From patchwork Sun Jun 27 12:42:13 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Brendan Doyle <brendan.doyle@oracle.com>
X-Patchwork-Id: 1497698
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org
 (client-ip=140.211.166.138; helo=smtp1.osuosl.org;
 envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=oracle.com header.i=@oracle.com header.a=rsa-sha256
 header.s=corp-2020-01-29 header.b=F3cyLKbO;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=oracle.onmicrosoft.com header.i=@oracle.onmicrosoft.com
 header.a=rsa-sha256 header.s=selector2-oracle-onmicrosoft-com
 header.b=qA27kRDo;
	dkim-atps=neutral
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4GCVkd3ZdJz9sRR
	for <incoming@patchwork.ozlabs.org>; Sun, 27 Jun 2021 22:42:32 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by smtp1.osuosl.org (Postfix) with ESMTP id 271E781AAD;
	Sun, 27 Jun 2021 12:42:30 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp1.osuosl.org ([127.0.0.1])
	by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id SOEPhbZn40ep; Sun, 27 Jun 2021 12:42:29 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
	by smtp1.osuosl.org (Postfix) with ESMTPS id 2C21581AC4;
	Sun, 27 Jun 2021 12:42:28 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id E1305C0010;
	Sun, 27 Jun 2021 12:42:27 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id AB4BEC000E
 for <dev@openvswitch.org>; Sun, 27 Jun 2021 12:42:26 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id 81E304031C
 for <dev@openvswitch.org>; Sun, 27 Jun 2021 12:42:26 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Authentication-Results: smtp4.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=oracle.com header.b="F3cyLKbO";
 dkim=pass (1024-bit key) header.d=oracle.onmicrosoft.com
 header.b="qA27kRDo"
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id QTZm4eVYaEC8 for <dev@openvswitch.org>;
 Sun, 27 Jun 2021 12:42:24 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com
 [205.220.177.32])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 3376E4030C
 for <dev@openvswitch.org>; Sun, 27 Jun 2021 12:42:24 +0000 (UTC)
Received: from pps.filterd (m0246631.ppops.net [127.0.0.1])
 by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 15RCgJdD012788
 for <dev@openvswitch.org>; Sun, 27 Jun 2021 12:42:23 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
 h=to : from : subject :
 message-id : date : content-type : mime-version; s=corp-2020-01-29;
 bh=bH8sPElzeRDcN6+P8b9I0rDXI5UFay4HxrACNfhKEDs=;
 b=F3cyLKbOAzs0IMxGIn5b+nQDRVsZzn1fcpechZdmXRjJzOiYOYx7Wme3B1RpcXpcOBUW
 QD8monJPdl2HXnExP71AuJfQvzLy9cYnnjWMe0blimIlAQRokfGDExbklfieiIQWEqIo
 F1VKK71AtpKYhmQcq16J3RIwgdzq+f1vlLd20ylQYNJqyBi68ME77/6kI4OQwEZGrgn6
 qGFMPb/1dCgD1WYccN+uM53/kmWu8jpfSYJ4oy00e+oXad2+FkBTkc10FbAhfn3gfNwb
 lPuAdzy02q0xF1RLQwUgYSG7aI6JlDwSW/opiOGoBbeP9tPvwMBz2bzcS+OiTOSEvwzl GQ==
Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70])
 by mx0b-00069f02.pphosted.com with ESMTP id 39du10sfhj-1
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
 for <dev@openvswitch.org>; Sun, 27 Jun 2021 12:42:22 +0000
Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1])
 by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 15RCdhx9041691
 for <dev@openvswitch.org>; Sun, 27 Jun 2021 12:42:22 GMT
Received: from nam10-mw2-obe.outbound.protection.outlook.com
 (mail-mw2nam10lp2108.outbound.protection.outlook.com [104.47.55.108])
 by aserp3020.oracle.com with ESMTP id 39dv225peh-1
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
 for <dev@openvswitch.org>; Sun, 27 Jun 2021 12:42:21 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Sj+bpl8gmLsTtgciSi5CUdgMQrW8w+wZEHSO7GId2Yq5LBglFDnTdQQbpcgdo5zmmJDAoc88JF/LVuuzXxYg6wb56aAN9MIyDLk+iWTtoYHxxxAcX1xHFzXb0zRJXw4AUVLNdX1GljQ2UFoneM6RvaphQXQwx3oGypHD+6BcX53nH8AUjn8JmSWFIBpDh5PCyxeuW/m7OtNZfpGRqwGp6tespI+7f/OyEBjTFKAljQk/h3ff8t4fVo3m59ceU1IKkateuV59DGtPdU0iFw0eYtm4lbeNuaebfhb/vq4z0ORjhCqjOpFTerc01xFFeVJnCnxw++ymAu7CTvzkroWL6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=bH8sPElzeRDcN6+P8b9I0rDXI5UFay4HxrACNfhKEDs=;
 b=EDmJsbDnyKkZGYpJPDmEVIglbi9Rpfl9ni1+vIdowaByf02MBVUz3inrjIzWbZZSqf+Ac5HQB8aFIC8gDe6lCjOsbCg2zhUg//Ke1xEreYdiGSvrxDiVmK0MSBHIDmMt1GlGyUAbcoje5peurnvT/vIVVU0c/O1/bLT1TMJ8T8na6IBsuW25nI7Ib4aYwYV6KsVnv+Y4YJbJcbVFMPANEJT4yQDiUp/UNZPMJwJforv8uEa8N5JyQEvlm+lAJ9DgcBlgTmjM+KAWDjnWA74SjbEapBs+7mm5F6SvBmImUjHbKwyolbfN3zPp/I2h3nEfNE8EVkXy0zSezsvMIaFyNg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com;
 dkim=pass header.d=oracle.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=bH8sPElzeRDcN6+P8b9I0rDXI5UFay4HxrACNfhKEDs=;
 b=qA27kRDoZ0dBAnbI8AhxcKi8nJIqtZT9sF2xjQayCN8GaLHVlc2D+DUy30urDLYSBVdak5UsNV5OCN5KhOwkCuq8Sv8CrB5kub5reaBIFOaRQ8gW3oJDUPfofyw9dbnAB3wRE6CtfeTrdn26/FVx3BGYBTkM5g3Lr1Nl1/asygc=
Authentication-Results: openvswitch.org; dkim=none (message not signed)
 header.d=none; openvswitch.org;
 dmarc=none action=none header.from=oracle.com;
Received: from DM8PR10MB5478.namprd10.prod.outlook.com (2603:10b6:8:33::6) by
 DS7PR10MB4989.namprd10.prod.outlook.com (2603:10b6:5:3a9::21) with
 Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4264.18; Sun, 27 Jun 2021 12:42:19 +0000
Received: from DM8PR10MB5478.namprd10.prod.outlook.com
 ([fe80::dd98:54a4:3d55:c38c]) by DM8PR10MB5478.namprd10.prod.outlook.com
 ([fe80::dd98:54a4:3d55:c38c%9]) with mapi id 15.20.4264.026; Sun, 27 Jun 2021
 12:42:19 +0000
To: dev@openvswitch.org
From: Brendan Doyle <brendan.doyle@oracle.com>
Organization: Oracle Corporation
Message-ID: <9d24b588-9527-f7bc-7e39-b9f9d31954f6@oracle.com>
Date: Sun, 27 Jun 2021 13:42:13 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
Content-Language: en-US
