The NXM_IS_NX_REG macro didn't check the "hasmask" bit, which meant that it
looked like it was supposed to match both exact and wildcarded NXM headers,
e.g. both NXM_NX_REG0 and NXM_NX_REG0_W. But exact and wildcarded NXM
headers differ not just in the "hasmask" bit but in the "length" value
also (the wildcarded version's length is twice the exact version's length),
so this was not what it actually did.
The only current users of NXM_IS_NX_REG actually only want to match exact
versions, so this commit makes it only match those. It also adds a new
NXM_IS_NX_REG_W macro that matches only wildcarded versions. This new
macro has no users yet, but its existence should help to make it clear that
NXM_IS_NX_REG only matches exact NXM headers.
Reported-by: Natasha Gude <natasha@nicira.com>
Our controller group at Nicira has requested a way to annotate flows with
extra information beyond the flow cookie. The new NXAST_NOTE action
provides such a way.
This new action is somewhat controversial. Some have suggested that it
should be added another way (either as part of the Nicira Extended Match
or as a new component of the flow_mod and related messages). Others think
that it has no place in the OpenFlow protocol at all and that an equivalent
should be implemented using the already available features of OVSDB. So
it is possible that this extension will be deleted and the feature will
be reimplemented some other way (or not at all).
CC: Teemu Koponen <koponen@nicira.com>
CC: Jeremy Stribling <strib@nicira.com>
It seemed to me that the descriptions of what actions do should be just
above the action structures, where the reader can see the arguments,
instead of just above the enumeration name, so I rearranged the code
this way.
A few actions didn't have their own structures, so to do this I had to give
them some.
The OpenFlow OFPAT_ENQUEUE action sets a queue id and outputs the packet
in one shot. There are times in which the queue should be set, but the
output port is not yet known. This commit adds the NXAST_SET_QUEUE and
NXAST_POP_QUEUE Nicira extension actions to modify the queue
configuration without requiring a port argument.
CC: Jeremy Stribling <strib@nicira.com>
CC: Keith Amidon <keith@nicira.com>
"ARP spoofing" is when a host claims an incorrect association between an
IP address and a MAC address for deceptive purposes. OpenFlow by itself
can prevent a host from sending out ARP replies from an incorrect MAC
address in the Ethernet L2 header, but it cannot control the MAC addresses
inside the ARP L3 packet. This commit adds a new action that can be used
to drop these spoofed packets.
CC: Paul Ingram <paul@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
ovs-vswitchd doesn't declare its QoS capabilities in the database yet,
so the controller has to know what they are. We can add that later.
The linux-htb QoS class has been tested to the extent that I can see that
it sets up the queues I expect when I run "tc qdisc show" and "tc class
show". I haven't tested that the effects on flows are what we expect them
to be. I am sure that there will be problems in that area that we will
have to fix.
Now that Open vSwitch has support for multiple simultaneous controllers,
there is some need for a degree of coordination among them. For now, the
plan is for the controllers themselves to take the lead on this. This
commit adds a small bit of OVS infrastructure: the ability for a controller
to designate itself as a "master" or a "slave". There may be at most one
master at a time; when a controller designates itself as the master, then
any existing master is demoted to slave status. Slave controllers are not
allowed to modify the flow table or global configuration; any attempt to
do so is rejected with a "bad request" error.
Feature #2495.
Add a tun_id field which contains the ID of the encapsulating tunnel
on which a packet was received (0 if not received on a tunnel). Also
add an action which allows the tunnel ID to be set for outgoing
packets. At this point there aren't any tunnel implementations so
these fields don't have any effect.
The matching is exposed to OpenFlow by overloading the high 32 bits
of the cookie as the tunnel ID. ovs-ofctl is capable of turning
on this special behavior using a new "tun-cookie" command but this
command is intentially undocumented to avoid it being used without
a full understanding of the consequences.
If NXAST_RESUBMIT adopts the replacement in_port for executing actions,
then OFPP_NORMAL will believe that traffic originated from whatever port
that is. This seems unlikely to ever be useful and in fact breaks
applications that use NXAST_RESUBMIT for two-stage ACLs.
Bug #2644.
Until now, the NXAST_RESUBMIT action has always looked up the original
flow except for the updated in_port. This commit changes the semantics to
instead look up the flow as modified by any preceding actions that affect
it, e.g. if OFPAT_SET_VLAN_VID precedes NXAST_RESUBMIT, then NXAST_RESUBMIT
now looks up the flow with the modified VLAN, not the original (as well as
the modified in_port).
Also, document how NXAST_RESUBMIT is supposed to work.
Suggested-by: Paul Ingram <paul@nicira.com>
Finalize OpenFlow 1.0 wire-compatibility:
- Set protocol version to 0x01
- Remove references to retired OFPC_MULTI_PHY_TX
- Clean extraneous spaces in header file
NOTE: This is the final commit in the OpenFlow 1.0 set. Starting with
this commit, OVS is OpenFlow 1.0 wire-compatible. Slicing is not yet
implemented.
