/*
* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef ODP_UTIL_H
#define ODP_UTIL_H 1
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include "flow.h"
#include "hash.h"
#include "hmap.h"
#include "odp-netlink.h"
#include "openflow/openflow.h"
#include "util.h"
struct ds;
struct nlattr;
struct ofpbuf;
struct simap;
struct pkt_metadata;
/* X-macro list of the reasons a flow cannot be handled entirely in the
 * datapath and must instead be sent to userspace.
 *
 * Each entry is SPR(ENUM, STRING, EXPLANATION): ENUM becomes a member of
 * "enum slow_path_reason", EXPLANATION is the text returned by
 * slow_path_reason_to_explanation(), and STRING is presumably the short name
 * used when formatting (its consumer lives in odp-util.c, not here).
 *
 * The list is expanded three times below -- once for the *_INDEX enum, once
 * for the bit-flag enum and once for SLOW_PATH_REASON_MASK -- so a reason's
 * bit value is fixed by its position in this list.  That value is what the
 * slow_path user-action cookie carries in its 32-bit 'reason' field, so
 * inserting an entry in the middle renumbers every reason after it; append
 * instead.  The "mutually exclusive" remark applies to the protocol reasons
 * that follow it (a packet is only one of CFM/BFD/LACP/STP/LLDP); the
 * controller and action reasons may be combined with them, which is why the
 * reasons are bits rather than a plain enumeration. */
#define SLOW_PATH_REASONS \
    /* These reasons are mutually exclusive. */ \
    SPR(SLOW_CFM, "cfm", "Consists of CFM packets") \
    SPR(SLOW_BFD, "bfd", "Consists of BFD packets") \
    SPR(SLOW_LACP, "lacp", "Consists of LACP packets") \
    SPR(SLOW_STP, "stp", "Consists of STP packets") \
    SPR(SLOW_LLDP, "lldp", "Consists of LLDP packets") \
    SPR(SLOW_CONTROLLER, "controller", \
        "Sends \"packet-in\" messages to the OpenFlow controller") \
    SPR(SLOW_ACTION, "action", \
        "Uses action(s) not supported by datapath")
/* Indexes for slow-path reasons.  Client code uses "enum slow_path_reason"
 * values instead of these; they exist only so that the bit-flag values and
 * SLOW_PATH_REASON_MASK below can be generated from SLOW_PATH_REASONS.
 * Each SLOW_*_INDEX is the zero-based position of its SPR() entry in that
 * list, so the indexes are dense and start at 0. */
enum {
#define SPR(ENUM, STRING, EXPLANATION) ENUM##_INDEX,
    SLOW_PATH_REASONS
#undef SPR
};
/* Reasons why a subfacet might not be fast-pathable.
 *
 * Each reason is a separate bit (1 << SLOW_*_INDEX) to allow reasons to be
 * combined.  A combined value is what commit_odp_actions() returns and what
 * the slow_path user-action cookie carries in its 32-bit 'reason' member.
 *
 * The shift operates on a plain int, so SLOW_PATH_REASONS can hold at most
 * 31 entries (index 30 is the last one for which 1 << index is not signed
 * overflow); beyond that the macro would need an unsigned or 64-bit form. */
enum slow_path_reason {
#define SPR(ENUM, STRING, EXPLANATION) ENUM = 1 << ENUM##_INDEX,
    SLOW_PATH_REASONS
#undef SPR
};
/* Mask of all slow_path_reasons: the bitwise OR of every member of
 * "enum slow_path_reason".
 *
 * Besides its use when formatting, this is the natural check for a 'reason'
 * value read back out of a slow_path cookie: a non-zero
 * (reason & ~SLOW_PATH_REASON_MASK) means the cookie carries bits this build
 * does not know about and should not be interpreted as a valid reason. */
enum {
    SLOW_PATH_REASON_MASK = 0
#define SPR(ENUM, STRING, EXPLANATION) | 1 << ENUM##_INDEX
    SLOW_PATH_REASONS
#undef SPR
};
const char *slow_path_reason_to_explanation(enum slow_path_reason);
#define ODPP_LOCAL ODP_PORT_C(OVSP_LOCAL)
#define ODPP_NONE ODP_PORT_C(UINT32_MAX)
void format_odp_actions(struct ds *, const struct nlattr *odp_actions,
size_t actions_len);
int odp_actions_from_string(const char *, const struct simap *port_names,
struct ofpbuf *odp_actions);
/* A map from odp port number to its name.  Used when formatting flows
 * (see the 'portno_names' argument of odp_flow_format()) so that datapath
 * ports can be printed by name rather than number.  Entries are added with
 * odp_portno_names_set() and the whole map is released with
 * odp_portno_names_destroy(). */
struct odp_portno_names {
    struct hmap_node hmap_node; /* A node in a port number to name hmap. */
    odp_port_t port_no;         /* Port number in the datapath. */
