raise priority of dead vlan drop
- This change adds a max priority flow to drop all traffic that is associated with the DEAD VLAN 4095. - This change is part of a partial mitigation of bug 1734320. Without this change vlan 4095 traffic will be dropped via a low priority flow after being processed by part/all of the openflow pipeline. By raising the priorty and droping in table 0 we drop invalid packets as soon as they enter the pipeline. Change-Id: I3482c7c4f00942828cc9396cd2f3d646c9e8c9d1 Partial-Bug: #1734320
This commit is contained in:
parent
6efb09fe22
commit
e3dc447b90
|
@ -153,6 +153,8 @@ OPENFLOW13 = "OpenFlow13"
|
|||
OPENFLOW14 = "OpenFlow14"
|
||||
OPENFLOW15 = "OpenFlow15"
|
||||
|
||||
OPENFLOW_MAX_PRIORITY = 65535
|
||||
|
||||
# A placeholder for dead vlans.
|
||||
DEAD_VLAN_TAG = p_const.MAX_VLAN_TAG + 1
|
||||
|
||||
|
|
|
@ -43,6 +43,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
|||
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
|
||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
||||
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
||||
self.install_drop(table_id=constants.LOCAL_SWITCHING,
|
||||
priority=constants.OPENFLOW_MAX_PRIORITY,
|
||||
vlan_vid=constants.DEAD_VLAN_TAG)
|
||||
|
||||
def setup_canary_table(self):
|
||||
self.install_drop(constants.CANARY_TABLE)
|
||||
|
|
|
@ -37,6 +37,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
|||
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
|
||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
||||
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
||||
self.install_drop(table_id=constants.LOCAL_SWITCHING,
|
||||
priority=constants.OPENFLOW_MAX_PRIORITY,
|
||||
dl_vlan=constants.DEAD_VLAN_TAG)
|
||||
|
||||
def setup_canary_table(self):
|
||||
self.install_drop(constants.CANARY_TABLE)
|
||||
|
|
|
@ -68,6 +68,13 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
|
|||
priority=0,
|
||||
table_id=24),
|
||||
active_bundle=None),
|
||||
call._send_msg(ofpp.OFPFlowMod(dp,
|
||||
cookie=self.stamp,
|
||||
instructions=[],
|
||||
match=ofpp.OFPMatch(vlan_vid=4095),
|
||||
priority=65535,
|
||||
table_id=0),
|
||||
active_bundle=None),
|
||||
]
|
||||
self.assertEqual(expected, self.mock.mock_calls)
|
||||
|
||||
|
|
|
@ -37,6 +37,8 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
|
|||
call.add_flow(priority=0, table=0, actions='resubmit(,60)'),
|
||||
call.add_flow(priority=3, table=60, actions='normal'),
|
||||
call.add_flow(priority=0, table=24, actions='drop'),
|
||||
call.add_flow(actions='drop', dl_vlan=4095,
|
||||
priority=65535, table=0)
|
||||
]
|
||||
self.assertEqual(expected, self.mock.mock_calls)
|
||||
|
||||
|
|
Loading…
Reference in New Issue