[ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security

Numan Siddique nusiddiq at redhat.com
Thu Apr 7 06:26:28 UTC 2016


On Thu, Apr 7, 2016 at 3:37 AM, Justin Pettit <jpettit at ovn.org> wrote:

> I think you might be able to write a slightly simpler patch by using
> ip_format_masked() like the following:
>
> -=-=-=-=-=-=-=-=-=-
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 4b1d611..890b17c 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -1179,8 +1179,11 @@ build_port_security_nd(struct ovn_port *op, struct
> hmap *
>              if (ps.n_ipv4_addrs) {
>                  ds_put_cstr(&match, " && (");
>                  for (size_t i = 0; i < ps.n_ipv4_addrs; i++) {
> -                    ds_put_format(&match, "arp.spa == "IP_FMT" || ",
> -                                  IP_ARGS(ps.ipv4_addrs[i].addr));
> +                    ds_put_cstr(&match, "arp.spa == ");
> +                    ip_format_masked(ps.ipv4_addrs[i].addr,
> +
>  be32_prefix_mask(ps.ipv4_addrs[i].plen),
> +                                     &match);
> +                    ds_put_cstr(&match, " || ");
>                  }
>                  ds_chomp(&match, ' ');
>                  ds_chomp(&match, '|');
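Review bot: In the arp.spa loop, ps.ipv4_addrs[i].addr is passed to ip_format_masked() without being checked against be32_prefix_mask(ps.ipv4_addrs[i].plen), so an entry such as 10.0.0.4/24 goes into the match string with its host bits still set. Either emit the prefix only when the host part is zero, or AND the address with the mask before formatting. If you choose masking, say in the commit message that the ARP source check then accepts the whole subnet rather than the single configured address.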
> @@ -1264,7 +1267,10 @@ build_port_security_ip(enum ovn_pipeline pipeline,
> struct
>              }
>
>              for (int i = 0; i < ps.n_ipv4_addrs; i++) {
> -                ds_put_format(&match, IP_FMT", ",
> IP_ARGS(ps.ipv4_addrs[i].addr
> +                ip_format_masked(ps.ipv4_addrs[i].addr,
> +                                 be32_prefix_mask(ps.ipv4_addrs[i].plen),
> +                                 &match);
> +                ds_put_cstr(&match, ", ");
>              }
>
>              /* Replace ", " by "}". */
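Review bot: The ip4 address set built in this loop has no guard for a port security entry that carries both host bits and a prefix. With "00:00:00:00:00:02 10.0.0.4/24" the set contains 10.0.0.4/24 and the whole match fails to parse with "Value contains unmasked 1-bits", as the warning quoted in the reply shows. Format the prefix only when the host part of the address is zero, and add a test case with such an address so the parse failure cannot return unnoticed.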
> -=-=-=-=-=-=-=-=-=-
>
> What do you think?
>
>
Thanks for the comments, Justin. I tried a similar approach. It will not
work in the cases where the port security address also has a prefix defined.
For example, with port security "00:00:00:00:00:02 10.0.0.4/24", the OVN
lexer/parser throws the error below:

-------
lflow|WARN|error parsing match "outport == "sw0-port2" && eth.dst ==
00:00:00:00:00:02 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.4/24}":
Value contains unmasked 1-bits.
------

That's the reason I am calling 'is_host_part_zero()' and putting the prefix
only if the host part is zero.



> --Justin
>
>
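The rule described in this reply (keep the prefix only when the host part of the address is zero), as an added example that is not part of the original message or of the posted patch. The helper names, the host-byte-order addresses and the sample inputs are assumptions made for illustration; the patch itself works on network-byte-order values.

```c
#include <stdint.h>
#include <stdio.h>

/* Netmask for a prefix length, host byte order (hypothetical helper). */
static uint32_t prefix_mask(unsigned int plen)
{
    return plen == 0 ? 0 : plen >= 32 ? UINT32_MAX : ~(UINT32_MAX >> plen);
}

/* 1 if no address bit lies outside the mask, i.e. "addr/plen" carries
 * no unmasked 1-bits and can be used as a masked match value. */
static int host_part_is_zero(uint32_t addr, unsigned int plen)
{
    return (addr & ~prefix_mask(plen)) == 0;
}

/* Write the match operand for one port security address into buf.
 * Network addresses keep their prefix; addresses with host bits set are
 * written without it, so the match covers that single address only.
 * Returns 1 if the prefix was kept, 0 otherwise. */
static int format_ps_ipv4(uint32_t addr, unsigned int plen,
                          char *buf, size_t len)
{
    int keep = host_part_is_zero(addr, plen);
    int n = snprintf(buf, len, "%u.%u.%u.%u", addr >> 24,
                     (addr >> 16) & 0xff, (addr >> 8) & 0xff, addr & 0xff);
    if (keep && n > 0 && (size_t) n < len) {
        snprintf(buf + n, len - n, "/%u", plen);
    }
    return keep;
}

int main(void)
{
    /* Constructed sample inputs. */
    struct { uint32_t addr; unsigned int plen; } in[] = {
        { 0x0a000004, 24 },   /* 10.0.0.4/24: host bits set */
        { 0x0a000000, 24 },   /* 10.0.0.0/24: host part zero */
    };
    char buf[32];
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        format_ps_ipv4(in[i].addr, in[i].plen, buf, sizeof buf);
        printf("ip4.dst == %s\n", buf);
    }
    return 0;
}
```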