/*
- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
+ * Copyright (c) 2008-2016 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
*/
#include <config.h>
+#include <netinet/in.h>
+
#include "ofp-actions.h"
#include "bundle.h"
#include "byte-order.h"
#include "meta-flow.h"
#include "multipath.h"
#include "nx-match.h"
+#include "odp-netlink.h"
#include "ofp-parse.h"
+#include "ofp-prop.h"
#include "ofp-util.h"
#include "ofpbuf.h"
#include "unaligned.h"
/* NX1.0+(20): struct nx_action_controller. */
NXAST_RAW_CONTROLLER,
+ /* NX1.0+(37): struct nx_action_controller2, ... */
+ NXAST_RAW_CONTROLLER2,
/* NX1.0+(22): struct nx_action_write_metadata. */
NXAST_RAW_WRITE_METADATA,
/* NX1.0+(34): struct nx_action_conjunction. */
NXAST_RAW_CONJUNCTION,
+ /* NX1.0+(35): struct nx_action_conntrack, ... */
+ NXAST_RAW_CT,
+
+ /* NX1.0+(36): struct nx_action_nat, ... */
+ NXAST_RAW_NAT,
+
/* ## ------------------ ## */
/* ## Debugging actions. ## */
/* ## ------------------ ## */
static char *OVS_WARN_UNUSED_RESULT ofpacts_parse(
char *str, struct ofpbuf *ofpacts, enum ofputil_protocol *usable_protocols,
bool allow_instructions, enum ofpact_type outer_action);
+static enum ofperr ofpacts_pull_openflow_actions__(
+ struct ofpbuf *openflow, unsigned int actions_len,
+ enum ofp_version version, uint32_t allowed_ovsinsts,
+ struct ofpbuf *ofpacts, enum ofpact_type outer_action);
+static char * OVS_WARN_UNUSED_RESULT ofpacts_parse_copy(
+ const char *s_, struct ofpbuf *ofpacts,
+ enum ofputil_protocol *usable_protocols,
+ bool allow_instructions, enum ofpact_type outer_action);
+
+/* Returns the ofpact following 'ofpact', except that if 'ofpact' contains
+ * nested ofpacts it returns the first one. */
+struct ofpact *
+ofpact_next_flattened(const struct ofpact *ofpact)
+{
+ switch (ofpact->type) {
+ case OFPACT_OUTPUT:
+ case OFPACT_GROUP:
+ case OFPACT_CONTROLLER:
+ case OFPACT_ENQUEUE:
+ case OFPACT_OUTPUT_REG:
+ case OFPACT_BUNDLE:
+ case OFPACT_SET_FIELD:
+ case OFPACT_SET_VLAN_VID:
+ case OFPACT_SET_VLAN_PCP:
+ case OFPACT_STRIP_VLAN:
+ case OFPACT_PUSH_VLAN:
+ case OFPACT_SET_ETH_SRC:
+ case OFPACT_SET_ETH_DST:
+ case OFPACT_SET_IPV4_SRC:
+ case OFPACT_SET_IPV4_DST:
+ case OFPACT_SET_IP_DSCP:
+ case OFPACT_SET_IP_ECN:
+ case OFPACT_SET_IP_TTL:
+ case OFPACT_SET_L4_SRC_PORT:
+ case OFPACT_SET_L4_DST_PORT:
+ case OFPACT_REG_MOVE:
+ case OFPACT_STACK_PUSH:
+ case OFPACT_STACK_POP:
+ case OFPACT_DEC_TTL:
+ case OFPACT_SET_MPLS_LABEL:
+ case OFPACT_SET_MPLS_TC:
+ case OFPACT_SET_MPLS_TTL:
+ case OFPACT_DEC_MPLS_TTL:
+ case OFPACT_PUSH_MPLS:
+ case OFPACT_POP_MPLS:
+ case OFPACT_SET_TUNNEL:
+ case OFPACT_SET_QUEUE:
+ case OFPACT_POP_QUEUE:
+ case OFPACT_FIN_TIMEOUT:
+ case OFPACT_RESUBMIT:
+ case OFPACT_LEARN:
+ case OFPACT_CONJUNCTION:
+ case OFPACT_MULTIPATH:
+ case OFPACT_NOTE:
+ case OFPACT_EXIT:
+ case OFPACT_SAMPLE:
+ case OFPACT_UNROLL_XLATE:
+ case OFPACT_DEBUG_RECIRC:
+ case OFPACT_METER:
+ case OFPACT_CLEAR_ACTIONS:
+ case OFPACT_WRITE_METADATA:
+ case OFPACT_GOTO_TABLE:
+ case OFPACT_NAT:
+ return ofpact_next(ofpact);
+
+ case OFPACT_CT:
+ return ofpact_get_CT(ofpact)->actions;
+
+ case OFPACT_WRITE_ACTIONS:
+ return ofpact_get_WRITE_ACTIONS(ofpact)->actions;
+ }
+
+ OVS_NOT_REACHED();
+}
/* Pull off existing actions or instructions. Used by nesting actions to keep
* ofpacts_parse() oblivious of actions nesting.
{
size_t ofs;
- ofpact_pad(ofpacts);
ofs = ofpacts->size;
ofpbuf_pull(ofpacts, ofs);
};
OFP_ASSERT(sizeof(struct nx_action_controller) == 16);
+/* Properties for NXAST_CONTROLLER2.
+ *
+ * For more information on the effect of NXAC2PT_PAUSE, see the large comment
+ * on NXT_PACKET_IN2 in nicira-ext.h */
+enum nx_action_controller2_prop_type {
+ NXAC2PT_MAX_LEN, /* ovs_be16 max bytes to send (default all). */
+ NXAC2PT_CONTROLLER_ID, /* ovs_be16 dest controller ID (default 0). */
+ NXAC2PT_REASON, /* uint8_t reason (OFPR_*), default 0. */
+ NXAC2PT_USERDATA, /* Data to copy into NXPINT_USERDATA. */
+ NXAC2PT_PAUSE, /* Flag to pause pipeline to resume later. */
+};
+
+/* Action structure for NXAST_CONTROLLER2.
