diff options
| author | Jarno Rajahalme <jarno@ovn.org> | 2017-02-09 14:21:59 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-02-09 22:59:34 -0500 |
| commit | 9dd7f8907c3705dc7a7a375d1c6e30b06e6daffc (patch) | |
| tree | 9330b1d7ffe29ec0f1c06bf8ff73c5c7d1c258ce /net/openvswitch/flow.h | |
| parent | 09aa98ad496d6b11a698b258bc64d7f64c55d682 (diff) | |
openvswitch: Add original direction conntrack tuple to sw_flow_key.
Add the fields of the conntrack original direction 5-tuple to struct
sw_flow_key. The new fields are initially marked as non-existent, and
are populated whenever a conntrack action is executed and either finds
or generates a conntrack entry. This means that these fields exist
for all packets that were not rejected by conntrack as untrackable.
The original tuple fields in the sw_flow_key are filled from the
original direction tuple of the conntrack entry relating to the
current packet, or from the original direction tuple of the master
conntrack entry, if the current conntrack entry has a master.
Generally, expected connections of connections having an assigned
helper (e.g., FTP), have a master conntrack entry.
The main purpose of the new conntrack original tuple fields is to
allow matching on them for policy decision purposes, with the premise
that the admissibility of tracked connections reply packets (as well
as original direction packets), and both direction packets of any
related connections may be based on ACL rules applying to the master
connection's original direction 5-tuple. This also makes it easier to
make policy decisions when the actual packet headers might have been
transformed by NAT, as the original direction 5-tuple represents the
packet headers before any such transformation.
When using the original direction 5-tuple the admissibility of return
and/or related packets need not be based on the mere existence of a
conntrack entry, allowing separation of admission policy from the
established conntrack state. While existence of a conntrack entry is
required for admission of the return or related packets, policy
changes can render connections that were initially admitted to be
rejected or dropped afterwards. If the admission of the return and
related packets was based on mere conntrack state (e.g., connection
being in an established state), a policy change that would make the
connection rejected or dropped would need to find and delete all
conntrack entries affected by such a change. When using the original
direction 5-tuple matching the affected conntrack entries can be
allowed to time out instead, as the established state of the
connection would not need to be the basis for packet admission any
more.
It should be noted that the directionality of related connections may
be the same or different than that of the master connection, and
neither the original direction 5-tuple nor the conntrack state bits
carry this information. If needed, the directionality of the master
connection can be stored in master's conntrack mark or labels, which
are automatically inherited by the expected related connections.
The fact that neither ARP nor ND packets are trackable by conntrack
allows mutual exclusion between ARP/ND and the new conntrack original
tuple fields. Hence, the IP addresses are overlaid in union with ARP
and ND fields. This allows the sw_flow_key to not grow much due to
this patch, but it also means that we must be careful to never use the
new key fields with ARP or ND packets. ARP is easy to distinguish and
keep mutually exclusive based on the ethernet type, but ND being an
ICMPv6 protocol requires a bit more attention.
Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Acked-by: Joe Stringer <joe@ovn.org>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/openvswitch/flow.h')
| -rw-r--r-- | net/openvswitch/flow.h | 49 |
1 files changed, 38 insertions, 11 deletions
diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h index f61cae7f9030..76e05b25f030 100644 --- a/net/openvswitch/flow.h +++ b/net/openvswitch/flow.h | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | /* | 1 | /* |
| 2 | * Copyright (c) 2007-2014 Nicira, Inc. | 2 | * Copyright (c) 2007-2017 Nicira, Inc. |
| 3 | * | 3 | * |
| 4 | * This program is free software; you can redistribute it and/or | 4 | * This program is free software; you can redistribute it and/or |
| 5 | * modify it under the terms of version 2 of the GNU General Public | 5 | * modify it under the terms of version 2 of the GNU General Public |
| @@ -107,10 +107,16 @@ struct sw_flow_key { | |||
| 107 | __be32 src; /* IP source address. */ | 107 | __be32 src; /* IP source address. */ |
| 108 | __be32 dst; /* IP destination address. */ | 108 | __be32 dst; /* IP destination address. */ |
| 109 | } addr; | 109 | } addr; |
| 110 | struct { | 110 | union { |
| 111 | u8 sha[ETH_ALEN]; /* ARP source hardware address. */ | 111 | struct { |
| 112 | u8 tha[ETH_ALEN]; /* ARP target hardware address. */ | 112 | __be32 src; |
| 113 | } arp; | 113 | __be32 dst; |
| 114 | } ct_orig; /* Conntrack original direction fields. */ | ||
| 115 | struct { | ||
| 116 | u8 sha[ETH_ALEN]; /* ARP source hardware address. */ | ||
| 117 | u8 tha[ETH_ALEN]; /* ARP target hardware address. */ | ||
| 118 | } arp; | ||
| 119 | }; | ||
| 114 | } ipv4; | 120 | } ipv4; |
| 115 | struct { | 121 | struct { |
| 116 | struct { | 122 | struct { |
| @@ -118,23 +124,44 @@ struct sw_flow_key { | |||
| 118 | struct in6_addr dst; /* IPv6 destination address. */ | 124 | struct in6_addr dst; /* IPv6 destination address. */ |
| 119 | } addr; | 125 | } addr; |
| 120 | __be32 label; /* IPv6 flow label. */ | 126 | __be32 label; /* IPv6 flow label. */ |
| 121 | struct { | 127 | union { |
| 122 | struct in6_addr target; /* ND target address. */ | 128 | struct { |
| 123 | u8 sll[ETH_ALEN]; /* ND source link layer address. */ | 129 | struct in6_addr src; |
| 124 | u8 tll[ETH_ALEN]; /* ND target link layer address. */ | 130 | struct in6_addr dst; |
| 125 | } nd; | 131 | } ct_orig; /* Conntrack original direction fields. */ |
| 132 | struct { | ||
| 133 | struct in6_addr target; /* ND target address. */ | ||
| 134 | u8 sll[ETH_ALEN]; /* ND source link layer address. */ | ||
| 135 | u8 tll[ETH_ALEN]; /* ND target link layer address. */ | ||
| 136 | } nd; | ||
| 137 | }; | ||
| 126 | } ipv6; | 138 | } ipv6; |
| 127 | }; | 139 | }; |
| 128 | struct { | 140 | struct { |
| 129 | /* Connection tracking fields. */ | 141 | /* Connection tracking fields. */ |
| 142 | u8 state; | ||
| 143 | u8 orig_proto; /* CT orig tuple IP protocol. */ | ||
| 130 | u16 zone; | 144 | u16 zone; |
| 131 | u32 mark; | 145 | u32 mark; |
| 132 | u8 state; | 146 | struct { |
| 147 | __be16 src; /* CT orig tuple tp src port. */ | ||
| 148 | __be16 dst; /* CT orig tuple tp dst port. */ | ||
| 149 | } orig_tp; | ||
| 150 | |||
| 133 | struct ovs_key_ct_labels labels; | 151 | struct ovs_key_ct_labels labels; |
| 134 | } ct; | 152 | } ct; |
| 135 | 153 | ||
| 136 | } __aligned(BITS_PER_LONG/8); /* Ensure that we can do comparisons as longs. */ | 154 | } __aligned(BITS_PER_LONG/8); /* Ensure that we can do comparisons as longs. */ |
| 137 | 155 | ||
| 156 | static inline bool sw_flow_key_is_nd(const struct sw_flow_key *key) | ||
| 157 | { | ||
| 158 | return key->eth.type == htons(ETH_P_IPV6) && | ||
| 159 | key->ip.proto == NEXTHDR_ICMP && | ||
| 160 | key->tp.dst == 0 && | ||
| 161 | (key->tp.src == htons(NDISC_NEIGHBOUR_SOLICITATION) || | ||
| 162 | key->tp.src == htons(NDISC_NEIGHBOUR_ADVERTISEMENT)); | ||
| 163 | } | ||
| 164 | |||
| 138 | struct sw_flow_key_range { | 165 | struct sw_flow_key_range { |
| 139 | unsigned short int start; | 166 | unsigned short int start; |
| 140 | unsigned short int end; | 167 | unsigned short int end; |