| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | /*
 | 
					
						
							| 
									
										
										
										
											2014-05-09 18:18:17 -07:00
										 |  |  |  |  * Copyright (c) 2011, 2012, 2013, 2014 Nicira, Inc. | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |  * | 
					
						
							|  |  |  |  |  * Licensed under the Apache License, Version 2.0 (the "License"); | 
					
						
							|  |  |  |  |  * you may not use this file except in compliance with the License. | 
					
						
							|  |  |  |  |  * You may obtain a copy of the License at: | 
					
						
							|  |  |  |  |  * | 
					
						
							|  |  |  |  |  *     http://www.apache.org/licenses/LICENSE-2.0
 | 
					
						
							|  |  |  |  |  * | 
					
						
							|  |  |  |  |  * Unless required by applicable law or agreed to in writing, software | 
					
						
							|  |  |  |  |  * distributed under the License is distributed on an "AS IS" BASIS, | 
					
						
							|  |  |  |  |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 
					
						
							|  |  |  |  |  * See the License for the specific language governing permissions and | 
					
						
							|  |  |  |  |  * limitations under the License. | 
					
						
							|  |  |  |  |  */ | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | #include <config.h>
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | #include "meta-flow.h"
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | #include <errno.h>
 | 
					
						
							|  |  |  |  | #include <limits.h>
 | 
					
						
							|  |  |  |  | #include <netinet/icmp6.h>
 | 
					
						
							|  |  |  |  | #include <netinet/ip6.h>
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | #include "classifier.h"
 | 
					
						
							|  |  |  |  | #include "dynamic-string.h"
 | 
					
						
							| 
									
										
										
										
											2014-09-16 22:13:44 -07:00
										 |  |  |  | #include "nx-match.h"
 | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  | #include "ofp-errors.h"
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | #include "ofp-util.h"
 | 
					
						
							| 
									
										
										
										
											2013-04-15 15:30:03 -07:00
										 |  |  |  | #include "ovs-thread.h"
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | #include "packets.h"
 | 
					
						
							|  |  |  |  | #include "random.h"
 | 
					
						
							|  |  |  |  | #include "shash.h"
 | 
					
						
							|  |  |  |  | #include "socket-util.h"
 | 
					
						
							|  |  |  |  | #include "unaligned.h"
 | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  | #include "vlog.h"
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | VLOG_DEFINE_THIS_MODULE(meta_flow); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-12-11 11:07:01 -08:00
										 |  |  |  | #define FLOW_U32OFS(FIELD)                                              \
 | 
					
						
							|  |  |  |  |     offsetof(struct flow, FIELD) % 4 ? -1 : offsetof(struct flow, FIELD) / 4 | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | #define MF_FIELD_SIZES(MEMBER)                  \
 | 
					
						
							|  |  |  |  |     sizeof ((union mf_value *)0)->MEMBER,       \ | 
					
						
							|  |  |  |  |     8 * sizeof ((union mf_value *)0)->MEMBER | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-24 13:19:27 -07:00
										 |  |  |  | extern const struct mf_field mf_fields[MFF_N_IDS]; /* Silence a warning. */ | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | const struct mf_field mf_fields[MFF_N_IDS] = { | 
					
						
							| 
									
										
										
										
											2014-10-07 15:24:11 -07:00
										 |  |  |  | #include "meta-flow.inc"
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | }; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-15 15:30:03 -07:00
										 |  |  |  | /* Maps from an mf_field's 'name' or 'extra_name' to the mf_field. */ | 
					
						
							|  |  |  |  | static struct shash mf_by_name; | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  | /* Rate limit for parse errors.  These always indicate a bug in an OpenFlow
 | 
					
						
							|  |  |  |  |  * controller and so there's not much point in showing a lot of them. */ | 
					
						
							|  |  |  |  | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5); | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-15 15:30:03 -07:00
										 |  |  |  | static void nxm_init(void); | 
					
						
							| 
									
										
										
										
											2012-06-26 10:52:34 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | /* Returns the field with the given 'name', or a null pointer if no field has
 | 
					
						
							|  |  |  |  |  * that name. */ | 
					
						
							|  |  |  |  | const struct mf_field * | 
					
						
							|  |  |  |  | mf_from_name(const char *name) | 
					
						
							|  |  |  |  | { | 
					
						
							| 
									
										
										
										
											2013-04-15 15:30:03 -07:00
										 |  |  |  |     nxm_init(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     return shash_find_data(&mf_by_name, name); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  | static void | 
					
						
							| 
									
										
										
										
											2013-04-15 15:30:03 -07:00
										 |  |  |  | nxm_do_init(void) | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  | { | 
					
						
							| 
									
										
										
										
											2013-10-15 08:35:39 -07:00
										 |  |  |  |     int i; | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-15 15:30:03 -07:00
										 |  |  |  |     shash_init(&mf_by_name); | 
					
						
							| 
									
										
										
										
											2013-10-15 08:35:39 -07:00
										 |  |  |  |     for (i = 0; i < MFF_N_IDS; i++) { | 
					
						
							|  |  |  |  |         const struct mf_field *mf = &mf_fields[i]; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         ovs_assert(mf->id == i); /* Fields must be in the enum order. */ | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-15 15:30:03 -07:00
										 |  |  |  |         shash_add_once(&mf_by_name, mf->name, mf); | 
					
						
							|  |  |  |  |         if (mf->extra_name) { | 
					
						
							|  |  |  |  |             shash_add_once(&mf_by_name, mf->extra_name, mf); | 
					
						
							|  |  |  |  |         } | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-15 15:30:03 -07:00
										 |  |  |  | static void | 
					
						
							|  |  |  |  | nxm_init(void) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     static pthread_once_t once = PTHREAD_ONCE_INIT; | 
					
						
							|  |  |  |  |     pthread_once(&once, nxm_do_init); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | /* Returns true if 'wc' wildcards all the bits in field 'mf', false if 'wc'
 | 
					
						
							|  |  |  |  |  * specifies at least one bit in the field. | 
					
						
							|  |  |  |  |  * | 
					
						
							|  |  |  |  |  * The caller is responsible for ensuring that 'wc' corresponds to a flow that | 
					
						
							|  |  |  |  |  * meets 'mf''s prerequisites. */ | 
					
						
							|  |  |  |  | bool | 
					
						
							|  |  |  |  | mf_is_all_wild(const struct mf_field *mf, const struct flow_wildcards *wc) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     switch (mf->id) { | 
					
						
							| 
									
										
										
										
											2014-03-04 14:20:19 -08:00
										 |  |  |  |     case MFF_DP_HASH: | 
					
						
							|  |  |  |  |         return !wc->masks.dp_hash; | 
					
						
							|  |  |  |  |     case MFF_RECIRC_ID: | 
					
						
							|  |  |  |  |         return !wc->masks.recirc_id; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_SRC: | 
					
						
							| 
									
										
										
										
											2013-05-09 15:24:16 +03:00
										 |  |  |  |         return !wc->masks.tunnel.ip_src; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_DST: | 
					
						
							| 
									
										
										
										
											2013-05-09 15:24:16 +03:00
										 |  |  |  |         return !wc->masks.tunnel.ip_dst; | 
					
						
							|  |  |  |  |     case MFF_TUN_ID: | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_TOS: | 
					
						
							|  |  |  |  |     case MFF_TUN_TTL: | 
					
						
							|  |  |  |  |     case MFF_TUN_FLAGS: | 
					
						
							| 
									
										
										
										
											2012-09-13 20:11:08 -07:00
										 |  |  |  |         return !wc->masks.tunnel.tun_id; | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |     case MFF_METADATA: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.metadata; | 
					
						
							| 
									
										
										
										
											2012-08-03 13:27:15 -07:00
										 |  |  |  |     case MFF_IN_PORT: | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |     case MFF_IN_PORT_OXM: | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         return !wc->masks.in_port.ofp_port; | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |     case MFF_SKB_PRIORITY: | 
					
						
							|  |  |  |  |         return !wc->masks.skb_priority; | 
					
						
							| 
									
										
										
										
											2013-08-06 12:57:13 -07:00
										 |  |  |  |     case MFF_PKT_MARK: | 
					
						
							|  |  |  |  |         return !wc->masks.pkt_mark; | 
					
						
							| 
									
										
										
										
											2012-06-27 07:23:25 -07:00
										 |  |  |  |     CASE_MFF_REGS: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.regs[mf->id - MFF_REG0]; | 
					
						
							| 
									
										
										
										
											2014-07-28 09:50:37 -07:00
										 |  |  |  |     CASE_MFF_XREGS: | 
					
						
							|  |  |  |  |         return !flow_get_xreg(&wc->masks, mf->id - MFF_XREG0); | 
					
						
							| 
									
										
										
										
											2014-11-03 14:24:01 -08:00
										 |  |  |  |     case MFF_ACTSET_OUTPUT: | 
					
						
							|  |  |  |  |         return !wc->masks.actset_output; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-05-29 00:38:21 +12:00
										 |  |  |  |     case MFF_ETH_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return eth_addr_is_zero(wc->masks.dl_src); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ETH_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return eth_addr_is_zero(wc->masks.dl_dst); | 
					
						
							| 
									
										
										
										
											2012-06-18 13:33:13 -07:00
										 |  |  |  |     case MFF_ETH_TYPE: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.dl_type; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-19 09:21:49 -07:00
										 |  |  |  |     case MFF_ARP_SHA: | 
					
						
							|  |  |  |  |     case MFF_ND_SLL: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return eth_addr_is_zero(wc->masks.arp_sha); | 
					
						
							| 
									
										
										
										
											2012-07-19 09:21:49 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_THA: | 
					
						
							|  |  |  |  |     case MFF_ND_TLL: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return eth_addr_is_zero(wc->masks.arp_tha); | 
					
						
							| 
									
										
										
										
											2012-07-19 09:21:49 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_VLAN_TCI: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.vlan_tci; | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !(wc->masks.vlan_tci & htons(VLAN_VID_MASK)); | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_VID: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !(wc->masks.vlan_tci & htons(VLAN_VID_MASK | VLAN_CFI)); | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !(wc->masks.vlan_tci & htons(VLAN_PCP_MASK)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_LABEL: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         return !(wc->masks.mpls_lse[0] & htonl(MPLS_LABEL_MASK)); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_TC: | 
					
						
							| 
									
										
										
										
											2014-10-06 14:12:57 -07:00
										 |  |  |  |         return !(wc->masks.mpls_lse[0] & htonl(MPLS_TC_MASK)); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_BOS: | 
					
						
							| 
									
										
										
										
											2014-10-06 14:12:57 -07:00
										 |  |  |  |         return !(wc->masks.mpls_lse[0] & htonl(MPLS_BOS_MASK)); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IPV4_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.nw_src; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IPV4_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.nw_dst; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return ipv6_mask_is_any(&wc->masks.ipv6_src); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IPV6_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return ipv6_mask_is_any(&wc->masks.ipv6_dst); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-18 12:02:19 +09:00
										 |  |  |  |     case MFF_IPV6_LABEL: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.ipv6_label; | 
					
						
							| 
									
										
										
										
											2012-07-18 12:02:19 +09:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-18 14:12:52 -07:00
										 |  |  |  |     case MFF_IP_PROTO: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.nw_proto; | 
					
						
							| 
									
										
										
										
											2012-06-18 14:11:13 -07:00
										 |  |  |  |     case MFF_IP_DSCP: | 
					
						
							| 
									
										
										
										
											2013-04-18 09:40:48 -07:00
										 |  |  |  |     case MFF_IP_DSCP_SHIFTED: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !(wc->masks.nw_tos & IP_DSCP_MASK); | 
					
						
							| 
									
										
										
										
											2012-06-18 14:11:13 -07:00
										 |  |  |  |     case MFF_IP_ECN: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !(wc->masks.nw_tos & IP_ECN_MASK); | 
					
						
							| 
									
										
										
										
											2012-06-18 11:36:03 -07:00
										 |  |  |  |     case MFF_IP_TTL: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.nw_ttl; | 
					
						
							| 
									
										
										
										
											2012-06-18 14:11:13 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-04-25 15:48:40 -07:00
										 |  |  |  |     case MFF_ND_TARGET: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return ipv6_mask_is_any(&wc->masks.nd_target); | 
					
						
							| 
									
										
										
										
											2012-04-25 15:48:40 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     case MFF_IP_FRAG: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !(wc->masks.nw_frag & FLOW_NW_FRAG_MASK); | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-18 14:12:52 -07:00
										 |  |  |  |     case MFF_ARP_OP: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.nw_proto; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ARP_SPA: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.nw_src; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ARP_TPA: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.nw_dst; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-01-27 17:16:05 -08:00
										 |  |  |  |     case MFF_TCP_SRC: | 
					
						
							|  |  |  |  |     case MFF_UDP_SRC: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_SRC: | 
					
						
							| 
									
										
										
										
											2012-01-27 17:16:05 -08:00
										 |  |  |  |     case MFF_ICMPV4_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_TYPE: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.tp_src; | 
					
						
							| 
									
										
										
										
											2012-01-27 17:16:05 -08:00
										 |  |  |  |     case MFF_TCP_DST: | 
					
						
							|  |  |  |  |     case MFF_UDP_DST: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_DST: | 
					
						
							| 
									
										
										
										
											2012-01-27 17:16:05 -08:00
										 |  |  |  |     case MFF_ICMPV4_CODE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_CODE: | 
					
						
							| 
									
										
										
										
											2012-08-07 13:38:38 -07:00
										 |  |  |  |         return !wc->masks.tp_dst; | 
					
						
							| 
									
										
										