+ *
+ * This replacement for NXAST_CONTROLLER makes it extensible via properties. */
+struct nx_action_controller2 {
+ ovs_be16 type; /* OFPAT_VENDOR. */
+ ovs_be16 len; /* Length is 16 or more. */
+ ovs_be32 vendor; /* NX_VENDOR_ID. */
+ ovs_be16 subtype; /* NXAST_CONTROLLER2. */
+ uint8_t zeros[6]; /* Must be zero. */
+ /* Followed by NXAC2PT_* properties. */
+};
+OFP_ASSERT(sizeof(struct nx_action_controller2) == 16);
+
static enum ofperr
decode_NXAST_RAW_CONTROLLER(const struct nx_action_controller *nac,
enum ofp_version ofp_version OVS_UNUSED,
struct ofpact_controller *oc;
oc = ofpact_put_CONTROLLER(out);
+ oc->ofpact.raw = NXAST_RAW_CONTROLLER;
oc->max_len = ntohs(nac->max_len);
oc->controller_id = ntohs(nac->controller_id);
oc->reason = nac->reason;
+ ofpact_finish(out, &oc->ofpact);
+
+ return 0;
+}
+
+static enum ofperr
+decode_NXAST_RAW_CONTROLLER2(const struct nx_action_controller2 *nac2,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
+{
+ if (!is_all_zeros(nac2->zeros, sizeof nac2->zeros)) {
+ return OFPERR_NXBRC_MUST_BE_ZERO;
+ }
+
+ size_t start_ofs = out->size;
+ struct ofpact_controller *oc = ofpact_put_CONTROLLER(out);
+ oc->ofpact.raw = NXAST_RAW_CONTROLLER2;
+ oc->max_len = UINT16_MAX;
+ oc->reason = OFPR_ACTION;
+
+ struct ofpbuf properties;
+ ofpbuf_use_const(&properties, nac2, ntohs(nac2->len));
+ ofpbuf_pull(&properties, sizeof *nac2);
+
+ while (properties.size > 0) {
+ struct ofpbuf payload;
+ uint64_t type;
+
+ enum ofperr error = ofpprop_pull(&properties, &payload, &type);
+ if (error) {
+ return error;
+ }
+
+ switch (type) {
+ case NXAC2PT_MAX_LEN:
+ error = ofpprop_parse_u16(&payload, &oc->max_len);
+ break;
+
+ case NXAC2PT_CONTROLLER_ID:
+ error = ofpprop_parse_u16(&payload, &oc->controller_id);
+ break;
+
+ case NXAC2PT_REASON: {
+ uint8_t u8;
+ error = ofpprop_parse_u8(&payload, &u8);
+ oc->reason = u8;
+ break;
+ }
+
+ case NXAC2PT_USERDATA:
+ out->size = start_ofs + OFPACT_CONTROLLER_SIZE;
+ ofpbuf_put(out, payload.msg, ofpbuf_msgsize(&payload));
+ oc = ofpbuf_at_assert(out, start_ofs, sizeof *oc);
+ oc->userdata_len = ofpbuf_msgsize(&payload);
+ break;
+
+ case NXAC2PT_PAUSE:
+ oc->pause = true;
+ break;
+
+ default:
+ error = OFPPROP_UNKNOWN(false, "NXAST_RAW_CONTROLLER2", type);
+ break;
+ }
+ if (error) {
+ return error;
+ }
+ }
+
+ ofpact_finish(out, &oc->ofpact);
+
return 0;
}
enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
- struct nx_action_controller *nac;
+ if (controller->userdata_len
+ || controller->pause
+ || controller->ofpact.raw == NXAST_RAW_CONTROLLER2) {
+ size_t start_ofs = out->size;
+ put_NXAST_CONTROLLER2(out);
+ if (controller->max_len != UINT16_MAX) {
+ ofpprop_put_u16(out, NXAC2PT_MAX_LEN, controller->max_len);
+ }
+ if (controller->controller_id != 0) {
+ ofpprop_put_u16(out, NXAC2PT_CONTROLLER_ID,
+ controller->controller_id);
+ }
+ if (controller->reason != OFPR_ACTION) {
+ ofpprop_put_u8(out, NXAC2PT_REASON, controller->reason);
+ }
+ if (controller->userdata_len != 0) {
+ ofpprop_put(out, NXAC2PT_USERDATA, controller->userdata,
+ controller->userdata_len);
+ }
+ if (controller->pause) {
+ ofpprop_put_flag(out, NXAC2PT_PAUSE);
+ }
+ pad_ofpat(out, start_ofs);
+ } else {
+ struct nx_action_controller *nac;
- nac = put_NXAST_CONTROLLER(out);
- nac->max_len = htons(controller->max_len);
- nac->controller_id = htons(controller->controller_id);
- nac->reason = controller->reason;
+ nac = put_NXAST_CONTROLLER(out);
+ nac->max_len = htons(controller->max_len);
+ nac->controller_id = htons(controller->controller_id);
+ nac->reason = controller->reason;
+ }
}
static char * OVS_WARN_UNUSED_RESULT
enum ofp_packet_in_reason reason = OFPR_ACTION;
uint16_t controller_id = 0;
uint16_t max_len = UINT16_MAX;
+ const char *userdata = NULL;
+ bool pause = false;
if (!arg[0]) {
/* Use defaults. */
if (error) {
return error;
}
+ } else if (!strcmp(name, "userdata")) {
+ userdata = value;
+ } else if (!strcmp(name, "pause")) {
+ pause = true;
} else {
return xasprintf("unknown key \"%s\" parsing controller "
"action", name);
}
}
- if (reason == OFPR_ACTION && controller_id == 0) {
+ if (reason == OFPR_ACTION && controller_id == 0 && !userdata && !pause) {
struct ofpact_output *output;
output = ofpact_put_OUTPUT(ofpacts);
controller->max_len = max_len;
controller->reason = reason;
controller->controller_id = controller_id;
+ controller->pause = pause;
+
+ if (userdata) {
+ size_t start_ofs = ofpacts->size;
+ const char *end = ofpbuf_put_hex(ofpacts, userdata, NULL);
+ if (*end) {
+ return xstrdup("bad hex digit in `controller' "
+ "action `userdata'");
+ }
+ size_t userdata_len = ofpacts->size - start_ofs;
+ controller = ofpacts->header;
+ controller->userdata_len = userdata_len;
+ }
+ ofpact_finish(ofpacts, &controller->ofpact);
}
return NULL;
}
+static void
+format_hex_arg(struct ds *s, const uint8_t *data, size_t len)
+{
+ for (size_t i = 0; i < len; i++) {
+ if (i) {
+ ds_put_char(s, '.');
+ }
+ ds_put_format(s, "%02"PRIx8, data[i]);
+ }
+}
+
static void
format_CONTROLLER(const struct ofpact_controller *a, struct ds *s)
{
- if (a->reason == OFPR_ACTION && a->controller_id == 0) {
+ if (a->reason == OFPR_ACTION && !a->controller_id && !a->userdata_len
+ && !a->pause) {
ds_put_format(s, "CONTROLLER:%"PRIu16, a->max_len);
} else {
enum ofp_packet_in_reason reason = a->reason;
if (a->controller_id != 0) {
ds_put_format(s, "id=%"PRIu16",", a->controller_id);
}
+ if (a->userdata_len) {
+ ds_put_cstr(s, "userdata=");
+ format_hex_arg(s, a->userdata, a->userdata_len);
+ ds_put_char(s, ',');
+ }
+ if (a->pause) {
+ ds_put_cstr(s, "pause,");
+ }
ds_chomp(s, ',');
ds_put_char(s, ')');
}
struct ofpbuf *out)
{
struct ofpact_output_reg *output_reg;
- enum ofperr error;
- struct ofpbuf b;
-
output_reg = ofpact_put_OUTPUT_REG(out);
output_reg->ofpact.raw = NXAST_RAW_OUTPUT_REG2;
output_reg->src.ofs = nxm_decode_ofs(naor->ofs_nbits);
output_reg->src.n_bits = nxm_decode_n_bits(naor->ofs_nbits);
output_reg->max_len = ntohs(naor->max_len);
- ofpbuf_use_const(&b, naor, ntohs(naor->len));
+ struct ofpbuf b = ofpbuf_const_initializer(naor, ntohs(naor->len));
ofpbuf_pull(&b, OBJECT_OFFSETOF(naor, pad));
- error = nx_pull_header(&b, &output_reg->src.field, NULL);
+
+ enum ofperr error = nx_pull_header(&b, &output_reg->src.field, NULL);
if (error) {
return error;
}
}
bundle = ofpacts->header;
- ofpact_update_len(ofpacts, &bundle->ofpact);
+ ofpact_finish(ofpacts, &bundle->ofpact);
if (!error) {
error = bundle_check(bundle, OFPP_MAX, NULL);
* - NXM_OF_TCP_DST
* - NXM_OF_UDP_SRC
* - NXM_OF_UDP_DST
+ * - NXM_OF_ICMP_TYPE
+ * - NXM_OF_ICMP_CODE
+ * - NXM_NX_ICMPV6_TYPE
+ * - NXM_NX_ICMPV6_CODE
* - NXM_NX_ARP_SHA
* - NXM_NX_ARP_THA
* - NXM_OF_ARP_OP
const void *action, ovs_be16 action_len, size_t oxm_offset,
struct ofpbuf *ofpacts)
{
- struct ofpact_reg_move *move;
- enum ofperr error;
- struct ofpbuf b;
-
- move = ofpact_put_REG_MOVE(ofpacts);
+ struct ofpact_reg_move *move = ofpact_put_REG_MOVE(ofpacts);
move->ofpact.raw = ONFACT_RAW13_COPY_FIELD;
move->src.ofs = ntohs(src_offset);
move->src.n_bits = ntohs(n_bits);
move->dst.ofs = ntohs(dst_offset);
move->dst.n_bits = ntohs(n_bits);
- ofpbuf_use_const(&b, action, ntohs(action_len));
+ struct ofpbuf b = ofpbuf_const_initializer(action, ntohs(action_len));
ofpbuf_pull(&b, oxm_offset);
- error = nx_pull_header(&b, &move->src.field, NULL);
+
+ enum ofperr error = nx_pull_header(&b, &move->src.field, NULL);
if (error) {
return error;
}
enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *ofpacts)
{
- struct ofpact_reg_move *move;
- enum ofperr error;
- struct ofpbuf b;
-
- move = ofpact_put_REG_MOVE(ofpacts);
+ struct ofpact_reg_move *move = ofpact_put_REG_MOVE(ofpacts);
move->ofpact.raw = NXAST_RAW_REG_MOVE;
move->src.ofs = ntohs(narm->src_ofs);
move->src.n_bits = ntohs(narm->n_bits);
move->dst.ofs = ntohs(narm->dst_ofs);
move->dst.n_bits = ntohs(narm->n_bits);
- ofpbuf_use_const(&b, narm, ntohs(narm->len));
+ struct ofpbuf b = ofpbuf_const_initializer(narm, ntohs(narm->len));
ofpbuf_pull(&b, sizeof *narm);
- error = nx_pull_header(&b, &move->src.field, NULL);
+
+ enum ofperr error = nx_pull_header(&b, &move->src.field, NULL);
if (error) {
return error;
}
decode_ofpat_set_field(const struct ofp12_action_set_field *oasf,
bool may_mask, struct ofpbuf *ofpacts)
{
- struct ofpact_set_field *sf;
- enum ofperr error;
- struct ofpbuf b;
-
- sf = ofpact_put_SET_FIELD(ofpacts);
-
- ofpbuf_use_const(&b, oasf, ntohs(oasf->len));
+ struct ofpbuf b = ofpbuf_const_initializer(oasf, ntohs(oasf->len));
ofpbuf_pull(&b, OBJECT_OFFSETOF(oasf, pad));
- error = nx_pull_entry(&b, &sf->field, &sf->value,
- may_mask ? &sf->mask : NULL);
+
+ struct ofpact_set_field *sf = ofpact_put_SET_FIELD(ofpacts);
+ enum ofperr error = nx_pull_entry(&b, &sf->field, &sf->value,
+ may_mask ? &sf->mask : NULL);
if (error) {
return (error == OFPERR_OFPBMC_BAD_MASK
? OFPERR_OFPBAC_BAD_SET_MASK
enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
- struct ofpact_set_field *sf;
- enum ofperr error;
- struct ofpbuf b;
-
- sf = ofpact_put_SET_FIELD(out);
+ struct ofpact_set_field *sf = ofpact_put_SET_FIELD(out);
sf->ofpact.raw = NXAST_RAW_REG_LOAD2;
- ofpbuf_use_const(&b, narl, ntohs(narl->len));
+ struct ofpbuf b = ofpbuf_const_initializer(narl, ntohs(narl->len));
ofpbuf_pull(&b, OBJECT_OFFSETOF(narl, pad));
- error = nx_pull_entry(&b, &sf->field, &sf->value, &sf->mask);
+
+ enum ofperr error = nx_pull_entry(&b, &sf->field, &sf->value, &sf->mask);
if (error) {
return error;
}
decode_stack_action(const struct nx_action_stack *nasp,
struct ofpact_stack *stack_action)
{
- enum ofperr error;
- struct ofpbuf b;
-
stack_action->subfield.ofs = ntohs(nasp->offset);
- ofpbuf_use_const(&b, nasp, sizeof *nasp);
+ struct ofpbuf b = ofpbuf_const_initializer(nasp, sizeof *nasp);
ofpbuf_pull(&b, OBJECT_OFFSETOF(nasp, pad));
- error = nx_pull_header(&b, &stack_action->subfield.field, NULL);
+ enum ofperr error = nx_pull_header(&b, &stack_action->subfield.field,
+ NULL);
if (error) {
return error;
}
ids->n_controllers = 1;
ofpbuf_put(out, &id, sizeof id);
ids = out->header;
- ofpact_update_len(out, &ids->ofpact);
+ ofpact_finish(out, &ids->ofpact);
return error;
}
ids = out->header;
}
- ofpact_update_len(out, &ids->ofpact);
+ ofpact_finish(out, &ids->ofpact);
return 0;
}
ofpbuf_put(ofpacts, &id, sizeof id);
ids = ofpacts->header;
ids->n_controllers++;
- ofpact_update_len(ofpacts, &ids->ofpact);
+ ofpact_finish(ofpacts, &ids->ofpact);
}
static char * OVS_WARN_UNUSED_RESULT
return xstrdup("dec_ttl_cnt_ids: expected at least one controller "
"id.");
}
- ofpact_update_len(ofpacts, &ids->ofpact);
+ ofpact_finish(ofpacts, &ids->ofpact);
}
return NULL;
}
get_subfield(spec->n_bits, &p, &spec->dst);
}
}
- ofpact_update_len(ofpacts, &learn->ofpact);
+ ofpact_finish(ofpacts, &learn->ofpact);
if (!is_all_zeros(p, (char *) end - (char *) p)) {
return OFPERR_OFPBAC_BAD_ARGUMENT;
unsigned int length;
length = ntohs(nan->len) - offsetof(struct nx_action_note, note);
- note = ofpact_put(out, OFPACT_NOTE,
- offsetof(struct ofpact_note, data) + length);
+ note = ofpact_put_NOTE(out);
note->length = length;
- memcpy(note->data, nan->note, length);
+ ofpbuf_put(out, nan->note, length);
+ ofpact_finish(out, out->header);
return 0;
}
{
size_t start_ofs = out->size;
struct nx_action_note *nan;
- unsigned int remainder;
- unsigned int len;
put_NXAST_NOTE(out);
out->size = out->size - sizeof nan->note;
ofpbuf_put(out, note->data, note->length);
-
- len = out->size - start_ofs;
- remainder = len % OFP_ACTION_ALIGN;
- if (remainder) {
- ofpbuf_put_zeros(out, OFP_ACTION_ALIGN - remainder);
- }
- nan = ofpbuf_at(out, start_ofs, sizeof *nan);
- nan->len = htons(out->size - start_ofs);
+ pad_ofpat(out, start_ofs);
}
static char * OVS_WARN_UNUSED_RESULT
parse_NOTE(const char *arg, struct ofpbuf *ofpacts,
enum ofputil_protocol *usable_protocols OVS_UNUSED)
{
- struct ofpact_note *note;
-
- note = ofpact_put_NOTE(ofpacts);
- while (*arg != '\0') {
- uint8_t byte;
- bool ok;
-
- if (*arg == '.') {
- arg++;
- }
- if (*arg == '\0') {
- break;
- }
-
- byte = hexits_value(arg, 2, &ok);
- if (!ok) {
- return xstrdup("bad hex digit in `note' argument");
- }
- ofpbuf_put(ofpacts, &byte, 1);
-
- note = ofpacts->header;
- note->length++;
-
- arg += 2;
+ size_t start_ofs = ofpacts->size;
+ ofpact_put_NOTE(ofpacts);
+ arg = ofpbuf_put_hex(ofpacts, arg, NULL);
+ if (arg[0]) {
+ return xstrdup("bad hex digit in `note' argument");
}
- ofpact_update_len(ofpacts, ¬e->ofpact);
+ struct ofpact_note *note = ofpbuf_at_assert(ofpacts, start_ofs,
+ sizeof *note);
+ note->length = ofpacts->size - (start_ofs + sizeof *note);
+ ofpact_finish(ofpacts, ¬e->ofpact);
return NULL;
}
static void
format_NOTE(const struct ofpact_note *a, struct ds *s)
{
- size_t i;
-
ds_put_cstr(s, "note:");
- for (i = 0; i < a->length; i++) {
- if (i) {
- ds_put_char(s, '.');
- }
- ds_put_format(s, "%02"PRIx8, a->data[i]);
- }
+ format_hex_arg(s, a->data, a->length);
}
\f
/* Exit action. */
}
static void
-format_UNROLL_XLATE(const struct ofpact_unroll_xlate *a OVS_UNUSED,
- struct ds *s)
+format_UNROLL_XLATE(const struct ofpact_unroll_xlate *a, struct ds *s)
{
- ds_put_cstr(s, "unroll_xlate");
+ ds_put_format(s, "unroll_xlate(table=%"PRIu8", cookie=%"PRIu64")",
+ a->rule_table_id, ntohll(a->rule_cookie));
}
\f
/* Action structure for NXAST_SAMPLE.
{
ds_put_cstr(s, "debug_recirc");
}
+
+/* Action structure for NXAST_CT.
+ *
+ * Pass traffic to the connection tracker.
