Andy noted offline that matching on the in_port will prevent tunneled packets matching with non-tunneled flows. Tunnels have their own datapath port number and we always unwildcard the in_port. SO, I’ll just update the comment and the commit description.
Jarno On Apr 11, 2014, at 11:12 AM, Jarno Rajahalme <jrajaha...@nicira.com> wrote: > Upon further research I think I was wrong about this, and we actually need to > unwildcard the ‘tun_dst’ bits to prevent tunneled packets matching on > non-tunneled flows. > > I’ll send a revised patch soon. > > Jarno > > On Apr 9, 2014, at 1:38 PM, Ben Pfaff <b...@nicira.com> wrote: > >> On Tue, Apr 08, 2014 at 04:38:52PM -0700, Jarno Rajahalme wrote: >>> It would seem that we should set the 'tun_dst' in 'wc' when calling >>> tnl_port_should_receive(), as it is reading that flow field. >>> >>> However, tnl_port_should_receive() returns true, if the flow has >>> tunnel metadata. If there is no tunnel metadata, then there is >>> nothing to mask, so we do not set the 'ip_dst' field in the 'wc' if >>> this test fails, even though we used that field to determine the >>> non-presence of the tunnel metadata. >>> >>> Datapath flow matching ensures that a key that does not include tunnel >>> metadata cannot match a tunneled packet. >>> >>> Signed-off-by: Jarno Rajahalme <jrajaha...@nicira.com> >> >> Acked-by: Ben Pfaff <b...@nicira.com> > _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
