mirror of https://github.com/openvswitch/ovs synced 2025-08-29 13:27:59 +00:00

47 Commits

Author SHA1 Message Date
Justin Pettit
530180fd5a Support matching and modifying IP ECN bits.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2011-11-09 10:47:59 -08:00
Justin Pettit
9e44d71563 Don't overload IP TOS with the frag matching bits.
This will be useful later when we add support for matching the ECN bits
within the TOS field.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2011-11-09 10:37:57 -08:00
Justin Pettit
fa8223b7fd Support matching IPv6 flow label.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2011-11-09 10:37:55 -08:00
Ben Pfaff
7257b535ab Implement new fragment handling policy.
Until now, OVS has handled IP fragments more awkwardly than necessary.  It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present.  This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.

This commit improves the situation significantly.  It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset.  This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers.  In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.

This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG.  Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments".  It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
2011-10-21 15:07:36 -07:00
Ben Pfaff
15c819b439 nx-match: Improve log message for errors parsing NX flow matches. 2011-10-18 13:43:39 -07:00
Justin Pettit
dc56021df4 nicira-ext: Fix build problems on 64-bit systems.
Commit d2c0fe (nicira-ext: Bump number of registers to five from four.)
broke the build on 64-bit systems.  This commit fixes the problems it
introduced.
2011-10-04 11:50:51 -07:00
Justin Pettit
d2c0fed978 nicira-ext: Bump number of registers to five from four.
Feature #7527
2011-10-04 09:44:20 -07:00
Ben Pfaff
6a885fd058 meta-flow: New library for working with fields by id.
OVS already has a fairly good set of functions for working with fields that
are known at compile time, but support for working with fields that are
known only at runtime is fairly limited (and fairly unneeded).  However,
with NXM identifiers becoming more and more widely used throughout Nicira
extensions, it's becoming correspondingly more and more common to need to
refer to fields at runtime.  This new library represents a first attempt
at a systematic approach for doing so.
2011-09-13 11:46:09 -07:00
Ben Pfaff
93996add1c ofp-util: Add type-safe functions for serializing actions. 2011-09-13 11:46:08 -07:00
Ethan Jackson
e7ba48c87d nx-match: New function nxm_read_field_bits().
nxm_read_field_bits() simplifies reading of NXM fields with an
ofs_nbits parameter.  This patch updates nxm_execute_reg_move() to
use the new function.  A user outside of the nx-match module will
be added in future patches.
2011-08-12 15:06:53 -07:00
Ethan Jackson
ce523f65fc nx-match: Update register check functions.
This patch simplifies the API of nxm_dst_check() and adds a new
function nxm_src_check() for checking source fields.
2011-08-12 15:06:53 -07:00
Ethan Jackson
01ba0d769d nx-match: Fix bug in "move" action.
This patch fixes a bug introduced in Commit 43edca57 "nx-match: New
helpers.", which caused the "move" action to improperly handle bit
ranges.
2011-08-12 15:05:41 -07:00
Ethan Jackson
a877206f2f flow: New FLOW_WC_SEQ build assertion.
Changing "struct flow" or its wildcards requires minor adjustments
in many places in the code.  This patch adds a new FLOW_WC_SEQ
sequence number which when incremented will cause build assertion
failures aiding the developer in finding code which needs to
change.
2011-08-12 15:05:41 -07:00
Ben Pfaff
54d5472699 nx-match: Make more fields writable with NXAST_REG_MOVE and other actions.
Until now, fields writable by actions defined in terms of NXM field
numbers were special cases, but commit b3e9b2eda9a "ofproto: Optimize
datapath actions" had the side effect of making it easy to modify
additional fields.  This commit takes advantage of that to make
modifiable all the fields that the kernel datapath supports modifying.
We could make other fields modifiable by adding more support to the kernel
datapath.
2011-07-26 10:44:48 -07:00
Ethan Jackson
43edca5717 nx-match: New helpers.
This patch creates two new helper functions, nxm_reg_load() and
nxm_dst_check().  The new nxm_dst_check() function may be used to
check the validity of destination fields used by actions.  The new
nxm_reg_load() function may be used by actions which need to write
to NXM fields.