+ *
+ * There are two important concepts to understanding the connection tracking
+ * interface: Packet state and Connection state. Packets may be "Untracked" or
+ * "Tracked". Connections may be "Uncommitted" or "Committed".
+ *
+ * - Packet State:
+ *
+ * Untracked packets have not yet passed through the connection tracker,
+ * and the connection state for such packets is unknown. In most cases,
+ * packets entering the OpenFlow pipeline will initially be in the
+ * untracked state. Untracked packets may become tracked by executing
+ * NXAST_CT with a "recirc_table" specified. This makes various aspects
+ * about the connection available, in particular the connection state.
+ *
+ * Tracked packets have previously passed through the connection tracker.
+ * These packets will remain tracked through until the end of the OpenFlow
+ * pipeline. Tracked packets which have NXAST_CT executed with a
+ * "recirc_table" specified will return to the tracked state.
+ *
+ * The packet state is only significant for the duration of packet
+ * processing within the OpenFlow pipeline.
+ *
+ * - Connection State:
+ *
+ * Multiple packets may be associated with a single connection. Initially,
+ * all connections are uncommitted. The connection state corresponding to
+ * a packet is available in the NXM_NX_CT_STATE field for tracked packets.
+ *
+ * Uncommitted connections have no state stored about them. Uncommitted
+ * connections may transition into the committed state by executing
+ * NXAST_CT with the NX_CT_F_COMMIT flag.
+ *
+ * Once a connection becomes committed, information may be gathered about
+ * the connection by passing subsequent packets through the connection
+ * tracker, and the state of the connection will be stored beyond the
+ * lifetime of packet processing.
+ *
+ * Connections may transition back into the uncommitted state due to
+ * external timers, or due to the contents of packets that are sent to the
+ * connection tracker. This behaviour is outside of the scope of the
+ * OpenFlow interface.
+ *
+ * The "zone" specifies a context within which the tracking is done:
+ *
+ * The connection tracking zone is a 16-bit number. Each zone is an
+ * independent connection tracking context. The connection state for each
+ * connection is completely separate for each zone, so if a connection
+ * is committed to zone A, then it will remain uncommitted in zone B.
+ * If NXAST_CT is executed with the same zone multiple times, later
+ * executions have no effect.
+ *
+ * If 'zone_src' is nonzero, this specifies that the zone should be
+ * sourced from a field zone_src[ofs:ofs+nbits]. The format and semantics
+ * of 'zone_src' and 'zone_ofs_nbits' are similar to those for the
+ * NXAST_REG_LOAD action. The acceptable nxm_header values for 'zone_src'
+ * are the same as the acceptable nxm_header values for the 'src' field of
+ * NXAST_REG_MOVE.
+ *
+ * If 'zone_src' is zero, then the value of 'zone_imm' will be used as the
+ * connection tracking zone.
+ *
+ * The "recirc_table" allows NXM_NX_CT_* fields to become available:
+ *
+ * If "recirc_table" has a value other than NX_CT_RECIRC_NONE, then the
+ * packet will be logically cloned prior to executing this action. One
+ * copy will be sent to the connection tracker, then will be re-injected
+ * into the OpenFlow pipeline beginning at the OpenFlow table specified in
+ * this field. When the packet re-enters the pipeline, the NXM_NX_CT_*
+ * fields will be populated. The original instance of the packet will
+ * continue the current actions list. This can be thought of as similar to
+ * the effect of the "output" action: One copy is sent out (in this case,
+ * to the connection tracker), but the current copy continues processing.
+ *
+ * It is strongly recommended that this table is later than the current
+ * table, to prevent loops.
+ *
+ * The "alg" attaches protocol-specific behaviour to this action:
+ *
+ * The ALG is a 16-bit number which specifies that additional
+ * processing should be applied to this traffic.
+ *
+ * Protocol | Value | Meaning
+ * --------------------------------------------------------------------
+ * None | 0 | No protocol-specific behaviour.
+ * FTP | 21 | Parse FTP control connections and observe the
+ * | | negotiation of related data connections.
+ * Other | Other | Unsupported protocols.
+ *
+ * By way of example, if FTP control connections have this action applied
+ * with the ALG set to FTP (21), then the connection tracker will observe
+ * the negotiation of data connections. This allows the connection
+ * tracker to identify subsequent data connections as "related" to this
+ * existing connection. The "related" flag will be populated in the
+ * NXM_NX_CT_STATE field for such connections if the 'recirc_table' is
+ * specified.
+ *
+ * Zero or more actions may immediately follow this action. These actions will
+ * be executed within the context of the connection tracker, and they require
+ * the NX_CT_F_COMMIT flag to be set.
+ */
+struct nx_action_conntrack {
+ ovs_be16 type; /* OFPAT_VENDOR. */
+ ovs_be16 len; /* At least 24. */
+ ovs_be32 vendor; /* NX_VENDOR_ID. */
+ ovs_be16 subtype; /* NXAST_CT. */
+ ovs_be16 flags; /* Zero or more NX_CT_F_* flags.
+ * Unspecified flag bits must be zero. */
+ ovs_be32 zone_src; /* Connection tracking context. */
+ union {
+ ovs_be16 zone_ofs_nbits;/* Range to use from source field. */
+ ovs_be16 zone_imm; /* Immediate value for zone. */
+ };
+ uint8_t recirc_table; /* Recirculate to a specific table, or
+ NX_CT_RECIRC_NONE for no recirculation. */
+ uint8_t pad[3]; /* Zeroes */
+ ovs_be16 alg; /* Well-known port number for the protocol.
+ * 0 indicates no ALG is required. */
+ /* Followed by a sequence of zero or more OpenFlow actions. The length of
+ * these is included in 'len'. */
+};
+OFP_ASSERT(sizeof(struct nx_action_conntrack) == 24);
+
+static enum ofperr
+decode_ct_zone(const struct nx_action_conntrack *nac,
+ struct ofpact_conntrack *out)
+{
+ if (nac->zone_src) {
+ enum ofperr error;
+
+ out->zone_src.field = mf_from_nxm_header(ntohl(nac->zone_src));
+ out->zone_src.ofs = nxm_decode_ofs(nac->zone_ofs_nbits);
+ out->zone_src.n_bits = nxm_decode_n_bits(nac->zone_ofs_nbits);
+ error = mf_check_src(&out->zone_src, NULL);
+ if (error) {
+ return error;
+ }
+
+ if (out->zone_src.n_bits != 16) {
+ VLOG_WARN_RL(&rl, "zone n_bits %d not within valid range [16..16]",
+ out->zone_src.n_bits);
+ return OFPERR_OFPBAC_BAD_SET_LEN;
+ }
+ } else {
+ out->zone_src.field = NULL;
+ out->zone_imm = ntohs(nac->zone_imm);
+ }
+
+ return 0;
+}
+
+static enum ofperr
+decode_NXAST_RAW_CT(const struct nx_action_conntrack *nac,
+ enum ofp_version ofp_version, struct ofpbuf *out)
+{
+ const size_t ct_offset = ofpacts_pull(out);
+ struct ofpact_conntrack *conntrack = ofpact_put_CT(out);
+ conntrack->flags = ntohs(nac->flags);
+
+ int error = decode_ct_zone(nac, conntrack);
+ if (error) {
+ goto out;
+ }
+ conntrack->recirc_table = nac->recirc_table;
+ conntrack->alg = ntohs(nac->alg);
+
+ ofpbuf_pull(out, sizeof(*conntrack));
+
+ struct ofpbuf openflow = ofpbuf_const_initializer(
+ nac + 1, ntohs(nac->len) - sizeof(*nac));
+ error = ofpacts_pull_openflow_actions__(&openflow, openflow.size,
+ ofp_version,
+ 1u << OVSINST_OFPIT11_APPLY_ACTIONS,
+ out, OFPACT_CT);
+ if (error) {
+ goto out;
+ }
+
+ conntrack = ofpbuf_push_uninit(out, sizeof(*conntrack));
+ out->header = &conntrack->ofpact;
+ ofpact_finish(out, &conntrack->ofpact);
+
+ if (conntrack->ofpact.len > sizeof(*conntrack)
+ && !(conntrack->flags & NX_CT_F_COMMIT)) {
+ const struct ofpact *a;
+ size_t ofpacts_len = conntrack->ofpact.len - sizeof(*conntrack);
+
+ OFPACT_FOR_EACH (a, conntrack->actions, ofpacts_len) {
+ if (a->type != OFPACT_NAT || ofpact_get_NAT(a)->flags
+ || ofpact_get_NAT(a)->range_af != AF_UNSPEC) {
+ VLOG_WARN_RL(&rl, "CT action requires commit flag if actions "
+ "other than NAT without arguments are specified.");
+ error = OFPERR_OFPBAC_BAD_ARGUMENT;
+ goto out;
+ }
+ }
+ }
+
+out:
+ ofpbuf_push_uninit(out, ct_offset);
+ return error;
+}
+
+static void
+encode_CT(const struct ofpact_conntrack *conntrack,
+ enum ofp_version ofp_version, struct ofpbuf *out)
+{
+ struct nx_action_conntrack *nac;
+ const size_t ofs = out->size;
+ size_t len;
+
+ nac = put_NXAST_CT(out);
+ nac->flags = htons(conntrack->flags);
+ if (conntrack->zone_src.field) {
+ nac->zone_src = htonl(mf_nxm_header(conntrack->zone_src.field->id));
+ nac->zone_ofs_nbits = nxm_encode_ofs_nbits(conntrack->zone_src.ofs,
+ conntrack->zone_src.n_bits);
+ } else {
+ nac->zone_src = htonl(0);
+ nac->zone_imm = htons(conntrack->zone_imm);
+ }
+ nac->recirc_table = conntrack->recirc_table;
+ nac->alg = htons(conntrack->alg);
+
+ len = ofpacts_put_openflow_actions(conntrack->actions,
+ ofpact_ct_get_action_len(conntrack),
+ out, ofp_version);
+ len += sizeof(*nac);
+ nac = ofpbuf_at(out, ofs, sizeof(*nac));
+ nac->len = htons(len);
+}
+
+static char * OVS_WARN_UNUSED_RESULT parse_NAT(char *arg, struct ofpbuf *,
+ enum ofputil_protocol * OVS_UNUSED);
+
+/* Parses 'arg' as the argument to a "ct" action, and appends such an
+ * action to 'ofpacts'.
