[ovs-dev] [PATCH v2 3/3] ofproto: Drop flows between protected ports

Ben Kelly ben at benjii.net
Sun Nov 20 09:34:41 UTC 2016


Protected ports cannot forward frames to other protected ports.
Unprotected ports can receive frames from, and forward frames to, both
protected and other unprotected ports.

Signed-off-by: Ben Kelly <ben at benjii.net>
---
 NEWS                         |  4 ++++
 ofproto/ofproto-dpif-xlate.c | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/NEWS b/NEWS
index c49d21c..a4806d3 100644
--- a/NEWS
+++ b/NEWS
@@ -40,6 +40,10 @@ Post-v2.6.0
        which set the number of rx and tx descriptors to use for the given port.
    - Fedora packaging:
      * A package upgrade does not automatically restart OVS service.
+   - ovs-vswitchd/ovs-vsctl:
+     * Ports now have a "protected" flag. Protected ports can not forward
+       frames to other protected ports. Unprotected ports can receive and
+       forward frames to protected and other unprotected ports.
 
 v2.6.0 - 27 Sep 2016
 ---------------------
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 98b536a..fad049d 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -2847,6 +2847,22 @@ clear_conntrack(struct flow *flow)
     memset(&flow->ct_label, 0, sizeof flow->ct_label);
 }
 
+static bool
+xlate_flow_is_protected(const struct xlate_ctx *ctx, const struct flow *flow, const struct xport *xport_out)
+{
+    const struct xport *xport_in;
+
+    if (!xport_out) {
+        return false;
+    }
+
+    xport_in = get_ofp_port(ctx->xbridge, flow->in_port.ofp_port);
+
+    return (xport_in && xport_in->xbundle && xport_out->xbundle &&
+            xport_in->xbundle->protected && xport_out->xbundle->protected);
+}
+
+
 static void
 compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
                         const struct xlate_bond_recirc *xr, bool check_stp)
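Review bot: xlate_flow_is_protected() takes the ingress side from `flow->in_port.ofp_port`, and if `flow` is the translation's working copy (its declaration is outside these hunks) that value may not be the port the frame actually arrived on, for example after a resubmit that overrides in_port or after the flow crosses a patch port. Nothing states which of the two the isolation rule is meant to use, so add a comment above the function, e.g. `/* Returns true if the flow's current in_port and 'xport_out' both belong to bundles marked protected, in which case the output must be skipped. */`, and confirm whether the original ingress port should be checked instead. The signature line also runs past 79 columns and should be wrapped like the `compose_output_action__` prototype below it.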
@@ -2876,6 +2892,9 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
     } else if (ctx->mirror_snaplen != 0 && xport->odp_port == ODPP_NONE) {
         xlate_report(ctx, "Mirror truncate to ODPP_NONE, skipping output");
         return;
+    } else if (xlate_flow_is_protected(ctx, flow, xport)) {
+        xlate_report(ctx, "Flow is between protected ports, skipping output.");
+        return;
     } else if (check_stp) {
         if (is_stp(&ctx->base_flow)) {
             if (!xport_stp_should_forward_bpdu(xport) &&
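Review bot: The report string in the added branch ends with a period, unlike the neighbouring `"Mirror truncate to ODPP_NONE, skipping output"`; for consistency it should read `xlate_report(ctx, "Flow is between protected ports, skipping output");`. The diffstat lists only NEWS and this file, so unless an earlier patch in the series adds one, this drop path has no test. A case covering protected-to-protected and protected-to-unprotected output would pin the isolation behaviour. compose_output_action__ starts before and continues past this hunk.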
-- 
2.7.4


