On Wed, Jun 8, 2016 at 4:00 PM, Flaviof <fla...@flaviof.com> wrote: > > > On Wed, Jun 8, 2016 at 3:43 PM, Justin Pettit <jpet...@ovn.org> wrote: > >> >> > On Jun 8, 2016, at 11:42 AM, Flaviof <fla...@flaviof.com> wrote: >> > >> > On Wed, Jun 8, 2016 at 2:10 PM, Darrell Ball <dlu...@gmail.com> wrote: >> > >> > On Wed, Jun 8, 2016 at 6:38 AM, Flaviof <fla...@flaviof.com> wrote: >> > >> > As a continuation of the topic on ICMP reply rules [ml], I could not >> help but notice that in the logical flow, there is a match not only for the >> logical routers's IP address but also for the L3 broadcast (op->bcast) of >> the subnet [1]. So I -- the curious cat -- had to try it out. ;) >> > >> >> It is common to not respond to directed broadcast by default and >> enable it only by configuration; >> >> adding configuration ability for this would be an added requirement >> with dubious value. >> >> The reasons are obviously related to DOS. >> >> It may be here by default for special and/or historical reasons in NSX >> or Openstack. >> >> Unless there is some "extra specialness" usage or above historical >> reasons, I would >> >> say the disadvantages outweigh the meager advantages of responding to >> directed broadcasts. >> >> >> >>> Make sense; and I agree. I'll propose the simplification in ovs-dev >> and bring this up in the >> >>> OVN meeting tomorrow (Jun/9); to see if anybody has a diverging >> opinion and/or suggestion. >> >> Coincidentally, over the weekend, I also noticed that we were responding >> to broadcast pings. I was planning to send a patch to disable this >> behavior due to DOS concerns. (I agree with Darrell that it's not worth >> providing a configuration option at this time.) Let's confirm at the OVN >> meeting tomorrow, but if no one objects, I think it makes sense. Did you >> want to prepare the patch? >> >> > Hi Justin, > > I just pushed the patch to ovs-dev [1]. There is little room for messing > that up, but then again > that is often when I do. ;) > > Just for the fun of it, I will have a patch with option C (splitting the > logical rule into 2) in standby; in > case folks scream at my simplification and/or accuse me of being lazy. > > Thanks, > > -- flaviof > > [1]: https://patchwork.ozlabs.org/patch/632474/ > > > Hi again, Justin.
I implemented and tested option C here [option_c]. Depending on how things go tomorrow, we can opt for either one. Thanks, -- flaviof [option_c]: https://patchwork.ozlabs.org/patch/632536/ > > > >> --Justin >> >> >> >
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