+ *
+ * Returns NULL if successful, otherwise a malloc()'d string describing the
+ * error. The caller is responsible for freeing the returned string. */
+static char * OVS_WARN_UNUSED_RESULT
+parse_CT(char *arg, struct ofpbuf *ofpacts,
+ enum ofputil_protocol *usable_protocols)
+{
+ const size_t ct_offset = ofpacts_pull(ofpacts);
+ struct ofpact_conntrack *oc;
+ char *error = NULL;
+ char *key, *value;
+
+ oc = ofpact_put_CT(ofpacts);
+ oc->flags = 0;
+ oc->recirc_table = NX_CT_RECIRC_NONE;
+ while (ofputil_parse_key_value(&arg, &key, &value)) {
+ if (!strcmp(key, "commit")) {
+ oc->flags |= NX_CT_F_COMMIT;
+ } else if (!strcmp(key, "table")) {
+ error = str_to_u8(value, "recirc_table", &oc->recirc_table);
+ if (!error && oc->recirc_table == NX_CT_RECIRC_NONE) {
+ error = xasprintf("invalid table %#"PRIx16, oc->recirc_table);
+ }
+ } else if (!strcmp(key, "zone")) {
+ error = str_to_u16(value, "zone", &oc->zone_imm);
+
+ if (error) {
+ free(error);
+ error = mf_parse_subfield(&oc->zone_src, value);
+ if (error) {
+ return error;
+ }
+ }
+ } else if (!strcmp(key, "alg")) {
+ error = str_to_connhelper(value, &oc->alg);
+ } else if (!strcmp(key, "nat")) {
+ const size_t nat_offset = ofpacts_pull(ofpacts);
+
+ error = parse_NAT(value, ofpacts, usable_protocols);
+ /* Update CT action pointer and length. */
+ ofpacts->header = ofpbuf_push_uninit(ofpacts, nat_offset);
+ oc = ofpacts->header;
+ } else if (!strcmp(key, "exec")) {
+ /* Hide existing actions from ofpacts_parse_copy(), so the
+ * nesting can be handled transparently. */
+ enum ofputil_protocol usable_protocols2;
+ const size_t exec_offset = ofpacts_pull(ofpacts);
+
+ /* Initializes 'usable_protocol2', fold it back to
+ * '*usable_protocols' afterwards, so that we do not lose
+ * restrictions already in there. */
+ error = ofpacts_parse_copy(value, ofpacts, &usable_protocols2,
+ false, OFPACT_CT);
+ *usable_protocols &= usable_protocols2;
+ ofpacts->header = ofpbuf_push_uninit(ofpacts, exec_offset);
+ oc = ofpacts->header;
+ } else {
+ error = xasprintf("invalid argument to \"ct\" action: `%s'", key);
+ }
+ if (error) {
+ break;
+ }
+ }
+
+ ofpact_finish(ofpacts, &oc->ofpact);
+ ofpbuf_push_uninit(ofpacts, ct_offset);
+ return error;
+}
+
+static void
+format_alg(int port, struct ds *s)
+{
+ if (port == IPPORT_FTP) {
+ ds_put_format(s, "alg=ftp,");
+ } else if (port) {
+ ds_put_format(s, "alg=%d,", port);
+ }
+}
+
+static void format_NAT(const struct ofpact_nat *a, struct ds *ds);
+
+static void
+format_CT(const struct ofpact_conntrack *a, struct ds *s)
+{
+ ds_put_cstr(s, "ct(");
+ if (a->flags & NX_CT_F_COMMIT) {
+ ds_put_cstr(s, "commit,");
+ }
+ if (a->recirc_table != NX_CT_RECIRC_NONE) {
+ ds_put_format(s, "table=%"PRIu8",", a->recirc_table);
+ }
+ if (a->zone_src.field) {
+ ds_put_format(s, "zone=");
+ mf_format_subfield(&a->zone_src, s);
+ ds_put_char(s, ',');
+ } else if (a->zone_imm) {
+ ds_put_format(s, "zone=%"PRIu16",", a->zone_imm);
+ }
+ /* If the first action is a NAT action, format it outside of the 'exec'
+ * envelope. */
+ const struct ofpact *action = a->actions;
+ size_t actions_len = ofpact_ct_get_action_len(a);
+ if (actions_len && action->type == OFPACT_NAT) {
+ format_NAT(ofpact_get_NAT(action), s);
+ ds_put_char(s, ',');
+ actions_len -= OFPACT_ALIGN(action->len);
+ action = ofpact_next(action);
+ }
+ if (actions_len) {
+ ds_put_cstr(s, "exec(");
+ ofpacts_format(action, actions_len, s);
+ ds_put_cstr(s, "),");
+ }
+ format_alg(a->alg, s);
+ ds_chomp(s, ',');
+ ds_put_char(s, ')');
+}
+\f
+/* NAT action. */
+
+/* Which optional fields are present? */
+enum nx_nat_range {
+ NX_NAT_RANGE_IPV4_MIN = 1 << 0, /* ovs_be32 */
+ NX_NAT_RANGE_IPV4_MAX = 1 << 1, /* ovs_be32 */
+ NX_NAT_RANGE_IPV6_MIN = 1 << 2, /* struct in6_addr */
+ NX_NAT_RANGE_IPV6_MAX = 1 << 3, /* struct in6_addr */
+ NX_NAT_RANGE_PROTO_MIN = 1 << 4, /* ovs_be16 */
+ NX_NAT_RANGE_PROTO_MAX = 1 << 5, /* ovs_be16 */
+};
+
+/* Action structure for NXAST_NAT. */
+struct nx_action_nat {
+ ovs_be16 type; /* OFPAT_VENDOR. */
+ ovs_be16 len; /* At least 16. */
+ ovs_be32 vendor; /* NX_VENDOR_ID. */
+ ovs_be16 subtype; /* NXAST_NAT. */
+ uint8_t pad[2]; /* Must be zero. */
+ ovs_be16 flags; /* Zero or more NX_NAT_F_* flags.
