[ovs-dev] [IPv6 6/7] nicira-ext: Support matching IPv6 Neighbor Discovery messages.

Ben Pfaff blp at nicira.com
Fri Jan 21 22:56:41 UTC 2011


On Fri, Jan 21, 2011 at 04:27:42AM -0800, Justin Pettit wrote:
> IPv6 uses Neighbor Discovery messages in a similar manner to how IPv4
> uses ARP.  This commit adds support for matching deeper into the
> payloads of Neighbor Solicitation (NS) and Neighbor Advertisement (NA)
> messages.  Currently, the matching fields include:
> 
>     - NS and NA Target (nd_target)
>     - NS Source Link Layer Address (nd_sll)
>     - NA Target Link Layer Address (nd_tll)
> 
> When defining IPv6 Neighbor Discovery rules, the Nicira Extensible Match
> (NXM) extension to OVS must be used.
> 
> Signed-off-by: Justin Pettit <jpettit at nicira.com>

Jesse needs to look at the kernel code.  Here are my comments.

In parse_icmpv6(), does anything guarantee that the initial icmp_len is
at least sizeof(*nd) if it is an ND message?  I don't see anything.

Also in parse_icmpv6(), what's the proper handling of an ND message with
duplicate ND_OPT_SOURCE_LL_ADDR or ND_OPT_TARGET_LL_ADDR options?  This
could be a security issue, if different implementations do it
differently.

Also in parse_icmpv6(), it is completely equivalent as far as I can
tell, but I'd be more comfortable putting the
			if (!opt_len || (opt_len > icmp_len))
				return -EINVAL;
check before the tests for ND_OPT_SOURCE_LL_ADDR and
ND_OPT_TARGET_LL_ADDR.

Also in parse_icmpv6(), if icmp_len is not a multiple of 8 (is this
possible?), should this be considered an error?

All of the uses of CONSTANT_*() in this patch could instead just call
the ordinary non-CONSTANT version.

Please add test cases for the new NXM_NX_ND_* fields to the "ovs-ofctl
parse-nx-match" test in ovs-ofctl.at.

> diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
> index e1e5dd5..bbec3df 100644
> --- a/utilities/ovs-ofctl.8.in
> +++ b/utilities/ovs-ofctl.8.in
> @@ -388,6 +388,24 @@ groups of 16-bits of zeros.  The optional \fInetmask\fR allows
>  restricting a match to an IPv6 address prefix.  A netmask is specified
>  as a CIDR block (e.g. \fB2001:db8:3c4d:1::/64\fR).
>  .
> +.IP \fBnd_target=\fIip\fR
> +When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify
> +IPv6 Neighbor Discovery (ICMPv6 type 135 or 136), matches the target address
> +\fIip\fR.  \fIip\fR is in the same format described earlier for the
> +\fBipv6_src\fR and \fBipv6_dst\fR fields.
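Review bot: the new \fBnd_target\fR entry says \fIip\fR is "in the same format described earlier for the \fBipv6_src\fR and \fBipv6_dst\fR fields", and the context lines just above this hunk describe that format as including an optional \fInetmask\fR (CIDR block), so the entry should state explicitly whether \fBnd_target\fR accepts a netmask as well; as written a reader will assume it does. It would also help to say that the two ICMPv6 types named, 135 and 136, are Neighbor Solicitation and Neighbor Advertisement respectively, since the commit message distinguishes them but the man page text does not.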

'ip' must be an IPv6 address here, I think, so calling it 'ipv6' or 'ip6'
might be better?
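The review above asks four things of parse_icmpv6(): whether the fixed ND header is guaranteed to fit in icmp_len, what happens with duplicate ND_OPT_SOURCE_LL_ADDR / ND_OPT_TARGET_LL_ADDR options, whether the zero/overrun length check should come before the option-type tests, and whether a length that is not a multiple of 8 is an error. The following is an added userspace C example, not code from the patch or from Open vSwitch, that parses the same ND option layout (RFC 4861 type/length options in 8-octet units) and makes each of those decisions explicit; the names parse_nd, nd_match, parse_sample, last_match and the sample messages are all constructed for this illustration, and the rejection of duplicate link-layer options and of non-multiple-of-8 lengths is a stated policy choice here, not the patch's behaviour.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMPv6 NS/NA wire layout (RFC 4861): type(1) code(1) checksum(2)
 * reserved-or-flags(4) target(16), then type/length options whose
 * length byte counts 8-octet units.  Names below are hypothetical. */
#define ND_NEIGHBOR_SOLICITATION  135
#define ND_NEIGHBOR_ADVERTISEMENT 136
#define ND_OPT_SOURCE_LL_ADDR     1
#define ND_OPT_TARGET_LL_ADDR     2
#define ND_HDR_LEN                24
#define ETH_ALEN                  6

struct nd_match {
    uint8_t target[16];
    uint8_t sll[ETH_ALEN];
    uint8_t tll[ETH_ALEN];
    int have_sll;
    int have_tll;
};

/* Returns 0 for a well-formed ND message (or a non-ND ICMPv6 message, which
 * yields no ND fields) and -EINVAL for anything malformed.  Policy here:
 * header must fit, total length must be a multiple of 8, option length must
 * be non-zero and fit, and a second SLL/TLL option is rejected, not tolerated. */
int parse_nd(const uint8_t *icmp, size_t icmp_len, struct nd_match *m)
{
    memset(m, 0, sizeof *m);
    if (icmp_len < 1) return -EINVAL;
    uint8_t type = icmp[0];
    if (type != ND_NEIGHBOR_SOLICITATION && type != ND_NEIGHBOR_ADVERTISEMENT)
        return 0;                                  /* not ND: nothing deeper to match */
    if (icmp_len < ND_HDR_LEN) return -EINVAL;     /* fixed header must fit */
    if (icmp_len % 8) return -EINVAL;              /* options come in 8-octet units */
    memcpy(m->target, icmp + 8, sizeof m->target);

    for (size_t off = ND_HDR_LEN; off < icmp_len; ) {
        /* off is a multiple of 8 and below icmp_len, so both header bytes are in bounds */
        uint8_t opt_type = icmp[off];
        size_t  opt_len  = (size_t) icmp[off + 1] * 8;
        /* length sanity first, before looking at the option type at all */
        if (!opt_len || opt_len > icmp_len - off) return -EINVAL;

        if (opt_type == ND_OPT_SOURCE_LL_ADDR && type == ND_NEIGHBOR_SOLICITATION) {
            if (opt_len != 8 || m->have_sll) return -EINVAL;   /* Ethernet: exactly one 8-octet option */
            memcpy(m->sll, icmp + off + 2, ETH_ALEN);
            m->have_sll = 1;
        } else if (opt_type == ND_OPT_TARGET_LL_ADDR && type == ND_NEIGHBOR_ADVERTISEMENT) {
            if (opt_len != 8 || m->have_tll) return -EINVAL;
            memcpy(m->tll, icmp + off + 2, ETH_ALEN);
            m->have_tll = 1;
        }
        /* any other option type is skipped; RFC 4861 says to ignore unknown options */
        off += opt_len;
    }
    return 0;
}

/* Constructed sample messages: target fe80::1, link-layer address 00:11:22:33:44:55. */
#define TGT  0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,1
#define SLL  ND_OPT_SOURCE_LL_ADDR,1, 0x00,0x11,0x22,0x33,0x44,0x55
#define TLL  ND_OPT_TARGET_LL_ADDR,1, 0x00,0x11,0x22,0x33,0x44,0x55
static const uint8_t S_NS_OK[]   = { 135,0,0,0, 0,0,0,0,    TGT, SLL };
static const uint8_t S_NA_OK[]   = { 136,0,0,0, 0x40,0,0,0, TGT, TLL };
static const uint8_t S_ZERO[]    = { 135,0,0,0, 0,0,0,0,    TGT, 1,0, 0,0,0,0,0,0 }; /* len byte 0 */
static const uint8_t S_OVERRUN[] = { 135,0,0,0, 0,0,0,0,    TGT, 1,2, 0,0,0,0,0,0 }; /* claims 16, has 8 */
static const uint8_t S_DUP[]     = { 135,0,0,0, 0,0,0,0,    TGT, SLL, SLL };         /* duplicate SLL */
static const uint8_t S_SHORT[]   = { 135,0,0,0, 0,0,0,0,    0xfe,0x80,0,0 };         /* 12 bytes < header */
static const uint8_t S_ODD[]     = { 135,0,0,0, 0,0,0,0,    TGT, SLL, 0 };           /* 33 bytes */
static const uint8_t S_ECHO[]    = { 128,0,0,0, 0,0,0,0 };                           /* echo request, not ND */

enum { NS_OK, NA_OK, ZERO_LEN, OVERRUN, DUP_SLL, SHORT_HDR, ODD_LEN, NOT_ND, N_SAMPLES };
static const struct { const uint8_t *p; size_t n; } samples[N_SAMPLES] = {
    [NS_OK] = { S_NS_OK, sizeof S_NS_OK },     [NA_OK] = { S_NA_OK, sizeof S_NA_OK },
    [ZERO_LEN] = { S_ZERO, sizeof S_ZERO },    [OVERRUN] = { S_OVERRUN, sizeof S_OVERRUN },
    [DUP_SLL] = { S_DUP, sizeof S_DUP },       [SHORT_HDR] = { S_SHORT, sizeof S_SHORT },
    [ODD_LEN] = { S_ODD, sizeof S_ODD },       [NOT_ND] = { S_ECHO, sizeof S_ECHO },
};

struct nd_match last_match;   /* filled by parse_sample() for inspection */

/* Parse one constructed sample; returns parse_nd()'s result. */
int parse_sample(int idx)
{
    if (idx < 0 || idx >= N_SAMPLES) return -EINVAL;
    return parse_nd(samples[idx].p, samples[idx].n, &last_match);
}

int main(void)
{
    static const char *names[N_SAMPLES] = { "ns-ok", "na-ok", "zero-len", "overrun",
                                            "dup-sll", "short-hdr", "odd-len", "not-nd" };
    for (int i = 0; i < N_SAMPLES; i++)
        printf("%-10s -> %d\n", names[i], parse_sample(i));
    return 0;
}
```

The ordering inside the loop is the point of the third question in the review: with the length check first, an option whose type matches is never looked at unless its length is already known to be sane, so the type tests cannot read past the buffer regardless of which branch they take. Rejecting a second SLL/TLL option is one defensible answer to the duplicate-option question; the alternative of "first wins" or "last wins" would need to be chosen and documented, since a classifier that picks one and a host that picks the other will disagree about the same packet.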



