Fix multicast allow policies to include IGMP/MLD traffic.

IGMP and MLD traffic must be allowed towards pods if multicast is allowed, otherwise, ovn-controller generated IGMP/MLD queries will be dropped. Fixes: c3def15 ("Add multicast support.") Signed-off-by: Dumitru Ceara <dceara@redhat.com>
vpickard · Mar 4, 2021 · 5657c1e · 5657c1e
1 parent 3398ca5
commit 5657c1e
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/go-controller/pkg/ovn/policy.go b/go-controller/pkg/ovn/policy.go
@@ -327,12 +327,16 @@ func getMulticastACLMatch() string {
 	return "(ip4.mcast || mldv1 || mldv2 || " + ipv6DynamicMulticastMatch + ")"
 }
 
+// Allow IGMP traffic (e.g., IGMP queries) and namespace multicast traffic
+// towards pods.
 func getMulticastACLIgrMatchV4(addrSetName string) string {
-	return "(ip4.src == $" + addrSetName + " && ip4.mcast)"
+	return "(igmp || (ip4.src == $" + addrSetName + " && ip4.mcast))"
 }
 
+// Allow MLD traffic (e.g., MLD queries) and namespace multicast traffic
+// towards pods.
 func getMulticastACLIgrMatchV6(addrSetName string) string {
-	return "(ip6.src == $" + addrSetName + " && " + ipv6DynamicMulticastMatch + ")"
+	return "(mldv1 || mldv2 || (ip6.src == $" + addrSetName + " && " + ipv6DynamicMulticastMatch + "))"
 }
 
 // Creates the match string used for ACLs allowing incoming multicast into a