										
											2013-10-28 13:54:40 -07:00
										 |  |  |  |     case MFF_TCP_FLAGS: | 
					
						
							|  |  |  |  |         return !wc->masks.tcp_flags; | 
					
						
							| 
									
										
										
										
											2012-01-27 17:16:05 -08:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_N_IDS: | 
					
						
							|  |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | /* Initializes 'mask' with the wildcard bit pattern for field 'mf' within 'wc'.
 | 
					
						
							|  |  |  |  |  * Each bit in 'mask' will be set to 1 if the bit is significant for matching | 
					
						
							|  |  |  |  |  * purposes, or to 0 if it is wildcarded. | 
					
						
							|  |  |  |  |  * | 
					
						
							|  |  |  |  |  * The caller is responsible for ensuring that 'wc' corresponds to a flow that | 
					
						
							|  |  |  |  |  * meets 'mf''s prerequisites. */ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_get_mask(const struct mf_field *mf, const struct flow_wildcards *wc, | 
					
						
							|  |  |  |  |             union mf_value *mask) | 
					
						
							|  |  |  |  | { | 
					
						
							| 
									
										
										
										
											2012-12-18 09:45:02 -08:00
										 |  |  |  |     mf_get_value(mf, &wc->masks, mask); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | /* Tests whether 'mask' is a valid wildcard bit pattern for 'mf'.  Returns true
 | 
					
						
							|  |  |  |  |  * if the mask is valid, false otherwise. */ | 
					
						
							|  |  |  |  | bool | 
					
						
							|  |  |  |  | mf_is_mask_valid(const struct mf_field *mf, const union mf_value *mask) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     switch (mf->maskable) { | 
					
						
							|  |  |  |  |     case MFM_NONE: | 
					
						
							| 
									
										
										
										
											2014-09-05 15:44:19 -07:00
										 |  |  |  |         return (is_all_zeros(mask, mf->n_bytes) || | 
					
						
							|  |  |  |  |                 is_all_ones(mask, mf->n_bytes)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFM_FULLY: | 
					
						
							|  |  |  |  |         return true; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |     OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | /* Returns true if 'flow' meets the prerequisites for 'mf', false otherwise. */ | 
					
						
							|  |  |  |  | bool | 
					
						
							|  |  |  |  | mf_are_prereqs_ok(const struct mf_field *mf, const struct flow *flow) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     switch (mf->prereqs) { | 
					
						
							|  |  |  |  |     case MFP_NONE: | 
					
						
							|  |  |  |  |         return true; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFP_ARP: | 
					
						
							| 
									
										
										
										
											2012-11-02 11:43:46 -07:00
										 |  |  |  |       return (flow->dl_type == htons(ETH_TYPE_ARP) || | 
					
						
							|  |  |  |  |               flow->dl_type == htons(ETH_TYPE_RARP)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFP_IPV4: | 
					
						
							|  |  |  |  |         return flow->dl_type == htons(ETH_TYPE_IP); | 
					
						
							|  |  |  |  |     case MFP_IPV6: | 
					
						
							|  |  |  |  |         return flow->dl_type == htons(ETH_TYPE_IPV6); | 
					
						
							| 
									
										
										
										
											2012-07-23 11:36:44 +09:00
										 |  |  |  |     case MFP_VLAN_VID: | 
					
						
							| 
									
										
										
										
											2012-07-24 15:43:27 -07:00
										 |  |  |  |         return (flow->vlan_tci & htons(VLAN_CFI)) != 0; | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFP_MPLS: | 
					
						
							|  |  |  |  |         return eth_type_mpls(flow->dl_type); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFP_IP_ANY: | 
					
						
							|  |  |  |  |         return is_ip_any(flow); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFP_TCP: | 
					
						
							|  |  |  |  |         return is_ip_any(flow) && flow->nw_proto == IPPROTO_TCP; | 
					
						
							|  |  |  |  |     case MFP_UDP: | 
					
						
							|  |  |  |  |         return is_ip_any(flow) && flow->nw_proto == IPPROTO_UDP; | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFP_SCTP: | 
					
						
							|  |  |  |  |         return is_ip_any(flow) && flow->nw_proto == IPPROTO_SCTP; | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFP_ICMPV4: | 
					
						
							|  |  |  |  |         return is_icmpv4(flow); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFP_ICMPV6: | 
					
						
							|  |  |  |  |         return is_icmpv6(flow); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFP_ND: | 
					
						
							|  |  |  |  |         return (is_icmpv6(flow) | 
					
						
							| 
									
										
										
										
											2011-10-05 11:06:12 -07:00
										 |  |  |  |                 && flow->tp_dst == htons(0) | 
					
						
							|  |  |  |  |                 && (flow->tp_src == htons(ND_NEIGHBOR_SOLICIT) || | 
					
						
							|  |  |  |  |                     flow->tp_src == htons(ND_NEIGHBOR_ADVERT))); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFP_ND_SOLICIT: | 
					
						
							|  |  |  |  |         return (is_icmpv6(flow) | 
					
						
							| 
									
										
										
										
											2011-10-05 11:06:12 -07:00
										 |  |  |  |                 && flow->tp_dst == htons(0) | 
					
						
							|  |  |  |  |                 && (flow->tp_src == htons(ND_NEIGHBOR_SOLICIT))); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFP_ND_ADVERT: | 
					
						
							|  |  |  |  |         return (is_icmpv6(flow) | 
					
						
							| 
									
										
										
										
											2011-10-05 11:06:12 -07:00
										 |  |  |  |                 && flow->tp_dst == htons(0) | 
					
						
							|  |  |  |  |                 && (flow->tp_src == htons(ND_NEIGHBOR_ADVERT))); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |     OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-15 12:40:37 -07:00
										 |  |  |  | /* Set field and it's prerequisities in the mask.
 | 
					
						
							|  |  |  |  |  * This is only ever called for writeable 'mf's, but we do not make the | 
					
						
							|  |  |  |  |  * distinction here. */ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_mask_field_and_prereqs(const struct mf_field *mf, struct flow *mask) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     static const union mf_value exact_match_mask = MF_EXACT_MASK_INITIALIZER; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     mf_set_flow_value(mf, &exact_match_mask, mask); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     switch (mf->prereqs) { | 
					
						
							|  |  |  |  |     case MFP_ND: | 
					
						
							|  |  |  |  |     case MFP_ND_SOLICIT: | 
					
						
							|  |  |  |  |     case MFP_ND_ADVERT: | 
					
						
							|  |  |  |  |         mask->tp_src = OVS_BE16_MAX; | 
					
						
							|  |  |  |  |         mask->tp_dst = OVS_BE16_MAX; | 
					
						
							|  |  |  |  |         /* Fall through. */ | 
					
						
							|  |  |  |  |     case MFP_TCP: | 
					
						
							|  |  |  |  |     case MFP_UDP: | 
					
						
							|  |  |  |  |     case MFP_SCTP: | 
					
						
							|  |  |  |  |     case MFP_ICMPV4: | 
					
						
							|  |  |  |  |     case MFP_ICMPV6: | 
					
						
							|  |  |  |  |         mask->nw_proto = 0xff; | 
					
						
							|  |  |  |  |         /* Fall through. */ | 
					
						
							|  |  |  |  |     case MFP_ARP: | 
					
						
							|  |  |  |  |     case MFP_IPV4: | 
					
						
							|  |  |  |  |     case MFP_IPV6: | 
					
						
							|  |  |  |  |     case MFP_MPLS: | 
					
						
							|  |  |  |  |     case MFP_IP_ANY: | 
					
						
							|  |  |  |  |         mask->dl_type = OVS_BE16_MAX; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFP_VLAN_VID: | 
					
						
							|  |  |  |  |         mask->vlan_tci |= htons(VLAN_CFI); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFP_NONE: | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | /* Returns true if 'value' may be a valid value *as part of a masked match*,
 | 
					
						
							|  |  |  |  |  * false otherwise. | 
					
						
							|  |  |  |  |  * | 
					
						
							|  |  |  |  |  * A value is not rejected just because it is not valid for the field in | 
					
						
							|  |  |  |  |  * question, but only if it doesn't make sense to test the bits in question at | 
					
						
							|  |  |  |  |  * all.  For example, the MFF_VLAN_TCI field will never have a nonzero value | 
					
						
							|  |  |  |  |  * without the VLAN_CFI bit being set, but we can't reject those values because | 
					
						
							|  |  |  |  |  * it is still legitimate to test just for those bits (see the documentation | 
					
						
							|  |  |  |  |  * for NXM_OF_VLAN_TCI in nicira-ext.h).  On the other hand, there is never a | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |  * reason to set the low bit of MFF_IP_DSCP to 1, so we reject that. */ | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | bool | 
					
						
							|  |  |  |  | mf_is_value_valid(const struct mf_field *mf, const union mf_value *value) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     switch (mf->id) { | 
					
						
							| 
									
										
										
										
											2014-03-04 14:20:19 -08:00
										 |  |  |  |     case MFF_DP_HASH: | 
					
						
							|  |  |  |  |     case MFF_RECIRC_ID: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_TUN_ID: | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_SRC: | 
					
						
							|  |  |  |  |     case MFF_TUN_DST: | 
					
						
							|  |  |  |  |     case MFF_TUN_TOS: | 
					
						
							|  |  |  |  |     case MFF_TUN_TTL: | 
					
						
							|  |  |  |  |     case MFF_TUN_FLAGS: | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |     case MFF_METADATA: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IN_PORT: | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |     case MFF_SKB_PRIORITY: | 
					
						
							| 
									
										
										
										
											2013-08-06 12:57:13 -07:00
										 |  |  |  |     case MFF_PKT_MARK: | 
					
						
							| 
									
										
										
										
											2012-06-27 07:23:25 -07:00
										 |  |  |  |     CASE_MFF_REGS: | 
					
						
							| 
									
										
										
										
											2014-07-28 09:50:37 -07:00
										 |  |  |  |     CASE_MFF_XREGS: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ETH_SRC: | 
					
						
							|  |  |  |  |     case MFF_ETH_DST: | 
					
						
							|  |  |  |  |     case MFF_ETH_TYPE: | 
					
						
							|  |  |  |  |     case MFF_VLAN_TCI: | 
					
						
							|  |  |  |  |     case MFF_IPV4_SRC: | 
					
						
							|  |  |  |  |     case MFF_IPV4_DST: | 
					
						
							|  |  |  |  |     case MFF_IPV6_SRC: | 
					
						
							|  |  |  |  |     case MFF_IPV6_DST: | 
					
						
							|  |  |  |  |     case MFF_IP_PROTO: | 
					
						
							| 
									
										
										
										
											2011-11-05 15:48:12 -07:00
										 |  |  |  |     case MFF_IP_TTL: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ARP_SPA: | 
					
						
							|  |  |  |  |     case MFF_ARP_TPA: | 
					
						
							|  |  |  |  |     case MFF_ARP_SHA: | 
					
						
							|  |  |  |  |     case MFF_ARP_THA: | 
					
						
							|  |  |  |  |     case MFF_TCP_SRC: | 
					
						
							|  |  |  |  |     case MFF_TCP_DST: | 
					
						
							|  |  |  |  |     case MFF_UDP_SRC: | 
					
						
							|  |  |  |  |     case MFF_UDP_DST: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_SRC: | 
					
						
							|  |  |  |  |     case MFF_SCTP_DST: | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFF_ICMPV4_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV4_CODE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_CODE: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ND_TARGET: | 
					
						
							|  |  |  |  |     case MFF_ND_SLL: | 
					
						
							|  |  |  |  |     case MFF_ND_TLL: | 
					
						
							|  |  |  |  |         return true; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-11-03 14:24:01 -08:00
										 |  |  |  |     case MFF_IN_PORT_OXM: | 
					
						
							|  |  |  |  |     case MFF_ACTSET_OUTPUT: { | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         ofp_port_t port; | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |         return !ofputil_port_from_ofp11(value->be32, &port); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_DSCP: | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |         return !(value->u8 & ~IP_DSCP_MASK); | 
					
						
							| 
									
										
										
										
											2013-04-18 09:40:48 -07:00
										 |  |  |  |     case MFF_IP_DSCP_SHIFTED: | 
					
						
							|  |  |  |  |         return !(value->u8 & (~IP_DSCP_MASK >> 2)); | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_ECN: | 
					
						
							|  |  |  |  |         return !(value->u8 & ~IP_ECN_MASK); | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     case MFF_IP_FRAG: | 
					
						
							| 
									
										
										
										
											2011-11-09 17:10:27 -08:00
										 |  |  |  |         return !(value->u8 & ~FLOW_NW_FRAG_MASK); | 
					
						
							| 
									
										
										
