[ovs-dev] [PATCH 3/3] ofproto: Drop flows between protected ports
Ben Kelly
ben at benjii.net
Sun Nov 13 13:30:40 UTC 2016
Protected ports cannot forward frames to other protected ports.
Unprotected ports can receive and forward frames to protected and other
unprotected ports.
Signed-off-by: Ben Kelly <ben at benjii.net>
---
ofproto/ofproto-dpif-xlate.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 98b536a..fad049d 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -2847,6 +2847,22 @@ clear_conntrack(struct flow *flow)
memset(&flow->ct_label, 0, sizeof flow->ct_label);
}
+static bool
+xlate_flow_is_protected(const struct xlate_ctx *ctx, const struct flow *flow, const struct xport *xport_out)
+{
+ const struct xport *xport_in;
+
+ if (!xport_out) {
+ return false;
+ }
+
+ xport_in = get_ofp_port(ctx->xbridge, flow->in_port.ofp_port);
+
+ return (xport_in && xport_in->xbundle && xport_out->xbundle &&
+ xport_in->xbundle->protected && xport_out->xbundle->protected);
+}
+
+
static void
compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
const struct xlate_bond_recirc *xr, bool check_stp)
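Review bot: xlate_flow_is_protected() fails open: when get_ofp_port() cannot resolve flow->in_port.ofp_port, or when either port has no xbundle, the final `return` expression is false and the output is allowed. Since this helper is the only enforcement of the isolation visible in this patch, that default deserves a comment on the function, for example `/* Returns true only if both the ingress port and 'xport_out' belong to protected bundles; an unresolved ingress port or a port without a bundle is treated as unprotected. */`. The ingress side is read from the flow's in_port field; if earlier actions in the pipeline can change that field (not visible here), the check would follow the rewritten value, so it is worth confirming which in_port is intended. The signature line is also far longer than the wrapped compose_output_action__ signature below it and should be wrapped after the second parameter.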
@@ -2876,6 +2892,9 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
} else if (ctx->mirror_snaplen != 0 && xport->odp_port == ODPP_NONE) {
xlate_report(ctx, "Mirror truncate to ODPP_NONE, skipping output");
return;
+ } else if (xlate_flow_is_protected(ctx, flow, xport)) {
+ xlate_report(ctx, "Flow is between protected ports, skipping output.");
+ return;
} else if (check_stp) {
if (is_stp(&ctx->base_flow)) {
if (!xport_stp_should_forward_bpdu(xport) &&
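Review bot: The new message ends with a full stop while the neighbouring xlate_report() string ("Mirror truncate to ODPP_NONE, skipping output") does not; drop it for consistency: `xlate_report(ctx, "Flow is between protected ports, skipping output");`. The branch sits in the common output path ahead of the check_stp handling, so it appears to apply to every output composed through compose_output_action__, whose body starts and ends outside this hunk. A short comment such as `/* Port isolation: never forward between two protected bundles. */` would make that intent explicit. `flow` is not declared in the visible lines, so this assumes a local of that name already exists in the function.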
--
2.7.4