ovn-northd: Port security allows receiving packets to multicast/broad…

…cast. Otherwise ARP and other broadcast protocols would be problematic. Reported-by: Justin Pettit <jpettit@nicira.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Russell Bryant <rbryant@redhat.com> Acked-by: Justin Pettit <jpettit@nicira.com>
openvswitch · Apr 28, 2015 · 2f60b7b · 2f60b7b
1 parent 35060cd
commit 2f60b7b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
@@ -442,6 +442,9 @@ build_pipeline(struct northd_context *ctx)
     }
 
     /* Table 3: Egress port security. */
+    NBREC_LOGICAL_SWITCH_FOR_EACH (lswitch, ctx->ovnnb_idl) {
+        pipeline_add(&pc, lswitch, 3, 100, "eth.dst[40]", "output;");
+    }
     NBREC_LOGICAL_PORT_FOR_EACH (lport, ctx->ovnnb_idl) {
         struct ds match;
 

diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
@@ -140,7 +140,8 @@
         A set of L2 (Ethernet) or L3 (IPv4 or IPv6) addresses or L2+L3 pairs
         from which the logical port is allowed to send packets and to which it
         is allowed to receive packets.  If this column is empty, all addresses
-        are permitted.
+        are permitted.  Logical ports are always allowed to receive packets
+        addressed to multicast and broadcast addresses.
       </p>
 
       <p>