[ovs-dev] [IPv6 6/7] nicira-ext: Support matching IPv6 Neighbor Discovery messages.
Ben Pfaff
blp at nicira.com
Fri Jan 21 22:56:41 UTC 2011
On Fri, Jan 21, 2011 at 04:27:42AM -0800, Justin Pettit wrote:
> IPv6 uses Neighbor Discovery messages in a similar manner to how IPv4
> uses ARP. This commit adds support for matching deeper into the
> payloads of Neighbor Solicitation (NS) and Neighbor Advertisement (NA)
> messages. Currently, the matching fields include:
>
> - NS and NA Target (nd_target)
> - NS Source Link Layer Address (nd_sll)
> - NA Target Link Layer Address (nd_tll)
>
> When defining IPv6 Neighbor Discovery rules, the Nicira Extensible Match
> (NXM) extension to OVS must be used.
>
> Signed-off-by: Justin Pettit <jpettit at nicira.com>

Jesse needs to look at the kernel code. Here are my comments.

In parse_icmpv6(), does anything guarantee that the initial icmp_len is
at least sizeof(*nd) if it is an ND message? I don't see anything.

Also in parse_icmpv6(), what's the proper handling of an ND message with
duplicate ND_OPT_SOURCE_LL_ADDR or ND_OPT_TARGET_LL_ADDR options? This
could be a security issue, if different implementations do it
differently.

Also in parse_icmpv6(), it is completely equivalent as far as I can
tell, but I'd be more comfortable putting the
    if (!opt_len || (opt_len > icmp_len))
        return -EINVAL;
check before the tests for ND_OPT_SOURCE_LL_ADDR and
ND_OPT_TARGET_LL_ADDR.

Also in parse_icmpv6(), if icmp_len is not a multiple of 8 (is this
possible?), should this be considered an error?

All of the uses of CONSTANT_*() in this patch could instead just call
the ordinary non-CONSTANT version.

Please add test cases for the new NXM_NX_ND_* fields to the "ovs-ofctl
parse-nx-match" test in ovs-ofctl.at.

> diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
> index e1e5dd5..bbec3df 100644
> --- a/utilities/ovs-ofctl.8.in
> +++ b/utilities/ovs-ofctl.8.in
> @@ -388,6 +388,24 @@ groups of 16-bits of zeros. The optional \fInetmask\fR allows
> restricting a match to an IPv6 address prefix. A netmask is specified
> as a CIDR block (e.g. \fB2001:db8:3c4d:1::/64\fR).
> .
> +.IP \fBnd_target=\fIip\fR
> +When \fBdl_type\fR, \fBnw_proto\fR, and \fBicmp_type\fR specify
> +IPv6 Neighbor Discovery (ICMPv6 type 135 or 136), matches the target address
> +\fIip\fR. \fIip\fR is in the same format described earlier for the
> +\fBipv6_src\fR and \fBipv6_dst\fR fields.
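Review bot: In the new nd_target paragraph, "the same format described earlier for the ipv6_src and ipv6_dst fields" leaves it unclear whether a netmask is accepted, because the context lines just above describe an optional CIDR netmask for those fields; state explicitly whether nd_target takes one. The prerequisite sentence gives numeric values only for icmp_type (135 or 136), so it would also help to give the dl_type and nw_proto values the match requires (0x86dd and 58 for ICMPv6 over IPv6).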
'ip' must be an IPv6 address here, I think, so calling it 'ipv6' or 'ip6'
might be better?
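
An added example, not code from the patch or from either author: a user-space C parser for the ND header and option area that applies the checks raised in this review of parse_icmpv6(). The names nd_parse, nd_fields and nd_sample are hypothetical, and rejecting duplicate link-layer options and leftover bytes is this example's assumption, since the thread leaves both questions open.

```c
#include <stdint.h>
#include <string.h>

enum { ND_NEIGHBOR_SOLICIT = 135, ND_NEIGHBOR_ADVERT = 136, ND_OPT_SOURCE_LL_ADDR = 1,
       ND_OPT_TARGET_LL_ADDR = 2, ND_HDR_LEN = 24 /* 4 ICMPv6 + 4 reserved + 16 target */ };

struct nd_fields {          /* hypothetical result struct for this example */
    uint8_t target[16], sll[6], tll[6];
    int have_sll, have_tll;
};

/* Returns 0 and fills *out, or -1 with *out zeroed on a malformed message. */
int nd_parse(const uint8_t *p, size_t len, struct nd_fields *out)
{
    memset(out, 0, sizeof *out);
    /* The fixed ND header must be present before any of its fields is read. */
    if (len < ND_HDR_LEN || (p[0] != ND_NEIGHBOR_SOLICIT && p[0] != ND_NEIGHBOR_ADVERT))
        return -1;
    int ns = p[0] == ND_NEIGHBOR_SOLICIT;
    memcpy(out->target, p + 8, 16);
    for (p += ND_HDR_LEN, len -= ND_HDR_LEN; len >= 8; ) {
        size_t opt_len = (size_t)p[1] * 8;  /* length field counts 8-octet units */
        if (!opt_len || opt_len > len)      /* checked before the option type */
            goto bad;
        int sll = ns && p[0] == ND_OPT_SOURCE_LL_ADDR;
        int tll = !ns && p[0] == ND_OPT_TARGET_LL_ADDR;
        if ((sll || tll) && opt_len == 8) {
            int *seen = sll ? &out->have_sll : &out->have_tll;
            if (*seen)                      /* assumption: a duplicate is an error */
                goto bad;
            memcpy(sll ? out->sll : out->tll, p + 2, 6);
            *seen = 1;
        }
        p += opt_len, len -= opt_len;
    }
    if (!len)                               /* assumption: leftover bytes are an error */
        return 0;
bad:
    memset(out, 0, sizeof *out);
    return -1;
}

/* Constructed sample: an NS with n_opts (0..3) SLL options, cut short by trim bytes. */
int nd_sample(int n_opts, size_t trim, struct nd_fields *out)
{
    uint8_t buf[ND_HDR_LEN + 3 * 8] = { ND_NEIGHBOR_SOLICIT };
    for (int i = 0; i < n_opts; i++)
        memcpy(buf + ND_HDR_LEN + i * 8, "\x01\x01\x02\x00\x00\x00\x00\x01", 8);
    return nd_parse(buf, ND_HDR_LEN + (size_t)n_opts * 8 - trim, out);
}
```

Zeroing the result on every failure path means a caller never matches on fields taken from a message that was later found to be malformed.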