/*
* Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef FLOW_H
#define FLOW_H 1
#include <sys/types.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include "bitmap.h"
#include "byte-order.h"
#include "openflow/nicira-ext.h"
#include "openflow/openflow.h"
#include "packets.h"
#include "hash.h"
#include "util.h"
struct dpif_flow_stats;
struct ds;
struct flow_wildcards;
struct minimask;
struct dp_packet;
struct pkt_metadata;
struct match;
/* This sequence number should be incremented whenever anything involving flows
* or the wildcarding of flows changes. This will cause build assertion
* failures in places which likely need to be updated. */
#define FLOW_WC_SEQ 35
/* Number of Open vSwitch extension 32-bit registers. */
#define FLOW_N_REGS 8
BUILD_ASSERT_DECL(FLOW_N_REGS <= NXM_NX_MAX_REGS);
BUILD_ASSERT_DECL(FLOW_N_REGS % 2 == 0); /* Even. */
/* Number of OpenFlow 1.5+ 64-bit registers.
*
* Each of these overlays a pair of Open vSwitch 32-bit registers, so there
* are half as many of them.*/
#define FLOW_N_XREGS (FLOW_N_REGS / 2)
/* Used for struct flow's dl_type member for frames that have no Ethernet
* type, that is, pure 802.2 frames. */
#define FLOW_DL_TYPE_NONE 0x5ff
Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary. It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present. This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly. It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset. This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers. In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG. Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments". It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
2011-10-19 21:33:44 -07:00
/* Fragment bits, used for IPv4 and IPv6, always zero for non-IP flows. */
#define FLOW_NW_FRAG_ANY (1 << 0) /* Set for any IP frag. */
#define FLOW_NW_FRAG_LATER (1 << 1) /* Set for IP frag with nonzero offset. */
#define FLOW_NW_FRAG_MASK (FLOW_NW_FRAG_ANY | FLOW_NW_FRAG_LATER)
Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary. It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present. This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly. It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset. This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers. In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG. Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments". It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
2011-10-19 21:33:44 -07:00
BUILD_ASSERT_DECL(FLOW_NW_FRAG_ANY == NX_IP_FRAG_ANY);
BUILD_ASSERT_DECL(FLOW_NW_FRAG_LATER == NX_IP_FRAG_LATER);
Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary. It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present. This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly. It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset. This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers. In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG. Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments". It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
2011-10-19 21:33:44 -07:00
BUILD_ASSERT_DECL(FLOW_TNL_F_OAM == NX_TUN_FLAG_OAM);
const char *flow_tun_flag_to_string(uint32_t flags);
/* Maximum number of supported MPLS labels. */
#define FLOW_MAX_MPLS_LABELS 3
/*
* A flow in the network.
*
* Must be initialized to all zeros to make any compiler-induced padding
* zeroed. Helps also in keeping unused fields (such as mutually exclusive
* IPv4 and IPv6 addresses) zeroed out.
*
* The meaning of 'in_port' is context-dependent. In most cases, it is a
* 16-bit OpenFlow 1.0 port number. In the software datapath interface (dpif)
* layer and its implementations (e.g. dpif-netlink, dpif-netdev), it is
* instead a 32-bit datapath port number.
*
* The fields are organized in four segments to facilitate staged lookup, where
* lower layer fields are first used to determine if the later fields need to
* be looked at. This enables better wildcarding for datapath flows.
*
* NOTE: Order of the fields is significant, any change in the order must be
* reflected in miniflow_extract()!
*/
struct flow {
/* Metadata */
struct flow_tnl tunnel; /* Encapsulating tunnel parameters. */
ovs_be64 metadata; /* OpenFlow Metadata. */
uint32_t regs[FLOW_N_REGS]; /* Registers. */
uint32_t skb_priority; /* Packet priority for QoS. */
uint32_t pkt_mark; /* Packet mark. */
uint32_t dp_hash; /* Datapath computed hash value. The exact
* computation is opaque to the user space. */
union flow_in_port in_port; /* Input port.*/
uint32_t recirc_id; /* Must be exact match. */
Add support for connection tracking.
This patch adds a new action and fields to OVS that allow connection
tracking to be performed. This support works in conjunction with the
Linux kernel support merged into the Linux-4.3 development cycle.
Packets have two possible states with respect to connection tracking:
Untracked packets have not previously passed through the connection
tracker, while tracked packets have previously been through the
connection tracker. For OpenFlow pipeline processing, untracked packets
can become tracked, and they will remain tracked until the end of the
pipeline. Tracked packets cannot become untracked.
Connections can be unknown, uncommitted, or committed. Packets which are
untracked have unknown connection state. To know the connection state,
the packet must become tracked. Uncommitted connections have no
connection state stored about them, so it is only possible for the
connection tracker to identify whether they are a new connection or
whether they are invalid. Committed connections have connection state
stored beyond the lifetime of the packet, which allows later packets in
the same connection to be identified as part of the same established
connection, or related to an existing connection - for instance ICMP
error responses.
The new 'ct' action transitions the packet from "untracked" to
"tracked" by sending this flow through the connection tracker.
The following parameters are supported initially:
- "commit": When commit is executed, the connection moves from
uncommitted state to committed state. This signals that information
about the connection should be stored beyond the lifetime of the
packet within the pipeline. This allows future packets in the same
connection to be recognized as part of the same "established" (est)
connection, as well as identifying packets in the reply (rpl)
direction, or packets related to an existing connection (rel).
- "zone=[u16|NXM]": Perform connection tracking in the zone specified.
Each zone is an independent connection tracking context. When the
"commit" parameter is used, the connection will only be committed in
the specified zone, and not in other zones. This is 0 by default.
- "table=NUMBER": Fork pipeline processing in two. The original instance
of the packet will continue processing the current actions list as an
untracked packet. An additional instance of the packet will be sent to
the connection tracker, which will be re-injected into the OpenFlow
pipeline to resume processing in the specified table, with the
ct_state and other ct match fields set. If the table is not specified,
then the packet is submitted to the connection tracker, but the
pipeline does not fork and the ct match fields are not populated. It
is strongly recommended to specify a table later than the current
table to prevent loops.
When the "table" option is used, the packet that continues processing in
the specified table will have the ct_state populated. The ct_state may
have any of the following flags set:
- Tracked (trk): Connection tracking has occurred.
- Reply (rpl): The flow is in the reply direction.
- Invalid (inv): The connection tracker couldn't identify the connection.
- New (new): This is the beginning of a new connection.
- Established (est): This is part of an already existing connection.
- Related (rel): This connection is related to an existing connection.
For more information, consult the ovs-ofctl(8) man pages.
Below is a simple example flow table to allow outbound TCP traffic from
port 1 and drop traffic from port 2 that was not initiated by port 1:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=9),2
table=0,in_port=2,tcp,ct_state=-trk,action=ct(zone=9,table=1)
table=1,in_port=2,ct_state=+trk+est,tcp,action=1
table=1,in_port=2,ct_state=+trk+new,tcp,action=drop
Based on original design by Justin Pettit, contributions from Thomas
Graf and Daniele Di Proietto.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-08-11 10:56:09 -07:00
uint16_t ct_state; /* Connection tracking state. */
uint16_t ct_zone; /* Connection tracking zone. */
Add connection tracking mark support.
This patch adds a new 32-bit metadata field to the connection tracking
interface. When a mark is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_mark" field in the flow.
For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a mark with those
connections:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
table=1,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-09-18 13:58:00 -07:00
uint32_t ct_mark; /* Connection mark.*/
uint8_t pad1[4]; /* Pad to 64 bits. */
Add connection tracking label support.
This patch adds a new 128-bit metadata field to the connection tracking
interface. When a label is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_label" field in the flow.
For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a label with
those connections:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_label)),2
table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
table=1,in_port=2,ct_state=+trk,ct_label=1,tcp,action=1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-10-13 11:13:10 -07:00
ovs_u128 ct_label; /* Connection label. */
uint32_t conj_id; /* Conjunction ID. */
ofp_port_t actset_output; /* Output port in action set. */
Add connection tracking mark support.
This patch adds a new 32-bit metadata field to the connection tracking
interface. When a mark is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_mark" field in the flow.
For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a mark with those
connections:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
table=1,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-09-18 13:58:00 -07:00
uint8_t pad2[2]; /* Pad to 64 bits. */
/* L2, Order the same as in the Ethernet header! (64-bit aligned) */
struct eth_addr dl_dst; /* Ethernet destination address. */
struct eth_addr dl_src; /* Ethernet source address. */
ovs_be16 dl_type; /* Ethernet frame type. */
ovs_be16 vlan_tci; /* If 802.1Q, TCI | VLAN_CFI; otherwise 0. */
ovs_be32 mpls_lse[ROUND_UP(FLOW_MAX_MPLS_LABELS, 2)]; /* MPLS label stack
(with padding). */
/* L3 (64-bit aligned) */
ovs_be32 nw_src; /* IPv4 source address. */
ovs_be32 nw_dst; /* IPv4 destination address. */
struct in6_addr ipv6_src; /* IPv6 source address. */
struct in6_addr ipv6_dst; /* IPv6 destination address. */
ovs_be32 ipv6_label; /* IPv6 flow label. */
uint8_t nw_frag; /* FLOW_NW_FRAG_* flags. */
uint8_t nw_tos; /* IP ToS (including DSCP and ECN). */
uint8_t nw_ttl; /* IP TTL/Hop Limit. */
uint8_t nw_proto; /* IP protocol or low 8 bits of ARP opcode. */
struct in6_addr nd_target; /* IPv6 neighbor discovery (ND) target. */
struct eth_addr arp_sha; /* ARP/ND source hardware address. */
struct eth_addr arp_tha; /* ARP/ND target hardware address. */
ovs_be16 tcp_flags; /* TCP flags. With L3 to avoid matching L4. */
Add connection tracking mark support.
This patch adds a new 32-bit metadata field to the connection tracking
interface. When a mark is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_mark" field in the flow.
For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a mark with those
connections:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
table=1,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-09-18 13:58:00 -07:00
ovs_be16 pad3; /* Pad to 64 bits. */
/* L4 (64-bit aligned) */
ovs_be16 tp_src; /* TCP/UDP/SCTP source port/ICMP type. */
ovs_be16 tp_dst; /* TCP/UDP/SCTP destination port/ICMP code. */
ovs_be32 igmp_group_ip4; /* IGMP group IPv4 address.
* Keep last for BUILD_ASSERT_DECL below. */
};
BUILD_ASSERT_DECL(sizeof(struct flow) % sizeof(uint64_t) == 0);
BUILD_ASSERT_DECL(sizeof(struct flow_tnl) % sizeof(uint64_t) == 0);
#define FLOW_U64S (sizeof(struct flow) / sizeof(uint64_t))
/* Some flow fields are mutually exclusive or only appear within the flow
* pipeline. IPv6 headers are bigger than IPv4 and MPLS, and IPv6 ND packets
* are bigger than TCP,UDP and IGMP packets. */
#define FLOW_MAX_PACKET_U64S (FLOW_U64S \
/* Unused in datapath */ - FLOW_U64_SIZE(regs) \
- FLOW_U64_SIZE(metadata) \
/* L2.5/3 */ - FLOW_U64_SIZE(nw_src) /* incl. nw_dst */ \
- FLOW_U64_SIZE(mpls_lse) \
/* L4 */ - FLOW_U64_SIZE(tp_src) \
)
/* Remember to update FLOW_WC_SEQ when changing 'struct flow'. */
BUILD_ASSERT_DECL(offsetof(struct flow, igmp_group_ip4) + sizeof(uint32_t)
Add connection tracking label support.
This patch adds a new 128-bit metadata field to the connection tracking
interface. When a label is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_label" field in the flow.
For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a label with
those connections:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_label)),2
table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
table=1,in_port=2,ct_state=+trk,ct_label=1,tcp,action=1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-10-13 11:13:10 -07:00
== sizeof(struct flow_tnl) + 216
&& FLOW_WC_SEQ == 35);
/* Incremental points at which flow classification may be performed in
* segments.
* This is located here since this is dependent on the structure of the
* struct flow defined above:
* Each offset must be on a distinct, successive U64 boundary strictly
* within the struct flow. */
enum {
FLOW_SEGMENT_1_ENDS_AT = offsetof(struct flow, dl_dst),
FLOW_SEGMENT_2_ENDS_AT = offsetof(struct flow, nw_src),
FLOW_SEGMENT_3_ENDS_AT = offsetof(struct flow, tp_src),
};
BUILD_ASSERT_DECL(FLOW_SEGMENT_1_ENDS_AT % sizeof(uint64_t) == 0);
BUILD_ASSERT_DECL(FLOW_SEGMENT_2_ENDS_AT % sizeof(uint64_t) == 0);
BUILD_ASSERT_DECL(FLOW_SEGMENT_3_ENDS_AT % sizeof(uint64_t) == 0);
BUILD_ASSERT_DECL( 0 < FLOW_SEGMENT_1_ENDS_AT);
BUILD_ASSERT_DECL(FLOW_SEGMENT_1_ENDS_AT < FLOW_SEGMENT_2_ENDS_AT);
BUILD_ASSERT_DECL(FLOW_SEGMENT_2_ENDS_AT < FLOW_SEGMENT_3_ENDS_AT);
BUILD_ASSERT_DECL(FLOW_SEGMENT_3_ENDS_AT < sizeof(struct flow));
extern const uint8_t flow_segment_u64s[];
#define FLOW_U64_OFFSET(FIELD) \
(offsetof(struct flow, FIELD) / sizeof(uint64_t))
#define FLOW_U64_OFFREM(FIELD) \
(offsetof(struct flow, FIELD) % sizeof(uint64_t))
/* Number of 64-bit units spanned by a 'FIELD'. */
#define FLOW_U64_SIZE(FIELD) \
DIV_ROUND_UP(FLOW_U64_OFFREM(FIELD) + MEMBER_SIZEOF(struct flow, FIELD), \
sizeof(uint64_t))
void flow_extract(struct dp_packet *, struct flow *);
void flow_zero_wildcards(struct flow *, const struct flow_wildcards *);
void flow_unwildcard_tp_ports(const struct flow *, struct flow_wildcards *);
void flow_get_metadata(const struct flow *, struct match *flow_metadata);
Add support for connection tracking.
This patch adds a new action and fields to OVS that allow connection
tracking to be performed. This support works in conjunction with the
Linux kernel support merged into the Linux-4.3 development cycle.
Packets have two possible states with respect to connection tracking:
Untracked packets have not previously passed through the connection
tracker, while tracked packets have previously been through the
connection tracker. For OpenFlow pipeline processing, untracked packets
can become tracked, and they will remain tracked until the end of the
pipeline. Tracked packets cannot become untracked.
Connections can be unknown, uncommitted, or committed. Packets which are
untracked have unknown connection state. To know the connection state,
the packet must become tracked. Uncommitted connections have no
connection state stored about them, so it is only possible for the
connection tracker to identify whether they are a new connection or
whether they are invalid. Committed connections have connection state
stored beyond the lifetime of the packet, which allows later packets in
the same connection to be identified as part of the same established
connection, or related to an existing connection - for instance ICMP
error responses.
The new 'ct' action transitions the packet from "untracked" to
"tracked" by sending this flow through the connection tracker.
The following parameters are supported initially:
- "commit": When commit is executed, the connection moves from
uncommitted state to committed state. This signals that information
about the connection should be stored beyond the lifetime of the
packet within the pipeline. This allows future packets in the same
connection to be recognized as part of the same "established" (est)
connection, as well as identifying packets in the reply (rpl)
direction, or packets related to an existing connection (rel).
- "zone=[u16|NXM]": Perform connection tracking in the zone specified.
Each zone is an independent connection tracking context. When the
"commit" parameter is used, the connection will only be committed in
the specified zone, and not in other zones. This is 0 by default.
- "table=NUMBER": Fork pipeline processing in two. The original instance
of the packet will continue processing the current actions list as an
untracked packet. An additional instance of the packet will be sent to
the connection tracker, which will be re-injected into the OpenFlow
pipeline to resume processing in the specified table, with the
ct_state and other ct match fields set. If the table is not specified,
then the packet is submitted to the connection tracker, but the
pipeline does not fork and the ct match fields are not populated. It
is strongly recommended to specify a table later than the current
table to prevent loops.
When the "table" option is used, the packet that continues processing in
the specified table will have the ct_state populated. The ct_state may
have any of the following flags set:
- Tracked (trk): Connection tracking has occurred.
- Reply (rpl): The flow is in the reply direction.
- Invalid (inv): The connection tracker couldn't identify the connection.
- New (new): This is the beginning of a new connection.
- Established (est): This is part of an already existing connection.
- Related (rel): This connection is related to an existing connection.
For more information, consult the ovs-ofctl(8) man pages.
Below is a simple example flow table to allow outbound TCP traffic from
port 1 and drop traffic from port 2 that was not initiated by port 1:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=9),2
table=0,in_port=2,tcp,ct_state=-trk,action=ct(zone=9,table=1)
table=1,in_port=2,ct_state=+trk+est,tcp,action=1
table=1,in_port=2,ct_state=+trk+new,tcp,action=drop
Based on original design by Justin Pettit, contributions from Thomas
Graf and Daniele Di Proietto.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-08-11 10:56:09 -07:00
const char *ct_state_to_string(uint32_t state);
char *flow_to_string(const struct flow *);
void format_flags(struct ds *ds, const char *(*bit_to_string)(uint32_t),
uint32_t flags, char del);
void format_flags_masked(struct ds *ds, const char *name,
const char *(*bit_to_string)(uint32_t),
uint32_t flags, uint32_t mask, uint32_t max_mask);
int parse_flags(const char *s, const char *(*bit_to_string)(uint32_t),
char end, const char *field_name, char **res_string,
uint32_t *res_flags, uint32_t allowed, uint32_t *res_mask);
void flow_format(struct ds *, const struct flow *);
void flow_print(FILE *, const struct flow *);
static inline int flow_compare_3way(const struct flow *, const struct flow *);
static inline bool flow_equal(const struct flow *, const struct flow *);
static inline size_t flow_hash(const struct flow *, uint32_t basis);
void flow_set_dl_vlan(struct flow *, ovs_be16 vid);
void flow_set_vlan_vid(struct flow *, ovs_be16 vid);
void flow_set_vlan_pcp(struct flow *, uint8_t pcp);
int flow_count_mpls_labels(const struct flow *, struct flow_wildcards *);
int flow_count_common_mpls_labels(const struct flow *a, int an,
const struct flow *b, int bn,
struct flow_wildcards *wc);
void flow_push_mpls(struct flow *, int n, ovs_be16 mpls_eth_type,
|
|
|
|
|
struct flow_wildcards *);
|
|
|
|
|
bool flow_pop_mpls(struct flow *, int n, ovs_be16 eth_type,
|
|
|
|
|
struct flow_wildcards *);
|
|
|
|
|
void flow_set_mpls_label(struct flow *, int idx, ovs_be32 label);
|
|
|
|
|
void flow_set_mpls_ttl(struct flow *, int idx, uint8_t ttl);
|
|
|
|
|
void flow_set_mpls_tc(struct flow *, int idx, uint8_t tc);
|
|
|
|
|
void flow_set_mpls_bos(struct flow *, int idx, uint8_t stack);
|
|
|
|
|
void flow_set_mpls_lse(struct flow *, int idx, ovs_be32 lse);
|
2013-01-25 16:22:07 +09:00
|
|
|
|
|
2015-02-22 03:21:09 -08:00
|
|
|
|
void flow_compose(struct dp_packet *, const struct flow *);
|
2011-09-08 14:32:13 -07:00
|
|
|
|
|
2014-07-28 09:50:37 -07:00
|
|
|
|
/* Returns extended register 'idx' of 'flow' as one 64-bit value:
 * regs[idx * 2] supplies the upper 32 bits and regs[idx * 2 + 1] the lower
 * ones.
 *
 * 'idx' is not range-checked here.  The caller must pass an index for which
 * both regs[] elements exist; anything else reads outside the array. */
static inline uint64_t
flow_get_xreg(const struct flow *flow, int idx)
{
    uint64_t upper = flow->regs[idx * 2];
    uint64_t lower = flow->regs[idx * 2 + 1];

    return (upper << 32) | lower;
}
/* Stores 'value' into extended register 'idx' of 'flow': the upper 32 bits go
 * to regs[idx * 2], the remaining bits to regs[idx * 2 + 1].
 *
 * 'idx' is not range-checked here.  The caller must pass an index for which
 * both regs[] elements exist; anything else writes outside the array. */
static inline void
flow_set_xreg(struct flow *flow, int idx, uint64_t value)
{
    const int upper_reg = idx * 2;

    flow->regs[upper_reg] = value >> 32;
    flow->regs[upper_reg + 1] = value;
}
/* Orders 'a' and 'b' by a bytewise memcmp() over the whole struct flow.
 * Returns a negative value, zero, or a positive value, as memcmp() does.
 *
 * Every byte of the struct takes part in the comparison, including any
 * padding it may contain, so both flows need fully initialized storage.
 * NOTE(review): presumably callers zero a flow before filling it in; confirm
 * at the call sites. */
static inline int
flow_compare_3way(const struct flow *a, const struct flow *b)
{
    const size_t n_bytes = sizeof *a;

    return memcmp(a, b, n_bytes);
}
/* Returns true if 'a' and 'b' are bytewise identical, as decided by
 * flow_compare_3way(). */
static inline bool
flow_equal(const struct flow *a, const struct flow *b)
{
    return flow_compare_3way(a, b) == 0;
}
/* Hashes 'flow' with hash_words64(), seeded with 'basis'.
 *
 * The flow is read as an array of 'sizeof *flow / sizeof(uint64_t)' 64-bit
 * words, so every byte covered by those words contributes to the hash,
 * whatever field (or padding) it belongs to. */
static inline size_t
flow_hash(const struct flow *flow, uint32_t basis)
{
    const uint64_t *words = (const uint64_t *) flow;
    const size_t n_words = sizeof *flow / sizeof(uint64_t);

    return hash_words64(words, n_words, basis);
}
/* Converts the typed OpenFlow port number 'ofp_port' to a plain uint16_t.
 * The value is cast as is; no range check or translation takes place. */
static inline uint16_t
ofp_to_u16(ofp_port_t ofp_port)
{
    const uint16_t raw = (OVS_FORCE uint16_t) ofp_port;

    return raw;
}
/* Converts the typed datapath port number 'odp_port' to a plain uint32_t.
 * The value is cast as is; no range check or translation takes place. */
static inline uint32_t
odp_to_u32(odp_port_t odp_port)
{
    const uint32_t raw = (OVS_FORCE uint32_t) odp_port;

    return raw;
}
/* Converts the typed port number 'ofp11_port' to a plain uint32_t.  The value
 * is cast as is; no range check or translation takes place. */
static inline uint32_t
ofp11_to_u32(ofp11_port_t ofp11_port)
{
    const uint32_t raw = (OVS_FORCE uint32_t) ofp11_port;

    return raw;
}
/* Wraps the plain 16-bit number 'port' into an ofp_port_t via OFP_PORT_C().
 * Nothing here checks that 'port' names an existing or permitted port. */
static inline ofp_port_t
u16_to_ofp(uint16_t port)
{
    const ofp_port_t typed = OFP_PORT_C(port);

    return typed;
}
/* Wraps the plain 32-bit number 'port' into an odp_port_t via ODP_PORT_C().
 * Nothing here checks that 'port' names an existing or permitted port. */
static inline odp_port_t
u32_to_odp(uint32_t port)
{
    const odp_port_t typed = ODP_PORT_C(port);

    return typed;
}
/* Wraps the plain 32-bit number 'port' into an ofp11_port_t via
 * OFP11_PORT_C().  Nothing here checks that 'port' names an existing or
 * permitted port. */
static inline ofp11_port_t
u32_to_ofp11(uint32_t port)
{
    const ofp11_port_t typed = OFP11_PORT_C(port);

    return typed;
}
/* Hashes 'ofp_port' with hash_int().  The basis is the constant 0, so the
 * result depends on the port number alone. */
static inline uint32_t
hash_ofp_port(ofp_port_t ofp_port)
{
    const uint16_t raw = ofp_to_u16(ofp_port);

    return hash_int(raw, 0);
}
/* Hashes 'odp_port' with hash_int().  The basis is the constant 0, so the
 * result depends on the port number alone. */
static inline uint32_t
hash_odp_port(odp_port_t odp_port)
{
    const uint32_t raw = odp_to_u32(odp_port);

    return hash_int(raw, 0);
}
/* Wildcards for a flow.
 *
 * Each 1-bit in 'masks' indicates that the corresponding bit of the flow is
 * significant (must match).  Each 0-bit indicates that the corresponding bit
 * of the flow is wildcarded (need not match). */
struct flow_wildcards {
    struct flow masks;          /* Bit-for-bit mask laid out like the flow. */
};
|
2011-07-29 13:15:09 -07:00
|
|
|
|
|
2014-10-01 15:35:45 -07:00
|
|
|
|
#define WC_MASK_FIELD(WC, FIELD) \
|
|
|
|
|
memset(&(WC)->masks.FIELD, 0xff, sizeof (WC)->masks.FIELD)
|
2015-08-25 13:55:03 -07:00
|
|
|
|
#define WC_MASK_FIELD_MASK(WC, FIELD, MASK) \
|
|
|
|
|
((WC)->masks.FIELD |= (MASK))
|
2014-10-01 15:35:45 -07:00
|
|
|
|
#define WC_UNMASK_FIELD(WC, FIELD) \
|
|
|
|
|
memset(&(WC)->masks.FIELD, 0, sizeof (WC)->masks.FIELD)
|
|
|
|
|
|
2010-11-10 14:39:54 -08:00
|
|
|
|
void flow_wildcards_init_catchall(struct flow_wildcards *);
|
2010-10-27 20:15:56 -07:00
|
|
|
|
|
2014-10-01 15:35:45 -07:00
|
|
|
|
void flow_wildcards_init_for_packet(struct flow_wildcards *,
|
|
|
|
|
const struct flow *);
|
|
|
|
|
|
2013-12-10 23:32:51 -08:00
|
|
|
|
void flow_wildcards_clear_non_packet_fields(struct flow_wildcards *);
|
|
|
|
|
|
2011-09-12 16:38:52 -07:00
|
|
|
|
bool flow_wildcards_is_catchall(const struct flow_wildcards *);
|
2010-11-08 16:45:00 -08:00
|
|
|
|
|
2010-11-11 10:41:33 -08:00
|
|
|
|
void flow_wildcards_set_reg_mask(struct flow_wildcards *,
|
|
|
|
|
int idx, uint32_t mask);
|
2014-07-28 09:50:37 -07:00
|
|
|
|
void flow_wildcards_set_xreg_mask(struct flow_wildcards *,
|
|
|
|
|
int idx, uint64_t mask);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2013-06-10 22:48:58 -07:00
|
|
|
|
void flow_wildcards_and(struct flow_wildcards *dst,
|
|
|
|
|
const struct flow_wildcards *src1,
|
|
|
|
|
const struct flow_wildcards *src2);
|
|
|
|
|
void flow_wildcards_or(struct flow_wildcards *dst,
|
|
|
|
|
const struct flow_wildcards *src1,
|
|
|
|
|
const struct flow_wildcards *src2);
|
2010-11-03 11:00:58 -07:00
|
|
|
|
bool flow_wildcards_has_extra(const struct flow_wildcards *,
|
|
|
|
|
const struct flow_wildcards *);
|
2011-05-26 16:23:21 -07:00
|
|
|
|
uint32_t flow_wildcards_hash(const struct flow_wildcards *, uint32_t basis);
|
2010-11-03 11:00:58 -07:00
|
|
|
|
bool flow_wildcards_equal(const struct flow_wildcards *,
|
|
|
|
|
const struct flow_wildcards *);
|
2014-02-26 10:07:38 -08:00
|
|
|
|
uint32_t flow_hash_5tuple(const struct flow *flow, uint32_t basis);
|
2011-02-01 18:50:25 -08:00
|
|
|
|
uint32_t flow_hash_symmetric_l4(const struct flow *flow, uint32_t basis);
|
2015-07-06 12:58:24 -05:00
|
|
|
|
uint32_t flow_hash_symmetric_l3l4(const struct flow *flow, uint32_t basis,
|
|
|
|
|
bool inc_udp_ports );
|
2010-11-03 11:00:58 -07:00
|
|
|
|
|
2013-10-17 14:28:20 -07:00
|
|
|
|
/* Initialize a flow with random fields that matter for nx_hash_fields. */
|
|
|
|
|
void flow_random_hash_fields(struct flow *);
|
2013-06-26 16:37:16 -07:00
|
|
|
|
void flow_mask_hash_fields(const struct flow *, struct flow_wildcards *,
|
|
|
|
|
enum nx_hash_fields);
|
2011-07-13 16:20:24 -07:00
|
|
|
|
uint32_t flow_hash_fields(const struct flow *, enum nx_hash_fields,
|
|
|
|
|
uint16_t basis);
|
|
|
|
|
const char *flow_hash_fields_to_str(enum nx_hash_fields);
|
|
|
|
|
bool flow_hash_fields_valid(enum nx_hash_fields);
|
2011-06-06 14:21:40 -07:00
|
|
|
|
|
2013-06-10 22:48:58 -07:00
|
|
|
|
uint32_t flow_hash_in_wildcards(const struct flow *,
|
|
|
|
|
const struct flow_wildcards *,
|
|
|
|
|
uint32_t basis);
|
|
|
|
|
|
2012-08-07 13:43:18 -07:00
|
|
|
|
bool flow_equal_except(const struct flow *a, const struct flow *b,
|
|
|
|
|
const struct flow_wildcards *);
|
2012-09-04 12:43:53 -07:00
|
|
|
|
|
2015-08-25 13:55:03 -07:00
|
|
|
|
/* Bitmap for flow values. For each 1-bit the corresponding flow value is
|
|
|
|
|
* explicitly specified, other values are zeroes.
|
|
|
|
|
*
|
|
|
|
|
* map_t must be wide enough to hold any member of struct flow. */
|
|
|
|
|
typedef unsigned long long map_t;
|
|
|
|
|
#define MAP_T_BITS (sizeof(map_t) * CHAR_BIT)
|
|
|
|
|
#define MAP_1 (map_t)1
|
|
|
|
|
#define MAP_MAX TYPE_MAXIMUM(map_t)
|
|
|
|
|
|
|
|
|
|
#define MAP_IS_SET(MAP, IDX) ((MAP) & (MAP_1 << (IDX)))
|
|
|
|
|
|
|
|
|
|
/* Iterate through the indices of all 1-bits in 'MAP'. */
|
|
|
|
|
#define MAP_FOR_EACH_INDEX(IDX, MAP) \
|
|
|
|
|
ULLONG_FOR_EACH_1(IDX, MAP)
|
|
|
|
|
|
|
|
|
|
#define FLOWMAP_UNITS DIV_ROUND_UP(FLOW_U64S, MAP_T_BITS)
|
|
|
|
|
|
|
|
|
|
/* A bitmap of FLOWMAP_UNITS map_t words.  The FLOWMAP_*() macros in this file
 * index it by a field's u64 offset within struct flow (FLOW_U64_OFFSET), so
 * bit N stands for the N-th 64-bit unit of a flow. */
struct flowmap {
    map_t bits[FLOWMAP_UNITS];  /* Bit 'idx' lives in bits[idx / MAP_T_BITS]. */
};
|
|
|
|
|
|
|
|
|
|
#define FLOWMAP_EMPTY_INITIALIZER { { 0 } }
|
|
|
|
|
|
|
|
|
|
static inline void flowmap_init(struct flowmap *);
|
|
|
|
|
static inline bool flowmap_equal(struct flowmap, struct flowmap);
|
|
|
|
|
static inline bool flowmap_is_set(const struct flowmap *, size_t idx);
|
|
|
|
|
static inline bool flowmap_are_set(const struct flowmap *, size_t idx,
|
|
|
|
|
unsigned int n_bits);
|
|
|
|
|
static inline void flowmap_set(struct flowmap *, size_t idx,
|
|
|
|
|
unsigned int n_bits);
|
|
|
|
|
static inline void flowmap_clear(struct flowmap *, size_t idx,
|
|
|
|
|
unsigned int n_bits);
|
|
|
|
|
static inline struct flowmap flowmap_or(struct flowmap, struct flowmap);
|
|
|
|
|
static inline struct flowmap flowmap_and(struct flowmap, struct flowmap);
|
|
|
|
|
static inline bool flowmap_is_empty(struct flowmap);
|
|
|
|
|
static inline unsigned int flowmap_n_1bits(struct flowmap);
|
|
|
|
|
|
|
|
|
|
#define FLOWMAP_HAS_FIELD(FM, FIELD) \
|
|
|
|
|
flowmap_are_set(FM, FLOW_U64_OFFSET(FIELD), FLOW_U64_SIZE(FIELD))
|
|
|
|
|
|
|
|
|
|
#define FLOWMAP_SET(FM, FIELD) \
|
|
|
|
|
flowmap_set(FM, FLOW_U64_OFFSET(FIELD), FLOW_U64_SIZE(FIELD))
|
|
|
|
|
|
|
|
|
|
#define FLOWMAP_SET__(FM, FIELD, SIZE) \
|
|
|
|
|
flowmap_set(FM, FLOW_U64_OFFSET(FIELD), \
|
|
|
|
|
DIV_ROUND_UP(SIZE, sizeof(uint64_t)))
|
|
|
|
|
|
|
|
|
|
/* XXX: Only works for full 64-bit units. */
|
|
|
|
|
#define FLOWMAP_CLEAR(FM, FIELD) \
|
|
|
|
|
BUILD_ASSERT_DECL(FLOW_U64_OFFREM(FIELD) == 0); \
|
|
|
|
|
BUILD_ASSERT_DECL(sizeof(((struct flow *)0)->FIELD) % sizeof(uint64_t) == 0); \
|
|
|
|
|
flowmap_clear(FM, FLOW_U64_OFFSET(FIELD), FLOW_U64_SIZE(FIELD))
|
|
|
|
|
|
|
|
|
|
/* Iterate 'UNIT' through the indices of all units of a flowmap. */
|
|
|
|
|
#define FLOWMAP_FOR_EACH_UNIT(UNIT) \
|
|
|
|
|
for ((UNIT) = 0; (UNIT) < FLOWMAP_UNITS; (UNIT)++)
|
|
|
|
|
|
|
|
|
|
/* Iterate through all map units in 'FLOWMAP', assigning each to 'MAP'. */
|
|
|
|
|
#define FLOWMAP_FOR_EACH_MAP(MAP, FLOWMAP) \
|
|
|
|
|
for (size_t unit__ = 0; \
|
|
|
|
|
unit__ < FLOWMAP_UNITS && ((MAP) = (FLOWMAP).bits[unit__], true); \
|
|
|
|
|
unit__++)
|
|
|
|
|
|
|
|
|
|
struct flowmap_aux;
|
|
|
|
|
static inline bool flowmap_next_index(struct flowmap_aux *, size_t *idx);
|
|
|
|
|
|
|
|
|
|
#define FLOWMAP_AUX_INITIALIZER(FLOWMAP) { .unit = 0, .map = (FLOWMAP) }
|
|
|
|
|
|
|
|
|
|
/* Iterate through all struct flow u64 indices specified by 'MAP'. This is a
|
|
|
|
|
* slower but easier version of the FLOWMAP_FOR_EACH_MAP() &
|
|
|
|
|
* MAP_FOR_EACH_INDEX() combination. */
|
|
|
|
|
#define FLOWMAP_FOR_EACH_INDEX(IDX, MAP) \
|
|
|
|
|
for (struct flowmap_aux aux__ = FLOWMAP_AUX_INITIALIZER(MAP); \
|
|
|
|
|
flowmap_next_index(&aux__, &(IDX));)
|
|
|
|
|
|
|
|
|
|
/* Flowmap inline implementations. */
|
|
|
|
|
/* Clears every bit of 'fm' by zeroing the whole struct. */
static inline void
flowmap_init(struct flowmap *fm)
{
    const size_t n_bytes = sizeof *fm;

    memset(fm, 0, n_bytes);
}
/* Returns true if 'a' and 'b' are bytewise identical.  Both maps are passed
 * by value and compared with memcmp() over the whole struct. */
static inline bool
flowmap_equal(struct flowmap a, struct flowmap b)
{
    return memcmp(&a, &b, sizeof a) == 0;
}
/* Returns true if bit 'idx' is set in 'fm'.
 *
 * 'idx' is not range-checked: it must be below FLOWMAP_UNITS * MAP_T_BITS,
 * otherwise the lookup reads past the end of fm->bits[]. */
static inline bool
flowmap_is_set(const struct flowmap *fm, size_t idx)
{
    const size_t unit = idx / MAP_T_BITS;
    const map_t bit = MAP_1 << (idx % MAP_T_BITS);

    return (fm->bits[unit] & bit) != 0;
}
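/* Returns 'true' if any of the 'n_bits' bits starting at 'idx' are set in
 * 'fm'.  'n_bits' can be at most MAP_T_BITS.
 *
 * 'idx' is not range-checked: it must be below FLOWMAP_UNITS * MAP_T_BITS,
 * otherwise fm->bits[] is read out of bounds.  Bits of the range that would
 * fall beyond the last unit are not examined. */
static inline bool
flowmap_are_set(const struct flowmap *fm, size_t idx, unsigned int n_bits)
{
    /* Shifting a map_t by its full width is undefined behavior, so the
     * documented maximum 'n_bits == MAP_T_BITS' gets the all-ones mask
     * directly instead of going through the shift. */
    map_t n_bits_mask = n_bits < MAP_T_BITS
                        ? (MAP_1 << n_bits) - 1
                        : ~(map_t) 0;
    size_t unit = idx / MAP_T_BITS;

    idx %= MAP_T_BITS;

    if (fm->bits[unit] & (n_bits_mask << idx)) {
        return true;
    }
    /* The seemingly unnecessary bounds check on 'unit' is a workaround for a
     * false-positive array out of bounds error by GCC 4.9. */
    if (unit + 1 < FLOWMAP_UNITS && idx + n_bits > MAP_T_BITS) {
        /* Check the remaining bits from the next unit.  'idx' is nonzero
         * here (the range crosses a unit boundary while 'n_bits' is at most
         * MAP_T_BITS), so the shift count stays below MAP_T_BITS. */
        return (fm->bits[unit + 1]
                & (n_bits_mask >> (MAP_T_BITS - idx))) != 0;
    }
    return false;
}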
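/* Set the 'n_bits' consecutive bits in 'fm', starting at bit 'idx'.
 * 'n_bits' can be at most MAP_T_BITS.
 *
 * 'idx' is not range-checked: it must be below FLOWMAP_UNITS * MAP_T_BITS,
 * otherwise fm->bits[] is written out of bounds.  Bits of the range that
 * would fall beyond the last unit are silently dropped. */
static inline void
flowmap_set(struct flowmap *fm, size_t idx, unsigned int n_bits)
{
    /* Shifting a map_t by its full width is undefined behavior, so the
     * documented maximum 'n_bits == MAP_T_BITS' gets the all-ones mask
     * directly instead of going through the shift. */
    map_t n_bits_mask = n_bits < MAP_T_BITS
                        ? (MAP_1 << n_bits) - 1
                        : ~(map_t) 0;
    size_t unit = idx / MAP_T_BITS;

    idx %= MAP_T_BITS;

    fm->bits[unit] |= n_bits_mask << idx;
    /* The seemingly unnecessary bounds check on 'unit' is a workaround for a
     * false-positive array out of bounds error by GCC 4.9. */
    if (unit + 1 < FLOWMAP_UNITS && idx + n_bits > MAP_T_BITS) {
        /* 'MAP_T_BITS - idx' bits were set on 'unit', set the remaining
         * bits from the next unit.  'idx' is nonzero here, so the shift
         * count stays below MAP_T_BITS. */
        fm->bits[unit + 1] |= n_bits_mask >> (MAP_T_BITS - idx);
    }
}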
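/* Clears the 'n_bits' consecutive bits in 'fm', starting at bit 'idx'.
 * 'n_bits' can be at most MAP_T_BITS.
 *
 * 'idx' is not range-checked: it must be below FLOWMAP_UNITS * MAP_T_BITS,
 * otherwise fm->bits[] is written out of bounds.  Bits of the range that
 * would fall beyond the last unit are left untouched. */
static inline void
flowmap_clear(struct flowmap *fm, size_t idx, unsigned int n_bits)
{
    /* Shifting a map_t by its full width is undefined behavior, so the
     * documented maximum 'n_bits == MAP_T_BITS' gets the all-ones mask
     * directly instead of going through the shift. */
    map_t n_bits_mask = n_bits < MAP_T_BITS
                        ? (MAP_1 << n_bits) - 1
                        : ~(map_t) 0;
    size_t unit = idx / MAP_T_BITS;

    idx %= MAP_T_BITS;

    fm->bits[unit] &= ~(n_bits_mask << idx);
    /* The seemingly unnecessary bounds check on 'unit' is a workaround for a
     * false-positive array out of bounds error by GCC 4.9. */
    if (unit + 1 < FLOWMAP_UNITS && idx + n_bits > MAP_T_BITS) {
        /* 'MAP_T_BITS - idx' bits were cleared on 'unit', clear the
         * remaining bits from the next unit.  'idx' is nonzero here, so the
         * shift count stays below MAP_T_BITS. */
        fm->bits[unit + 1] &= ~(n_bits_mask >> (MAP_T_BITS - idx));
    }
}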
/* Returns the union of 'a' and 'b': a bit is set in the result if it is set
 * in either argument.  Every unit of the result is assigned in the loop. */
static inline struct flowmap
flowmap_or(struct flowmap a, struct flowmap b)
{
    struct flowmap merged;

    for (size_t i = 0; i < FLOWMAP_UNITS; i++) {
        merged.bits[i] = a.bits[i] | b.bits[i];
    }
    return merged;
}
/* Returns the intersection of 'a' and 'b': a bit is set in the result only if
 * it is set in both arguments.  Every unit of the result is assigned in the
 * loop. */
static inline struct flowmap
flowmap_and(struct flowmap a, struct flowmap b)
{
    struct flowmap common;

    for (size_t i = 0; i < FLOWMAP_UNITS; i++) {
        common.bits[i] = a.bits[i] & b.bits[i];
    }
    return common;
}
/* Returns true if no bit is set in any unit of 'fm'. */
static inline bool
flowmap_is_empty(struct flowmap fm)
{
    for (size_t unit = 0; unit < FLOWMAP_UNITS; unit++) {
        if (fm.bits[unit] != 0) {
            return false;
        }
    }
    return true;
}
/* Returns the number of 1-bits in 'fm', summed over all of its units. */
static inline unsigned int
flowmap_n_1bits(struct flowmap fm)
{
    unsigned int total = 0;

    for (size_t unit = 0; unit < FLOWMAP_UNITS; unit++) {
        total += count_1bits(fm.bits[unit]);
    }
    return total;
}
/* Iteration state for flowmap_next_index(), set up with
 * FLOWMAP_AUX_INITIALIZER(). */
struct flowmap_aux {
    size_t unit;                /* Unit of 'map' currently being scanned. */
    struct flowmap map;         /* By-value copy of the iterated map; its
                                 * 1-bits are cleared as they are reported. */
};
/* Advances the iteration in 'aux'.  If a 1-bit remains, stores its index in
 * '*idx', clears it from the copy of the map kept in 'aux' and returns true.
 * Returns false once every unit has been exhausted.
 *
 * After a false return aux->unit equals FLOWMAP_UNITS, so calling this again
 * with the same 'aux' would index past the end of the map; the
 * FLOWMAP_FOR_EACH_INDEX() loop stops at the first false. */
static inline bool
flowmap_next_index(struct flowmap_aux *aux, size_t *idx)
{
    do {
        map_t *pending = &aux->map.bits[aux->unit];

        if (*pending != 0) {
            *idx = aux->unit * MAP_T_BITS + raw_ctz(*pending);
            *pending = zero_rightmost_1bit(*pending);
            return true;
        }
    } while (++aux->unit < FLOWMAP_UNITS);

    return false;
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Compressed flow. */
|
2012-09-04 12:43:53 -07:00
|
|
|
|
|
|
|
|
|
/* A sparse representation of a "struct flow".
|
|
|
|
|
*
|
|
|
|
|
* A "struct flow" is fairly large and tends to be mostly zeros. Sparse
|
2015-07-15 13:17:01 -07:00
|
|
|
|
* representation has two advantages. First, it saves memory and, more
|
|
|
|
|
* importantly, minimizes the number of accessed cache lines. Second, it saves
|
|
|
|
|
* time when the goal is to iterate over only the nonzero parts of the struct.
|
2012-09-04 12:43:53 -07:00
|
|
|
|
*
|
2015-08-25 13:55:03 -07:00
|
|
|
|
* The map member holds one bit for each uint64_t in a "struct flow". Each
|
2015-01-06 11:10:42 -08:00
|
|
|
|
* 0-bit indicates that the corresponding uint64_t is zero, each 1-bit that it
|
2014-04-29 15:50:39 -07:00
|
|
|
|
* *may* be nonzero (see below how this applies to minimasks).
|
2012-09-04 12:43:53 -07:00
|
|
|
|
*
|
2015-08-25 13:55:03 -07:00
|
|
|
|
* The values indicated by 'map' always follow the miniflow in memory. The
|
|
|
|
|
* user of the miniflow is responsible for always having enough storage after
|
|
|
|
|
* the struct miniflow corresponding to the number of 1-bits in maps.
|
2015-07-17 15:18:43 -07:00
|
|
|
|
*
|
2014-04-29 15:50:39 -07:00
|
|
|
|
* Elements in values array are allowed to be zero. This is useful for "struct
|
2013-02-06 16:13:19 -08:00
|
|
|
|
* minimatch", for which ensuring that the miniflow and minimask members have
|
2015-07-17 15:18:43 -07:00
|
|
|
|
* same maps allows optimization. This allowance applies only to a miniflow
|
2015-07-16 17:42:24 -07:00
|
|
|
|
* that is not a mask. That is, a minimask may NOT have zero elements in its
|
2015-07-17 15:18:43 -07:00
|
|
|
|
* values.
|
2015-07-15 13:17:01 -07:00
|
|
|
|
*
|
2015-07-17 15:18:43 -07:00
|
|
|
|
* A miniflow is always dynamically allocated so that the maps are followed by
|
|
|
|
|
* at least as many elements as there are 1-bits in maps. */
|
2012-09-04 12:43:53 -07:00
|
|
|
|
struct miniflow {
|
2015-08-25 13:55:03 -07:00
|
|
|
|
struct flowmap map;
|
2015-07-17 15:18:43 -07:00
|
|
|
|
/* Followed by:
|
|
|
|
|
* uint64_t values[n];
|
|
|
|
|
* where 'n' is miniflow_n_values(miniflow). */
|
2012-09-04 12:43:53 -07:00
|
|
|
|
};
|
2015-08-25 13:55:03 -07:00
|
|
|
|
BUILD_ASSERT_DECL(sizeof(struct miniflow) % sizeof(uint64_t) == 0);
|
2012-09-04 12:43:53 -07:00
|
|
|
|
|
2015-01-06 11:10:42 -08:00
|
|
|
|
#define MINIFLOW_VALUES_SIZE(COUNT) ((COUNT) * sizeof(uint64_t))
|
2014-04-29 15:50:39 -07:00
|
|
|
|
|
2015-07-16 17:42:24 -07:00
|
|
|
|
/* Returns a writable pointer to the values array of 'mf', which starts
 * directly after the struct miniflow header in memory.
 *
 * The function only computes the address.  How many elements are valid is up
 * to the storage the caller placed behind 'mf'. */
static inline uint64_t *miniflow_values(struct miniflow *mf)
{
    struct miniflow *past_header = mf + 1;

    return (uint64_t *) past_header;
}
/* Returns a read-only pointer to the values array of 'mf', which starts
 * directly after the struct miniflow header in memory.
 *
 * The function only computes the address.  How many elements are valid is up
 * to the storage the caller placed behind 'mf'. */
static inline const uint64_t *miniflow_get_values(const struct miniflow *mf)
{
    const struct miniflow *past_header = mf + 1;

    return (const uint64_t *) past_header;
}
|
|
|
|
|
|
2014-04-18 08:26:56 -07:00
|
|
|
|
struct pkt_metadata;
|
|
|
|
|
|
2015-07-15 13:17:01 -07:00
|
|
|
|
/* The 'dst' must follow with buffer space for FLOW_U64S 64-bit units.
|
|
|
|
|
* 'dst->map' is ignored on input and set on output to indicate which fields
|
|
|
|
|
* were extracted. */
|
2015-02-22 03:21:09 -08:00
|
|
|
|
void miniflow_extract(struct dp_packet *packet, struct miniflow *dst);
|
2015-07-15 13:17:01 -07:00
|
|
|
|
void miniflow_map_init(struct miniflow *, const struct flow *);
|
2015-08-25 13:55:03 -07:00
|
|
|
|
void flow_wc_map(const struct flow *, struct flowmap *);
|
2015-07-15 13:17:01 -07:00
|
|
|
|
size_t miniflow_alloc(struct miniflow *dsts[], size_t n,
|
|
|
|
|
const struct miniflow *src);
|
|
|
|
|
void miniflow_init(struct miniflow *, const struct flow *);
|
2015-07-15 13:17:01 -07:00
|
|
|
|
void miniflow_clone(struct miniflow *, const struct miniflow *,
|
|
|
|
|
size_t n_values);
|
2015-07-15 13:17:01 -07:00
|
|
|
|
struct miniflow * miniflow_create(const struct flow *);
|
2012-09-04 12:43:53 -07:00
|
|
|
|
|
|
|
|
|
void miniflow_expand(const struct miniflow *, struct flow *);
|
|
|
|
|
|
2015-01-06 11:10:42 -08:00
|
|
|
|
/* Returns the 'index'-th 64-bit word of 'flow', reading the struct as an
 * array of uint64_t.
 *
 * 'index' is not range-checked: the caller must keep it within the number of
 * 64-bit words of struct flow. */
static inline uint64_t flow_u64_value(const struct flow *flow, size_t index)
{
    const uint64_t *words = (const uint64_t *) flow;

    return words[index];
}
/* Returns a writable pointer to the 'index'-th 64-bit word of 'flow',
 * addressing the struct as an array of uint64_t.
 *
 * 'index' is not range-checked: the caller must keep it within the number of
 * 64-bit words of struct flow, since the result is meant to be written
 * through. */
static inline uint64_t *flow_u64_lvalue(struct flow *flow, size_t index)
{
    uint64_t *words = (uint64_t *) flow;

    return words + index;
}
/* Returns the number of values stored behind 'flow', which is the number of
 * 1-bits in its map. */
static inline size_t
miniflow_n_values(const struct miniflow *flow)
{
    const unsigned int n_set = flowmap_n_1bits(flow->map);

    return n_set;
}
/* Iteration state for FLOW_FOR_EACH_IN_MAPS(). */
struct flow_for_each_in_maps_aux {
    const struct flow *flow;        /* Flow whose u64 values are read. */
    struct flowmap_aux map_aux;     /* Walks the indices selected by the map. */
};
/* Fetches the next flow value selected by the map in 'aux'.  On success
 * stores the 64-bit word of aux->flow at the next set index in '*value' and
 * returns true; returns false, leaving '*value' untouched, when the map is
 * exhausted.
 *
 * The indices come straight from the map, so the map must not have bits set
 * beyond the 64-bit words of struct flow. */
static inline bool
flow_values_get_next_in_maps(struct flow_for_each_in_maps_aux *aux,
                             uint64_t *value)
{
    size_t idx;

    if (!flowmap_next_index(&aux->map_aux, &idx)) {
        return false;
    }
    *value = flow_u64_value(aux->flow, idx);
    return true;
}
|
|
|
|
|
|
2015-08-25 13:55:03 -07:00
|
|
|
|
/* Iterate through all flow u64 values specified by 'MAPS'. */
|
2015-07-17 15:18:43 -07:00
|
|
|
|
#define FLOW_FOR_EACH_IN_MAPS(VALUE, FLOW, MAPS) \
|
|
|
|
|
for (struct flow_for_each_in_maps_aux aux__ \
|
2015-08-25 13:55:03 -07:00
|
|
|
|
= { (FLOW), FLOWMAP_AUX_INITIALIZER(MAPS) }; \
|
2015-07-17 15:18:43 -07:00
|
|
|
|
flow_values_get_next_in_maps(&aux__, &(VALUE));)
|
2014-04-29 15:50:39 -07:00
|
|
|
|
|
2014-10-07 12:59:14 -07:00
|
|
|
|
/* Iteration state for MINIFLOW_FOR_EACH_IN_FLOWMAP(), which initializes the
 * members in declaration order. */
struct mf_for_each_in_map_aux {
    size_t unit;                /* Unit currently being scanned. */
    struct flowmap fmap;        /* Copy of the miniflow's own map; bits are
                                 * removed as their values are passed. */
    struct flowmap map;         /* Copy of the requested map; bits are removed
                                 * as they are reported. */
    const uint64_t *values;     /* Cursor into the miniflow's values array. */
};
|
2014-04-18 08:26:56 -07:00
|
|
|
|
|
2014-10-07 12:59:14 -07:00
|
|
|
|
/* Advances the iteration in 'aux' to the next 1-bit of the requested map.
 * Stores in '*value' the miniflow's value for that bit, or 0 if the miniflow
 * has no value there, and returns true.  Returns false when the requested map
 * is exhausted.
 *
 * After a false return aux->unit equals FLOWMAP_UNITS, so calling this again
 * with the same 'aux' would index past the end of the maps; the
 * MINIFLOW_FOR_EACH_IN_FLOWMAP() loop stops at the first false. */
static inline bool
mf_get_next_in_map(struct mf_for_each_in_map_aux *aux,
                   uint64_t *value)
{
    map_t *wanted = &aux->map.bits[aux->unit];

    while (OVS_UNLIKELY(!*wanted)) {
        /* Nothing more is requested from this unit: step the value cursor
         * over whatever data the miniflow still holds for it. */
        aux->values += count_1bits(aux->fmap.bits[aux->unit]);
        if (++aux->unit == FLOWMAP_UNITS) {
            return false;
        }
        wanted = &aux->map.bits[aux->unit];
    }

    map_t lowest = rightmost_1bit(*wanted);
    map_t *present = &aux->fmap.bits[aux->unit];

    *wanted -= lowest;

    if (OVS_LIKELY(*present & lowest)) {
        /* Values the miniflow stores below 'lowest' were not requested. */
        map_t skipped = *present & (lowest - 1);

        *present -= skipped;
        /* count_1bits() is fast for systems where speed matters (e.g.,
         * DPDK), so we don't try to avoid using it.
         * Advance 'aux->values' to point to the value for 'lowest'. */
        aux->values += count_1bits(skipped);

        *value = *aux->values;
    } else {
        *value = 0;
    }
    return true;
}
|
|
|
|
|
|
2015-08-25 13:55:03 -07:00
|
|
|
|
/* Iterate through miniflow u64 values specified by 'FLOWMAP'. */
|
|
|
|
|
#define MINIFLOW_FOR_EACH_IN_FLOWMAP(VALUE, FLOW, FLOWMAP) \
|
2015-07-17 15:18:43 -07:00
|
|
|
|
for (struct mf_for_each_in_map_aux aux__ = \
|
2015-08-25 13:55:03 -07:00
|
|
|
|
{ 0, (FLOW)->map, (FLOWMAP), miniflow_get_values(FLOW) }; \
|
2015-07-17 15:18:43 -07:00
|
|
|
|
mf_get_next_in_map(&aux__, &(VALUE));)
|
2014-04-18 08:26:56 -07:00
|
|
|
|
|
2015-08-25 13:55:03 -07:00
|
|
|
|
/* Returns the address within 'values' of the value for bit 'idx' of 'map',
 * found by skipping one element for every 1-bit of 'map' below 'idx'.
 *
 * This can be used when it is known that 'idx' is set in 'map'.  'idx' must
 * also be below MAP_T_BITS, as it is used as a shift count. */
static inline const uint64_t *
miniflow_values_get__(const uint64_t *values, map_t map, size_t idx)
{
    const map_t below = (MAP_1 << idx) - 1;

    return values + count_1bits(map & below);
}
/* Returns the address of the value that 'mf' stores for u64 index 'idx'.
 *
 * This can be used when it is known that 'idx' is set in the map of 'mf'.
 * Neither that nor the range of 'idx' is checked here: an index at or beyond
 * FLOWMAP_UNITS * MAP_T_BITS walks past the end of the map, and an unset bit
 * yields the address of some other value (or of storage behind the last
 * one). */
static inline const uint64_t *
miniflow_get__(const struct miniflow *mf, size_t idx)
{
    const uint64_t *values = miniflow_get_values(mf);
    const map_t *unit = mf->map.bits;

    /* Skip whole units, stepping over the values they account for. */
    for (; idx >= MAP_T_BITS; idx -= MAP_T_BITS, unit++) {
        values += count_1bits(*unit);
    }
    return miniflow_values_get__(values, *unit, idx);
}
#define MINIFLOW_IN_MAP(MF, IDX) flowmap_is_set(&(MF)->map, IDX)
|
|
|
|
|
|
|
|
|
|
/* Get the value of the struct flow 'FIELD' as up to 8 byte wide integer type
|
|
|
|
|
* 'TYPE' from miniflow 'MF'. */
|
|
|
|
|
#define MINIFLOW_GET_TYPE(MF, TYPE, FIELD) \
|
|
|
|
|
(MINIFLOW_IN_MAP(MF, FLOW_U64_OFFSET(FIELD)) \
|
|
|
|
|
? ((OVS_FORCE const TYPE *)miniflow_get__(MF, FLOW_U64_OFFSET(FIELD))) \
|
|
|
|
|
[FLOW_U64_OFFREM(FIELD) / sizeof(TYPE)] \
|
2015-07-17 15:18:43 -07:00
|
|
|
|
: 0)
|
2014-04-29 15:50:38 -07:00
|
|
|
|
|
2015-11-11 11:39:49 -08:00
|
|
|
|
#define MINIFLOW_GET_U128(FLOW, FIELD) \
|
|
|
|
|
(ovs_u128) { .u64 = { \
|
|
|
|
|
(MINIFLOW_IN_MAP(FLOW, FLOW_U64_OFFSET(FIELD)) ? \
|
|
|
|
|
*miniflow_get__(FLOW, FLOW_U64_OFFSET(FIELD)) : 0), \
|
|
|
|
|
(MINIFLOW_IN_MAP(FLOW, FLOW_U64_OFFSET(FIELD) + 1) ? \
|
|
|
|
|
*miniflow_get__(FLOW, FLOW_U64_OFFSET(FIELD) + 1) : 0) } }
|
Add connection tracking label support.
This patch adds a new 128-bit metadata field to the connection tracking
interface. When a label is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_label" field in the flow.
For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a label with
those connections:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_label)),2
table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
table=1,in_port=2,ct_state=+trk,ct_label=1,tcp,action=1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-10-13 11:13:10 -07:00
|
|
|
|
|
2015-08-25 13:55:03 -07:00
|
|
|
|
#define MINIFLOW_GET_U8(FLOW, FIELD) \
|
|
|
|
|
MINIFLOW_GET_TYPE(FLOW, uint8_t, FIELD)
|
|
|
|
|
#define MINIFLOW_GET_U16(FLOW, FIELD) \
|
|
|
|
|
MINIFLOW_GET_TYPE(FLOW, uint16_t, FIELD)
|
|
|
|
|
#define MINIFLOW_GET_BE16(FLOW, FIELD) \
|
|
|
|
|
MINIFLOW_GET_TYPE(FLOW, ovs_be16, FIELD)
|
|
|
|
|
#define MINIFLOW_GET_U32(FLOW, FIELD) \
|
|
|
|
|
MINIFLOW_GET_TYPE(FLOW, uint32_t, FIELD)
|
|
|
|
|
#define MINIFLOW_GET_BE32(FLOW, FIELD) \
|
|
|
|
|
MINIFLOW_GET_TYPE(FLOW, ovs_be32, FIELD)
|
|
|
|
|
#define MINIFLOW_GET_U64(FLOW, FIELD) \
|
|
|
|
|
MINIFLOW_GET_TYPE(FLOW, uint64_t, FIELD)
|
|
|
|
|
#define MINIFLOW_GET_BE64(FLOW, FIELD) \
|
|
|
|
|
MINIFLOW_GET_TYPE(FLOW, ovs_be64, FIELD)
|
2015-01-06 11:10:42 -08:00
|
|
|
|
|
|
|
|
|
static inline uint64_t miniflow_get(const struct miniflow *,
|
|
|
|
|
unsigned int u64_ofs);
|
|
|
|
|
static inline uint32_t miniflow_get_u32(const struct miniflow *,
|
|
|
|
|
unsigned int u32_ofs);
|
|
|
|
|
static inline ovs_be32 miniflow_get_be32(const struct miniflow *,
|
|
|
|
|
unsigned int be32_ofs);
|
2014-04-18 08:26:56 -07:00
|
|
|
|
static inline uint16_t miniflow_get_vid(const struct miniflow *);
|
|
|
|
|
static inline uint16_t miniflow_get_tcp_flags(const struct miniflow *);
|
2013-09-25 15:07:21 -07:00
|
|
|
|
static inline ovs_be64 miniflow_get_metadata(const struct miniflow *);
|
2012-09-04 12:43:53 -07:00
|
|
|
|
|
|
|
|
|
bool miniflow_equal(const struct miniflow *a, const struct miniflow *b);
|
|
|
|
|
bool miniflow_equal_in_minimask(const struct miniflow *a,
|
|
|
|
|
const struct miniflow *b,
|
|
|
|
|
const struct minimask *);
|
|
|
|
|
bool miniflow_equal_flow_in_minimask(const struct miniflow *a,
|
|
|
|
|
const struct flow *b,
|
|
|
|
|
const struct minimask *);
|
2014-04-18 08:26:57 -07:00
|
|
|
|
uint32_t miniflow_hash_5tuple(const struct miniflow *flow, uint32_t basis);
|
2013-12-20 08:16:31 -08:00
|
|
|
|
|
2012-09-04 12:43:53 -07:00
|
|
|
|
|
|
|
|
|
/* Compressed flow wildcards. */
|
|
|
|
|
|
|
|
|
|
/* A sparse representation of a "struct flow_wildcards".
 *
 * See the large comment on struct miniflow for details.
 *
 * Note: While a miniflow can have zero data for a 1-bit in the map,
 * a minimask may not!  We rely on this in the implementation. */
struct minimask {
    struct miniflow masks;      /* Mask bits, stored in miniflow form. */
};
|
|
|
|
|
|
2015-07-15 13:17:01 -07:00
|
|
|
|
void minimask_init(struct minimask *, const struct flow_wildcards *);
|
2015-07-15 13:17:01 -07:00
|
|
|
|
struct minimask * minimask_create(const struct flow_wildcards *);
|
2012-09-04 12:43:53 -07:00
|
|
|
|
void minimask_combine(struct minimask *dst,
|
|
|
|
|
const struct minimask *a, const struct minimask *b,
|
2015-01-06 11:10:42 -08:00
|
|
|
|
uint64_t storage[FLOW_U64S]);
|
2012-09-04 12:43:53 -07:00
|
|
|
|
|
|
|
|
|
void minimask_expand(const struct minimask *, struct flow_wildcards *);
|
|
|
|
|
|
2015-01-06 11:10:42 -08:00
|
|
|
|
static inline uint32_t minimask_get_u32(const struct minimask *,
|
|
|
|
|
unsigned int u32_ofs);
|
|
|
|
|
static inline ovs_be32 minimask_get_be32(const struct minimask *,
|
|
|
|
|
unsigned int be32_ofs);
|
2014-04-18 08:26:56 -07:00
|
|
|
|
static inline uint16_t minimask_get_vid_mask(const struct minimask *);
|
2013-09-25 15:07:21 -07:00
|
|
|
|
static inline ovs_be64 minimask_get_metadata_mask(const struct minimask *);
|
2012-09-04 12:43:53 -07:00
|
|
|
|
|
|
|
|
|
bool minimask_equal(const struct minimask *a, const struct minimask *b);
|
|
|
|
|
bool minimask_has_extra(const struct minimask *, const struct minimask *);
|
2014-04-29 15:50:38 -07:00
|
|
|
|
|
2014-04-29 15:50:39 -07:00
|
|
|
|
|
2014-04-29 15:50:38 -07:00
|
|
|
|
/* Returns true if 'mask' matches every packet, false if 'mask' fixes any bits
 * or fields. */
static inline bool
minimask_is_catchall(const struct minimask *mask)
{
    /* For every 1-bit in mask's map, the corresponding value is non-zero,
     * so the only way the mask can not fix any bits or fields is for the
     * map to be zero. */
    const struct flowmap fixed = mask->masks.map;

    return flowmap_is_empty(fixed);
}
/* Returns the uint64_t that would be at byte offset '8 * u64_ofs' if 'flow'
 * were expanded into a "struct flow".  The result is 0 when the map of 'flow'
 * has no bit set for 'u64_ofs'.
 *
 * 'u64_ofs' itself is not range-checked; it must index a 64-bit unit of
 * struct flow. */
static inline uint64_t miniflow_get(const struct miniflow *flow,
                                    unsigned int u64_ofs)
{
    if (!MINIFLOW_IN_MAP(flow, u64_ofs)) {
        return 0;
    }
    return *miniflow_get__(flow, u64_ofs);
}
/* Returns one 32-bit half of the 64-bit unit 'u32_ofs / 2' of 'flow', as read
 * by miniflow_get().  When WORDS_BIGENDIAN is set an even 'u32_ofs' selects
 * the upper 32 bits and an odd one the lower 32 bits; otherwise the selection
 * is reversed. */
static inline uint32_t miniflow_get_u32(const struct miniflow *flow,
                                        unsigned int u32_ofs)
{
    const uint64_t word = miniflow_get(flow, u32_ofs / 2);
    const bool odd = (u32_ofs & 1) != 0;
#if WORDS_BIGENDIAN
    const bool upper_half = !odd;
#else
    const bool upper_half = odd;
#endif

    return upper_half ? (uint32_t) (word >> 32) : (uint32_t) word;
}
/* Same lookup as miniflow_get_u32(), with the result typed as ovs_be32.  Only
 * the type changes; no byte swapping is done here. */
static inline ovs_be32 miniflow_get_be32(const struct miniflow *flow,
                                         unsigned int be32_ofs)
{
    uint32_t raw = miniflow_get_u32(flow, be32_ofs);

    return (OVS_FORCE ovs_be32) raw;
}
/* Extracts the VID from the vlan_tci member of the "struct flow" that 'flow'
 * represents. */
static inline uint16_t
miniflow_get_vid(const struct miniflow *flow)
{
    return vlan_tci_to_vid(MINIFLOW_GET_BE16(flow, vlan_tci));
}
/* Returns the 32-bit value that would sit at byte offset '4 * u32_ofs' if
 * 'mask' were expanded into a "struct flow_wildcards". */
static inline uint32_t
minimask_get_u32(const struct minimask *mask, unsigned int u32_ofs)
{
    const struct miniflow *masks = &mask->masks;

    return miniflow_get_u32(masks, u32_ofs);
}
/* Same lookup as minimask_get_u32(), with the result typed as ovs_be32.  Only
 * the type changes; no byte swapping is done here. */
static inline ovs_be32
minimask_get_be32(const struct minimask *mask, unsigned int be32_ofs)
{
    uint32_t raw = minimask_get_u32(mask, be32_ofs);

    return (OVS_FORCE ovs_be32) raw;
}
/* Extracts the VID mask from the vlan_tci member of the "struct
 * flow_wildcards" that 'mask' represents. */
static inline uint16_t
minimask_get_vid_mask(const struct minimask *mask)
{
    const struct miniflow *masks = &mask->masks;

    return miniflow_get_vid(masks);
}
/* Returns the "tcp_flags" field of 'flow', converted with ntohs(). */
static inline uint16_t
miniflow_get_tcp_flags(const struct miniflow *flow)
{
    ovs_be16 flags = MINIFLOW_GET_BE16(flow, tcp_flags);

    return ntohs(flags);
}
/* Returns the OpenFlow 1.1+ "metadata" field of 'flow' as an ovs_be64. */
static inline ovs_be64
miniflow_get_metadata(const struct miniflow *flow)
{
    ovs_be64 value = MINIFLOW_GET_BE64(flow, metadata);

    return value;
}
/* Returns the mask that 'mask' applies to the OpenFlow 1.1+ "metadata" field.
 *
 * All-1-bits means 'mask' matches on the whole metadata value, all-0-bits
 * means the metadata field is entirely wildcarded, and any other value means
 * the field is partly matched and partly wildcarded. */
static inline ovs_be64
minimask_get_metadata_mask(const struct minimask *mask)
{
    ovs_be64 value = MINIFLOW_GET_BE64(&mask->masks, metadata);

    return value;
}
/* Perform a bitwise OR of miniflow 'src' flow data specified in 'subset' with
 * the equivalent fields in 'dst', storing the result in 'dst'.  'subset' must
 * be a subset of 'src's map.
 *
 * NOTE(review): nothing in this function checks that precondition.  One value
 * is read for every 1-bit in 'subset', sequentially through the pointer
 * returned by miniflow_get_values(src), so the caller's choice of 'subset' is
 * what bounds both the reads from 'src' and the writes into 'dst' -- confirm
 * at the call sites. */
static inline void
flow_union_with_miniflow_subset(struct flow *dst, const struct miniflow *src,
                                struct flowmap subset)
{
    /* 'dst' is accessed as an array of 64-bit units. */
    uint64_t *dst_u64 = (uint64_t *) dst;
    const uint64_t *p = miniflow_get_values(src);
    map_t map;

    FLOWMAP_FOR_EACH_MAP (map, subset) {
        size_t idx;

        MAP_FOR_EACH_INDEX(idx, map) {
            /* OR in the next value from 'src', then advance to the one after
             * it. */
            dst_u64[idx] |= *p++;
        }
        /* Move the base forward by MAP_T_BITS units before the next map. */
        dst_u64 += MAP_T_BITS;
    }
}
/* ORs all of the flow data held in miniflow 'src' into the equivalent fields
 * of 'dst', leaving the result in 'dst'. */
static inline void
flow_union_with_miniflow(struct flow *dst, const struct miniflow *src)
{
    /* Use the whole map of 'src' as the subset. */
    struct flowmap whole = src->map;

    flow_union_with_miniflow_subset(dst, src, whole);
}
static inline void
pkt_metadata_from_flow(struct pkt_metadata *md, const struct flow *flow)
{
md->recirc_id = flow->recirc_id;
md->dp_hash = flow->dp_hash;
flow_tnl_copy__(&md->tunnel, &flow->tunnel);
md->skb_priority = flow->skb_priority;
md->pkt_mark = flow->pkt_mark;
md->in_port = flow->in_port;
Add support for connection tracking.
This patch adds a new action and fields to OVS that allow connection
tracking to be performed. This support works in conjunction with the
Linux kernel support merged into the Linux-4.3 development cycle.
Packets have two possible states with respect to connection tracking:
Untracked packets have not previously passed through the connection
tracker, while tracked packets have previously been through the
connection tracker. For OpenFlow pipeline processing, untracked packets
can become tracked, and they will remain tracked until the end of the
pipeline. Tracked packets cannot become untracked.
Connections can be unknown, uncommitted, or committed. Packets which are
untracked have unknown connection state. To know the connection state,
the packet must become tracked. Uncommitted connections have no
connection state stored about them, so it is only possible for the
connection tracker to identify whether they are a new connection or
whether they are invalid. Committed connections have connection state
stored beyond the lifetime of the packet, which allows later packets in
the same connection to be identified as part of the same established
connection, or related to an existing connection - for instance ICMP
error responses.
The new 'ct' action transitions the packet from "untracked" to
"tracked" by sending this flow through the connection tracker.
The following parameters are supported initially:
- "commit": When commit is executed, the connection moves from
uncommitted state to committed state. This signals that information
about the connection should be stored beyond the lifetime of the
packet within the pipeline. This allows future packets in the same
connection to be recognized as part of the same "established" (est)
connection, as well as identifying packets in the reply (rpl)
direction, or packets related to an existing connection (rel).
- "zone=[u16|NXM]": Perform connection tracking in the zone specified.
Each zone is an independent connection tracking context. When the
"commit" parameter is used, the connection will only be committed in
the specified zone, and not in other zones. This is 0 by default.
- "table=NUMBER": Fork pipeline processing in two. The original instance
of the packet will continue processing the current actions list as an
untracked packet. An additional instance of the packet will be sent to
the connection tracker, which will be re-injected into the OpenFlow
pipeline to resume processing in the specified table, with the
ct_state and other ct match fields set. If the table is not specified,
then the packet is submitted to the connection tracker, but the
pipeline does not fork and the ct match fields are not populated. It
is strongly recommended to specify a table later than the current
table to prevent loops.
When the "table" option is used, the packet that continues processing in
the specified table will have the ct_state populated. The ct_state may
have any of the following flags set:
- Tracked (trk): Connection tracking has occurred.
- Reply (rpl): The flow is in the reply direction.
- Invalid (inv): The connection tracker couldn't identify the connection.
- New (new): This is the beginning of a new connection.
- Established (est): This is part of an already existing connection.
- Related (rel): This connection is related to an existing connection.
For more information, consult the ovs-ofctl(8) man pages.
Below is a simple example flow table to allow outbound TCP traffic from
port 1 and drop traffic from port 2 that was not initiated by port 1:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=9),2
table=0,in_port=2,tcp,ct_state=-trk,action=ct(zone=9,table=1)
table=1,in_port=2,ct_state=+trk+est,tcp,action=1
table=1,in_port=2,ct_state=+trk+new,tcp,action=drop
Based on original design by Justin Pettit, contributions from Thomas
Graf and Daniele Di Proietto.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-08-11 10:56:09 -07:00
md->ct_state = flow->ct_state;
md->ct_zone = flow->ct_zone;
Add connection tracking mark support.
This patch adds a new 32-bit metadata field to the connection tracking
interface. When a mark is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_mark" field in the flow.
For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a mark with those
connections:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
table=1,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-09-18 13:58:00 -07:00
md->ct_mark = flow->ct_mark;
Add connection tracking label support.
This patch adds a new 128-bit metadata field to the connection tracking
interface. When a label is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_label" field in the flow.
For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a label with
those connections:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_label)),2
table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
table=1,in_port=2,ct_state=+trk,ct_label=1,tcp,action=1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-10-13 11:13:10 -07:00
md->ct_label = flow->ct_label;
}
/* Returns the result of dl_type_is_ip_any() for the dl_type of 'flow'.  No
 * other field of 'flow' is examined. */
static inline bool is_ip_any(const struct flow *flow)
{
    const bool ip = dl_type_is_ip_any(flow->dl_type);

    return ip;
}
/* Returns true if 'flow' has dl_type ETH_TYPE_IP and nw_proto IPPROTO_ICMP.
 * Only those two fields are examined. */
static inline bool is_icmpv4(const struct flow *flow)
{
    if (flow->dl_type != htons(ETH_TYPE_IP)) {
        return false;
    }
    return flow->nw_proto == IPPROTO_ICMP;
}
/* Returns true if 'flow' has dl_type ETH_TYPE_IPV6 and nw_proto
 * IPPROTO_ICMPV6.  Only those two fields are examined. */
static inline bool is_icmpv6(const struct flow *flow)
{
    if (flow->dl_type != htons(ETH_TYPE_IPV6)) {
        return false;
    }
    return flow->nw_proto == IPPROTO_ICMPV6;
}
/* Returns true if 'flow' has dl_type ETH_TYPE_IP and nw_proto IPPROTO_IGMP.
 * Only those two fields are examined. */
static inline bool is_igmp(const struct flow *flow)
{
    if (flow->dl_type != htons(ETH_TYPE_IP)) {
        return false;
    }
    return flow->nw_proto == IPPROTO_IGMP;
}
/* Returns true if 'flow' passes is_icmpv6() and its tp_src equals one of
 * MLD_QUERY, MLD_REPORT, MLD_DONE or MLD2_REPORT.
 *
 * NOTE(review): tp_src is compared against MLD_* values here, so it
 * presumably carries the ICMPv6 type for ICMPv6 flows -- confirm against
 * "struct flow". */
static inline bool is_mld(const struct flow *flow)
{
    if (!is_icmpv6(flow)) {
        return false;
    }
    if (flow->tp_src == htons(MLD_QUERY)) {
        return true;
    }
    if (flow->tp_src == htons(MLD_REPORT)) {
        return true;
    }
    if (flow->tp_src == htons(MLD_DONE)) {
        return true;
    }
    return flow->tp_src == htons(MLD2_REPORT);
}
/* Returns true if 'flow' passes is_icmpv6() and its tp_src equals
 * MLD_QUERY. */
static inline bool is_mld_query(const struct flow *flow)
{
    if (!is_icmpv6(flow)) {
        return false;
    }
    return flow->tp_src == htons(MLD_QUERY);
}
/* Returns true if 'flow' passes is_mld() but not is_mld_query(), that is, it
 * is one of the MLD messages accepted by is_mld() other than a query. */
static inline bool is_mld_report(const struct flow *flow)
{
    if (!is_mld(flow)) {
        return false;
    }
    return !is_mld_query(flow);
}
/* Returns true if the dl_dst of 'flow' equals eth_addr_stp and its dl_type is
 * FLOW_DL_TYPE_NONE.  Only those two fields are examined. */
static inline bool is_stp(const struct flow *flow)
{
    if (!eth_addr_equals(flow->dl_dst, eth_addr_stp)) {
        return false;
    }
    return flow->dl_type == htons(FLOW_DL_TYPE_NONE);
}
#endif /* flow.h */