    char *name;                 /* Name associated with the above 'port_no'.
                                 * NOTE(review): odp_portno_names_set() takes
                                 * a non-const 'char *', which suggests the
                                 * map takes ownership of the string and
                                 * frees it in odp_portno_names_destroy() --
                                 * confirm against odp-util.c before freeing
                                 * or reusing the string yourself. */
};
void odp_portno_names_set(struct hmap *portno_names, odp_port_t port_no,
char *port_name);
void odp_portno_names_destroy(struct hmap *portno_names);
/* The maximum number of bytes that odp_flow_key_from_flow() appends to a
* buffer. This is the upper bound on the length of a nlattr-formatted flow
* key that ovs-vswitchd fully understands.
*
* OVS doesn't insist that ovs-vswitchd and the datapath have exactly the same
* idea of a flow, so therefore this value isn't necessarily an upper bound on
* the length of a flow key that the datapath can pass to ovs-vswitchd.
*
* The longest nlattr-formatted flow key appended by odp_flow_key_from_flow()
* would be:
*
* struct pad nl hdr total
* ------ --- ------ -----
* OVS_KEY_ATTR_PRIORITY 4 -- 4 8
* OVS_KEY_ATTR_TUNNEL 0 -- 4 4
* - OVS_TUNNEL_KEY_ATTR_ID 8 -- 4 12
* - OVS_TUNNEL_KEY_ATTR_IPV4_SRC 4 -- 4 8
* - OVS_TUNNEL_KEY_ATTR_IPV4_DST 4 -- 4 8
* - OVS_TUNNEL_KEY_ATTR_TOS 1 3 4 8
* - OVS_TUNNEL_KEY_ATTR_TTL 1 3 4 8
* - OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT 0 -- 4 4
* - OVS_TUNNEL_KEY_ATTR_CSUM 0 -- 4 4
* - OVS_TUNNEL_KEY_ATTR_OAM 0 -- 4 4
* - OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS 256 -- 4 260
* - OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS - -- - - (shared with _GENEVE_OPTS)
* OVS_KEY_ATTR_IN_PORT 4 -- 4 8
* OVS_KEY_ATTR_SKB_MARK 4 -- 4 8
* OVS_KEY_ATTR_DP_HASH 4 -- 4 8
* OVS_KEY_ATTR_RECIRC_ID 4 -- 4 8
* OVS_KEY_ATTR_CT_STATE 4 -- 4 8
* OVS_KEY_ATTR_CT_ZONE 2 2 4 8
* OVS_KEY_ATTR_CT_MARK 4 -- 4 8
* OVS_KEY_ATTR_ETHERNET 12 -- 4 16
* OVS_KEY_ATTR_ETHERTYPE 2 2 4 8 (outer VLAN ethertype)
* OVS_KEY_ATTR_VLAN 2 2 4 8
* OVS_KEY_ATTR_ENCAP 0 -- 4 4 (VLAN encapsulation)
* OVS_KEY_ATTR_ETHERTYPE 2 2 4 8 (inner VLAN ethertype)
* OVS_KEY_ATTR_IPV6 40 -- 4 44
* OVS_KEY_ATTR_ICMPV6 2 2 4 8
* OVS_KEY_ATTR_ND 28 -- 4 32
* ----------------------------------------------------------
* total 512
*
* We include some slack space in case the calculation isn't quite right or we
* add another field and forget to adjust this value.
*/
#define ODPUTIL_FLOW_KEY_BYTES 576
BUILD_ASSERT_DECL(FLOW_WC_SEQ == 34);
/* A buffer with sufficient size and alignment to hold an nlattr-formatted flow
 * key produced by odp_flow_key_from_flow() or odp_flow_key_from_mask().  An
 * array of "struct nlattr" might not, in theory, be sufficiently aligned
 * because it only contains 16-bit types, so the storage is declared as
 * uint32_t instead.
 *
 * The size (ODPUTIL_FLOW_KEY_BYTES rounded up to a multiple of 4) bounds
 * the keys that ovs-vswitchd itself generates.  As the comment above
 * ODPUTIL_FLOW_KEY_BYTES explains, a key received from the datapath is not
 * bound by this value, so do not copy a datapath-supplied key into one of
 * these without first checking that its length fits. */
struct odputil_keybuf {
    uint32_t keybuf[DIV_ROUND_UP(ODPUTIL_FLOW_KEY_BYTES, 4)];
};
enum odp_key_fitness odp_tun_key_from_attr(const struct nlattr *, bool udpif,
struct flow_tnl *);
int odp_ufid_from_string(const char *s_, ovs_u128 *ufid);
void odp_format_ufid(const ovs_u128 *ufid, struct ds *);
void odp_flow_format(const struct nlattr *key, size_t key_len,
const struct nlattr *mask, size_t mask_len,
const struct hmap *portno_names, struct ds *,
bool verbose);
void odp_flow_key_format(const struct nlattr *, size_t, struct ds *);
int odp_flow_from_string(const char *s,
const struct simap *port_names,
struct ofpbuf *, struct ofpbuf *);
/* Indicates support for various fields.  This defines how flows will be
 * serialised by odp_flow_key_from_flow() and odp_flow_key_from_mask(): a
 * field whose flag is set is always serialised; one whose flag is clear is
 * presumably omitted so that a datapath which does not understand the
 * attribute is never handed it. */
struct odp_support {
    /* Maximum number of MPLS label stack entries to serialise in a mask. */
    size_t max_mpls_depth;

