/*
|
2017-05-31 16:06:12 -07:00
|
|
|
|
* Copyright (c) 2008-2017 Nicira, Inc.
|
2009-07-08 13:19:16 -07:00
|
|
|
|
*
|
2009-06-15 15:11:30 -07:00
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at:
|
2009-07-08 13:19:16 -07:00
|
|
|
|
*
|
2009-06-15 15:11:30 -07:00
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
2009-07-08 13:19:16 -07:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#include "learning-switch.h"
|
|
|
|
|
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <inttypes.h>
|
2017-11-06 14:42:32 -08:00
|
|
|
|
#include <sys/types.h>
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <time.h>
|
|
|
|
|
|
2010-10-28 17:13:18 -07:00
|
|
|
|
#include "byte-order.h"
|
2010-11-10 14:51:49 -08:00
|
|
|
|
#include "classifier.h"
|
2015-02-22 03:21:09 -08:00
|
|
|
|
#include "dp-packet.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include "flow.h"
|
2016-07-12 16:37:34 -05:00
|
|
|
|
#include "openvswitch/hmap.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include "mac-learning.h"
|
|
|
|
|
#include "openflow/openflow.h"
|
2016-04-14 15:20:19 -07:00
|
|
|
|
#include "openvswitch/ofp-actions.h"
|
2018-02-09 10:04:26 -08:00
|
|
|
|
#include "openvswitch/ofp-connection.h"
|
2016-04-04 21:32:10 -04:00
|
|
|
|
#include "openvswitch/ofp-errors.h"
|
2018-02-09 10:04:26 -08:00
|
|
|
|
#include "openvswitch/ofp-flow.h"
|
|
|
|
|
#include "openvswitch/ofp-match.h"
|
2016-04-04 21:32:10 -04:00
|
|
|
|
#include "openvswitch/ofp-msgs.h"
|
2016-04-14 15:20:21 -07:00
|
|
|
|
#include "openvswitch/ofp-print.h"
|
2016-04-04 21:32:10 -04:00
|
|
|
|
#include "openvswitch/ofp-util.h"
|
2018-02-09 10:04:26 -08:00
|
|
|
|
#include "openvswitch/ofp-packet.h"
|
|
|
|
|
#include "openvswitch/ofp-port.h"
|
|
|
|
|
#include "openvswitch/ofp-switch.h"
|
2016-04-04 21:32:10 -04:00
|
|
|
|
#include "openvswitch/ofpbuf.h"
|
|
|
|
|
#include "openvswitch/vconn.h"
|
|
|
|
|
#include "openvswitch/vlog.h"
|
2017-11-03 13:53:53 +08:00
|
|
|
|
#include "openvswitch/poll-loop.h"
|
2017-08-17 00:06:24 +08:00
|
|
|
|
#include "openvswitch/rconn.h"
|
2016-07-12 16:37:34 -05:00
|
|
|
|
#include "openvswitch/shash.h"
|
2012-05-22 10:32:02 -07:00
|
|
|
|
#include "simap.h"
|
2009-07-08 13:19:16 -07:00
|
|
|
|
#include "timeval.h"
|
|
|
|
|
|
2010-10-19 14:47:01 -07:00
|
|
|
|
VLOG_DEFINE_THIS_MODULE(learning_switch);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2010-10-01 13:41:40 -07:00
|
|
|
|
/* One configured "port name -> OpenFlow queue" mapping.
 *
 * lswitch_create() allocates one of these per entry in the configuration's
 * port_queues map and files it under its name in lswitch->queue_names.  The
 * port number is not known until the switch's features reply arrives, so
 * 'hmap_node' starts out nullified; process_switch_features() fills in
 * 'port_no' and links the node into lswitch->queue_numbers once it sees a
 * port with a matching name. */
struct lswitch_port {
    struct hmap_node hmap_node; /* Hash node for port number (null until the
                                 * number is learned from the features
                                 * reply). */
    ofp_port_t port_no;         /* OpenFlow port number. */
    uint32_t queue_id;          /* OpenFlow queue number. */
};
|
|
|
|
|
|
2012-08-07 10:38:35 -07:00
|
|
|
|
/* Connection state for one learning switch.
 *
 * lswitch_run() moves S_CONNECTING -> S_FEATURES_REPLY as soon as the rconn
 * reports a negotiated OpenFlow version (and runs the handshake at that
 * point).  lswitch_process_packet() moves S_FEATURES_REPLY -> S_SWITCHING on
 * a valid features reply and disconnects the rconn on an invalid one.  While
 * in S_FEATURES_REPLY, every message other than an echo request or the
 * features reply itself is ignored.  Transitions only ever move forward. */
enum lswitch_state {
    S_CONNECTING,               /* Waiting for connection to complete. */
    S_FEATURES_REPLY,           /* Waiting for features reply. */
    S_SWITCHING,                /* Switching flows. */
};
|
|
|
|
|
|
2009-07-08 13:19:16 -07:00
|
|
|
|
/* A learning-switch controller for a single OpenFlow connection.
 *
 * Created by lswitch_create(), driven from the caller's poll loop through
 * lswitch_run() and lswitch_wait(), and released with lswitch_destroy(),
 * which also destroys 'rconn'. */
struct lswitch {
    struct rconn *rconn;        /* OpenFlow connection to the switch; owned
                                 * and destroyed along with 'sw'. */
    enum lswitch_state state;   /* See enum lswitch_state. */

    /* If nonnegative, the switch sets up flows that expire after the given
     * number of seconds (or never expire, if the value is OFP_FLOW_PERMANENT).
     * Otherwise, the switch processes every packet. */
    int max_idle;

    enum ofputil_protocol protocol; /* Protocol the connection settled on in
                                     * lswitch_handshake(). */
    unsigned long long int datapath_id; /* From the features reply; 0 until
                                         * it has been received. */
    struct mac_learning *ml;    /* NULL to act as hub instead of switch. */
    struct flow_wildcards wc;   /* Wildcards to apply to flows. */
    bool action_normal;         /* Use OFPP_NORMAL? */

    /* Queue distribution. */
    uint32_t default_queue;     /* Default OpenFlow queue, or UINT32_MAX. */
    struct hmap queue_numbers;  /* Map from port number to lswitch_port;
                                 * populated by process_switch_features(). */
    struct shash queue_names;   /* Map from port name to lswitch_port; owns
                                 * every lswitch_port. */

    /* Number of outgoing queued packets on the rconn.  queue_tx() uses this
     * to cap the transmit backlog toward a slow switch. */
    struct rconn_packet_counter *queued;

    /* If true, do not reply to any messages from the switch (for debugging
     * fail-open mode).  lswitch_run() still drains received messages, it just
     * does not process them. */
    bool mute;

    /* Optional "flow mod" requests to send to the switch at connection time,
     * to set up the flow table. */
    const struct ofputil_flow_mod *default_flows;
    size_t n_default_flows;
    enum ofputil_protocol usable_protocols; /* Protocols 'default_flows' can
                                             * be encoded in; see
                                             * lswitch_handshake(). */
};
|
|
|
|
|
|
|
|
|
|
/* Rate limit shared by every VLOG_*_RL() call in this file.  The log messages
 * here could actually be useful in debugging, so keep the rate limit
 * relatively high. */
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(30, 300);
|
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
static void queue_tx(struct lswitch *, struct ofpbuf *);
|
|
|
|
|
static void send_features_request(struct lswitch *);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
static void lswitch_process_packet(struct lswitch *, const struct ofpbuf *);
|
2012-02-15 16:33:04 -08:00
|
|
|
|
static enum ofperr process_switch_features(struct lswitch *,
|
2012-07-19 23:23:17 -07:00
|
|
|
|
struct ofp_header *);
|
2012-07-24 16:15:37 -07:00
|
|
|
|
static void process_packet_in(struct lswitch *, const struct ofp_header *);
|
|
|
|
|
static void process_echo_request(struct lswitch *, const struct ofp_header *);
|
static ofp_port_t get_mac_entry_ofp_port(const struct mac_learning *ml,
|
|
|
|
|
const struct mac_entry *)
|
|
|
|
|
OVS_REQ_RDLOCK(ml->rwlock);
|
|
|
|
|
static void set_mac_entry_ofp_port(struct mac_learning *ml,
|
|
|
|
|
struct mac_entry *, ofp_port_t)
|
|
|
|
|
OVS_REQ_WRLOCK(ml->rwlock);
|
|
|
|
|
|
2010-09-23 14:12:09 -07:00
|
|
|
|
/* Translates the 'wildcards' member of struct lswitch_config into an
 * OpenFlow 1.0 OFPFW10_* bitmask.  0 means "match on every field", UINT32_MAX
 * means "wildcard everything L2 learning can do without", and any other value
 * is used verbatim. */
static uint32_t
lswitch_ofpfw_from_config(uint32_t wildcards)
{
    if (wildcards == 0) {
        return 0;
    } else if (wildcards == UINT32_MAX) {
        /* Try to wildcard as many fields as possible, but we cannot
         * wildcard all fields.  We need in_port to detect moves.  We need
         * Ethernet source and dest and VLAN VID to do L2 learning. */
        return (OFPFW10_DL_TYPE | OFPFW10_DL_VLAN_PCP
                | OFPFW10_NW_SRC_ALL | OFPFW10_NW_DST_ALL
                | OFPFW10_NW_TOS | OFPFW10_NW_PROTO
                | OFPFW10_TP_SRC | OFPFW10_TP_DST);
    } else {
        return wildcards;
    }
}

/* Creates and returns a new learning switch whose configuration is given by
 * 'cfg'.
 *
 * 'rconn' is used to send out an OpenFlow features request.  Ownership of
 * 'rconn' passes to the returned lswitch; lswitch_destroy() destroys it.
 * The returned lswitch starts in S_CONNECTING; nothing is sent until
 * lswitch_run() observes a negotiated OpenFlow version. */
struct lswitch *
lswitch_create(struct rconn *rconn, const struct lswitch_config *cfg)
{
    struct lswitch *lsw = xzalloc(sizeof *lsw);

    /* Connection. */
    lsw->rconn = rconn;
    lsw->state = S_CONNECTING;
    lsw->datapath_id = 0;       /* Learned from the features reply. */
    lsw->queued = rconn_packet_counter_create();

    /* Forwarding behavior.  LSW_LEARN gets a MAC learning table, LSW_NORMAL
     * sets 'action_normal'; any other mode sets neither, and with no MAC
     * table the switch behaves as a hub (see the struct comment). */
    lsw->max_idle = cfg->max_idle;
    lsw->action_normal = (cfg->mode == LSW_NORMAL);
    lsw->ml = NULL;
    if (cfg->mode == LSW_LEARN) {
        lsw->ml = mac_learning_create(MAC_ENTRY_DEFAULT_IDLE_TIME);
    }
    ofputil_wildcard_from_ofpfw10(lswitch_ofpfw_from_config(cfg->wildcards),
                                  &lsw->wc);

    /* Queue distribution.  Port names cannot be resolved to numbers yet, so
     * each mapping is filed by name only and its hmap node left null until
     * process_switch_features() sees the switch's port list. */
    lsw->default_queue = cfg->default_queue;
    hmap_init(&lsw->queue_numbers);
    shash_init(&lsw->queue_names);
    if (cfg->port_queues) {
        struct simap_node *entry;

        SIMAP_FOR_EACH (entry, cfg->port_queues) {
            struct lswitch_port *lp = xmalloc(sizeof *lp);

            hmap_node_nullify(&lp->hmap_node);
            lp->queue_id = entry->data;
            shash_add(&lsw->queue_names, entry->name, lp);
        }
    }

    /* Initial flow table, pushed by lswitch_handshake(). */
    lsw->default_flows = cfg->default_flows;
    lsw->n_default_flows = cfg->n_default_flows;
    lsw->usable_protocols = cfg->usable_protocols;

    return lsw;
}
|
|
|
|
|
|
|
|
|
|
/* Runs the one-shot connection handshake once the rconn has negotiated an
 * OpenFlow version: requests the switch's features (see
 * send_features_request()), installs a table-miss flow on OpenFlow 1.3+ so
 * that misses still reach the controller, and pushes the caller-supplied
 * 'default_flows', first steering the connection to a protocol in
 * 'usable_protocols' if the negotiated one cannot encode them.
 *
 * Send failures are logged at INFO and otherwise ignored: the caller still
 * advances the state to S_FEATURES_REPLY.  Unlike queue_tx(), messages here
 * go out through rconn_send() with a NULL counter, so they are not subject to
 * the queued-packet cap. */
static void
lswitch_handshake(struct lswitch *sw)
{
    enum ofputil_protocol protocol;
    enum ofp_version version;

    send_features_request(sw);

    version = rconn_get_version(sw->rconn);
    protocol = ofputil_protocol_from_ofp_version(version);
    if (version >= OFP13_VERSION) {
        /* OpenFlow 1.3 and later by default drop packets that miss in the flow
         * table.  Set up a flow to send packets to the controller by
         * default. */
        struct ofpact_output output;
        struct ofpbuf *msg;
        int error;

        ofpact_init_OUTPUT(&output);
        output.port = OFPP_CONTROLLER;
        output.max_len = OFP_DEFAULT_MISS_SEND_LEN;

        /* Catch-all match at priority 0 (the lowest) in table 0, so any flow
         * added later, including 'default_flows', takes precedence over it.
         * buffer_id UINT32_MAX means no buffered packet is attached. */
        struct ofputil_flow_mod fm = {
            .match = MATCH_CATCHALL_INITIALIZER,
            .priority = 0,
            .table_id = 0,
            .command = OFPFC_ADD,
            .buffer_id = UINT32_MAX,
            .out_port = OFPP_NONE,
            .out_group = OFPG_ANY,
            .ofpacts = &output.ofpact,
            .ofpacts_len = sizeof output,
        };

        msg = ofputil_encode_flow_mod(&fm, protocol);
        error = rconn_send(sw->rconn, msg, NULL);
        if (error) {
            /* Not fatal: the connection proceeds without the table-miss
             * flow, which on OF1.3+ means misses are dropped silently. */
            VLOG_INFO_RL(&rl, "%s: failed to add default flow (%s)",
                         rconn_get_name(sw->rconn), ovs_strerror(error));
        }
    }
    if (sw->default_flows) {
        struct ofpbuf *msg = NULL;
        int error = 0;
        size_t i;

        /* If the initial protocol isn't good enough for default_flows, then
         * pick one that will work and encode messages to set up that
         * protocol.
         *
         * This could be improved by actually negotiating a mutually acceptable
         * flow format with the switch, but that would require an asynchronous
         * state machine.  This version ought to work fine in practice. */
        if (!(protocol & sw->usable_protocols)) {
            /* Aim for the lowest-numbered usable protocol.  Each call to
             * ofputil_encode_set_protocol() advances 'protocol' one step and
             * yields the message that requests that step; the loop ends when
             * it returns NULL (presumably once 'protocol' reaches 'want' or
             * no further step exists) or a send fails. */
            enum ofputil_protocol want = rightmost_1bit(sw->usable_protocols);
            while (!error) {
                msg = ofputil_encode_set_protocol(protocol, want, &protocol);
                if (!msg) {
                    break;
                }
                error = rconn_send(sw->rconn, msg, NULL);
            }
        }
        if (protocol & sw->usable_protocols) {
            /* Stop at the first send error rather than queueing a partial
             * flow table behind a failed connection. */
            for (i = 0; !error && i < sw->n_default_flows; i++) {
                msg = ofputil_encode_flow_mod(&sw->default_flows[i], protocol);
                error = rconn_send(sw->rconn, msg, NULL);
            }

            if (error) {
                VLOG_INFO_RL(&rl, "%s: failed to queue default flows (%s)",
                             rconn_get_name(sw->rconn), ovs_strerror(error));
            }
        } else {
            /* The switch-over above did not reach a usable protocol, so the
             * default flows are skipped entirely. */
            VLOG_INFO_RL(&rl, "%s: failed to set usable protocol",
                         rconn_get_name(sw->rconn));
        }
    }
    /* Remember whichever protocol the connection ended up in, whether or not
     * it changed above. */
    sw->protocol = protocol;
}
|
|
|
|
|
|
2012-07-24 16:15:37 -07:00
|
|
|
|
/* Returns true as long as the OpenFlow connection behind 'sw' is still
 * alive, false once it has given up.  Callers use this to decide when to
 * destroy 'sw'. */
bool
lswitch_is_alive(const struct lswitch *sw)
{
    const struct rconn *conn = sw->rconn;

    return rconn_is_alive(conn);
}
|
|
|
|
|
|
2009-07-08 13:19:16 -07:00
|
|
|
|
/* Destroys 'sw' and releases everything it owns: the rconn, every configured
 * port-to-queue mapping, the MAC learning table (if any) and the tx packet
 * counter.  A null 'sw' is a no-op.
 *
 * Every lswitch_port is owned by 'queue_names' (lswitch_create() files each
 * configured mapping there); 'queue_numbers' only indexes the subset whose
 * port number was learned from the features reply.  Freeing through the hmap
 * alone leaked the mappings whose names never matched a switch port and left
 * the hmap's bucket storage allocated, so free through the shash instead and
 * destroy the hmap. */
void
lswitch_destroy(struct lswitch *sw)
{
    if (!sw) {
        return;
    }

    /* Tear down the connection before the packet counter, as before:
     * messages still queued on the rconn may reference 'sw->queued'. */
    rconn_destroy(sw->rconn);

    /* The hmap nodes are embedded in lswitch_port structures owned by
     * 'queue_names', so only the hmap's own storage is released here; the
     * ports themselves are freed with the shash. */
    hmap_destroy(&sw->queue_numbers);
    shash_destroy_free_data(&sw->queue_names);

    mac_learning_unref(sw->ml);
    rconn_packet_counter_destroy(sw->queued);
    free(sw);
}
|
|
|
|
|
|
|
|
|
|
/* Upper bound on messages drained per lswitch_run() call.  Presumably this
 * keeps one busy switch from monopolizing a caller that runs several
 * connections from one loop. */
enum { LSWITCH_MAX_MSGS_PER_RUN = 50 };

/* Takes care of necessary 'sw' activity, except for receiving packets (which
 * the caller must do).
 *
 * Ages the MAC table, lets the rconn make progress, runs the handshake once
 * an OpenFlow version has been negotiated, and thereafter drains up to
 * LSWITCH_MAX_MSGS_PER_RUN received messages.  Received messages are freed
 * here whether or not they are processed ('mute' only suppresses the
 * processing).
 *
 * NOTE(review): nothing moves 'state' back to S_CONNECTING after a
 * disconnect, so an rconn that reconnects on its own would not redo the
 * handshake; presumably the caller destroys and recreates the lswitch
 * instead -- confirm against the caller. */
void
lswitch_run(struct lswitch *sw)
{
    if (sw->ml) {
        ovs_rwlock_wrlock(&sw->ml->rwlock);
        mac_learning_run(sw->ml);
        ovs_rwlock_unlock(&sw->ml->rwlock);
    }

    rconn_run(sw->rconn);

    if (sw->state == S_CONNECTING) {
        /* rconn_get_version() stays -1 until the version exchange is done;
         * nothing is received or sent before that. */
        if (rconn_get_version(sw->rconn) != -1) {
            lswitch_handshake(sw);
            sw->state = S_FEATURES_REPLY;
        }
        return;
    }

    int budget = LSWITCH_MAX_MSGS_PER_RUN;
    struct ofpbuf *msg;
    while (budget-- > 0 && (msg = rconn_recv(sw->rconn)) != NULL) {
        if (!sw->mute) {
            lswitch_process_packet(sw, msg);
        }
        ofpbuf_delete(msg);
    }
}
|
|
|
|
|
|
|
|
|
|
/* Registers wakeups with the caller's poll loop for everything that would
 * give lswitch_run() work: MAC table expiration, rconn housekeeping and
 * arrival of a message.  The MAC table is only read here, hence the read
 * lock. */
void
lswitch_wait(struct lswitch *sw)
{
    struct rconn *conn = sw->rconn;

    if (sw->ml) {
        ovs_rwlock_rdlock(&sw->ml->rwlock);
        mac_learning_wait(sw->ml);
        ovs_rwlock_unlock(&sw->ml->rwlock);
    }

    rconn_run_wait(conn);
    rconn_recv_wait(conn);
}
|
|
|
|
|
|
|
|
|
|
/* Processes 'msg', which should be an OpenFlow message received on 'rconn',
 * according to the learning switch state in 'sw'.  The most likely result of
 * processing is that flow-setup and packet-out OpenFlow messages will be sent
 * out on 'rconn'.
 *
 * A message whose header does not parse is dropped silently.  Until the
 * features reply has been processed, only echo requests and the features
 * reply itself are acted on, so no packet-in is handled before the datapath
 * ID and port mapping are known.  An invalid features reply disconnects
 * 'rconn'.  Anything else is ignored, with a rate-limited dump at debug
 * level only. */
static void
lswitch_process_packet(struct lswitch *sw, const struct ofpbuf *msg)
{
    struct ofpbuf hdr = *msg;   /* Copy: ofptype_pull() advances its buffer. */
    enum ofptype type;

    if (ofptype_pull(&type, &hdr)) {
        return;
    }

    bool awaiting_features = sw->state == S_FEATURES_REPLY;
    if (awaiting_features
        && type != OFPTYPE_ECHO_REQUEST
        && type != OFPTYPE_FEATURES_REPLY) {
        return;
    }

    switch (type) {
    case OFPTYPE_ECHO_REQUEST:
        process_echo_request(sw, msg->data);
        break;

    case OFPTYPE_FEATURES_REPLY:
        /* A second features reply once we are switching is ignored. */
        if (awaiting_features) {
            if (process_switch_features(sw, msg->data)) {
                rconn_disconnect(sw->rconn);
            } else {
                sw->state = S_SWITCHING;
            }
        }
        break;

    case OFPTYPE_PACKET_IN:
        process_packet_in(sw, msg->data);
        break;

    case OFPTYPE_FLOW_REMOVED:
        /* Nothing to do. */
        break;

    default:
        if (VLOG_IS_DBG_ENABLED()) {
            char *s = ofp_to_string(msg->data, msg->size, NULL, NULL, 2);
            VLOG_DBG_RL(&rl, "%016llx: OpenFlow packet ignored: %s",
                        sw->datapath_id, s);
            free(s);
        }
        break;
    }
}
|
|
|
|
|
|
|
|
|
|
/* Queues the two messages that open the handshake: an OFPT_FEATURES_REQUEST,
 * whose reply carries the datapath ID and port list, and an OFPT_SET_CONFIG
 * asking the switch to send OFP_DEFAULT_MISS_SEND_LEN bytes of each packet
 * that misses the flow table.  Both go through queue_tx(), so they count
 * against the queued-packet cap. */
static void
send_features_request(struct lswitch *sw)
{
    const int version = rconn_get_version(sw->rconn);
    struct ofputil_switch_config config = {
        .miss_send_len = OFP_DEFAULT_MISS_SEND_LEN
    };

    /* Only valid once the version exchange is complete; -1 here means the
     * caller ran the handshake too early. */
    ovs_assert(version > 0 && version < 0xff);

    queue_tx(sw, ofpraw_alloc(OFPRAW_OFPT_FEATURES_REQUEST, version, 0));
    queue_tx(sw, ofputil_encode_set_config(&config, version));
}
|
|
|
|
|
|
|
|
|
|
/* Hands 'b' to 'sw''s rconn for transmission, counting it against
 * 'sw->queued' with a cap of 10 outstanding messages.  The cap bounds the
 * memory held for a switch that is not draining its connection; hitting it
 * (EAGAIN) is logged at INFO.  ENOTCONN is ignored silently (presumably the
 * connection is simply down at the moment); any other failure is logged at
 * WARN.
 *
 * NOTE(review): presumably rconn_send_with_limit() takes ownership of 'b'
 * on every path, including failure -- confirm in rconn.c. */
static void
queue_tx(struct lswitch *sw, struct ofpbuf *b)
{
    int error = rconn_send_with_limit(sw->rconn, b, sw->queued, 10);

    switch (error) {
    case 0:
    case ENOTCONN:
        break;

    case EAGAIN:
        VLOG_INFO_RL(&rl, "%016llx: %s: tx queue overflow",
                     sw->datapath_id, rconn_get_name(sw->rconn));
        break;

    default:
        VLOG_WARN_RL(&rl, "%016llx: %s: send: %s",
                     sw->datapath_id, rconn_get_name(sw->rconn),
                     ovs_strerror(error));
        break;
    }
}
|
|
|
|
|
|
2012-02-15 16:33:04 -08:00
|
|
|
|
/* Parses the features reply 'oh', records the datapath ID in 'sw', and
 * resolves every configured port-to-queue mapping whose name matches one of
 * the switch's ports, linking it into 'sw->queue_numbers'.
 *
 * Returns 0 on success or the OpenFlow error code if the reply is malformed;
 * the caller disconnects the switch in that case.  A port name that matches
 * a mapping already linked into the hmap is left alone, so a changed port
 * number for an already-resolved name would not be picked up.  The header
 * length is trusted here because lswitch_process_packet() has already run
 * ofptype_pull() on the same message. */
static enum ofperr
process_switch_features(struct lswitch *sw, struct ofp_header *oh)
{
    struct ofpbuf b = ofpbuf_const_initializer(oh, ntohs(oh->length));
    struct ofputil_switch_features features;
    enum ofperr error;

    error = ofputil_pull_switch_features(&b, &features);
    if (error) {
        VLOG_ERR("received invalid switch feature reply (%s)",
                 ofperr_to_string(error));
        return error;
    }
    sw->datapath_id = features.datapath_id;

    /* Walk the port list that follows the fixed part of the reply. */
    for (;;) {
        struct ofputil_phy_port port;
        struct lswitch_port *lp;

        if (ofputil_pull_phy_port(oh->version, &b, &port)) {
            break;
        }

        lp = shash_find_data(&sw->queue_names, port.name);
        if (!lp || !hmap_node_is_null(&lp->hmap_node)) {
            continue;
        }
        lp->port_no = port.port_no;
        hmap_insert(&sw->queue_numbers, &lp->hmap_node,
                    hash_ofp_port(lp->port_no));
    }

    return 0;
}
|
|
|
|
|
|
2013-06-19 16:58:44 -07:00
|
|
|
|
static ofp_port_t
|
2010-09-03 11:30:02 -07:00
|
|
|
|
lswitch_choose_destination(struct lswitch *sw, const struct flow *flow)
|
2009-07-08 13:19:16 -07:00
|
|
|
|
{
|
2013-06-19 16:58:44 -07:00
|
|
|
|
ofp_port_t out_port;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
/* Learn the source MAC. */
|
2013-10-08 23:52:40 +08:00
|
|
|
|
if (sw->ml) {
|
|
|
|
|
ovs_rwlock_wrlock(&sw->ml->rwlock);
|
|
|
|
|
if (mac_learning_may_learn(sw->ml, flow->dl_src, 0)) {
|
|
|
|
|
struct mac_entry *mac = mac_learning_insert(sw->ml, flow->dl_src,
|
|
|
|
|
0);
if (get_mac_entry_ofp_port(sw->ml, mac)
|
|
|
|
|
!= flow->in_port.ofp_port) {
|
2013-10-08 23:52:40 +08:00
|
|
|
|
VLOG_DBG_RL(&rl, "%016llx: learned that "ETH_ADDR_FMT" is on "
|
2017-01-13 17:51:00 -08:00
|
|
|
|
"port %"PRIu32, sw->datapath_id,
|
2013-10-08 23:52:40 +08:00
|
|
|
|
ETH_ADDR_ARGS(flow->dl_src),
|
|
|
|
|
flow->in_port.ofp_port);
set_mac_entry_ofp_port(sw->ml, mac, flow->in_port.ofp_port);
|
2013-10-08 23:52:40 +08:00
|
|
|
|
}
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
2013-10-08 23:52:40 +08:00
|
|
|
|
ovs_rwlock_unlock(&sw->ml->rwlock);
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
2010-07-15 16:02:46 -07:00
|
|
|
|
/* Drop frames for reserved multicast addresses. */
|
2010-07-20 11:10:45 -07:00
|
|
|
|
if (eth_addr_is_reserved(flow->dl_dst)) {
|
|
|
|
|
return OFPP_NONE;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
}
|
|
|
|
|
|
2010-07-20 11:10:45 -07:00
|
|
|
|
out_port = OFPP_FLOOD;
|
2009-07-08 13:19:16 -07:00
|
|
|
|
if (sw->ml) {
|
2011-03-22 09:47:02 -07:00
|
|
|
|
struct mac_entry *mac;
ovs_rwlock_rdlock(&sw->ml->rwlock);
mac = mac_learning_lookup(sw->ml, flow->dl_dst, 0);
if (mac) {
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" who are not
already familiar with eviction groups read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
out_port = get_mac_entry_ofp_port(sw->ml, mac);
if (out_port == flow->in_port.ofp_port) {
/* Don't send a packet back out its input port. */
ovs_rwlock_unlock(&sw->ml->rwlock);
return OFPP_NONE;
}
}
ovs_rwlock_unlock(&sw->ml->rwlock);
}
/* Check if we need to use "NORMAL" action. */
if (sw->action_normal && out_port != OFPP_FLOOD) {
return OFPP_NORMAL;
}
return out_port;
}
/* Returns the queue ID configured for 'in_port' on 'sw', or
 * 'sw->default_queue' when 'sw->queue_numbers' has no entry for that port.
 *
 * 'queue_numbers' is an hmap keyed by hash_ofp_port(); the bucket walk below
 * still compares 'port_no' explicitly because unrelated ports may land in
 * the same hash bucket. */
static uint32_t
get_queue_id(const struct lswitch *sw, ofp_port_t in_port)
{
    const struct lswitch_port *candidate;
    size_t hash = hash_ofp_port(in_port);

    HMAP_FOR_EACH_WITH_HASH (candidate, hmap_node, hash, &sw->queue_numbers) {
        if (candidate->port_no != in_port) {
            continue;
        }
        return candidate->queue_id;
    }

    return sw->default_queue;
}
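/* Handles packet-in message 'oh' from the switch behind 'sw'.
 *
 * Decodes the message, extracts the packet's headers into a flow, asks
 * lswitch_choose_destination() for an output port, and then either installs
 * a flow (when 'sw->max_idle' >= 0 and the destination is known, or when
 * there is no MAC learning and everything floods anyway) or just sends the
 * single packet back out with a packet-out.
 *
 * Only packet-ins with reason OFPR_NO_MATCH are handled; see the comment in
 * the body for why others are ignored.
 *
 * NOTE(review): the flow installed here is built from the headers of a
 * packet that any host on the network can craft, narrowed only by 'sw->wc'.
 * Nothing in this function bounds how many distinct flows a single host can
 * cause to be installed, so flow-table exhaustion has to be handled by the
 * switch's own eviction policy; likewise the MAC table behind 'sw->ml'
 * relies on mac-learning's per-port eviction fairness rather than on
 * anything done here. */
static void
process_packet_in(struct lswitch *sw, const struct ofp_header *oh)
{
    struct ofputil_packet_in pi;
    uint32_t buffer_id;
    uint32_t queue_id;
    ofp_port_t out_port;

    /* 64 bytes is enough for the single OUTPUT or ENQUEUE action built
     * below.  If more actions are ever added, ofpbuf_use_stack() may spill
     * the buffer to the heap, and an ofpbuf_uninit() would then be needed. */
    uint64_t ofpacts_stub[64 / 8];
    struct ofpbuf ofpacts;

    enum ofperr error;

    struct dp_packet pkt;
    struct flow flow;

    error = ofputil_decode_packet_in(oh, true, NULL, NULL, &pi, NULL,
                                     &buffer_id, NULL);
    if (error) {
        VLOG_WARN_RL(&rl, "failed to decode packet-in: %s",
                     ofperr_to_string(error));
        return;
    }

    /* Ignore packets sent via output to OFPP_CONTROLLER.  This library never
     * uses such an action.  You never know what experiments might be going on,
     * though, and it seems best not to interfere with them. */
    if (pi.reason != OFPR_NO_MATCH) {
        return;
    }

    /* Extract flow data from 'pi' into 'flow'.  'pkt' merely borrows the
     * bytes owned by 'pi' (dp_packet_use_const()), so nothing is freed here.
     * The ingress port and tunnel ID are taken from the packet-in's metadata
     * because they are not present in the packet bytes themselves. */
    dp_packet_use_const(&pkt, pi.packet, pi.packet_len);
    flow_extract(&pkt, &flow);
    flow.in_port.ofp_port = pi.flow_metadata.flow.in_port.ofp_port;
    flow.tunnel.tun_id = pi.flow_metadata.flow.tunnel.tun_id;

    /* Choose output port. */
    out_port = lswitch_choose_destination(sw, &flow);

    /* Make actions.  OFPP_NONE means drop, i.e. an empty action list.  A
     * reserved port (>= OFPP_MAX) or a port without a configured queue gets a
     * plain OUTPUT; anything else is ENQUEUEd to its configured queue. */
    queue_id = get_queue_id(sw, pi.flow_metadata.flow.in_port.ofp_port);
    ofpbuf_use_stack(&ofpacts, ofpacts_stub, sizeof ofpacts_stub);
    if (out_port == OFPP_NONE) {
        /* No actions. */
    } else if (queue_id == UINT32_MAX
               || ofp_to_u16(out_port) >= ofp_to_u16(OFPP_MAX)) {
        ofpact_put_OUTPUT(&ofpacts)->port = out_port;
    } else {
        struct ofpact_enqueue *enqueue = ofpact_put_ENQUEUE(&ofpacts);
        enqueue->port = out_port;
        enqueue->queue = queue_id;
    }

    /* Prepare packet_out in case we need one.
     *
     * The designated initializer zeroes every member not named here.  That
     * matters for 'flow_metadata': match_set_in_port() only fills in the
     * in_port field and its mask, so starting from an all-zero (catch-all)
     * match guarantees the encoder never reads indeterminate wildcard bits.
     * It also leaves 'packet' NULL and 'packet_len' 0 when the switch
     * buffered the packet, so the packet-out refers to the buffer instead. */
    struct ofputil_packet_out po = {
        .buffer_id = buffer_id,
        .ofpacts = ofpacts.data,
        .ofpacts_len = ofpacts.size,
    };
    if (buffer_id == UINT32_MAX) {
        po.packet = dp_packet_data(&pkt);
        po.packet_len = dp_packet_size(&pkt);
    }
    match_set_in_port(&po.flow_metadata,
                      pi.flow_metadata.flow.in_port.ofp_port);

    /* Send the packet, and possibly the whole flow, to the output port. */
    if (sw->max_idle >= 0 && (!sw->ml || out_port != OFPP_FLOOD)) {
        /* The output port is known, or we always flood everything, so add a
         * new flow. */
        struct ofputil_flow_mod fm = {
            .priority = 1, /* Must be > 0 because of table-miss flow entry. */
            .table_id = 0xff,
            .command = OFPFC_ADD,
            .idle_timeout = sw->max_idle,
            .buffer_id = buffer_id,
            .out_port = OFPP_NONE,
            .ofpacts = ofpacts.data,
            .ofpacts_len = ofpacts.size,
        };
        match_init(&fm.match, &flow, &sw->wc);
        ofputil_normalize_match_quiet(&fm.match);

        struct ofpbuf *buffer = ofputil_encode_flow_mod(&fm, sw->protocol);
        queue_tx(sw, buffer);

        /* If the switch didn't buffer the packet, we need to send a copy.
         * (When it did, the flow_mod above carries 'buffer_id', which per
         * OpenFlow lets the switch apply the new flow to the buffered packet
         * itself.) */
        if (buffer_id == UINT32_MAX && out_port != OFPP_NONE) {
            queue_tx(sw, ofputil_encode_packet_out(&po, sw->protocol));
        }
    } else {
        /* We don't know that MAC, or we don't set up flows.  Send along the
         * packet without setting up a flow.  A buffered packet is sent even
         * when out_port is OFPP_NONE -- the empty action list drops it --
         * presumably so the switch can release the buffer. */
        if (buffer_id != UINT32_MAX || out_port != OFPP_NONE) {
            queue_tx(sw, ofputil_encode_packet_out(&po, sw->protocol));
        }
    }
}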
/* Replies to OpenFlow echo request 'rq' on the connection owned by 'sw'.
 *
 * The reply is derived from the request by make_echo_reply() and handed to
 * queue_tx(), which takes ownership of the buffer like it does for every
 * other outgoing message. */
static void
process_echo_request(struct lswitch *sw, const struct ofp_header *rq)
{
    struct ofpbuf *reply = make_echo_reply(rq);
    queue_tx(sw, reply);
}
mac-learning: Implement per-port MAC learning fairness.
In "MAC flooding", an attacker transmits an overwhelming number of frames
with unique Ethernet source address on a switch port. The goal is to
force the switch to evict all useful MAC learning table entries, so that
its behavior degenerates to that of a hub, flooding all traffic. In turn,
that allows an attacker to eavesdrop on the traffic of other hosts attached
to the switch, with all the risks that that entails.
Before this commit, the Open vSwitch "normal" action that implements its
standalone switch behavior (and that can be used by OpenFlow controllers
as well) was vulnerable to MAC flooding attacks. This commit fixes the
problem by implementing per-port fairness for MAC table entries: when
the MAC table is at its maximum size, MAC table eviction always deletes an
entry from the port with the most entries. Thus, MAC entries will never
be evicted from ports with only a few entries if a port with a huge number
of entries exists.
Controllers could introduce their own MAC flooding vulnerabilities into
OVS. For a controller that adds destination MAC based flows to an OpenFlow
flow table as a reaction to "packet-in" events, such a bug, if it exists,
would be in the controller code itself and would need to be fixed in the
controller. For a controller that relies on the Open vSwitch "learn"
action to add destination MAC based flows, Open vSwitch has existing
support for eviction policy similar to that implemented in this commit
through the "groups" column in the Flow_Table table documented in
ovs-vswitchd.conf.db(5); we recommend that users of "learn" who are not
already familiar with eviction groups read that documentation.
In addition to implementation of per-port MAC learning fairness,
this commit includes some closely related changes:
- Access to client-provided "port" data in struct mac_entry
is now abstracted through helper functions, which makes it
easier to ensure that the per-port data structures are maintained
consistently.
- The mac_learning_changed() function, which had become trivial,
vestigial, and confusing, was removed. Its functionality was folded
into the new function mac_entry_set_port().
- Many comments were added and improved; there had been a lot of
comment rot in previous versions.
CERT: VU#784996
Reported-by: "Ronny L. Bull - bullrl" <bullrl@clarkson.edu>
Reported-at: http://www.irongeek.com/i.php?page=videos/derbycon4/t314-exploring-layer-2-network-security-in-virtualized-environments-ronny-l-bull-dr-jeanna-n-matthews
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
/* Returns the OpenFlow port number recorded in MAC table entry 'e' of 'ml'.
 *
 * struct mac_entry carries an opaque client pointer.  This controller never
 * points it at real memory; it stores the ofp_port_t value itself in the
 * pointer bits (see set_mac_entry_ofp_port()), so recovering the port is a
 * pure integer round-trip through uintptr_t and nothing is dereferenced.
 * OVS_FORCE marks the conversion into the bitwise ofp_port_t type as
 * deliberate.  Caller must hold 'ml->rwlock' at least for reading. */
static ofp_port_t
get_mac_entry_ofp_port(const struct mac_learning *ml,
                       const struct mac_entry *e)
    OVS_REQ_RDLOCK(ml->rwlock)
{
    uintptr_t bits = (uintptr_t) mac_entry_get_port(ml, e);
    return (OVS_FORCE ofp_port_t) bits;
}
/* Records 'ofp_port' as the port for MAC table entry 'e' in 'ml'.
 *
 * The port number is stored in struct mac_entry's opaque client pointer as
 * an integer rather than an address; get_mac_entry_ofp_port() reverses the
 * conversion.  Going through uintptr_t keeps the integer-to-pointer cast
 * well defined, and OVS_FORCE marks the exit from the bitwise ofp_port_t
 * type as deliberate.  The write lock is required because, per the
 * mac-learning fairness change, mac_entry_set_port() also keeps the
 * per-port bookkeeping in 'ml' consistent. */
static void
set_mac_entry_ofp_port(struct mac_learning *ml,
                       struct mac_entry *e, ofp_port_t ofp_port)
    OVS_REQ_WRLOCK(ml->rwlock)
{
    uintptr_t bits = (OVS_FORCE uintptr_t) ofp_port;
    mac_entry_set_port(ml, e, (void *) bits);
}