From patchwork Fri Jun 11 14:31:53 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
X-Patchwork-Id: 1490984
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org
 (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org;
 envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=UoLfrARf;
	dkim-atps=neutral
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4G1jwk4z08z9sVb
	for <incoming@patchwork.ozlabs.org>; Sat, 12 Jun 2021 00:32:22 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by smtp2.osuosl.org (Postfix) with ESMTP id 6CCD340502;
	Fri, 11 Jun 2021 14:32:20 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp2.osuosl.org ([127.0.0.1])
	by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id YfukrBF0hJp6; Fri, 11 Jun 2021 14:32:19 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org
 [IPv6:2605:bc80:3010:104::8cd3:938])
	by smtp2.osuosl.org (Postfix) with ESMTPS id 7CFC9404E8;
	Fri, 11 Jun 2021 14:32:18 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id E722DC0026;
	Fri, 11 Jun 2021 14:32:16 +0000 (UTC)
X-Original-To: ovs-dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 68CD0C000B
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:15 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id C91194159B
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:05 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Authentication-Results: smtp4.osuosl.org (amavisd-new);
 dkim=pass (1024-bit key) header.d=redhat.com
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 8y8KnQLWeP2b for <ovs-dev@openvswitch.org>;
 Fri, 11 Jun 2021 14:32:04 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 9EA3E415AF
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1623421923;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=X/x93DrL4OHFDZ/rZCYpuN9AA0hHZUdExychRkCMIKs=;
 b=UoLfrARfcot9G2fgG0BXw+WButkjE5JmXSM163o/exFpC94GyIqpm43230S2iqGhohwlJT
 jFhTmIgaOY/SxqClPc+NSGAV+738wePOlO1vLmIkwk9lchLYRHQe3Z3BPlqqYNDvFQgeo2
 fJlM4Cm9NP5NvBFFJMyZuCmkF05SIqw=
Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com
 [209.85.208.71]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-264-6QxDhTynNkuz9rQFg_ZJFQ-1; Fri, 11 Jun 2021 10:32:02 -0400
X-MC-Unique: 6QxDhTynNkuz9rQFg_ZJFQ-1
Received: by mail-ed1-f71.google.com with SMTP id
 s25-20020aa7c5590000b0290392e051b029so10964923edr.11
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 07:32:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=X/x93DrL4OHFDZ/rZCYpuN9AA0hHZUdExychRkCMIKs=;
 b=Cm9lm8Ig21+OO3K5sfDLljCYxgA3TVn3rr4T8Z09xRFQIqBVH3Js2aZBv7XpCtPsuV
 +pYdHLH03rOoJ787HnrMLZZtoGZb2FcWF8l8nKU2S7GNCmwXxQLTNhKQWVhGIXi5YxH8
 e33zerLYHH5mtRTpTC92cmoYiVsoxGyIeZnH3VrGHg9oO7ynpLW1iOzoDIXW93YILKAh
 8hG9aNX5VGK5V+eL5s48MIXsMemMvUJZmEt09Z5xSkD8Opf4VYbf8ZO+HiPA7uPla3gB
 +hSk9zOSdK6PX2hdA8GDaZuqqeGQoFPmjfO6PUpcsTS98WcsJZg+tLxGSeT8FeSf6QVh
 8tcQ==
X-Gm-Message-State: AOAM531tVfNSEfWf1MaOHbcI4xTYFO50O4TIfGarB19JkJ60rkJktFS4
 JEEX41YW5BBCEEPY8k6u9xYRltiiEvJs2CiT31lnwJU9JtOFzkuFu+rv1jcfR26H8G95G3ELW3o
 b/AkAoPmNz6hrTuQqYKaiLfoIKi/Bob9ns7FVZX2cb9OCUDq7KfmnJjV4KR5mx5NvKnKabZiT+k
 StctM+
X-Received: by 2002:a05:6402:510f:: with SMTP id
 m15mr4049020edd.283.1623421920818;
 Fri, 11 Jun 2021 07:32:00 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJzwk7GGhjDQQqz0Nf5deM+yXqJWdELWpAkZuLa0yDSx+vGBuk6GxYRqihq2obDShDQ6oqRgDw==
X-Received: by 2002:a05:6402:510f:: with SMTP id
 m15mr4048988edd.283.1623421920572;
 Fri, 11 Jun 2021 07:32:00 -0700 (PDT)
Received: from lore-desk.redhat.com (net-47-53-237-43.cust.vodafonedsl.it.
 [47.53.237.43])
 by smtp.gmail.com with ESMTPSA id d5sm2721586edt.49.2021.06.11.07.31.59
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 11 Jun 2021 07:32:00 -0700 (PDT)
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
To: ovs-dev@openvswitch.org
Date: Fri, 11 Jun 2021 16:31:53 +0200
Message-Id: 
 <ecdaab2d41d2c2c25e581f467dd1a46d01d87fed.1623420545.git.lorenzo.bianconi@redhat.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <cover.1623420545.git.lorenzo.bianconi@redhat.com>
References: <cover.1623420545.git.lorenzo.bianconi@redhat.com>
MIME-Version: 1.0
Authentication-Results: relay.mimecast.com;
 auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lorenzo.bianconi@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Subject: [ovs-dev] [PATCH v3 1/3] northd: introduce
	build_check_pkt_len_flows_for_lrp routine
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

Introduce build_check_pkt_len_flows_for_lrp routine to configure
check_pkt_larger logical flow for a given logical port. This is a
preliminary patch to enable check_pkt_larger support for gw router
use case.

Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
 northd/ovn-northd.c | 181 +++++++++++++++++++++++---------------------
 1 file changed, 95 insertions(+), 86 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index d872f6a3c..512ec4a32 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -10422,6 +10422,99 @@ build_arp_resolve_flows_for_lrouter_port(
 
 }
 
+static void
+build_check_pkt_len_flows_for_lrp(struct ovn_port *op,
+                                  struct hmap *lflows, struct hmap *ports,
+                                  struct ds *match, struct ds *actions)
+{
+    int gw_mtu = 0;
+
+    if (op->nbrp) {
+         gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0);
+    }
+    /* Add the flows only if gateway_mtu is configured. */
+    if (gw_mtu <= 0) {
+        return;
+    }
+
+    ds_clear(match);
+    ds_put_format(match, "outport == %s", op->json_key);
+
+    ds_clear(actions);
+    ds_put_format(actions,
+                  REGBIT_PKT_LARGER" = check_pkt_larger(%d);"
+                  " next;", gw_mtu + VLAN_ETH_HEADER_LEN);
+    ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_CHK_PKT_LEN, 50,
+                            ds_cstr(match), ds_cstr(actions),
+                            &op->nbrp->header_);
+
+    for (size_t i = 0; i < op->od->nbr->n_ports; i++) {
+        struct ovn_port *rp = ovn_port_find(ports,
+                                            op->od->nbr->ports[i]->name);
+        if (!rp || rp == op) {
+            continue;
+        }
+
+        if (rp->lrp_networks.ipv4_addrs) {
+            ds_clear(match);
+            ds_put_format(match, "inport == %s && outport == %s"
+                          " && ip4 && "REGBIT_PKT_LARGER,
+                          rp->json_key, op->json_key);
+
+            ds_clear(actions);
+            /* Set icmp4.frag_mtu to gw_mtu */
+            ds_put_format(actions,
+                "icmp4_error {"
+                REGBIT_EGRESS_LOOPBACK" = 1; "
+                "eth.dst = %s; "
+                "ip4.dst = ip4.src; "
+                "ip4.src = %s; "
+                "ip.ttl = 255; "
+                "icmp4.type = 3; /* Destination Unreachable. */ "
+                "icmp4.code = 4; /* Frag Needed and DF was Set. */ "
+                "icmp4.frag_mtu = %d; "
+                "next(pipeline=ingress, table=%d); };",
+                rp->lrp_networks.ea_s,
+                rp->lrp_networks.ipv4_addrs[0].addr_s,
+                gw_mtu,
+                ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
+            ovn_lflow_add_with_hint(lflows, op->od,
+                                    S_ROUTER_IN_LARGER_PKTS, 50,
+                                    ds_cstr(match), ds_cstr(actions),
+                                    &rp->nbrp->header_);
+        }
+
+        if (rp->lrp_networks.ipv6_addrs) {
+            ds_clear(match);
+            ds_put_format(match, "inport == %s && outport == %s"
+                          " && ip6 && "REGBIT_PKT_LARGER,
+                          rp->json_key, op->json_key);
+
+            ds_clear(actions);
+            /* Set icmp6.frag_mtu to gw_mtu */
+            ds_put_format(actions,
+                "icmp6_error {"
+                REGBIT_EGRESS_LOOPBACK" = 1; "
+                "eth.dst = %s; "
+                "ip6.dst = ip6.src; "
+                "ip6.src = %s; "
+                "ip.ttl = 255; "
+                "icmp6.type = 2; /* Packet Too Big. */ "
+                "icmp6.code = 0; "
+                "icmp6.frag_mtu = %d; "
+                "next(pipeline=ingress, table=%d); };",
+                rp->lrp_networks.ea_s,
+                rp->lrp_networks.ipv6_addrs[0].addr_s,
+                gw_mtu,
+                ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
+            ovn_lflow_add_with_hint(lflows, op->od,
+                                    S_ROUTER_IN_LARGER_PKTS, 50,
+                                    ds_cstr(match), ds_cstr(actions),
+                                    &rp->nbrp->header_);
+        }
+    }
+}
+
 /* Local router ingress table CHK_PKT_LEN: Check packet length.
  *
  * Any IPv4 packet with outport set to the distributed gateway
@@ -10450,92 +10543,8 @@ build_check_pkt_len_flows_for_lrouter(
                       "next;");
 
         if (od->l3dgw_port && od->l3redirect_port) {
-            int gw_mtu = 0;
-            if (od->l3dgw_port->nbrp) {
-                 gw_mtu = smap_get_int(&od->l3dgw_port->nbrp->options,
-                                       "gateway_mtu", 0);
-            }
-            /* Add the flows only if gateway_mtu is configured. */
-            if (gw_mtu <= 0) {
-                return;
-            }
-
-            ds_clear(match);
-            ds_put_format(match, "outport == %s", od->l3dgw_port->json_key);
-
-            ds_clear(actions);
-            ds_put_format(actions,
-                          REGBIT_PKT_LARGER" = check_pkt_larger(%d);"
-                          " next;", gw_mtu + VLAN_ETH_HEADER_LEN);
-            ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_CHK_PKT_LEN, 50,
-                                    ds_cstr(match), ds_cstr(actions),
-                                    &od->l3dgw_port->nbrp->header_);
-
-            for (size_t i = 0; i < od->nbr->n_ports; i++) {
-                struct ovn_port *rp = ovn_port_find(ports,
-                                                    od->nbr->ports[i]->name);
-                if (!rp || rp == od->l3dgw_port) {
-                    continue;
-                }
-
-                if (rp->lrp_networks.ipv4_addrs) {
-                    ds_clear(match);
-                    ds_put_format(match, "inport == %s && outport == %s"
-                                  " && ip4 && "REGBIT_PKT_LARGER,
-                                  rp->json_key, od->l3dgw_port->json_key);
-
-                    ds_clear(actions);
-                    /* Set icmp4.frag_mtu to gw_mtu */
-                    ds_put_format(actions,
-                        "icmp4_error {"
-                        REGBIT_EGRESS_LOOPBACK" = 1; "
-                        "eth.dst = %s; "
-                        "ip4.dst = ip4.src; "
-                        "ip4.src = %s; "
-                        "ip.ttl = 255; "
-                        "icmp4.type = 3; /* Destination Unreachable. */ "
-                        "icmp4.code = 4; /* Frag Needed and DF was Set. */ "
-                        "icmp4.frag_mtu = %d; "
-                        "next(pipeline=ingress, table=%d); };",
-                        rp->lrp_networks.ea_s,
-                        rp->lrp_networks.ipv4_addrs[0].addr_s,
-                        gw_mtu,
-                        ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
-                    ovn_lflow_add_with_hint(lflows, od,
-                                            S_ROUTER_IN_LARGER_PKTS, 50,
-                                            ds_cstr(match), ds_cstr(actions),
-                                            &rp->nbrp->header_);
-                }
-
-                if (rp->lrp_networks.ipv6_addrs) {
-                    ds_clear(match);
-                    ds_put_format(match, "inport == %s && outport == %s"
-                                  " && ip6 && "REGBIT_PKT_LARGER,
-                                  rp->json_key, od->l3dgw_port->json_key);
-
-                    ds_clear(actions);
-                    /* Set icmp6.frag_mtu to gw_mtu */
-                    ds_put_format(actions,
-                        "icmp6_error {"
-                        REGBIT_EGRESS_LOOPBACK" = 1; "
-                        "eth.dst = %s; "
-                        "ip6.dst = ip6.src; "
-                        "ip6.src = %s; "
-                        "ip.ttl = 255; "
-                        "icmp6.type = 2; /* Packet Too Big. */ "
-                        "icmp6.code = 0; "
-                        "icmp6.frag_mtu = %d; "
-                        "next(pipeline=ingress, table=%d); };",
-                        rp->lrp_networks.ea_s,
-                        rp->lrp_networks.ipv6_addrs[0].addr_s,
-                        gw_mtu,
-                        ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
-                    ovn_lflow_add_with_hint(lflows, od,
-                                            S_ROUTER_IN_LARGER_PKTS, 50,
-                                            ds_cstr(match), ds_cstr(actions),
-                                            &rp->nbrp->header_);
-                }
-            }
+            build_check_pkt_len_flows_for_lrp(od->l3dgw_port, lflows,
+                                              ports, match, actions);
         }
     }
 }

From patchwork Fri Jun 11 14:31:54 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
X-Patchwork-Id: 1490983
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org
 (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;
 envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=CDuxllQe;
	dkim-atps=neutral
Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4G1jwh2fjrz9sVb
	for <incoming@patchwork.ozlabs.org>; Sat, 12 Jun 2021 00:32:20 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by smtp3.osuosl.org (Postfix) with ESMTP id D32FD60AC3;
	Fri, 11 Jun 2021 14:32:17 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp3.osuosl.org ([127.0.0.1])
	by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id HYqfhqUI2rOH; Fri, 11 Jun 2021 14:32:17 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
	by smtp3.osuosl.org (Postfix) with ESMTPS id 233E0606B8;
	Fri, 11 Jun 2021 14:32:16 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id 04B0DC000F;
	Fri, 11 Jun 2021 14:32:16 +0000 (UTC)
X-Original-To: ovs-dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 047ABC000D
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:14 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id D834383E0E
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:12 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Authentication-Results: smtp1.osuosl.org (amavisd-new);
 dkim=pass (1024-bit key) header.d=redhat.com
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id iGR7hRqWriix for <ovs-dev@openvswitch.org>;
 Fri, 11 Jun 2021 14:32:11 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by smtp1.osuosl.org (Postfix) with ESMTPS id A6A0F83E1C
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1623421930;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=+vnfx6ulU+uYMqQAs1PH1Akoe/Ay5HadHoPy6c9bQQ0=;
 b=CDuxllQeX78u6QLuKZOeCG12B5k95P4LdhP1TBlHqEEb86CQMnGpEh/klnf/jp+RBstPef
 sQvvtigpuZN3j8CUuTFhPPzvgrrLx0ycb8ClaX5WJkn/I47w6Bl3f84Z+JGO/Ia12b0W8d
 FMmidbapfxu8JiIIr0WdhG38Sr72XCE=
Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com
 [209.85.208.69]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-120-Y27u057-PLOE4Q8SS_eZZA-1; Fri, 11 Jun 2021 10:32:03 -0400
X-MC-Unique: Y27u057-PLOE4Q8SS_eZZA-1
Received: by mail-ed1-f69.google.com with SMTP id
 ch5-20020a0564021bc5b029039389929f28so8175292edb.16
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 07:32:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=+vnfx6ulU+uYMqQAs1PH1Akoe/Ay5HadHoPy6c9bQQ0=;
 b=A+cjkMK4F0OaxsACrmSDD4Frw5FHrF6V9gp7GxHlwntiWkxl3CEtnkOdS/akSkap+e
 6ZEU6I824XLEnmKxGJyvg3mq4HgDLOQjzVxWKTkQJtv5cmt2npxJsDQdm9+1hgaMMgz0
 c/AGjCRJFVoiUDGivZkQ7KB+bCm7oyAf7o/I7Jz9DADjgcCxIa/PTbWYwq0T/nlNlYZM
 XzB0urvi+wyvWtxCPBVZdmIbnUPUxBca3f+bt+MQrx4kWbSyf1z9BN9sge3iku4P0UmS
 qgpudWl8aI43hEvCbiLtlDCpVLLz1aOt87wnmNo5fZer4GQMYWq4bxgqprTDMildevrw
 fQpQ==
X-Gm-Message-State: AOAM532h2cTFwBHONAx2geqzwYlVgCNWOeaCnbk0+I5w+jlYxvtjh+ap
 BT8ztDkEAI3EPVu7VM3qwtglTpXnSoKJn/rxVDFgikHYl+hMRexUozVvzk40U+dUSO0CCgkKmbn
 ezV2P9dGzS/hh418HzJnYxeoXiNWK5VyewARpzJZ1HjsUrfd3N+xSTy/SxlWd1GWwbI9L/VQsKC
 MfWzPY
X-Received: by 2002:aa7:dd1a:: with SMTP id i26mr4079900edv.358.1623421922088;
 Fri, 11 Jun 2021 07:32:02 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJwG2C1by6Pu0kpre3gYxbt8fzfHDgqHz5N7Ud1ReH28SjuRc2epi7eTgJ9jRtfuWbdEfkoqlw==
X-Received: by 2002:aa7:dd1a:: with SMTP id i26mr4079870edv.358.1623421921830;
 Fri, 11 Jun 2021 07:32:01 -0700 (PDT)
Received: from lore-desk.redhat.com (net-47-53-237-43.cust.vodafonedsl.it.
 [47.53.237.43])
 by smtp.gmail.com with ESMTPSA id d5sm2721586edt.49.2021.06.11.07.32.01
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 11 Jun 2021 07:32:01 -0700 (PDT)
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
To: ovs-dev@openvswitch.org
Date: Fri, 11 Jun 2021 16:31:54 +0200
Message-Id: 
 <2280175bfbb0f010c0c6d3b850aba9c8ff8d9c2b.1623420545.git.lorenzo.bianconi@redhat.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <cover.1623420545.git.lorenzo.bianconi@redhat.com>
References: <cover.1623420545.git.lorenzo.bianconi@redhat.com>
MIME-Version: 1.0
Authentication-Results: relay.mimecast.com;
 auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lorenzo.bianconi@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Subject: [ovs-dev] [PATCH v3 2/3] northd: enable check_pkt_larger for gw
	router
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