    /* If this is true, then recirculation fields will always be serialised
     * (presumably OVS_KEY_ATTR_RECIRC_ID and OVS_KEY_ATTR_DP_HASH from the
     * flow-key size table above). */
    bool recirc;

    /* If true, serialise the corresponding connection-tracking attribute:
     * OVS_KEY_ATTR_CT_STATE, OVS_KEY_ATTR_CT_ZONE and OVS_KEY_ATTR_CT_MARK
     * respectively (these are the attribute names used in the flow-key size
     * table above; there is no OVS_KEY_ATTR_CONN_* family).  They are three
     * separate flags so that a datapath supporting only some of them can be
     * described exactly. */
    bool ct_state;
    bool ct_zone;
    bool ct_mark;
};
/* Parameters for odp_flow_key_from_flow() and odp_flow_key_from_mask(),
 * which append an nlattr-formatted key to the ofpbuf they are given. */
struct odp_flow_key_parms {
    /* The flow and mask to be serialized.  In the case of masks, 'flow'
     * is used as a template to determine how to interpret 'mask'.  For
     * example, the 'dl_type' of 'mask' describes the mask, but it doesn't
     * indicate whether the other fields should be interpreted as ARP, IPv4,
     * IPv6, etc.  'mask' is presumably only consulted by
     * odp_flow_key_from_mask(). */
    const struct flow *flow;
    const struct flow *mask;

