tunnel: Clear IPSEC_MARK on input rather than output.

Currently we remove the IPSEC_MARK flag from all packets that are egressing on non-tunnel ports. However, this behavior is confusing if we allow OpenFlow controllers to match and set the pkt_mark field because the tunnel behavior applies even on non-tunnel ports. This instead clears the mark on tunnel input which should have the same effect for tunnel ports. However, on non-tunnel traffic (or even for traffic entering on a tunnel port but leaving on a non- tunnel port) it allows the mark to pass through without change. Signed-off-by: Jesse Gross <[email protected]> Acked-by: Andy Zhou <[email protected]>
Milstein · Aug 13, 2013 · ed2e724 · ed2e724
1 parent 62a7cc7
commit ed2e724
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 5 deletions.
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
@@ -1631,7 +1631,6 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
             out_port = ofp_port_to_odp_port(ctx->xbridge, vlandev_port);
             flow->vlan_tci = htons(0);
         }
-        flow->pkt_mark &= ~IPSEC_MARK;
     }
 
     if (out_port != ODPP_NONE) {

diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
@@ -31,6 +31,9 @@
 
 VLOG_DEFINE_THIS_MODULE(tunnel);
 
+/* skb mark used for IPsec tunnel packets */
+#define IPSEC_MARK 1
+
 struct tnl_match {
     ovs_be64 in_key;
     ovs_be32 ip_src;
@@ -282,6 +285,8 @@ tnl_xlate_init(const struct flow *base_flow, struct flow *flow,
         if (!tnl_ecn_ok(base_flow, flow)) {
             return false;
         }
+
+        flow->pkt_mark &= ~IPSEC_MARK;
     }
 
     return true;

diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
@@ -20,9 +20,6 @@
 #include <stdint.h>
 #include "flow.h"
 
-/* skb mark used for IPsec tunnel packets */
-#define IPSEC_MARK 1
-
 /* Tunnel port emulation layer.
  *
  * These functions emulate tunnel virtual ports based on the outer

diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
@@ -1215,7 +1215,7 @@ Flow: pkt_mark=0x2,skb_priority=0x1,arp,metadata=0,in_port=1,vlan_tci=0x0000,dl_
 AT_CHECK([ovs-appctl ofproto/trace br0 \
   "in_port=2,skb_priority=2,pkt_mark=1" "$pkt2to1"], [0], [stdout],[stderr])
 AT_CHECK([tail -1 stdout], [0], [dnl
-Datapath actions: set(skb_mark(0)),1
+Datapath actions: 1
 ])
 AT_CHECK([head -n 2 stdout], [0], [dnl
 Packet: arp,metadata=0,in_port=0,vlan_tci=0x0000,dl_src=50:54:00:00:00:02,dl_dst=50:54:00:00:00:01,arp_spa=0.0.0.0,arp_tpa=0.0.0.0,arp_sha=00:00:00:00:00:00,arp_tha=00:00:00:00:00:00