On Thu, Jul 12, 2012 at 08:07:08PM +0200, Giuseppe Lettieri wrote:
> On 10/07/2012 18:08, Ben Pfaff wrote:
> >On Tue, Jul 10, 2012 at 09:23:05AM -0400, Ed Maste wrote:
> >>>>It isn't clear to me though why the Linux userspace mode does not behave
> >>>>the same way though. I had a (very) brief look at the way PF_PACKET is
> >>>>handled in Linux and it seemed like the packet would still be passed up
> >>>>the stack -- there must be something else that I'm missing.
> >>>Linux appears to have a special case such that a packet will never be
> >>>delivered back to the socket from which it originates via the network
> >>>tap interface, see dev_queue_xmit_nit() in net/core/dev.c:
> >>That looks to me like it should address the transmit case, avoiding
> >>duplicate handling of a packet transmitted by Open vSwitch - I don't
> >>see how the receive case (from the physical network) is handled.
> >Probably there's just a bug there. The userspace version isn't the
> >primary way to use Open vSwitch with a Linux kernel so it gets little
> >testing.
>
> I think I have found what was causing the different behavior of
> Linux and FreeBSD. It turns out that several Linux distributions
> (Gentoo and Ubuntu, at least) set /proc/sys/net/conf/*/rp_filter to
> 1, i.e., they use reverse path filtering on all interfaces. In our
> tests we had a userlevel ovs bridge connecting a tap device with an
> IP address and a physical device with no address. The ping reply
> coming out of the physical device was dropped by the reverse path
> filter in the kernel, because the source address of the packet was
> not expected to live behind that device. The copy made by the
> AF_PACKET socket in the ovs bridge, instead, was forwarded by ovs to
> the tap device and then accepted. If we set rp_filter to 0, both
> copies are accepted and we see duplicate ping replies in Linux, as
> in FreeBSD.
>
> Now the question is: is the configuration we were using supposed to
> work (i.e., *not* to make duplicate packets)? If the answer is yes,
> then INSTALL.usermode should mention the need for firewall rules or
> filters for both FreeBSD and Linux. Indeed, I think the most clear
> thing to do, even in Linux, is to use firewall rules, like
>
> iptables -A INPUT -i eth_n -j DROP
> iptables -A FORWARD -i eth_n -j DROP
>
> for each eth_n which is connected to an ovs bridge.
>
> Thoughts?
This sounds correct to me, but I do not know iptables well. The diagram here:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Figure_14-1_Iptables_Packet_Flow_Diagram

suggests that the PREROUTING chain in the mangle table would be the best place to put the DROP rule.

In FreeBSD, do you intend to add the equivalent filter rules automatically somewhere? Or to document that it is necessary and that the administrator should do so by hand? If the former, then let's figure out a good mechanism to hook in. Perhaps we should add a pair of "netdev" functions for disabling and re-enabling default network stack behavior, that dpif-netdev could call on adding and removing a port and could be implemented appropriately for Linux and for FreeBSD. What do you think?

Thanks,

Ben.
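An added example, not from the thread or the Open vSwitch tree: a small POSIX shell script that, for each NIC attached to a userspace OVS bridge, reports the kernel's rp_filter value (the setting that hid the duplicate replies in the Linux tests above) and prints the DROP rules placed in the mangle PREROUTING chain as suggested. The PROC_ROOT variable and the function names are assumptions introduced here so the checks can also be run against a copy of the sysctl tree.

```shell
#!/bin/sh
# Hypothetical helper (not OVS code). PROC_ROOT defaults to the live
# sysctl tree; point it elsewhere to dry-run against a copied tree.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Print the rp_filter value for one interface, or "unknown" if the
# kernel exposes no such file (the real path is net/ipv4/conf/<if>/).
rp_filter_state() {
    f="$PROC_ROOT/net/ipv4/conf/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Emit the rules for one bridge port. Dropping in mangle PREROUTING stops
# the host IP stack from consuming frames the bridge already receives via
# its AF_PACKET socket; that socket taps frames before netfilter runs, so
# OVS still sees them. ip6tables covers the IPv6 path the same way.
isolation_rules() {
    echo "iptables -t mangle -A PREROUTING -i $1 -j DROP"
    echo "ip6tables -t mangle -A PREROUTING -i $1 -j DROP"
}

# For every interface given: say whether rp_filter (1 = strict, 2 = loose,
# 0 = off) is merely masking the duplication, then print the rules.
report() {
    for ifc in "$@"; do
        state=$(rp_filter_state "$ifc")
        case "$state" in
            0)   note="rp_filter off: expect duplicate replies without rules" ;;
            1|2) note="rp_filter=$state masks duplicates; rules still needed" ;;
            *)   note="rp_filter unknown" ;;
        esac
        echo "# $ifc: $note"
        isolation_rules "$ifc"
    done
}

report "$@"
```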