										
											2013-10-28 13:54:40 -07:00
										 |  |  |  |     case MFF_TCP_FLAGS: | 
					
						
							|  |  |  |  |         return !(value->be16 & ~htons(0x0fff)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_OP: | 
					
						
							|  |  |  |  |         return !(value->be16 & htons(0xff00)); | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         return !(value->be16 & htons(VLAN_CFI | VLAN_PCP_MASK)); | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_VID: | 
					
						
							|  |  |  |  |         return !(value->be16 & htons(VLAN_PCP_MASK)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-06-27 13:26:57 +09:00
										 |  |  |  |         return !(value->u8 & ~(VLAN_PCP_MASK >> VLAN_PCP_SHIFT)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-01 15:57:56 -07:00
										 |  |  |  |     case MFF_IPV6_LABEL: | 
					
						
							|  |  |  |  |         return !(value->be32 & ~htonl(IPV6_LABEL_MASK)); | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_LABEL: | 
					
						
							|  |  |  |  |         return !(value->be32 & ~htonl(MPLS_LABEL_MASK >> MPLS_LABEL_SHIFT)); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_TC: | 
					
						
							|  |  |  |  |         return !(value->u8 & ~(MPLS_TC_MASK >> MPLS_TC_SHIFT)); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_BOS: | 
					
						
							|  |  |  |  |         return !(value->u8 & ~(MPLS_BOS_MASK >> MPLS_BOS_SHIFT)); | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_N_IDS: | 
					
						
							|  |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | /* Copies the value of field 'mf' from 'flow' into 'value'.  The caller is
 | 
					
						
							|  |  |  |  |  * responsible for ensuring that 'flow' meets 'mf''s prerequisites. */ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_get_value(const struct mf_field *mf, const struct flow *flow, | 
					
						
							|  |  |  |  |              union mf_value *value) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     switch (mf->id) { | 
					
						
							| 
									
										
										
										
											2014-03-04 14:20:19 -08:00
										 |  |  |  |     case MFF_DP_HASH: | 
					
						
							|  |  |  |  |         value->be32 = htonl(flow->dp_hash); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_RECIRC_ID: | 
					
						
							|  |  |  |  |         value->be32 = htonl(flow->recirc_id); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_TUN_ID: | 
					
						
							| 
									
										
										
										
											2012-09-13 20:11:08 -07:00
										 |  |  |  |         value->be64 = flow->tunnel.tun_id; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_SRC: | 
					
						
							|  |  |  |  |         value->be32 = flow->tunnel.ip_src; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_DST: | 
					
						
							|  |  |  |  |         value->be32 = flow->tunnel.ip_dst; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_FLAGS: | 
					
						
							|  |  |  |  |         value->be16 = htons(flow->tunnel.flags); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TTL: | 
					
						
							|  |  |  |  |         value->u8 = flow->tunnel.ip_ttl; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TOS: | 
					
						
							|  |  |  |  |         value->u8 = flow->tunnel.ip_tos; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |     case MFF_METADATA: | 
					
						
							|  |  |  |  |         value->be64 = flow->metadata; | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IN_PORT: | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         value->be16 = htons(ofp_to_u16(flow->in_port.ofp_port)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |     case MFF_IN_PORT_OXM: | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         value->be32 = ofputil_port_to_ofp11(flow->in_port.ofp_port); | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2014-11-03 14:24:01 -08:00
										 |  |  |  |     case MFF_ACTSET_OUTPUT: | 
					
						
							|  |  |  |  |         value->be32 = ofputil_port_to_ofp11(flow->actset_output); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |     case MFF_SKB_PRIORITY: | 
					
						
							| 
									
										
										
										
											2012-12-18 15:54:29 -08:00
										 |  |  |  |         value->be32 = htonl(flow->skb_priority); | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-08-06 12:57:13 -07:00
										 |  |  |  |     case MFF_PKT_MARK: | 
					
						
							|  |  |  |  |         value->be32 = htonl(flow->pkt_mark); | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 07:23:25 -07:00
										 |  |  |  |     CASE_MFF_REGS: | 
					
						
							| 
									
										
										
										
											2011-10-11 06:58:49 -07:00
										 |  |  |  |         value->be32 = htonl(flow->regs[mf->id - MFF_REG0]); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-28 09:50:37 -07:00
										 |  |  |  |     CASE_MFF_XREGS: | 
					
						
							|  |  |  |  |         value->be64 = htonll(flow_get_xreg(flow, mf->id - MFF_XREG0)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ETH_SRC: | 
					
						
							|  |  |  |  |         memcpy(value->mac, flow->dl_src, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_DST: | 
					
						
							|  |  |  |  |         memcpy(value->mac, flow->dl_dst, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_TYPE: | 
					
						
							|  |  |  |  |         value->be16 = flow->dl_type; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_VLAN_TCI: | 
					
						
							|  |  |  |  |         value->be16 = flow->vlan_tci; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         value->be16 = flow->vlan_tci & htons(VLAN_VID_MASK); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_VID: | 
					
						
							|  |  |  |  |         value->be16 = flow->vlan_tci & htons(VLAN_VID_MASK | VLAN_CFI); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         value->u8 = vlan_tci_to_pcp(flow->vlan_tci); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_LABEL: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         value->be32 = htonl(mpls_lse_to_label(flow->mpls_lse[0])); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_TC: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         value->u8 = mpls_lse_to_tc(flow->mpls_lse[0]); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_BOS: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         value->u8 = mpls_lse_to_bos(flow->mpls_lse[0]); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IPV4_SRC: | 
					
						
							|  |  |  |  |         value->be32 = flow->nw_src; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV4_DST: | 
					
						
							|  |  |  |  |         value->be32 = flow->nw_dst; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_SRC: | 
					
						
							|  |  |  |  |         value->ipv6 = flow->ipv6_src; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_DST: | 
					
						
							|  |  |  |  |         value->ipv6 = flow->ipv6_dst; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-01 15:57:56 -07:00
										 |  |  |  |     case MFF_IPV6_LABEL: | 
					
						
							|  |  |  |  |         value->be32 = flow->ipv6_label; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IP_PROTO: | 
					
						
							|  |  |  |  |         value->u8 = flow->nw_proto; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_DSCP: | 
					
						
							| 
									
										
										
										
											2011-11-09 17:10:27 -08:00
										 |  |  |  |         value->u8 = flow->nw_tos & IP_DSCP_MASK; | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-18 09:40:48 -07:00
										 |  |  |  |     case MFF_IP_DSCP_SHIFTED: | 
					
						
							|  |  |  |  |         value->u8 = flow->nw_tos >> 2; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_ECN: | 
					
						
							| 
									
										
										
										
											2011-11-09 17:10:27 -08:00
										 |  |  |  |         value->u8 = flow->nw_tos & IP_ECN_MASK; | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-05 15:48:12 -07:00
										 |  |  |  |     case MFF_IP_TTL: | 
					
						
							|  |  |  |  |         value->u8 = flow->nw_ttl; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     case MFF_IP_FRAG: | 
					
						
							| 
									
										
										
										
											2011-11-09 17:10:27 -08:00
										 |  |  |  |         value->u8 = flow->nw_frag; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_OP: | 
					
						
							|  |  |  |  |         value->be16 = htons(flow->nw_proto); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_SPA: | 
					
						
							|  |  |  |  |         value->be32 = flow->nw_src; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_TPA: | 
					
						
							|  |  |  |  |         value->be32 = flow->nw_dst; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_SHA: | 
					
						
							|  |  |  |  |     case MFF_ND_SLL: | 
					
						
							|  |  |  |  |         memcpy(value->mac, flow->arp_sha, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_THA: | 
					
						
							|  |  |  |  |     case MFF_ND_TLL: | 
					
						
							|  |  |  |  |         memcpy(value->mac, flow->arp_tha, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_TCP_SRC: | 
					
						
							|  |  |  |  |     case MFF_UDP_SRC: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_SRC: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         value->be16 = flow->tp_src; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-12 11:07:15 +12:00
										 |  |  |  |     case MFF_TCP_DST: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_UDP_DST: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_DST: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         value->be16 = flow->tp_dst; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-28 13:54:40 -07:00
										 |  |  |  |     case MFF_TCP_FLAGS: | 
					
						
							|  |  |  |  |         value->be16 = flow->tcp_flags; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFF_ICMPV4_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_TYPE: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         value->u8 = ntohs(flow->tp_src); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFF_ICMPV4_CODE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_CODE: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         value->u8 = ntohs(flow->tp_dst); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ND_TARGET: | 
					
						
							|  |  |  |  |         value->ipv6 = flow->nd_target; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_N_IDS: | 
					
						
							|  |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  | /* Makes 'match' match field 'mf' exactly, with the value matched taken from
 | 
					
						
							|  |  |  |  |  * 'value'.  The caller is responsible for ensuring that 'match' meets 'mf''s | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |  * prerequisites. */ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_set_value(const struct mf_field *mf, | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |              const union mf_value *value, struct match *match) | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | { | 
					
						
							|  |  |  |  |     switch (mf->id) { | 
					
						
							| 
									
										
										
										
											2014-03-04 14:20:19 -08:00
										 |  |  |  |     case MFF_DP_HASH: | 
					
						
							|  |  |  |  |         match_set_dp_hash(match, ntohl(value->be32)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_RECIRC_ID: | 
					
						
							|  |  |  |  |         match_set_recirc_id(match, ntohl(value->be32)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_TUN_ID: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_tun_id(match, value->be64); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_SRC: | 
					
						
							|  |  |  |  |         match_set_tun_src(match, value->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_DST: | 
					
						
							|  |  |  |  |         match_set_tun_dst(match, value->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_FLAGS: | 
					
						
							|  |  |  |  |         match_set_tun_flags(match, ntohs(value->be16)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TOS: | 
					
						
							|  |  |  |  |         match_set_tun_tos(match, value->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TTL: | 
					
						
							|  |  |  |  |         match_set_tun_ttl(match, value->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |     case MFF_METADATA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_metadata(match, value->be64); | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IN_PORT: | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         match_set_in_port(match, u16_to_ofp(ntohs(value->be16))); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |     case MFF_IN_PORT_OXM: { | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         ofp_port_t port; | 
					
						
							| 
									
										
										
										
											2013-05-20 12:21:51 -07:00
										 |  |  |  |         ofputil_port_from_ofp11(value->be32, &port); | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |         match_set_in_port(match, port); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-11-03 14:24:01 -08:00
										 |  |  |  |     case MFF_ACTSET_OUTPUT: { | 
					
						
							|  |  |  |  |         ofp_port_t port; | 
					
						
							|  |  |  |  |         ofputil_port_from_ofp11(value->be32, &port); | 
					
						
							|  |  |  |  |         match_set_actset_output(match, port); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     } | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |     case MFF_SKB_PRIORITY: | 
					
						
							|  |  |  |  |         match_set_skb_priority(match, ntohl(value->be32)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-08-06 12:57:13 -07:00
										 |  |  |  |     case MFF_PKT_MARK: | 
					
						
							|  |  |  |  |         match_set_pkt_mark(match, ntohl(value->be32)); | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 07:23:25 -07:00
										 |  |  |  |     CASE_MFF_REGS: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_reg(match, mf->id - MFF_REG0, ntohl(value->be32)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-28 09:50:37 -07:00
										 |  |  |  |     CASE_MFF_XREGS: | 
					
						
							|  |  |  |  |         match_set_xreg(match, mf->id - MFF_XREG0, ntohll(value->be64)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ETH_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_src(match, value->mac); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_dst(match, value->mac); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_TYPE: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_type(match, value->be16); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_VLAN_TCI: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_tci(match, value->be16); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_vlan(match, value->be16); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_VID: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_vlan_vid(match, value->be16); | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_vlan_pcp(match, value->u8); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_LABEL: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         match_set_mpls_label(match, 0, value->be32); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_TC: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         match_set_mpls_tc(match, 0, value->u8); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_BOS: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         match_set_mpls_bos(match, 0, value->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IPV4_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_src(match, value->be32); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV4_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_dst(match, value->be32); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_ipv6_src(match, &value->ipv6); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_ipv6_dst(match, &value->ipv6); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-01 15:57:56 -07:00
										 |  |  |  |     case MFF_IPV6_LABEL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_ipv6_label(match, value->be32); | 
					
						
							| 
									
										
										
										
											2011-11-01 15:57:56 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IP_PROTO: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_proto(match, value->u8); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_DSCP: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_dscp(match, value->u8); | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-18 09:40:48 -07:00
										 |  |  |  |     case MFF_IP_DSCP_SHIFTED: | 
					
						
							|  |  |  |  |         match_set_nw_dscp(match, value->u8 << 2); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_ECN: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_ecn(match, value->u8); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-05 15:48:12 -07:00
										 |  |  |  |     case MFF_IP_TTL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_ttl(match, value->u8); | 
					
						
							| 
									
										
										
										
											2011-11-05 15:48:12 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     case MFF_IP_FRAG: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_frag(match, value->u8); | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ARP_OP: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_proto(match, ntohs(value->be16)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_SPA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_src(match, value->be32); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_TPA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_dst(match, value->be32); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_SHA: | 
					
						
							|  |  |  |  |     case MFF_ND_SLL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_arp_sha(match, value->mac); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_THA: | 
					
						
							|  |  |  |  |     case MFF_ND_TLL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_arp_tha(match, value->mac); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_TCP_SRC: | 
					
						
							|  |  |  |  |     case MFF_UDP_SRC: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_tp_src(match, value->be16); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-12 11:07:15 +12:00
										 |  |  |  |     case MFF_TCP_DST: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_UDP_DST: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_tp_dst(match, value->be16); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-28 13:54:40 -07:00
										 |  |  |  |     case MFF_TCP_FLAGS: | 
					
						
							|  |  |  |  |         match_set_tcp_flags(match, value->be16); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFF_ICMPV4_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_TYPE: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_icmp_type(match, value->u8); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFF_ICMPV4_CODE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_CODE: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_icmp_code(match, value->u8); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ND_TARGET: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nd_target(match, &value->ipv6); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_N_IDS: | 
					
						
							|  |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-13 12:44:20 -07:00
										 |  |  |  | /* Unwildcard 'mask' member field described by 'mf'.  The caller is
 | 
					
						
							|  |  |  |  |  * responsible for ensuring that 'mask' meets 'mf''s prerequisites. */ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_mask_field(const struct mf_field *mf, struct flow *mask) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     static const union mf_value exact_match_mask = MF_EXACT_MASK_INITIALIZER; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     /* For MFF_DL_VLAN, we cannot send a all 1's to flow_set_dl_vlan()
 | 
					
						
							|  |  |  |  |      * as that will be considered as OFP10_VLAN_NONE. So consider it as a | 
					
						
							|  |  |  |  |      * special case. For the rest, calling mf_set_flow_value() is good | 
					
						
							|  |  |  |  |      * enough. */ | 
					
						
							|  |  |  |  |     if (mf->id == MFF_DL_VLAN) { | 
					
						
							|  |  |  |  |         flow_set_dl_vlan(mask, htons(VLAN_VID_MASK)); | 
					
						
							|  |  |  |  |     } else { | 
					
						
							|  |  |  |  |         mf_set_flow_value(mf, &exact_match_mask, mask); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-06-01 11:44:01 -07:00
										 |  |  |  | /* Sets 'flow' member field described by 'mf' to 'value'.  The caller is
 | 
					
						
							|  |  |  |  |  * responsible for ensuring that 'flow' meets 'mf''s prerequisites.*/ | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  | void | 
					
						
							|  |  |  |  | mf_set_flow_value(const struct mf_field *mf, | 
					
						
							|  |  |  |  |                   const union mf_value *value, struct flow *flow) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     switch (mf->id) { | 
					
						
							| 
									
										
										
