[ovs-dev] [PATCH 3/3] ofproto: Drop flows between protected ports

Ben Kelly ben at benjii.net
Sun Nov 13 13:30:40 UTC 2016


Protected ports cannot forward frames to other protected ports.
Unprotected ports can receive and forward frames to protected and other
unprotected ports.

Signed-off-by: Ben Kelly <ben at benjii.net>
---
 ofproto/ofproto-dpif-xlate.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 98b536a..fad049d 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -2847,6 +2847,22 @@ clear_conntrack(struct flow *flow)
     memset(&flow->ct_label, 0, sizeof flow->ct_label);
 }
 
+static bool
+xlate_flow_is_protected(const struct xlate_ctx *ctx, const struct flow *flow, const struct xport *xport_out)
+{
+    const struct xport *xport_in;
+
+    if (!xport_out) {
+        return false;
+    }
+
+    xport_in = get_ofp_port(ctx->xbridge, flow->in_port.ofp_port);
+
+    return (xport_in && xport_in->xbundle && xport_out->xbundle &&
+            xport_in->xbundle->protected && xport_out->xbundle->protected);
+}
+
+
 static void
 compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
                         const struct xlate_bond_recirc *xr, bool check_stp)
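Review bot: xlate_flow_is_protected() fails open, and nothing in the patch documents that. It returns false, so output proceeds, when `get_ofp_port()` finds no port for `flow->in_port.ofp_port` or when either port has no `xbundle`. Because this is an isolation control, a header comment should say whether that is intended, for example `/* Returns true only if both the ingress port of 'flow' and 'xport_out' are in protected bundles; a port that cannot be resolved or has no bundle counts as unprotected. */`. On style, the signature line is well over 79 columns and should be wrapped after `ctx,` like the `compose_output_action__` prototype below it, and the second blank line after the closing brace can go.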
@@ -2876,6 +2892,9 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
     } else if (ctx->mirror_snaplen != 0 && xport->odp_port == ODPP_NONE) {
         xlate_report(ctx, "Mirror truncate to ODPP_NONE, skipping output");
         return;
+    } else if (xlate_flow_is_protected(ctx, flow, xport)) {
+        xlate_report(ctx, "Flow is between protected ports, skipping output.");
+        return;
     } else if (check_stp) {
         if (is_stp(&ctx->base_flow)) {
             if (!xport_stp_should_forward_bpdu(xport) &&
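Review bot: The new `xlate_flow_is_protected(ctx, flow, xport)` branch decides isolation from `flow->in_port`, while the STP branch right below it reads `ctx->base_flow`. `flow` is declared outside this hunk; if it is the translation flow that earlier actions may modify, a rule that rewrites in_port before the output would change the outcome of the check. Please confirm which ingress port is meant and state it at the call site, for example `/* Isolation is evaluated against flow->in_port as it stands at output time. */`, and add a test that outputs between two protected ports after an in_port rewrite. The check also sits on the common output path, so it presumably drops explicit OpenFlow output actions as well as NORMAL forwarding, which the commit message should mention.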
-- 
2.7.4


