Currently we remove the IPSEC_MARK flag from all packets that are
egressing on non-tunnel ports. However, this behavior is confusing
if we allow OpenFlow controllers to match and set the pkt_mark field
because the tunnel behavior applies even on non-tunnel ports.

This instead clears the mark on tunnel input, which should have the
same effect for tunnel ports. However, on non-tunnel traffic (or
even for traffic entering on a tunnel port but leaving on a
non-tunnel port) it allows the mark to pass through without change.

Signed-off-by: Jesse Gross <je...@nicira.com>
---
 ofproto/ofproto-dpif-xlate.c | 1 -
 ofproto/tunnel.c             | 5 +++++
 ofproto/tunnel.h             | 3 ---
 tests/ofproto-dpif.at        | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 0c0d9ef..c6ff6ac 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -1548,7 +1548,6 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t 
ofp_port,
             out_port = ofp_port_to_odp_port(ctx->xbridge, vlandev_port);
             flow->vlan_tci = htons(0);
         }
-        flow->pkt_mark &= ~IPSEC_MARK;
     }
 
     if (out_port != ODPP_NONE) {
diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
index f662a66..2a00574 100644
--- a/ofproto/tunnel.c
+++ b/ofproto/tunnel.c
@@ -31,6 +31,9 @@
 
 VLOG_DEFINE_THIS_MODULE(tunnel);
 
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 struct tnl_match {
     ovs_be64 in_key;
     ovs_be32 ip_src;
@@ -282,6 +285,8 @@ tnl_xlate_init(const struct flow *base_flow, struct flow 
*flow,
         if (!tnl_ecn_ok(base_flow, flow)) {
             return false;
         }
+
+        flow->pkt_mark &= ~IPSEC_MARK;
     }
 
     return true;
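Review bot: The added `flow->pkt_mark &= ~IPSEC_MARK;` has no comment, although after this patch it is the only place visible here where the IPsec bit is sanitized, so the reason should be recorded next to it. Something like `/* Strip the IPsec mark on tunnel input; marks on non-tunnel traffic are left to the flow table. */` would do. As the description states, a mark of 1 on traffic that never enters through a tunnel port now reaches output unchanged. Any host-side policy that reads that skb mark as meaning IPsec-protected (an assumption, not visible here) would then depend on the flow table rather than on this code. The enclosing `if` and the start of tnl_xlate_init lie outside the hunk.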
diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
index afe78ab..27a2f7d 100644
--- a/ofproto/tunnel.h
+++ b/ofproto/tunnel.h
@@ -20,9 +20,6 @@
 #include <stdint.h>
 #include "flow.h"
 
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
 /* Tunnel port emulation layer.
  *
  * These functions emulate tunnel virtual ports based on the outer
diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
index 25bd982..d1f224c 100644
--- a/tests/ofproto-dpif.at
+++ b/tests/ofproto-dpif.at
@@ -1215,7 +1215,7 @@ Flow: 
pkt_mark=0x2,skb_priority=0x1,arp,metadata=0,in_port=1,vlan_tci=0x0000,dl_
 AT_CHECK([ovs-appctl ofproto/trace br0 \
   "in_port=2,skb_priority=2,pkt_mark=1" "$pkt2to1"], [0], [stdout],[stderr])
 AT_CHECK([tail -1 stdout], [0], [dnl
-Datapath actions: set(skb_mark(0)),1
+Datapath actions: 1
 ])
 AT_CHECK([head -n 2 stdout], [0], [dnl
 Packet: 
arp,metadata=0,in_port=0,vlan_tci=0x0000,dl_src=50:54:00:00:00:02,dl_dst=50:54:00:00:00:01,arp_spa=0.0.0.0,arp_tpa=0.0.0.0,arp_sha=00:00:00:00:00:00,arp_tha=00:00:00:00:00:00
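Review bot: Nothing in this hunk exercises the new clearing in tnl_xlate_init. The changed expectation `Datapath actions: 1` only pins that a mark on non-tunnel `in_port=2` is no longer reset. A companion `ofproto/trace` case with the packet received on a tunnel port and `pkt_mark=1` would show that the bit is removed on tunnel input, which is the half of the change that protects the tunnel path. Whether the existing tunnel tests already cover that is not visible from here.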
-- 
1.8.1.2