										
											2014-03-04 14:20:19 -08:00
										 |  |  |  |     case MFF_DP_HASH: | 
					
						
							|  |  |  |  |         flow->dp_hash = ntohl(value->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_RECIRC_ID: | 
					
						
							|  |  |  |  |         flow->recirc_id = ntohl(value->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |     case MFF_TUN_ID: | 
					
						
							| 
									
										
										
										
											2012-09-13 20:11:08 -07:00
										 |  |  |  |         flow->tunnel.tun_id = value->be64; | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_SRC: | 
					
						
							|  |  |  |  |         flow->tunnel.ip_src = value->be32; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_DST: | 
					
						
							|  |  |  |  |         flow->tunnel.ip_dst = value->be32; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_FLAGS: | 
					
						
							|  |  |  |  |         flow->tunnel.flags = ntohs(value->be16); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TOS: | 
					
						
							|  |  |  |  |         flow->tunnel.ip_tos = value->u8; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TTL: | 
					
						
							|  |  |  |  |         flow->tunnel.ip_ttl = value->u8; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |     case MFF_METADATA: | 
					
						
							|  |  |  |  |         flow->metadata = value->be64; | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IN_PORT: | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         flow->in_port.ofp_port = u16_to_ofp(ntohs(value->be16)); | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-11-03 14:24:01 -08:00
										 |  |  |  |     case MFF_IN_PORT_OXM: | 
					
						
							|  |  |  |  |         ofputil_port_from_ofp11(value->be32, &flow->in_port.ofp_port); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_ACTSET_OUTPUT: | 
					
						
							|  |  |  |  |         ofputil_port_from_ofp11(value->be32, &flow->actset_output); | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |     case MFF_SKB_PRIORITY: | 
					
						
							|  |  |  |  |         flow->skb_priority = ntohl(value->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-08-06 12:57:13 -07:00
										 |  |  |  |     case MFF_PKT_MARK: | 
					
						
							|  |  |  |  |         flow->pkt_mark = ntohl(value->be32); | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 07:23:25 -07:00
										 |  |  |  |     CASE_MFF_REGS: | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         flow->regs[mf->id - MFF_REG0] = ntohl(value->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-28 09:50:37 -07:00
										 |  |  |  |     CASE_MFF_XREGS: | 
					
						
							|  |  |  |  |         flow_set_xreg(flow, mf->id - MFF_XREG0, ntohll(value->be64)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |     case MFF_ETH_SRC: | 
					
						
							|  |  |  |  |         memcpy(flow->dl_src, value->mac, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_DST: | 
					
						
							| 
									
										
										
										
											2012-04-27 08:45:10 -07:00
										 |  |  |  |         memcpy(flow->dl_dst, value->mac, ETH_ADDR_LEN); | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_TYPE: | 
					
						
							|  |  |  |  |         flow->dl_type = value->be16; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_VLAN_TCI: | 
					
						
							|  |  |  |  |         flow->vlan_tci = value->be16; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN: | 
					
						
							| 
									
										
										
										
											2012-07-22 22:42:55 -07:00
										 |  |  |  |         flow_set_dl_vlan(flow, value->be16); | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_VID: | 
					
						
							|  |  |  |  |         flow_set_vlan_vid(flow, value->be16); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         flow_set_vlan_pcp(flow, value->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_LABEL: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         flow_set_mpls_label(flow, 0, value->be32); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_TC: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         flow_set_mpls_tc(flow, 0, value->u8); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_BOS: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         flow_set_mpls_bos(flow, 0, value->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |     case MFF_IPV4_SRC: | 
					
						
							|  |  |  |  |         flow->nw_src = value->be32; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV4_DST: | 
					
						
							|  |  |  |  |         flow->nw_dst = value->be32; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_SRC: | 
					
						
							|  |  |  |  |         flow->ipv6_src = value->ipv6; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_DST: | 
					
						
							|  |  |  |  |         flow->ipv6_dst = value->ipv6; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_LABEL: | 
					
						
							|  |  |  |  |         flow->ipv6_label = value->be32 & ~htonl(IPV6_LABEL_MASK); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IP_PROTO: | 
					
						
							|  |  |  |  |         flow->nw_proto = value->u8; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IP_DSCP: | 
					
						
							|  |  |  |  |         flow->nw_tos &= ~IP_DSCP_MASK; | 
					
						
							|  |  |  |  |         flow->nw_tos |= value->u8 & IP_DSCP_MASK; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-04-18 09:40:48 -07:00
										 |  |  |  |     case MFF_IP_DSCP_SHIFTED: | 
					
						
							|  |  |  |  |         flow->nw_tos &= ~IP_DSCP_MASK; | 
					
						
							|  |  |  |  |         flow->nw_tos |= value->u8 << 2; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |     case MFF_IP_ECN: | 
					
						
							|  |  |  |  |         flow->nw_tos &= ~IP_ECN_MASK; | 
					
						
							|  |  |  |  |         flow->nw_tos |= value->u8 & IP_ECN_MASK; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IP_TTL: | 
					
						
							|  |  |  |  |         flow->nw_ttl = value->u8; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IP_FRAG: | 
					
						
							| 
									
										
										
										
											2014-02-07 11:34:02 -08:00
										 |  |  |  |         flow->nw_frag = value->u8 & FLOW_NW_FRAG_MASK; | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_OP: | 
					
						
							|  |  |  |  |         flow->nw_proto = ntohs(value->be16); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_SPA: | 
					
						
							|  |  |  |  |         flow->nw_src = value->be32; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_TPA: | 
					
						
							|  |  |  |  |         flow->nw_dst = value->be32; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_SHA: | 
					
						
							|  |  |  |  |     case MFF_ND_SLL: | 
					
						
							|  |  |  |  |         memcpy(flow->arp_sha, value->mac, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_THA: | 
					
						
							|  |  |  |  |     case MFF_ND_TLL: | 
					
						
							|  |  |  |  |         memcpy(flow->arp_tha, value->mac, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_TCP_SRC: | 
					
						
							|  |  |  |  |     case MFF_UDP_SRC: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_SRC: | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         flow->tp_src = value->be16; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_TCP_DST: | 
					
						
							|  |  |  |  |     case MFF_UDP_DST: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_DST: | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |         flow->tp_dst = value->be16; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-28 13:54:40 -07:00
										 |  |  |  |     case MFF_TCP_FLAGS: | 
					
						
							|  |  |  |  |         flow->tcp_flags = value->be16; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |     case MFF_ICMPV4_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_TYPE: | 
					
						
							|  |  |  |  |         flow->tp_src = htons(value->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ICMPV4_CODE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_CODE: | 
					
						
							|  |  |  |  |         flow->tp_dst = htons(value->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ND_TARGET: | 
					
						
							|  |  |  |  |         flow->nd_target = value->ipv6; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_N_IDS: | 
					
						
							|  |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-10-12 17:04:13 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-07 16:49:50 -07:00
										 |  |  |  | /* Consider each of 'src', 'mask', and 'dst' as if they were arrays of 8*n
 | 
					
						
							|  |  |  |  |  * bits.  Then, for each 0 <= i < 8 * n such that mask[i] == 1, sets dst[i] = | 
					
						
							|  |  |  |  |  * src[i].  */ | 
					
						
							|  |  |  |  | static void | 
					
						
							|  |  |  |  | apply_mask(const uint8_t *src, const uint8_t *mask, uint8_t *dst, size_t n) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     size_t i; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     for (i = 0; i < n; i++) { | 
					
						
							|  |  |  |  |         dst[i] = (src[i] & mask[i]) | (dst[i] & ~mask[i]); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | /* Sets 'flow' member field described by 'field' to 'value', except that bits
 | 
					
						
							|  |  |  |  |  * for which 'mask' has a 0-bit keep their existing values.  The caller is | 
					
						
							|  |  |  |  |  * responsible for ensuring that 'flow' meets 'field''s prerequisites.*/ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_set_flow_value_masked(const struct mf_field *field, | 
					
						
							|  |  |  |  |                          const union mf_value *value, | 
					
						
							|  |  |  |  |                          const union mf_value *mask, | 
					
						
							|  |  |  |  |                          struct flow *flow) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     union mf_value tmp; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     mf_get_value(field, flow, &tmp); | 
					
						
							|  |  |  |  |     apply_mask((const uint8_t *) value, (const uint8_t *) mask, | 
					
						
							|  |  |  |  |                (uint8_t *) &tmp, field->n_bytes); | 
					
						
							|  |  |  |  |     mf_set_flow_value(field, &tmp, flow); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-05-04 09:52:37 -07:00
										 |  |  |  | /* Returns true if 'mf' has a zero value in 'flow', false if it is nonzero.
 | 
					
						
							|  |  |  |  |  * | 
					
						
							|  |  |  |  |  * The caller is responsible for ensuring that 'flow' meets 'mf''s | 
					
						
							|  |  |  |  |  * prerequisites. */ | 
					
						
							|  |  |  |  | bool | 
					
						
							|  |  |  |  | mf_is_zero(const struct mf_field *mf, const struct flow *flow) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     union mf_value value; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     mf_get_value(mf, flow, &value); | 
					
						
							| 
									
										
										
										
											2014-09-05 15:44:19 -07:00
										 |  |  |  |     return is_all_zeros(&value, mf->n_bytes); | 
					
						
							| 
									
										
										
										
											2012-05-04 09:52:37 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  | /* Makes 'match' wildcard field 'mf'.
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |  * | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |  * The caller is responsible for ensuring that 'match' meets 'mf''s | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |  * prerequisites. */ | 
					
						
							|  |  |  |  | void | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  | mf_set_wild(const struct mf_field *mf, struct match *match) | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | { | 
					
						
							|  |  |  |  |     switch (mf->id) { | 
					
						
							| 
									
										
										
										
											2014-03-04 14:20:19 -08:00
										 |  |  |  |     case MFF_DP_HASH: | 
					
						
							|  |  |  |  |         match->flow.dp_hash = 0; | 
					
						
							|  |  |  |  |         match->wc.masks.dp_hash = 0; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_RECIRC_ID: | 
					
						
							|  |  |  |  |         match->flow.recirc_id = 0; | 
					
						
							|  |  |  |  |         match->wc.masks.recirc_id = 0; | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_TUN_ID: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_tun_id_masked(match, htonll(0), htonll(0)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_SRC: | 
					
						
							|  |  |  |  |         match_set_tun_src_masked(match, htonl(0), htonl(0)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_DST: | 
					
						
							|  |  |  |  |         match_set_tun_dst_masked(match, htonl(0), htonl(0)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_FLAGS: | 
					
						
							|  |  |  |  |         match_set_tun_flags_masked(match, 0, 0); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TOS: | 
					
						
							|  |  |  |  |         match_set_tun_tos_masked(match, 0, 0); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TTL: | 
					
						
							|  |  |  |  |         match_set_tun_ttl_masked(match, 0, 0); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |     case MFF_METADATA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_metadata_masked(match, htonll(0), htonll(0)); | 
					
						
							| 
									
										
										
										
											2013-01-24 13:41:10 -08:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IN_PORT: | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |     case MFF_IN_PORT_OXM: | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         match->flow.in_port.ofp_port = 0; | 
					
						
							|  |  |  |  |         match->wc.masks.in_port.ofp_port = 0; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2014-11-03 14:24:01 -08:00
										 |  |  |  |     case MFF_ACTSET_OUTPUT: | 
					
						
							|  |  |  |  |         match->flow.actset_output = 0; | 
					
						
							|  |  |  |  |         match->wc.masks.actset_output = 0; | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |     case MFF_SKB_PRIORITY: | 
					
						
							|  |  |  |  |         match->flow.skb_priority = 0; | 
					
						
							|  |  |  |  |         match->wc.masks.skb_priority = 0; | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-08-06 12:57:13 -07:00
										 |  |  |  |     case MFF_PKT_MARK: | 
					
						
							|  |  |  |  |         match->flow.pkt_mark = 0; | 
					
						
							|  |  |  |  |         match->wc.masks.pkt_mark = 0; | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 07:23:25 -07:00
										 |  |  |  |     CASE_MFF_REGS: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_reg_masked(match, mf->id - MFF_REG0, 0, 0); | 
					
						
							| 
									
										
										
