From patchwork Fri Sep 11 18:36:25 2015
X-Patchwork-Submitter: Ben Pfaff
X-Patchwork-Id: 516930
From: Ben Pfaff
To: dev@openvswitch.org
Date: Fri, 11 Sep 2015 11:36:25 -0700
Subject: [ovs-dev] [PATCH 1/3] ovn-northd: Don't deliver even broadcast packets to disabled logical ports.
Message-Id: <1441996587-615-1-git-send-email-blp@nicira.com>

Until now, the priority-100 flow for broadcast and multicast packets caused such packets to be delivered to disabled logical ports. This commit makes ovn-northd add a priority-150 flow for each disabled logical port to override that behavior.

Found by inspection.

Signed-off-by: Ben Pfaff
Acked-by: Justin Pettit
---
 ovn/northd/ovn-northd.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 253ee59..a6572df 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -863,20 +863,26 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths, "output;"); } - /* Egress table 1: Egress port security (priority 50). */ + /* Egress table 1: Egress port security (priority 50). + * + * Also, priority 150 rules for disabled logical ports so that they don't + * even receive multicast or broadcast packets. */ HMAP_FOR_EACH (op, key_node, ports) { struct ds match; ds_init(&match); ds_put_cstr(&match, "outport == "); json_string_escape(op->key, &match); - build_port_security("eth.dst", - op->nb->port_security, op->nb->n_port_security, - &match); - - ovn_lflow_add(&lflows, op->od, P_OUT, S_OUT_PORT_SEC, 50, - ds_cstr(&match), - lport_is_enabled(op->nb) ? "output;" : "drop;"); + if (lport_is_enabled(op->nb)) { + build_port_security("eth.dst", + op->nb->port_security, op->nb->n_port_security, + &match); + ovn_lflow_add(&lflows, op->od, P_OUT, S_OUT_PORT_SEC, 50, + ds_cstr(&match), "output;"); + } else { + ovn_lflow_add(&lflows, op->od, P_OUT, S_OUT_PORT_SEC, 150, + ds_cstr(&match), "drop;"); + } ds_destroy(&match); }
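Review bot: the disabled-port branch has no regression test to go with it; the commit message says the bug was found by inspection, so please add an OVN test case that sends a broadcast frame into the logical switch and asserts that a port with enabled=false receives nothing, otherwise a later change to the priority-100 multicast flow can silently reintroduce the leak. The logic itself looks right: the new priority-150 `drop;` matches `outport == <port>` alone, deliberately without the `eth.dst` terms from `build_port_security()`, so it outranks the priority-100 broadcast/multicast flow for every packet destined to the port, unicast included, and skipping `build_port_security()` on that branch is correct since a port-security constraint would only narrow a rule whose purpose is to drop everything. One small style point: the block comment now documents two priorities while its first line still says "(priority 50)"; consider rewording the heading to "Egress table 1: Egress port security (priority 50) and disabled-port drops (priority 150)" so the summary line is accurate on its own.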