On Sat, Mar 04, 2017 at 08:32:39PM +0100, Bhargava Shastry wrote:
> My point is "miniflow_extract" has these checks that indicate a failed
> parsing attempt for the packets in question. For example,
>
> ```C
> else if (OVS_LIKELY(nw_proto == IPPROTO_ICMP)) {
>     if (OVS_LIKELY(size >= ICMP_HEADER_LEN)) {
>         do_something_with_valid_icmp_packet();
>     }
>     // Signaling of failed parsing attempt does not take place //
>     // i.e., no else corresponding to above predicate //
> }
>
> ...
>
> out:
>     dst->map = mf.map;
> ```
>
> So when you know that a packet is malformed during flow extraction
> itself, why would you let the packet float around in your downstream
> packet processing pipeline? Similar argument for malformed TCP/UDP packets.

OVS isn't just a firewall. It's also a switch that should be able to
handle any packet, not just the ones that pass some kind of firewall
check.
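
Added example, not part of the original thread and not OVS code: a toy extractor that mirrors the quoted ICMP length check, still returns a flow for a truncated packet (the switch view), and records the failed parse so a filtering policy can act on it (the firewall view). The `toy_*` names, the `l4_truncated` flag and the sample packets are hypothetical and constructed for illustration; the 8-byte ICMP header length is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_IPPROTO_ICMP 1      /* IANA protocol number for ICMP */
#define TOY_ICMP_HEADER_LEN 8   /* assumed: type, code, checksum, 4 more bytes */

/* Hypothetical flow key; not the OVS flow or miniflow layout. */
struct toy_flow {
    uint8_t nw_proto;
    uint8_t icmp_type;
    uint8_t icmp_code;
    bool l4_truncated;          /* hypothetical flag: L4 header too short */
};

/* l4 points just past the IP header; size is the number of bytes left. */
void toy_extract(uint8_t nw_proto, const uint8_t *l4, size_t size,
                 struct toy_flow *dst)
{
    memset(dst, 0, sizeof *dst);
    dst->nw_proto = nw_proto;
    if (nw_proto == TOY_IPPROTO_ICMP) {
        if (size >= TOY_ICMP_HEADER_LEN) {
            dst->icmp_type = l4[0];
            dst->icmp_code = l4[1];
        } else {
            /* The else the quoted excerpt lacks: note the failure,
             * but still hand back a flow so the packet can be switched. */
            dst->l4_truncated = true;
        }
    }
}

/* A plain switch ignores the flag; a filtering table may drop on it. */
bool toy_firewall_allows(const struct toy_flow *f) { return !f->l4_truncated; }

/* Constructed sample inputs: a full echo request and a 3-byte fragment. */
static const uint8_t toy_echo_request[8] = {8, 0, 0xf7, 0xff, 0, 0, 0, 0};
static const uint8_t toy_short_icmp[3] = {8, 0, 0xf7};

int main(void)
{
    struct toy_flow f;
    toy_extract(TOY_IPPROTO_ICMP, toy_echo_request, sizeof toy_echo_request, &f);
    printf("full:  type=%d truncated=%d\n", f.icmp_type, f.l4_truncated);
    toy_extract(TOY_IPPROTO_ICMP, toy_short_icmp, sizeof toy_short_icmp, &f);
    printf("short: type=%d truncated=%d\n", f.icmp_type, f.l4_truncated);
    return 0;
}
```

Without the flag, the truncated packet's flow carries only zeroed L4 fields, so nothing downstream can tell that parsing stopped early.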