[PATCH] Narrowed allowed ARPs with inband rules

David Erickson daviderickson at cs.stanford.edu
Mon Nov 14 04:35:18 UTC 2011


Per the DESIGN document the following rules
have been changed from:

  (b) ARP replies to the local port's MAC address.
  (c) ARP requests from the local port's MAC address.

To:

  (b*) ARP replies containing the remote's IP address as a source
  (c*) ARP requests containing the remote's IP address as a target

This narrows the scope of ARPs that are caught
by these rules to only allow those that are
absolutely critical to enable an in-band connection
to a controller, allowing all others to be dealt
with as desired by the controller itself.
---
 ofproto/in-band.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ofproto/in-band.c b/ofproto/in-band.c
index 6c68324..6f59849 100644
--- a/ofproto/in-band.c
+++ b/ofproto/in-band.c
@@ -320,19 +320,23 @@ update_rules(struct in_band *ib)
         cls_rule_set_tp_src(&rule, htons(DHCP_CLIENT_PORT));
         cls_rule_set_tp_dst(&rule, htons(DHCP_SERVER_PORT));
         add_rule(ib, &rule);
+    }
+
+    for (r = ib->remotes; r < &ib->remotes[ib->n_remotes]; r++) {
+        const struct sockaddr_in *a = &r->remote_addr;
 
-        /* (b) Allow ARP replies to the local port's MAC address. */
+        /* (b*) Allow ARP replies with the remote's IP address as src */
         cls_rule_init_catchall(&rule, IBR_TO_LOCAL_ARP);
         cls_rule_set_dl_type(&rule, htons(ETH_TYPE_ARP));
-        cls_rule_set_dl_dst(&rule, ib->local_mac);
         cls_rule_set_nw_proto(&rule, ARP_OP_REPLY);
+        cls_rule_set_nw_src(&rule, a->sin_addr.s_addr);
         add_rule(ib, &rule);
 
-        /* (c) Allow ARP requests from the local port's MAC address.  */
+        /* (c*) Allow ARP requests with the remote's IP address as target */
         cls_rule_init_catchall(&rule, IBR_FROM_LOCAL_ARP);
         cls_rule_set_dl_type(&rule, htons(ETH_TYPE_ARP));
-        cls_rule_set_dl_src(&rule, ib->local_mac);
         cls_rule_set_nw_proto(&rule, ARP_OP_REQUEST);
+        cls_rule_set_nw_dst(&rule, a->sin_addr.s_addr);
         add_rule(ib, &rule);
     }
 
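Review bot: the (b*) rule removes the `cls_rule_set_dl_dst(&rule, ib->local_mac)` match rather than adding `cls_rule_set_nw_src(&rule, a->sin_addr.s_addr)` alongside it, so the new rule now matches ARP replies whose sender IP is the remote's address regardless of which MAC they are addressed to; since the stated goal is to narrow the ARP traffic these rules catch, consider keeping the dl_dst match together with the nw_src match (and likewise dl_src with nw_dst in the (c*) rule), or documenting in the comment why replies addressed to other hosts must also be caught. Two smaller points on the same hunk: the loop variable `r` used in `for (r = ib->remotes; r < &ib->remotes[ib->n_remotes]; r++)` is not declared in the visible context, so please confirm it is declared earlier in update_rules(); and the new comment text on the (b*) line should end with a period to match the surrounding comment style.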
-- 
1.7.0.4



