git://git.onelab.eu / sliver-openvswitch.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 62a7cc7)
tunnel: Clear IPSEC_MARK on input rather than output.
authorJesse Gross <jesse@nicira.com>
Tue, 6 Aug 2013 19:57:15 +0000 (12:57 -0700)
committerJesse Gross <jesse@nicira.com>
Tue, 13 Aug 2013 21:39:51 +0000 (14:39 -0700)
Currently we remove the IPSEC_MARK flag from all packets that are
egressing on non-tunnel ports. However, this behavior is confusing
if we allow OpenFlow controllers to match and set the pkt_mark field
because the tunnel behavior applies even on non-tunnel ports.

This instead clears the mark on tunnel input which should have the
same effect for tunnel ports. However, on non-tunnel traffic (or
even for traffic entering on a tunnel port but leaving on a non-
tunnel port) it allows the mark to pass through without change.

Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Andy Zhou <azhou@nicira.com>
ofproto/ofproto-dpif-xlate.c patch | blob | history
ofproto/tunnel.c patch | blob | history
ofproto/tunnel.h patch | blob | history
tests/ofproto-dpif.at patch | blob | history

diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 0f4a10c..8be8088 100644 (file)
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -1631,7 +1631,6 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
             out_port = ofp_port_to_odp_port(ctx->xbridge, vlandev_port);
             flow->vlan_tci = htons(0);
         }
-        flow->pkt_mark &= ~IPSEC_MARK;
     }
 
     if (out_port != ODPP_NONE) {
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index 8b49d6a..0ba0066 100644 (file)
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -31,6 +31,9 @@
 
 VLOG_DEFINE_THIS_MODULE(tunnel);
 
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 struct tnl_match {
     ovs_be64 in_key;
     ovs_be32 ip_src;
@@ -282,6 +285,8 @@ tnl_xlate_init(const struct flow *base_flow, struct flow *flow,
         if (!tnl_ecn_ok(base_flow, flow)) {
             return false;
         }
+
+        flow->pkt_mark &= ~IPSEC_MARK;
     }
 
     return true;
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index afe78ab..27a2f7d 100644 (file)
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
@@ -20,9 +20,6 @@
 #include <stdint.h>
 #include "flow.h"
 
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
 /* Tunnel port emulation layer.
  *
  * These functions emulate tunnel virtual ports based on the outer
diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
index 28067d3..b093998 100644 (file)
--- a/tests/ofproto-dpif.at
+++ b/tests/ofproto-dpif.at
@@ -1215,7 +1215,7 @@ Flow: pkt_mark=0x2,skb_priority=0x1,arp,metadata=0,in_port=1,vlan_tci=0x0000,dl_
 AT_CHECK([ovs-appctl ofproto/trace br0 \
   "in_port=2,skb_priority=2,pkt_mark=1" "$pkt2to1"], [0], [stdout],[stderr])
 AT_CHECK([tail -1 stdout], [0], [dnl
-Datapath actions: set(skb_mark(0)),1
+Datapath actions: 1
 ])
 AT_CHECK([head -n 2 stdout], [0], [dnl
 Packet: arp,metadata=0,in_port=0,vlan_tci=0x0000,dl_src=50:54:00:00:00:02,dl_dst=50:54:00:00:00:01,arp_spa=0.0.0.0,arp_tpa=0.0.0.0,arp_sha=00:00:00:00:00:00,arp_tha=00:00:00:00:00:00
sliver-openvswitch