This patch also allows multipath and autopath to write their result
to non-register NXM fields.
2011-07-22 17:46:48 -07:00
Ethan Jackson
273971cf1e nx-match: Whitespace cleanup. 2011-07-22 17:46:48 -07:00
Ben Pfaff
db7f828182 Better abstract wildcards for Ethernet destination field.
I think that this makes nx-match.c a little easier to read.  The new
functions added here will have more users in an upcoming patch.
2011-06-07 16:47:42 -07:00
Ben Pfaff
f740239011 nx-match: Check prerequisites for ICMPv6 before outputting subfields.
nicira-ext.h documents that NXM_NX_ND_TARGET requires ND_NEIGHBOR_SOLICIT
or ND_NEIGHBOR_ADVERT, that NXM_NX_ND_SLL requires ND_NEIGHBOR_SOLICIT,
and that NXM_NX_ND_TLL requires ND_NEIGHBOR_ADVERT, but nx_put_match()
would add them to the match regardless of whether these prerequisites were
satisfied.  On the other side, nx_pull_match() did check the prerequisites,
so this was a case where OVS could output flows that it would refuse to
parse.  This fixes the problem.

Found by inspection.
2011-05-27 15:42:19 -07:00
Ben Pfaff
b2fda3effc Merge 'next' into 'master'.
I know already that this breaks the stats fixes that were implemented by the
following commits:

827ab71c97f "ofproto: Datapath statistics accounted twice."
6f1435fc8f7 "ofproto: Resubmit statistics improperly account during..."

These were already broken in a previous merge.  I will work on a fix.
2011-05-18 14:01:13 -07:00
Ben Pfaff
eeba8e4fd3 Fix up usage of flow_wildcards_t.
The flow_wildcards_t type is defined as a distinct type from sparse's
perspective (with __attribute__((bitwise))) so that we don't accidentally
mix it with only-partially-compatible OFPFW_* flags.  But we weren't
using it quite right in a few places.  This fixes it up.
2011-05-16 13:40:48 -07:00
Ben Pfaff
abe529af47 ofproto: Break apart into generic and hardware-specific parts.
In addition to the changes to ofproto, this commit changes all of the
instances of "struct flow" in the tree so that the "in_port" member is an
OpenFlow port number.  Previously, this member was an OpenFlow port number
in some cases and an ODP port number in other cases.
2011-05-11 12:35:09 -07:00
Justin Pettit
811da49f92 nx-match: Don't fall through case when handling dest mcast mac addresses.
When an NXM wildcard entry that includes a multicast address is parsed,
it would fall through to the next case statement, which would also set
an inappropriate source mac address match.

Coverity #10717
2011-02-23 11:08:20 -08:00
Justin Pettit
685a51a5b8 nicira-ext: Support matching IPv6 Neighbor Discovery messages.
IPv6 uses Neighbor Discovery messages in a similar manner to how IPv4
uses ARP.  This commit adds support for matching deeper into the
payloads of Neighbor Solicitation (NS) and Neighbor Advertisement (NA)
messages.  Currently, the matching fields include:

    - NS and NA Target (nd_target)
    - NS Source Link Layer Address (nd_sll)
    - NA Target Link Layer Address (nd_tll)

When defining IPv6 Neighbor Discovery rules, the Nicira Extensible Match
(NXM) extension to OVS must be used.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2011-02-02 13:22:34 -08:00
Justin Pettit
d31f1109f1 nicira-ext: Support matching IPv6 traffic.
Provides ability to match over IPv6 traffic in the same manner as IPv4.
Currently, the matching fields include:

    - IPv6 source and destination addresses (ipv6_src and ipv6_dst)
    - Traffic Class (nw_tos)
    - Next Header (nw_proto)
    - ICMPv6 Type and Code (icmp_type and icmp_code)
    - TCP and UDP Ports over IPv6 (tp_src and tp_dst)

When defining IPv6 rules, the Nicira Extensible Match (NXM) extension to
OVS must be used.