As it is already done for distributed gw router scenario, introduce
check_pkt_larger logical flows for gw router use case.

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
 northd/ovn-northd.c | 31 +++++++++++++++++++++---------
 tests/ovn.at        | 47 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 9 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 512ec4a32..23367dbb0 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -10534,17 +10534,30 @@ build_check_pkt_len_flows_for_lrouter(
         struct hmap *ports,
         struct ds *match, struct ds *actions)
 {
-    if (od->nbr) {
+    if (!od->nbr) {
+        return;
+    }
 
-        /* Packets are allowed by default. */
-        ovn_lflow_add(lflows, od, S_ROUTER_IN_CHK_PKT_LEN, 0, "1",
-                      "next;");
-        ovn_lflow_add(lflows, od, S_ROUTER_IN_LARGER_PKTS, 0, "1",
-                      "next;");
+    /* Packets are allowed by default. */
+    ovn_lflow_add(lflows, od, S_ROUTER_IN_CHK_PKT_LEN, 0, "1",
+                  "next;");
+    ovn_lflow_add(lflows, od, S_ROUTER_IN_LARGER_PKTS, 0, "1",
+                  "next;");
 
-        if (od->l3dgw_port && od->l3redirect_port) {
-            build_check_pkt_len_flows_for_lrp(od->l3dgw_port, lflows,
-                                              ports, match, actions);
+    if (od->l3dgw_port && od->l3redirect_port) {
+        /* gw router port */
+        build_check_pkt_len_flows_for_lrp(od->l3dgw_port, lflows,
+                                          ports, match, actions);
+    } else if (smap_get(&od->nbr->options, "chassis")) {
+        for (size_t i = 0; i < od->nbr->n_ports; i++) {
+            /* gw router */
+            struct ovn_port *rp = ovn_port_find(ports,
+                                                od->nbr->ports[i]->name);
+            if (!rp) {
+                continue;
+            }
+            build_check_pkt_len_flows_for_lrp(rp, lflows, ports, match,
+                                              actions);
         }
     }
 }
diff --git a/tests/ovn.at b/tests/ovn.at
index 11a85c457..5c3ed2633 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -16408,6 +16408,53 @@ for mtu in 100 500 118; do
     test_ip6_packet_larger $mtu
 done
 
+ovn-nbctl lsp-del sw0-lr0
+
+ovn-nbctl lr-del lr0
+ovn-nbctl create Logical_Router name=lr1 options:chassis="hv1"
+ovn-nbctl lrp-add lr1 lr1-sw0 00:00:00:00:ff:01 10.0.0.1/24 1000::1/64
+ovn-nbctl lsp-add sw0 sw0-lr1
+ovn-nbctl lsp-set-type sw0-lr1 router
+ovn-nbctl lsp-set-addresses sw0-lr1 router
+ovn-nbctl lsp-set-options sw0-lr1 router-port=lr1-sw0
+
+ovn-nbctl lrp-add lr1 lr1-public 00:00:20:20:12:13 172.168.0.100/24 2000::1/64
+ovn-nbctl lsp-del public-lr0
+ovn-nbctl lsp-add public public-lr1
+ovn-nbctl lsp-set-type public-lr1 router
+ovn-nbctl lsp-set-addresses public-lr1 router
+ovn-nbctl lsp-set-options public-lr1 router-port=lr1-public
+
+ovn-nbctl lr-nat-add lr1 snat 172.168.0.100 10.0.0.0/24
+ovn-nbctl lr-nat-add lr1 snat 2000::1 1000::/64
+
+dp_uuid=$(ovn-sbctl find datapath_binding | grep sw0 -B2 | grep _uuid | \
+awk '{print $3}')
+ovn-sbctl create MAC_Binding ip=172.168.0.3 datapath=$dp_uuid \
+logical_port=lr1-public mac="00\:00\:00\:12\:af\:11"
+
+# Try different gateway mtus and send a 142-byte packet (corresponding
+# to a 124-byte MTU).  If the MTU is less than 124, ovn-controller
+# should send icmp host not reachable with pmtu set to $mtu.
+for mtu in 100 500 118; do
+    AS_BOX([testing gw mtu $mtu])
+    check ovn-nbctl --wait=hv set logical_router_port lr1-public options:gateway_mtu=$mtu
+    ovn-sbctl dump-flows > sbflows-gw-$mtu
+    AT_CAPTURE_FILE([sbflows-gw-$mtu])
+
+    OVS_WAIT_FOR_OUTPUT([
+        as hv1 ovs-ofctl dump-flows br-int > br-int-gw-flows-$mtu
+        AT_CAPTURE_FILE([br-int-gw-flows-$mtu])
+        grep "check_pkt_larger($(expr $mtu + 18))" br-int-gw-flows-$mtu | wc -l], [0], [1
+])
+
+    AS_BOX([testing gw mtu $mtu - IPv4])
+    test_ip_packet_larger $mtu
+
+    AS_BOX([testing gw mtu $mtu - IPv6])
+    test_ip6_packet_larger $mtu
+done
+
 OVN_CLEANUP([hv1])
 AT_CLEANUP
 ])

