
[ovs-dev,v2] northd: add router broadcast option to logical switch

Message ID DU0PR10MB5244D4B650BB7EF768C1EF1DEA809@DU0PR10MB5244.EURPRD10.PROD.OUTLOOK.COM
State Accepted
Series [ovs-dev,v2] northd: add router broadcast option to logical switch

Checks

Context Check Description
ovsrobot/apply-robot warning apply and check: warning
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/github-robot-_ovn-kubernetes success github build: passed

Commit Message

Felix Huettner March 20, 2023, 8:04 a.m. UTC
Assume the following setup:

+----------------+
| Logical Router |
| lr001          +-+
+----------------+ |
                   |
+----------------+ |
| Logical Router | | +----------------+ +------------------+
| lr002          +-+-+ Logical Switch +-+ Physical Network |
+----------------+ | | ls-ext         | |                  |
                   | +----------------+ +------------------+
      ...          |
                   |
+----------------+ |
| Logical Router | |
| lr300          +-+
+----------------+

If an arp request for the ip of lr001 on ls-ext is now received, it is
only forwarded to that individual logical router.

If, however, we now receive an arp request for an ip not used by any of
lr001-lr300, we try to flood the arp request to all logical ports on ls-ext.
With around 300 routers this causes the arp request to be dropped after
some routers as we hit the 4096 resubmit limit.

In most cases forwarding the arp requests to the logical routers is
pointless as we already know all of their ip addresses and they will
therefore not be able to answer the arp requests anyway.
Only if someone sends garps is this not the case. Then the request would
need to be flooded to all logical routers.

We can therefore not generally send these arp requests to MC_FLOOD_L2 as
this would break garps. As we can also not detect garps we need to leave
the solution to our users.

To do this we introduce the other_config `broadcast-arps-to-all-routers`
on logical switches (which defaults to true). If set to false we add
a logical flow that forwards arp requests where we do not know a
specific target logical switch port to MC_FLOOD_L2, thereby bypassing
all logical routers.

Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
---
 NEWS                    |  5 +++++
 northd/northd.c         |  8 ++++++++
 northd/ovn-northd.8.xml |  7 +++++++
 ovn-nb.xml              | 12 ++++++++++++
 tests/ovn-northd.at     | 31 +++++++++++++++++++++++++++++++
 5 files changed, 63 insertions(+)

--
2.39.2
This e-mail may contain confidential content and is intended solely for use by the intended recipient. If you are not the intended recipient, please notify the sender immediately and delete this e-mail. Privacy information is available here: <https://www.datenschutz.schwarz>.
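To make the option's effect concrete, the following is an added, simplified model of the ls_in_l2_lkup stage for a switch shaped like ls-ext above; it is an illustration written for this page, not OVN code. Only the priority-72 and priority-70 flows come from the patch. The higher-priority flow that delivers an ARP request for a known router IP to that router alone (the lr001 case in the commit message) is an assumption, its priority of 80 is assumed, and all port names and addresses are constructed. The model shows that with the option false an ARP request for an unknown IP, and equally a GARP (which the flow cannot tell apart from any other request), reaches only non-router ports, while a known-router target and non-ARP broadcasts are unaffected.

```python
"""Simplified model of the ls_in_l2_lkup stage of a logical switch with
many router ports (constructed illustration, not OVN code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                  # "router", "vif" or "localnet"
    ip: Optional[str] = None   # IP a router port answers ARP for


@dataclass(frozen=True)
class Packet:
    eth_mcast: bool            # broadcast/multicast eth.dst
    arp_request: bool          # arp.op == 1; an IPv6 NS is treated the same
    sender_ip: str = ""
    target_ip: str = ""


def is_garp(pkt: Packet) -> bool:
    """A gratuitous ARP announces the sender's own address (spa == tpa)."""
    return pkt.arp_request and pkt.sender_ip == pkt.target_ip


Flow = Tuple[int, Callable[[Packet], bool], Callable[[Packet], List[str]]]


class LogicalSwitch:
    def __init__(self, ports: List[Port], broadcast_arps_to_all_routers: bool = True):
        self.ports = ports
        self.option = broadcast_arps_to_all_routers

    def mc_flood(self) -> List[str]:
        """MC_FLOOD: every port on the switch."""
        return [p.name for p in self.ports]

    def mc_flood_l2(self) -> List[str]:
        """MC_FLOOD_L2: every non-router port."""
        return [p.name for p in self.ports if p.kind != "router"]

    def router_for_ip(self, ip: str) -> Optional[Port]:
        return next((p for p in self.ports if p.kind == "router" and p.ip == ip), None)

    def flows(self) -> List[Flow]:
        """Flow table of the stage, highest priority first."""
        table: List[Flow] = []
        # Assumed flow (priority value assumed): an ARP request for a known
        # router IP is delivered only to that router port, the lr001 case.
        table.append((80,
                      lambda p: p.arp_request and self.router_for_ip(p.target_ip) is not None,
                      lambda p: [self.router_for_ip(p.target_ip).name]))
        # Priority-72 flow from the patch, installed only when the option is false.
        # It cannot distinguish a GARP from any other ARP request.
        if not self.option:
            table.append((72,
                          lambda p: p.eth_mcast and p.arp_request,
                          lambda p: self.mc_flood_l2()))
        # Existing priority-70 flow: remaining broadcast/multicast floods everywhere.
        table.append((70, lambda p: p.eth_mcast, lambda p: self.mc_flood()))
        return sorted(table, key=lambda f: -f[0])

    def lookup(self, pkt: Packet) -> Tuple[Optional[int], List[str]]:
        """Return (priority of the matching flow, output ports)."""
        for prio, match, action in self.flows():
            if match(pkt):
                return prio, action(pkt)
        return None, []


def build_switch(n_routers: int, option: bool) -> LogicalSwitch:
    """Constructed topology like ls-ext: n router ports, one VIF, one localnet port."""
    ports = [Port(f"lr{i:03d}", "router", f"10.0.{i // 256}.{i % 256}")
             for i in range(1, n_routers + 1)]
    ports += [Port("vif1", "vif"), Port("ln-ext", "localnet")]
    return LogicalSwitch(ports, option)


def arp_request_targets(n_routers: int, option: bool, target_ip: str,
                        sender_ip: str = "198.51.100.7") -> Tuple[Optional[int], List[str]]:
    """Ports an ARP request from the physical network reaches under the given setting."""
    ls = build_switch(n_routers, option)
    pkt = Packet(eth_mcast=True, arp_request=True, sender_ip=sender_ip, target_ip=target_ip)
    return ls.lookup(pkt)


if __name__ == "__main__":
    for option in (True, False):
        prio, outs = arp_request_targets(300, option, "203.0.113.9")
        print(f"option={option}: unknown-IP ARP request hit priority {prio}, "
              f"{len(outs)} output ports")
        garp = Packet(eth_mcast=True, arp_request=True,
                      sender_ip="203.0.113.9", target_ip="203.0.113.9")
        prio, outs = build_switch(300, option).lookup(garp)
        print(f"option={option}: GARP={is_garp(garp)} hit priority {prio}, "
              f"routers reached: {sum(o.startswith('lr') for o in outs)}")
```

With 300 routers the default setting floods an unknown-target request to 302 ports, the setting from the patch to 2; the same two numbers apply to a GARP, which is exactly the trade-off the commit message leaves to the operator.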

Comments

Ales Musil March 24, 2023, 9:11 a.m. UTC | #1
On Mon, Mar 20, 2023 at 9:04 AM Felix Hüttner via dev <
ovs-dev@openvswitch.org> wrote:

Looks good to me, thanks.

Acked-by: Ales Musil <amusil@redhat.com>
Dumitru Ceara March 28, 2023, 1:59 p.m. UTC | #2
On 3/24/23 10:11, Ales Musil wrote:
> On Mon, Mar 20, 2023 at 9:04 AM Felix Hüttner via dev <
> ovs-dev@openvswitch.org> wrote:
> 
> Looks good to me, thanks.
> 
> Acked-by: Ales Musil <amusil@redhat.com>
> 

Thanks, Felix and Ales!  I rebased this patch and applied it to the main
branch with the following minor change:

diff --git a/northd/northd.c b/northd/northd.c
index 0721a99389..64e1e095c5 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -9133,8 +9133,8 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
     if (!smap_get_bool(&od->nbs->other_config,
                        "broadcast-arps-to-all-routers", true)) {
         ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 72,
-                    "eth.mcast && (arp.op == 1 || nd_ns)",
-                    "outport = \""MC_FLOOD_L2"\"; output;");
+                      "eth.mcast && (arp.op == 1 || nd_ns)",
+                      "outport = \""MC_FLOOD_L2"\"; output;");
     }
 
     ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 70, "eth.mcast",
diff --git a/ovn-nb.xml b/ovn-nb.xml
index cf5c4e1ee3..d6694778f3 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -746,8 +746,8 @@
       <column name="other_config" key="broadcast-arps-to-all-routers"
           type='{"type": "boolean"}'>
         Determines whether arp requests and ipv6 neighbor solicitations should
-        be send to all routers and other switchports (default) or if it should
-        only be send to switchports where the ip/mac address is unknown.
+        be sent to all routers and other switchports (default) or if it should
+        only be sent to switchports where the ip/mac address is unknown.
         Setting this to false can significantly reduce the load if the logical
         switch can receive arp requests for ips it does not know about.
         However setting this to false also means that garps are no longer
diff --git a/ovs b/ovs
index b72a7f9257..8986d4d556 160000
--- a/ovs
+++ b/ovs
@@ -1 +1 @@
-Subproject commit b72a7f92573aa4e6205e57cb978532b4c04702e1
+Subproject commit 8986d4d5564401eeef3dea828b51fe8bae2cc8aa
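Review bot: the `ovs` submodule bump from b72a7f9257 to 8986d4d556 is unrelated to the broadcast-arps-to-all-routers change and is not in the original patch's diffstat; it looks like a rebase artifact in the diff shown here and should not be part of this commit.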
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 3067ca037c..c3ff60d54e 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -6475,27 +6475,28 @@ OVN_FOR_EACH_NORTHD_NO_HV([
 AT_SETUP([check broadcast-arps-to-all-routers option])
 ovn_start
 
-ovn-nbctl lr-add R1
-ovn-nbctl set logical_router R1 options:chassis=hv1
-ovn-nbctl lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24
+check ovn-nbctl lr-add R1
+check ovn-nbctl set logical_router R1 options:chassis=hv1
+check ovn-nbctl lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24
 
-ovn-nbctl ls-add S1
-ovn-nbctl lsp-add S1 S1-R1
-ovn-nbctl lsp-set-type S1-R1 router
-ovn-nbctl lsp-set-addresses S1-R1 "02:ac:10:01:00:01 172.16.1.1"
-ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1 nat-addresses="router"
-ovn-nbctl lsp-add S1 S1-VIF
-ovn-nbctl lsp-set-addresses S1-VIF "02:ac:10:01:00:02 unkown"
+check ovn-nbctl ls-add S1
+check ovn-nbctl lsp-add S1 S1-R1
+check ovn-nbctl lsp-set-type S1-R1 router
+check ovn-nbctl lsp-set-addresses S1-R1 "02:ac:10:01:00:01 172.16.1.1"
+check ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1 nat-addresses="router"
+check ovn-nbctl lsp-add S1 S1-VIF
+check ovn-nbctl lsp-set-addresses S1-VIF "02:ac:10:01:00:02 unkown"
+check ovn-nbctl --wait=sb sync
 
 AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport = "_MC_flood_l2"; output;)'], [1])
 
-ovn-nbctl --wait=sb set Logical_Switch S1 \
-                    other_config:broadcast-arps-to-all-routers=false
+check ovn-nbctl --wait=sb set Logical_Switch S1 \
+    other_config:broadcast-arps-to-all-routers=false
 
 AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport = "_MC_flood_l2"; output;)'], [0])
 
-ovn-nbctl --wait=sb set Logical_Switch S1 \
-                    other_config:broadcast-arps-to-all-routers=true
+check ovn-nbctl --wait=sb set Logical_Switch S1 \
+    other_config:broadcast-arps-to-all-routers=true
 
 AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport = "_MC_flood_l2"; output;)'], [1])
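Review bot: the `unkown` typo survives this cleanup in `check ovn-nbctl lsp-set-addresses S1-VIF "02:ac:10:01:00:02 unkown"`; while the commands are being wrapped in `check`, the keyword should become `unknown` so the VIF actually gets the unknown-address behaviour the test is set up for.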

Patch

diff --git a/NEWS b/NEWS
index 637adcff3..2379f5089 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,11 @@  Post v23.03.0
 -------------
   - Enhance LSP.options:arp_proxy to support IPv6, configurable MAC
     addresses and CIDRs.
+  - Add LS.other_config:broadcast-arps-to-all-routers. If false then arp
+    requests are only send to Logical Routers on that Logical Switch if the
+    target mac address matches. Arp requests matching no Logical Router will
+    only be forwarded to non-router ports. Default is true which keeps the
+    existing behaviour of flooding these arp requests to all attached Ports.

 OVN v23.03.0 - 03 Mar 2023
 --------------------------
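Review bot: the NEWS entry only mentions ARP requests, but the priority-72 flow in northd/northd.c also matches `nd_ns`, and ovn-nb.xml documents the option as covering IPv6 neighbor solicitations too; say so here as well. Also "requests are only send to" should read "requests are only sent to".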
diff --git a/northd/northd.c b/northd/northd.c
index 5f0b436c2..be6d70d94 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -9030,6 +9030,14 @@  build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
             }
         }

+
+        if (!smap_get_bool(&od->nbs->other_config,
+                           "broadcast-arps-to-all-routers", true)) {
+            ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 72,
+                        "eth.mcast && (arp.op == 1 || nd_ns)",
+                        "outport = \""MC_FLOOD_L2"\"; output;");
+        }
+
         ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 70, "eth.mcast",
                       "outport = \""MC_FLOOD"\"; output;");
     }
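Review bot: the match `eth.mcast && (arp.op == 1 || nd_ns)` does not itself express "target port unknown"; the flow only has that meaning because the commit message relies on the existing higher-priority flows in this stage to deliver ARP requests for known router addresses first. A comment above the `if` stating that ordering dependency would keep a later priority change from silently diverting all ARP traffic past the routers. Two style points: the continuation lines of the `ovn_lflow_add` call are indented two columns short of the opening parenthesis, and the added empty `+` line directly after the context blank line leaves a double blank line.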
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 5d513e65a..3d5f579fe 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -1880,6 +1880,13 @@  output;
         non-router logical ports.
       </li>

+      <li>
+        A priority-72 flow that outputs all ARP requests and ND packets with
+        an Ethernet broadcast or multicast <code>eth.dst</code> to the
+        <code>MC_FLOOD_L2</code> multicast group if
+        <code>other_config:broadcast-arps-to-all-routers=true</code>.
+      </li>
+
       <li>
         A priority-70 flow that outputs all packets with an Ethernet broadcast
         or multicast <code>eth.dst</code> to the <code>MC_FLOOD</code>
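Review bot: the condition in the new `<li>` is inverted. The code adds the priority-72 flow when `smap_get_bool(..., "broadcast-arps-to-all-routers", true)` returns false, so the text should read `other_config:broadcast-arps-to-all-routers=false`. As written, the man page tells operators the opposite of what the option does.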
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 73f707aa0..d106af8be 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -729,6 +729,18 @@ 
         localnet ports, fabric traffic that belongs to other tagged networks may
         be passed through such a port.
       </column>
+
+      <column name="other_config" key="broadcast-arps-to-all-routers"
+          type='{"type": "boolean"}'>
+        Determines whether arp requests and ipv6 neighbor solicitations should
+        be send to all routers and other switchports (default) or if it should
+        only be send to switchports where the ip/mac address is unknown.
+        Setting this to false can significantly reduce the load if the logical
+        switch can receive arp requests for ips it does not know about.
+        However setting this to false also means that garps are no longer
+        forwarded to all routers and therefor the mac bindings of the routers
+        are no longer updated.
+      </column>
     </group>

     <group title="Common Columns">
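Review bot: "be send" and "only be send" should read "be sent" and "only be sent", and "therefor" should be "therefore". The last sentence is the one operators need to weigh: with the option false a GARP still matches the priority-72 flow, so router MAC bindings stop being refreshed. State that consequence up front, together with the fact (from the commit message) that the switch cannot distinguish a GARP from a normal ARP request, so operators can judge whether stale bindings are acceptable for their switch.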
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index ef29233db..4bf59f4af 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -6421,6 +6421,37 @@  AT_CHECK([ovn-sbctl get Port_Binding S1-R1 nat_addresses |grep -q 172.16.1.10],
 AT_CLEANUP
 ])

+OVN_FOR_EACH_NORTHD_NO_HV([
+AT_SETUP([check broadcast-arps-to-all-routers option])
+ovn_start
+
+ovn-nbctl lr-add R1
+ovn-nbctl set logical_router R1 options:chassis=hv1
+ovn-nbctl lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24
+
+ovn-nbctl ls-add S1
+ovn-nbctl lsp-add S1 S1-R1
+ovn-nbctl lsp-set-type S1-R1 router
+ovn-nbctl lsp-set-addresses S1-R1 "02:ac:10:01:00:01 172.16.1.1"
+ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1 nat-addresses="router"
+ovn-nbctl lsp-add S1 S1-VIF
+ovn-nbctl lsp-set-addresses S1-VIF "02:ac:10:01:00:02 unkown"
+
+AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport = "_MC_flood_l2"; output;)'], [1])
+
+ovn-nbctl --wait=sb set Logical_Switch S1 \
+                    other_config:broadcast-arps-to-all-routers=false
+
+AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport = "_MC_flood_l2"; output;)'], [0])
+
+ovn-nbctl --wait=sb set Logical_Switch S1 \
+                    other_config:broadcast-arps-to-all-routers=true
+
+AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport = "_MC_flood_l2"; output;)'], [1])
+
+AT_CLEANUP
+])
+
 OVN_FOR_EACH_NORTHD_NO_HV([
 AT_SETUP([ACL log replies -- flows])
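Review bot: `lsp-set-addresses S1-VIF "02:ac:10:01:00:02 unkown"` misspells the `unknown` keyword, so the VIF does not get the unknown-address behaviour the test presumably wants; fix the typo. The `ovn-nbctl` calls should also be wrapped in `check` so a failing command fails the test instead of being ignored, and the first `AT_CHECK` runs right after `lsp-set-addresses S1-VIF` without a `--wait=sb`, so it can race with northd; add `check ovn-nbctl --wait=sb sync` before it. Finally, the long grep pattern is repeated three times; a shell variable or a small macro would keep the three assertions in sync.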