										
											2012-03-08 14:44:54 -08:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-28 09:50:37 -07:00
										 |  |  |  |     CASE_MFF_XREGS: | 
					
						
							|  |  |  |  |         match_set_xreg_masked(match, mf->id - MFF_XREG0, 0, 0); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ETH_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         memset(match->flow.dl_src, 0, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         memset(match->wc.masks.dl_src, 0, ETH_ADDR_LEN); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         memset(match->flow.dl_dst, 0, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         memset(match->wc.masks.dl_dst, 0, ETH_ADDR_LEN); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_TYPE: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->flow.dl_type = htons(0); | 
					
						
							|  |  |  |  |         match->wc.masks.dl_type = htons(0); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_VLAN_TCI: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_tci_masked(match, htons(0), htons(0)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_VID: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_any_vid(match); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_any_pcp(match); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_LABEL: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         match_set_any_mpls_label(match, 0); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_TC: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         match_set_any_mpls_tc(match, 0); | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_MPLS_BOS: | 
					
						
							| 
									
										
										
										
											2014-02-04 10:32:35 -08:00
										 |  |  |  |         match_set_any_mpls_bos(match, 0); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IPV4_SRC: | 
					
						
							|  |  |  |  |     case MFF_ARP_SPA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_src_masked(match, htonl(0), htonl(0)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV4_DST: | 
					
						
							|  |  |  |  |     case MFF_ARP_TPA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_dst_masked(match, htonl(0), htonl(0)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         memset(&match->wc.masks.ipv6_src, 0, sizeof match->wc.masks.ipv6_src); | 
					
						
							|  |  |  |  |         memset(&match->flow.ipv6_src, 0, sizeof match->flow.ipv6_src); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         memset(&match->wc.masks.ipv6_dst, 0, sizeof match->wc.masks.ipv6_dst); | 
					
						
							|  |  |  |  |         memset(&match->flow.ipv6_dst, 0, sizeof match->flow.ipv6_dst); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-01 15:57:56 -07:00
										 |  |  |  |     case MFF_IPV6_LABEL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.ipv6_label = htonl(0); | 
					
						
							|  |  |  |  |         match->flow.ipv6_label = htonl(0); | 
					
						
							| 
									
										
										
										
											2011-11-01 15:57:56 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IP_PROTO: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.nw_proto = 0; | 
					
						
							|  |  |  |  |         match->flow.nw_proto = 0; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_DSCP: | 
					
						
							| 
									
										
										
										
											2013-04-18 09:40:48 -07:00
										 |  |  |  |     case MFF_IP_DSCP_SHIFTED: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.nw_tos &= ~IP_DSCP_MASK; | 
					
						
							|  |  |  |  |         match->flow.nw_tos &= ~IP_DSCP_MASK; | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_ECN: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.nw_tos &= ~IP_ECN_MASK; | 
					
						
							|  |  |  |  |         match->flow.nw_tos &= ~IP_ECN_MASK; | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-05 15:48:12 -07:00
										 |  |  |  |     case MFF_IP_TTL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.nw_ttl = 0; | 
					
						
							|  |  |  |  |         match->flow.nw_ttl = 0; | 
					
						
							| 
									
										
										
										
											2011-11-05 15:48:12 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     case MFF_IP_FRAG: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.nw_frag |= FLOW_NW_FRAG_MASK; | 
					
						
							|  |  |  |  |         match->flow.nw_frag &= ~FLOW_NW_FRAG_MASK; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_OP: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.nw_proto = 0; | 
					
						
							|  |  |  |  |         match->flow.nw_proto = 0; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_SHA: | 
					
						
							|  |  |  |  |     case MFF_ND_SLL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         memset(match->flow.arp_sha, 0, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         memset(match->wc.masks.arp_sha, 0, ETH_ADDR_LEN); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_THA: | 
					
						
							|  |  |  |  |     case MFF_ND_TLL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         memset(match->flow.arp_tha, 0, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         memset(match->wc.masks.arp_tha, 0, ETH_ADDR_LEN); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_TCP_SRC: | 
					
						
							|  |  |  |  |     case MFF_UDP_SRC: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_SRC: | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFF_ICMPV4_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_TYPE: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.tp_src = htons(0); | 
					
						
							|  |  |  |  |         match->flow.tp_src = htons(0); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_TCP_DST: | 
					
						
							|  |  |  |  |     case MFF_UDP_DST: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_DST: | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFF_ICMPV4_CODE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_CODE: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match->wc.masks.tp_dst = htons(0); | 
					
						
							|  |  |  |  |         match->flow.tp_dst = htons(0); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-28 13:54:40 -07:00
										 |  |  |  |     case MFF_TCP_FLAGS: | 
					
						
							|  |  |  |  |         match->wc.masks.tcp_flags = htons(0); | 
					
						
							|  |  |  |  |         match->flow.tcp_flags = htons(0); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ND_TARGET: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         memset(&match->wc.masks.nd_target, 0, | 
					
						
							|  |  |  |  |                sizeof match->wc.masks.nd_target); | 
					
						
							|  |  |  |  |         memset(&match->flow.nd_target, 0, sizeof match->flow.nd_target); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_N_IDS: | 
					
						
							|  |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  | /* Makes 'match' match field 'mf' with the specified 'value' and 'mask'.
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |  * 'value' specifies a value to match and 'mask' specifies a wildcard pattern, | 
					
						
							|  |  |  |  |  * with a 1-bit indicating that the corresponding value bit must match and a | 
					
						
							|  |  |  |  |  * 0-bit indicating a don't-care. | 
					
						
							|  |  |  |  |  * | 
					
						
							|  |  |  |  |  * If 'mask' is NULL or points to all-1-bits, then this call is equivalent to | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |  * mf_set_value(mf, value, match).  If 'mask' points to all-0-bits, then this | 
					
						
							|  |  |  |  |  * call is equivalent to mf_set_wild(mf, match). | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |  * | 
					
						
							|  |  |  |  |  * 'mask' must be a valid mask for 'mf' (see mf_is_mask_valid()).  The caller | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |  * is responsible for ensuring that 'match' meets 'mf''s prerequisites. */ | 
					
						
							| 
									
										
										
										
											2013-08-20 18:41:45 -07:00
										 |  |  |  | enum ofputil_protocol | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | mf_set(const struct mf_field *mf, | 
					
						
							|  |  |  |  |        const union mf_value *value, const union mf_value *mask, | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |        struct match *match) | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | { | 
					
						
							| 
									
										
										
										
											2014-09-05 15:44:19 -07:00
										 |  |  |  |     if (!mask || is_all_ones(mask, mf->n_bytes)) { | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         mf_set_value(mf, value, match); | 
					
						
							| 
									
										
										
										
											2014-10-07 15:24:11 -07:00
										 |  |  |  |         return mf->usable_protocols_exact; | 
					
						
							| 
									
										
										
										
											2014-09-05 15:44:19 -07:00
										 |  |  |  |     } else if (is_all_zeros(mask, mf->n_bytes)) { | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         mf_set_wild(mf, match); | 
					
						
							| 
									
										
										
										
											2013-08-20 18:41:45 -07:00
										 |  |  |  |         return OFPUTIL_P_ANY; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     switch (mf->id) { | 
					
						
							| 
									
										
										
										
											2014-03-04 14:20:19 -08:00
										 |  |  |  |     case MFF_RECIRC_ID: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IN_PORT: | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |     case MFF_IN_PORT_OXM: | 
					
						
							| 
									
										
										
										
											2014-11-03 14:24:01 -08:00
										 |  |  |  |     case MFF_ACTSET_OUTPUT: | 
					
						
							| 
									
										
										
										
											2012-11-29 14:36:49 -08:00
										 |  |  |  |     case MFF_SKB_PRIORITY: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ETH_TYPE: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:36:41 -07:00
										 |  |  |  |     case MFF_DL_VLAN: | 
					
						
							|  |  |  |  |     case MFF_DL_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_PCP: | 
					
						
							| 
									
										
										
										
											2013-01-25 16:22:07 +09:00
										 |  |  |  |     case MFF_MPLS_LABEL: | 
					
						
							|  |  |  |  |     case MFF_MPLS_TC: | 
					
						
							|  |  |  |  |     case MFF_MPLS_BOS: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IP_PROTO: | 
					
						
							| 
									
										
										
										
											2011-11-05 15:48:12 -07:00
										 |  |  |  |     case MFF_IP_TTL: | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_DSCP: | 
					
						
							| 
									
										
										
										
											2013-04-18 09:40:48 -07:00
										 |  |  |  |     case MFF_IP_DSCP_SHIFTED: | 
					
						
							| 
									
										
										
										
											2011-11-02 23:34:15 -07:00
										 |  |  |  |     case MFF_IP_ECN: | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ARP_OP: | 
					
						
							| 
									
										
										
										
											2011-10-22 13:11:48 -07:00
										 |  |  |  |     case MFF_ICMPV4_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV4_CODE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_TYPE: | 
					
						
							|  |  |  |  |     case MFF_ICMPV6_CODE: | 
					
						
							| 
									
										
										
										
											2013-10-31 13:00:02 +09:00
										 |  |  |  |         return OFPUTIL_P_NONE; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-03-04 14:20:19 -08:00
										 |  |  |  |     case MFF_DP_HASH: | 
					
						
							|  |  |  |  |         match_set_dp_hash_masked(match, ntohl(value->be32), ntohl(mask->be32)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_TUN_ID: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_tun_id_masked(match, value->be64, mask->be64); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFF_TUN_SRC: | 
					
						
							|  |  |  |  |         match_set_tun_src_masked(match, value->be32, mask->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_DST: | 
					
						
							|  |  |  |  |         match_set_tun_dst_masked(match, value->be32, mask->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_FLAGS: | 
					
						
							|  |  |  |  |         match_set_tun_flags_masked(match, ntohs(value->be16), ntohs(mask->be16)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TTL: | 
					
						
							|  |  |  |  |         match_set_tun_ttl_masked(match, value->u8, mask->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  |     case MFF_TUN_TOS: | 
					
						
							|  |  |  |  |         match_set_tun_tos_masked(match, value->u8, mask->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |     case MFF_METADATA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_metadata_masked(match, value->be64, mask->be64); | 
					
						
							| 
									
										
										
										
											2012-06-27 01:09:44 +12:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-06-27 07:23:25 -07:00
										 |  |  |  |     CASE_MFF_REGS: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_reg_masked(match, mf->id - MFF_REG0, | 
					
						
							|  |  |  |  |                              ntohl(value->be32), ntohl(mask->be32)); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2013-08-06 12:57:16 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-07-28 09:50:37 -07:00
										 |  |  |  |     CASE_MFF_XREGS: | 
					
						
							|  |  |  |  |         match_set_xreg_masked(match, mf->id - MFF_XREG0, | 
					
						
							|  |  |  |  |                               ntohll(value->be64), ntohll(mask->be64)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-08-06 12:57:16 -07:00
										 |  |  |  |     case MFF_PKT_MARK: | 
					
						
							|  |  |  |  |         match_set_pkt_mark_masked(match, ntohl(value->be32), | 
					
						
							|  |  |  |  |                                   ntohl(mask->be32)); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_dst_masked(match, value->mac, mask->mac); | 
					
						
							| 
									
										
										
										
											2012-05-29 00:38:21 +12:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ETH_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_src_masked(match, value->mac, mask->mac); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-19 09:21:49 -07:00
										 |  |  |  |     case MFF_ARP_SHA: | 
					
						
							|  |  |  |  |     case MFF_ND_SLL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_arp_sha_masked(match, value->mac, mask->mac); | 
					
						
							| 
									
										
										
										
											2012-07-19 09:21:49 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_THA: | 
					
						
							|  |  |  |  |     case MFF_ND_TLL: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_arp_tha_masked(match, value->mac, mask->mac); | 
					
						
							| 
									
										
										
										
											2012-07-19 09:21:49 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_VLAN_TCI: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_dl_tci_masked(match, value->be16, mask->be16); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |     case MFF_VLAN_VID: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_vlan_vid_masked(match, value->be16, mask->be16); | 
					
						
							| 
									
										
										
										
											2012-07-22 23:20:22 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_IPV4_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_src_masked(match, value->be32, mask->be32); | 
					
						
							| 
									
										
										
										
											2014-10-07 15:24:11 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV4_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_dst_masked(match, value->be32, mask->be32); | 
					
						
							| 
									
										
										
										
											2014-10-07 15:24:11 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_ipv6_src_masked(match, &value->ipv6, &mask->ipv6); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_IPV6_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_ipv6_dst_masked(match, &value->ipv6, &mask->ipv6); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-07-18 12:02:19 +09:00
										 |  |  |  |     case MFF_IPV6_LABEL: | 
					
						
							|  |  |  |  |         if ((mask->be32 & htonl(IPV6_LABEL_MASK)) == htonl(IPV6_LABEL_MASK)) { | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |             mf_set_value(mf, value, match); | 
					
						
							| 
									
										
										
										
											2012-07-18 12:02:19 +09:00
										 |  |  |  |         } else { | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |             match_set_ipv6_label_masked(match, value->be32, mask->be32); | 
					
						
							| 
									
										
										
										
											2012-07-18 12:02:19 +09:00
										 |  |  |  |         } | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-04-25 15:48:40 -07:00
										 |  |  |  |     case MFF_ND_TARGET: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nd_target_masked(match, &value->ipv6, &mask->ipv6); | 
					
						
							| 
									
										
										
