From: Ben Pfaff Date: Fri, 10 Sep 2010 16:17:29 +0000 (-0700) Subject: ovs-ofctl: Add support for drop_spoofed_arp action. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=933df876ffa272d9d5768edf7fc5465261888ad2;p=openvswitch ovs-ofctl: Add support for drop_spoofed_arp action. Requested-by: Michael Mao --- diff --git a/include/openflow/nicira-ext.h b/include/openflow/nicira-ext.h index 885e01da..c97478fa 100644 --- a/include/openflow/nicira-ext.h +++ b/include/openflow/nicira-ext.h @@ -141,7 +141,7 @@ enum nx_action_subtype { * * This is useful because OpenFlow does not provide a way to match on the * Ethernet addresses inside ARP packets, so there is no other way to drop - * spoofed ARPs other than sending every packet up to the controller. */ + * spoofed ARPs other than sending every ARP packet to a controller. */ NXAST_DROP_SPOOFED_ARP }; diff --git a/lib/ofp-parse.c b/lib/ofp-parse.c index cc1419a0..06d5bd11 100644 --- a/lib/ofp-parse.c +++ b/lib/ofp-parse.c @@ -263,6 +263,11 @@ str_to_action(char *str, struct ofpbuf *b) nast->vendor = htonl(NX_VENDOR_ID); nast->subtype = htons(NXAST_SET_TUNNEL); nast->tun_id = htonl(str_to_u32(arg)); + } else if (!strcasecmp(act, "drop_spoofed_arp")) { + struct nx_action_header *nah; + nah = put_action(b, sizeof *nah, OFPAT_VENDOR); + nah->vendor = htonl(NX_VENDOR_ID); + nah->subtype = htons(NXAST_DROP_SPOOFED_ARP); } else if (!strcasecmp(act, "output")) { put_output_action(b, str_to_u32(arg)); } else if (!strcasecmp(act, "enqueue")) { diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index f51f87a1..7de788e1 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in @@ -451,6 +451,15 @@ addition to any other actions in this flow entry. Recursive If outputting to a port that encapsulates the packet in a tunnel and supports an identifier (such as GRE), sets the identifier to \fBid\fR. . +.IP \fBdrop_spoofed_arp\fR +Stops processing further actions, if the packet being processed is an +Ethernet+IPv4 ARP packet for which the source Ethernet address inside +the ARP packet differs from the source Ethernet address in the +Ethernet header. +. +This is useful because OpenFlow does not provide a way to match on the +Ethernet addresses inside ARP packets, so there is no other way to +drop spoofed ARPs other than sending every ARP packet to a controller. .RE . .IP