northd: Fix the routing for external logical ports of bridged logical…

… switches. Routing for external logical ports is broken if these ports belonged to bridged logical switches (with localnet port) and 'ovn-chassis-mac-mappings' is configured. External logical ports are those which are external to OVN, but there is a logical port for it and it is claimed by one of the HA chassis. The claimed chassis provides routing and other native OVN serices like dhcp and dns. When the external port sends ARP request for the router IP, the claimed chassis replies for the ARP request, but the arp.sha is set to the actual router mac instead of the chassis mac. This causes the traffic from external port VM/container to be handled incorrectly. A ping to the router ip, is replied by all the chassis which can see this packet instead of just the claimed HA chassis. This patch fixes this issue by adding a logical flow to drop any packet from the external ports destined to the router port mac on all the chassis except the claimed chassis. Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1829762 Reported-by: Daniel Alvarez <dalvarez@redhat.com> Suggested-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Numan Siddique <numans@ovn.org> Signed-off-by: 0-day Robot <robot@bytheb.org>
ovsrobot · Aug 19, 2020 · de57265 · de57265
1 parent e2aa124
commit de57265
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
@@ -1161,6 +1161,17 @@ output;
           which has claimed these external ports. All the other chassis,
           drops these packets.
         </p>
+
+        <p>
+          A priority-100 flow is added for each <code>external</code> logical
+          port which doesn't reside on a chassis to drop any packet destined
+          to the router mac - with the match
+          <code>inport == <var>external</var> &amp;&amp;
+          eth.src == <var>E</var> &amp;&amp; eth.dst == <var>R</var>
+          &amp;&amp; !is_chassis_resident("<var>external</var>")</code>
+          where <var>E</var> is the external port mac and <var>R</var> is the
+          router port mac.
+        </p>
       </li>
 
       <li>

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
@@ -6577,6 +6577,19 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op,
                                             ds_cstr(&match), "drop;",
                                             &op->nbsp->header_);
                 }
+
+                ds_clear(&match);
+                ds_put_format(
+                    &match, "inport == %s && eth.src == %s"
+                    " && eth.dst == %s"
+                    " && !is_chassis_resident(%s)",
+                    port->json_key,
+                    op->lsp_addrs[i].ea_s, rp->lsp_addrs[k].ea_s,
+                    op->json_key);
+                ovn_lflow_add_with_hint(lflows, op->od,
+                                        S_SWITCH_IN_EXTERNAL_PORT,
+                                        100, ds_cstr(&match), "drop;",
+                                        &op->nbsp->header_);
             }
         }
     }

diff --git a/tests/ovn.at b/tests/ovn.at
@@ -14870,6 +14870,13 @@ OVS_WAIT_UNTIL(
 logical_port=ls1-lp_ext1`
     test "$chassis" = "$hv1_uuid"])
 
+# There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined
+# to router mac.
+AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \
+table=26,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \
+grep -c "actions=drop"], [0], [1
+])
+
 # Stop ovn-controllers on hv1 and hv3.
 as hv1 ovn-appctl -t ovn-controller exit
 as hv3 ovn-appctl -t ovn-controller exit