From patchwork Fri Jun 11 14:31:55 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
X-Patchwork-Id: 1490986
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org
 (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;
 envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256
 header.s=mimecast20190719 header.b=YmrF/upG;
	dkim-atps=neutral
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4G1jwr3rssz9sVb
	for <incoming@patchwork.ozlabs.org>; Sat, 12 Jun 2021 00:32:28 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by smtp4.osuosl.org (Postfix) with ESMTP id 90C49415CF;
	Fri, 11 Jun 2021 14:32:25 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp4.osuosl.org ([127.0.0.1])
	by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id p2AupHYzBsze; Fri, 11 Jun 2021 14:32:22 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
	by smtp4.osuosl.org (Postfix) with ESMTPS id 351F441583;
	Fri, 11 Jun 2021 14:32:21 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id CA0F0C002E;
	Fri, 11 Jun 2021 14:32:18 +0000 (UTC)
X-Original-To: ovs-dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 200F6C000F
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:17 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id 93DEE404E8
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:16 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Authentication-Results: smtp2.osuosl.org (amavisd-new);
 dkim=pass (1024-bit key) header.d=redhat.com
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id wVTHIIO2UVPq for <ovs-dev@openvswitch.org>;
 Fri, 11 Jun 2021 14:32:15 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by smtp2.osuosl.org (Postfix) with ESMTPS id 6221C40259
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 14:32:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1623421934;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=iRbx94OZrl22e4vVMU38Hjoum/9l6yJtaJngAsa2SDY=;
 b=YmrF/upGqEpQFOqxcna/lxtWit86stghh3Yti+sTyJ5JoLO/vujoJt3laNclDDo/SDBRxX
 QteZwqS7iYW2cJcRMgHwGABPjhf1oBWkmwb467xUb8pljMj2i5CvmXFojfi8Xqs/x8BZRc
 sdbn0efOfYBN/3XxSBL2DwVozM3szjY=
Received: from mail-ej1-f72.google.com (mail-ej1-f72.google.com
 [209.85.218.72]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-410-t94uU7SoO1iWUZAu6tI5Pw-1; Fri, 11 Jun 2021 10:32:08 -0400
X-MC-Unique: t94uU7SoO1iWUZAu6tI5Pw-1
Received: by mail-ej1-f72.google.com with SMTP id
 nd10-20020a170907628ab02903a324b229bfso1238202ejc.7
 for <ovs-dev@openvswitch.org>; Fri, 11 Jun 2021 07:32:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=iRbx94OZrl22e4vVMU38Hjoum/9l6yJtaJngAsa2SDY=;
 b=Yr3jqjGQy84ZLuAjKz6u3hHiPovw8ocd26iFA/aAMFDmQTMrE2x+zBS4uZq+ZdOpJ9
 T6iQdj8G1xuL3VBH1MEf9G/+2TzmPiFba6YwxbLWe9au/vD7+Ymdxtmc88FEm21NIEU9
 NZ20jJTGGwkHErQLX0OIZVEEpv48fq3iasJwRvmHqlvQ/miZPZgOsT8rERoFwiV1qZzl
 up8A/p5tkV4Tf8C5YIE1Q0U0/w3jsWEI03OdCY67hYscZbBUkUv0l3LFj8ifMfrmNDeG
 k+eWIFHULTbU3r4C9hFSKNo77hhh9TU9iw8zvvZV5EVG2sQg5dUr7cS8z0hwCg7XFsH6
 Ty3w==
X-Gm-Message-State: AOAM533mh5Hpaucy2XCNVkZedKmL0mwMxXMqk0JzJQ6CODEseN60IDqK
 TYSUWw3L/bKxR1BCeptTBk4Ds/k1mPJBNgJZynfJ0ut+c/8WWvkb78QYWgS288LTJqK4T+ve66y
 f9dNFElkA6pTf5Yp0zvkRE533+Yad6yBZ1YhWdM56AhrNH9jmjbtP9Jk07jPL+R7hNmwe9QQSSQ
 7S9rLL
X-Received: by 2002:a17:906:509:: with SMTP id
 j9mr3878805eja.149.1623421926506;
 Fri, 11 Jun 2021 07:32:06 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJy0u0L9Do5MvZA1elZ2yp39hG6b2fwCzuHZNbG7TaABWIdhVyT1jzaVXpsIfJl6q2k7YxiucQ==
X-Received: by 2002:a17:906:509:: with SMTP id
 j9mr3878763eja.149.1623421926112;
 Fri, 11 Jun 2021 07:32:06 -0700 (PDT)
Received: from lore-desk.redhat.com (net-47-53-237-43.cust.vodafonedsl.it.
 [47.53.237.43])
 by smtp.gmail.com with ESMTPSA id d5sm2721586edt.49.2021.06.11.07.32.05
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 11 Jun 2021 07:32:05 -0700 (PDT)
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
To: ovs-dev@openvswitch.org
Date: Fri, 11 Jun 2021 16:31:55 +0200
Message-Id: 
 <42a54f0abac560ad8a20991a05b30c5e0cdecc97.1623420545.git.lorenzo.bianconi@redhat.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <cover.1623420545.git.lorenzo.bianconi@redhat.com>
References: <cover.1623420545.git.lorenzo.bianconi@redhat.com>
MIME-Version: 1.0
Authentication-Results: relay.mimecast.com;
 auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lorenzo.bianconi@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Subject: [ovs-dev] [PATCH v3 3/3] northd: add check_pkt_larger lflows for
	ingress traffic
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

Introduce check_pkt_larger action for ingress traffic
entering the cluster from a distributed gw router port
or from a gw router. This patch enables pMTU discovery
for ingress traffic.