+ * Unspecified flag bits must be zero. */
+ ovs_be16 range_present; /* NX_NAT_RANGE_* */
+ /* Followed by optional parameters as specified by 'range_present' */
+};
+OFP_ASSERT(sizeof(struct nx_action_nat) == 16);
+
+static void
+encode_NAT(const struct ofpact_nat *nat,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
+{
+ struct nx_action_nat *nan;
+ const size_t ofs = out->size;
+ uint16_t range_present = 0;
+
+ nan = put_NXAST_NAT(out);
+ nan->flags = htons(nat->flags);
+ if (nat->range_af == AF_INET) {
+ if (nat->range.addr.ipv4.min) {
+ ovs_be32 *min = ofpbuf_put_uninit(out, sizeof *min);
+ *min = nat->range.addr.ipv4.min;
+ range_present |= NX_NAT_RANGE_IPV4_MIN;
+ }
+ if (nat->range.addr.ipv4.max) {
+ ovs_be32 *max = ofpbuf_put_uninit(out, sizeof *max);
+ *max = nat->range.addr.ipv4.max;
+ range_present |= NX_NAT_RANGE_IPV4_MAX;
+ }
+ } else if (nat->range_af == AF_INET6) {
+ if (!ipv6_mask_is_any(&nat->range.addr.ipv6.min)) {
+ struct in6_addr *min = ofpbuf_put_uninit(out, sizeof *min);
+ *min = nat->range.addr.ipv6.min;
+ range_present |= NX_NAT_RANGE_IPV6_MIN;
+ }
+ if (!ipv6_mask_is_any(&nat->range.addr.ipv6.max)) {
+ struct in6_addr *max = ofpbuf_put_uninit(out, sizeof *max);
+ *max = nat->range.addr.ipv6.max;
+ range_present |= NX_NAT_RANGE_IPV6_MAX;
+ }
+ }
+ if (nat->range_af != AF_UNSPEC) {
+ if (nat->range.proto.min) {
+ ovs_be16 *min = ofpbuf_put_uninit(out, sizeof *min);
+ *min = htons(nat->range.proto.min);
+ range_present |= NX_NAT_RANGE_PROTO_MIN;
+ }
+ if (nat->range.proto.max) {
+ ovs_be16 *max = ofpbuf_put_uninit(out, sizeof *max);
+ *max = htons(nat->range.proto.max);
+ range_present |= NX_NAT_RANGE_PROTO_MAX;
+ }
+ }
+ pad_ofpat(out, ofs);
+ nan = ofpbuf_at(out, ofs, sizeof *nan);
+ nan->range_present = htons(range_present);
+}
+
+static enum ofperr
+decode_NXAST_RAW_NAT(const struct nx_action_nat *nan,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
+{
+ struct ofpact_nat *nat;
+ uint16_t range_present = ntohs(nan->range_present);
+ const char *opts = (char *)(nan + 1);
+ uint16_t len = ntohs(nan->len) - sizeof *nan;
+
+ nat = ofpact_put_NAT(out);
+ nat->flags = ntohs(nan->flags);
+
+#define NX_NAT_GET_OPT(DST, SRC, LEN, TYPE) \
+ (LEN >= sizeof(TYPE) \
+ ? (memcpy(DST, SRC, sizeof(TYPE)), LEN -= sizeof(TYPE), \
+ SRC += sizeof(TYPE)) \
+ : NULL)
+
+ nat->range_af = AF_UNSPEC;
+ if (range_present & NX_NAT_RANGE_IPV4_MIN) {
+ if (range_present & (NX_NAT_RANGE_IPV6_MIN | NX_NAT_RANGE_IPV6_MAX)) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+
+ if (!NX_NAT_GET_OPT(&nat->range.addr.ipv4.min, opts, len, ovs_be32)
+ || !nat->range.addr.ipv4.min) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+
+ nat->range_af = AF_INET;
+
+ if (range_present & NX_NAT_RANGE_IPV4_MAX) {
+ if (!NX_NAT_GET_OPT(&nat->range.addr.ipv4.max, opts, len,
+ ovs_be32)) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ if (ntohl(nat->range.addr.ipv4.max)
+ < ntohl(nat->range.addr.ipv4.min)) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ }
+ } else if (range_present & NX_NAT_RANGE_IPV4_MAX) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ } else if (range_present & NX_NAT_RANGE_IPV6_MIN) {
+ if (!NX_NAT_GET_OPT(&nat->range.addr.ipv6.min, opts, len,
+ struct in6_addr)
+ || ipv6_mask_is_any(&nat->range.addr.ipv6.min)) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+
+ nat->range_af = AF_INET6;
+
+ if (range_present & NX_NAT_RANGE_IPV6_MAX) {
+ if (!NX_NAT_GET_OPT(&nat->range.addr.ipv6.max, opts, len,
+ struct in6_addr)) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ if (memcmp(&nat->range.addr.ipv6.max, &nat->range.addr.ipv6.min,
+ sizeof(struct in6_addr)) < 0) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ }
+ } else if (range_present & NX_NAT_RANGE_IPV6_MAX) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+
+ if (range_present & NX_NAT_RANGE_PROTO_MIN) {
+ ovs_be16 proto;
+
+ if (nat->range_af == AF_UNSPEC) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ if (!NX_NAT_GET_OPT(&proto, opts, len, ovs_be16) || proto == 0) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ nat->range.proto.min = ntohs(proto);
+ if (range_present & NX_NAT_RANGE_PROTO_MAX) {
+ if (!NX_NAT_GET_OPT(&proto, opts, len, ovs_be16)) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ nat->range.proto.max = ntohs(proto);
+ if (nat->range.proto.max < nat->range.proto.min) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ }
+ } else if (range_present & NX_NAT_RANGE_PROTO_MAX) {
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+
+ return 0;
+}
+
+static void
+format_NAT(const struct ofpact_nat *a, struct ds *ds)
+{
+ ds_put_cstr(ds, "nat");
+
+ if (a->flags & (NX_NAT_F_SRC | NX_NAT_F_DST)) {
+ ds_put_char(ds, '(');
+ ds_put_cstr(ds, a->flags & NX_NAT_F_SRC ? "src" : "dst");
+
+ if (a->range_af != AF_UNSPEC) {
+ ds_put_cstr(ds, "=");
+
+ if (a->range_af == AF_INET) {
+ ds_put_format(ds, IP_FMT, IP_ARGS(a->range.addr.ipv4.min));
+
+ if (a->range.addr.ipv4.max
+ && a->range.addr.ipv4.max != a->range.addr.ipv4.min) {
+ ds_put_format(ds, "-"IP_FMT,
+ IP_ARGS(a->range.addr.ipv4.max));
+ }
+ } else if (a->range_af == AF_INET6) {
+ ipv6_format_addr_bracket(&a->range.addr.ipv6.min, ds,
+ a->range.proto.min);
+
+ if (!ipv6_mask_is_any(&a->range.addr.ipv6.max)
+ && memcmp(&a->range.addr.ipv6.max, &a->range.addr.ipv6.min,
+ sizeof(struct in6_addr)) != 0) {
+ ds_put_char(ds, '-');
+ ipv6_format_addr_bracket(&a->range.addr.ipv6.max, ds,
+ a->range.proto.min);
+ }
+ }
+ if (a->range.proto.min) {
+ ds_put_char(ds, ':');
+ ds_put_format(ds, "%"PRIu16, a->range.proto.min);
+
+ if (a->range.proto.max
+ && a->range.proto.max != a->range.proto.min) {
+ ds_put_format(ds, "-%"PRIu16, a->range.proto.max);
+ }
+ }
+ ds_put_char(ds, ',');
+
+ if (a->flags & NX_NAT_F_PERSISTENT) {
+ ds_put_cstr(ds, "persistent,");
+ }
+ if (a->flags & NX_NAT_F_PROTO_HASH) {
+ ds_put_cstr(ds, "hash,");
+ }
+ if (a->flags & NX_NAT_F_PROTO_RANDOM) {
+ ds_put_cstr(ds, "random,");
+ }
+ }
+ ds_chomp(ds, ',');
+ ds_put_char(ds, ')');
+ }
+}
+
+static char * OVS_WARN_UNUSED_RESULT
+str_to_nat_range(const char *s, struct ofpact_nat *on)
+{
+ char ipv6_s[IPV6_SCAN_LEN + 1];
+ int n = 0;
+
+ on->range_af = AF_UNSPEC;
+ if (ovs_scan_len(s, &n, IP_SCAN_FMT,
+ IP_SCAN_ARGS(&on->range.addr.ipv4.min))) {
+ on->range_af = AF_INET;
+
+ if (s[n] == '-') {
+ n++;
+ if (!ovs_scan_len(s, &n, IP_SCAN_FMT,
+ IP_SCAN_ARGS(&on->range.addr.ipv4.max))
+ || (ntohl(on->range.addr.ipv4.max)
+ < ntohl(on->range.addr.ipv4.min))) {
+ goto error;
+ }
+ }
+ } else if ((ovs_scan_len(s, &n, IPV6_SCAN_FMT, ipv6_s)
+ || ovs_scan_len(s, &n, "["IPV6_SCAN_FMT"]", ipv6_s))
+ && inet_pton(AF_INET6, ipv6_s, &on->range.addr.ipv6.min) == 1) {
+ on->range_af = AF_INET6;
+
+ if (s[n] == '-') {
+ n++;
+ if (!(ovs_scan_len(s, &n, IPV6_SCAN_FMT, ipv6_s)
+ || ovs_scan_len(s, &n, "["IPV6_SCAN_FMT"]", ipv6_s))
+ || inet_pton(AF_INET6, ipv6_s, &on->range.addr.ipv6.max) != 1
+ || memcmp(&on->range.addr.ipv6.max, &on->range.addr.ipv6.min,
+ sizeof on->range.addr.ipv6.max) < 0) {
+ goto error;
+ }
+ }
+ }
+ if (on->range_af != AF_UNSPEC && s[n] == ':') {
+ n++;
+ if (!ovs_scan_len(s, &n, "%"SCNu16, &on->range.proto.min)) {
+ goto error;
+ }
+ if (s[n] == '-') {
+ n++;
+ if (!ovs_scan_len(s, &n, "%"SCNu16, &on->range.proto.max)
+ || on->range.proto.max < on->range.proto.min) {
+ goto error;
+ }
+ }
+ }
+ if (strlen(s) != n) {
+ return xasprintf("garbage (%s) after nat range \"%s\" (pos: %d)",
+ &s[n], s, n);
+ }
+ return NULL;
+error:
+ return xasprintf("invalid nat range \"%s\"", s);
+}
+
+
+/* Parses 'arg' as the argument to a "nat" action, and appends such an
+ * action to 'ofpacts'.
