Re: [ovs-dev] [PATCH] ovn-northd: Handle IPv4 addresses with prefixes in lport port security

Thu, 07 Apr 2016 17:24:06 -0700 

> On Apr 7, 2016, at 11:34 AM, Numan Siddique <nusid...@redhat.com> wrote:
> 
> ​Hi Justin, there is still a problem with the below approach.​
> 
> In the case where port security has "10.0.0.4/24" it means that the logical 
> port ​is restricted in sending and receiving IP traffic with ip address 
> 10.0.0.4. IP traffic with any other ip address should be dropped. But with 
> the below approach we would be allowing all the ip addresses in the 
> 10.0.0.0/24.

Huh, there's a fair amount of subtlety there.  What about logic similar to the 
following (untested) code?

-=-=-=-=-=-=-=-=-
                ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen);
                /* When the netmask is applied, if the host portion is
                 * non-zero, the host can only use the specified
                 * address.  If zero, the host is allowed to use any
                 * address in the subnet. */
                if (ps.ipv4_addrs[i].addr & ~mask) {
                    ds_put_format(&match, IP_FMT,
                                  IP_ARGS(ps.ipv4_addrs[i].addr));
                } else {          
                    ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask,
                                     &match);
                } 
-=-=-=-=-=-=-=-=-

> ​Below is the port security description
> 
> <p>
>           Each element in the set may additionally contain one or more IPv4 or
>           IPv6 addresses (or both), with optional masks.  If a mask is given, 
> it
>           must be a CIDR mask.  In addition to the restrictions described for
>           Ethernet addresses above, such an element restricts the IPv4 or IPv6
>           addresses from which the host may send and to which it may receive
>           packets to the specified addresses.  A masked address, if the host 
> part
>           is zero, indicates that the host is allowed to use any address in 
> the
>           subnet; if the host part is nonzero, the mask simply indicates the 
> size
>           of the subnet. In addition:
> </p>

The next paragraph is interesting because it describes what should happen with 
the subnet:

              ·      If any IPv4 address is given, the host is also allowed to
                     receive packets  to  the  IPv4  local  broadcast  address
                     255.255.255.255   and   to   IPv4   multicast   addresses
                     (224.0.0.0/4).  If an IPv4 address with a mask is  given,
                     the host is also allowed to receive packets to the broad‐
                     cast address in that specified subnet.

Would you mind expanding the tests to make sure that we're testing these 
different combinations both on the send and receive enforcement?  We clearly 
had some gaps before.

Thanks for noticing these issues.

--Justin


_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to