[ovs-dev,ovn-ipv6,22/26] ovn-controller: Tighten "nd" definition, add "nd_sol" and "nd_adv".

Message ID 1468306616-125783-23-git-send-email-jpettit@ovn.org
State Changes Requested

Commit Message

Justin Pettit July 12, 2016, 6:56 a.m. UTC
According to RFC 4861, Neighbor Discovery messages should only match
when the Hop Limit is 255 to prevent off-link senders from sending ND
messages.  This commit limits matching to that Hop Limit.

It also introduces Neighbor Discovery Solicitation ("nd_sol") and
Advertisement ("nd_adv") definitions.

The "nd.sll" and "nd.tll" only apply to "nd_sol" and "nd_adv",
respectively.  This commit limits those symbols appropriately.  (Note
that Router and Redirect also use those fields, but they will likely not
use "nd" in their description.)

Signed-off-by: Justin Pettit <jpettit@ovn.org>
---
 ovn/controller/lflow.c | 10 +++++++---
 ovn/ovn-sb.xml         |  4 +++-
 tests/test-ovn.c       |  7 ++++++-
 3 files changed, 16 insertions(+), 5 deletions(-)
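
The check the commit message describes, as an added example that is not part of the patch or of the OVN code base: a Neighbor Solicitation or Advertisement is accepted only if it arrives with Hop Limit 255, which a packet forwarded by any router cannot have. The names `classify_nd` and `make_pkt` are hypothetical, the sample packets are constructed, and the parser assumes no extension headers precede ICMPv6.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum nd_class { ND_NONE = 0, ND_SOL = 135, ND_ADV = 136 };
#define IP6_HDR_LEN 40
#define ND_MIN_LEN  24   /* ICMPv6 header (4) + reserved/flags (4) + target (16) */

/* Mirrors the tightened predicates: ICMPv6 type 135/136, code 0 and
 * Hop Limit 255.  Assumption: no extension headers precede ICMPv6. */
enum nd_class classify_nd(const uint8_t *pkt, size_t len)
{
    if (len < IP6_HDR_LEN + ND_MIN_LEN || (pkt[0] >> 4) != 6 || pkt[6] != 58) {
        return ND_NONE;            /* not IPv6 carrying ICMPv6 */
    }
    if (pkt[7] != 255 || pkt[IP6_HDR_LEN + 1] != 0) {
        return ND_NONE;            /* forwarded (Hop Limit < 255) or code != 0 */
    }
    switch (pkt[IP6_HDR_LEN]) {
    case 135: return ND_SOL;
    case 136: return ND_ADV;
    default:  return ND_NONE;
    }
}

/* Constructed sample packet: addresses and target are left zeroed. */
size_t make_pkt(uint8_t *buf, uint8_t type, uint8_t code, uint8_t hop_limit)
{
    memset(buf, 0, IP6_HDR_LEN + ND_MIN_LEN);
    buf[0] = 0x60;                 /* version 6 */
    buf[5] = ND_MIN_LEN;           /* payload length, low byte */
    buf[6] = 58;                   /* Next Header: ICMPv6 */
    buf[7] = hop_limit;
    buf[IP6_HDR_LEN] = type;
    buf[IP6_HDR_LEN + 1] = code;
    return IP6_HDR_LEN + ND_MIN_LEN;
}

int main(void)
{
    uint8_t buf[IP6_HDR_LEN + ND_MIN_LEN];
    printf("on-link NS:   %d\n", classify_nd(buf, make_pkt(buf, 135, 0, 255)));
    printf("forwarded NS: %d\n", classify_nd(buf, make_pkt(buf, 135, 0, 254)));
    return 0;
}
```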

Comments

Ben Pfaff July 13, 2016, 8:06 p.m. UTC | #1
On Mon, Jul 11, 2016 at 11:56:52PM -0700, Justin Pettit wrote:
> According to RFC 4861, Neighbor Discovery messages should only match
> when the Hop Limit is 255 to prevent off-link senders from sending ND
> messages.  This commit limits matching to that Hop Limit.
> 
> It also introduces Neighbor Discovery Solicitation ("nd_sol") and
> Advertisement ("nd_adv") definitions.
> 
> The "nd.sll" and "nd.tll" only apply to "nd_sol" and "nd_adv",
> respectively.  This commit limits those symbols appropriately.  (Note
> that Router and Redirect also use those fields, but they will likely not
> use "nd" in their description.)
> 
> Signed-off-by: Justin Pettit <jpettit@ovn.org>

Acked-by: Ben Pfaff <blp@ovn.org>

Patch

diff --git a/ovn/controller/lflow.c b/ovn/controller/lflow.c
index b77b364..10a7e18 100644
--- a/ovn/controller/lflow.c
+++ b/ovn/controller/lflow.c
@@ -146,12 +146,16 @@  lflow_init(void)
     expr_symtab_add_field(&symtab, "arp.tha", MFF_ARP_THA, "arp", false);
 
     expr_symtab_add_predicate(&symtab, "nd",
-                              "icmp6.type == {135, 136} && icmp6.code == 0");
+              "icmp6.type == {135, 136} && icmp6.code == 0 && ip.ttl == 255");
+    expr_symtab_add_predicate(&symtab, "nd_sol",
+              "icmp6.type == 135 && icmp6.code == 0 && ip.ttl == 255");
+    expr_symtab_add_predicate(&symtab, "nd_adv",
+              "icmp6.type == 136 && icmp6.code == 0 && ip.ttl == 255");
     expr_symtab_add_field(&symtab, "nd.target", MFF_ND_TARGET, "nd", false);
     expr_symtab_add_field(&symtab, "nd.sll", MFF_ND_SLL,
-              "nd && icmp6.type == 135", false);
+              "nd_sol && icmp6.type == 135", false);
     expr_symtab_add_field(&symtab, "nd.tll", MFF_ND_TLL,
-              "nd && icmp6.type == 136", false);
+              "nd_adv && icmp6.type == 136", false);
 
     expr_symtab_add_predicate(&symtab, "tcp", "ip.proto == 6");
     expr_symtab_add_field(&symtab, "tcp.src", MFF_TCP_SRC, "tcp", false);
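Review bot: The prerequisites for nd.sll and nd.tll repeat a type check that the new predicates already carry: "nd_sol && icmp6.type == 135" reduces to "nd_sol", and "nd_adv && icmp6.type == 136" to "nd_adv", because nd_sol and nd_adv each pin icmp6.type. Suggest passing just "nd_sol" and "nd_adv" as the prerequisite strings. The three predicate strings also duplicate "icmp6.code == 0 && ip.ttl == 255"; a short comment above them saying that ip.ttl is the IPv6 Hop Limit here and citing RFC 4861 would explain why 255 is required.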
diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml
index 7b45bbb..2914349 100644
--- a/ovn/ovn-sb.xml
+++ b/ovn/ovn-sb.xml
@@ -803,7 +803,9 @@ 
         <li><code>ip.later_frag</code> expands to <code>ip.frag[1]</code></li>
         <li><code>ip.first_frag</code> expands to <code>ip.is_frag &amp;&amp; !ip.later_frag</code></li>
         <li><code>arp</code> expands to <code>eth.type == 0x806</code></li>
-        <li><code>nd</code> expands to <code>icmp6.type == {135, 136} &amp;&amp; icmp6.code == 0</code></li>
+        <li><code>nd</code> expands to <code>icmp6.type == {135, 136} &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
+        <li><code>nd_sol</code> expands to <code>icmp6.type == 135 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
+        <li><code>nd_adv</code> expands to <code>icmp6.type == 136 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
         <li><code>tcp</code> expands to <code>ip.proto == 6</code></li>
         <li><code>udp</code> expands to <code>ip.proto == 17</code></li>
         <li><code>sctp</code> expands to <code>ip.proto == 132</code></li>
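Review bot: Missing documentation for the new constraint: the nd, nd_sol and nd_adv expansions now end in ip.ttl == 255, but nothing in this hunk tells the reader that this is the IPv6 Hop Limit check from RFC 4861, or that a flow matching on nd no longer matches ND packets that arrive with a lower Hop Limit. A sentence saying so near these list items would help, and if the document describes the prerequisites of nd.sll and nd.tll elsewhere, those should now read nd_sol and nd_adv.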
diff --git a/tests/test-ovn.c b/tests/test-ovn.c
index fd004c9..26affa0 100644
--- a/tests/test-ovn.c
+++ b/tests/test-ovn.c
@@ -212,7 +212,12 @@  create_symtab(struct shash *symtab)
     expr_symtab_add_field(symtab, "arp.tpa", MFF_ARP_TPA, "arp", false);
     expr_symtab_add_field(symtab, "arp.tha", MFF_ARP_THA, "arp", false);
 
-    expr_symtab_add_predicate(symtab, "nd", "icmp6.type == {135, 136} && icmp6.code == 0");
+    expr_symtab_add_predicate(symtab, "nd",
+              "icmp6.type == {135, 136} && icmp6.code == 0 && ip.ttl == 255");
+    expr_symtab_add_predicate(symtab, "nd_sol",
+              "icmp6.type == 135 && icmp6.code == 0 && ip.ttl == 255");
+    expr_symtab_add_predicate(symtab, "nd_adv",
+              "icmp6.type == 136 && icmp6.code == 0 && ip.ttl == 255");
     expr_symtab_add_field(symtab, "nd.target", MFF_ND_TARGET, "nd", false);
     expr_symtab_add_field(symtab, "nd.sll", MFF_ND_SLL,
               "nd && icmp6.type == 135", false);
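Review bot: In the trailing context of this hunk, nd.sll still takes "nd && icmp6.type == 135" as its prerequisite, while the lflow.c hunk changes the same field to "nd_sol && icmp6.type == 135". The test symbol table should track the controller's, so update nd.sll here too (and nd.tll, which falls outside the visible lines); otherwise the tests exercise a different prerequisite from the one ovn-controller uses.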