Description of problem: OVN supports FDB learning on localnet ports since https://github.com/ovn-org/ovn/commit/93514df0d4c8fe7986dc5f287d7011f420d1be6d If this is enabled it may lead to an unbounded ("very large" to be more precise) number of FDB entries to be learnt on the localnet port (usually connected to an external network). We probably need a mechanism in place to protect OVN against that. A potential idea is to implement FDB aging (similar to MAC binding - ARP - aging that's available since https://github.com/ovn-org/ovn/commit/1a947dd3073628d2f2655f46ee7d3db62ed15b55).
For reference, bug for MAC_Binding entries aging: https://bugzilla.redhat.com/show_bug.cgi?id=2084668
Patches posted u/s: https://patchwork.ozlabs.org/project/ovn/list/?series=355569
ovn23.09 fast-datapath-rhel-9 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2224401
*** Bug 2224401 has been marked as a duplicate of this bug. ***
Verified On:

[root@hp-dl388g10-01 bz_2179942]# rpm -qa | grep -E 'ovn|openvswitch'
openvswitch-selinux-extra-policy-1.0-34.el9fdp.noarch
openvswitch2.17-2.17.0-125.el9fdp.x86_64
ovn23.09-23.09.0-87.el9fdp.x86_64
ovn23.09-host-23.09.0-87.el9fdp.x86_64
ovn23.09-central-23.09.0-87.el9fdp.x86_64

Here is the reproducer:

################ HV1 ####################
systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
systemctl start openvswitch
ovs-vsctl set open . external_ids:system-id=hv1
ifconfig ens1f0 192.168.20.1 netmask 255.255.255.0
ovs-vsctl set open . external_ids:ovn-remote=tcp:192.168.20.1:6642
ovs-vsctl set open . external_ids:ovn-encap-type=geneve
ovs-vsctl set open . external_ids:ovn-encap-ip=192.168.20.1
ovs-vsctl set open . external_ids:ovn-monitor-all=true
systemctl start ovn-controller
ovn-nbctl ls-add ls0
ovn-nbctl lsp-add ls0 ln_port
ovn-nbctl lsp-set-addresses ln_port unknown
ovn-nbctl lsp-set-type ln_port localnet
ovn-nbctl lsp-set-options ln_port network_name=physnet1
ovn-nbctl set logical_switch_port ln_port options:localnet_learn_fdb=true
ovn-nbctl lsp-add ls0 vif1
ovn-nbctl lsp-set-addresses vif1 "00:00:01:01:01:01 192.168.20.1"
ovn-nbctl lsp-add ls0 vif2
ovn-nbctl lsp-set-addresses vif2 "00:00:01:01:01:02 192.168.20.2"
ovs-vsctl add-br br-phys
ovs-vsctl set open . external_ids:ovn-bridge-mappings=physnet1:br-phys
ovs-vsctl -- add-port br-int vif1 -- set Interface vif1 type=internal -- set Interface vif1 external_ids:iface-id=vif1 ofport-request=1
ip netns add vif1
ip link set vif1 netns vif1
ip netns exec vif1 ip link set vif1 address 00:00:01:01:01:01
ip netns exec vif1 ip addr add 192.168.20.1/24 dev vif1
ip netns exec vif1 ip link set vif1 up
ovs-vsctl add-port br-phys ens1f1
ovs-vsctl set Interface ens1f1 ofport-request=2
ip link set br-phys up
ip link set ens1f1 up
ovn-nbctl --wait=hv sync

################ HV0 ####################
systemctl start ovn-northd
systemctl start openvswitch
ovs-vsctl set open . external_ids:system-id=hv0
ifconfig ens1f0 192.168.20.2 netmask 255.255.255.0
ovs-vsctl set open . external_ids:ovn-remote=tcp:192.168.20.1:6642
ovs-vsctl set open . external_ids:ovn-encap-type=geneve
ovs-vsctl set open . external_ids:ovn-encap-ip=192.168.20.2
ovs-vsctl set open . external_ids:ovn-monitor-all=true
systemctl start ovn-controller
ovs-vsctl add-br br-phys
ovs-vsctl set open . external_ids:ovn-bridge-mappings=physnet1:br-phys
ovs-vsctl add-port br-int vif2
ovs-vsctl set Interface vif2 type=internal -- set Interface vif2 external_ids:iface-id=vif2 ofport-request=1
ip netns add vif2
ip link set vif2 netns vif2
ip netns exec vif2 ip link set vif2 address 00:00:01:01:01:02
ip netns exec vif2 ip addr add 192.168.20.2/24 dev vif2
ip netns exec vif2 ip link set vif2 up
ovs-vsctl -- add-port br-phys ens1f1 -- set interface ens1f1 ofport-request=2
ip link set br-phys up
ip link set ens1f1 up
ovn-nbctl --wait=hv sync

################ ON HV1 ####################
ovn-sbctl find fdb mac="00\:00\:01\:01\:01\:02"   <<<=================== No record found; send a few packets to update the FDB record

[root@dell-per740-81 bz_2179942]# ip netns exec vif1 ping 192.168.20.2 -c3
PING 192.168.20.2 (192.168.20.2) 56(84) bytes of data.
64 bytes from 192.168.20.2: icmp_seq=1 ttl=64 time=0.850 ms
64 bytes from 192.168.20.2: icmp_seq=2 ttl=64 time=0.131 ms
64 bytes from 192.168.20.2: icmp_seq=3 ttl=64 time=0.134 ms

--- 192.168.20.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2051ms
rtt min/avg/max/mdev = 0.131/0.371/0.850/0.338 ms

[root@dell-per740-81 bz_2179942]# ovn-sbctl find fdb mac="00\:00\:01\:01\:01\:02"
_uuid               : 1038bdde-dc76-4704-b49d-efc3b099b6f3
dp_key              : 1
mac                 : "00:00:01:01:01:02"
port_key            : 1
timestamp           : 1702035900463

<<============== Set fdb_age_threshold=10
[root@dell-per740-81 bz_2179942]# ovn-nbctl set logical_switch ls0 other_config:fdb_age_threshold=10
[root@dell-per740-81 bz_2179942]# sleep 10
[root@dell-per740-81 bz_2179942]# ovn-sbctl find fdb mac="00\:00\:01\:01\:01\:02"
[root@dell-per740-81 bz_2179942]#   <<=============== record removed after 10 seconds of inactivity
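As an added example (not part of this bug report or of the OVN project), a small script that parses the record format printed by `ovn-sbctl find fdb` in the verification above, counts learned MACs per datapath to spot unbounded growth on a localnet-connected switch, and flags entries whose timestamp is older than the configured fdb_age_threshold, which should no longer exist once aging is working. The sample records and the "now" timestamp are constructed; the first record mirrors the one shown in the bug.

```python
import re

# Constructed sample in the format printed by `ovn-sbctl find fdb`
# (not captured from a real system; first record mirrors the bug's output).
SAMPLE_FDB_OUTPUT = """\
_uuid               : 1038bdde-dc76-4704-b49d-efc3b099b6f3
dp_key              : 1
mac                 : "00:00:01:01:01:02"
port_key            : 1
timestamp           : 1702035900463

_uuid               : 00000000-0000-4000-8000-000000000002
dp_key              : 1
mac                 : "00:00:01:01:01:03"
port_key            : 1
timestamp           : 1702035950463
"""


def parse_fdb_records(text):
    """Parse 'key : value' records separated by blank lines into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # MAC values keep their colons
            if sep:
                rec[key.strip()] = value.strip().strip('"')
        if rec:
            records.append(rec)
    return records


def stale_entries(records, age_threshold_s, now_ms):
    """Entries last refreshed more than age_threshold_s ago (timestamp is ms).
    With other_config:fdb_age_threshold set on the logical switch, these should
    already have been removed; any that survive show aging is not taking effect."""
    cutoff = now_ms - age_threshold_s * 1000
    return [r for r in records if int(r["timestamp"]) < cutoff]


def count_per_datapath(records):
    """Number of learned MACs per datapath (dp_key), to watch for unbounded growth."""
    counts = {}
    for r in records:
        counts[r["dp_key"]] = counts.get(r["dp_key"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_fdb_records(SAMPLE_FDB_OUTPUT)
    print(count_per_datapath(recs), stale_entries(recs, 10, 1702035960463))
```

On a live system, pass the output of `ovn-sbctl find fdb` to parse_fdb_records and the current time in milliseconds to stale_entries.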
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn23.09 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2024:0392