										
											2012-04-25 15:48:40 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     case MFF_IP_FRAG: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_frag_masked(match, value->u8, mask->u8); | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_ARP_SPA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_src_masked(match, value->be32, mask->be32); | 
					
						
							| 
									
										
										
										
											2014-10-07 15:24:11 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_ARP_TPA: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_nw_dst_masked(match, value->be32, mask->be32); | 
					
						
							| 
									
										
										
										
											2014-10-07 15:24:11 -07:00
										 |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-01-27 17:16:05 -08:00
										 |  |  |  |     case MFF_TCP_SRC: | 
					
						
							|  |  |  |  |     case MFF_UDP_SRC: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_SRC: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_tp_src_masked(match, value->be16, mask->be16); | 
					
						
							| 
									
										
										
										
											2012-01-27 17:16:05 -08:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFF_TCP_DST: | 
					
						
							|  |  |  |  |     case MFF_UDP_DST: | 
					
						
							| 
									
										
										
										
											2013-08-22 20:24:45 +12:00
										 |  |  |  |     case MFF_SCTP_DST: | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |         match_set_tp_dst_masked(match, value->be16, mask->be16); | 
					
						
							| 
									
										
										
										
											2012-01-27 17:16:05 -08:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-28 13:54:40 -07:00
										 |  |  |  |     case MFF_TCP_FLAGS: | 
					
						
							|  |  |  |  |         match_set_tcp_flags_masked(match, value->be16, mask->be16); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFF_N_IDS: | 
					
						
							|  |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							| 
									
										
										
										
											2013-08-20 18:41:45 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-07 15:24:11 -07:00
										 |  |  |  |     return ((mf->usable_protocols_bitwise == mf->usable_protocols_cidr | 
					
						
							|  |  |  |  |              || ip_is_cidr(mask->be32)) | 
					
						
							|  |  |  |  |             ? mf->usable_protocols_cidr | 
					
						
							|  |  |  |  |             : mf->usable_protocols_bitwise); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  | static enum ofperr | 
					
						
							|  |  |  |  | mf_check__(const struct mf_subfield *sf, const struct flow *flow, | 
					
						
							|  |  |  |  |            const char *type) | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | { | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  |     if (!sf->field) { | 
					
						
							|  |  |  |  |         VLOG_WARN_RL(&rl, "unknown %s field", type); | 
					
						
							| 
									
										
										
										
											2013-08-23 11:11:03 -07:00
										 |  |  |  |         return OFPERR_OFPBAC_BAD_SET_TYPE; | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  |     } else if (!sf->n_bits) { | 
					
						
							|  |  |  |  |         VLOG_WARN_RL(&rl, "zero bit %s field %s", type, sf->field->name); | 
					
						
							| 
									
										
										
										
											2013-08-23 11:11:03 -07:00
										 |  |  |  |         return OFPERR_OFPBAC_BAD_SET_LEN; | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  |     } else if (sf->ofs >= sf->field->n_bits) { | 
					
						
							|  |  |  |  |         VLOG_WARN_RL(&rl, "bit offset %d exceeds %d-bit width of %s field %s", | 
					
						
							|  |  |  |  |                      sf->ofs, sf->field->n_bits, type, sf->field->name); | 
					
						
							| 
									
										
										
										
											2013-08-23 11:11:03 -07:00
										 |  |  |  |         return OFPERR_OFPBAC_BAD_SET_LEN; | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  |     } else if (sf->ofs + sf->n_bits > sf->field->n_bits) { | 
					
						
							|  |  |  |  |         VLOG_WARN_RL(&rl, "bit offset %d and width %d exceeds %d-bit width " | 
					
						
							|  |  |  |  |                      "of %s field %s", sf->ofs, sf->n_bits, | 
					
						
							|  |  |  |  |                      sf->field->n_bits, type, sf->field->name); | 
					
						
							| 
									
										
										
										
											2013-08-23 11:11:03 -07:00
										 |  |  |  |         return OFPERR_OFPBAC_BAD_SET_LEN; | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  |     } else if (flow && !mf_are_prereqs_ok(sf->field, flow)) { | 
					
						
							|  |  |  |  |         VLOG_WARN_RL(&rl, "%s field %s lacks correct prerequisites", | 
					
						
							|  |  |  |  |                      type, sf->field->name); | 
					
						
							| 
									
										
										
										
											2013-08-23 11:11:03 -07:00
										 |  |  |  |         return OFPERR_OFPBAC_MATCH_INCONSISTENT; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } else { | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  |         return 0; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  | /* Checks whether 'sf' is valid for reading a subfield out of 'flow'.  Returns
 | 
					
						
							|  |  |  |  |  * 0 if so, otherwise an OpenFlow error code (e.g. as returned by | 
					
						
							|  |  |  |  |  * ofp_mkerr()).  */ | 
					
						
							|  |  |  |  | enum ofperr | 
					
						
							|  |  |  |  | mf_check_src(const struct mf_subfield *sf, const struct flow *flow) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     return mf_check__(sf, flow, "source"); | 
					
						
							|  |  |  |  | } | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  | /* Checks whether 'sf' is valid for writing a subfield into 'flow'.  Returns 0
 | 
					
						
							|  |  |  |  |  * if so, otherwise an OpenFlow error code (e.g. as returned by | 
					
						
							|  |  |  |  |  * ofp_mkerr()). */ | 
					
						
							|  |  |  |  | enum ofperr | 
					
						
							|  |  |  |  | mf_check_dst(const struct mf_subfield *sf, const struct flow *flow) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     int error = mf_check__(sf, flow, "destination"); | 
					
						
							|  |  |  |  |     if (!error && !sf->field->writable) { | 
					
						
							|  |  |  |  |         VLOG_WARN_RL(&rl, "destination field %s is not writable", | 
					
						
							|  |  |  |  |                      sf->field->name); | 
					
						
							| 
									
										
										
										
											2013-08-23 11:11:03 -07:00
										 |  |  |  |         return OFPERR_OFPBAC_BAD_SET_ARGUMENT; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  |     return error; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  | /* Copies the value and wildcard bit pattern for 'mf' from 'match' into the
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |  * 'value' and 'mask', respectively. */ | 
					
						
							|  |  |  |  | void | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  | mf_get(const struct mf_field *mf, const struct match *match, | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |        union mf_value *value, union mf_value *mask) | 
					
						
							|  |  |  |  | { | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |     mf_get_value(mf, &match->flow, value); | 
					
						
							|  |  |  |  |     mf_get_mask(mf, &match->wc, mask); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static char * | 
					
						
							|  |  |  |  | mf_from_integer_string(const struct mf_field *mf, const char *s, | 
					
						
							|  |  |  |  |                        uint8_t *valuep, uint8_t *maskp) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     unsigned long long int integer, mask; | 
					
						
							|  |  |  |  |     char *tail; | 
					
						
							|  |  |  |  |     int i; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     errno = 0; | 
					
						
							|  |  |  |  |     integer = strtoull(s, &tail, 0); | 
					
						
							|  |  |  |  |     if (errno || (*tail != '\0' && *tail != '/')) { | 
					
						
							|  |  |  |  |         goto syntax_error; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     if (*tail == '/') { | 
					
						
							|  |  |  |  |         mask = strtoull(tail + 1, &tail, 0); | 
					
						
							|  |  |  |  |         if (errno || *tail != '\0') { | 
					
						
							|  |  |  |  |             goto syntax_error; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |     } else { | 
					
						
							|  |  |  |  |         mask = ULLONG_MAX; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     for (i = mf->n_bytes - 1; i >= 0; i--) { | 
					
						
							|  |  |  |  |         valuep[i] = integer; | 
					
						
							|  |  |  |  |         maskp[i] = mask; | 
					
						
							|  |  |  |  |         integer >>= 8; | 
					
						
							|  |  |  |  |         mask >>= 8; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     if (integer) { | 
					
						
							|  |  |  |  |         return xasprintf("%s: value too large for %u-byte field %s", | 
					
						
							|  |  |  |  |                          s, mf->n_bytes, mf->name); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     return NULL; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | syntax_error: | 
					
						
							|  |  |  |  |     return xasprintf("%s: bad syntax for %s", s, mf->name); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static char * | 
					
						
							|  |  |  |  | mf_from_ethernet_string(const struct mf_field *mf, const char *s, | 
					
						
							|  |  |  |  |                         uint8_t mac[ETH_ADDR_LEN], | 
					
						
							|  |  |  |  |                         uint8_t mask[ETH_ADDR_LEN]) | 
					
						
							|  |  |  |  | { | 
					
						
							| 
									
										
										
										
											2013-07-25 09:48:36 -07:00
										 |  |  |  |     int n; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-07-25 09:48:36 -07:00
										 |  |  |  |     ovs_assert(mf->n_bytes == ETH_ADDR_LEN); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-07-25 09:48:36 -07:00
										 |  |  |  |     n = -1; | 
					
						
							| 
									
										
										
										
											2013-11-09 15:44:23 -08:00
										 |  |  |  |     if (ovs_scan(s, ETH_ADDR_SCAN_FMT"%n", ETH_ADDR_SCAN_ARGS(mac), &n) | 
					
						
							| 
									
										
										
										
											2013-07-25 09:48:36 -07:00
										 |  |  |  |         && n == strlen(s)) { | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         memset(mask, 0xff, ETH_ADDR_LEN); | 
					
						
							|  |  |  |  |         return NULL; | 
					
						
							| 
									
										
										
										
											2013-07-25 09:48:36 -07:00
										 |  |  |  |     } | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-07-25 09:48:36 -07:00
										 |  |  |  |     n = -1; | 
					
						
							| 
									
										
										
										
											2013-11-09 15:44:23 -08:00
										 |  |  |  |     if (ovs_scan(s, ETH_ADDR_SCAN_FMT"/"ETH_ADDR_SCAN_FMT"%n", | 
					
						
							|  |  |  |  |                  ETH_ADDR_SCAN_ARGS(mac), ETH_ADDR_SCAN_ARGS(mask), &n) | 
					
						
							| 
									
										
										
										
											2013-07-25 09:48:36 -07:00
										 |  |  |  |         && n == strlen(s)) { | 
					
						
							|  |  |  |  |         return NULL; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							| 
									
										
										
										
											2013-07-25 09:48:36 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     return xasprintf("%s: invalid Ethernet address", s); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static char * | 
					
						
							|  |  |  |  | mf_from_ipv4_string(const struct mf_field *mf, const char *s, | 
					
						
							|  |  |  |  |                     ovs_be32 *ip, ovs_be32 *mask) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     int prefix; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-06 13:14:55 -08:00
										 |  |  |  |     ovs_assert(mf->n_bytes == sizeof *ip); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-11-09 15:44:23 -08:00
										 |  |  |  |     if (ovs_scan(s, IP_SCAN_FMT"/"IP_SCAN_FMT, | 
					
						
							|  |  |  |  |                  IP_SCAN_ARGS(ip), IP_SCAN_ARGS(mask))) { | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         /* OK. */ | 
					
						
							| 
									
										
										
										
											2013-11-09 15:44:23 -08:00
										 |  |  |  |     } else if (ovs_scan(s, IP_SCAN_FMT"/%d", IP_SCAN_ARGS(ip), &prefix)) { | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         if (prefix <= 0 || prefix > 32) { | 
					
						
							|  |  |  |  |             return xasprintf("%s: network prefix bits not between 1 and " | 
					
						
							|  |  |  |  |                              "32", s); | 
					
						
							|  |  |  |  |         } else if (prefix == 32) { | 
					
						
							| 
									
										
										
										
											2013-06-27 15:27:15 -07:00
										 |  |  |  |             *mask = OVS_BE32_MAX; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         } else { | 
					
						
							|  |  |  |  |             *mask = htonl(((1u << prefix) - 1) << (32 - prefix)); | 
					
						
							|  |  |  |  |         } | 
					
						
							| 
									
										
										
										
											2013-11-09 15:44:23 -08:00
										 |  |  |  |     } else if (ovs_scan(s, IP_SCAN_FMT, IP_SCAN_ARGS(ip))) { | 
					
						
							| 
									
										
										
										
											2013-06-27 15:27:15 -07:00
										 |  |  |  |         *mask = OVS_BE32_MAX; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } else { | 
					
						
							|  |  |  |  |         return xasprintf("%s: invalid IP address", s); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     return NULL; | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static char * | 
					
						
							|  |  |  |  | mf_from_ipv6_string(const struct mf_field *mf, const char *s, | 
					
						
							|  |  |  |  |                     struct in6_addr *value, struct in6_addr *mask) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     char *str = xstrdup(s); | 
					
						
							|  |  |  |  |     char *save_ptr = NULL; | 
					
						
							|  |  |  |  |     const char *name, *netmask; | 
					
						
							|  |  |  |  |     int retval; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-06 13:14:55 -08:00
										 |  |  |  |     ovs_assert(mf->n_bytes == sizeof *value); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     name = strtok_r(str, "/", &save_ptr); | 
					
						
							|  |  |  |  |     retval = name ? lookup_ipv6(name, value) : EINVAL; | 
					
						
							|  |  |  |  |     if (retval) { | 
					
						
							|  |  |  |  |         char *err; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         err = xasprintf("%s: could not convert to IPv6 address", str); | 
					
						
							|  |  |  |  |         free(str); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         return err; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     netmask = strtok_r(NULL, "/", &save_ptr); | 
					
						
							|  |  |  |  |     if (netmask) { | 
					
						
							| 
									
										
										
