Before, in in-band mode, the secure channel would flood all flows
destined for the broadcast destination when not connected to a
controller. The rationale was that this allowed for ARP replies
to be forwarded to the local port, so that the secure channel
could obtain the Ethernet address of the controller. But this
is a false rationale: ARP replies are unicast to the requester,
not broadcast. (Frames unicast to the local port are always handled
by the secure channel.)
Also, even if it were a correct rationale, it would not help in
at least one case: if the controller's Ethernet address has expired
from the ARP cache, but the secure channel's TCP connection to
the controller is still connected, then the secure channel attempt
to ARP would fail, since the broadcast ARP reply would not be
handled by the secure channel (since the secure channel thought
that it was still connected).
flow_extract(&pkt, in_port, &flow);
/* Deal with local stuff. */
- if (!rconn_is_connected(r->halves[HALF_REMOTE].rconn)
- && eth_addr_is_broadcast(flow.dl_dst)) {
- out_port = OFPP_FLOOD;
- } else if (in_port == OFPP_LOCAL) {
+ if (in_port == OFPP_LOCAL) {
out_port = mac_learning_lookup(local_ml, flow.dl_dst);
} else if (eth_addr_equals(flow.dl_dst, local_mac)) {
out_port = OFPP_LOCAL;