[ovs-dev] [PATCH] netdev implementation for FreeBSD

Giuseppe Lettieri g.lettieri at iet.unipi.it
Thu Jul 12 18:07:08 UTC 2012


On 10/07/2012 18:08, Ben Pfaff wrote:
> On Tue, Jul 10, 2012 at 09:23:05AM -0400, Ed Maste wrote:
>>>> It isn't clear to me though why the Linux userspace mode does not behave
>>>> the same way though.  I had a (very) brief look at the way PF_PACKET is
>>>> handled in Linux and it seemed like the packet would still be passed up
>>>> the stack -- there must be something else that I'm missing.
>>> Linux appears to have a special case such that a packet will never be
>>> delivered back to the socket from which it originates via the network
>>> tap interface, see dev_queue_xmit_nit() in net/core/dev.c:
>> That looks to me like it should address the transmit case, avoiding
>> duplicate handling of a packet transmitted by Open vSwitch - I don't
>> see how the receive case (from the physical network) is handled.
> Probably there's just a bug there.  The userspace version isn't the
> primary way to use Open vSwitch with a Linux kernel so it gets little
> testing.
>

I think I have found what was causing the different behavior of Linux 
and FreeBSD. It turns out that several Linux distributions (Gentoo and 
Ubuntu, at least) set /proc/sys/net/conf/*/rp_filter to 1, i.e., they 
use reverse path filtering on all interfaces. In our tests we had a 
userlevel ovs bridge connecting a tap device with an IP address and a 
physical device with no address. The ping reply coming out of the 
physical device was dropped by the reverse path filter in the kernel, 
because the source address of the packet was not expected to live behind 
that device. The copy made by the AF_PACKET socket in the ovs 
bridge, instead, was forwarded by ovs to the tap device and then 
accepted. If we set rp_filter to 0, both copies are accepted and we see 
duplicate ping replies in Linux, as in FreeBSD.

Now the question is: is the configuration we were using supposed to work 
(i.e., *not* to make duplicate packets)? If the answer is yes, then 
INSTALL.usermode should mention the need for firewall rules or filters 
for both FreeBSD and Linux. Indeed, I think the most clear thing to do, 
even in Linux, is to use firewall rules, like

iptables -A INPUT -i eth_n -j DROP
iptables -A FORWARD -i eth_n -j DROP

for each eth_n which is connected to an ovs bridge.

Thoughts?

Giuseppe

-- 
Dr. Ing. Giuseppe Lettieri
Dipartimento di Ingegneria della Informazione
Universita' di Pisa
Largo Lucio Lazzarino 2, 56122 Pisa - Italy
Ph. : (+39) 050-2217.649 (direct) .599 (switch)
Fax : (+39) 050-2217.600
e-mail: g.lettieri at iet.unipi.it
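An added helper script illustrating the check and the rules discussed in the message above (example code written for this note, not part of the Open vSwitch tree or the author's patch): it reports the effective rp_filter mode of each physical port attached to a userspace ovs bridge and prints the two DROP rules from the mail for that port. The PROC_ROOT override is an assumption introduced here so the script can be exercised against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Audit reverse-path filtering on userspace-OVS bridge ports and emit the
# iptables rules that stop the host stack from handling frames the bridge
# already copies via its AF_PACKET socket. PROC_ROOT (hypothetical knob)
# defaults to the real sysctl tree; tests point it at a constructed one.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4/conf}"

# rp_filter_mode IFACE -> prints the effective mode (0 off, 1 strict,
# 2 loose). The kernel applies the maximum of the per-interface value
# and the "all" value, so both files are read; a missing file counts as 0.
rp_filter_mode() {
    per_if=$(cat "$PROC_ROOT/$1/rp_filter" 2>/dev/null || echo 0)
    all=$(cat "$PROC_ROOT/all/rp_filter" 2>/dev/null || echo 0)
    if [ "$per_if" -gt "$all" ]; then echo "$per_if"; else echo "$all"; fi
}

# port_drop_rules IFACE -> prints the two rules from the mail, so the
# kernel neither delivers nor forwards packets received on that port,
# whatever rp_filter is set to.
port_drop_rules() {
    printf 'iptables -A INPUT -i %s -j DROP\n' "$1"
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$1"
}

# audit_port IFACE -> one line saying whether duplicate replies are to be
# expected without the DROP rules. Only strict mode (1) drops the copy the
# kernel receives on an address-less port; loose mode (2) keeps it as long
# as the source is reachable via any interface, e.g. the tap.
audit_port() {
    mode=$(rp_filter_mode "$1")
    case "$mode" in
        1) echo "$1: rp_filter=1 (strict), kernel drops its copy, duplication masked" ;;
        2) echo "$1: rp_filter=2 (loose), duplicates still likely without DROP rules" ;;
        *) echo "$1: rp_filter=0, duplicates expected without DROP rules" ;;
    esac
}

# Usage: ./ovs-port-audit.sh eth1 eth2 ...  (no-op when run without ports)
for iface in "$@"; do
    audit_port "$iface"
    port_drop_rules "$iface"
done
```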
