This series adds support for sending packets through a connection tracker,
which allows OVS to perform stateful firewalling functions. The functionality
added in this series works in conjunction with the interface that is available
in the latest upstream Linux kernel development releases that will become
Linux-4.3. The linux datapath backport is not included at this time.

The functionality is manipulated through a new action "CT" and several new NXM
fields: ct_state, ct_zone, ct_mark, ct_label. The CT action allows these fields
to be populated, and for connections that match the flow to be tracked. Later
patches in the series also allow metadata to be attached to these connections.

When a flow is sent through the connection tracker, there are two common
functions to perform. Firstly, match packets from port 1 and do a lookup:

    ovs-ofctl add-flow br0 "in_port=1,actions=ct(table=1)"

When the "table" parameter is specified, the ct action performs similarly to an
output action, in that a copy of the packet is "output" to the connection
tracker. When the connection tracker has finished processing the packet,
processing will continue in the table specified. The connection tracking NXM
fields will be populated when the processing continues, which allows fields
such as the state to be matched on.

The connection state, as represented in the ct_state field, consists of a
collection of flags, including:
- Tracked (trk): Connection tracking has occurred.
- Reply (rpl): The flow is in the reply direction.
- Invalid (inv): The connection tracker couldn't identify the connection.
- New (new): This is the beginning of a new connection.
- Established (est): This is part of an already existing connection.
- Related (rel): This connection is related to an existing connection.

When the first packets for a new connection are sent through the connection
tracker, the ct_state will have the "+trk+new" flags set. The OpenFlow
controller may specify a policy to match new connections and allow or deny
them.

The second function of the ct action is to "commit" the connections. This
signals to the connection tracker that this connection should be tracked on an
ongoing basis, so that subsequent packets may be identified as belonging to
this connection. For instance, to allow new connections from port 1->2:

    ovs-ofctl add-flow br0 \
        "in_port=1,ip,ct_state=+trk+new,action=ct(commit),2"

Later packets in the connection will have the "+est" flag set, so existing
connections may be allowed as follows:

    ovs-ofctl add-flow br0 "in_port=1,ip,ct_state=+trk+est,action=2"
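The two functions above (lookup, then commit) combined into a complete two-port stateful firewall, as an added example that is not part of this series or its testsuite: port 1 is assumed to be the inside, port 2 the outside, and the table layout, priorities and the "+inv" drop rule are assumptions of the example. Unlike the single flows above it also handles the reply direction, which arrives from port 2 with "+trk+est" once the connection has been committed.

```shell
#!/bin/sh
# Constructed example: a stateful firewall using ct(table=...) for the lookup
# and ct(commit) for new connections.  Field names follow the ct_state naming
# from the series; port numbers and priorities are assumptions.

# Print the flow table for inside port $1 and outside port $2 in the
# ovs-ofctl add-flows(8) file syntax (one flow per line, '#' comments).
ct_firewall_flows() {
    inside=$1
    outside=$2
    cat <<EOF
# Table 0: send every IP packet through the connection tracker and resume
# in table 1 with ct_state populated.  Non-IP traffic is not tracked.
table=0,priority=100,ip,actions=ct(table=1)
table=0,priority=0,actions=NORMAL
# Table 1: packets the tracker could not classify are dropped first.
table=1,priority=110,ct_state=+trk+inv,actions=drop
# Table 1: new connections are allowed only from inside to outside and are
# committed so that later packets (including replies) are recognised.
table=1,priority=100,ct_state=+trk+new,in_port=${inside},actions=ct(commit),${outside}
# Table 1: established connections are allowed in both directions.
table=1,priority=90,ct_state=+trk+est,in_port=${inside},actions=${outside}
table=1,priority=90,ct_state=+trk+est,in_port=${outside},actions=${inside}
# Table 1: anything else, e.g. a connection initiated from outside, is dropped.
table=1,priority=0,actions=drop
EOF
}

# Replace the flow table of bridge $1 with the firewall for ports $2 and $3.
# Requires ovs-ofctl; replace-flows reads the flow file from stdin when given '-'.
ct_firewall_apply() {
    ct_firewall_flows "$2" "$3" | ovs-ofctl replace-flows "$1" -
}
```

Run as `ct_firewall_apply br0 1 2`; `ovs-ofctl dump-flows br0` then shows the committed-connection rules together with their packet counters.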

In addition to the above, several other parameters may be provided to the ct
action:
- zone: A 16-bit value or NXM field to retrieve the zone from. Each zone is an
  independent connection tracking context. Connections which are committed to
  zone A will not be remembered in zone B, unless the connection is also
  explicitly committed to zone B.

  e.g.: actions=ct(zone=1),ct(zone=NXM_NX_REG0[0..15])

- exec: Execute a nested set of actions. This allows additional functions to be
  performed as part of the connection tracking execution. In this series, the
  set_field, reg_move and reg_load actions are supported with two connection
  tracking metadata fields: ct_mark and ct_label.

  e.g.: actions=ct(commit,exec(set_field:1->ct_mark))

- alg: Specify an ALG to assist connection tracking. Some protocols consist of
  multiple traffic streams that are impossible to associate without additional
  context. This parameter provides that context to the connection tracker to
  make it possible to track, for instance, FTP data connections.

  e.g.: actions=ct(commit,alg=ftp)

Further examples are available in the commit messages for each patch, the
ovs-ofctl(8) man pages, and the traffic testsuite in tests/system-traffic.at.

---
Version 1 got a conditional ack from Jarno, if the feedback is addressed and
the OpenFlow interface gets an additional review (Ben?). If that does not
require significant changes, I would expect to be able to push the series
soon. A datapath backport will be forthcoming.

This series depends on the ofproto.at test patch here:
https://github.com/openvswitch/ovs/pull/73

This series is also available at the following branch:
https://github.com/joestringer/openvswitch dev/ct_20150917

---
v2: Applied patches 1-2.
    Expand NXM_NX_CT_STATE to 16 bits (datapath remains 8 bits).
    Extend interface documentation, particularly in meta-flow and ofp-actions.
    Addressed feedback from v1.
v1: First non-RFC post, based on upstream merged datapath interface.


Andy Zhou (1):
  dpif-netlink: Allow MRU packet attribute.

Daniele Di Proietto (1):
  lib: Introduce ovs_u128_is_zero().

Joe Stringer (4):
  Add support for connection tracking.
  Add connection tracking mark support.
  Add connection tracking label support.
  Add support for connection tracking helper/ALGs.

 NEWS                                              |    3 +
 build-aux/extract-ofp-fields                      |    3 +
 datapath/flow_netlink.c                           |    2 +-
 datapath/linux/compat/include/linux/openvswitch.h |   59 ++
 include/sparse/netinet/in.h                       |    2 +
 include/windows/netinet/in.h                      |    1 +
 lib/dpif-netdev.c                                 |   13 +
 lib/dpif-netlink.c                                |    5 +
 lib/dpif.c                                        |    3 +
 lib/dpif.h                                        |    3 +
 lib/flow.c                                        |   59 +-
 lib/flow.h                                        |   27 +-
 lib/match.c                                       |  112 ++-
 lib/match.h                                       |    7 +
 lib/meta-flow.c                                   |  173 ++++
 lib/meta-flow.h                                   |  106 +++
 lib/netlink.c                                     |   11 +
 lib/netlink.h                                     |    2 +
 lib/nx-match.c                                    |   30 +-
 lib/odp-execute.c                                 |   10 +
 lib/odp-util.c                                    |  405 +++++++++
 lib/odp-util.h                                    |   16 +-
 lib/ofp-actions.c                                 |  393 +++++++-
 lib/ofp-actions.h                                 |   55 ++
 lib/ofp-parse.c                                   |   15 +
 lib/ofp-parse.h                                   |    1 +
 lib/ofp-util.c                                    |    2 +-
 lib/packets.c                                     |   21 +
 lib/packets.h                                     |   40 +-
 lib/util.h                                        |    7 +
 ofproto/ofproto-dpif-rid.c                        |    2 +
 ofproto/ofproto-dpif-rid.h                        |    3 +-
 ofproto/ofproto-dpif-sflow.c                      |    5 +
 ofproto/ofproto-dpif-upcall.c                     |   17 +-
 ofproto/ofproto-dpif-xlate.c                      |  159 +++-
 ofproto/ofproto-dpif.c                            |   90 ++
 ofproto/ofproto-unixctl.man                       |    8 +
 tests/atlocal.in                                  |   14 +
 tests/automake.mk                                 |    1 +
 tests/dpif-netdev.at                              |    2 +-
 tests/odp.at                                      |   17 +
 tests/ofproto-dpif.at                             |    4 +-
 tests/ofproto.at                                  |    6 +-
 tests/system-common-macros.at                     |   18 +
 tests/system-kmod-macros.at                       |   16 +
 tests/system-traffic.at                           | 1009 +++++++++++++++++++++
 tests/system-userspace-macros.at                  |    9 +
 tests/test-l7.py                                  |   72 ++
 tests/test-odp.c                                  |    4 +
 utilities/ovs-ofctl.8.in                          |  120 +++
 50 files changed, 3120 insertions(+), 42 deletions(-)
 create mode 100755 tests/test-l7.py

-- 
2.1.4

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev