It seemed to me that the descriptions of what actions do should be just
above the action structures, where the reader can see the arguments,
instead of just above the enumeration name, so I rearranged the code
this way.
A few actions didn't have their own structures, so to do this I had to give
them some.
The OpenFlow OFPAT_ENQUEUE action sets a queue id and outputs the packet
in one shot. There are times in which the queue should be set, but the
output port is not yet known. This commit adds the NXAST_SET_QUEUE and
NXAST_POP_QUEUE Nicira extension actions to modify the queue
configuration without requiring a port argument.
CC: Jeremy Stribling <strib@nicira.com>
CC: Keith Amidon <keith@nicira.com>
"ARP spoofing" is when a host claims an incorrect association between an
IP address and a MAC address for deceptive purposes. OpenFlow by itself
can prevent a host from sending out ARP replies from an incorrect MAC
address in the Ethernet L2 header, but it cannot control the MAC addresses
inside the ARP L3 packet. This commit adds a new action that can be used
to drop these spoofed packets.
CC: Paul Ingram <paul@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
ovs-vswitchd doesn't declare its QoS capabilities in the database yet,
so the controller has to know what they are. We can add that later.
The linux-htb QoS class has been tested to the extent that I can see that
it sets up the queues I expect when I run "tc qdisc show" and "tc class
show". I haven't tested that the effects on flows are what we expect them
to be. I am sure that there will be problems in that area that we will
have to fix.
Now that Open vSwitch has support for multiple simultaneous controllers,
there is some need for a degree of coordination among them. For now, the
plan is for the controllers themselves to take the lead on this. This
commit adds a small bit of OVS infrastructure: the ability for a controller
to designate itself as a "master" or a "slave". There may be at most one
master at a time; when a controller designates itself as the master, then
any existing master is demoted to slave status. Slave controllers are not
allowed to modify the flow table or global configuration; any attempt to
do so is rejected with a "bad request" error.
Feature #2495.
Add a tun_id field which contains the ID of the encapsulating tunnel
on which a packet was received (0 if not received on a tunnel). Also
add an action which allows the tunnel ID to be set for outgoing
packets. At this point there aren't any tunnel implementations so
these fields don't have any effect.
The matching is exposed to OpenFlow by overloading the high 32 bits
of the cookie as the tunnel ID. ovs-ofctl is capable of turning
on this special behavior using a new "tun-cookie" command but this
command is intentially undocumented to avoid it being used without
a full understanding of the consequences.
If NXAST_RESUBMIT adopts the replacement in_port for executing actions,
then OFPP_NORMAL will believe that traffic originated from whatever port
that is. This seems unlikely to ever be useful and in fact breaks
applications that use NXAST_RESUBMIT for two-stage ACLs.
Bug #2644.
Until now, the NXAST_RESUBMIT action has always looked up the original
flow except for the updated in_port. This commit changes the semantics to
instead look up the flow as modified by any preceding actions that affect
it, e.g. if OFPAT_SET_VLAN_VID precedes NXAST_RESUBMIT, then NXAST_RESUBMIT
now looks up the flow with the modified VLAN, not the original (as well as
the modified in_port).
Also, document how NXAST_RESUBMIT is supposed to work.
Suggested-by: Paul Ingram <paul@nicira.com>
Finalize OpenFlow 1.0 wire-compatibility:
- Set protocol version to 0x01
- Remove references to retired OFPC_MULTI_PHY_TX
- Clean extraneous spaces in header file
NOTE: This is the final commit in the OpenFlow 1.0 set. Starting with
this commit, OVS is OpenFlow 1.0 wire-compatible. Slicing is not yet
implemented.
OpenFlow 1.0 adds support for a subset of QoS that's referred to as slicing.
Open vSwitch does not support this yet, so send errors if it's used.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
OpenFlow 1.0 adds "port_no" field to the Port Stat request messages to
allow stats for individual ports to be queried. Port stats for all ports
can still be requested by specifying OFPP_NONE as the port number.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
OpenFlow 1.0 adds support for matching on IP ToS/DSCP bits.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
OpenFlow 1.0 increases the resolution of flow stats and flow removed messages
from seconds to (potentially) nanoseconds. The spec stats that only
millisecond granularity is required, so that's all we provide at this
time. Increasing to nanoseconds would require more significant code
change and would not provide an appreciable improvement in real world
use.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
The OpenFlow 1.0 specification supports matching the IP address and
opcode in ARP messages. The datapath already supports this, so this
commit merely exposes that through the OpenFlow module.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0
until the final commit in this OpenFlow 1.0 set.
In OpenFlow 1.0, flows have been extended to include an opaque
identifier, referred to as a cookie. The cookie is specified by the
controller when the flow is installed; the cookie will be returned as
part of each flow stats and flow removed message.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this Openflow 1.0 set.
In OpenFlow 1.0, a "dp_desc" character array was added to the ofp_desc_stats
structure that allows a human readable description of the datapath to be
provided.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
The length of a datapath was changed from 48 bits to 64 bits in OpenFlow
0.9. For parity, we increased the management id size to match.
NOTE: This is the final commit in the OpenFlow 0.9 set. Starting with
this commit, OVS is OpenFlow 0.9-compliant.
OpenFlow 0.9 introduces the concept of the barrier command. When the
controller sends a Barrier Request, the switch is not allowed to respond
with a Barrier Reply until it has finished processing any other commands
that preceded it. This commit provides that support.
NOTE: OVS at this point is not wire-compatible with OpenFlow 0.9 until the
final commit in this OpenFlow 0.9 set.
This commit cleans up a few comments in openflow.h. The only one of
significance is that OpenFlow port numbers now begin enumeration at 1.
OVS already behaved in this manner, so this is just a documentation
issue for us.
NOTE: OVS at this point is not wire-compatible with OpenFlow 0.9 until the
final commit in this OpenFlow 0.9 set.
In OpenFlow 0.9, flow "expiration" messages are sent when flows are
explicitly removed by a delete action. As such, the message is renamed
from Flow Expired to Flow Removed. This commit adds that support as well
as supporting the ability to choose sending these messages on a per flow
basis.
NOTE: OVS at this point is not wire-compatible with OpenFlow 0.9 until the
final commit in this OpenFlow 0.9 set.
This commit adds (some) support for a couple new OpenFlow 0.9 features:
- The OFPFF_CHECK_OVERLAP flag in Flow Mod messages allows the
controller to prevent flows that would conflict at the same
priority.
- An emergency flow cache that contains a small flow table that is
used if the switch loses connectivity with the controller. I
believe the design has fundamental flaws and looks likely to be
retired. If a controller attempts to add a flow to the emergency
flow cache, OVS always responds that the tables are full.
The OpenFlow 0.9 error codes are also sync'd in the commit.
NOTE: OVS at this point is not wire-compatible with OpenFlow 0.9 until the
final commit in this OpenFlow 0.9 set.
Starting in OpenFlow 0.9, it is possible to match on the VLAN PCP
(priority) field and rewrite the IP ToS/DSCP bits. This check-in
provides that support and bumps the wire protocol number to 0x98.
NOTE: The wire changes come together over the set of OpenFlow 0.9 commits,
so OVS will not be OpenFlow-compatible with any official release between
this commit and the one that completes the set.
Older versions of Open vSwitch supported a management protocol based on
OpenFlow message framing. The current Open vSwitch instead uses the
OVSDB protocol for the same purposes. We don't plan to support this older
protocol any longer, so this commit deletes support.
This commit also deletes the management_id column from the vswitch's
database schema. The management_id was used by the older management
protocol to match up OpenFlow switch connections to management connections,
but the current implementation instead matches up connections based on
the datapath IDs exported by the configuration database. In fact, the
OpenFlow connections had no way to actually export the management ID, so
this just deletes code that was essentially without function anyhow.
At one point Nicira had deployment plans for which adding a remote command
execution feature to the OpenFlow stack made a lot of sense. We no longer
have those plans, as far as I know, and leaving the feature in seems like
a huge potential security hole. So this commit blows away the entire
feature.
OpenFlow has a maximum messages size of 65536 bytes, but management
messages can be greater than that. The management protocol's Extended
Data message is used to get around that limitation. This commit cleans
up some problems with our implementation and adds some additional
sanity-checking to received messages.
Related to vNetManager Bug #1843.
OpenFlow 0.9 will change the interpretation of a max_len of 0 in an
OFPP_CONTROLLER output action from "send entire packet" to "send 0 bytes
of packet", but ovs-ofctl documents that specifying no argument or "ALL"
as the argument to a CONTROLLER output action sends the whole packet, so
we need to make that happen.
OpenFlow uses a 16-bit field to describe the message length, which
limits messages to a maximum 65535 bytes. Some of the messages passed
by the management protocol may be larger than this, so a general
Extended Data message has been added to management protocol. It
encapsulates a single giant OpenFlow-like message, and breaks it into
however many vaild smaller ones are required.
The controller needs to know various things about virtual interfaces as
they move about the network. This commit sends the VIF, virtual
machine, and network UUIDs associated with the VIF, as well as its MAC
address over the management channel.
Feature #1324
One of the OpenFlow managment protocol's UUID TLV messages had a problem
building on 64-bit systems. By extending the structure length by 4
bytes, the problem goes away.