+ *
+ * Returns NULL if successful, otherwise a malloc()'d string describing the
+ * error. The caller is responsible for freeing the returned string. */
+static char * OVS_WARN_UNUSED_RESULT
+parse_NAT(char *arg, struct ofpbuf *ofpacts,
+ enum ofputil_protocol *usable_protocols OVS_UNUSED)
+{
+ struct ofpact_nat *on = ofpact_put_NAT(ofpacts);
+ char *key, *value;
+
+ on->flags = 0;
+ on->range_af = AF_UNSPEC;
+
+ while (ofputil_parse_key_value(&arg, &key, &value)) {
+ char *error = NULL;
+
+ if (!strcmp(key, "src")) {
+ on->flags |= NX_NAT_F_SRC;
+ error = str_to_nat_range(value, on);
+ } else if (!strcmp(key, "dst")) {
+ on->flags |= NX_NAT_F_DST;
+ error = str_to_nat_range(value, on);
+ } else if (!strcmp(key, "persistent")) {
+ on->flags |= NX_NAT_F_PERSISTENT;
+ } else if (!strcmp(key, "hash")) {
+ on->flags |= NX_NAT_F_PROTO_HASH;
+ } else if (!strcmp(key, "random")) {
+ on->flags |= NX_NAT_F_PROTO_RANDOM;
+ } else {
+ error = xasprintf("invalid key \"%s\" in \"nat\" argument",
+ key);
+ }
+ if (error) {
+ return error;
+ }
+ }
+ if (on->flags & NX_NAT_F_SRC && on->flags & NX_NAT_F_DST) {
+ return xasprintf("May only specify one of \"snat\" or \"dnat\".");
+ }
+ if (!(on->flags & NX_NAT_F_SRC || on->flags & NX_NAT_F_DST)) {
+ if (on->flags) {
+ return xasprintf("Flags allowed only with \"snat\" or \"dnat\".");
+ }
+ if (on->range_af != AF_UNSPEC) {
+ return xasprintf("Range allowed only with \"snat\" or \"dnat\".");
+ }
+ }
+ return NULL;
+}
+
\f
/* Meter instruction. */
ofpacts_decode(const void *actions, size_t actions_len,
enum ofp_version ofp_version, struct ofpbuf *ofpacts)
{
- struct ofpbuf openflow;
-
- ofpbuf_use_const(&openflow, actions, actions_len);
+ struct ofpbuf openflow = ofpbuf_const_initializer(actions, actions_len);
while (openflow.size) {
const struct ofp_action_header *action = openflow.data;
enum ofp_raw_action_type raw;
return error;
}
}
-
- ofpact_pad(ofpacts);
return 0;
}
enum ofpact_type outer_action)
{
const struct ofp_action_header *actions;
+ size_t orig_size = ofpacts->size;
enum ofperr error;
- if (!outer_action) {
- ofpbuf_clear(ofpacts);
- }
-
if (actions_len % OFP_ACTION_ALIGN != 0) {
VLOG_WARN_RL(&rl, "OpenFlow message actions length %u is not a "
"multiple of %d", actions_len, OFP_ACTION_ALIGN);
error = ofpacts_decode(actions, actions_len, version, ofpacts);
if (error) {
- ofpbuf_clear(ofpacts);
+ ofpacts->size = orig_size;
return error;
}
error = ofpacts_verify(ofpacts->data, ofpacts->size, allowed_ovsinsts,
outer_action);
if (error) {
- ofpbuf_clear(ofpacts);
+ ofpacts->size = orig_size;
}
return error;
}
-/* Attempts to convert 'actions_len' bytes of OpenFlow actions from the
- * front of 'openflow' into ofpacts. On success, replaces any existing content
- * in 'ofpacts' by the converted ofpacts; on failure, clears 'ofpacts'.
+/* Attempts to convert 'actions_len' bytes of OpenFlow actions from the front
+ * of 'openflow' into ofpacts. On success, appends the converted actions to
+ * 'ofpacts'; on failure, 'ofpacts' is unchanged (but might be reallocated) .
* Returns 0 if successful, otherwise an OpenFlow error.