X-Originating-IP: [138.3.204.10]
X-ClientProxiedBy: LO3P123CA0007.GBRP123.PROD.OUTLOOK.COM
 (2603:10a6:600:ba::12) To DM8PR10MB5478.namprd10.prod.outlook.com
 (2603:10b6:8:33::6)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.175.80.138] (138.3.204.10) by
 LO3P123CA0007.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:ba::12) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4264.18 via Frontend Transport; Sun, 27 Jun 2021 12:42:18 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: c5d9230d-4c8a-489c-d114-08d939690087
X-MS-TrafficTypeDiagnostic: DS7PR10MB4989:
X-Microsoft-Antispam-PRVS: 
 <DS7PR10MB498979B9C7261DB76DA8181B86049@DS7PR10MB4989.namprd10.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:1247;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
 fILbtaBrRn2OhHFqsMJUMvb8h/K9H5ZH3OOJe23T6Nqbcl5yArSREwIbUXYzmLz1wUdIU8ZxKyBzs22vI4qT/BoF3GH3aCs4cSGNR25kllIBLKFXXPY3J4DFGX+yyQ9XT5PnRANFvjSzu+7C9fxL8hH6N+I6mfTCT8+XeEi59xwT2bVATONE1gYuzmCAColI/SpfeiUbU6jIF6MyTfzE/IcOoy/2FCD8anFEzre7NtzJcU2VAAcErNRTep9IF8ZF4WmYNSKRNkBamYScsgKp1wMYAEIcZ47liDf16E50UKoZU833YkzMNrK1go0Ec//kIER19yHmXnVsmmMonC0Par8ZJof28hjnF/Wp6dxKpelsP8GxxDFbGLY5xr2c+Ibl+rWBmu6N5xaOHdG4aDU30HqmXwiDp4CwaykzC3tGF+o7X5ZMy8whX/DILne2vGPzY7YzwxMcec8xjgMPechOHt4U1Ga7ef3F5J9p0jZRSHQ2Y/XJuDx1Z2nd+hV2in7hKmeHh5cmbBByWzJvOMoqJ9LvI+3C7K2XRen2cFygUxiLKfQyCqILdwzZ1TKRFZ7b/JeYg/YhHCrI8AYUlJcn1HP/g4bLSb13C/yQtZEiK+8s3+rqk52qqAfw48tzNNizy8cUkTiEMBNbahA583nwSt1V7wE44vFUa4c1XS30u9YGoo2MFMb4xEHoHvCMm/TQT/H1vtPXIIB2rQmp72F58LYDdGZHXHPSGBujlc7KGLY=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
 IPV:NLI; SFV:NSPM; H:DM8PR10MB5478.namprd10.prod.outlook.com; PTR:; CAT:NONE;
 SFS:(366004)(136003)(396003)(376002)(346002)(39860400002)(86362001)(2616005)(956004)(5660300002)(31696002)(66476007)(316002)(6486002)(30864003)(31686004)(16576012)(66556008)(66946007)(33964004)(16526019)(6666004)(8676002)(8936002)(36756003)(478600001)(66574015)(83380400001)(53546011)(6916009)(26005)(36916002)(44832011)(186003)(38100700002)(2906002)(43740500002)(45980500001);
 DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?4IoqHvx9fJh85Cc+4DBb4qJ25fja?=
	=?utf-8?q?1ibYE4zghbPtL2nZjdo4+eChg+bBHKBH0I7lhLPAW0WhcUVHwleMRDyZwBf8iiJAs?=
	=?utf-8?q?2VctAJz4Tf8AtVlSM/s6z5PpoZUrO5wLDcP4qeNfOV+Qg3Xc8D29ShnHe6VUuyHZC?=
	=?utf-8?q?Wi+4btXkEa4h8QG/ufU820Bt51HI7NjEEFo0Pg0MYSxHdctfyz6zxFblD+oBNwIq+?=
	=?utf-8?q?MuYxlIjxOWOPn4eP3rnn2ZoYNRnrh9EvwVATazKuB/9SzeIOljwzrUotaO5F2ARNy?=
	=?utf-8?q?TAI95T2Rn5DFc3ehBkkvAWZZQww4B2wlXL+QirrVVCBOXz82rGcRbWy4dvccDPjwn?=
	=?utf-8?q?hFH3uPTNDtOldEcKiq1wvXdMz4LS/1pli4OqbVdT3WY7Qt+Q2AXFq4lPQhnrY0MiT?=
	=?utf-8?q?DhW0G0oUpMZFoftYFmVnoKMA/PY5pSh494ww60j/Ty+5xgfMIA87KkntBtAD9T6qw?=
	=?utf-8?q?IsUbC9wzI5CJVWcvfFzSmxfv6w/XoqA9bAkDByljdfkgkwJpxvAHiZzhrc9qTuwhR?=
	=?utf-8?q?nktxu6E8yQseZp3IHWerU4lfsxGykXNgv5Jx08OGwifl8OH2whZznxYhp6rYdfGGI?=
	=?utf-8?q?5C7N73k6slduy3FV1uxZaygSEgP2fdF8pHErZFobxCow6rKTLU4wwJot6rc+SNHtq?=
	=?utf-8?q?W3h9ilVTN171o3VnNEzxC8m0tbTeh8Za+U3TlAJfcM6oqCsaTw5U3NwzAu5c89Jy1?=
	=?utf-8?q?f3PzCGS9tu5T1+pE7faHm0y0bH1Uq81cnYKLEQmoKnis0myYQN42LsR7FXwEpiTyi?=
	=?utf-8?q?C1+pJnM2AMQdEr2ePhOx09xYDW87qsrsZRdiDPyMerD4sITUPtErmLOK0pa5DUIv6?=
	=?utf-8?q?sWQuVlUT0NQbvMYP+31yf1GFCXBGLC0EUHuztxdhVEVOIvNCTB8fEvHR4bSSI6EmN?=
	=?utf-8?q?q1jkKY36Dr2NqgcixBZD9iNyqC9nOJmq8r/RQONKT3+g/eV/F9yDITKVxKbFzcmPy?=
	=?utf-8?q?myqQ1fp83Wm2s6xSQnDOMCs5Dn3K6UVgVfVr+4uMgDW+j2NOAZu6eEvUZx4xbxCGh?=
	=?utf-8?q?o/IvYmElLiwsYEa0+tywj6FbPzgfaSLkNNcHvDFaZyFNA66LmmfuSmbRKJSJ4e0Hc?=
	=?utf-8?q?HvEVIGOv7o+zrV4K+sAe8DxD5QgHAW2xUpHQQhJRv1u9h1sKhmdop0lN81uxPKqE3?=
	=?utf-8?q?J+R/QeZQzmzBMLhL8xlWzLjp8pQaD3WIR0EzaqRc8aX+prm0DyykjjbWDEBiyAdge?=
	=?utf-8?q?iikik+CLlIHFjs1sa/nLT/oSave/m9DUts8LjRAnJKjKYFfYLhj4Vm6WIZ4iJTxCI?=
	=?utf-8?q?ATJC29Ki5vIjcOzc?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 c5d9230d-4c8a-489c-d114-08d939690087
X-MS-Exchange-CrossTenant-AuthSource: DM8PR10MB5478.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Jun 2021 12:42:19.5733 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 8YBmscni293pKXxAl8+Lc7rAT4KA6shzj+KmLKZVi/wKhTnTTJrGgQlCSFk/qgM70NmJxiybOi/E2qGILLuLoCQq4B+WSa/vwLyZZO+d0Uc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7PR10MB4989
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=10027
 signatures=668682
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0
 spamscore=0 adultscore=0
 malwarescore=0 mlxlogscore=999 suspectscore=0 phishscore=0 mlxscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000
 definitions=main-2106270092
X-Proofpoint-GUID: 0dPm00vi-6S8ylessoW7ms6FTMiXecdY
X-Proofpoint-ORIG-GUID: 0dPm00vi-6S8ylessoW7ms6FTMiXecdY
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: [ovs-dev] [PATCH ovn v4] ovn-northd.c: Add proxy ARP support to OVN
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

From 7a38fff6ce6ee17767b426c7cf84e1b07eda5552 Mon Sep 17 00:00:00 2001
From: Brendan Doyle <brendan.doyle@oracle.com>
Date: Sun, 27 Jun 2021 05:36:40 -0700
Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN

This patch provides the ability to configure proxy ARP IPs on a Logical
Switch Router port. The IPs are added as Options for router ports. This
provides a useful feature where traffic for a service must be sent to an
address in a logical network address space, but the service is provided
in a different network. For example an NFS service is provide to Logical
networks at an address in their Logical network space, but the NFS
server resides in a physical network. A Logical switch Router port can
be configured to respond to ARP requests sent to the service "Logical
address", the Logical Router/Gateway can then be configured to forward
the traffic to the underlay/physical network.