    /* 'flow->in_port' is ignored (since it is likely to be an OpenFlow port
     * number rather than a datapath port number).  Instead, if 'odp_in_port'
     * is anything other than ODPP_NONE, it is included in the output ofpbuf
     * as the input port (OVS_KEY_ATTR_IN_PORT). */
    odp_port_t odp_in_port;

    /* Indicates support for various fields.  If the datapath supports a field,
     * then it will always be serialised. */
    struct odp_support support;

    /* The netlink formatted version of the flow.  It is used in cases where
     * the mask cannot be constructed from the OVS internal representation
     * and needs to see the original form.  NOTE(review): presumably may be
     * NULL when serialising a flow rather than a mask -- confirm in
     * odp-util.c before relying on that. */
    const struct ofpbuf *key_buf;
};
void odp_flow_key_from_flow(const struct odp_flow_key_parms *, struct ofpbuf *);
void odp_flow_key_from_mask(const struct odp_flow_key_parms *, struct ofpbuf *);
uint32_t odp_flow_key_hash(const struct nlattr *, size_t);
/* Estimated space needed for metadata, i.e. an upper bound on what
 * odp_key_from_pkt_metadata() appends to its ofpbuf.  The expression reads
 * as 9 attributes of at most 8 bytes (4-byte nlattr header plus a 4-byte
 * value or padding) each -- presumably; the per-attribute sizes are in the
 * table above ODPUTIL_FLOW_KEY_BYTES.  If a metadata attribute larger than
 * 8 bytes is ever serialised here, this value must grow with it. */
enum { ODP_KEY_METADATA_SIZE = 9 * 8 };
void odp_key_from_pkt_metadata(struct ofpbuf *, const struct pkt_metadata *);
void odp_key_to_pkt_metadata(const struct nlattr *key, size_t key_len,
struct pkt_metadata *md);
/* How well a kernel-provided flow key (a sequence of OVS_KEY_ATTR_*
 * attributes) matches OVS userspace expectations.
 *
 * The members are numbered explicitly to make the ordering visible: a
 * greater value is "more important" than a lesser one.  A single flow key
 * can satisfy both ODP_FIT_TOO_LITTLE and ODP_FIT_TOO_MUCH at once; such a
 * key is reported as ODP_FIT_TOO_LITTLE, the greater of the two.
 *
 * A key arriving from the datapath is external input: anything other than
 * ODP_FIT_PERFECT deserves a closer look, and ODP_FIT_ERROR should be
 * treated as a malformed key rather than used. */
enum odp_key_fitness {
    ODP_FIT_PERFECT = 0,    /* The key had exactly the fields we expect. */
    ODP_FIT_TOO_MUCH = 1,   /* The key had fields we don't understand. */
    ODP_FIT_TOO_LITTLE = 2, /* The key lacked fields we expected to see. */
    ODP_FIT_ERROR = 3,      /* The key was invalid. */
};
enum odp_key_fitness odp_flow_key_to_flow(const struct nlattr *, size_t,
struct flow *);
enum odp_key_fitness odp_flow_key_to_mask(const struct nlattr *mask_key,
size_t mask_key_len,
const struct nlattr *flow_key,
size_t flow_key_len,
struct flow *mask,
const struct flow *flow);
enum odp_key_fitness odp_flow_key_to_flow_udpif(const struct nlattr *, size_t,
struct flow *);
enum odp_key_fitness odp_flow_key_to_mask_udpif(const struct nlattr *mask_key,
size_t mask_key_len,
const struct nlattr *flow_key,
size_t flow_key_len,
struct flow *mask,
const struct flow *flow);
const char *odp_key_fitness_to_string(enum odp_key_fitness);
void commit_odp_tunnel_action(const struct flow *, struct flow *base,
struct ofpbuf *odp_actions);
void commit_masked_set_action(struct ofpbuf *odp_actions,
enum ovs_key_attr key_type, const void *key,
const void *mask, size_t key_size);
enum slow_path_reason commit_odp_actions(const struct flow *,
struct flow *base,
struct ofpbuf *odp_actions,
struct flow_wildcards *wc,
bool use_masked);
/* ofproto-dpif interface.
*
* The following types and functions are logically part of ofproto-dpif.
* ofproto-dpif puts values of these types into the flows that it installs in
* the kernel datapath, though, so ovs-dpctl needs to interpret them so that
* it can print flows in a more human-readable manner. */
/* Discriminator for "union user_action_cookie" below.  Every variant of the
 * union begins with a 16-bit 'type' member holding one of these values, so
 * the numbering is spelled out here because it is part of the cookie wire
 * format rather than an internal detail. */
enum user_action_cookie_type {
    USER_ACTION_COOKIE_UNSPEC = 0,
    USER_ACTION_COOKIE_SFLOW = 1,       /* Packet for per-bridge sFlow sampling. */
    USER_ACTION_COOKIE_SLOW_PATH = 2,   /* Userspace must process this flow. */
    USER_ACTION_COOKIE_FLOW_SAMPLE = 3, /* Packet for per-flow sampling. */
    USER_ACTION_COOKIE_IPFIX = 4,       /* Packet for per-bridge IPFIX sampling. */
};
/* user_action_cookie is passed as argument to OVS_ACTION_ATTR_USERSPACE
 * (it is the 'userdata' handed to odp_put_userspace_action()).  It was
 * historically a u64; today its size is pinned to 16 bytes by the
 * BUILD_ASSERT_DECL that follows, the size of the largest member
 * ('flow_sample').
 *
 * Every member begins with a uint16_t 'type' holding an
 * "enum user_action_cookie_type" value, so 'type' can be read through any
 * member to select the variant.  The cookie is opaque to the datapath and
 * presumably comes back to userspace verbatim in upcalls; code decoding one
 * should check 'type' and the userdata length against the member it expects
 * before reading the rest, rather than trusting the value.
 *
 * NOTE(review): the sflow, slow_path and ipfix members are shorter than the
 * union, so a cookie built by writing only one of them leaves the trailing
 * bytes unspecified unless the caller zeroes the union first -- confirm the
 * callers do so before comparing or hashing whole cookies. */
union user_action_cookie {
    uint16_t type;              /* enum user_action_cookie_type. */

