From: Ben Pfaff Date: Fri, 10 Sep 2010 16:17:29 +0000 (-0700) Subject: ovs-ofctl: Add support for drop_spoofed_arp action. X-Git-Tag: v1.1.0pre2~4 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=933df876ffa272d9d5768edf7fc5465261888ad2;p=sliver-openvswitch.git ovs-ofctl: Add support for drop_spoofed_arp action. Requested-by: Michael Mao --- diff --git a/include/openflow/nicira-ext.h b/include/openflow/nicira-ext.h index 885e01da6..c97478faf 100644 --- a/include/openflow/nicira-ext.h +++ b/include/openflow/nicira-ext.h @@ -141,7 +141,7 @@ enum nx_action_subtype { * * This is useful because OpenFlow does not provide a way to match on the * Ethernet addresses inside ARP packets, so there is no other way to drop - * spoofed ARPs other than sending every packet up to the controller. */ + * spoofed ARPs other than sending every ARP packet to a controller. */ NXAST_DROP_SPOOFED_ARP }; diff --git a/lib/ofp-parse.c b/lib/ofp-parse.c index cc1419a0e..06d5bd11d 100644 --- a/lib/ofp-parse.c +++ b/lib/ofp-parse.c @@ -263,6 +263,11 @@ str_to_action(char *str, struct ofpbuf *b) nast->vendor = htonl(NX_VENDOR_ID); nast->subtype = htons(NXAST_SET_TUNNEL); nast->tun_id = htonl(str_to_u32(arg)); + } else if (!strcasecmp(act, "drop_spoofed_arp")) { + struct nx_action_header *nah; + nah = put_action(b, sizeof *nah, OFPAT_VENDOR); + nah->vendor = htonl(NX_VENDOR_ID); + nah->subtype = htons(NXAST_DROP_SPOOFED_ARP); } else if (!strcasecmp(act, "output")) { put_output_action(b, str_to_u32(arg)); } else if (!strcasecmp(act, "enqueue")) { diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index f51f87a14..7de788e1c 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in 
@@ -451,6 +451,15 @@ addition to any other actions in this flow entry. Recursive If outputting to a port that encapsulates the packet in a tunnel and supports an identifier (such as GRE), sets the identifier to \fBid\fR. . +.IP \fBdrop_spoofed_arp\fR +Stops processing further actions, if the packet being processed is an +Ethernet+IPv4 ARP packet for which the source Ethernet address inside +the ARP packet differs from the source Ethernet address in the +Ethernet header. +. +This is useful because OpenFlow does not provide a way to match on the +Ethernet addresses inside ARP packets, so there is no other way to +drop spoofed ARPs other than sending every ARP packet to a controller. .RE . .IP
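Review bot: in the lib/ofp-parse.c hunk, the new drop_spoofed_arp branch of str_to_action() never looks at arg, unlike the set_tunnel and output branches beside it, which pass arg to str_to_u32(). If the caller hands this branch a non-NULL arg (for example from drop_spoofed_arp:1), the argument is silently discarded and the flow is installed anyway. Suggest rejecting a non-NULL arg with an error, so that a mistyped flow fails at parse time instead of installing something the operator did not intend.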
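Review bot: in the utilities/ovs-ofctl.8.in hunk, the description says the action "Stops processing further actions" but does not say that its position in the action list matters. Read literally, actions listed before drop_spoofed_arp still run on a spoofed ARP, so the action only filters when it precedes the output actions; suggest adding a sentence that says so, with a one-line actions= example. Separately, the lone "." between the two added paragraphs is an empty roff request and does not start a new paragraph, so "This is useful because ..." will run on directly after "Ethernet header."; use .IP there if a paragraph break is intended.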