[ovs-dev] [PATCH 1/4] ovn: ovn-nbctl, the implementation of icmp4 reject actions

Ryan Moats rmoats at us.ibm.com
Mon Jul 18 19:13:45 UTC 2016


"dev" <dev-bounces at openvswitch.org> wrote on 07/18/2016 11:30:00 AM:

> From: nickcooper-zhangtonghao <nickcooper-zhangtonghao at opencloud.tech>
> To: dev at openvswitch.org
> Date: 07/18/2016 11:30 AM
> Subject: [ovs-dev] [PATCH 1/4] ovn: ovn-nbctl, the implementation of
> icmp4 reject actions
> Sent by: "dev" <dev-bounces at openvswitch.org>
>
> Hi,
>
> Now that some reject functions have been implemented and tested,
> other functions (e.g. TCP RST) need to be perfected!
>
> ovn: the implementation of icmp4 reject actions.
>
> It supports icmp4 reject (e.g. icmp-net-unreachable, icmp-host-prohibited,
> tcp-reset, icmp-admin-prohibited, icmp-port-unreachable, icmp-net-prohibited,
> icmp-host-unreachable, and icmp-proto-unreachable). The icmp-net-unreachable
> is the default. The "TCP RST" function will be completed soon. Reject action
> supports only the "from-lport" direction. In general, considering performance
> requirements, it might make sense to support only the "from-lport" direction.
>
> Signed-off-by: nickcooper-zhangtonghao <nickcooper-zhangtonghao at opencloud.tech>

This is a patch organization nit, but it would be better to either
combine all of the changes into a single patch or use the
--cover-letter option when formatting the patches and then each
patch set can describe what it is doing.

That being said, I'm not in favor of this patch going in without
some sort of upcall message dropping (in addition to the current
upcall rate throttling).  Testing here is already showing
potential DoS attacks by using a DHCP message storm and I'm worried
that tasking the controller with processing these types of messages
will just increase that attack surface many, many fold.

Ryan
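The reject types named in the quoted patch description correspond to ICMPv4 Destination Unreachable (type 3) codes. As an added example (not code from the patch or from OVN itself), the following Python builds and checks the reply a reject action would send for an offending IPv4 datagram; it assumes the iptables-style name-to-code mapping and uses a constructed sample TCP SYN as input.

```python
import struct

# Reject-type names from the patch description, mapped to the ICMPv4
# Destination Unreachable (type 3) codes of RFC 792 / RFC 1812.
# (Assumed mapping; the patch text itself only lists the names.)
REJECT_CODES = {
    "icmp-net-unreachable": 0,
    "icmp-host-unreachable": 1,
    "icmp-proto-unreachable": 2,
    "icmp-port-unreachable": 3,
    "icmp-net-prohibited": 9,
    "icmp-host-prohibited": 10,
    "icmp-admin-prohibited": 13,
}
ICMP_DEST_UNREACH = 3


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_reject(offending_ipv4: bytes, reject="icmp-net-unreachable") -> bytes:
    """ICMPv4 Destination Unreachable for a rejected datagram: type 3, the
    selected code, and the original IP header plus 8 payload bytes (RFC 792)."""
    code = REJECT_CODES[reject]
    ihl = (offending_ipv4[0] & 0x0F) * 4          # IP header length in bytes
    quoted = offending_ipv4[: ihl + 8]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def parse_icmp_reject(icmp: bytes):
    """Return (type, code, checksum_ok, quoted_datagram) for a reply."""
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    return itype, code, checksum(icmp) == 0, icmp[8:]


# Constructed sample: minimal IPv4/TCP SYN from 10.0.0.2 to 10.0.0.3:22.
SAMPLE_IPV4 = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3]))
    + struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)
)
```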