mirror of https://github.com/openvswitch/ovs synced 2025-08-31 06:15:47 +00:00

Add connection tracking mark support.

This patch adds a new 32-bit metadata field to the connection tracking
interface. When a mark is specified as part of the ct action and the
connection is committed, the value is saved with the current connection.
Subsequent ct lookups with the table specified will expose this metadata
as the "ct_mark" field in the flow.

For example, to allow new TCP connections from port 1->2 and only allow
established connections from port 2->1, and to associate a mark with those
connections:

    table=0,priority=1,action=drop
    table=0,arp,action=normal
    table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
    table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
    table=1,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1

Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Joe Stringer
2015-09-18 13:58:00 -07:00
parent 07659514c3
commit 8e53fe8cf7
30 changed files with 550 additions and 43 deletions


@@ -483,6 +483,11 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
miniflow_push_uint16(mf, ct_zone, md->ct_zone);
}
if (md->ct_state) {
miniflow_push_uint32(mf, ct_mark, md->ct_mark);
miniflow_pad_to_64(mf, pad1);
}
/* Initialize packet's layer pointer and offsets. */
l2 = data;
dp_packet_reset_offsets(packet);
@@ -839,6 +844,9 @@ flow_get_metadata(const struct flow *flow, struct match *flow_metadata)
if (flow->ct_zone != 0) {
match_set_ct_zone(flow_metadata, flow->ct_zone);
}
if (flow->ct_mark != 0) {
match_set_ct_mark(flow_metadata, flow->ct_mark);
}
}
const char *ct_state_to_string(uint32_t state)
@@ -1140,6 +1148,9 @@ flow_format(struct ds *ds, const struct flow *flow)
if (!flow->ct_zone) {
WC_UNMASK_FIELD(wc, ct_zone);
}
if (!flow->ct_mark) {
WC_UNMASK_FIELD(wc, ct_mark);
}
for (int i = 0; i < FLOW_N_REGS; i++) {
if (!flow->regs[i]) {
WC_UNMASK_FIELD(wc, regs[i]);
@@ -1216,6 +1227,7 @@ void flow_wildcards_init_for_packet(struct flow_wildcards *wc,
WC_MASK_FIELD(wc, pkt_mark);
WC_MASK_FIELD(wc, ct_state);
WC_MASK_FIELD(wc, ct_zone);
WC_MASK_FIELD(wc, ct_mark);
WC_MASK_FIELD(wc, recirc_id);
WC_MASK_FIELD(wc, dp_hash);
WC_MASK_FIELD(wc, in_port);
@@ -1321,6 +1333,7 @@ flow_wc_map(const struct flow *flow, struct flowmap *map)
FLOWMAP_SET(map, vlan_tci);
FLOWMAP_SET(map, ct_state);
FLOWMAP_SET(map, ct_zone);
FLOWMAP_SET(map, ct_mark);
/* Ethertype-dependent fields. */
if (OVS_LIKELY(flow->dl_type == htons(ETH_TYPE_IP))) {
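Review bot: In the miniflow_extract hunk, `ct_mark` is pushed only inside `if (md->ct_state)`, whereas the flow_get_metadata and flow_format hunks test `flow->ct_mark` on its own, and nothing in the new code says that this gating is intentional. Rules that use the mark for policy, like the `ct_state=+trk,ct_mark=1` rule in the commit message, are easier to audit when the invariant is written down, so I would add a comment above the block such as `/* ct_mark is only meaningful for tracked packets: when ct_state is 0 it is not pushed, so the flow presumably sees it as zero. */`. The `+`/`-` markers are lost on this page, so which lines are new is inferred from the hunk headers. All five functions continue outside their hunks, so a caller that sets `md->ct_mark` without `md->ct_state` cannot be ruled out from here.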