From patchwork Fri Aug 9 15:35:35 2024
X-Patchwork-Submitter: Ilya Maximets
X-Patchwork-Id: 1971004
From: Ilya Maximets
To: ovs-dev@openvswitch.org
Cc: Dumitru Ceara, Ilya Maximets
Date: Fri, 9 Aug 2024 17:35:35 +0200
Message-ID: <20240809153538.3717625-1-i.maximets@ovn.org>
X-Mailer: git-send-email 2.45.2
Subject: [ovs-dev] [PATCH ovn branch-23.09] logical-fields: Add missing multicast matches for MLD and IGMP.

MLD flows are added to pipelines unconditionally in order to avoid sending such traffic through conntrack. The problem is that these matches turn into matches on ip6.dst that end up as exact matches in datapath flows. This means a separate datapath flow per destination IP address. This may cause significant performance issues in setups where traffic for many different IP addresses is passing through.

Since network protocol is stored further in the packet, it is evaluated after checking the IP addresses, and so having a match on ip.proto doesn't save us in this scenario.

MLD packets are all supposed to be multicast packets and so they all should have multicast destination ethernet addresses. Add the missing eth.mcast6 match to all such packets. This ensures that non-multicast traffic will quickly fail the OpenFlow lookup on such rules and the bits from higher layers will not be added to the match criteria in datapath flows. This also ensures that OVN doesn't handle incorrect MLD packets.

There are still ND responder flows that can add extra matches for IPv6 addresses, but they can be disabled or handled by other means.

IGMP did not check for IP address being multicast for some reason, so it didn't cause issues for IPv4 traffic. But let's fix it as well.

Tests were using incorrect multicast addresses, fixed now.

Reported-at: https://issues.redhat.com/browse/FDP-728 Reported-by: Mike Pattrick Fixes: 677a3ba4d66b ("ovn: Add MLD support.") Signed-off-by: Ilya Maximets Acked-by: Dumitru Ceara Signed-off-by: Numan Siddique (cherry picked from commit 43c34f2e6676af87e3ca80c5a16d56c73e685963) --- lib/logical-fields.c | 7 ++++--- tests/ovn.at | 23 +++++++++++++++++------ 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 20219a67a..736f279ef 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -243,7 +243,7 @@ ovn_init_symtab(struct shash *symtab) expr_symtab_add_field(symtab, "icmp4.code", MFF_ICMPV4_CODE, "icmp4", false); - expr_symtab_add_predicate(symtab, "igmp", "ip4 && ip.proto == 2"); + expr_symtab_add_predicate(symtab, "igmp", "ip4.mcast && ip.proto == 2"); expr_symtab_add_field(symtab, "ip6.src", MFF_IPV6_SRC, "ip6", false); expr_symtab_add_field(symtab, "ip6.dst", MFF_IPV6_DST, "ip6", false); @@ -317,11 +317,12 @@ ovn_init_symtab(struct shash *symtab) * (RFC 2710 and RFC 3810). */ expr_symtab_add_predicate(symtab, "mldv1", - "ip6.src == fe80::/10 && " + "eth.mcastv6 && ip6.src == fe80::/10 && " "icmp6.type == {130, 131, 132}"); /* MLDv2 packets are sent to ff02::16 (RFC 3810, 5.2.14) */ expr_symtab_add_predicate(symtab, "mldv2", - "ip6.dst == ff02::16 && icmp6.type == 143"); + "eth.mcastv6 && ip6.dst == ff02::16 && " + "icmp6.type == 143"); expr_symtab_add_predicate(symtab, "tcp", "ip.proto == 6"); expr_symtab_add_field(symtab, "tcp.src", MFF_TCP_SRC, "tcp", false); diff --git a/tests/ovn.at b/tests/ovn.at index be274d1ec..274e03734 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
@@ -5770,13 +5770,24 @@ for i in 1 2 3; do # Test ICMPv6 MLD reports (v1 and v2) and NS for DAD sip=00000000000000000000000000000000 - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 83 21 - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 8f 21 - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff0200000000000000ea2aeafffe2800 87 21 + # Multicast traffic is delivered to all ports, except for the source. + out_ports= + for j in 1 2 3; do + for k in 1 2 3; do + if test "${j}${k}" -eq "${i}3"; then + continue + else + out_ports="$out_ports ${j}${k}" + fi + done + done + test_icmpv6 ${i}3 f00000000${i}${i}3 333300160000 $sip ff020000000000000000000000160000 83 ${out_ports} + test_icmpv6 ${i}3 f00000000${i}${i}3 333300160000 $sip ff020000000000000000000000160000 8f ${out_ports} + test_icmpv6 ${i}3 f00000000${i}${i}3 3333fffe2800 $sip ff0200000000000000ea2aeafffe2800 87 ${out_ports} # Traffic to non-multicast traffic should be dropped test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip 83 # Traffic of other ICMPv6 types should be dropped - test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 80 + test_icmpv6 ${i}3 f00000000${i}${i}3 333300160000 $sip ff020000000000000000000000160000 80 # should be dropped sip=ae80000000000000ea2aeafffe2800aa @@ -14174,8 +14185,8 @@ test_mldv2() { local inport=$1 outport=$2 src_mac=$3 src_ip=$4 packet=$(fmt_pkt " - Ether(dst='ff:ff:ff:ff:ff:ff', src='${src_mac}') / - IPv6(src='${src_ip}', dst='ff02::2') / + Ether(dst='33:33:00:00:00:01', src='${src_mac}') / + IPv6(src='${src_ip}', dst='ff02::1') / ICMPv6MLQuery2() ") as hv1 ovs-appctl netdev-dummy/receive vif${inport} $packet
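Review bot: In the lib/logical-fields.c hunk at @@ -243,7 +243,7 @@, the igmp predicate becomes "ip4.mcast && ip.proto == 2", but nothing in the visible tests/ovn.at changes exercises it; both test hunks cover only ICMPv6/MLD traffic. Please add a case showing that an ip.proto == 2 packet with a non-multicast destination no longer matches igmp. It would also help to state, in the commit message or a comment, whether ip4.mcast carries an Ethernet-level multicast check, since the MLD predicates get an explicit eth.mcastv6 term and igmp does not.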
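Review bot: The mldv1 and mldv2 predicates in the lib/logical-fields.c hunk at @@ -317,11 +317,12 @@ add eth.mcastv6, while the commit message names the match eth.mcast6; one of the two should be corrected so the log agrees with the code. The comment above mldv2 still describes only the IPv6 destination (RFC 3810, 5.2.14), so a short note that eth.mcastv6 is placed first to let non-multicast traffic fail the lookup before ip6.src or ip6.dst is consulted would keep the term from being dropped later as redundant.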
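Review bot: In the tests/ovn.at hunk at @@ -5770,13 +5770,24 @@, every case with an ff02:: destination now uses a 33:33 destination MAC, so no case keeps a unicast destination MAC together with ff020000000000000000000000160000. That combination is the malformed MLD packet the commit message says OVN should stop handling, and it is the one that shows the new eth.mcastv6 term takes effect; the remaining negative case changes both the MAC (f00000000021) and the IP ($tip) at once. Consider adding one test_icmpv6 line with f00000000021 and the ff02::16 destination. Minor: the else branch after continue in the out_ports loop is redundant, and test "${j}${k}" -eq "${i}3" compares the concatenated port names as integers, where = would state the intent more directly.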
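Review bot: The test_mldv2 packet in the tests/ovn.at hunk at @@ -14174,8 +14185,8 @@ changes two addresses with no explanation in the test itself: the Ethernet destination goes from ff:ff:ff:ff:ff:ff to 33:33:00:00:00:01 and the IPv6 destination from ff02::2 to ff02::1. A one-line comment that the MAC is the 33:33 prefix followed by the low 32 bits of the IPv6 group address would make it clear why the two must change together, so a later edit to one does not silently stop the packet from matching the mld predicates.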