Do not forward ethernet packets with unknown ether type (0x05ff) to router pipeline.
Reported-at: https://issues.redhat.com/browse/FDP-1908 Signed-off-by: Lorenzo Bianconi <[email protected]> --- northd/northd.c | 9 +++++++++ northd/ovn-northd.8.xml | 5 +++++ 2 files changed, 14 insertions(+) diff --git a/northd/northd.c b/northd/northd.c index b4bb4ba6d..539567ba7 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -5947,6 +5947,15 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct lflow_table *lflows, return; } + if (lsp_is_router(op->nbsp)) { + ds_clear(match); + ds_put_format(match, "outport == %s && eth.type == 0x%04x", + op->json_key, OFP_DL_TYPE_NOT_ETH_TYPE); + ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_APPLY_PORT_SEC, 150, + ds_cstr(match), debug_drop_action(), op->lflow_ref, + WITH_DESC("Packet with unknown ether type")); + } + ds_clear(match); ds_clear(actions); ds_put_format(match, "inport == %s", op->json_key); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 279d81f35..fe1dc4dc0 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -2816,6 +2816,11 @@ output; </p> <ul> + <li> + For router ports, a priority 150 flow to drop ethernet packets with + unknown ether type (0x05ff). + </li> + <li> A priority 100 flow which matches on the multicast traffic and applies the action <code>REGBIT_PORT_SEC_DROP" = 0; next;"</code> to skip -- 2.52.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
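Review bot: The new block in build_lswitch_port_sec_op() carries no comment explaining why only router ports get this drop or what 0x05ff represents, and the diffstat touches only northd/northd.c and northd/ovn-northd.8.xml, so no test covers the flow. A short comment above `if (lsp_is_router(op->nbsp)) {` and a test that asserts the priority 150 lflow in S_SWITCH_OUT_APPLY_PORT_SEC for a router port would address both. The block is also placed after an early `return;`, so any port that takes that path never gets the drop flow; please confirm that is intended. Finally, the description string "Packet with unknown ether type" does not line up with the constant name OFP_DL_TYPE_NOT_ETH_TYPE; wording that follows the constant would be less ambiguous.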
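Review bot: The list item added to northd/ovn-northd.8.xml gives the priority and the value 0x05ff but not the match or the stage behaviour, while the neighbouring priority 100 entry spells out its action. Suggest documenting the match the code actually emits, `outport == P && eth.type == 0x05ff` for each router port P (P being a placeholder name for this suggestion), and stating that the packet is dropped, so a reader can map the entry to the logical flow. The phrase "unknown ether type" should use the same wording as whatever the flow description in northd.c ends up with.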