Signed-off-by: Brendan Doyle <brendan.doyle@oracle.com>
---
  northd/ovn-northd.c |  48 ++++++++++++++++++++++++
  ovn-nb.xml          |   9 +++++
  tests/ovn.at        | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++
  3 files changed, 160 insertions(+)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index fcd6167..258b5db 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -6969,6 +6969,8 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
                                           struct ds *match)
  {
      if (op->nbsp) {
+        const char *arp_proxy;
+
          if (!strcmp(op->nbsp->type, "virtual")) {
              /* Handle
               *  - GARPs for virtual ip which belongs to a logical port
@@ -7126,6 +7128,52 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
                  }
              }
          }
+
+        /*
+         * Add responses for ARP proxies.
+         */
+        arp_proxy = smap_get(&op->nbsp->options,"arp_proxy");
+
+        if (arp_proxy && op->peer) {
+            struct lport_addresses proxy_arp_addrs;
+            int i = 0;
+
+            if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) {
+                /*
+                 * Match rule on all proxy ARP IPs.
+                 */
+                ds_clear(match);
+                ds_put_cstr(match, "arp.op == 1 && (");
+
+                for (i = 0; i < proxy_arp_addrs.n_ipv4_addrs; i++) {
+                    if (i > 0) {
+                        ds_put_cstr(match, " || ");
+                    }
+                    ds_put_format(match, "arp.tpa == %s",
+                        proxy_arp_addrs.ipv4_addrs[i].addr_s);
+                }
+
+                ds_put_cstr(match, ")");
+                destroy_lport_addresses(&proxy_arp_addrs);
+
+                ds_clear(actions);
+                ds_put_format(actions,
+                    "eth.dst = eth.src; "
+                    "eth.src = %s; "
+                    "arp.op = 2; /* ARP reply */ "
+                    "arp.tha = arp.sha; "
+                    "arp.sha = %s; "
+                    "arp.tpa <-> arp.spa; "
+                    "outport = inport; "
+                    "flags.loopback = 1; "
+                    "output;",
+                    op->peer->lrp_networks.ea_s,
+                    op->peer->lrp_networks.ea_s);
+
+                ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP,
+                    50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_);
+            }
+        }
      }
  }
  
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 406bc85..077a2d8 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -848,6 +848,15 @@
              </dd>
            </dl>
          </column>
+
+        <column name="options" key="arp_proxy">
+          Optional. A list IPv4 addresses that this
+          logical switch <code>router</code> port will reply to ARP requests.
+          Example: <code>169.254.239.254 169.254.239.2</code>. The
+          <ref column="options" key="router-port"/>'s logical router should
+          have a route to forward packets sent to configured proxy ARP IPs to
+          an appropriate destination.
+        </column>
        </group>
  
        <group title="Options for localnet ports">
diff --git a/tests/ovn.at b/tests/ovn.at
index 5926350..1e0065d 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -26899,3 +26899,106 @@ AT_CHECK([ovs-ofctl dump-flows br-int "nw_src=10.0.0.0/24" | \
  OVN_CLEANUP([hv1])
  AT_CLEANUP
  ])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR])
+AT_KEYWORDS([proxy-arp])
+ovn_start
+
+# Logical network:
+# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it,
+# and and one HV with IP 192.16.1.6.
