[ovs-dev] [IP DEFRAG ACTION RFC 2/2] datapath: add ip_defag action

Thomas Graf tgraf at noironetworks.com
Tue Nov 11 22:13:55 UTC 2014 

On 11/11/14 at 12:03pm, Andy Zhou wrote:
> On Tue, Nov 11, 2014 at 2:48 AM, Thomas Graf <tgraf at noironetworks.com> wrote:
> > Don't you need to pull off the ethernet header first? ip_defrag()
> > expects an IP header at skb->data.
> I could be wrong on this, but It looks to me ip_defrag uses ip_hdr()
> to get the IP header information, thus pull
> off ethernet header is not necessary.

ip_frag_queue() pulls off the IP header:

        if (pskb_pull(skb, ihl) == NULL)
                goto err;

        err = pskb_trim_rcsum(skb, end - offset);
        if (err)
                goto err;

It also assumes skb->len to not include any L2 headers if I read the
code correctly.

> > Given I remember the defrag implementation correctly:
> >
> > We have to be clear about the side effects of this if we are reusing the
> > existing CONNTRACK_IN zones. A packet processed in parallel outside of
> > OVS on another net_device in the same net namespace can be reassembled
> > into the OVS owned skb even though that packet may not match the original
> > flow. The iif check not part of the ipq lookup.
> 
> Should zone be assigned in such a way to avoid those conflicts?  In
> addition, OVS IP_DEFRAG
> can skip any SKBs that has already filtered by netfilter.

I think the zone support is what makes the behaviour as proposed
acceptable. If documented, it is up to the user to configure the
system in a way that does not include these holes.

> A cleaner option is to add new zone for OVS so we can avoid reusing
> CONTRACK_IN zone.

I would like to keep the option to share the same zones because I
can see a lot of value to match on CTs which have been created by
netfilter or vice versa.

> Technically this cleaner. OVS IP_DEFRAG can be applied to either IN or
> OUT direction,
> depending on OF rules, thus only one zone is needed.  I did not add a
> new zone  for this patch
> since I have not found a good way to add compat header for it.
> >
> > A typical example would be:
> >
> >         in_port(2),actions=ip_defrag(),...
> 
> Why is this typical?

Should have been more precise. A typical example in which the match
associated with the flow running the defrag action may not match all
packets which end up being reassembled.

This specific discussion was held a couple of years back in the context
of netfilter where packets could bypass the iptables rules by getting
reassembled/defraged into a packet which was already accepted. Such a
packet may contain L2 bits or metadata which would require it to get
dropped by rules.

More information about the dev mailing list