Hi,
On Fri, Oct 29, 2021 at 5:50 AM 鲁 成 <[email protected]> wrote:
> *Environment info:*
> OVN 21.06
> OVS 2.12.0
>
> *Reproduction:*
> 1. Create a port with neutronclient, assign it to a node and close its port
> security group
> 2. Create an ovs port and add it to br-int, and set the interface iface-id to
> the same value as the neutron port uuid
>
> After that Neutron will create an LSP in OVN NB and append unknown to the LSP's
> address field
>
> Check it in script [1]
>
> Port info:
> ()[root@ovn-tool-0 /]# ovn-nbctl find Logical_Switch_Port name=6a8064f9-f2cc-407d-b8da-345c6a216cb3
> _uuid               : 88fd1a84-8695-4cef-b916-45531edaf0db
> addresses           : ["fa:16:3e:b3:c0:e5 192.168.111.42", unknown]
> dhcpv4_options      : 1a8ca1af-519c-4aa2-b3a3-cc74955dee1f
> dhcpv6_options      : []
> dynamic_addresses   : []
> enabled             : true
> external_ids        : {"neutron:cidrs"="192.168.111.42/24", "neutron:device_id"="", "neutron:device_owner"="", "neutron:network_name"=neutron-6ac00688-422f-4a4f-99ae-b092b2d87f7b, "neutron:port_name"=lc-tap-2, "neutron:project_id"="498e2a96e4cc4edeb0c525a081dd6830", "neutron:revision_number"="4", "neutron:security_group_ids"=""}
> ha_chassis_group    : []
> name                : "6a8064f9-f2cc-407d-b8da-345c6a216cb3"
> options             : {mcast_flood_reports="true", requested-chassis=node-1.domain.tld}
> parent_name         : []
> port_security       : []
> tag                 : []
> tag_request         : []
> type                : ""
> up                  : false
>
> *Results:*
> OVN will not build ARP responder lflows for this LSP
>
>
I believe that this is the expected behavior as you disable port security,
meaning that the traffic from that port can come from any MAC address (it's
unknown to OVN). Hence, it is up to the VM/container/whatever to reply to
ARP requests and OVN should not reply on its behalf.
Hope this helps.
Thanks!
daniel
>
> *Script:*
>
> [1]:
>
> #!/usr/bin/bash
>
> # Create the Neutron port first, e.g.:
> # neutron port-create --name lucheng-tap --binding:host_id=node-3.domain.tld share_net
>
> HOST=""
> MAC=""
>
> # Look up the binding host, MAC address and fixed IPs of the Neutron port.
> get_port_info() {
>     source openrc
>     port_id="$1"
>     HOST=$(neutron port-show -F binding:host_id -f value "$port_id")
>     MAC=$(neutron port-show -F mac_address -f value "$port_id")
>     ip_info=$(neutron port-show -F fixed_ips -f value "$port_id")
>     echo Port "$port_id" Mac: "$MAC" HOST: "$HOST"
>     echo IP Info: "$ip_info"
> }
>
> # On the binding host, add an internal OVS port to br-int whose iface-id is
> # the Neutron port UUID, then move it into a fresh network namespace.
> create_ns() {
>     port_id="$1"
>     iface_name="lc-tap-${port_id:0:8}"
>     netns_name="lc-vm-${port_id:0:8}"
>     ssh "$HOST" ovs-vsctl add-port br-int "$iface_name" \
>         -- set Interface "$iface_name" type=internal \
>         -- set Interface "$iface_name" external_ids:iface-id="$port_id" \
>         -- set Interface "$iface_name" external_ids:attached-mac="$MAC" \
>         -- set Interface "$iface_name" external_ids:iface-status=active
>
>     ssh "$HOST" ip netns add "$netns_name"
>     ssh "$HOST" ip l set dev "$iface_name" address "$MAC"
>     ssh "$HOST" ip l set "$iface_name" netns "$netns_name"
>     ssh "$HOST" ip netns exec "$netns_name" ip l set lo up
>     ssh "$HOST" ip netns exec "$netns_name" ip l set "$iface_name" up
> }
>
> main() {
>     get_port_info "$1"
>     create_ns "$1"
> }
>
> main "$@"
>
> # Then remove the security groups and disable port security on the port:
> neutron port-update --no-security-groups [port uuid]
> neutron port-update --port_security_enabled=false [port uuid]
>
>
> *What I found:*
>
> When trying to build_lswitch_arp_nd_responder_known_ips in ovn northd, it
> will skip the LSP which has the unknown flag.
>
> static void
> build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
>                                          struct hmap *lflows,
>                                          struct hmap *ports,
>                                          struct ds *actions,
>                                          struct ds *match)
> {
>     ...
>     if (lsp_is_external(op->nbsp) || op->has_unknown) {
>         return;
>     }
>
> Sent from Mail for Windows <https://go.microsoft.com/fwlink/?LinkId=550986>
>
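As an added check (not part of the thread, and not OVN's or Neutron's own code), here is a small Python audit that parses `ovn-nbctl find Logical_Switch_Port` output in the form quoted above and reports, per LSP, whether northd will install ARP/ND responder flows for it. It applies the two skip conditions visible in the build_lswitch_arp_nd_responder_known_ips excerpt (type "external", or "unknown" among the addresses) and also reports whether port_security is empty, since such a port carries no source MAC/IP filtering. The sample output embedded in it is constructed: the first record mirrors the port from the thread, the second is a hypothetical port with port security set.

```python
import re
from typing import Dict, List

# Constructed sample in the style of `ovn-nbctl find Logical_Switch_Port` output.
# Record 1 mirrors the port from the thread (addresses contain "unknown",
# port_security empty); record 2 is a hypothetical port with port security set.
SAMPLE_NBCTL_OUTPUT = """\
_uuid               : 88fd1a84-8695-4cef-b916-45531edaf0db
addresses           : ["fa:16:3e:b3:c0:e5 192.168.111.42", unknown]
enabled             : true
name                : "6a8064f9-f2cc-407d-b8da-345c6a216cb3"
port_security       : []
type                : ""

_uuid               : 00000000-0000-4000-8000-000000000001
addresses           : ["fa:16:3e:00:00:01 10.0.0.5"]
enabled             : true
name                : "port-with-port-security"
port_security       : ["fa:16:3e:00:00:01 10.0.0.5"]
type                : ""
"""

# A set element is either a double-quoted string or a bare atom.
_TOKEN = re.compile(r'"[^"]*"|[^,\s\[\]]+')


def _unquote(value: str) -> str:
    """Strip the double quotes OVSDB prints around strings that need them."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_set(value: str) -> List[str]:
    """Parse an OVSDB set column as printed by ovn-nbctl.

    Multi-valued columns are printed as [a, b] (or [] when empty); a column
    limited to one value is printed bare. Strings only get quotes when they
    contain characters such as spaces, which is why "unknown" appears
    unquoted next to the quoted "mac ip" entries.
    """
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return [_unquote(t) for t in _TOKEN.findall(value[1:-1])]
    return [_unquote(value)] if value else []


def parse_nbctl_records(text: str) -> List[Dict[str, str]]:
    """Split `ovn-nbctl find` output into one {column: raw value} dict per record.

    Records are separated by blank lines; each line is `column : value`.
    """
    records: List[Dict[str, str]] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        record: Dict[str, str] = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
        if record:
            records.append(record)
    return records


def audit_lsps(text: str) -> List[Dict[str, object]]:
    """Report, per LSP, whether northd will install ARP/ND responder flows.

    Mirrors the two conditions in build_lswitch_arp_nd_responder_known_ips
    quoted in the thread: the port is skipped when its type is "external" or
    when "unknown" is among its addresses. An empty port_security column is
    reported as well, since that port has no source MAC/IP filtering.
    """
    report: List[Dict[str, object]] = []
    for rec in parse_nbctl_records(text):
        addresses = parse_set(rec.get("addresses", "[]"))
        port_security = parse_set(rec.get("port_security", "[]"))
        has_unknown = "unknown" in addresses
        is_external = _unquote(rec.get("type", '""')) == "external"
        report.append({
            "name": _unquote(rec.get("name", "")),
            "addresses": addresses,
            "has_unknown": has_unknown,
            "port_security_enabled": bool(port_security),
            "arp_responder": not (is_external or has_unknown),
        })
    return report


if __name__ == "__main__":
    for entry in audit_lsps(SAMPLE_NBCTL_OUTPUT):
        print(f'{entry["name"]}: arp_responder={entry["arp_responder"]} '
              f'has_unknown={entry["has_unknown"]} '
              f'port_security_enabled={entry["port_security_enabled"]}')
```

On a live deployment the same functions can be fed the output of `ovn-nbctl find Logical_Switch_Port` directly; ports that show up with `arp_responder=False` and `port_security_enabled=False` are the ones where, as the reply above explains, OVN leaves ARP replies to the workload and accepts traffic from any source MAC.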
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss