tnl-ports: Add destination IP and MAC address to the match.

Currently tnl-port table wildcard destination ip and mac addresses for given tunnel packet. That could result accepting tunnel packets destined for other hosts. Following patch adds support for matching for ip and mac address. IP address upates to tnl-port table are piggybacked on ovs-router updates. Reported-by: Ben Pfaff <blp@nicira.com> Signed-off-by: Pravin B Shelar <pshelar@nicira.com> Acked-by: Ben Pfaff <blp@nicira.com>
openvswitch · Sep 8, 2015 · 7f9b850 · 7f9b850
1 parent c028192
commit 7f9b850
Show file tree

Hide file tree

Showing 5 changed files with 284 additions and 41 deletions.
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
@@ -65,6 +65,7 @@
 #include "sset.h"
 #include "timeval.h"
 #include "tnl-arp-cache.h"
+#include "tnl-ports.h"
 #include "unixctl.h"
 #include "util.h"
 #include "openvswitch/vlog.h"
@@ -2549,6 +2550,7 @@ dpif_netdev_run(struct dpif *dpif)
     dp_netdev_pmd_unref(non_pmd);
 
     tnl_arp_cache_run();
+    tnl_port_map_run();
     new_tnl_seq = seq_read(tnl_conf_seq);
 
     if (dp->last_tnl_conf_seq != new_tnl_seq) {

diff --git a/lib/ovs-router.c b/lib/ovs-router.c
@@ -37,6 +37,7 @@
 #include "ovs-router.h"
 #include "ovs-thread.h"
 #include "route-table.h"
+#include "tnl-ports.h"
 #include "unixctl.h"
 #include "util.h"
 
@@ -126,6 +127,7 @@ ovs_router_insert__(uint8_t priority, ovs_be32 ip_dst, uint8_t plen,
         /* An old rule with the same match was displaced. */
         ovsrcu_postpone(rt_entry_free, ovs_router_entry_cast(cr));
     }
+    tnl_port_map_insert_ipdev(output_bridge);
     seq_change(tnl_conf_seq);
 }
 
@@ -136,12 +138,29 @@ ovs_router_insert(ovs_be32 ip_dst, uint8_t plen, const char output_bridge[],
     ovs_router_insert__(plen, ip_dst, plen, output_bridge, gw);
 }
 
+
+static bool
+__rt_entry_delete(const struct cls_rule *cr)
+{
+    struct ovs_router_entry *p = ovs_router_entry_cast(cr);
+
+    tnl_port_map_delete_ipdev(p->output_bridge);
+    /* Remove it. */
+    cr = classifier_remove(&cls, cr);
+    if (cr) {
+        ovsrcu_postpone(rt_entry_free, ovs_router_entry_cast(cr));
+        return true;
+    }
+    return false;
+}
+
 static bool
 rt_entry_delete(uint8_t priority, ovs_be32 ip_dst, uint8_t plen)
 {
     const struct cls_rule *cr;
     struct cls_rule rule;
     struct match match;
+    bool res = false;
 
     rt_init_match(&match, ip_dst, plen);
 
@@ -150,17 +169,11 @@ rt_entry_delete(uint8_t priority, ovs_be32 ip_dst, uint8_t plen)
     /* Find the exact rule. */
     cr = classifier_find_rule_exactly(&cls, &rule, CLS_MAX_VERSION);
     if (cr) {
-        /* Remove it. */
         ovs_mutex_lock(&mutex);
-        cr = classifier_remove(&cls, cr);
+        res = __rt_entry_delete(cr);
         ovs_mutex_unlock(&mutex);
-
-        if (cr) {
-            ovsrcu_postpone(rt_entry_free, ovs_router_entry_cast(cr));
-            return true;
-        }
     }
-    return false;
+    return res;
 }
 
 static bool
@@ -295,9 +308,7 @@ ovs_router_flush(void)
     classifier_defer(&cls);
     CLS_FOR_EACH(rt, cr, &cls) {
         if (rt->priority == rt->plen) {
-            if (classifier_remove(&cls, &rt->cr)) {
-                ovsrcu_postpone(rt_entry_free, rt);
-            }
+            __rt_entry_delete(&rt->cr);
         }
     }
     classifier_publish(&cls);