Bug 1165: ContainerFlow boundary is not always enforced for vlans
- When a flow add is requested, ForwardingRulesManager checks whether
the requested flow complies with the ContainerFlow(s) for the current container.
The check is performed by ContainerFlow.allowsFlow(Flow x).
This function checks if the Match portion of the passed Flow does conflict with the
container flow (which is a Match itself). It then checks whether the Flow's Actions
are allowed by the container flow (this is to avoid cross-container redirection of traffic).
In order to do so, it constructs a Match which summarizes the actions, then it checks if
it conflicts with the container flow Match.
BUG: During this last step, it fails to account for the SetVlan actions.
Because of the above bug, an app/user can install a flow which leaks traffic from one
container to another, when the containers' flows specify vlan as boundary.
Change-Id: Id5a5e60c190b4353ed1fd76966e885a021ee4d2a
Signed-off-by: Alessandro Boch <aboch@cisco.com>
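
The check described in the commit message, as an added example that is not part of the commit or of the OpenDaylight code base: a simplified model in which the action summary either omits or includes the VLAN rewrite. All class, method and field names, the conflict rule (same field pinned to different values) and the VLAN ids are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of the check described in the commit message; the names
// below are hypothetical and are not the OpenDaylight controller's API.
public class ContainerVlanBoundary {
    enum Field { IN_PORT, DL_VLAN, NW_DST }

    // An action that rewrites one header field of the packet.
    record SetField(Field field, int value) {}

    // Assumed conflict rule: both matches pin the same field to different values.
    static boolean conflicts(Map<Field, Integer> a, Map<Field, Integer> b) {
        for (Map.Entry<Field, Integer> e : a.entrySet()) {
            Integer other = b.get(e.getKey());
            if (other != null && !other.equals(e.getValue())) return true;
        }
        return false;
    }

    // Summarize the actions as a match on the packet header after the rewrite.
    // With includeVlan == false the VLAN rewrite is skipped, as in the bug.
    static Map<Field, Integer> summarize(List<SetField> actions, boolean includeVlan) {
        Map<Field, Integer> m = new EnumMap<>(Field.class);
        for (SetField a : actions) {
            if (a.field() == Field.DL_VLAN && !includeVlan) continue;
            m.put(a.field(), a.value());
        }
        return m;
    }

    // A flow is allowed when neither its match nor its action summary
    // conflicts with the container flow.
    static boolean allowsFlow(Map<Field, Integer> containerFlow, Map<Field, Integer> match,
                              List<SetField> actions, boolean includeVlan) {
        return !conflicts(match, containerFlow)
            && !conflicts(summarize(actions, includeVlan), containerFlow);
    }

    public static void main(String[] args) {
        // Constructed sample: the container's boundary is vlan 100.
        Map<Field, Integer> containerFlow = Map.of(Field.DL_VLAN, 100);
        Map<Field, Integer> match = Map.of(Field.DL_VLAN, 100);
        // The flow's action retags the traffic to a vlan outside the container.
        List<SetField> actions = List.of(new SetField(Field.DL_VLAN, 200));
        System.out.println("summary without SetVlan allows flow: "
            + allowsFlow(containerFlow, match, actions, false));
        System.out.println("summary with SetVlan allows flow: "
            + allowsFlow(containerFlow, match, actions, true));
    }
}
```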