Drop packets from unknown interfaces in classifier table #199
Conversation
|
Thanks for your PR. The following commands are available:
|
|
/test-e2e |
wenyingd
changed the title
|
@wenyingd: if we do not drop the packets, what will be the problem? I was thinking in some testing scenarios, could we create an extra interface on the bridge. |
|
@jianjuns If we don't drop the packets, packets sent from non-Pod/non-gw0/non-tunnel could be forwarded normally. Then it is possible that the unleagel packets can be sent to pods. We current found an issue with openflow binding, if Openflow entries are not realized before GARP(it is possible because OF binding is async, even if the flow entries is sent out from the UDS channel, it might be not realized at that time), the GARP packets are forwarded by the Normal flow. But after change the default action to "drop", the GARP packets might be dropped, and it affects several "Conformance" test. But it should be another issue about race between different goroutines. More details about the isse please refer to #195 " I was thinking in some testing scenarios, could we create an extra interface on the bridge." Do you mean these interfaces have no specific Openflow rules installed, and we want to leverage the Normal flow to forward the packets? Shall we install specific flow entries for these interfaces in such test cases? |
|
But non-Pod/tunnel/gw ports must be added manually for some purpose if they exist, so I feel no need to handle them specially. |
|
If we don't drop the packets, they should be forwarded normally, it is following OVS default actions after a bridge is created. Current code has another flow entry("priority=80,ip,actions=resubmit(,10)") which will enforce IP packets into table10(Spoofing guard table). Table10 will check inport/IP/Mac bindings, and drop all unlegal packets. If the packet is from unkown source, it should be dropped here. I will remove this flow in this PR, no matter the default actions in table0 is to drop or normal. |
|
Ok. I feel still better to drop the packets from unknown sources at least for now, to drop packets from a Pod interface that has no flow (inc. networkpolicy flows) installed. We could consider another approach later if we have cases to add test ports to the bridge. |
|
/test-e2e |
wenyingd
changed the title
|
Update according to @tnqn comment #195 (comment) |
There was a problem hiding this comment.
This LGTM, even though in the long term I'd rather rely on notifications from the OF switch if possible (#195 (comment))
|
/test-e2e |
|
Rebase to master to enforce golangci-lint check. |
There was a problem hiding this comment.
LGTM,
longer term we can implement something more robust (see #195 (comment))
| count := 0 | ||
| for count < 3 { | ||
| select { | ||
| case <-time.Tick(50 * time.Millisecond): |
There was a problem hiding this comment.
I know other implementations use Fibonacci sequence (like 50, 50, 100). Good with your current implementation too.
1. Change the priority of tableMiss from 80 to 0. Otherwise there would be another flow entry with action "Normal" added by OVS automatically after the bridge is created. 2. Change the default action of classifier table to drop packets. Signed-off-by: wenyingd <wenyingd@vmware.com>
Send 3 GARP packets in another goroutine with 50ms interval.
|
/test-e2e |
another flow entry with action "Normal" added by OVS automatically after
the bridge is created.
Fixes #195
Signed-off-by: wenyingd wenyingd@vmware.com