raise priority of dead vlan drop
- This change adds a max priority flow to drop
all traffic that is associated with the
DEAD VLAN 4095.
- This change is part of a partial mitigation of
bug 1734320. Without this change vlan 4095 traffic
will be dropped via a low priority flow after being
processed by part/all of the openflow pipeline.
By raising the priority and dropping in table 0
we drop invalid packets as soon as they enter
the pipeline.
Change-Id: I3482c7c4f00942828cc9396cd2f3d646c9e8c9d1
Partial-Bug: #1734320
(cherry picked from commit e3dc447b90
)
parent
8bda3c2ed3
commit
ffee956d44
|
@ -190,6 +190,8 @@ OPENFLOW13 = "OpenFlow13"
|
||||||
OPENFLOW14 = "OpenFlow14"
|
OPENFLOW14 = "OpenFlow14"
|
||||||
OPENFLOW15 = "OpenFlow15"
|
OPENFLOW15 = "OpenFlow15"
|
||||||
|
|
||||||
|
OPENFLOW_MAX_PRIORITY = 65535
|
||||||
|
|
||||||
# A placeholder for dead vlans.
|
# A placeholder for dead vlans.
|
||||||
DEAD_VLAN_TAG = p_const.MAX_VLAN_TAG + 1
|
DEAD_VLAN_TAG = p_const.MAX_VLAN_TAG + 1
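Review bot: `OPENFLOW_MAX_PRIORITY` is added without a comment, unlike `DEAD_VLAN_TAG` just below it. A one-liner such as `# Highest priority an OpenFlow flow entry can carry (16-bit field); keep it for drops that must win over every other flow.` would record why the value is 65535. It would also discourage reuse for ordinary flows: OpenFlow leaves the result undefined when two overlapping flows in the same table share a priority, so another max-priority flow in table 0 could shadow the dead-VLAN drop.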
|
||||||
|
|
||||||
|
|
|
@ -45,6 +45,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
||||||
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
|
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
|
||||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
||||||
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
||||||
|
self.install_drop(table_id=constants.LOCAL_SWITCHING,
|
||||||
|
priority=constants.OPENFLOW_MAX_PRIORITY,
|
||||||
|
vlan_vid=constants.DEAD_VLAN_TAG)
|
||||||
|
|
||||||
def setup_canary_table(self):
|
def setup_canary_table(self):
|
||||||
self.install_drop(constants.CANARY_TABLE)
|
self.install_drop(constants.CANARY_TABLE)
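Review bot: The native-driver drop added here matches `vlan_vid=constants.DEAD_VLAN_TAG`, a bare 4095 without the OpenFlow 1.3 `OFPVID_PRESENT` bit (0x1000), so the switch may install it as VID 0xfff with the tag-present bit clear, which as far as I can tell no tagged frame satisfies. If that holds, dead-VLAN traffic on this driver would still fall through to the later low-priority drop, while the `dl_vlan` form in the ovs-ofctl driver hunk is not affected. Consider `vlan_vid=constants.DEAD_VLAN_TAG | ofp.OFPVID_PRESENT` (assuming `ofp` can be obtained from the datapath in this method, which begins outside the hunk) and confirm with a flow dump on a test bridge. The native test hunk pins `ofpp.OFPMatch(vlan_vid=4095)` and would need to follow; it only checks the message that is sent, not that the flow matches tagged traffic.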
|
||||||
|
|
|
@ -37,6 +37,9 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
||||||
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
|
self.install_goto(dest_table_id=constants.TRANSIENT_TABLE)
|
||||||
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
self.install_normal(table_id=constants.TRANSIENT_TABLE, priority=3)
|
||||||
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
self.install_drop(table_id=constants.ARP_SPOOF_TABLE)
|
||||||
|
self.install_drop(table_id=constants.LOCAL_SWITCHING,
|
||||||
|
priority=constants.OPENFLOW_MAX_PRIORITY,
|
||||||
|
dl_vlan=constants.DEAD_VLAN_TAG)
|
||||||
|
|
||||||
def setup_canary_table(self):
|
def setup_canary_table(self):
|
||||||
self.install_drop(constants.CANARY_TABLE)
|
self.install_drop(constants.CANARY_TABLE)
|
||||||
|
|
|
@ -68,6 +68,13 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
|
||||||
priority=0,
|
priority=0,
|
||||||
table_id=24),
|
table_id=24),
|
||||||
active_bundle=None),
|
active_bundle=None),
|
||||||
|
call._send_msg(ofpp.OFPFlowMod(dp,
|
||||||
|
cookie=self.stamp,
|
||||||
|
instructions=[],
|
||||||
|
match=ofpp.OFPMatch(vlan_vid=4095),
|
||||||
|
priority=65535,
|
||||||
|
table_id=0),
|
||||||
|
active_bundle=None),
|
||||||
]
|
]
|
||||||
self.assertEqual(expected, self.mock.mock_calls)
|
self.assertEqual(expected, self.mock.mock_calls)
|
||||||
|
|
||||||
|
|
|
@ -37,6 +37,8 @@ class OVSIntegrationBridgeTest(ovs_bridge_test_base.OVSBridgeTestBase):
|
||||||
call.add_flow(priority=0, table=0, actions='resubmit(,60)'),
|
call.add_flow(priority=0, table=0, actions='resubmit(,60)'),
|
||||||
call.add_flow(priority=3, table=60, actions='normal'),
|
call.add_flow(priority=3, table=60, actions='normal'),
|
||||||
call.add_flow(priority=0, table=24, actions='drop'),
|
call.add_flow(priority=0, table=24, actions='drop'),
|
||||||
|
call.add_flow(actions='drop', dl_vlan=4095,
|
||||||
|
priority=65535, table=0)
|
||||||
]
|
]
|
||||||
self.assertEqual(expected, self.mock.mock_calls)
|
self.assertEqual(expected, self.mock.mock_calls)
|
||||||
|
|
||||||
|
|