    struct {
        uint16_t type;          /* USER_ACTION_COOKIE_SFLOW. */
        ovs_be16 vlan_tci;      /* Destination VLAN TCI. */
        uint32_t output;        /* SFL_FLOW_SAMPLE_TYPE 'output' value. */
    } sflow;

    struct {
        uint16_t type;          /* USER_ACTION_COOKIE_SLOW_PATH. */
        uint16_t unused;        /* Padding; presumably written as zero. */
        uint32_t reason;        /* enum slow_path_reason; may be several
                                 * reason bits OR'd together. */
    } slow_path;

    struct {
        uint16_t type;          /* USER_ACTION_COOKIE_FLOW_SAMPLE. */
        uint16_t probability;   /* Sampling probability. */
        uint32_t collector_set_id; /* ID of IPFIX collector set. */
        uint32_t obs_domain_id; /* Observation Domain ID. */
        uint32_t obs_point_id;  /* Observation Point ID. */
    } flow_sample;

    struct {
        uint16_t type;          /* USER_ACTION_COOKIE_IPFIX. */
        odp_port_t output_odp_port; /* The output odp port. */
    } ipfix;
};
BUILD_ASSERT_DECL(sizeof(union user_action_cookie) == 16);
size_t odp_put_userspace_action(uint32_t pid,
const void *userdata, size_t userdata_size,
odp_port_t tunnel_out_port,
bool include_actions,
struct ofpbuf *odp_actions);
void odp_put_tunnel_action(const struct flow_tnl *tunnel,
struct ofpbuf *odp_actions);
void odp_put_tnl_push_action(struct ofpbuf *odp_actions,
struct ovs_action_push_tnl *data);
#endif /* odp-util.h */