs[i].ea_s, rp->lsp_addrs[k].ea_s,
+                    op->json_key);
+                ovn_lflow_add_with_hint(lflows, op->od,
+                                        S_SWITCH_IN_EXTERNAL_PORT,
+                                        100, ds_cstr(&match), "drop;",
+                                        &op->nbsp->header_);
             }
         }
     }
diff --git a/tests/ovn.at b/tests/ovn.at
index 9b250b02f..8aabdf307 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -14870,6 +14870,13 @@ OVS_WAIT_UNTIL(
 logical_port=ls1-lp_ext1`
     test "$chassis" = "$hv1_uuid"])
 
+# There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined
+# to router mac.
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \
+table=26,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
+grep -c "actions=drop"], [0], [1
+])
+
 # Stop ovn-controllers on hv1 and hv3.
 as hv1 ovn-appctl -t ovn-controller exit
 as hv3 ovn-appctl -t ovn-controller exit