The exit action causes the switch to immediately halt processing of
further actions. It's intended to be used in conjunction with
multi table support. It allows a table to force tables which call
it to discontinue processing a flow.
There are a few loose ends here. First, learning actions cause too much
flow revalidation. Upcoming commits will fix that problem. The following
additional issues have not yet been addressed:
* Resource limits: nothing yet limits the maximum number of flows that
can be learned. It is possible to exhaust all system memory.
* Age reporting: there is no way to find out how soon a learned table
entry is due to be evicted.
To try this action out, here's a recipe for a very simple-minded MAC
learning switch. It uses a 10-second MAC expiration time to make it easier
to see what's going on:
ovs-vsctl del-controller br0
ovs-ofctl del-flows br0
ovs-ofctl add-flow br0 "table=0 actions=learn(table=1, hard_timeout=10, \
NXM_OF_VLAN_TCI[0..11], NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[], \
output:NXM_OF_IN_PORT[]), resubmit(,1)"
ovs-ofctl add-flow br0 "table=1 priority=0 actions=flood"
You can then dump the MAC learning table with:
ovs-ofctl dump-flows br0 table=1
OVS already has a fairly good set of functions for working with fields that
are known at compile time, but support for working with fields that are
known only at runtime is fairly limited (and fairly unneeded). However,
with NXM identifiers becoming more and more widely used throughout Nicira
extensions, it's becoming corresponding more and more common to need to
refer to fields at runtime. This new library represents a first attempt
at a systematic approach for doing so.
When a new action is added, compiler warnings show most of the places that
need new code to handle that action. The action parsing code in
ofp-parse.c was the one remaining missing case. This commit fixes that.
The other cls_rule_*() functions that take IPv6 addresses take a pointer
to an in6_addr, so cls_rule_set_nd_target() should as well for consistency.
Possibly this is more efficient also, although I guess it doesn't really
make much of a difference either way.
Changing "struct flow" or its wildcards requires minor adjustments
in many places in the code. This patch adds a new FLOW_WC_SEQ
sequence number which when incremented will cause build assertion
failures aiding the developer in finding code which needs to
change.
This patch creates a new action called "bundle". Bundles are a way
to implement a simple form of multipath in OpenFlow by grouping
several ports in a single output-like action.
OpenFlow commands have several idiosyncratic fields that are used in some
cases and ignored in others. Until now, ovs-ofctl has been lax about
allowing some of them in places where they are ignored. This commit
tightens the checks to exactly what is allowed.
Bug #5979.
Reported-by: Reid Price <reid@nicira.com>
When an error is encountered while parsing flows from a file, ovs-ofctl doesn't
print the erroneous flow, so it's not always obvious which flow is causing
the error. Print the flow before the error message to make it clear.
It's reasonable to want to dump a flow table with "dump-flows" and then
later use that output as input to other commands that read flows, but until
now that hasn't been directly possible because "dump-flows" adds extra
fields that other commands reject on input. This changes the flow parser
to just ignore those extra fields.
The NXAST_DROP_SPOOFED_ARP action has been deprecated in favor of
defining flows using the NXM_NX_ARP_SHA flow match for a while. This
commit removes it.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
This makes it possible to add flows that match on the Ethernet multicast
bit with ovs-ofctl.
CC: Paul Ingram <paul@nicira.com>
CC: Amar Padmanabhan <amar@nicira.com>
Commit 0b3f27253 (ovs-ofctl: Warn about flows not in normal form) made
ovs-ofctl warn about non-normalized flows, that is, flows some of whose
specified fields will be ignored by the switch. This was convenient for
users, who are understandably confused by flow normalization. However,
later commit 8050b31d6 (ofp-parse: Refactor flow parsing) accidentally
deleted the warning. This commit restores it and adds a test to ensure
that it doesn't get deleted again later.
Reported-by: Reid Price <reid@nicira.com>
Bug #5029.
This implements basic multiple table support in ofproto and supporting
libraries and utilities. The design is the same as the one that has been
on the Open vSwitch "wdp" branch for a long time. There is no support for
multiple tables in the software switch implementation (ofproto-dpif), only
a set of hooks for other switch implementations to use.
To allow controllers to add flows in a particular table, Open vSwitch adds
an OpenFlow 1.0 extension called NXT_FLOW_MOD_TABLE_ID.