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2011-02-02 12:53:26 -08:00
Justin Pettit
bad68a9965 nicira-ext: Support matching ARP source and target hardware addresses.
OpenFlow 1.0 doesn't allow matching on the ARP source and target
hardware address.  This has caused us to introduce hacks such as the
Drop Spoofed ARP action.  Now that we have extensible match, we can
match on more fields within ARP:

    - Source Hardware Address (arp_sha)
    - Target Hardware Address (arp_tha)

Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2011-02-02 12:42:40 -08:00
Justin Pettit
6767a2cce9 lib: Replace IP_TYPE_ references with IPPROTO_.
A few common IP protocol types were defined in "lib/packets.h".  However,
we already assume the existence of <netinet/in.h> which contains a more
exhaustive list and should be available on POSIX systems.
2011-02-02 11:50:17 -08:00
Ben Pfaff
36956a7d33 datapath: Convert odp_flow_key to use Netlink attributes instead.
One of the goals for Open vSwitch is to decouple kernel and userspace
software, so that either one can be upgraded or rolled back independent of
the other.  To do this in full generality, it must be possible to change
the kernel's idea of the flow key separately from the userspace version.
In turn, that means that flow keys must become variable-length.  This
commit makes that change using Netlink attribute sequences.

This commit does not actually make userspace flexible enough to handle
changes in the kernel flow key structure, because userspace doesn't yet
have enough information to do that intelligently.  Upcoming commits will
fix that.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
2011-01-27 21:08:35 -08:00
Ben Pfaff
8368c090ca Implement arbitrary bitwise masks for tun_id field.
This was documented to work, but not implemented.

Requested-by: Pankaj Thakkar <thakkar@nicira.com>
2011-01-20 15:29:00 -08:00
Ben Pfaff
7b064a79a8 nx-match: Allow NXM_NX_TUN_ID and NXM_OF_VLAN_TCI on NXAST_REG_LOAD.
NXM_NX_TUN_ID and NXM_OF_VLAN_TCI were already allowed on NXAST_REG_MOVE,
but not on NXAST_REG_LOAD.  This makes them valid on both.

Requested-by: Pankaj Thakkar <thakkar@nicira.com>
2011-01-19 14:53:35 -08:00
Ben Pfaff
d90611f14d nx-match: Print register values in hex in "load" action also.
cls_rule_format() prints register values in hex, but the "load"
action was printing them in decimal.  This makes it consistent.

Requested-by: Paul Ingram <paul@nicira.com>
Bug #4249.
2011-01-12 13:59:49 -08:00
Ben Pfaff
36b4c892f6 nx-match: Rename and export functions for parsing and formatting subfields.
These will be used from other source files in upcoming commits.
2010-12-17 14:31:40 -08:00
Ben Pfaff
21dd5f55a4 nx-match: Use [] in format_nxm_field_bits where possible.
This just makes formatting a bit more readable.
2010-12-17 14:31:40 -08:00
Ben Pfaff
4291acd23d nx-match: Make nxm_field_bytes(), nxm_field_bits() public. 2010-12-17 14:31:40 -08:00
Ben Pfaff
c979df0569 nx-match: New helper functions for working with ofs_nbits in NXM actions. 2010-12-17 14:31:40 -08:00
Ben Pfaff
4d0ed51998 ofproto: Fix write-after-free error in compose_nx_flow_removed(). 2010-12-15 09:48:16 -08:00
Jesse Gross
e5fccb40da nx-match: Use correct printf format specifiers.
A few of the printf format specifiers didn't match the type that
they were printing.  On 32-bit platforms there is some overlap
but on 64-bit they cause a mismatch.
2010-12-13 11:07:15 -08:00
Ben Pfaff
b9298d3f82 Expand tunnel IDs from 32 to 64 bits.
We have a need to identify tunnels with keys longer than 32 bits.  This
commit adds basic datapath and OpenFlow support for such keys.  It doesn't
actually add any tunnel protocols that support 64-bit keys, so this is not
very useful yet.