										
											2012-05-22 22:49:31 -07:00
										 |  |  |  |         if (inet_pton(AF_INET6, netmask, mask) != 1) { | 
					
						
							|  |  |  |  |             int prefix = atoi(netmask); | 
					
						
							|  |  |  |  |             if (prefix <= 0 || prefix > 128) { | 
					
						
							|  |  |  |  |                 free(str); | 
					
						
							|  |  |  |  |                 return xasprintf("%s: prefix bits not between 1 and 128", s); | 
					
						
							|  |  |  |  |             } else { | 
					
						
							|  |  |  |  |                 *mask = ipv6_create_mask(prefix); | 
					
						
							|  |  |  |  |             } | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         } | 
					
						
							|  |  |  |  |     } else { | 
					
						
							|  |  |  |  |         *mask = in6addr_exact; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     free(str); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     return NULL; | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static char * | 
					
						
							|  |  |  |  | mf_from_ofp_port_string(const struct mf_field *mf, const char *s, | 
					
						
							|  |  |  |  |                         ovs_be16 *valuep, ovs_be16 *maskp) | 
					
						
							|  |  |  |  | { | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |     ofp_port_t port; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-06 13:14:55 -08:00
										 |  |  |  |     ovs_assert(mf->n_bytes == sizeof(ovs_be16)); | 
					
						
							| 
									
										
										
										
											2013-05-10 22:54:35 +03:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     if (ofputil_port_from_string(s, &port)) { | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |         *valuep = htons(ofp_to_u16(port)); | 
					
						
							| 
									
										
										
										
											2013-06-27 15:27:15 -07:00
										 |  |  |  |         *maskp = OVS_BE16_MAX; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         return NULL; | 
					
						
							|  |  |  |  |     } | 
					
						
							| 
									
										
										
										
											2013-05-10 22:54:35 +03:00
										 |  |  |  |     return xasprintf("%s: port value out of range for %s", s, mf->name); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  | static char * | 
					
						
							|  |  |  |  | mf_from_ofp_port_string32(const struct mf_field *mf, const char *s, | 
					
						
							|  |  |  |  |                           ovs_be32 *valuep, ovs_be32 *maskp) | 
					
						
							|  |  |  |  | { | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |     ofp_port_t port; | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     ovs_assert(mf->n_bytes == sizeof(ovs_be32)); | 
					
						
							|  |  |  |  |     if (ofputil_port_from_string(s, &port)) { | 
					
						
							|  |  |  |  |         *valuep = ofputil_port_to_ofp11(port); | 
					
						
							| 
									
										
										
										
											2013-06-27 15:27:15 -07:00
										 |  |  |  |         *maskp = OVS_BE32_MAX; | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |         return NULL; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     return xasprintf("%s: port value out of range for %s", s, mf->name); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  | struct frag_handling { | 
					
						
							|  |  |  |  |     const char *name; | 
					
						
							|  |  |  |  |     uint8_t mask; | 
					
						
							|  |  |  |  |     uint8_t value; | 
					
						
							|  |  |  |  | }; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static const struct frag_handling all_frags[] = { | 
					
						
							| 
									
										
										
										
											2011-11-09 17:10:27 -08:00
										 |  |  |  | #define A FLOW_NW_FRAG_ANY
 | 
					
						
							|  |  |  |  | #define L FLOW_NW_FRAG_LATER
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     /* name               mask  value */ | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     { "no",               A|L,  0     }, | 
					
						
							|  |  |  |  |     { "first",            A|L,  A     }, | 
					
						
							|  |  |  |  |     { "later",            A|L,  A|L   }, | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     { "no",               A,    0     }, | 
					
						
							|  |  |  |  |     { "yes",              A,    A     }, | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     { "not_later",        L,    0     }, | 
					
						
							|  |  |  |  |     { "later",            L,    L     }, | 
					
						
							|  |  |  |  | #undef A
 | 
					
						
							|  |  |  |  | #undef L
 | 
					
						
							|  |  |  |  | }; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static char * | 
					
						
							|  |  |  |  | mf_from_frag_string(const char *s, uint8_t *valuep, uint8_t *maskp) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     const struct frag_handling *h; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     for (h = all_frags; h < &all_frags[ARRAY_SIZE(all_frags)]; h++) { | 
					
						
							|  |  |  |  |         if (!strcasecmp(s, h->name)) { | 
					
						
							|  |  |  |  |             /* We force the upper bits of the mask on to make mf_parse_value()
 | 
					
						
							|  |  |  |  |              * happy (otherwise it will never think it's an exact match.) */ | 
					
						
							| 
									
										
										
										
											2011-11-09 17:10:27 -08:00
										 |  |  |  |             *maskp = h->mask | ~FLOW_NW_FRAG_MASK; | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |             *valuep = h->value; | 
					
						
							|  |  |  |  |             return NULL; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     return xasprintf("%s: unknown fragment type (valid types are \"no\", " | 
					
						
							|  |  |  |  |                      "\"yes\", \"first\", \"later\", \"not_first\"", s); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  | static int | 
					
						
							|  |  |  |  | parse_flow_tun_flags(const char *s_, const char *(*bit_to_string)(uint32_t), | 
					
						
							|  |  |  |  |                      ovs_be16 *res) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     uint32_t result = 0; | 
					
						
							|  |  |  |  |     char *save_ptr = NULL; | 
					
						
							|  |  |  |  |     char *name; | 
					
						
							|  |  |  |  |     int rc = 0; | 
					
						
							|  |  |  |  |     char *s = xstrdup(s_); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     for (name = strtok_r((char *)s, " |", &save_ptr); name; | 
					
						
							|  |  |  |  |          name = strtok_r(NULL, " |", &save_ptr)) { | 
					
						
							|  |  |  |  |         int name_len; | 
					
						
							|  |  |  |  |         unsigned long long int flags; | 
					
						
							|  |  |  |  |         uint32_t bit; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-11-09 15:44:23 -08:00
										 |  |  |  |         if (ovs_scan(name, "%lli", &flags)) { | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |             result |= flags; | 
					
						
							|  |  |  |  |             continue; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |         name_len = strlen(name); | 
					
						
							|  |  |  |  |         for (bit = 1; bit; bit <<= 1) { | 
					
						
							|  |  |  |  |             const char *fname = bit_to_string(bit); | 
					
						
							|  |  |  |  |             size_t len; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |             if (!fname) { | 
					
						
							|  |  |  |  |                 continue; | 
					
						
							|  |  |  |  |             } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |             len = strlen(fname); | 
					
						
							|  |  |  |  |             if (len != name_len) { | 
					
						
							|  |  |  |  |                 continue; | 
					
						
							|  |  |  |  |             } | 
					
						
							|  |  |  |  |             if (!strncmp(name, fname, len)) { | 
					
						
							|  |  |  |  |                 result |= bit; | 
					
						
							|  |  |  |  |                 break; | 
					
						
							|  |  |  |  |             } | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         if (!bit) { | 
					
						
							|  |  |  |  |             rc = -ENOENT; | 
					
						
							|  |  |  |  |             goto out; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     *res = htons(result); | 
					
						
							|  |  |  |  | out: | 
					
						
							|  |  |  |  |     free(s); | 
					
						
							|  |  |  |  |     return rc; | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static char * | 
					
						
							| 
									
										
										
										
											2012-12-21 14:01:43 -08:00
										 |  |  |  | mf_from_tun_flags_string(const char *s, ovs_be16 *valuep, ovs_be16 *maskp) | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  | { | 
					
						
							|  |  |  |  |     if (!parse_flow_tun_flags(s, flow_tun_flag_to_string, valuep)) { | 
					
						
							| 
									
										
										
										
											2013-06-27 15:27:15 -07:00
										 |  |  |  |         *maskp = OVS_BE16_MAX; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |         return NULL; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     return xasprintf("%s: unknown tunnel flags (valid flags are \"df\", " | 
					
						
							| 
									
										
										
										
											2013-11-09 15:12:12 -08:00
										 |  |  |  |                      "\"csum\", \"key\")", s); | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-12-02 15:14:09 -08:00
										 |  |  |  | static char * | 
					
						
							|  |  |  |  | mf_from_tcp_flags_string(const char *s, ovs_be16 *flagsp, ovs_be16 *maskp) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     uint16_t flags = 0; | 
					
						
							|  |  |  |  |     uint16_t mask = 0; | 
					
						
							|  |  |  |  |     uint16_t bit; | 
					
						
							|  |  |  |  |     int n; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     if (ovs_scan(s, "%"SCNi16"/%"SCNi16"%n", &flags, &mask, &n) && !s[n]) { | 
					
						
							|  |  |  |  |         *flagsp = htons(flags); | 
					
						
							|  |  |  |  |         *maskp = htons(mask); | 
					
						
							|  |  |  |  |         return NULL; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     if (ovs_scan(s, "%"SCNi16"%n", &flags, &n) && !s[n]) { | 
					
						
							|  |  |  |  |         *flagsp = htons(flags); | 
					
						
							|  |  |  |  |         *maskp = OVS_BE16_MAX; | 
					
						
							|  |  |  |  |         return NULL; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     while (*s != '\0') { | 
					
						
							|  |  |  |  |         bool set; | 
					
						
							|  |  |  |  |         int name_len; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         switch (*s) { | 
					
						
							|  |  |  |  |         case '+': | 
					
						
							|  |  |  |  |             set = true; | 
					
						
							|  |  |  |  |             break; | 
					
						
							|  |  |  |  |         case '-': | 
					
						
							|  |  |  |  |             set = false; | 
					
						
							|  |  |  |  |             break; | 
					
						
							|  |  |  |  |         default: | 
					
						
							|  |  |  |  |             return xasprintf("%s: TCP flag must be preceded by '+' (for SET) " | 
					
						
							|  |  |  |  |                              "or '-' (NOT SET)", s); | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |         s++; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         name_len = strcspn(s,"+-"); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         for (bit = 1; bit; bit <<= 1) { | 
					
						
							|  |  |  |  |             const char *fname = packet_tcp_flag_to_string(bit); | 
					
						
							|  |  |  |  |             size_t len; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |             if (!fname) { | 
					
						
							|  |  |  |  |                 continue; | 
					
						
							|  |  |  |  |             } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |             len = strlen(fname); | 
					
						
							|  |  |  |  |             if (len != name_len) { | 
					
						
							|  |  |  |  |                 continue; | 
					
						
							|  |  |  |  |             } | 
					
						
							|  |  |  |  |             if (!strncmp(s, fname, len)) { | 
					
						
							|  |  |  |  |                 if (mask & bit) { | 
					
						
							|  |  |  |  |                     return xasprintf("%s: Each TCP flag can be specified only " | 
					
						
							|  |  |  |  |                                      "once", s); | 
					
						
							|  |  |  |  |                 } | 
					
						
							|  |  |  |  |                 if (set) { | 
					
						
							|  |  |  |  |                     flags |= bit; | 
					
						
							|  |  |  |  |                 } | 
					
						
							|  |  |  |  |                 mask |= bit; | 
					
						
							|  |  |  |  |                 break; | 
					
						
							|  |  |  |  |             } | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         if (!bit) { | 
					
						
							|  |  |  |  |             return xasprintf("%s: unknown TCP flag(s)", s); | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |         s += name_len; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     *flagsp = htons(flags); | 
					
						
							|  |  |  |  |     *maskp = htons(mask); | 
					
						
							|  |  |  |  |     return NULL; | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | /* Parses 's', a string value for field 'mf', into 'value' and 'mask'.  Returns
 | 
					
						
							|  |  |  |  |  * NULL if successful, otherwise a malloc()'d string describing the error. */ | 
					
						
							|  |  |  |  | char * | 
					
						
							|  |  |  |  | mf_parse(const struct mf_field *mf, const char *s, | 
					
						
							|  |  |  |  |          union mf_value *value, union mf_value *mask) | 
					
						
							|  |  |  |  | { | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |     char *error; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-01-08 15:29:44 -08:00
										 |  |  |  |     if (!strcmp(s, "*")) { | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         memset(value, 0, mf->n_bytes); | 
					
						
							|  |  |  |  |         memset(mask, 0, mf->n_bytes); | 
					
						
							|  |  |  |  |         return NULL; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     switch (mf->string) { | 
					
						
							|  |  |  |  |     case MFS_DECIMAL: | 
					
						
							|  |  |  |  |     case MFS_HEXADECIMAL: | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |         error = mf_from_integer_string(mf, s, | 
					
						
							|  |  |  |  |                                        (uint8_t *) value, (uint8_t *) mask); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFS_ETHERNET: | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |         error = mf_from_ethernet_string(mf, s, value->mac, mask->mac); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFS_IPV4: | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |         error = mf_from_ipv4_string(mf, s, &value->be32, &mask->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFS_IPV6: | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |         error = mf_from_ipv6_string(mf, s, &value->ipv6, &mask->ipv6); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFS_OFP_PORT: | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |         error = mf_from_ofp_port_string(mf, s, &value->be16, &mask->be16); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |     case MFS_OFP_PORT_OXM: | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |         error = mf_from_ofp_port_string32(mf, s, &value->be32, &mask->be32); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     case MFS_FRAG: | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |         error = mf_from_frag_string(s, &value->u8, &mask->u8); | 
					
						
							|  |  |  |  |         break; | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFS_TNL_FLAGS: | 
					
						
							| 
									
										
										
										
											2012-11-06 13:14:55 -08:00
										 |  |  |  |         ovs_assert(mf->n_bytes == sizeof(ovs_be16)); | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |         error = mf_from_tun_flags_string(s, &value->be16, &mask->be16); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-12-02 15:14:09 -08:00
										 |  |  |  |     case MFS_TCP_FLAGS: | 
					
						
							|  |  |  |  |         ovs_assert(mf->n_bytes == sizeof(ovs_be16)); | 
					
						
							|  |  |  |  |         error = mf_from_tcp_flags_string(s, &value->be16, &mask->be16); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							| 
									