In addition to the changes to ofproto, this commit changes all of the
instances of "struct flow" in the tree so that the "in_port" member is an
OpenFlow port number. Previously, this member was an OpenFlow port number
in some cases and an ODP port number in other cases.
The "tun_id_from_cookie" OpenFlow extension predated NXM and supports only
a fraction of its features. Nothing (at Nicira, anyway) uses it any
longer. Support for it had been broken since January and it took until a
few days ago for anyone to complain, so it cannot be too important. This
commit removes it.
The ctype functions often need casts to be fully C standards compliant.
Here's the full explanation that I used to post to comp.lang.c from time
to time when the issue came up:
With the to*() and is*() functions, you should be careful to cast
`char' arguments to `unsigned char' before calling them. Type `char'
may be signed or unsigned, depending on your compiler or its
configuration. If `char' is signed, then some characters have
negative values; however, the arguments to is*() and to*() functions
must be nonnegative (or EOF). Casting to `unsigned char' fixes this
problem by forcing the character to the corresponding positive value.
This fixes the following warnings from some version of GCC:
lib/ofp-parse.c:828: warning: array subscript has type 'char'
lib/ofp-print.c:617: warning: array subscript has type 'char'
Reported-by: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Some actions checked that 'arg' was nonnull before attempting to parse it
but a lot of them didn't. This commit avoids the segfault by substituting
an empty string when no argument is given. It also updates a few of the
action implementations to correspond.
Reported-by: Reid Price <reid@nicira.com>
Bug #4462.
Coverity #10712.
IPv6 uses Neighbor Discovery messages in a similar manner to how IPv4
uses ARP. This commit adds support for matching deeper into the
payloads of Neighbor Solicitation (NS) and Neighbor Advertisement (NA)
messages. Currently, the matching fields include:
- NS and NA Target (nd_target)
- NS Source Link Layer Address (nd_sll)
- NA Target Link Layer Address (nd_tll)
When defining IPv6 Neighbor Discovery rules, the Nicira Extensible Match
(NXM) extension to OVS must be used.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Provides ability to match over IPv6 traffic in the same manner as IPv4.
Currently, the matching fields include:
- IPv6 source and destination addresses (ipv6_src and ipv6_dst)
- Traffic Class (nw_tos)
- Next Header (nw_proto)
- ICMPv6 Type and Code (icmp_type and icmp_code)
- TCP and UDP Ports over IPv6 (tp_src and tp_dst)
When defining IPv6 rules, the Nicira Extensible Match (NXM) extension to
OVS must be used.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
OpenFlow 1.0 doesn't allow matching on the ARP source and target
hardware address. This has caused us to introduce hacks such as the
Drop Spoofed ARP action. Now that we have extensible match, we can
match on more fields within ARP:
- Source Hardware Address (arp_sha)
- Target Hardware Address (arp_tha)
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
A few common IP protocol types were defined in "lib/packets.h". However,
we already assume the existence of <netinet/in.h> which contains a more
exhaustive list and should be available on POSIX systems.
The str_to_action function of ofp-parse was not properly
incrementing it's actions counter. Thus it did not enforce the
requirement that DROP actions not be preceded by other actions.
We have a need to identify tunnels with keys longer than 32 bits. This
commit adds basic datapath and OpenFlow support for such keys. It doesn't
actually add any tunnel protocols that support 64-bit keys, so this is not
very useful yet.
The 'arg' member of struct odp_msg had to be expanded to 64-bits also,
because it sometimes contains a tunnel ID. This member also contains the
argument passed to ODPAT_CONTROLLER, so I expanded that action's argument
to 64 bits also so that it can use the full width of the expanded 'arg'.
Userspace doesn't take advantage of the new space though (it was only
using 16 bits anyhow).
This commit has been tested only to the extent that it doesn't disrupt
basic Open vSwitch operation. I have not tested it with tunnel traffic.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Feature #3976.
"ovs-ofctl del-flows br0" segfaulted because do_flow_mod__() assumed that
it always had a "flow" argument, which is not true for the del-flows
command.
Beyond that, parse_ofp_flow_mod_str() rejected "ovs-ofctl del-flows
br0" because no actions were supplied, even though supplying actions
doesn't make sense for deleting flows.
This commit fixes both problems and adds a simple test that would have
caught both problems.
Bug #4112.
