sdn: handle offset>0 fragments when validating service traffic

dcbw · dcbw · commit 454d496a762b · 2017-03-01T00:21:31.000-06:00
By default (set-frag normal) all fragments of a fragmented packet have a port number of 0. This is quite unhelpful; to get the right port number for all fragments requires un-fragmenting the packet with OVS's contrack capability, but this interacts badly with iptables' contrack capability. Instead, use the 'nx-frag' mode which keeps the port numbers in the first fragment of a fragmented packet, and add rules to allow subsequent fragments (with port=0) to pass through. Assume that the destination IP stack will reject offset>0 fragments that arrive without a corresponding offset=0 first fragment. We can't just drop the port checking because services can be manually created with a static service IP address, and perhaps users rely on creating two distinct services with the same service IP address, but differentiated via port numbers. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1419692
diff --git a/pkg/sdn/plugin/controller.go b/pkg/sdn/plugin/controller.go
@@ -225,6 +225,10 @@ func (plugin *OsdnNode) SetupSDN() (bool, error) {
 	if err != nil {
 		return false, err
 	}
+	err = plugin.ovs.SetFrags("nx-match")
+	if err != nil {
+		return false, err
+	}
 	_ = plugin.ovs.DeletePort(VXLAN)
 	_, err = plugin.ovs.AddPort(VXLAN, 1, "type=vxlan", `options:remote_ip="flow"`, `options:key="flow"`)
 	if err != nil {
@@ -458,7 +462,10 @@ func (plugin *OsdnNode) AddServiceRules(service *kapi.Service, netID uint32) {
 
 	otx := plugin.ovs.NewTransaction()
 	for _, port := range service.Spec.Ports {
+		// Add one flow matching port #s for unfragmented packets and the first fragment
 		otx.AddFlow(generateAddServiceRule(netID, service.Spec.ClusterIP, port.Protocol, int(port.Port)))
+		// Add another flow matching port 0 to allow subsequent fragments through
+		otx.AddFlow(generateAddServiceRule(netID, service.Spec.ClusterIP, port.Protocol, int(0)))
 		if err := otx.EndTransaction(); err != nil {
 			glog.Errorf("Error adding OVS flows for service %v, netid %d: %v", service, netID, err)
 		}
@@ -471,6 +478,8 @@ func (plugin *OsdnNode) DeleteServiceRules(service *kapi.Service) {
 	otx := plugin.ovs.NewTransaction()
 	for _, port := range service.Spec.Ports {
 		otx.DeleteFlows(generateDeleteServiceRule(service.Spec.ClusterIP, port.Protocol, int(port.Port)))
+		// Also delete the fragment rule which uses port 0
+		otx.DeleteFlows(generateDeleteServiceRule(service.Spec.ClusterIP, port.Protocol, int(0)))
 		if err := otx.EndTransaction(); err != nil {
 			glog.Errorf("Error deleting OVS flows for service %v: %v", service, err)
 		}
diff --git a/pkg/util/ovs/ovs.go b/pkg/util/ovs/ovs.go
@@ -144,6 +144,11 @@ func (ovsif *Interface) DeletePort(port string) error {
 	return err
 }
 
+func (ovsif *Interface) SetFrags(mode string) error {
+	_, err := ovsif.exec(OVS_OFCTL, "set-frags", ovsif.bridge, mode)
+	return err
+}
+
 type Transaction struct {
 	ovsif *Interface
 	err   error
