[ovs-dev] [OVN] Reject action

Ben Pfaff blp at ovn.org
Wed Apr 20 16:55:44 UTC 2016


On Wed, Apr 20, 2016 at 09:40:26AM -0700, Justin Pettit wrote:
> 
> > On Apr 20, 2016, at 9:36 AM, Ben Pfaff <blp at ovn.org> wrote:
> > 
> > On Wed, Apr 20, 2016 at 11:19:18AM -0500, Daniel Levy wrote:
> >> After some digging I've figured out where the code needs to go within
> >> OVN. Looking through the ofctl man page to understand how to set a
> >> flow's action to return an RST packet, but I do not see the option.
> >> Asked on the OVS IRC and was told OVS currently does not support it,
> >> unless the packet is forwarded to the controller and built manually
> >> as RST.
> > 
> > Yes, that's right.
> > 
> > The initial plan for implementing the OVN tcp_reset logical action is to
> > direct packets as needed to ovn-controller, the same way OVN handles
> > ARP.
> 
> Daniel, are you planning to generate ICMP errors for UDP and ICMP
> rejected packets?  It might be nice to create a generic reject OVN
> action that does "the right thing" regardless of whether it's TCP,
> UDP, or ICMP.

There's a design proposal already in ovn-sb(5):

              icmp4 { action; ... };
                     Temporarily replaces the IPv4 packet being  processed  by
                     an  ICMPv4  packet and executes each nested action on the
                     ICMPv4 packet.  Actions following the  icmp4  action,  if
                     any, apply to the original, unmodified packet.

                     The  ICMPv4  packet  that this action operates on is
                     initialized based on the IPv4  packet  being  processed,  as
                     follows.   These  are  default  values  that  the  nested
                     actions will probably want to change.  Ethernet and  IPv4
                     fields not listed here are not changed:

                     ·      ip.proto = 1 (ICMPv4)

                     ·      ip.frag = 0 (not a fragment)

                     ·      icmp4.type = 3 (destination unreachable)

                     ·      icmp4.code = 1 (host unreachable)

                     Details TBD.

                     Prerequisite: ip4

              tcp_reset;
                     This  action  transforms the current TCP packet according
                     to the following pseudocode:

                     if (tcp.ack) {
                             tcp.seq = tcp.ack;
                     } else {
                             tcp.ack = tcp.seq + length(tcp.payload);
                             tcp.seq = 0;
                     }
                     tcp.flags = RST;

                     Then, the action drops all TCP options and payload  data,
                     and updates the TCP checksum.

                     Details TBD.

                     Prerequisite: tcp
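
The tcp_reset pseudocode quoted above, applied literally to a raw TCP segment in C (an added example, not code from OVS/OVN or from this thread). The function names, the byte-buffer interface and the sample segment are assumptions; swapping addresses and ports for the reply is left out because the quoted text does not describe it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Big-endian 32-bit load/store on a raw header (hypothetical helpers). */
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
/* RFC 1071 ones'-complement accumulation over len bytes. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}
/* TCP checksum over the IPv4 pseudo-header (src, dst, proto 6, length) plus segment. */
static uint16_t tcp_csum(const uint8_t *src, const uint8_t *dst, const uint8_t *seg, size_t len) {
    uint8_t ph[4] = {0, 6, (uint8_t)(len >> 8), (uint8_t)len};
    uint32_t sum = csum_add(csum_add(csum_add(csum_add(0, src, 4), dst, 4), ph, 4), seg, len);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Rewrites seg in place as the pseudocode describes. Returns the new segment
 * length (20: bare header, no options or payload) or 0 if seg is malformed. */
size_t tcp_reset(uint8_t *seg, size_t len, const uint8_t *src, const uint8_t *dst) {
    if (len < 20) return 0;
    size_t hlen = (size_t)(seg[12] >> 4) * 4;       /* data offset, in bytes */
    if (hlen < 20 || hlen > len) return 0;          /* reject bad offsets */
    if (seg[13] & 0x10) {                           /* if (tcp.ack) */
        memcpy(seg + 4, seg + 8, 4);                /*   tcp.seq = tcp.ack */
    } else {
        put32(seg + 8, get32(seg + 4) + (uint32_t)(len - hlen)); /* ack = seq + payload */
        memset(seg + 4, 0, 4);                      /*   tcp.seq = 0 */
    }
    seg[12] = 5 << 4;                               /* drop all TCP options */
    seg[13] = 0x04;                                 /* tcp.flags = RST */
    seg[16] = seg[17] = 0;
    uint16_t c = tcp_csum(src, dst, seg, 20);       /* update the checksum */
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
    return 20;
}
int main(void) {   /* constructed sample: SYN, seq=1000, MSS option, 3 payload bytes */
    uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    uint8_t seg[27] = {0x30,0x39, 0,80, 0,0,0x03,0xe8, 0,0,0,0, 0x60,0x02,
                       0xff,0xff, 0,0, 0,0, 2,4,5,0xb4, 'a','b','c'};
    size_t n = tcp_reset(seg, sizeof seg, src, dst);
    printf("len=%zu seq=%u ack=%u flags=0x%02x\n", n, (unsigned)get32(seg + 4), (unsigned)get32(seg + 8), seg[13]);
    return 0;
}
```

For a segment without ACK, RFC 793 builds the reset as `<SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>`, with SYN and FIN counted in SEG.LEN. The pseudocode sets only RST and counts payload bytes, which the "Details TBD" would still have to settle.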


