Add static FDB entry to OVS for shared MAC

The FDB lookup is only used for non-destined shared MAC traffic. When
OVN or the host send a packet that hits a NORMAL action it will initate
MAC learning and can drive up the CPU of OVS. We still need NORMAL
action to account for sending to unknown ports like localnet ports, but
we do not want to learn the shared MAC. Therefore create a static entry
binding it to the LOCAL port.

Signed-off-by: Tim Rozet <[email protected]>

Author: trozet

go-controller/pkg/node/gateway.go

@@ -424,6 +424,11 @@ func gatewayInitInternal(nodeName, gwIntf, egressGatewayIntf string, gwNextHops
 		}
 	}
 
+	// Set static FDB entry for LOCAL port
+	if err := util.SetStaticFDBEntry(gatewayBridge.bridgeName, gatewayBridge.bridgeName, gatewayBridge.macAddress); err != nil {
+		return nil, nil, err
+	}
+
 	l3GwConfig := util.L3GatewayConfig{
 		Mode:           config.Gateway.Mode,
 		ChassisID:      chassisID,

go-controller/pkg/node/gateway_init_linux_test.go

@@ -195,6 +195,9 @@ func shareGatewayInterfaceTest(app *cli.App, testNS ns.NetNS,
 			Cmd:    "ovs-vsctl --timeout=15 --if-exists get Open_vSwitch . other_config:hw-offload",
 			Output: fmt.Sprintf("%t", hwOffload),
 		})
+		fexec.AddFakeCmdsNoOutputNoError([]string{
+			"ovs-appctl --timeout=15 fdb/add breth0 breth0 0 " + eth0MAC,
+		})
 		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
 			Cmd:    "ovs-vsctl --timeout=15 get Interface patch-breth0_node1-to-br-int ofport",
 			Output: "5",
@@ -633,6 +636,9 @@ func shareGatewayInterfaceDPUTest(app *cli.App, testNS ns.NetNS,
 			Cmd:    "ovs-vsctl --timeout=15 --if-exists get Open_vSwitch . other_config:hw-offload",
 			Output: "false",
 		})
+		fexec.AddFakeCmdsNoOutputNoError([]string{
+			fmt.Sprintf("ovs-appctl --timeout=15 fdb/add %s %s 0 %s", brphys, brphys, hostMAC),
+		})
 		// GetDPUHostInterface
 		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
 			Cmd:    "ovs-vsctl --timeout=15 list-ports " + brphys,
@@ -1086,6 +1092,9 @@ OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0`
 			Cmd:    "ovs-vsctl --timeout=15 --if-exists get Open_vSwitch . other_config:hw-offload",
 			Output: "false",
 		})
+		fexec.AddFakeCmdsNoOutputNoError([]string{
+			"ovs-appctl --timeout=15 fdb/add breth0 breth0 0 " + eth0MAC,
+		})
 		fexec.AddFakeCmd(&ovntest.ExpectedCmd{
 			Cmd:    "ovs-vsctl --timeout=15 get Interface patch-breth0_node1-to-br-int ofport",
 			Output: "5",

go-controller/pkg/node/gateway_udn_test.go

@@ -171,6 +171,9 @@ func setUpGatewayFakeOVSCommands(fexec *ovntest.FakeExec) {
 		Cmd:    "ovs-vsctl --timeout=15 --if-exists get Open_vSwitch . other_config:hw-offload",
 		Output: "false",
 	})
+	fexec.AddFakeCmdsNoOutputNoError([]string{
+		"ovs-appctl --timeout=15 fdb/add breth0 breth0 0 00:00:00:55:66:99",
+	})
 	fexec.AddFakeCmd(&ovntest.ExpectedCmd{
 		Cmd:    "ovs-vsctl --timeout=15 get Interface patch-breth0_worker1-to-br-int ofport",
 		Output: "5",

go-controller/pkg/util/ovs.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"net"
 	"regexp"
 	"runtime"
 	"strings"
@@ -819,6 +820,18 @@ func DetectCheckPktLengthSupport(bridge string) (bool, error) {
 	return false, nil
 }
 
+// SetStaticFDBEntry programs a static MAC entry into the OVS FIB and disables MAC learning for this entry
+func SetStaticFDBEntry(bridge, port string, mac net.HardwareAddr) error {
+	// Assume default VLAN for local port
+	vlan := "0"
+	stdout, stderr, err := RunOVSAppctl("fdb/add", bridge, port, vlan, mac.String())
+	if err != nil {
+		return fmt.Errorf("failed to add FDB entry to OVS for LOCAL port, "+
+			"stdout: %q, stderr: %q, error: %v", stdout, stderr, err)
+	}
+	return nil
+}
+
 // IsOvsHwOffloadEnabled checks if OvS Hardware Offload is enabled.
 func IsOvsHwOffloadEnabled() (bool, error) {
 	stdout, stderr, err := RunOVSVsctl("--if-exists", "get",