The 'arg' member of struct odp_msg had to be expanded to 64-bits also,
because it sometimes contains a tunnel ID.  This member also contains the
argument passed to ODPAT_CONTROLLER, so I expanded that action's argument
to 64 bits also so that it can use the full width of the expanded 'arg'.
Userspace doesn't take advantage of the new space though (it was only
using 16 bits anyhow).

This commit has been tested only to the extent that it doesn't disrupt
basic Open vSwitch operation.  I have not tested it with tunnel traffic.

Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Feature #3976.
2010-12-10 11:14:13 -08:00
Ben Pfaff
78090f6300 ofpbuf: New function ofpbuf_put_hex().
This commit converts nx_match_from_string() to use this new function.  The
new function will also have another user in an upcoming commit.
2010-12-09 14:51:31 -08:00
Ben Pfaff
f393f81e42 ofp-print, ofp-parse: Add support for NXAST_REG_MOVE and NXAST_REG_LOAD. 2010-12-09 11:03:35 -08:00
Ben Pfaff
558d80cbfa nx-match: Add tests for error return values for unknown NXM fields. 2010-12-07 11:04:15 -08:00
Ben Pfaff
9ea5d2d58b unaligned: Add unaligned accessors for ovs_be<N> data.
These accessors are semantically identical to the ones for uint<N>_t data,
but the names are more informative to readers, and the types provide
annotations for sparse.
2010-11-29 16:29:11 -08:00
Ben Pfaff
66642cb40b nx-match: Implement support for arbitrary VLAN TCI masks.
Since the Nicira Extended Match was specified, nicira-ext.h has claimed that
arbitrary masks are allowed, but in fact only certain masks were actually
implemented.  This commit implements general masking for the 802.1Q VLAN
TCI field.
2010-11-23 10:06:28 -08:00
Ben Pfaff
d8ae4d6726 flow: Fully separate flow_wildcards from OpenFlow wildcard bits.
Originally, wildcards were just the OpenFlow OFPFW_* bits.  Then, when
OpenFlow added CIDR masks for IP addresses, struct flow_wildcards was born
with additional members for those masks, derived from the wildcard bits.
Then, when OVS added support for tunnels, we added another bit
NXFW_TUN_ID that coexisted with the OFPFW_*.  Later we added even more bits
that do not appear in the OpenFlow 1.0 match structure at all.  This had
become really confusing, and the difficulties were especially visible in
the long list of invariants in comments on struct flow_wildcards.

This commit cleanly separates the OpenFlow 1.0 wildcard bits from the
bits used inside Open vSwitch, by defining a new set of bits that are
used only internally to Open vSwitch and converting to and from those
wildcard bits at the point where data comes off or goes onto the wire.
It also moves those functions into ofp-util.[ch] since they are only for
dealing with OpenFlow wire protocol now.
2010-11-22 10:11:40 -08:00
Ben Pfaff
bf9712678f util: Add function hexits_value() for parsing multiple hex digits.
Suggested-by: Justin Pettit <jpettit@nicira.com>
2010-11-15 10:18:10 -08:00
Ben Pfaff
1e37a2d751 Add support for matching Ethernet multicast frames. 2010-11-11 10:46:23 -08:00
Ben Pfaff
b6c9e612fa ofproto: Implement support for registers in extended flow match. 2010-11-11 10:41:33 -08:00
Ben Pfaff
09246b99d1 ofproto: Implement Nicira Extended Match flexible flow match (NXM). 2010-11-09 17:08:09 -08:00