*
* Actions are processed according to their OpenFlow version which
return true;
case OFPACT_BUNDLE:
case OFPACT_CLEAR_ACTIONS:
+ case OFPACT_CT:
+ case OFPACT_NAT:
case OFPACT_CONTROLLER:
case OFPACT_DEC_MPLS_TTL:
case OFPACT_DEC_TTL:
* in the action set is undefined. */
case OFPACT_BUNDLE:
case OFPACT_CONTROLLER:
+ case OFPACT_CT:
+ case OFPACT_NAT:
case OFPACT_ENQUEUE:
case OFPACT_EXIT:
case OFPACT_UNROLL_XLATE:
case OFPACT_UNROLL_XLATE:
case OFPACT_SAMPLE:
case OFPACT_DEBUG_RECIRC:
+ case OFPACT_CT:
+ case OFPACT_NAT:
default:
return OVSINST_OFPIT11_APPLY_ACTIONS;
}
const struct ofp11_instruction *insts[N_OVS_INSTRUCTIONS];
enum ofperr error;
+ ofpbuf_clear(ofpacts);
if (version == OFP10_VERSION) {
return ofpacts_pull_openflow_actions__(openflow, instructions_len,
version,
ofpacts, 0);
}
- ofpbuf_clear(ofpacts);
-
if (instructions_len % OFP11_INSTRUCTION_ALIGN != 0) {
VLOG_WARN_RL(&rl, "OpenFlow message instructions length %u is not a "
"multiple of %d",
struct ofpact_nest *on;
const struct ofp_action_header *actions;
size_t actions_len;
- size_t start;
-
- ofpact_pad(ofpacts);
- start = ofpacts->size;
+ size_t start = ofpacts->size;
ofpact_put(ofpacts, OFPACT_WRITE_ACTIONS,
offsetof(struct ofpact_nest, actions));
get_actions_from_instruction(insts[OVSINST_OFPIT11_WRITE_ACTIONS],
case OFPACT_SAMPLE:
return 0;
+ case OFPACT_CT: {
+ struct ofpact_conntrack *oc = ofpact_get_CT(a);
+ enum ofperr err;
+
+ if (!dl_type_is_ip_any(flow->dl_type)
+ || (flow->ct_state & CS_INVALID && oc->flags & NX_CT_F_COMMIT)) {
+ inconsistent_match(usable_protocols);
+ }
+
+ if (oc->zone_src.field) {
+ return mf_check_src(&oc->zone_src, flow);
+ }
+
+ err = ofpacts_check(oc->actions, ofpact_ct_get_action_len(oc),
+ flow, max_ports, table_id, n_tables,
+ usable_protocols);
+ return err;
+ }
+
+ case OFPACT_NAT: {
+ struct ofpact_nat *on = ofpact_get_NAT(a);
+
+ if (!dl_type_is_ip_any(flow->dl_type) ||
+ (on->range_af == AF_INET && flow->dl_type != htons(ETH_TYPE_IP)) ||
+ (on->range_af == AF_INET6
+ && flow->dl_type != htons(ETH_TYPE_IPV6))) {
+ inconsistent_match(usable_protocols);
+ }
+ return 0;
+ }
+
case OFPACT_CLEAR_ACTIONS:
return 0;
: 0);
}
+/* Returns the destination field that 'ofpact' would write to, or NULL
+ * if the action would not write to an mf_field. */
+const struct mf_field *
+ofpact_get_mf_dst(const struct ofpact *ofpact)
+{
+ if (ofpact->type == OFPACT_SET_FIELD) {
+ const struct ofpact_set_field *orl;
+
+ orl = CONTAINER_OF(ofpact, struct ofpact_set_field, ofpact);
+ return orl->field;
+ } else if (ofpact->type == OFPACT_REG_MOVE) {
+ const struct ofpact_reg_move *orm;
+
+ orm = CONTAINER_OF(ofpact, struct ofpact_reg_move, ofpact);
+ return orm->dst.field;
+ }
+
+ return NULL;
+}
+
+static enum ofperr
+unsupported_nesting(enum ofpact_type action, enum ofpact_type outer_action)
+{
+ VLOG_WARN("%s action doesn't support nested action %s",
+ ofpact_name(outer_action), ofpact_name(action));
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+}
+
+static bool
+field_requires_ct(enum mf_field_id field)
+{
+ return field == MFF_CT_MARK || field == MFF_CT_LABEL;
+}
+
+/* Apply nesting constraints for actions */
static enum ofperr
ofpacts_verify_nested(const struct ofpact *a, enum ofpact_type outer_action)
{
- if (outer_action != OFPACT_WRITE_ACTIONS) {
- VLOG_WARN("\"%s\" action doesn't support nested action \"%s\"",
- ofpact_name(outer_action), ofpact_name(a->type));
- return OFPERR_OFPBAC_BAD_ARGUMENT;
+ const struct mf_field *field = ofpact_get_mf_dst(a);
+
+ if (field && field_requires_ct(field->id) && outer_action != OFPACT_CT) {
+ VLOG_WARN("cannot set CT fields outside of ct action");
+ return OFPERR_OFPBAC_BAD_SET_ARGUMENT;
+ }
+ if (a->type == OFPACT_NAT) {
+ if (outer_action != OFPACT_CT) {
+ VLOG_WARN("Cannot have NAT action outside of \"ct\" action");
+ return OFPERR_OFPBAC_BAD_SET_ARGUMENT;
+ }
+ return 0;
+ }
+
+ if (outer_action) {
+ ovs_assert(outer_action == OFPACT_WRITE_ACTIONS
+ || outer_action == OFPACT_CT);
+
+ if (outer_action == OFPACT_CT) {
+ if (!field) {
+ return unsupported_nesting(a->type, outer_action);
+ } else if (!field_requires_ct(field->id)) {
+ VLOG_WARN("%s action doesn't support nested modification "
+ "of %s", ofpact_name(outer_action), field->name);
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ }
}
return 0;
inst = OVSINST_OFPIT13_METER;
OFPACT_FOR_EACH (a, ofpacts, ofpacts_len) {
enum ovs_instruction_type next;
+ enum ofperr error;
if (a->type == OFPACT_CONJUNCTION) {
OFPACT_FOR_EACH (a, ofpacts, ofpacts_len) {
return 0;
}
- if (outer_action) {
- enum ofperr error = ofpacts_verify_nested(a, outer_action);
-
- if (error) {
- return error;
- }
+ error = ofpacts_verify_nested(a, outer_action);
+ if (error) {
+ return error;
}
next = ovs_instruction_type_from_ofpact_type(a->type);
case OFPACT_METER:
case OFPACT_GROUP:
case OFPACT_DEBUG_RECIRC:
+ case OFPACT_CT:
+ case OFPACT_NAT:
default:
return false;
}
{
const struct ofpact *a;
- OFPACT_FOR_EACH (a, ofpacts, ofpacts_len) {
+ OFPACT_FOR_EACH_FLATTENED (a, ofpacts, ofpacts_len) {
if (ofpact_outputs_to_port(a, port)) {
return true;
}
{
const struct ofpact *a;
- OFPACT_FOR_EACH (a, ofpacts, ofpacts_len) {
+ OFPACT_FOR_EACH_FLATTENED (a, ofpacts, ofpacts_len) {
if (a->type == OFPACT_GROUP
&& ofpact_get_GROUP(a)->group_id == group_id) {
return true;
{
struct ofpact *ofpact;
- ofpact_pad(ofpacts);
ofpacts->header = ofpbuf_put_uninit(ofpacts, len);
ofpact = ofpacts->header;
ofpact_init(ofpact, type, len);
ofpact->len = len;
}
\f
-/* Updates 'ofpact->len' to the number of bytes in the tail of 'ofpacts'
- * starting at 'ofpact'.
- *
- * This is the correct way to update a variable-length ofpact's length after
- * adding the variable-length part of the payload. (See the large comment
- * near the end of ofp-actions.h for more information.) */
+/* Finishes composing a variable-length action (begun using
+ * ofpact_put_<NAME>()), by padding the action to a multiple of OFPACT_ALIGNTO
+ * bytes and updating its embedded length field. See the large comment near
+ * the end of ofp-actions.h for more information. */
void
-ofpact_update_len(struct ofpbuf *ofpacts, struct ofpact *ofpact)
+ofpact_finish(struct ofpbuf *ofpacts, struct ofpact *ofpact)
{
ovs_assert(ofpact == ofpacts->header);
ofpact->len = (char *) ofpbuf_tail(ofpacts) - (char *) ofpact;
-}
-
-/* Pads out 'ofpacts' to a multiple of OFPACT_ALIGNTO bytes in length. Each
- * ofpact_put_<ENUM>() calls this function automatically beforehand, but the
- * client must call this itself after adding the final ofpact to an array of
- * them.
- *
- * (The consequences of failing to call this function are probably not dire.
- * OFPACT_FOR_EACH will calculate a pointer beyond the end of the ofpacts, but
- * not dereference it. That's undefined behavior, technically, but it will not
- * cause a real problem on common systems. Still, it seems better to call
- * it.) */
-void
-ofpact_pad(struct ofpbuf *ofpacts)
-{
- unsigned int pad = PAD_SIZE(ofpacts->size, OFPACT_ALIGNTO);
- if (pad) {
- ofpbuf_put_zeros(ofpacts, pad);
- }
+ ofpbuf_padto(ofpacts, OFPACT_ALIGN(ofpacts->size));
}
\f
-
-
-
static char * OVS_WARN_UNUSED_RESULT
ofpact_parse(enum ofpact_type type, char *value, struct ofpbuf *ofpacts,
enum ofputil_protocol *usable_protocols)
}
prev_inst = inst;
}
- ofpact_pad(ofpacts);
if (drop && ofpacts->size) {
return xstrdup("\"drop\" must not be accompanied by any other action "
{
struct ofp_action_header *oah;
- ofpbuf_put_zeros(openflow, PAD_SIZE(openflow->size - start_ofs, 8));
+ ofpbuf_put_zeros(openflow, PAD_SIZE(openflow->size - start_ofs,
+ OFP_ACTION_ALIGN));
oah = ofpbuf_at_assert(openflow, start_ofs, sizeof *oah);
oah->len = htons(openflow->size - start_ofs);