From: Jesse Gross
Date: Tue, 6 Aug 2013 19:57:15 +0000 (-0700)
Subject: tunnel: Clear IPSEC_MARK on input rather than output.
X-Git-Tag: sliver-openvswitch-2.0.90-1~27^2~11
X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=ed2e72459317c689c46d3f1d279945485ff34fda;p=sliver-openvswitch.git
tunnel: Clear IPSEC_MARK on input rather than output.
Currently we remove the IPSEC_MARK flag from all packets that are egressing on non-tunnel ports. However, this behavior is confusing if we allow OpenFlow controllers to match and set the pkt_mark field because the tunnel behavior applies even on non-tunnel ports. This instead clears the mark on tunnel input which should have the same effect for tunnel ports. However, on non-tunnel traffic (or even for traffic entering on a tunnel port but leaving on a non- tunnel port) it allows the mark to pass through without change.
Signed-off-by: Jesse Gross
Acked-by: Andy Zhou
---
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 0f4a10c35..8be808827 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -1631,7 +1631,6 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
 out_port = ofp_port_to_odp_port(ctx->xbridge, vlandev_port);
 flow->vlan_tci = htons(0);
 }
- flow->pkt_mark &= ~IPSEC_MARK;
 }
 if (out_port != ODPP_NONE) {
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index 8b49d6a45..0ba0066fe 100644
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -31,6 +31,9 @@
 VLOG_DEFINE_THIS_MODULE(tunnel);
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 struct tnl_match {
 ovs_be64 in_key;
 ovs_be32 ip_src;
@@ -282,6 +285,8 @@ tnl_xlate_init(const struct flow *base_flow, struct flow *flow,
 if (!tnl_ecn_ok(base_flow, flow)) {
 return false;
 }
+
+ flow->pkt_mark &= ~IPSEC_MARK;
 }
 return true;
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index afe78ab80..27a2f7dbc 100644
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
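Review bot: In tnl_xlate_init (ofproto/tunnel.c) the added `flow->pkt_mark &= ~IPSEC_MARK;` has no comment explaining why the bit is stripped at this point, so the rule it enforces is recorded only in the commit message. With the output-side clear removed from compose_output_action__, a mark set by a controller or carried in on a non-tunnel port now keeps this bit on egress; any consumer that reads the bit as "this packet is IPsec tunnel traffic" (none is visible in this diff) should be checked against that. I would add a comment above the line such as `/* Clear the IPsec mark on tunnel input; marks on non-tunnel traffic pass through unchanged. */`. The enclosing `if` block and the function itself start outside the hunk.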
@@ -20,9 +20,6 @@
 #include
 #include "flow.h"
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
 /* Tunnel port emulation layer.
 *
 * These functions emulate tunnel virtual ports based on the outer
diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
index 28067d386..b09399875 100644
--- a/tests/ofproto-dpif.at
+++ b/tests/ofproto-dpif.at
@@ -1215,7 +1215,7 @@ Flow: pkt_mark=0x2,skb_priority=0x1,arp,metadata=0,in_port=1,vlan_tci=0x0000,dl_
 AT_CHECK([ovs-appctl ofproto/trace br0 \
 "in_port=2,skb_priority=2,pkt_mark=1" "$pkt2to1"], [0], [stdout],[stderr])
 AT_CHECK([tail -1 stdout], [0], [dnl
-Datapath actions: set(skb_mark(0)),1
+Datapath actions: 1
 ])
 AT_CHECK([head -n 2 stdout], [0], [dnl
 Packet: arp,metadata=0,in_port=0,vlan_tci=0x0000,dl_src=50:54:00:00:00:02,dl_dst=50:54:00:00:00:01,arp_spa=0.0.0.0,arp_tpa=0.0.0.0,arp_sha=00:00:00:00:00:00,arp_tha=00:00:00:00:00:00
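Review bot: Nothing in this test change exercises the new clear in tnl_xlate_init; the only edit replaces the old `set(skb_mark(0)),1` expectation with `1` for a trace on a non-tunnel port. That confirms the mark now passes through there, but not that the bit is still removed on tunnel input. Because the bit marks IPsec tunnel packets, a regression in the input-side clear would go unnoticed as far as this file shows. I would add a trace case whose in_port is a tunnel port with `pkt_mark=1` and assert that the resulting flow no longer carries the bit. The AT_CHECK sequence continues outside the hunk.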