/*
* Copyright (c) 2008-2017 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <config.h>
#include "learning-switch.h"
#include <errno.h>
#include <inttypes.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <time.h>
#include "byte-order.h"
#include "classifier.h"
#include "dp-packet.h"
#include "flow.h"
#include "openvswitch/hmap.h"
#include "mac-learning.h"
#include "openflow/openflow.h"
#include "openvswitch/ofp-actions.h"
#include "openvswitch/ofp-connection.h"
#include "openvswitch/ofp-errors.h"
#include "openvswitch/ofp-flow.h"
#include "openvswitch/ofp-match.h"
#include "openvswitch/ofp-msgs.h"
#include "openvswitch/ofp-print.h"
#include "openvswitch/ofp-util.h"
#include "openvswitch/ofp-packet.h"
#include "openvswitch/ofp-port.h"
#include "openvswitch/ofp-switch.h"
#include "openvswitch/ofpbuf.h"
#include "openvswitch/vconn.h"
#include "openvswitch/vlog.h"
#include "openvswitch/poll-loop.h"
#include "openvswitch/rconn.h"
#include "openvswitch/shash.h"
#include "simap.h"
#include "timeval.h"
/* Names this file's vlog module; the VLOG_*() calls below log under it. */
VLOG_DEFINE_THIS_MODULE(learning_switch);
/* Queue assignment for one OpenFlow port.
 *
 * One of these is created per entry of the configured 'port_queues' simap in
 * lswitch_create(), keyed by port name in 'queue_names'.  The port number is
 * unknown until the switch's features reply arrives; process_switch_features()
 * then fills in 'port_no' and links the node into 'queue_numbers'.  Until that
 * happens 'hmap_node' is nullified (see hmap_node_is_null()). */
struct lswitch_port {
    struct hmap_node hmap_node; /* Hash node for port number. */
    ofp_port_t port_no;         /* OpenFlow port number. */
    uint32_t queue_id;          /* OpenFlow queue number. */
};
/* Per-connection state of a learning switch.  Transitions happen in
 * lswitch_run() (S_CONNECTING -> S_FEATURES_REPLY once connected) and in
 * lswitch_process_packet() (S_FEATURES_REPLY -> S_SWITCHING on a valid
 * features reply). */
enum lswitch_state {
    S_CONNECTING,     /* Waiting for connection to complete. */
    S_FEATURES_REPLY, /* Waiting for features reply. */
    S_SWITCHING,      /* Switching flows. */
};
/* A learning switch bound to a single controller-side connection.
 *
 * Created by lswitch_create(), driven by lswitch_run()/lswitch_wait(), and
 * released by lswitch_destroy(), which also destroys 'rconn'. */
struct lswitch {
    struct rconn *rconn;        /* Connection to the switch; owned by us. */
    enum lswitch_state state;   /* See enum lswitch_state. */

    /* If nonnegative, the switch sets up flows that expire after the given
     * number of seconds (or never expire, if the value is OFP_FLOW_PERMANENT).
     * Otherwise, the switch processes every packet. */
    int max_idle;

    enum ofputil_protocol protocol; /* Chosen in lswitch_handshake(). */
    unsigned long long int datapath_id; /* From the features reply, else 0. */
    struct mac_learning *ml;    /* NULL to act as hub instead of switch. */
    struct flow_wildcards wc;   /* Wildcards to apply to flows. */
    bool action_normal;         /* Use OFPP_NORMAL? */

    /* Queue distribution. */
    uint32_t default_queue;     /* Default OpenFlow queue, or UINT32_MAX. */
    struct hmap queue_numbers;  /* Map from port number to lswitch_port. */
    struct shash queue_names;   /* Map from port name to lswitch_port. */

    /* Number of outgoing queued packets on the rconn. */
    struct rconn_packet_counter *queued;

    /* If true, do not reply to any messages from the switch (for debugging
     * fail-open mode). */
    bool mute;

    /* Optional "flow mod" requests to send to the switch at connection time,
     * to set up the flow table. */
    const struct ofputil_flow_mod *default_flows;
    size_t n_default_flows;
    enum ofputil_protocol usable_protocols; /* Protocols 'default_flows' may be
                                             * encoded in; see
                                             * lswitch_handshake(). */
};
/* The log messages here could actually be useful in debugging, so keep the
 * rate limit relatively high.  Shared by every *_RL() log call in this file;
 * the two arguments go straight to VLOG_RATE_LIMIT_INIT (see vlog.h). */
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(30, 300);
/* Forward declarations for the file-local helpers defined further down. */
static void queue_tx(struct lswitch *, struct ofpbuf *);
static void send_features_request(struct lswitch *);

/* Message dispatch: lswitch_process_packet() classifies an incoming OpenFlow
 * message and hands it to one of the process_*() handlers. */
static void lswitch_process_packet(struct lswitch *, const struct ofpbuf *);
static enum ofperr process_switch_features(struct lswitch *,
                                           struct ofp_header *);
static void process_packet_in(struct lswitch *, const struct ofp_header *);
static void process_echo_request(struct lswitch *, const struct ofp_header *);
/* Accessors for the port that this file associates with each MAC table
 * entry.  The lock annotations follow the mac_learning locking discipline:
 * the caller must hold 'ml->rwlock' for reading (get) or writing (set). */
static ofp_port_t get_mac_entry_ofp_port(const struct mac_learning *ml,
                                         const struct mac_entry *)
    OVS_REQ_RDLOCK(ml->rwlock);
static void set_mac_entry_ofp_port(struct mac_learning *ml,
                                   struct mac_entry *, ofp_port_t)
    OVS_REQ_WRLOCK(ml->rwlock);
/* Creates and returns a new learning switch whose configuration is given by
 * 'cfg'.
 *
 * 'rconn' is used to send out an OpenFlow features request.  The new switch
 * takes ownership of 'rconn': lswitch_destroy() destroys it.  'cfg' itself is
 * not retained, but 'cfg->default_flows' is referenced (not copied) and must
 * outlive the switch. */
struct lswitch *
lswitch_create(struct rconn *rconn, const struct lswitch_config *cfg)
{
    struct lswitch *sw = xzalloc(sizeof *sw);

    sw->rconn = rconn;
    sw->state = S_CONNECTING;
    sw->max_idle = cfg->max_idle;
    sw->datapath_id = 0;        /* Learned from the features reply later. */
    sw->ml = NULL;
    if (cfg->mode == LSW_LEARN) {
        sw->ml = mac_learning_create(MAC_ENTRY_DEFAULT_IDLE_TIME);
    }
    sw->action_normal = (cfg->mode == LSW_NORMAL);

    /* Translate the configured OpenFlow 1.0 wildcard bits into 'sw->wc'. */
    uint32_t wildcard_bits;
    if (cfg->wildcards == 0) {
        wildcard_bits = 0;
    } else if (cfg->wildcards == UINT32_MAX) {
        /* Try to wildcard as many fields as possible, but we cannot
         * wildcard all fields.  We need in_port to detect moves.  We need
         * Ethernet source and dest and VLAN VID to do L2 learning. */
        wildcard_bits = (OFPFW10_DL_TYPE | OFPFW10_DL_VLAN_PCP
                         | OFPFW10_NW_SRC_ALL | OFPFW10_NW_DST_ALL
                         | OFPFW10_NW_TOS | OFPFW10_NW_PROTO
                         | OFPFW10_TP_SRC | OFPFW10_TP_DST);
    } else {
        wildcard_bits = cfg->wildcards;
    }
    ofputil_wildcard_from_ofpfw10(wildcard_bits, &sw->wc);

    /* Queue assignment: one lswitch_port per configured port name.  Port
     * numbers are not known until the features reply, so each node starts
     * out nullified and process_switch_features() links it later. */
    sw->default_queue = cfg->default_queue;
    hmap_init(&sw->queue_numbers);
    shash_init(&sw->queue_names);
    if (cfg->port_queues) {
        struct simap_node *entry;
        SIMAP_FOR_EACH (entry, cfg->port_queues) {
            struct lswitch_port *lport = xmalloc(sizeof *lport);
            hmap_node_nullify(&lport->hmap_node);
            lport->queue_id = entry->data;
            shash_add(&sw->queue_names, entry->name, lport);
        }
    }

    sw->default_flows = cfg->default_flows;
    sw->n_default_flows = cfg->n_default_flows;
    sw->usable_protocols = cfg->usable_protocols;

    sw->queued = rconn_packet_counter_create();

    return sw;
}
/* OpenFlow 1.3 and later by default drop packets that miss in the flow
 * table.  Queues a priority-0 catch-all flow in table 0 that sends such
 * packets to the controller instead, encoded in 'protocol'.  A send failure
 * is logged and otherwise ignored. */
static void
send_miss_flow(struct lswitch *sw, enum ofputil_protocol protocol)
{
    struct ofpact_output output;
    ofpact_init_OUTPUT(&output);
    output.port = OFPP_CONTROLLER;
    output.max_len = OFP_DEFAULT_MISS_SEND_LEN;

    struct ofputil_flow_mod fm = {
        .priority = 0,
        .table_id = 0,
        .command = OFPFC_ADD,
        .buffer_id = UINT32_MAX,
        .out_port = OFPP_NONE,
        .out_group = OFPG_ANY,
        .ofpacts = &output.ofpact,
        .ofpacts_len = sizeof output,
    };
    minimatch_init_catchall(&fm.match);
    struct ofpbuf *msg = ofputil_encode_flow_mod(&fm, protocol);
    minimatch_destroy(&fm.match);

    int error = rconn_send(sw->rconn, msg, NULL);
    if (error) {
        VLOG_INFO_RL(&rl, "%s: failed to add default flow (%s)",
                     rconn_get_name(sw->rconn), ovs_strerror(error));
    }
}

/* Queues 'sw->default_flows' on the connection.  If 'protocol' cannot carry
 * them, first queues the messages that switch the connection to one of
 * 'sw->usable_protocols'.  Returns the protocol in effect afterwards, which
 * the caller must record.  Failures are logged and otherwise ignored.
 *
 * This could be improved by actually negotiating a mutually acceptable flow
 * format with the switch, but that would require an asynchronous state
 * machine.  This version ought to work fine in practice. */
static enum ofputil_protocol
send_default_flows(struct lswitch *sw, enum ofputil_protocol protocol)
{
    int error = 0;

    if (!(protocol & sw->usable_protocols)) {
        enum ofputil_protocol want = rightmost_1bit(sw->usable_protocols);
        struct ofpbuf *msg;

        /* ofputil_encode_set_protocol() advances 'protocol' one step per
         * message and returns NULL once no further step is needed. */
        while (!error
               && (msg = ofputil_encode_set_protocol(protocol, want,
                                                     &protocol))) {
            error = rconn_send(sw->rconn, msg, NULL);
        }
    }

    if (!(protocol & sw->usable_protocols)) {
        VLOG_INFO_RL(&rl, "%s: failed to set usable protocol",
                     rconn_get_name(sw->rconn));
        return protocol;
    }

    /* An earlier send error also stops the flow mods, like the original. */
    for (size_t i = 0; !error && i < sw->n_default_flows; i++) {
        struct ofpbuf *msg = ofputil_encode_flow_mod(&sw->default_flows[i],
                                                     protocol);
        error = rconn_send(sw->rconn, msg, NULL);
    }
    if (error) {
        VLOG_INFO_RL(&rl, "%s: failed to queue default flows (%s)",
                     rconn_get_name(sw->rconn), ovs_strerror(error));
    }
    return protocol;
}

/* Starts the OpenFlow handshake on 'sw->rconn', which must be connected:
 * a features request and set-config, then for OpenFlow 1.3+ a table-miss
 * flow to the controller, then the configured default flows.  Records the
 * resulting protocol in 'sw->protocol'. */
static void
lswitch_handshake(struct lswitch *sw)
{
    send_features_request(sw);

    enum ofp_version version = rconn_get_version(sw->rconn);
    enum ofputil_protocol protocol = ofputil_protocol_from_ofp_version(version);

    if (version >= OFP13_VERSION) {
        send_miss_flow(sw, protocol);
    }
    if (sw->default_flows) {
        protocol = send_default_flows(sw, protocol);
    }

    sw->protocol = protocol;
}
/* Returns true if the connection behind 'sw' is still alive in the sense of
 * rconn_is_alive(), false otherwise. */
bool
lswitch_is_alive(const struct lswitch *sw)
{
    const struct rconn *conn = sw->rconn;
    return rconn_is_alive(conn);
}
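/* Destroys 'sw', its rconn, and every lswitch_port it owns.  A null 'sw' is
 * a no-op. */
void
lswitch_destroy(struct lswitch *sw)
{
    if (!sw) {
        return;
    }

    rconn_destroy(sw->rconn);

    /* Every lswitch_port is owned by 'queue_names' (lswitch_create() adds
     * each one there).  'queue_numbers' only indexes the subset that
     * process_switch_features() matched to a port number, so freeing through
     * the hmap alone would leak the ports the switch never reported; free
     * through the shash instead and just release the hmap's storage. */
    hmap_destroy(&sw->queue_numbers);
    shash_destroy_free_data(&sw->queue_names);

    mac_learning_unref(sw->ml);
    rconn_packet_counter_destroy(sw->queued);
    free(sw);
}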
/* Takes care of necessary 'sw' activity, except for receiving packets (which
 * the caller must do).
 *
 * Runs the MAC learning table's housekeeping (if any), runs the rconn, and
 * then either advances the handshake (while S_CONNECTING) or drains a bounded
 * number of received messages through lswitch_process_packet(). */
void
lswitch_run(struct lswitch *sw)
{
    /* Upper bound on messages handled per call. */
    enum { MAX_MSGS_PER_RUN = 50 };

    if (sw->ml) {
        ovs_rwlock_wrlock(&sw->ml->rwlock);
        mac_learning_run(sw->ml);
        ovs_rwlock_unlock(&sw->ml->rwlock);
    }

    rconn_run(sw->rconn);

    if (sw->state == S_CONNECTING) {
        /* Nothing to switch yet; start the handshake once the connection is
         * actually up and then wait for the features reply. */
        if (rconn_is_connected(sw->rconn)) {
            lswitch_handshake(sw);
            sw->state = S_FEATURES_REPLY;
        }
        return;
    }

    for (int n = 0; n < MAX_MSGS_PER_RUN; n++) {
        struct ofpbuf *msg = rconn_recv(sw->rconn);
        if (!msg) {
            break;
        }
        /* 'mute' drops everything on the floor (used to debug fail-open). */
        if (!sw->mute) {
            lswitch_process_packet(sw, msg);
        }
        ofpbuf_delete(msg);
    }
}
/* Poll-loop counterpart of lswitch_run(): calls the *_wait() functions for
 * everything lswitch_run() would act on, so the caller wakes up when there
 * is work to do for 'sw'. */
void
lswitch_wait(struct lswitch *sw)
{
    struct mac_learning *ml = sw->ml;
    if (ml) {
        /* mac_learning_wait() only reads the table, so a read lock is enough
         * (lswitch_run() takes the write lock because mac_learning_run() may
         * expire entries). */
        ovs_rwlock_rdlock(&ml->rwlock);
        mac_learning_wait(ml);
        ovs_rwlock_unlock(&ml->rwlock);
    }

    struct rconn *conn = sw->rconn;
    rconn_run_wait(conn);
    rconn_recv_wait(conn);
}
/* Processes 'msg', which should be an OpenFlow received on 'rconn', according
 * to the learning switch state in 'sw'.  The most likely result of processing
 * is that flow-setup and packet-out OpenFlow messages will be sent out on
 * 'rconn'.
 *
 * 'msg' comes from the switch and is untrusted; ofptype_pull() validates the
 * header before anything is dispatched on it. */
static void
lswitch_process_packet(struct lswitch *sw, const struct ofpbuf *msg)
{
    /* Pull the header from a copy so 'msg' itself is left untouched. */
    struct ofpbuf hdr = *msg;
    enum ofptype type;
    if (ofptype_pull(&type, &hdr)) {
        return;     /* ofptype_pull() rejected the message. */
    }

    /* Until the features reply has been processed, only echo requests and
     * the reply itself are of interest. */
    bool awaiting_features = sw->state == S_FEATURES_REPLY;
    if (awaiting_features
        && type != OFPTYPE_ECHO_REQUEST
        && type != OFPTYPE_FEATURES_REPLY) {
        return;
    }

    switch (type) {
    case OFPTYPE_ECHO_REQUEST:
        process_echo_request(sw, msg->data);
        break;

    case OFPTYPE_FEATURES_REPLY:
        if (awaiting_features) {
            if (!process_switch_features(sw, msg->data)) {
                sw->state = S_SWITCHING;
            } else {
                /* A reply we cannot parse: give up on this connection. */
                rconn_disconnect(sw->rconn);
            }
        }
        break;

    case OFPTYPE_PACKET_IN:
        process_packet_in(sw, msg->data);
        break;

    case OFPTYPE_FLOW_REMOVED:
        /* Nothing to do. */
        break;

    default:
        /* Formatting the message is not free, so only do it when the result
         * will actually be logged. */
        if (VLOG_IS_DBG_ENABLED()) {
            char *s = ofp_to_string(msg->data, msg->size, NULL, NULL, 2);
            VLOG_DBG_RL(&rl, "%016llx: OpenFlow packet ignored: %s",
                        sw->datapath_id, s);
            free(s);
        }
        break;
    }
}
/* Queues the two messages that open the handshake on 'sw->rconn': an
 * OFPT_FEATURES_REQUEST and an OFPT_SET_CONFIG whose 'miss_send_len' is
 * OFP_DEFAULT_MISS_SEND_LEN.  Both are sent through queue_tx(). */
static void
send_features_request(struct lswitch *sw)
{
    int ofp_version = rconn_get_version(sw->rconn);

    /* rconn_get_version() yields -1 before any version is known, so this
     * must only be called once the connection is up. */
    ovs_assert(ofp_version > 0 && ofp_version < 0xff);

    /* Send OFPT_FEATURES_REQUEST. */
    struct ofpbuf *request = ofpraw_alloc(OFPRAW_OFPT_FEATURES_REQUEST,
                                          ofp_version, 0);
    queue_tx(sw, request);

    /* Send OFPT_SET_CONFIG. */
    struct ofputil_switch_config config = {
        .miss_send_len = OFP_DEFAULT_MISS_SEND_LEN
    };
    struct ofpbuf *set_config = ofputil_encode_set_config(&config,
                                                          ofp_version);
    queue_tx(sw, set_config);
}
/* Hands 'b' to 'sw->rconn' for transmission, accounted against 'sw->queued'
 * with a limit of 10 outstanding messages.  Failures are logged (rate
 * limited) and otherwise ignored; ENOTCONN is not logged at all. */
static void
queue_tx(struct lswitch *sw, struct ofpbuf *b)
{
    enum { TX_QUEUE_LIMIT = 10 };
    int error = rconn_send_with_limit(sw->rconn, b, sw->queued,
                                      TX_QUEUE_LIMIT);

    if (!error || error == ENOTCONN) {
        return;
    }

    if (error == EAGAIN) {
        /* Hit TX_QUEUE_LIMIT: the message was dropped. */
        VLOG_INFO_RL(&rl, "%016llx: %s: tx queue overflow",
                     sw->datapath_id, rconn_get_name(sw->rconn));
        return;
    }

    VLOG_WARN_RL(&rl, "%016llx: %s: send: %s",
                 sw->datapath_id, rconn_get_name(sw->rconn),
                 ovs_strerror(error));
}
/* Handles the OFPT_FEATURES_REPLY in 'oh': records the datapath ID and links
 * each configured queue port (known so far only by name) to the port number
 * the switch reports for it.
 *
 * Returns 0 on success, otherwise the ofperr from decoding the reply, in
 * which case 'sw' is left unchanged. */
static enum ofperr
process_switch_features(struct lswitch *sw, struct ofp_header *oh)
{
    struct ofpbuf b = ofpbuf_const_initializer(oh, ntohs(oh->length));
    struct ofputil_switch_features features;
    enum ofperr error = ofputil_pull_switch_features(&b, &features);
    if (error) {
        VLOG_ERR("received invalid switch feature reply (%s)",
                 ofperr_to_string(error));
        return error;
    }

    sw->datapath_id = features.datapath_id;

    /* 'phy.name' is supplied by the switch; it is used only as a lookup key
     * into the configured names and never stored.  A port that is already
     * linked (non-null hmap node) is left alone. */
    struct ofputil_phy_port phy;
    while (!ofputil_pull_phy_port(oh->version, &b, &phy)) {
        struct lswitch_port *lport = shash_find_data(&sw->queue_names,
                                                     phy.name);
        if (!lport || !hmap_node_is_null(&lport->hmap_node)) {
            continue;
        }
        lport->port_no = phy.port_no;
        hmap_insert(&sw->queue_numbers, &lport->hmap_node,
                    hash_ofp_port(lport->port_no));
    }

    return 0;
}
static ofp_port_t
lswitch_choose_destination(struct lswitch *sw, const struct flow *flow)
{
ofp_port_t out_port;
/* Learn the source MAC. */
if (sw->ml) {
ovs_rwlock_wrlock(&sw->ml->rwlock);
if (mac_learning_may_learn(sw->ml, flow->dl_src, 0)) {
struct mac_entry *mac = mac_learning_insert(sw->ml, flow->dl_src,
|
|
|
|
|
0);
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
if (get_mac_entry_ofp_port(sw->ml, mac)
|
|
|
|
|
!= flow->in_port.ofp_port) {
|
2013-10-08 23:52:40 +08:00
|
|
|
|
VLOG_DBG_RL(&rl, "%016llx: learned that "ETH_ADDR_FMT" is on "
|
2017-01-13 17:51:00 -08:00
|
|
|
|
"port %"PRIu32, sw->datapath_id,
|
2013-10-08 23:52:40 +08:00
|
|
|
|
ETH_ADDR_ARGS(flow->dl_src),
|
|
|
|
|
flow->in_port.ofp_port);
|
|
|
|
|
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
set_mac_entry_ofp_port(sw->ml, mac, flow->in_port.ofp_port);
|
2013-10-08 23:52:40 +08:00
|
|
|
|
}
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
2013-10-08 23:52:40 +08:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
2010-07-15 16:02:46 -07:00
|
|
|
|
/* Drop frames for reserved multicast addresses. */
|
2010-07-20 11:10:45 -07:00
|
|
|
|
if (eth_addr_is_reserved(flow->dl_dst)) {
|
|
|
|
|
return OFPP_NONE;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
out_port = OFPP_FLOOD;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
if (sw->ml) {
|
2011-03-22 09:47:02 -07:00
|
|
|
|
struct mac_entry *mac;
|
|
|
|
|
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_rdlock(&sw->ml->rwlock);
|
2013-08-01 18:04:07 -07:00
|
|
|
|
mac = mac_learning_lookup(sw->ml, flow->dl_dst, 0);
|
2011-03-22 09:47:02 -07:00
|
|
|
|
if (mac) {
|
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" not already
familiar with eviction groups to read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
2015-02-11 23:34:50 -08:00
|
|
|
|
out_port = get_mac_entry_ofp_port(sw->ml, mac);
|
2013-06-19 16:58:44 -07:00
|
|
|
|
if (out_port == flow->in_port.ofp_port) {
|
2010-07-20 11:10:45 -07:00
|
|
|
|
/* Don't send a packet back out its input port. */
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2010-07-20 11:10:45 -07:00
|
|
|
|
return OFPP_NONE;
|
|
|
|
|
}
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
2013-07-22 11:11:54 -07:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
/* Check if we need to use "NORMAL" action. */
|
|
|
|
|
if (sw->action_normal && out_port != OFPP_FLOOD) {
|
|
|
|
|
return OFPP_NORMAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return out_port;
|
|
|
|
|
}
/* Returns the queue ID bound to 'in_port' on 'sw', or 'sw->default_queue'
 * when no per-port queue was bound.  'sw->queue_numbers' is populated by
 * process_switch_features() from the switch's port list. */
static uint32_t
get_queue_id(const struct lswitch *sw, ofp_port_t in_port)
{
    const struct lswitch_port *entry;

    HMAP_FOR_EACH_WITH_HASH (entry, hmap_node, hash_ofp_port(in_port),
                             &sw->queue_numbers) {
        /* Same hash bucket is not enough: compare the port number itself. */
        if (entry->port_no != in_port) {
            continue;
        }
        return entry->queue_id;
    }

    return sw->default_queue;
}
/* Sends 'sw' a flow-mod adding a flow that matches 'flow' (wildcarded by
 * 'sw->wc'), executes 'ofpacts', and idles out after 'sw->max_idle'.
 *
 * 'buffer_id' is passed through to the switch; when it is not UINT32_MAX the
 * switch holds the triggering packet and, per the caller's logic, no separate
 * packet-out is needed for it. */
static void
lswitch_install_flow(struct lswitch *sw, const struct flow *flow,
                     uint32_t buffer_id, const struct ofpbuf *ofpacts)
{
    struct match match;
    match_init(&match, flow, &sw->wc);
    ofputil_normalize_match_quiet(&match);

    struct ofputil_flow_mod fm = {
        .priority = 1,      /* Must be > 0 because of table-miss flow entry. */
        .table_id = 0xff,
        .command = OFPFC_ADD,
        .idle_timeout = sw->max_idle,
        .buffer_id = buffer_id,
        .out_port = OFPP_NONE,
        .ofpacts = ofpacts->data,
        .ofpacts_len = ofpacts->size,
    };
    minimatch_init(&fm.match, &match);
    struct ofpbuf *msg = ofputil_encode_flow_mod(&fm, sw->protocol);
    minimatch_destroy(&fm.match);

    queue_tx(sw, msg);
}

/* Handles an OFPT_PACKET_IN 'oh' from the switch.
 *
 * Decodes the packet, learns its source MAC and picks an output port via
 * lswitch_choose_destination(), builds the output (or enqueue) action, and
 * then either installs a flow for the packet's headers -- plus a packet-out
 * when the switch did not buffer the packet -- or just sends a one-off
 * packet-out.  Flow installation is disabled when 'sw->max_idle' is negative.
 *
 * NOTE(review): every packet-in that resolves to a known port (or arrives on
 * a switch configured to always flood) produces a flow-mod, and nothing here
 * rate-limits that.  A host that churns source/destination addresses can thus
 * push one flow-mod per packet into the switch's flow table, bounded only by
 * the table's own limits and 'sw->max_idle' -- confirm this is acceptable for
 * any use beyond testing. */
static void
process_packet_in(struct lswitch *sw, const struct ofp_header *oh)
{
    struct ofputil_packet_in pi;
    uint32_t buffer_id;
    enum ofperr error = ofputil_decode_packet_in(oh, true, NULL, NULL, &pi,
                                                 NULL, &buffer_id, NULL);
    if (error) {
        VLOG_WARN_RL(&rl, "failed to decode packet-in: %s",
                     ofperr_to_string(error));
        return;
    }

    /* Ignore packets sent via output to OFPP_CONTROLLER. This library never
     * uses such an action. You never know what experiments might be going on,
     * though, and it seems best not to interfere with them. */
    if (pi.reason != OFPR_NO_MATCH) {
        return;
    }

    /* Extract flow data from 'pi' into 'flow'.  The packet bytes are used in
     * place (no copy); 'pkt' must therefore not outlive 'pi'. */
    struct dp_packet pkt;
    dp_packet_use_const(&pkt, pi.packet, pi.packet_len);
    struct flow flow;
    flow_extract(&pkt, &flow);
    const ofp_port_t in_port = pi.flow_metadata.flow.in_port.ofp_port;
    flow.in_port.ofp_port = in_port;
    flow.tunnel.tun_id = pi.flow_metadata.flow.tunnel.tun_id;

    /* Choose output port. */
    const ofp_port_t out_port = lswitch_choose_destination(sw, &flow);

    /* Make actions: nothing for a drop; ENQUEUE when a queue is configured
     * for the input port and the output is a physical port; plain OUTPUT
     * otherwise (no queue, or a reserved port such as FLOOD/NORMAL). */
    uint64_t ofpacts_stub[64 / 8];
    struct ofpbuf ofpacts;
    ofpbuf_use_stack(&ofpacts, ofpacts_stub, sizeof ofpacts_stub);
    const uint32_t queue_id = get_queue_id(sw, in_port);
    if (out_port != OFPP_NONE) {
        if (queue_id == UINT32_MAX
            || ofp_to_u16(out_port) >= ofp_to_u16(OFPP_MAX)) {
            ofpact_put_OUTPUT(&ofpacts)->port = out_port;
        } else {
            struct ofpact_enqueue *enq = ofpact_put_ENQUEUE(&ofpacts);
            enq->port = out_port;
            enq->queue = queue_id;
        }
    }

    /* Prepare packet_out in case we need one.  The packet data is only
     * attached when the switch did not buffer it. */
    const bool unbuffered = buffer_id == UINT32_MAX;
    struct ofputil_packet_out po;
    match_init_catchall(&po.flow_metadata);
    match_set_in_port(&po.flow_metadata, in_port);
    po.buffer_id = buffer_id;
    po.packet = unbuffered ? dp_packet_data(&pkt) : NULL;
    po.packet_len = unbuffered ? dp_packet_size(&pkt) : 0;
    po.ofpacts = ofpacts.data;
    po.ofpacts_len = ofpacts.size;

    /* Send the packet, and possibly the whole flow, to the output port. */
    const bool known_or_always_flood = !sw->ml || out_port != OFPP_FLOOD;
    if (sw->max_idle >= 0 && known_or_always_flood) {
        /* The output port is known, or we always flood everything, so add a
         * new flow. */
        lswitch_install_flow(sw, &flow, buffer_id, &ofpacts);

        /* If the switch didn't buffer the packet, we need to send a copy. */
        if (unbuffered && out_port != OFPP_NONE) {
            queue_tx(sw, ofputil_encode_packet_out(&po, sw->protocol));
        }
    } else if (!unbuffered || out_port != OFPP_NONE) {
        /* We don't know that MAC, or we don't set up flows. Send along the
         * packet without setting up a flow.  A packet-out is also sent for a
         * buffered packet that is being dropped (empty action list),
         * presumably so the switch can release its buffer. */
        queue_tx(sw, ofputil_encode_packet_out(&po, sw->protocol));
    }
}
/* Answers an OFPT_ECHO_REQUEST 'rq' from the switch.  The reply is built
 * directly from 'rq' by ofputil_encode_echo_reply(), so nothing is decoded
 * or validated here beyond what the caller already did. */
static void
process_echo_request(struct lswitch *sw, const struct ofp_header *rq)
{
    struct ofpbuf *reply = ofputil_encode_echo_reply(rq);
    queue_tx(sw, reply);
}
/* Returns the OpenFlow port stored in MAC table entry 'e'.
 *
 * This learning switch keeps the port number itself in the entry's
 * client-owned "port" pointer slot (see set_mac_entry_ofp_port()), so this is
 * a cast back from the pointer value, not a dereference.  The caller must
 * hold 'ml->rwlock' at least for reading. */
static ofp_port_t
get_mac_entry_ofp_port(const struct mac_learning *ml,
                       const struct mac_entry *e)
    OVS_REQ_RDLOCK(ml->rwlock)
{
    uintptr_t raw = (uintptr_t) mac_entry_get_port(ml, e);
    return (OVS_FORCE ofp_port_t) raw;
}
/* Records 'ofp_port' as the port for MAC table entry 'e'.
 *
 * The port number is smuggled through the entry's client-owned "port"
 * pointer slot by casting it to a pointer value; get_mac_entry_ofp_port()
 * performs the inverse cast.  The caller must hold 'ml->rwlock' for writing. */
static void
set_mac_entry_ofp_port(struct mac_learning *ml,
                       struct mac_entry *e, ofp_port_t ofp_port)
    OVS_REQ_WRLOCK(ml->rwlock)
{
    uintptr_t raw = (OVS_FORCE uintptr_t) ofp_port;
    mac_entry_set_port(ml, e, (void *) raw);
}