diff options
| author | Joe Stringer <joestringer@nicira.com> | 2015-08-26 14:31:48 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-08-27 14:40:43 -0400 |
| commit | 7f8a436eaa2c3ddd8e1ff2fbca267e6275085536 (patch) | |
| tree | 44fa82400d8fc974e52788ff20689eab4f2fb7eb /include/uapi/linux | |
| parent | e79e259588a414589a016edc428ee8dd308f81ad (diff) | |
openvswitch: Add conntrack action
Expose the kernel connection tracker via OVS. Userspace components can
make use of the CT action to populate the connection state (ct_state)
field for a flow. This state can be subsequently matched.
Exposed connection states are OVS_CS_F_*:
- NEW (0x01) - Beginning of a new connection.
- ESTABLISHED (0x02) - Part of an existing connection.
- RELATED (0x04) - Related to an established connection.
- INVALID (0x20) - Could not track the connection for this packet.
- REPLY_DIR (0x40) - This packet is in the reply direction for the flow.
- TRACKED (0x80) - This packet has been sent through conntrack.
When the CT action is executed by itself, it will send the packet
through the connection tracker and populate the ct_state field with one
or more of the connection state flags above. The CT action will always
set the TRACKED bit.
When the COMMIT flag is passed to the conntrack action, this specifies
that information about the connection should be stored. This allows
subsequent packets for the same (or related) connections to be
correlated with this connection. Sending subsequent packets for the
connection through conntrack allows the connection tracker to consider
the packets as ESTABLISHED, RELATED, and/or REPLY_DIR.
The CT action may optionally take a zone to track the flow within. This
allows connections with the same 5-tuple to be kept logically separate
from connections in other zones. If the zone is specified, then the
"ct_zone" match field will be subsequently populated with the zone id.
IP fragments are handled by transparently assembling them as part of the
CT action. The maximum received unit (MRU) size is tracked so that
refragmentation can occur during output.
IP frag handling contributed by Andy Zhou.
Based on original design by Justin Pettit.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/openvswitch.h | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h index d6b885460187..55f599792673 100644 --- a/include/uapi/linux/openvswitch.h +++ b/include/uapi/linux/openvswitch.h | |||
| @@ -164,6 +164,9 @@ enum ovs_packet_cmd { | |||
| 164 | * %OVS_USERSPACE_ATTR_EGRESS_TUN_PORT attribute, which is sent only if the | 164 | * %OVS_USERSPACE_ATTR_EGRESS_TUN_PORT attribute, which is sent only if the |
| 165 | * output port is actually a tunnel port. Contains the output tunnel key | 165 | * output port is actually a tunnel port. Contains the output tunnel key |
| 166 | * extracted from the packet as nested %OVS_TUNNEL_KEY_ATTR_* attributes. | 166 | * extracted from the packet as nested %OVS_TUNNEL_KEY_ATTR_* attributes. |
| 167 | * @OVS_PACKET_ATTR_MRU: Present for an %OVS_PACKET_CMD_ACTION and | ||
| 168 | * %OVS_PACKET_ATTR_USERSPACE action specify the Maximum received fragment | ||
| 169 | * size. | ||
| 167 | * | 170 | * |
| 168 | * These attributes follow the &struct ovs_header within the Generic Netlink | 171 | * These attributes follow the &struct ovs_header within the Generic Netlink |
| 169 | * payload for %OVS_PACKET_* commands. | 172 | * payload for %OVS_PACKET_* commands. |
| @@ -180,6 +183,7 @@ enum ovs_packet_attr { | |||
| 180 | OVS_PACKET_ATTR_UNUSED2, | 183 | OVS_PACKET_ATTR_UNUSED2, |
| 181 | OVS_PACKET_ATTR_PROBE, /* Packet operation is a feature probe, | 184 | OVS_PACKET_ATTR_PROBE, /* Packet operation is a feature probe, |
| 182 | error logging should be suppressed. */ | 185 | error logging should be suppressed. */ |
| 186 | OVS_PACKET_ATTR_MRU, /* Maximum received IP fragment size. */ | ||
| 183 | __OVS_PACKET_ATTR_MAX | 187 | __OVS_PACKET_ATTR_MAX |
| 184 | }; | 188 | }; |
| 185 | 189 | ||
| @@ -319,6 +323,8 @@ enum ovs_key_attr { | |||
| 319 | OVS_KEY_ATTR_MPLS, /* array of struct ovs_key_mpls. | 323 | OVS_KEY_ATTR_MPLS, /* array of struct ovs_key_mpls. |
| 320 | * The implementation may restrict | 324 | * The implementation may restrict |
| 321 | * the accepted length of the array. */ | 325 | * the accepted length of the array. */ |
