[ovs-dev] [tunnel 04/11] ofproto-dpif: Install drops for flows from invalid in_ports.

Ben Pfaff blp at nicira.com
Mon Jan 28 18:55:58 UTC 2013


On Sun, Jan 27, 2013 at 04:58:05PM -0800, Ethan Jackson wrote:
> Before this patch, if a packet came in on a port which userspace
> doesn't know about, it would be silently dropped without installing
> a drop flow.  Historically, this has been fine because this
> situation could only occur during transient reconfiguration
> periods.  However, in future, this could occur when the tunneling
> code decides to reject a packet due to invalid headers.  In this
> case, it's preferable to drop the packet in the kernel to avoid a
> high bandwidth stream of invalid packets DoSing the switch.
> 
> Signed-off-by: Ethan Jackson <ethan at nicira.com>

I think it would be better to create a real data structure for
handling these, instead of using (I'm close to saying "abusing")
struct ofpbuf for the purpose.

I think there is a minor memory leak in here, because I see a new
hmap_init() but no hmap_destroy().

> @@ -844,6 +850,12 @@ type_run(const char *type)
>          case REV_INCONSISTENCY: COVERAGE_INC(rev_inconsistency); break;
>          }
>  
> +        if (backer->need_revalidate) {
> +            /* Clear the drop_keys in case we should now be accepting some
> +             * formally dropped flows. */
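
Review bot: the comment inside the `if (backer->need_revalidate)` block says "formally dropped flows", which reads as a typo for "formerly dropped flows". The comment also explains only why drop_keys is cleared. It should say as well what happens to the drop flows that the commit message describes as installed in the kernel. If only the userspace record is cleared, a flow that should now be accepted could still be dropped in the datapath, so state in the comment whether the matching kernel flows are deleted in the same step.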

Do you mean "formerly"?

In update_stats(), I think that we could save some time by only
calling drop_key_lookup() if ofproto_receive() returns ENODEV, since
drop keys should not be the common case.

Thanks,

Ben.