OpenFlow 1.0 adds support for a subset of QoS that's referred to as slicing.
Open vSwitch does not support this yet, so send errors if it's used.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
OpenFlow 1.0 adds "port_no" field to the Port Stat request messages to
allow stats for individual ports to be queried. Port stats for all ports
can still be requested by specifying OFPP_NONE as the port number.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
OpenFlow 1.0 adds support for matching on IP ToS/DSCP bits.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
OpenFlow 1.0 increases the resolution of flow stats and flow removed messages
from seconds to (potentially) nanoseconds. The spec stats that only
millisecond granularity is required, so that's all we provide at this
time. Increasing to nanoseconds would require more significant code
change and would not provide an appreciable improvement in real world
use.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
The OpenFlow 1.0 specification supports matching the IP address and
opcode in ARP messages. The datapath already supports this, so this
commit merely exposes that through the OpenFlow module.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0
until the final commit in this OpenFlow 1.0 set.
In OpenFlow 1.0, flows have been extended to include an opaque
identifier, referred to as a cookie. The cookie is specified by the
controller when the flow is installed; the cookie will be returned as
part of each flow stats and flow removed message.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this Openflow 1.0 set.
In OpenFlow 1.0, a "dp_desc" character array was added to the ofp_desc_stats
structure that allows a human readable description of the datapath to be
provided.
NOTE: OVS at this point is not wire-compatible with OpenFlow 1.0 until
the final commit in this OpenFlow 1.0 set.
The length of a datapath was changed from 48 bits to 64 bits in OpenFlow
0.9. For parity, we increased the management id size to match.
NOTE: This is the final commit in the OpenFlow 0.9 set. Starting with
this commit, OVS is OpenFlow 0.9-compliant.
OpenFlow 0.9 introduces the concept of the barrier command. When the
controller sends a Barrier Request, the switch is not allowed to respond
with a Barrier Reply until it has finished processing any other commands
that preceded it. This commit provides that support.
NOTE: OVS at this point is not wire-compatible with OpenFlow 0.9 until the
final commit in this OpenFlow 0.9 set.
This commit cleans up a few comments in openflow.h. The only one of
significance is that OpenFlow port numbers now begin enumeration at 1.
OVS already behaved in this manner, so this is just a documentation
issue for us.
NOTE: OVS at this point is not wire-compatible with OpenFlow 0.9 until the
final commit in this OpenFlow 0.9 set.
In OpenFlow 0.9, flow "expiration" messages are sent when flows are
explicitly removed by a delete action. As such, the message is renamed
from Flow Expired to Flow Removed. This commit adds that support as well
as supporting the ability to choose sending these messages on a per flow
basis.
NOTE: OVS at this point is not wire-compatible with OpenFlow 0.9 until the
final commit in this OpenFlow 0.9 set.
This commit adds (some) support for a couple new OpenFlow 0.9 features:
- The OFPFF_CHECK_OVERLAP flag in Flow Mod messages allows the
controller to prevent flows that would conflict at the same
priority.
- An emergency flow cache that contains a small flow table that is
used if the switch loses connectivity with the controller. I
believe the design has fundamental flaws and looks likely to be
retired. If a controller attempts to add a flow to the emergency
flow cache, OVS always responds that the tables are full.
The OpenFlow 0.9 error codes are also sync'd in the commit.
NOTE: OVS at this point is not wire-compatible with OpenFlow 0.9 until the
final commit in this OpenFlow 0.9 set.
Starting in OpenFlow 0.9, it is possible to match on the VLAN PCP
(priority) field and rewrite the IP ToS/DSCP bits. This check-in
provides that support and bumps the wire protocol number to 0x98.
NOTE: The wire changes come together over the set of OpenFlow 0.9 commits,
so OVS will not be OpenFlow-compatible with any official release between
this commit and the one that completes the set.
Older versions of Open vSwitch supported a management protocol based on
OpenFlow message framing. The current Open vSwitch instead uses the
OVSDB protocol for the same purposes. We don't plan to support this older
protocol any longer, so this commit deletes support.
This commit also deletes the management_id column from the vswitch's
database schema. The management_id was used by the older management
protocol to match up OpenFlow switch connections to management connections,
but the current implementation instead matches up connections based on
the datapath IDs exported by the configuration database. In fact, the
OpenFlow connections had no way to actually export the management ID, so
this just deletes code that was essentially without function anyhow.
At one point Nicira had deployment plans for which adding a remote command
execution feature to the OpenFlow stack made a lot of sense. We no longer
have those plans, as far as I know, and leaving the feature in seems like
a huge potential security hole. So this commit blows away the entire
feature.
