[ovs-dev] [PATCH 3/3] Fix setting transport ports with frags. Packets with 'LATER' fragment do not have a transport header, so it is not possible to set them. Setting the transport headers on such packets is prevented in two ways:
Jarno Rajahalme
jrajahalme at nicira.com
Mon Nov 3 22:38:23 UTC 2014
On Nov 3, 2014, at 2:03 PM, Ben Pfaff <blp at nicira.com> wrote:
> On Wed, Oct 29, 2014 at 03:12:02PM -0700, Jarno Rajahalme wrote:
>> 1. Flows with an explicit match on nw_frag, where the LATER bit is 1:
>> Prohibit setting transport header fields (port numbers) with
>> set_field or move, or using such a field as a source in a move.
>>
>> 2. Flows that wildcard the nw_frag LATER bit: At flow translation
>> time, detect the fact that the packet/flow has no transport header,
>> and (silently) do nothing when translating a set_field, set_tp_src,
>> set_tp_dst, or reg_move action that reads or writes on transport
>> headers. nw_frag is exact matched, so non-LATER packets deal with
>> the transport ports as before.
>>
>> 2. alone would suffice for correct behavior, but 1. seems like a right
>> thing to do, anyway.
>>
>> Finally, we add tests testing the new behavior.
>>
>> Signed-off-by: Jarno Rajahalme <jrajahalme at nicira.com>
>
> The subject line is much too long. Break it after the first sentence?
>
Oops. Will do.
> I think that this new constraint is really just a refinement of the
> prerequisites for MFP_TCP, MFP_UDP, and MFP_SCTP, so I would expect
> mf_are_prereqs_ok() to change instead of mf_check__().
>
OK.
> In IPv6, even the first fragment is not guaranteed to carry the
> transport port. Have you had any thoughts about how to handle IPv6?
Not yet :-) Looking at the documentation of OFPC_FRAG_NX_MATCH:
* - OFPC_FRAG_NX_MATCH (a Nicira extension): Similar to OFPC_FRAG_NORMAL,
* except that TCP and UDP port numbers should be included in fragments
* with offset 0.
It seems that the only way to implement this mode with IPv6 is to drop fragments of TCP/UDP/SCTP packet that have 0 offset, but do not contain the transport header port numbers. I’m not aware of legitimate traffic that would be harmed by this.
Thoughts?
Jarno
More information about the dev
mailing list