"dev" <dev-boun...@openvswitch.org> wrote on 07/18/2016 11:30:00 AM:

> From: nickcooper-zhangtonghao <nickcooper-zhangtong...@opencloud.tech>
> To: dev@openvswitch.org
> Date: 07/18/2016 11:30 AM
> Subject: [ovs-dev] [PATCH 1/4] ovn: ovn-nbctl, the implementation of
> icmp4 reject actions
> Sent by: "dev" <dev-boun...@openvswitch.org>
>
> Hi,
>
> Now that some reject functions have been implemented and tested,
> other functions (e.g. TCP RST) need perfecting!
>
> ovn: the implementation of icmp4 reject actions.
>
> It supports icmp4 reject (e.g. icmp-net-unreachable, icmp-host-prohibited, tcp-reset,
> icmp-admin-prohibited, icmp-port-unreachable, icmp-net-prohibited, icmp-host-unreachable,
> and icmp-proto-unreachable). The icmp-net-unreachable is the default. The "TCP RST"
> function will be completed soon. Reject action supports only the "from-lport"
> direction. In general, considering performance requirements, it might make sense to
> support only the "from-lport" direction.
>
> Signed-off-by: nickcooper-zhangtonghao <nickcooper-zhangtong...@opencloud.tech>

This is a patch organization nit, but it would be better to either
combine all of the changes into a single patch or use the
--cover-letter option when formatting the patches and then each
patch set can describe what it is doing.

That being said, I'm not in favor of this patch going in without
some sort of upcall message dropping (in addition to the current
upcall rate throttling).  Testing here is already showing
potential DoS attacks by using a DHCP message storm and I'm worried
that tasking the controller with processing these types of messages
will just increase that attack surface many, many fold.

Ryan
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev