*
* This is useful because OpenFlow does not provide a way to match on the
* Ethernet addresses inside ARP packets, so there is no other way to drop
- * spoofed ARPs other than sending every packet up to the controller. */
+ * spoofed ARPs other than sending every ARP packet to a controller. */
NXAST_DROP_SPOOFED_ARP
};
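Review bot: The rewritten sentence in this comment still reads "there is no other way to drop spoofed ARPs other than sending every ARP packet to a controller", which doubles up "other". Suggest "there is no way to drop spoofed ARPs other than sending every ARP packet to a controller". The same sentence is copied into the man page text later in this patch, so both copies should be fixed together.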
nast->vendor = htonl(NX_VENDOR_ID);
nast->subtype = htons(NXAST_SET_TUNNEL);
nast->tun_id = htonl(str_to_u32(arg));
+ } else if (!strcasecmp(act, "drop_spoofed_arp")) {
+ struct nx_action_header *nah;
+ nah = put_action(b, sizeof *nah, OFPAT_VENDOR);
+ nah->vendor = htonl(NX_VENDOR_ID);
+ nah->subtype = htons(NXAST_DROP_SPOOFED_ARP);
} else if (!strcasecmp(act, "output")) {
put_output_action(b, str_to_u32(arg));
} else if (!strcasecmp(act, "enqueue")) {
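Review bot: The new "drop_spoofed_arp" branch never looks at arg, so as far as these lines show, a flow string such as "drop_spoofed_arp:1" is accepted and the argument silently discarded, whereas the neighbouring branches all consume arg. Suggest rejecting a non-NULL arg here so a typo in a flow specification fails loudly instead of installing a flow the operator did not intend. The branch also sets only vendor and subtype, so it relies on put_action() zero-filling the remaining bytes of struct nx_action_header; worth confirming that it does, or clearing them explicitly.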
If outputting to a port that encapsulates the packet in a tunnel and supports
an identifier (such as GRE), sets the identifier to \fBid\fR.
.
+.IP \fBdrop_spoofed_arp\fR
+Stops processing further actions, if the packet being processed is an
+Ethernet+IPv4 ARP packet for which the source Ethernet address inside
+the ARP packet differs from the source Ethernet address in the
+Ethernet header.
+.
+This is useful because OpenFlow does not provide a way to match on the
+Ethernet addresses inside ARP packets, so there is no other way to
+drop spoofed ARPs other than sending every ARP packet to a controller.
.RE
.
.IP
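Review bot: The second paragraph of the drop_spoofed_arp entry ("This is useful because ...") follows a bare "." line, which roff ignores, so it will be filled into the same paragraph as the description above it; put an ".IP" before "This is useful" if a separate indented paragraph is intended. The description should also say that "Stops processing further actions" affects only the actions listed after drop_spoofed_arp, so the action has to appear before any output action for a spoofed ARP to actually be dropped.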