ofproto-dpif-xlate: Add a recursion limit to tunnel address lookup.

In deployments with multiple tunnels, it can be possible to enter an infinite loop where traffic generates an arp/nd lookup which is forwarded to a different tunnel, generating a new arp/nd packet that is send back to the first tunnel. Now the depth counter is incremented for new arp/nd packets, just as happens in xlate_table_action(). Signed-off-by: Mike Pattrick <[email protected]> Signed-off-by: Ilya Maximets <[email protected]>
openvswitch · Aug 9, 2024 · 81e64f4 · 81e64f4
1 parent 7428125
commit 81e64f4
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
@@ -677,6 +677,7 @@ static size_t count_skb_priorities(const struct xport *);
 static bool dscp_from_skb_priority(const struct xport *, uint32_t skb_priority,
  uint8_t *dscp);
 
+static bool xlate_resubmit_resource_check(struct xlate_ctx *);
 static void xlate_xbridge_init(struct xlate_cfg *, struct xbridge *);
 static void xlate_xbundle_init(struct xlate_cfg *, struct xbundle *);
 static void xlate_xport_init(struct xlate_cfg *, struct xport *);
@@ -3655,6 +3656,10 @@ compose_table_xlate(struct xlate_ctx *ctx, const struct xport *out_dev,
  struct ofpact_output output;
  struct flow flow;
 
+ if (!xlate_resubmit_resource_check(ctx)) {
+ return 0;
+ }
+
  ofpact_init(&output.ofpact, OFPACT_OUTPUT, sizeof output);
  flow_extract(packet, &flow);
  flow.in_port.ofp_port = out_dev->ofp_port;
@@ -3663,7 +3668,8 @@ compose_table_xlate(struct xlate_ctx *ctx, const struct xport *out_dev,
 
  return ofproto_dpif_execute_actions__(xbridge->ofproto, version, &flow,
  NULL, &output.ofpact, sizeof output,
- ctx->depth, ctx->resubmits, packet);
+ ctx->depth + 1, ctx->resubmits,
+ packet);
 }
 
 static void