bridge: Eject NORMAL flows without a learning entry from datapath.

When revalidating NORMAL flows we consult the learning table, which
could be empty if a packet hasn't come to userspace in a while or we
just did a bridge flush.  If there is no learning entry then existing
flows will begin flooding packets until a new flow is setup.  The
problem is worse with bonding because we can receive one of the flooded
packets back on a bond slave and learn that port, causing us to send
traffic to the wrong location.

diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index fda80f1a2c0a3ed93f7adedf85a872678afeaf28..05003e1c1c27e43f66455b401657d012df193f11 100644 (file)
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -1947,6 +1947,11 @@ process_flow(struct bridge *br, const flow_t *flow,
                                                tags);
         if (out_port_idx >= 0 && out_port_idx < br->n_ports) {
             out_port = br->ports[out_port_idx];
+        } else if (!packet) {
+            /* If we are revalidating but don't have a learning entry then
+             * eject the flow.  Installing a flow that floods packets will
+             * prevent us from seeing future packets and learning properly. */
+            return false;
         }
     }