diff options
| author | Jarno Rajahalme <jarno@ovn.org> | 2017-02-09 14:21:59 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-02-09 22:59:34 -0500 |
| commit | 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc (patch) | |
| tree | 9330b1d7ffe29ec0f1c06bf8ff73c5c7d1c258ce /net/openvswitch/flow.c | |
| parent | 09aa98ad496d6b11a698b258bc64d7f64c55d682 (diff) | |
openvswitch: Add original direction conntrack tuple to sw_flow_key.
Add the fields of the conntrack original direction 5-tuple to struct
sw_flow_key. The new fields are initially marked as non-existent, and
are populated whenever a conntrack action is executed and either finds
or generates a conntrack entry. This means that these fields exist
for all packets that were not rejected by conntrack as untrackable.
The original tuple fields in the sw_flow_key are filled from the
original direction tuple of the conntrack entry relating to the
current packet, or from the original direction tuple of the master
conntrack entry, if the current conntrack entry has a master.
Generally, expected connections of connections having an assigned
helper (e.g., FTP), have a master conntrack entry.
The main purpose of the new conntrack original tuple fields is to
allow matching on them for policy decision purposes, with the premise
that the admissibility of tracked connections reply packets (as well
as original direction packets), and both direction packets of any
related connections may be based on ACL rules applying to the master
connection's original direction 5-tuple. This also makes it easier to
make policy decisions when the actual packet headers might have been
transformed by NAT, as the original direction 5-tuple represents the
packet headers before any such transformation.
When using the original direction 5-tuple the admissibility of return
and/or related packets need not be based on the mere existence of a
conntrack entry, allowing separation of admission policy from the
established conntrack state. While existence of a conntrack entry is
required for admission of the return or related packets, policy
changes can render connections that were initially admitted to be
rejected or dropped afterwards. If the admission of the return and
related packets was based on mere conntrack state (e.g., connection
being in an established state), a policy change that would make the
connection rejected or dropped would need to find and delete all
conntrack entries affected by such a change. When using the original
direction 5-tuple matching the affected conntrack entries can be
allowed to time out instead, as the established state of the
connection would not need to be the basis for packet admission any
more.
It should be noted that the directionality of related connections may
be the same or different than that of the master connection, and
neither the original direction 5-tuple nor the conntrack state bits
carry this information. If needed, the directionality of the master
connection can be stored in master's conntrack mark or labels, which
are automatically inherited by the expected related connections.
The fact that neither ARP nor ND packets are trackable by conntrack
allows mutual exclusion between ARP/ND and the new conntrack original
tuple fields. Hence, the IP addresses are overlaid in union with ARP
and ND fields. This allows the sw_flow_key to not grow much due to
this patch, but it also means that we must be careful to never use the
new key fields with ARP or ND packets. ARP is easy to distinguish and
keep mutually exclusive based on the ethernet type, but ND being an
ICMPv6 protocol requires a bit more attention.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/openvswitch/flow.c')
| -rw-r--r-- | net/openvswitch/flow.c | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c index 2c0a00f7f1b7..9d4bb8eb63f2 100644 --- a/net/openvswitch/flow.c +++ b/net/openvswitch/flow.c | |||
| @@ -765,7 +765,7 @@ static int key_extract_mac_proto(struct sk_buff *skb) | |||
| 765 | int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info, | 765 | int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info, |
| 766 | struct sk_buff *skb, struct sw_flow_key *key) | 766 | struct sk_buff *skb, struct sw_flow_key *key) |
| 767 | { | 767 | { |
| 768 | int res; | 768 | int res, err; |
| 769 | 769 | ||
| 770 | /* Extract metadata from packet. */ | 770 | /* Extract metadata from packet. */ |
| 771 | if (tun_info) { | 771 | if (tun_info) { |
| @@ -792,7 +792,6 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info, | |||
| 792 | key->phy.priority = skb->priority; | 792 | key->phy.priority = skb->priority; |
| 793 | key->phy.in_port = OVS_CB(skb)->input_vport->port_no; | 793 | key->phy.in_port = OVS_CB(skb)->input_vport->port_no; |
| 794 | key->phy.skb_mark = skb->mark; | 794 | key->phy.skb_mark = skb->mark; |
| 795 | ovs_ct_fill_key(skb, key); | ||
| 796 | key->ovs_flow_hash = 0; | 795 | key->ovs_flow_hash = 0; |
| 797 | res = key_extract_mac_proto(skb); | 796 | res = key_extract_mac_proto(skb); |
| 798 | if (res < 0) | 797 | if (res < 0) |
| @@ -800,17 +799,26 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info, | |||
| 800 | key->mac_proto = res; | 799 | key->mac_proto = res; |
| 801 | key->recirc_id = 0; | 800 | key->recirc_id = 0; |
| 802 | 801 | ||
| 803 | return key_extract(skb, key); | 802 | err = key_extract(skb, key); |
| 803 | if (!err) | ||
| 804 | ovs_ct_fill_key(skb, key); /* Must be after key_extract(). */ | ||
| 805 | return err; | ||
| 804 | } | 806 | } |
| 805 | 807 | ||
| 806 | int ovs_flow_key_extract_userspace(struct net *net, const struct nlattr *attr, | 808 | int ovs_flow_key_extract_userspace(struct net *net, const struct nlattr *attr, |
| 807 | struct sk_buff *skb, | 809 | struct sk_buff *skb, |
| 808 | struct sw_flow_key *key, bool log) | 810 | struct sw_flow_key *key, bool log) |
| 809 | { | 811 | { |
| 812 | const struct nlattr *a[OVS_KEY_ATTR_MAX + 1]; | ||
| 813 | u64 attrs = 0; | ||
| 810 | int err; | 814 | int err; |
| 811 | 815 | ||
| 816 | err = parse_flow_nlattrs(attr, a, &attrs, log); | ||
| 817 | if (err) | ||
| 818 | return -EINVAL; | ||
| 819 | |||
| 812 | /* Extract metadata from netlink attributes. */ | 820 | /* Extract metadata from netlink attributes. */ |
| 813 | err = ovs_nla_get_flow_metadata(net, attr, key, log); | 821 | err = ovs_nla_get_flow_metadata(net, a, attrs, key, log); |
| 814 | if (err) | 822 | if (err) |
| 815 | return err; | 823 | return err; |
| 816 | 824 | ||
| @@ -824,5 +832,21 @@ int ovs_flow_key_extract_userspace(struct net *net, const struct nlattr *attr, | |||
| 824 | */ | 832 | */ |
| 825 | 833 | ||
| 826 | skb->protocol = key->eth.type; | 834 | skb->protocol = key->eth.type; |
| 827 | return key_extract(skb, key); | 835 | err = key_extract(skb, key); |
| 836 | if (err) | ||
| 837 | return err; | ||
| 838 | |||
| 839 | /* Check that we have conntrack original direction tuple metadata only | ||
| 840 | * for packets for which it makes sense. Otherwise the key may be | ||
| 841 | * corrupted due to overlapping key fields. | ||
| 842 | */ | ||
| 843 | if (attrs & (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4) && | ||
| 844 | key->eth.type != htons(ETH_P_IP)) | ||
| 845 | return -EINVAL; | ||
| 846 | if (attrs & (1 << OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6) && | ||
| 847 | (key->eth.type != htons(ETH_P_IPV6) || | ||
| 848 | sw_flow_key_is_nd(key))) | ||
| 849 | return -EINVAL; | ||
| 850 | |||
| 851 | return 0; | ||
| 828 | } | 852 | } |