Filter disallowed outbound multicast

danwinship · danwinship · commit 8311af37bf5d · 2017-01-24T11:37:30.000-05:00
To avoid DoS attacks, we should filter out disallowed outbound
multicast packets on the sending end, not just on the receiving end.
diff --git a/pkg/sdn/plugin/controller.go b/pkg/sdn/plugin/controller.go
@@ -313,10 +313,14 @@ func (plugin *OsdnNode) SetupSDN() (bool, error) {
 	// eg, "table=100, reg0=${tenant_id}, priority=2, ip, nw_dst=${external_cidr}, actions=drop
 	otx.AddFlow("table=100, priority=0, actions=output:2")
 
-	// Table 110: multicast delivery from local pods to the VXLAN; only one rule, updated by updateVXLANMulticastRules() in subnets.go
-	// eg, "table=110, priority=100, actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:${remote_node_ip_1}->tun_dst,output:1,set_field:${remote_node_ip_2}->tun_dst,output:1,goto_table:120"
+	// Table 110: outbound multicast filtering, updated by updateLocalMulticastFlows() in pod.go
+	// eg, "table=110, priority=100, reg0=${tenant_id}, actions=goto_table:111
 	otx.AddFlow("table=110, priority=0, actions=drop")
 
+	// Table 111: multicast delivery from local pods to the VXLAN; only one rule, updated by updateVXLANMulticastRules() in subnets.go
+	// eg, "table=111, priority=100, actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31],set_field:${remote_node_ip_1}->tun_dst,output:1,set_field:${remote_node_ip_2}->tun_dst,output:1,goto_table:120"
+	otx.AddFlow("table=111, priority=0, actions=drop")
+
 	// Table 120: multicast delivery to local pods (either from VXLAN or local pods); updated by updateLocalMulticastFlows() in pod.go
 	// eg, "table=120, priority=100, reg0=${tenant_id}, actions=output:${ovs_port_1},output:${ovs_port_2}"
 	otx.AddFlow("table=120, priority=0, actions=drop")
diff --git a/pkg/sdn/plugin/pod.go b/pkg/sdn/plugin/pod.go
@@ -206,10 +206,13 @@ func localMulticastOutputs(runningPods map[string]*runningPod, vnid uint32) stri
 
 func (m *podManager) updateLocalMulticastRulesWithLock(vnid uint32) {
 	var outputs string
+	otx := m.ovs.NewTransaction()
 	if m.policy.GetMCEnabled(vnid) {
 		outputs = localMulticastOutputs(m.runningPods, vnid)
+		otx.AddFlow("table=110, reg0=%d, actions=goto_table:111", vnid)
+	} else {
+		otx.DeleteFlows("table=110, reg0=%d", vnid)
 	}
-	otx := m.ovs.NewTransaction()
 	if len(outputs) > 0 {
 		otx.AddFlow("table=120, priority=100, reg0=%d, actions=%s", vnid, outputs)
 	} else {
diff --git a/pkg/sdn/plugin/subnets.go b/pkg/sdn/plugin/subnets.go
@@ -272,7 +272,7 @@ func (plugin *OsdnNode) updateVXLANMulticastRules(subnets hostSubnetMap) {
 			tun_dsts += fmt.Sprintf(",set_field:%s->tun_dst,output:1", subnet.HostIP)
 		}
 	}
-	otx.AddFlow("table=110, priority=100, actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31]%s,goto_table:120", tun_dsts)
+	otx.AddFlow("table=111, priority=100, actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31]%s,goto_table:120", tun_dsts)
 
 	if err := otx.EndTransaction(); err != nil {
 		log.Errorf("Error updating OVS VXLAN multicast flows: %v", err)

Original file line number	Diff line number	Diff line change
`@@ -272,7 +272,7 @@ func (plugin *OsdnNode) updateVXLANMulticastRules(subnets hostSubnetMap) {`
`272`	`272`	`tun_dsts += fmt.Sprintf(",set_field:%s->tun_dst,output:1", subnet.HostIP)`
`273`	`273`	`}`
`274`	`274`	`}`
`275`		`- otx.AddFlow("table=110, priority=100, actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31]%s,goto_table:120", tun_dsts)`
	`275`	`+ otx.AddFlow("table=111, priority=100, actions=move:NXM_NX_REG0[]->NXM_NX_TUN_ID[0..31]%s,goto_table:120", tun_dsts)`
`276`	`276`
`277`	`277`	`if err := otx.EndTransaction(); err != nil {`
`278`	`278`	`log.Errorf("Error updating OVS VXLAN multicast flows: %v", err)`