On Tue, Oct 11, 2011 at 4:05 PM, Ben Pfaff <[email protected]> wrote:
> Until now, OVS has handled IP fragments more awkwardly than necessary. It
> has not been possible to match on L4 headers, even in fragments with offset
> 0 where they are actually present. This means that there was no way to
> implement ACLs that treat, say, different TCP ports differently, on
> fragmented traffic; instead, all decisions for fragment forwarding had to
> be made on the basis of L2 and L3 headers alone.
>
> This commit improves the situation significantly. It is still not possible
> to match on L4 headers in fragments with nonzero offset, because that
> information is simply not present in such fragments, but this commit adds
> the ability to match on L4 headers for fragments with zero offset. This
> means that it becomes possible to implement ACLs that drop such "first
> fragments" on the basis of L4 headers. In practice, that effectively
> blocks even fragmented traffic on an L4 basis, because the receiving IP
> stack cannot reassemble a full packet when the first fragment is missing.
>
> This commit works by adding a new "fragment type" to the kernel flow match
> and making it available through OpenFlow as a new NXM field named
> NXM_NX_IP_FRAG. Because OpenFlow 1.0 explicitly says that the L4 fields
> are always 0 for IP fragments, it adds a new OpenFlow fragment handling
> mode that fills in the L4 fields for "first fragments". It also enhances
> ovs-ofctl to allow users to configure this new fragment handling mode and
> to parse the new field.
>
> Signed-off-by: Ben Pfaff <[email protected]>
> Bug #7557.
Is this a new version?

dev mailing list
http://openvswitch.org/mailman/listinfo/dev
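The fragment-handling semantics the quoted commit message describes, as an added Python example that is not code from the OVS tree or from this thread: the mode names "of10" and "first_l4", the flow-key layout and the sample packets are constructed here to show why an L4 ACL only bites on fragments once the first fragment's ports are visible to the match.

```python
import struct

# Constructed sample data and hypothetical helper names; not OVS code.
IP_MF, IP_OFFMASK = 0x2000, 0x1FFF   # "more fragments" flag, 13-bit offset


def build_ipv4_tcp(flags_frag, sport, dport, payload=b"x" * 8):
    """Minimal IPv4 packet; the TCP ports only exist when the offset is 0."""
    if (flags_frag & IP_OFFMASK) == 0:
        l4 = struct.pack("!HH", sport, dport) + payload
    else:
        l4 = payload                     # later fragment: no L4 header at all
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234,
                      flags_frag, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4


def extract_flow(pkt, mode):
    """Flow key as each fragment-handling mode would see it.

    "of10":     OpenFlow 1.0 rule, L4 fields are zero for every fragment.
    "first_l4": the mode the commit adds (hypothetical name), L4 fields
                are filled in for fragments whose offset is 0.
    """
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    offset, mf = flags_frag & IP_OFFMASK, bool(flags_frag & IP_MF)
    ip_frag = "later" if offset else ("first" if mf else "no")
    flow = {"nw_proto": proto, "ip_frag": ip_frag, "tp_src": 0, "tp_dst": 0}
    l4_visible = ip_frag == "no" or (mode == "first_l4" and ip_frag == "first")
    if proto == 6 and l4_visible and len(pkt) >= ihl + 4:
        flow["tp_src"], flow["tp_dst"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return flow


def acl_decision(pkt, mode, blocked_dst_ports=(23,)):
    """Drop TCP to a blocked destination port; everything else forwards."""
    flow = extract_flow(pkt, mode)
    if flow["nw_proto"] == 6 and flow["tp_dst"] in blocked_dst_ports:
        return "drop"
    return "forward"
```

Later fragments forward in both modes because their flow key carries no ports; the ACL still holds because the receiver cannot reassemble without the dropped first fragment.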