+
+ovn-nbctl lr-add lr1
+ovn-nbctl ls-add ls1
+
+# Connect ls1 to lr1
+ovn-nbctl lrp-add lr1 ls1 00:00:00:01:02:f1 192.16.1.1/24
+ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 \
+    type=router options:router-port=ls1 addresses=\"00:00:00:01:02:f1\"
+
+# Create logical port ls1-lp1 in ls1
+ovn-nbctl lsp-add ls1 ls1-lp1 \
+-- lsp-set-addresses ls1-lp1 "00:00:00:01:02:03 192.16.1.6"
+
+
+# Create one hypervisor and create OVS ports corresponding to logical ports.
+net_add n1
+
+sim_add pa-hv
+as pa-hv
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.16.0.1
+
+# Note: tx/rx are with respect to the LS port, so
+# tx on switch port is HV rx, etc.
+ovs-vsctl -- add-port br-int vif1 -- \
+    set interface vif1 external-ids:iface-id=ls1-lp1 \
+    options:tx_pcap=pa-hv/vif1-tx.pcap \
+    options:rxq_pcap=pa-hv/vif1-rx.pcap \
+    ofport-request=1
+
+# And proxy ARP flows for 69.254.239.254 and 169.254.239.2
+# and check that SB flows have been added.
+ovn-nbctl --wait=hv add Logical_Switch_Port rp-ls1 \
+options arp_proxy='"169.254.239.254 169.254.239.2"'
+ovn-sbctl dump-flows > sbflows
+AT_CAPTURE_FILE([sbflows])
+
+AT_CHECK([ovn-sbctl dump-flows | grep ls_in_arp_rsp | grep "169.254.239.2" | wc -l], [0], [dnl
+1
+])
+
+# Remove and check that the flows have been removed
+ovn-nbctl --wait=hv remove Logical_Switch_Port rp-ls1 options arp_proxy='"169.254.239.254 169.254.239.2"'
+
+AT_CHECK([ovn-sbctl dump-flows | grep ls_in_arp_rsp | grep "169.254.239.2" | wc -l], [0], [dnl
+0
+])
+
+# Add the flows back send arp request and check we see an ARP response
+ovn-nbctl --wait=hv add Logical_Switch_Port rp-ls1 \
+options arp_proxy='"169.254.239.254 169.254.239.2"'
+
+ls1_p1_mac=00:00:00:01:02:03
+ls1_p1_ip=192.16.1.6
+
+ls1_ro_mac=00:00:00:01:02:f1
+ls1_ro_ip=192.168.1.1
+
+proxy_ip1=169.254.239.254
+proxy_ip2=169.254.239.2
+
+bcast_mac=ff:ff:ff:ff:ff:ff
+
+# Send ARP request for 169.254.239.254
+packet="inport==\"ls1-lp1\" && eth.src==$ls1_p1_mac && eth.dst==$bcast_mac &&
+       arp.op==1 && arp.sha==$ls1_p1_mac && arp.spa==$ls1_p1_ip &&
+       arp.tha==$bcast_mac && arp.tpa==$proxy_ip1"
+
+as pa-hv ovs-appctl -t ovn-controller inject-pkt "$packet"
+
+ovs-ofctl dump-flows br-int| grep 169.254.239.254 | grep priority=50 > debug1
+AT_CAPTURE_FILE([debug1])
+
+
+# Check if packet hit the ARP reply ovs flow
+AT_CHECK([ovs-ofctl dump-flows br-int | \
+    grep "169.254.239.254" | \
+    grep "priority=50" | \
+    grep "arp_op=1" | \
+    grep "n_packets=1" | wc -l], [0], [dnl
+1
+])
+
+# Check that the HV gets an ARP reply
+expected="eth.src==$ls1_ro_mac && eth.dst==$ls1_p1_mac &&
+       arp.op==2 && arp.sha==$ls1_ro_mac && arp.spa==$proxy_ip1 &&
+       arp.tha==$ls1_p1_mac && arp.tpa==$ls1_p1_ip"
+echo $expected | ovstest test-ovn expr-to-packets > expected
+
+OVN_CHECK_PACKETS([pa-hv/vif1-tx.pcap], [expected])
+
+OVN_CLEANUP([pa-hv])
+AT_CLEANUP
+])