| 326 | OVS_KEY_ATTR_CT_STATE, /* u8 bitmask of OVS_CS_F_* */ | ||
| 327 | OVS_KEY_ATTR_CT_ZONE, /* u16 connection tracking zone. */ | ||
| 322 | 328 | ||
| 323 | #ifdef __KERNEL__ | 329 | #ifdef __KERNEL__ |
| 324 | OVS_KEY_ATTR_TUNNEL_INFO, /* struct ip_tunnel_info */ | 330 | OVS_KEY_ATTR_TUNNEL_INFO, /* struct ip_tunnel_info */ |
| @@ -431,6 +437,15 @@ struct ovs_key_nd { | |||
| 431 | __u8 nd_tll[ETH_ALEN]; | 437 | __u8 nd_tll[ETH_ALEN]; |
| 432 | }; | 438 | }; |
| 433 | 439 | ||
| 440 | /* OVS_KEY_ATTR_CT_STATE flags */ | ||
| 441 | #define OVS_CS_F_NEW 0x01 /* Beginning of a new connection. */ | ||
| 442 | #define OVS_CS_F_ESTABLISHED 0x02 /* Part of an existing connection. */ | ||
| 443 | #define OVS_CS_F_RELATED 0x04 /* Related to an established | ||
| 444 | * connection. */ | ||
| 445 | #define OVS_CS_F_INVALID 0x20 /* Could not track connection. */ | ||
| 446 | #define OVS_CS_F_REPLY_DIR 0x40 /* Flow is in the reply direction. */ | ||
| 447 | #define OVS_CS_F_TRACKED 0x80 /* Conntrack has occurred. */ | ||
| 448 | |||
| 434 | /** | 449 | /** |
| 435 | * enum ovs_flow_attr - attributes for %OVS_FLOW_* commands. | 450 | * enum ovs_flow_attr - attributes for %OVS_FLOW_* commands. |
| 436 | * @OVS_FLOW_ATTR_KEY: Nested %OVS_KEY_ATTR_* attributes specifying the flow | 451 | * @OVS_FLOW_ATTR_KEY: Nested %OVS_KEY_ATTR_* attributes specifying the flow |
| @@ -595,6 +610,28 @@ struct ovs_action_hash { | |||
| 595 | }; | 610 | }; |
| 596 | 611 | ||
| 597 | /** | 612 | /** |
| 613 | * enum ovs_ct_attr - Attributes for %OVS_ACTION_ATTR_CT action. | ||
| 614 | * @OVS_CT_ATTR_FLAGS: u32 connection tracking flags. | ||
| 615 | * @OVS_CT_ATTR_ZONE: u16 connection tracking zone. | ||
| 616 | */ | ||
| 617 | enum ovs_ct_attr { | ||
| 618 | OVS_CT_ATTR_UNSPEC, | ||
| 619 | OVS_CT_ATTR_FLAGS, /* u8 bitmask of OVS_CT_F_*. */ | ||
| 620 | OVS_CT_ATTR_ZONE, /* u16 zone id. */ | ||
| 621 | __OVS_CT_ATTR_MAX | ||
| 622 | }; | ||
| 623 | |||
| 624 | #define OVS_CT_ATTR_MAX (__OVS_CT_ATTR_MAX - 1) | ||
| 625 | |||
| 626 | /* | ||
| 627 | * OVS_CT_ATTR_FLAGS flags - bitmask of %OVS_CT_F_* | ||
| 628 | * @OVS_CT_F_COMMIT: Commits the flow to the conntrack table. This allows | ||
| 629 | * future packets for the same connection to be identified as 'established' | ||
| 630 | * or 'related'. | ||
| 631 | */ | ||
| 632 | #define OVS_CT_F_COMMIT 0x01 | ||
| 633 | |||
| 634 | /** | ||
| 598 | * enum ovs_action_attr - Action types. | 635 | * enum ovs_action_attr - Action types. |
| 599 | * | 636 | * |
| 600 | * @OVS_ACTION_ATTR_OUTPUT: Output packet to port. | 637 | * @OVS_ACTION_ATTR_OUTPUT: Output packet to port. |
| @@ -623,6 +660,8 @@ struct ovs_action_hash { | |||
| 623 | * indicate the new packet contents. This could potentially still be | 660 | * indicate the new packet contents. This could potentially still be |
| 624 | * %ETH_P_MPLS if the resulting MPLS label stack is not empty. If there | 661 | * %ETH_P_MPLS if the resulting MPLS label stack is not empty. If there |
| 625 | * is no MPLS label stack, as determined by ethertype, no action is taken. | 662 | * is no MPLS label stack, as determined by ethertype, no action is taken. |
| 663 | * @OVS_ACTION_ATTR_CT: Track the connection. Populate the conntrack-related | ||
| 664 | * entries in the flow key. | ||
| 626 | * | 665 | * |
| 627 | * Only a single header can be set with a single %OVS_ACTION_ATTR_SET. Not all | 666 | * Only a single header can be set with a single %OVS_ACTION_ATTR_SET. Not all |
| 628 | * fields within a header are modifiable, e.g. the IPv4 protocol and fragment | 667 | * fields within a header are modifiable, e.g. the IPv4 protocol and fragment |
| @@ -648,6 +687,7 @@ enum ovs_action_attr { | |||
| 648 | * data immediately followed by a mask. | 687 | * data immediately followed by a mask. |
| 649 | * The data must be zero for the unmasked | 688 | * The data must be zero for the unmasked |
| 650 | * bits. */ | 689 | * bits. */ |
| 690 | OVS_ACTION_ATTR_CT, /* One nested OVS_CT_ATTR_* . */ | ||
| 651 | 691 | ||
| 652 | __OVS_ACTION_ATTR_MAX, /* Nothing past this will be accepted | 692 | __OVS_ACTION_ATTR_MAX, /* Nothing past this will be accepted |
| 653 | * from userspace. */ | 693 | * from userspace. */ |