Problem Description:

When a packet goes from a container through OVN router to an external IP through a localnet port, we end up with a datapath flow in OVS with a very narrow match (in most cases - exact match) on IPv6 destination address.  If we have a lot clients making requests from a large number of IPv6 addresses external to OVN setup, this is causing creation of one datapath flow per client IP and overwhelming the node.

The reason for this exact-match is a match on ip6.mcast_rsvd addresses that uses non-contiguous match on 124 bits of the IPv6 address that make prefix tracking optimization enabled in FDP-1024 ineffective for the ipv6_dst field.

 Impact Assessment:

If we have more than 200K external IPv6 clients of an OCP service, we may hit the datapath flow limit resulting in upcall storm on the node, reduced performance and potential packet drops.

 Software Versions:

Reported on OCP 4.14.53 with OVN 24.03.5-40.el9fdp and OVS 3.3.4-110.el9fdp.

  Issue Type:

Always broken. 

 Reproducibility:

100%

 Reproduction Steps:

1. Create a setup with a tcp server behind LSP connected through an OVN router to a different logical switch with a localnet port.
2. Send requests from multiple external IPv6 addresses to that LSP.
3. Check ovs-appctl dpctl/dump-flows and observe that there is a separate datapath flow for lsp-to-external direction per external IPv6 address.

 Expected Behavior:

There should not be a per-IP datapath flow.  Some sort of a large masked match should be used.

 Observed Behavior:

There is a separate datapath flow for lsp-to-external direction per external IPv6 address.