@@ -14680,6 +14680,42 @@ build_lrouter_arp_nd_for_datapath(struct ovn_datapath *od,
1468014680 }
1468114681}
1468214682
14683+ static void
14684+ build_time_exceeded_flow_for_dnat_and_snat(struct ovn_port *op,
14685+ struct hmap *lflows, struct ds *ip_ds,
14686+ struct ds *match, struct ds *actions,
14687+ const struct shash *meter_groups)
14688+ {
14689+ if (is_l3dgw_port(op)) {
14690+ for (int i = 0; i < op->od->nbr->n_nat; i++) {
14691+ ds_clear(match);
14692+ ds_clear(actions);
14693+ ds_clear(ip_ds);
14694+ struct ovn_nat *nat_entry = &op->od->nat_entries[i];
14695+ if (!strcmp(nat_entry->nb->type, "dnat_and_snat")) {
14696+ ds_put_format(match, "ip4.src == %s && ", nat_entry->nb->external_ip);
14697+ ds_put_cstr(ip_ds, "ip4.dst <-> ip4.src");
14698+ ds_put_format(match,
14699+ "inport == %s && ip4 && "
14700+ "ip.ttl == {0, 1} && !ip.later_frag", op->json_key);
14701+ ds_put_format(actions,
14702+ "icmp4 {"
14703+ "eth.dst <-> eth.src; "
14704+ "icmp4.type = 11; /* Time exceeded */ "
14705+ "icmp4.code = 0; /* TTL exceeded in transit */ "
14706+ "%s ; ip.ttl = 254; "
14707+ "outport = %s; flags.loopback = 1; output; };",
14708+ ds_cstr(ip_ds), op->json_key);
14709+ ovn_lflow_add_with_hint__(lflows, op->od, S_ROUTER_IN_IP_INPUT,
14710+ 30, ds_cstr(match), ds_cstr(actions), NULL,
14711+ copp_meter_get(COPP_ICMP4_ERR, op->od->nbr->copp,
14712+ meter_groups),
14713+ &op->nbrp->header_);
14714+ }
14715+ }
14716+ }
14717+ }
14718+
1468314719/* Logical router ingress table 3: IP Input for IPv4. */
1468414720static void
1468514721build_lrouter_ipv4_ip_input(struct ovn_port *op,
@@ -14730,6 +14766,8 @@ build_lrouter_ipv4_ip_input(struct ovn_port *op,
1473014766
1473114767 /* ICMP time exceeded */
1473214768 struct ds ip_ds = DS_EMPTY_INITIALIZER;
14769+ build_time_exceeded_flow_for_dnat_and_snat(op, lflows, &ip_ds,
14770+ match, actions, meter_groups);
1473314771 for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) {
1473414772 ds_clear(match);
1473514773 ds_clear(actions);
0 commit comments