[ovs-dev] [PATCH 1/3] ovn-northd: Don't deliver even broadcast packets to disabled logical ports.

Ben Pfaff blp at nicira.com
Fri Sep 11 18:36:25 UTC 2015


Until now, the priority-100 flow for broadcast and multicast packets caused
such packets to be delivered to disabled logical ports.  This commit makes
ovn-northd add a priority-150 flow for each disabled logical port to
override that behavior.

Found by inspection.

Signed-off-by: Ben Pfaff <blp at nicira.com>
---
 ovn/northd/ovn-northd.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 253ee59..a6572df 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -863,20 +863,26 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths,
                       "output;");
     }
 
-    /* Egress table 1: Egress port security (priority 50). */
+    /* Egress table 1: Egress port security (priority 50).
+     *
+     * Also, priority 150 rules for disabled logical ports so that they don't
+     * even receive multicast or broadcast packets. */
     HMAP_FOR_EACH (op, key_node, ports) {
         struct ds match;
 
         ds_init(&match);
         ds_put_cstr(&match, "outport == ");
         json_string_escape(op->key, &match);
-        build_port_security("eth.dst",
-                            op->nb->port_security, op->nb->n_port_security,
-                            &match);
-
-        ovn_lflow_add(&lflows, op->od, P_OUT, S_OUT_PORT_SEC, 50,
-                      ds_cstr(&match),
-                      lport_is_enabled(op->nb) ? "output;" : "drop;");
+        if (lport_is_enabled(op->nb)) {
+            build_port_security("eth.dst",
+                                op->nb->port_security, op->nb->n_port_security,
+                                &match);
+            ovn_lflow_add(&lflows, op->od, P_OUT, S_OUT_PORT_SEC, 50,
+                          ds_cstr(&match), "output;");
+        } else {
+            ovn_lflow_add(&lflows, op->od, P_OUT, S_OUT_PORT_SEC, 150,
+                          ds_cstr(&match), "drop;");
+        }
 
         ds_destroy(&match);
     }
-- 
2.1.3




More information about the dev mailing list