On Tue, Apr 18, 2017 at 10:29:50AM -0400, Eric Garver wrote:
> On Tue, Apr 18, 2017 at 12:17:17PM +0800, Dickens Yeh wrote:
> > Thanks for your response.
> > I know that if I have to match multiple vlan tags, it has to pop the outer
> > vlan.
> > But I think my question are not the matching vlan tags in multiple vlan, my
> > question is matching the first vlan tag and the correct ethertype that
> > OpenFlow Spec defined ( the ethertype after all vlan tags ), not the case
> > that match multiple vlan tags in a single flow entry.
> >
> > For example, that packet header like
> > ffffffffffff000000000012 8100 00d0 8060 001080006040001000000000012c0a
> > 80202000000000000c0a80302
> > In the view of ethernet, the ethertype should be 8100, that's not a problem.
> > In the view of openflow spec match, the ethertype should be 0806 ( ARP ),
> > the ethertype match after vlan tags
> > In the view of OVS match, the ethertype is 0806, the result is matching with
> > spec.
> >
> > Then, if the packet header like
> > ffffffffffff000000000012 88a8 00c0 8100 00d0 8060
> > 001080006040001000000000012c0a80202000000000000c0a80302
> > In the view of ethernet, the ethertype should be 88a8, the same result with
> > one vlan tag.
> > In the view of openflow spec match, the ethertype should be 0806 ( ARP )
> > In the view of OVS match, the ethertype is 8100, not 0806.
>
> This is true if vlan-limit == 1, which is the default.
> If vlan-limit > 1, then dl_type would be 0x0806. As I indicated earlier,
> vlan-limit is new with 802.1ad support.
>
> > I think the result is strange, but I don't know that it's an issue or
> > something else.
>
> Strange or not, it's this way because OVS used to only support a single
> VLAN tag. It didn't know how to keep looking for the "true" Ethertype.
It's also a security risk if OVS skips over VLAN tags and indicates the innermost Ethertype, because it means that the controller has no way to tell that it's forwarding a packet with additional VLANs that might have arbitrary semantics to the receivers. On the other hand, with a VLAN Ethertype when the maximum number of VLANs is surpassed, the controller can detect and drop such packets.
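
The parsing behaviour discussed in this thread, as a simplified model added here as an example (it is not OVS code and not from any poster): at most `vlan_limit` VLAN headers are parsed, and whatever Ethertype follows becomes `dl_type`, so a VLAN TPID in `dl_type` signals unparsed tags a controller can drop on. The function names and both frames are constructed for illustration, and the model assumes `vlan_limit >= 1`.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag Ethertypes
ETH_TYPE_ARP = 0x0806


def build_frame(tags, eth_type, payload=b"\x00" * 28):
    """Build a constructed test frame: broadcast dst, src 00:00:00:00:00:12."""
    hdr = b"\xff" * 6 + bytes.fromhex("000000000012")
    for tpid, tci in tags:
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", eth_type) + payload


def extract_dl_type(frame, vlan_limit=1):
    """Return (tcis, dl_type), parsing at most vlan_limit VLAN headers."""
    if vlan_limit < 1:
        raise ValueError("this model assumes vlan_limit >= 1")
    off, tcis = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (eth_type,) = struct.unpack_from("!H", frame, off)
        # Stop at the first non-VLAN Ethertype, or once the limit is reached.
        if eth_type not in VLAN_TPIDS or len(tcis) == vlan_limit:
            return tcis, eth_type
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN header")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tcis.append(tci)
        off += 4


def controller_should_drop(dl_type):
    """A VLAN TPID as dl_type means tags beyond the limit were not parsed."""
    return dl_type in VLAN_TPIDS


# Constructed frames: one 802.1Q tag, and an 802.1ad outer + 802.1Q inner tag.
SINGLE = build_frame([(0x8100, 0x000D)], ETH_TYPE_ARP)
DOUBLE = build_frame([(0x88A8, 0x000C), (0x8100, 0x000D)], ETH_TYPE_ARP)

if __name__ == "__main__":
    for name, frame in (("single", SINGLE), ("double", DOUBLE)):
        for limit in (1, 2):
            tcis, dl_type = extract_dl_type(frame, limit)
            print(name, limit, [hex(t) for t in tcis], hex(dl_type),
                  "drop" if controller_should_drop(dl_type) else "ok")
```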