logical-fields: Fix ip6.dst matches caused by multicast flows.

ND NS and MLD flows are added to pipelines unconditionally in order to avoid sending such traffic through conntrack or implement ND responder flows. The problem is that these matches turn into matches on ip6.dst that end up as exact matches in datapath flows in the kernel. This means a separate datapath flow per destination IP address. This may cause significant performance issues in setups where traffic for many different IP addresses is passing through. Since network protocol is stored further in the packet, it is evaluated after checking the IP addresses, and so having a match on ip.proto doesn't save us in this scenario. ND NS and MLD packets are all supposed to be multicast packets and so they all should have multicast destination ethernet addresses. Add the missing eth.mcast6 match to all such packets. This ensures that all the non-multicast traffic will quickly fail the OpenFlow lookup on such rules and the bits from higher layers will not be added to the match criteria in datapath flows. IGMP did not check for IP address being multicast for some reason, so it didn't cause issues for IPv4 traffic. But let's fix it as well. ARP is not an IP protocol, so there is no need to fix ARP responders. Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
igsilya · Aug 6, 2024 · 06452b7 · 06452b7
1 parent cd7729d
commit 06452b7
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/lib/logical-fields.c b/lib/logical-fields.c
@@ -221,7 +221,7 @@ ovn_init_symtab(struct shash *symtab)
     expr_symtab_add_field(symtab, "icmp4.code", MFF_ICMPV4_CODE, "icmp4",
               false);
 
-    expr_symtab_add_predicate(symtab, "igmp", "ip4 && ip.proto == 2");
+    expr_symtab_add_predicate(symtab, "igmp", "ip4.mcast && ip.proto == 2");
 
     expr_symtab_add_field(symtab, "ip6.src", MFF_IPV6_SRC, "ip6", false);
     expr_symtab_add_field(symtab, "ip6.dst", MFF_IPV6_DST, "ip6", false);
@@ -280,6 +280,7 @@ ovn_init_symtab(struct shash *symtab)
     expr_symtab_add_predicate(symtab, "nd",
               "icmp6.type == {135, 136} && icmp6.code == 0 && ip.ttl == 255");
     expr_symtab_add_predicate(symtab, "nd_ns",
+              "eth.mcastv6 && "
               "icmp6.type == 135 && icmp6.code == 0 && ip.ttl == 255");
     expr_symtab_add_predicate(symtab, "nd_na",
               "icmp6.type == 136 && icmp6.code == 0 && ip.ttl == 255");
@@ -295,11 +296,12 @@ ovn_init_symtab(struct shash *symtab)
      * (RFC 2710 and RFC 3810).
      */
     expr_symtab_add_predicate(symtab, "mldv1",
-                              "ip6.src == fe80::/10 && "
+                              "eth.mcastv6 && ip6.src == fe80::/10 && "
                               "icmp6.type == {130, 131, 132}");
     /* MLDv2 packets are sent to ff02::16 (RFC 3810, 5.2.14) */
     expr_symtab_add_predicate(symtab, "mldv2",
-                              "ip6.dst == ff02::16 && icmp6.type == 143");
+                              "eth.mcastv6 && ip6.dst == ff02::16 && "
+                              "icmp6.type == 143");
 
     expr_symtab_add_predicate(symtab, "tcp", "ip.proto == 6");
     expr_symtab_add_field(symtab, "tcp.src", MFF_TCP_SRC, "tcp", false);