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
 northd/ovn-northd.c | 166 ++++++++++++++++++++++++++------------------
 tests/ovn.at        | 137 ++++++++++++++++++++++++++++++++++--
 2 files changed, 231 insertions(+), 72 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 23367dbb0..a9b046898 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -9501,6 +9501,10 @@ build_adm_ctrl_flows_for_lrouter(
     }
 }
 
+static void
+build_check_pkt_len_action_string(struct ovn_port *op, int *pmtu,
+                                  struct ds *actions);
+
 /* Logical router ingress Table 0: L2 Admission Control
  * This table drops packets that the router shouldn’t see at all based
  * on their Ethernet headers.
@@ -9528,6 +9532,8 @@ build_adm_ctrl_flows_for_lrouter_port(
          * the pipeline.
          */
         ds_clear(actions);
+
+        build_check_pkt_len_action_string(op, NULL, actions);
         ds_put_format(actions, REG_INPORT_ETH_ADDR " = %s; next;",
                       op->lrp_networks.ea_s);
 
@@ -10422,32 +10428,110 @@ build_arp_resolve_flows_for_lrouter_port(
 
 }
 
+static void
+build_icmperr_pkt_big_flows(struct ovn_port *op, int mtu, struct hmap *lflows,
+                            struct ds *match, struct ds *actions,
+                            enum ovn_stage stage)
+{
+    if (op->lrp_networks.ipv4_addrs) {
+        ds_clear(match);
+        ds_put_format(match,
+                      "inport == %s && ip4 && "REGBIT_PKT_LARGER
+                      " && !"REGBIT_EGRESS_LOOPBACK, op->json_key);
+
+        ds_clear(actions);
+        /* Set icmp4.frag_mtu to gw_mtu */
+        ds_put_format(actions,
+            "icmp4_error {"
+            REGBIT_EGRESS_LOOPBACK" = 1; "
+            REGBIT_PKT_LARGER" = 0; "
+            "eth.dst = %s; "
+            "ip4.dst = ip4.src; "
+            "ip4.src = %s; "
+            "ip.ttl = 255; "
+            "icmp4.type = 3; /* Destination Unreachable. */ "
+            "icmp4.code = 4; /* Frag Needed and DF was Set. */ "
+            "icmp4.frag_mtu = %d; "
+            "next(pipeline=ingress, table=%d); };",
+            op->lrp_networks.ea_s,
+            op->lrp_networks.ipv4_addrs[0].addr_s,
+            mtu, ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
+        ovn_lflow_add_with_hint(lflows, op->od, stage, 150,
+                                ds_cstr(match), ds_cstr(actions),
+                                &op->nbrp->header_);
+    }
+
+    if (op->lrp_networks.ipv6_addrs) {
+        ds_clear(match);
+        ds_put_format(match, "inport == %s && ip6 && "REGBIT_PKT_LARGER
+                      " && !"REGBIT_EGRESS_LOOPBACK, op->json_key);
+
+        ds_clear(actions);
+        /* Set icmp6.frag_mtu to gw_mtu */
+        ds_put_format(actions,
+            "icmp6_error {"
+            REGBIT_EGRESS_LOOPBACK" = 1; "
+            REGBIT_PKT_LARGER" = 0; "
+            "eth.dst = %s; "
+            "ip6.dst = ip6.src; "
+            "ip6.src = %s; "
+            "ip.ttl = 255; "
+            "icmp6.type = 2; /* Packet Too Big. */ "
+            "icmp6.code = 0; "
+            "icmp6.frag_mtu = %d; "
+            "next(pipeline=ingress, table=%d); };",
+            op->lrp_networks.ea_s,
+            op->lrp_networks.ipv6_addrs[0].addr_s,
+            mtu, ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
+        ovn_lflow_add_with_hint(lflows, op->od, stage, 150,
+                                ds_cstr(match), ds_cstr(actions),
+                                &op->nbrp->header_);
+    }
+}
+
+static void
+build_check_pkt_len_action_string(struct ovn_port *op, int *pmtu,
+                                  struct ds *actions)
+{
+    int gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0);
+
+    if (gw_mtu > 0) {
+        /* Add the flows only if gateway_mtu is configured. */
+        ds_put_format(actions,
+                      REGBIT_PKT_LARGER" = check_pkt_larger(%d); ",
+                      gw_mtu + VLAN_ETH_HEADER_LEN);
+    }
+    if (pmtu) {
+        *pmtu = gw_mtu;
+    }
+}
+
 static void
 build_check_pkt_len_flows_for_lrp(struct ovn_port *op,
                                   struct hmap *lflows, struct hmap *ports,
                                   struct ds *match, struct ds *actions)
 {
-    int gw_mtu = 0;
+    int gw_mtu;
 
-    if (op->nbrp) {
-         gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0);
-    }
-    /* Add the flows only if gateway_mtu is configured. */
+    ds_clear(actions);
+    build_check_pkt_len_action_string(op, &gw_mtu, actions);
     if (gw_mtu <= 0) {
         return;
     }
 
+    ds_put_format(actions, "next;");
+
     ds_clear(match);
     ds_put_format(match, "outport == %s", op->json_key);
 
-    ds_clear(actions);
-    ds_put_format(actions,
-                  REGBIT_PKT_LARGER" = check_pkt_larger(%d);"
-                  " next;", gw_mtu + VLAN_ETH_HEADER_LEN);
     ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_CHK_PKT_LEN, 50,
                             ds_cstr(match), ds_cstr(actions),
                             &op->nbrp->header_);
 
+    /* ingress traffic */
+    build_icmperr_pkt_big_flows(op, gw_mtu, lflows, match, actions,
+                                S_ROUTER_IN_IP_INPUT);
+
     for (size_t i = 0; i < op->od->nbr->n_ports; i++) {
         struct ovn_port *rp = ovn_port_find(ports,
                                             op->od->nbr->ports[i]->name);
@@ -10455,63 +10539,9 @@ build_check_pkt_len_flows_for_lrp(struct ovn_port *op,
             continue;
         }
 
-        if (rp->lrp_networks.ipv4_addrs) {
-            ds_clear(match);
-            ds_put_format(match, "inport == %s && outport == %s"
-                          " && ip4 && "REGBIT_PKT_LARGER,
-                          rp->json_key, op->json_key);
-
-            ds_clear(actions);
-            /* Set icmp4.frag_mtu to gw_mtu */
-            ds_put_format(actions,
-                "icmp4_error {"
-                REGBIT_EGRESS_LOOPBACK" = 1; "
-                "eth.dst = %s; "
-                "ip4.dst = ip4.src; "
-                "ip4.src = %s; "
-                "ip.ttl = 255; "
-                "icmp4.type = 3; /* Destination Unreachable. */ "
-                "icmp4.code = 4; /* Frag Needed and DF was Set. */ "
-                "icmp4.frag_mtu = %d; "
-                "next(pipeline=ingress, table=%d); };",
-                rp->lrp_networks.ea_s,
-                rp->lrp_networks.ipv4_addrs[0].addr_s,
-                gw_mtu,
-                ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
-            ovn_lflow_add_with_hint(lflows, op->od,
-                                    S_ROUTER_IN_LARGER_PKTS, 50,
-                                    ds_cstr(match), ds_cstr(actions),
-                                    &rp->nbrp->header_);
-        }
-
-        if (rp->lrp_networks.ipv6_addrs) {
-            ds_clear(match);
-            ds_put_format(match, "inport == %s && outport == %s"
-                          " && ip6 && "REGBIT_PKT_LARGER,
-                          rp->json_key, op->json_key);
-
-            ds_clear(actions);
-            /* Set icmp6.frag_mtu to gw_mtu */
-            ds_put_format(actions,
-                "icmp6_error {"
-                REGBIT_EGRESS_LOOPBACK" = 1; "
-                "eth.dst = %s; "
-                "ip6.dst = ip6.src; "
-                "ip6.src = %s; "
-                "ip.ttl = 255; "
-                "icmp6.type = 2; /* Packet Too Big. */ "
-                "icmp6.code = 0; "
-                "icmp6.frag_mtu = %d; "
-                "next(pipeline=ingress, table=%d); };",
-                rp->lrp_networks.ea_s,
-                rp->lrp_networks.ipv6_addrs[0].addr_s,
-                gw_mtu,
-                ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
-            ovn_lflow_add_with_hint(lflows, op->od,
-                                    S_ROUTER_IN_LARGER_PKTS, 50,
-                                    ds_cstr(match), ds_cstr(actions),
-                                    &rp->nbrp->header_);
-        }
+        /* egress traffic */
+        build_icmperr_pkt_big_flows(rp, gw_mtu, lflows, match, actions,
+                                    S_ROUTER_IN_LARGER_PKTS);
     }
 }
 
@@ -11579,8 +11609,10 @@ build_lrouter_ingress_flow(struct hmap *lflows, struct ovn_datapath *od,
         * down in the pipeline.
         */
         ds_clear(actions);
+
+        build_check_pkt_len_action_string(od->l3dgw_port, NULL, actions);
         ds_put_format(actions, REG_INPORT_ETH_ADDR " = %s; next;",
-                    od->l3dgw_port->lrp_networks.ea_s);
+                      od->l3dgw_port->lrp_networks.ea_s);
 
         ds_clear(match);
         ds_put_format(match,
diff --git a/tests/ovn.at b/tests/ovn.at
index 5c3ed2633..cf3cbd4d3 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -16312,6 +16312,52 @@ test_ip_packet_larger() {
     fi
 }
 
+test_ip_packet_larger_ext() {
+    local mtu=$1
+
+    # Send ip packet from sw0-port1 to outside
+    src_mac="00000012af11" # external mac
+    dst_mac="000020201213" # lr0-public mac
+    src_ip=`ip_to_hex 172 168 0 4`
+    dst_ip=`ip_to_hex 172 168 0 100`
+    # Set the packet length to 118.
+    pkt_len=0076
+    packet=${dst_mac}${src_mac}08004500${pkt_len}00000000400120cf
+    orig_packet_l3=${src_ip}${dst_ip}0900000000000000
+    orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+    orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+    orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+    orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+    orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
+    packet=${packet}${orig_packet_l3}
+
+    gw_ip_garp=ffffffffffff00002020121308060001080006040001000020201213aca80064000000000000aca80064
+    ext_ip_garp=ffffffffffff00000012af110806000108000604000100000012af11aca80004000000000000aca80004
+
+    src_ip=`ip_to_hex 172 168 0 100`
+    dst_ip=`ip_to_hex 172 168 0 4`
+    # pkt len should be 146 (28 (icmp packet) + 118 (orig ip + payload))
+    reply_pkt_len=0092
+    ip_csum=f397
+    icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe0122b2
+    icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf "%04x" $mtu)
+    icmp_reply=${icmp_reply}4500${pkt_len}00000000400120cf
+    icmp_reply=${icmp_reply}${orig_packet_l3}
+    echo $icmp_reply > br-phys_n1.expected
+
+    echo $gw_ip_garp >> br-phys_n1.expected
+
+    as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
+    as hv1 reset_pcap_file hv1-vif1 hv1/vif1
+
+    check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $ext_ip_garp
+    sleep 1
+    # Send packet from sw0-port1 to outside
+    check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $packet
+
+    OVN_CHECK_PACKETS([hv1/br-phys_n1-tx.pcap], [br-phys_n1.expected])
+}
+
 test_ip6_packet_larger() {
     local mtu=$1
 
@@ -16327,7 +16373,7 @@ test_ip6_packet_larger() {
     local payload=${payload}0000000000000000000000000000000000000000
     local payload=${payload}0000000000000000000000000000000000000000
 
-    local ip6_hdr=6000000000583aff${ipv6_src}${ipv6_dst}
+    local ip6_hdr=6000000000583afe${ipv6_src}${ipv6_dst}
     local packet=${eth_dst}${eth_src}86dd${ip6_hdr}8000ec7662f00001${payload}
 
     as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
@@ -16344,11 +16390,11 @@ test_ip6_packet_larger() {
     mtu_needed=$(expr ${packet_bytes} - 18)
     if test $mtu -lt $mtu_needed; then
         # First construct the inner IPv6 packet.
-        inner_ip6=6000000000583afe${ipv6_src}${ipv6_dst}
+        inner_ip6=6000000000583afd${ipv6_src}${ipv6_dst}
         inner_icmp6=8000000062f00001
         inner_icmp6_and_payload=$(icmp6_csum_inplace ${inner_icmp6}${payload} ${inner_ip6})
         inner_packet=${inner_ip6}${inner_icmp6_and_payload}
-        
+
         # Then the outer.
         outer_ip6=6000000000883afe${ipv6_rt}${ipv6_src}
         outer_icmp6_and_payload=$(icmp6_csum_inplace 020000000000$(printf "%04x" $mtu)${inner_packet} $outer_ip6)
@@ -16366,6 +16412,53 @@ test_ip6_packet_larger() {
     fi
 }
 
+test_ip6_packet_larger_ext() {
+    local mtu=$1
+
+    local eth_src=00000012af11
+    local eth_dst=000020201213
+
+    local ipv6_src=20000000000000000000000000000004
+    local ipv6_dst=20000000000000000000000000000001
+
+    local payload=0000000000000000000000000000000000000000
+    local payload=${payload}0000000000000000000000000000000000000000
+    local payload=${payload}0000000000000000000000000000000000000000
+    local payload=${payload}0000000000000000000000000000000000000000
+
+    local ip6_hdr=6000000000583afe${ipv6_src}${ipv6_dst}
+    local packet=${eth_dst}${eth_src}86dd${ip6_hdr}9000cc7662f00001${payload}
+
+    local ns=ffffffffffff00002020121308060001080006040001000020201213aca80064000000000000aca80064
+    echo $ns > br-phys_n1.expected
+
+    as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
+    as hv1 reset_pcap_file hv1-vif1 hv1/vif1
+
+    local na_ip6_hdr=6000000000203aff${ipv6_src}${ipv6_dst}
+    local na=${eth_dst}${eth_src}86dd${na_ip6_hdr}8800d78440000000${ipv6_src}0201${eth_src}
+    check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $na
+    sleep 1
+    check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $packet
+    AT_CAPTURE_FILE([trace-$mtu])
+
+    # First construct the inner IPv6 packet.
+    inner_ip6=6000000000583afe${ipv6_src}${ipv6_dst}
+    inner_icmp6=9000000062f00001
+    inner_icmp6_and_payload=$(icmp6_csum_inplace ${inner_icmp6}${payload} ${inner_ip6})
+    inner_packet=${inner_ip6}${inner_icmp6_and_payload}
+
+    # Then the outer.
+    outer_ip6=6000000000883afe${ipv6_dst}${ipv6_src}
+    outer_icmp6_and_payload=$(icmp6_csum_inplace 020000000000$(printf "%04x" $mtu)${inner_packet} $outer_ip6)
+    outer_packet=${outer_ip6}${outer_icmp6_and_payload}
+
+    icmp6_reply=${eth_src}${eth_dst}86dd${outer_packet}
+    echo $icmp6_reply >> br-phys_n1.expected
+
+    OVN_CHECK_PACKETS([hv1/br-phys_n1-tx.pcap], [br-phys_n1.expected])
+}
+
 wait_for_ports_up
 ovn-nbctl --wait=hv sync
 
@@ -16398,7 +16491,7 @@ for mtu in 100 500 118; do
     OVS_WAIT_FOR_OUTPUT([
         as hv1 ovs-ofctl dump-flows br-int > br-int-flows-$mtu
         AT_CAPTURE_FILE([br-int-flows-$mtu])
-        grep "check_pkt_larger($(expr $mtu + 18))" br-int-flows-$mtu | wc -l], [0], [1
+        grep "check_pkt_larger($(expr $mtu + 18))" br-int-flows-$mtu | wc -l], [0], [3
 ])
 
     AS_BOX([testing mtu $mtu - IPv4])
@@ -16408,6 +16501,23 @@ for mtu in 100 500 118; do
     test_ip6_packet_larger $mtu
 done
 
+AS_BOX([testing mtu $mtu])
+check ovn-nbctl --wait=hv set logical_router_port lr0-public options:gateway_mtu=100
+ovn-sbctl dump-flows > ext-sbflows-100
+AT_CAPTURE_FILE([ext-sbflows-$mtu])
+
+OVS_WAIT_FOR_OUTPUT([
+    as hv1 ovs-ofctl dump-flows br-int > ext-br-int-flows-100
+    AT_CAPTURE_FILE([ext-br-int-flows-100])
+    grep "check_pkt_larger(118)" ext-br-int-flows-100 | wc -l], [0], [3
+])
+
+AS_BOX([testing ext mtu 100 - IPv4])
+test_ip_packet_larger_ext 100
+
+AS_BOX([testing mtu 100 - IPv6])
+test_ip6_packet_larger_ext 100
+
 ovn-nbctl lsp-del sw0-lr0
 
 ovn-nbctl lr-del lr0
@@ -16445,7 +16555,7 @@ for mtu in 100 500 118; do
     OVS_WAIT_FOR_OUTPUT([
         as hv1 ovs-ofctl dump-flows br-int > br-int-gw-flows-$mtu
         AT_CAPTURE_FILE([br-int-gw-flows-$mtu])
-        grep "check_pkt_larger($(expr $mtu + 18))" br-int-gw-flows-$mtu | wc -l], [0], [1
+        grep "check_pkt_larger($(expr $mtu + 18))" br-int-gw-flows-$mtu | wc -l], [0], [3
 ])
 
     AS_BOX([testing gw mtu $mtu - IPv4])
@@ -16455,6 +16565,23 @@ for mtu in 100 500 118; do
     test_ip6_packet_larger $mtu
 done
 
+AS_BOX([testing gw mtu $mtu])
+check ovn-nbctl --wait=hv set logical_router_port lr1-public options:gateway_mtu=100
+ovn-sbctl dump-flows > ext-gw-sbflows-100
+AT_CAPTURE_FILE([ext-gw-sbflows-$mtu])
+
+OVS_WAIT_FOR_OUTPUT([
+    as hv1 ovs-ofctl dump-flows br-int > ext-br-int-gw-flows-100
+    AT_CAPTURE_FILE([ext-br-int-gw-flows-100])
+    grep "check_pkt_larger(118)" ext-br-int-gw-flows-100 | wc -l], [0], [3
+])
+
+AS_BOX([testing gw ext mtu 100 - IPv4])
+test_ip_packet_larger_ext 100
+
+AS_BOX([testing gw mtu 100 - IPv6])
+test_ip6_packet_larger_ext 100
+
 OVN_CLEANUP([hv1])
 AT_CLEANUP
 ])