On 10/07/2012 18:08, Ben Pfaff wrote:
> On Tue, Jul 10, 2012 at 09:23:05AM -0400, Ed Maste wrote:
>> It isn't clear to me though why the Linux userspace mode does not behave
>> the same way though. I had a (very) brief look at the way PF_PACKET is
>> handled in Linux and it seemed like the packet would still be passed up
>> the stack -- there must be something else that I'm missing.
> Linux appears to have a special case such that a packet will never be
> delivered back to the socket from which it originates via the network
> tap interface, see dev_queue_xmit_nit() in net/core/dev.c:
>> That looks to me like it should address the transmit case, avoiding
>> duplicate handling of a packet transmitted by Open vSwitch - I don't
>> see how the receive case (from the physical network) is handled.
> Probably there's just a bug there. The userspace version isn't the
> primary way to use Open vSwitch with a Linux kernel so it gets little
> testing.
I think I have found what was causing the different behavior of Linux
and FreeBSD. It turns out that several Linux distributions (Gentoo and
Ubuntu, at least) set /proc/sys/net/conf/*/rp_filter to 1, i.e., they
use reverse path filtering on all interfaces. In our tests we had a
userlevel ovs bridge connecting a tap device with an IP address and a
physical device with no address. The ping reply coming out of the
physical device was dropped by the reverse path filter in the kernel,
because the source address of the packet was not expected to live behind
that device. The copy made by the AF_PACKET socket in the ovs
bridge, instead, was forwarded by ovs to the tap device and then
accepted. If we set rp_filter to 0, both copies are accepted and we see
duplicate ping replies in Linux, as in FreeBSD.

Now the question is: is the configuration we were using supposed to work
(i.e., *not* to make duplicate packets)? If the answer is yes, then
INSTALL.usermode should mention the need for firewall rules or filters
for both FreeBSD and Linux. Indeed, I think the most clear thing to do,
even in Linux, is to use firewall rules, like

    iptables -A INPUT -i eth_n -j DROP
    iptables -A FORWARD -i eth_n -j DROP

for each eth_n which is connected to an ovs bridge.
Thoughts?
Giuseppe
--
Dr. Ing. Giuseppe Lettieri
Dipartimento di Ingegneria della Informazione
Universita' di Pisa
Largo Lucio Lazzarino 2, 56122 Pisa - Italy
Ph. : (+39) 050-2217.649 (direct) .599 (switch)
Fax : (+39) 050-2217.600
e-mail: g.letti...@iet.unipi.it
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
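A small diagnostic for the symptom described in the thread, added here as an example rather than anything from the Open vSwitch project: it parses the reply lines of a ping run (Linux and FreeBSD print the same "N bytes from X: icmp_seq=S" shape) and reports which echo replies arrived more than once, which is what you see when the kernel accepts the packet on the physical port and the userspace bridge forwards a second copy to the tap. The sample ping transcripts below are constructed, not captured.

```python
import re
from collections import Counter

# One echo reply per line; greedy "src" stops at the last ": " so IPv6
# sources such as "fe80::1" are captured whole. Constructed pattern.
REPLY_RE = re.compile(r"^\d+ bytes from (?P<src>.+): .*?icmp_seq=(?P<seq>\d+)")


def count_replies(ping_output):
    """Map (source, icmp_seq) to the number of replies seen for it."""
    counts = Counter()
    for line in ping_output.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            counts[(m.group("src"), int(m.group("seq")))] += 1
    return counts


def find_duplicate_replies(ping_output):
    """Return {(src, seq): copies} for every reply that arrived more than once."""
    return {key: n for key, n in count_replies(ping_output).items() if n > 1}


def duplicate_ratio(ping_output):
    """Fraction of sequence numbers that were answered more than once.
    1.0 means every reply was doubled, the pattern of a second copy being
    forwarded back through the bridge; 0.0 means no duplication."""
    counts = count_replies(ping_output)
    if not counts:
        return 0.0
    return sum(1 for n in counts.values() if n > 1) / len(counts)


# Constructed transcript: rp_filter=0, both the kernel and the bridge
# deliver each reply, so ping flags the second copy as a DUP.
SAMPLE_RP_FILTER_OFF = """\
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.455 ms (DUP!)
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.431 ms (DUP!)
"""

# Constructed transcript: rp_filter=1 (or the iptables DROP rules in
# place), so only the copy forwarded via the tap device is accepted.
SAMPLE_RP_FILTER_ON = """\
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.398 ms
"""

if __name__ == "__main__":
    print(find_duplicate_replies(SAMPLE_RP_FILTER_OFF))
    print(duplicate_ratio(SAMPLE_RP_FILTER_OFF), duplicate_ratio(SAMPLE_RP_FILTER_ON))
```

Feed it the output of `ping -c N <host>` from the tap side of the bridge: a ratio near 1.0 confirms the double delivery, and re-running after applying the rp_filter or iptables change should bring it to 0.0.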