OVN: add ICMPv6 time exceeded support to OVN logical router

Using icmp6 action, send an ICMPv6 time exceeded frame whenever an OVN logical router receives an IPv6 packets whose TTL has expired (ip.ttl == {0, 1}) Signed-off-by: Lorenzo Bianconi <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
jotak · Jul 5, 2018 · 23626bc · 23626bc
1 parent a02f9a6
commit 23626bc
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
@@ -1383,7 +1383,8 @@ nd_na {
           address is <var>A</var>, a priority-40 flow with match <code>inport
           == <var>P</var> &amp;&amp; ip.ttl == {0, 1} &amp;&amp;
           !ip.later_frag</code> matches packets whose TTL has expired, with the
-          following actions to send an ICMP time exceeded reply:
+          following actions to send an ICMP time exceeded reply for IPv4 and
+          IPv6 respectively:
         </p>
 
         <pre>
@@ -1395,6 +1396,15 @@ icmp4 {
     ip.ttl = 255;
     next;
 };
+
+icmp6 {
+    icmp6.type = 3; /* Time exceeded. */
+    icmp6.code = 0;  /* TTL exceeded in transit. */
+    ip6.dst = ip6.src;
+    ip6.src = <var>A</var>;
+    ip.ttl = 255;
+    next;
+};
         </pre>
       </li>
 

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
@@ -5340,6 +5340,37 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
                           ds_cstr(&match), action);
             }
         }
+
+        /* ICMPv6 time exceeded */
+        for (int i = 0; i < op->lrp_networks.n_ipv6_addrs; i++) {
+            /* skip link-local address */
+            if (in6_is_lla(&op->lrp_networks.ipv6_addrs[i].network)) {
+                continue;
+            }
+
+            ds_clear(&match);
+            ds_clear(&actions);
+
+            ds_put_format(&match,
+                          "inport == %s && ip6 && "
+                          "ip6.src == %s/%d && "
+                          "ip.ttl == {0, 1} && !ip.later_frag",
+                          op->json_key,
+                          op->lrp_networks.ipv6_addrs[i].network_s,
+                          op->lrp_networks.ipv6_addrs[i].plen);
+            ds_put_format(&actions,
+                          "icmp6 {"
+                          "eth.dst <-> eth.src; "
+                          "ip6.dst = ip6.src; "
+                          "ip6.src = %s; "
+                          "ip.ttl = 255; "
+                          "icmp6.type = 3; /* Time exceeded */ "
+                          "icmp6.code = 0; /* TTL exceeded in transit */ "
+                          "next; };",
+                          op->lrp_networks.ipv6_addrs[i].addr_s);
+            ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 40,
+                          ds_cstr(&match), ds_cstr(&actions));
+        }
     }
 
     /* NAT, Defrag and load balancing. */