[ovs-dev] [PATCH] Implement new fragment handling policy.
Ben Pfaff
blp at nicira.com
Wed Oct 12 18:16:55 PDT 2011
On Wed, Oct 12, 2011 at 06:12:27PM -0700, Jesse Gross wrote:
> On Tue, Oct 11, 2011 at 4:05 PM, Ben Pfaff <blp at nicira.com> wrote:
> > Until now, OVS has handled IP fragments more awkwardly than necessary. ??It
> > has not been possible to match on L4 headers, even in fragments with offset
> > 0 where they are actually present. ??This means that there was no way to
> > implement ACLs that treat, say, different TCP ports differently, on
> > fragmented traffic; instead, all decisions for fragment forwarding had to
> > be made on the basis of L2 and L3 headers alone.
> >
> > This commit improves the situation significantly. ??It is still not possible
> > to match on L4 headers in fragments with nonzero offset, because that
> > information is simply not present in such fragments, but this commit adds
> > the ability to match on L4 headers for fragments with zero offset. ??This
> > means that it becomes possible to implement ACLs that drop such "first
> > fragments" on the basis of L4 headers. ??In practice, that effectively
> > blocks even fragmented traffic on an L4 basis, because the receiving IP
> > stack cannot reassemble a full packet when the first fragment is missing.
> >
> > This commit works by adding a new "fragment type" to the kernel flow match
> > and making it available through OpenFlow as a new NXM field named
> > NXM_NX_IP_FRAG. ??Because OpenFlow 1.0 explicitly says that the L4 fields
> > are always 0 for IP fragments, it adds a new OpenFlow fragment handling
> > mode that fills in the L4 fields for "first fragments". ??It also enhances
> > ovs-ofctl to allow users to configure this new fragment handling mode and
> > to parse the new field.
> >
> > Signed-off-by: Ben Pfaff <blp at nicira.com>
> > Bug #7557.
>
> Is this a new version?
No, something weird happened. Reading the Received: headers, this is a
copy I sent it on Tuesday after Nicira's internal SMTP server was
decommissioned. Somehow it reappeared and got reinjected into the
ether.
Ignore it.
More information about the dev
mailing list