										
										
										
											2013-10-31 17:18:38 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     if (!error && !mf_is_mask_valid(mf, mask)) { | 
					
						
							|  |  |  |  |         error = xasprintf("%s: invalid mask for field %s", s, mf->name); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     return error; | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | /* Parses 's', a string value for field 'mf', into 'value'.  Returns NULL if
 | 
					
						
							|  |  |  |  |  * successful, otherwise a malloc()'d string describing the error. */ | 
					
						
							|  |  |  |  | char * | 
					
						
							|  |  |  |  | mf_parse_value(const struct mf_field *mf, const char *s, union mf_value *value) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     union mf_value mask; | 
					
						
							|  |  |  |  |     char *error; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     error = mf_parse(mf, s, value, &mask); | 
					
						
							|  |  |  |  |     if (error) { | 
					
						
							|  |  |  |  |         return error; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     if (!is_all_ones((const uint8_t *) &mask, mf->n_bytes)) { | 
					
						
							|  |  |  |  |         return xasprintf("%s: wildcards not allowed here", s); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     return NULL; | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | static void | 
					
						
							|  |  |  |  | mf_format_integer_string(const struct mf_field *mf, const uint8_t *valuep, | 
					
						
							|  |  |  |  |                          const uint8_t *maskp, struct ds *s) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     unsigned long long int integer; | 
					
						
							|  |  |  |  |     int i; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-06 13:14:55 -08:00
										 |  |  |  |     ovs_assert(mf->n_bytes <= 8); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     integer = 0; | 
					
						
							|  |  |  |  |     for (i = 0; i < mf->n_bytes; i++) { | 
					
						
							|  |  |  |  |         integer = (integer << 8) | valuep[i]; | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     if (mf->string == MFS_HEXADECIMAL) { | 
					
						
							|  |  |  |  |         ds_put_format(s, "%#llx", integer); | 
					
						
							|  |  |  |  |     } else { | 
					
						
							|  |  |  |  |         ds_put_format(s, "%lld", integer); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     if (maskp) { | 
					
						
							|  |  |  |  |         unsigned long long int mask; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         mask = 0; | 
					
						
							|  |  |  |  |         for (i = 0; i < mf->n_bytes; i++) { | 
					
						
							|  |  |  |  |             mask = (mask << 8) | maskp[i]; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |         /* I guess we could write the mask in decimal for MFS_DECIMAL but I'm
 | 
					
						
							|  |  |  |  |          * not sure that that a bit-mask written in decimal is ever easier to | 
					
						
							|  |  |  |  |          * understand than the same bit-mask written in hexadecimal. */ | 
					
						
							|  |  |  |  |         ds_put_format(s, "/%#llx", mask); | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  | static void | 
					
						
							| 
									
										
										
										
											2013-01-24 13:39:23 -08:00
										 |  |  |  | mf_format_frag_string(uint8_t value, uint8_t mask, struct ds *s) | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  | { | 
					
						
							|  |  |  |  |     const struct frag_handling *h; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-11-09 17:10:27 -08:00
										 |  |  |  |     mask &= FLOW_NW_FRAG_MASK; | 
					
						
							| 
									
										
										
										
											2013-01-24 13:39:23 -08:00
										 |  |  |  |     value &= mask; | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  | 
 | 
					
						
							|  |  |  |  |     for (h = all_frags; h < &all_frags[ARRAY_SIZE(all_frags)]; h++) { | 
					
						
							|  |  |  |  |         if (value == h->value && mask == h->mask) { | 
					
						
							|  |  |  |  |             ds_put_cstr(s, h->name); | 
					
						
							|  |  |  |  |             return; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     ds_put_cstr(s, "<error>"); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  | static void | 
					
						
							|  |  |  |  | mf_format_tnl_flags_string(const ovs_be16 *valuep, struct ds *s) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     format_flags(s, flow_tun_flag_to_string, ntohs(*valuep), '|'); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-12-02 15:14:09 -08:00
										 |  |  |  | static void | 
					
						
							|  |  |  |  | mf_format_tcp_flags_string(ovs_be16 value, ovs_be16 mask, struct ds *s) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     format_flags_masked(s, NULL, packet_tcp_flag_to_string, ntohs(value), | 
					
						
							|  |  |  |  |                         TCP_FLAGS(mask)); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  | /* Appends to 's' a string representation of field 'mf' whose value is in
 | 
					
						
							|  |  |  |  |  * 'value' and 'mask'.  'mask' may be NULL to indicate an exact match. */ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_format(const struct mf_field *mf, | 
					
						
							|  |  |  |  |           const union mf_value *value, const union mf_value *mask, | 
					
						
							|  |  |  |  |           struct ds *s) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     if (mask) { | 
					
						
							| 
									
										
										
										
											2014-09-05 15:44:19 -07:00
										 |  |  |  |         if (is_all_zeros(mask, mf->n_bytes)) { | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |             ds_put_cstr(s, "ANY"); | 
					
						
							|  |  |  |  |             return; | 
					
						
							| 
									
										
										
										
											2014-09-05 15:44:19 -07:00
										 |  |  |  |         } else if (is_all_ones(mask, mf->n_bytes)) { | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |             mask = NULL; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     switch (mf->string) { | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |     case MFS_OFP_PORT_OXM: | 
					
						
							|  |  |  |  |         if (!mask) { | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |             ofp_port_t port; | 
					
						
							| 
									
										
										
										
											2013-05-20 12:21:51 -07:00
										 |  |  |  |             ofputil_port_from_ofp11(value->be32, &port); | 
					
						
							| 
									
										
										
										
											2013-05-19 15:44:53 +03:00
										 |  |  |  |             ofputil_format_port(port, s); | 
					
						
							|  |  |  |  |             break; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |         /* fall through */ | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     case MFS_OFP_PORT: | 
					
						
							|  |  |  |  |         if (!mask) { | 
					
						
							| 
									
										
										
										
											2013-06-19 16:58:44 -07:00
										 |  |  |  |             ofputil_format_port(u16_to_ofp(ntohs(value->be16)), s); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |             break; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |         /* fall through */ | 
					
						
							|  |  |  |  |     case MFS_DECIMAL: | 
					
						
							|  |  |  |  |     case MFS_HEXADECIMAL: | 
					
						
							|  |  |  |  |         mf_format_integer_string(mf, (uint8_t *) value, (uint8_t *) mask, s); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFS_ETHERNET: | 
					
						
							| 
									
										
										
										
											2012-05-29 11:07:16 -07:00
										 |  |  |  |         eth_format_masked(value->mac, mask->mac, s); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFS_IPV4: | 
					
						
							| 
									
										
										
										
											2013-06-27 15:27:15 -07:00
										 |  |  |  |         ip_format_masked(value->be32, mask ? mask->be32 : OVS_BE32_MAX, s); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     case MFS_IPV6: | 
					
						
							|  |  |  |  |         print_ipv6_masked(s, &value->ipv6, mask ? &mask->ipv6 : NULL); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |     case MFS_FRAG: | 
					
						
							| 
									
										
										
										
											2013-01-24 13:39:23 -08:00
										 |  |  |  |         mf_format_frag_string(value->u8, mask ? mask->u8 : UINT8_MAX, s); | 
					
						
							| 
									
										
											  
											
												Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
											
										 
											2011-10-19 21:33:44 -07:00
										 |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-11-21 18:51:36 -08:00
										 |  |  |  |     case MFS_TNL_FLAGS: | 
					
						
							|  |  |  |  |         mf_format_tnl_flags_string(&value->be16, s); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2013-12-02 15:14:09 -08:00
										 |  |  |  |     case MFS_TCP_FLAGS: | 
					
						
							|  |  |  |  |         mf_format_tcp_flags_string(value->be16, | 
					
						
							|  |  |  |  |                                    mask ? mask->be16 : OVS_BE16_MAX, s); | 
					
						
							|  |  |  |  |         break; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     default: | 
					
						
							| 
									
										
										
										
											2013-12-17 10:32:12 -08:00
										 |  |  |  |         OVS_NOT_REACHED(); | 
					
						
							| 
									
										
										
										
											2011-09-12 12:11:50 -07:00
										 |  |  |  |     } | 
					
						
							|  |  |  |  | } | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  |  | 
					
						
							| 
									
										
										
										
											2012-09-12 17:44:28 +09:00
										 |  |  |  | /* Makes subfield 'sf' within 'flow' exactly match the 'sf->n_bits'
 | 
					
						
							|  |  |  |  |  * least-significant bits in 'x'. | 
					
						
							|  |  |  |  |  */ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_write_subfield_flow(const struct mf_subfield *sf, | 
					
						
							|  |  |  |  |                        const union mf_subvalue *x, struct flow *flow) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     const struct mf_field *field = sf->field; | 
					
						
							|  |  |  |  |     union mf_value value; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     mf_get_value(field, flow, &value); | 
					
						
							| 
									
										
										
										
											2012-09-12 11:37:53 -07:00
										 |  |  |  |     bitwise_copy(x, sizeof *x, 0, &value, field->n_bytes, | 
					
						
							| 
									
										
										
										
											2012-09-12 17:44:28 +09:00
										 |  |  |  |                  sf->ofs, sf->n_bits); | 
					
						
							|  |  |  |  |     mf_set_flow_value(field, &value, flow); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  | /* Makes subfield 'sf' within 'match' exactly match the 'sf->n_bits'
 | 
					
						
							| 
									
										
										
										
											2012-04-11 14:45:34 -07:00
										 |  |  |  |  * least-significant bits in 'x'. | 
					
						
							| 
									
										
										
										
											2012-07-05 17:15:17 +09:00
										 |  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2012-04-11 14:45:34 -07:00
										 |  |  |  | void | 
					
						
							|  |  |  |  | mf_write_subfield(const struct mf_subfield *sf, const union mf_subvalue *x, | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |                   struct match *match) | 
					
						
							| 
									
										
										
										
											2012-04-11 14:45:34 -07:00
										 |  |  |  | { | 
					
						
							|  |  |  |  |     const struct mf_field *field = sf->field; | 
					
						
							|  |  |  |  |     union mf_value value, mask; | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |     mf_get(field, match, &value, &mask); | 
					
						
							| 
									
										
										
										
											2012-04-11 14:45:34 -07:00
										 |  |  |  |     bitwise_copy(x, sizeof *x, 0, &value, field->n_bytes, sf->ofs, sf->n_bits); | 
					
						
							|  |  |  |  |     bitwise_one (                 &mask,  field->n_bytes, sf->ofs, sf->n_bits); | 
					
						
							| 
									
										
										
										
											2012-08-07 15:28:18 -07:00
										 |  |  |  |     mf_set(field, &value, &mask, match); | 
					
						
							| 
									
										
										
										
											2012-04-11 14:45:34 -07:00
										 |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | /* Initializes 'x' to the value of 'sf' within 'flow'.  'sf' must be valid for
 | 
					
						
							|  |  |  |  |  * reading 'flow', e.g. as checked by mf_check_src(). */ | 
					
						
							|  |  |  |  | void | 
					
						
							|  |  |  |  | mf_read_subfield(const struct mf_subfield *sf, const struct flow *flow, | 
					
						
							|  |  |  |  |                  union mf_subvalue *x) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     union mf_value value; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     mf_get_value(sf->field, flow, &value); | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     memset(x, 0, sizeof *x); | 
					
						
							|  |  |  |  |     bitwise_copy(&value, sf->field->n_bytes, sf->ofs, | 
					
						
							|  |  |  |  |                  x, sizeof *x, 0, | 
					
						
							|  |  |  |  |                  sf->n_bits); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-12-28 12:42:14 -08:00
										 |  |  |  | /* Returns the value of 'sf' within 'flow'.  'sf' must be valid for reading
 | 
					
						
							|  |  |  |  |  * 'flow', e.g. as checked by mf_check_src() and sf->n_bits must be 64 or | 
					
						
							|  |  |  |  |  * less. */ | 
					
						
							|  |  |  |  | uint64_t | 
					
						
							|  |  |  |  | mf_get_subfield(const struct mf_subfield *sf, const struct flow *flow) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     union mf_value value; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     mf_get_value(sf->field, flow, &value); | 
					
						
							|  |  |  |  |     return bitwise_get(&value, sf->field->n_bytes, sf->ofs, sf->n_bits); | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-09-12 17:44:28 +09:00
										 |  |  |  | void | 
					
						
							|  |  |  |  | mf_format_subvalue(const union mf_subvalue *subvalue, struct ds *s) | 
					
						
							|  |  |  |  | { | 
					
						
							|  |  |  |  |     int i; | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  |     for (i = 0; i < ARRAY_SIZE(subvalue->u8); i++) { | 
					
						
							|  |  |  |  |         if (subvalue->u8[i]) { | 
					
						
							|  |  |  |  |             ds_put_format(s, "0x%"PRIx8, subvalue->u8[i]); | 
					
						
							|  |  |  |  |             for (i++; i < ARRAY_SIZE(subvalue->u8); i++) { | 
					
						
							|  |  |  |  |                 ds_put_format(s, "%02"PRIx8, subvalue->u8[i]); | 
					
						
							|  |  |  |  |             } | 
					
						
							|  |  |  |  |             return; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  |     } | 
					
						
							|  |  |  |  |     ds_put_char(s, '0'); | 
					
						
							|  |  |  |  | } |