Replicate VXLAN UDP sport security to switch level #2195
Merged
tjchadaga merged 1 commit into opencomputeproject:master from Dec 2, 2025
prsunny
reviewed
Aug 21, 2025
hi @marian-pritsak, would it be possible to accept the spelling change for this one?
Collaborator
@marian-pritsak, gentle reminder to address the comments
hello @marian-pritsak, would you please check this one? TY...
Expected to look at this one tomorrow
36cd731 to
0502b78
Compare
Collaborator
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
b36de10 to
b21de56
Compare
Collaborator
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Discussed in meeting w/ @prsunny - AI is to review
prsunny
reviewed
Nov 13, 2025
inc/saitunnel.h
Outdated
| * @brief Tunnel UDP source port | ||
| * | ||
| * See also SAI_TUNNEL_ATTR_VXLAN_UDP_SPORT_SECURITY. | ||
| * This attribute is applied to VXLAN pockets ingressing the switch. If the incoming |
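Review bot: In the description line "This attribute is applied to VXLAN pockets ingressing the switch", "pockets" should read "packets". This sits in the Doxygen comment for the attribute in inc/saitunnel.h, so the misspelling would carry straight into the header documentation that consumers read; please correct it in this hunk.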
Contributor
Author
Fixed, thanks.
prsunny
reviewed
Nov 13, 2025
inc/saiswitch.h
Outdated
| * @brief Tunnel UDP source port | ||
| * | ||
| * See also SAI_SWITCH_TUNNEL_ATTR_VXLAN_UDP_SPORT_SECURITY. | ||
| * This attribute is applied to VXLAN pockets ingressing the switch. If the incoming |
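Review bot: The "See also" line in this inc/saiswitch.h comment names only SAI_SWITCH_TUNNEL_ATTR_VXLAN_UDP_SPORT_SECURITY; since the @brief is the same "Tunnel UDP source port" used in inc/saitunnel.h, consider also pointing to the per-tunnel SAI_TUNNEL_ATTR_VXLAN_UDP_SPORT_SECURITY so readers can find both levels of the check. The same "VXLAN pockets" misspelling ("packets") appears on the following line and should be fixed here as well.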
Contributor
Author
Fixed, thanks.
- Add SAI_SWITCH_TUNNEL_ATTR_VXLAN_UDP_SPORT_SECURITY attribute to drop tunnel packets with UDP source port outside allowed range
- Add documentation for UDP source port validation on VXLAN packet ingress
- Update both saiswitch.h and saitunnel.h with security clarifications
Signed-off-by: Marian Pritsak <marianp@mellanox.com>
b21de56 to
488e27e
Compare
prsunny
approved these changes
Nov 20, 2025
Collaborator
@tjchadaga, would you help merge?
Collaborator
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
tjchadaga
approved these changes
Nov 20, 2025
Collaborator
@JaiOCP, @ashutosh-agrawal, @rck-innovium - could you please help take a quick look?
JaiOCP
added a commit
to JaiOCP/SAI
that referenced
this pull request
Dec 19, 2025
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
CSIG Port and Switch Attributes
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
CSIG ACL Attributes
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
CSIG TAM Attributes
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
CSIG Time Interval Unit
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
CSIG Document
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
CSIG Document
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
CSIG Document
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
Fix: "INVAILD" typo in enum '_sai_dash_flow_entry_bulk_get_session_filter_key_t' (opencomputeproject#2224)
This PR fixes a typo in the enum definition for dash_flow_entry_bulk_get_session_filter_key_t where the member INVAILD is corrected to INVALID.
Changes:
saitypesextensions.h: Renamed enum member INVAILD → INVALID.
Following will be pushed to DASH's repo once these SAI repo changes are merged.
dash_headers.p4: Renamed enum member INVAILD → INVALID.
Non UEC Member Agreement Form (opencomputeproject#2226)
Signed-off-by: JaiOCP <jai.kumar@broadcom.com>
Seamless BFD (S-BFD) (opencomputeproject#2220)
Signed-off-by: Jason Bos <jbos@cisco.com>
Replicate VXLAN UDP sport security to switch level (opencomputeproject#2195)
- Add SAI_SWITCH_TUNNEL_ATTR_VXLAN_UDP_SPORT_SECURITY attribute to drop tunnel packets with UDP source port outside allowed range
- Add documentation for UDP source port validation on VXLAN packet ingress
- Update both saiswitch.h and saitunnel.h with security clarifications
Signed-off-by: Marian Pritsak <marianp@mellanox.com>
SRv6 SID Marking (opencomputeproject#2222)
* SID Marking APIs
Signed-off-by: Jason Bos <jbos@cisco.com>
[DASH] Add flow bulk get session event data struct (opencomputeproject#2175)
* [DASH] Add flow bulk get session event data struct
Add flow bulk get event callback and supporting structures to provide ability to query flows in asynchronous manner.
Introducing SAI_PORT_ATTR_PORT_PG_PKT_DROP_STATUS (opencomputeproject#2234)
In this map, the key is the PG index and the status value (clear-on-read) for each PG is from {0, 1}, where 0 indicates no drops were observed and 1 indicates packet drops.
Signed-off-by: Prasun Sinha <prasunsinha@google.com>
Add flow entry to the bulk session event data (opencomputeproject#2237)
Add the ability to query the flows with the bulk get session event data callback.
The commit contains a fix for bad ordering of classes generated by Thrift compiler for the nested structures used in this callback.
Signed-off-by: Marian Pritsak <marianp@mellanox.com>
tjchadaga
pushed a commit
that referenced
this pull request
Jan 5, 2026
- Add SAI_SWITCH_TUNNEL_ATTR_VXLAN_UDP_SPORT_SECURITY attribute to drop tunnel packets with UDP source port outside allowed range
- Add documentation for UDP source port validation on VXLAN packet ingress
- Update both saiswitch.h and saitunnel.h with security clarifications
Signed-off-by: Marian Pritsak <marianp@mellanox.com>