/* NX1.0+(34): struct nx_action_conjunction. */
NXAST_RAW_CONJUNCTION,
+ /* NX1.0+(35): struct nx_action_conntrack, ... */
+ NXAST_RAW_CT,
+
/* ## ------------------ ## */
/* ## Debugging actions. ## */
/* ## ------------------ ## */
static char *OVS_WARN_UNUSED_RESULT ofpacts_parse(
char *str, struct ofpbuf *ofpacts, enum ofputil_protocol *usable_protocols,
bool allow_instructions, enum ofpact_type outer_action);
+static enum ofperr ofpacts_pull_openflow_actions__(
+ struct ofpbuf *openflow, unsigned int actions_len,
+ enum ofp_version version, uint32_t allowed_ovsinsts,
+ struct ofpbuf *ofpacts, enum ofpact_type outer_action);
+static char * OVS_WARN_UNUSED_RESULT ofpacts_parse_copy(
+ const char *s_, struct ofpbuf *ofpacts,
+ enum ofputil_protocol *usable_protocols,
+ bool allow_instructions, enum ofpact_type outer_action);
/* Pull off existing actions or instructions. Used by nesting actions to keep
* ofpacts_parse() oblivious of actions nesting.
static enum ofperr
decode_OFPAT_RAW10_OUTPUT(const struct ofp10_action_output *oao,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_output *output;
static enum ofperr
decode_OFPAT_RAW11_OUTPUT(const struct ofp11_action_output *oao,
- struct ofpbuf *out)
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
struct ofpact_output *output;
enum ofperr error;
/* Group actions. */
static enum ofperr
-decode_OFPAT_RAW11_GROUP(uint32_t group_id, struct ofpbuf *out)
+decode_OFPAT_RAW11_GROUP(uint32_t group_id,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_GROUP(out)->group_id = group_id;
return 0;
static enum ofperr
decode_NXAST_RAW_CONTROLLER(const struct nx_action_controller *nac,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_controller *oc;
static enum ofperr
decode_OFPAT_RAW10_ENQUEUE(const struct ofp10_action_enqueue *oae,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_enqueue *enqueue;
static enum ofperr
decode_NXAST_RAW_OUTPUT_REG(const struct nx_action_output_reg *naor,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_output_reg *output_reg;
static enum ofperr
decode_NXAST_RAW_OUTPUT_REG2(const struct nx_action_output_reg2 *naor,
- struct ofpbuf *out)
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
struct ofpact_output_reg *output_reg;
enum ofperr error;
}
static enum ofperr
-decode_NXAST_RAW_BUNDLE(const struct nx_action_bundle *nab, struct ofpbuf *out)
+decode_NXAST_RAW_BUNDLE(const struct nx_action_bundle *nab,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
return decode_bundle(false, nab, out);
}
static enum ofperr
decode_NXAST_RAW_BUNDLE_LOAD(const struct nx_action_bundle *nab,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
return decode_bundle(true, nab, out);
}
static enum ofperr
-decode_OFPAT_RAW10_SET_VLAN_VID(uint16_t vid, struct ofpbuf *out)
+decode_OFPAT_RAW10_SET_VLAN_VID(uint16_t vid,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
return decode_set_vlan_vid(vid, true, out);
}
static enum ofperr
-decode_OFPAT_RAW11_SET_VLAN_VID(uint16_t vid, struct ofpbuf *out)
+decode_OFPAT_RAW11_SET_VLAN_VID(uint16_t vid,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
return decode_set_vlan_vid(vid, false, out);
}
}
static enum ofperr
-decode_OFPAT_RAW10_SET_VLAN_PCP(uint8_t pcp, struct ofpbuf *out)
+decode_OFPAT_RAW10_SET_VLAN_PCP(uint8_t pcp,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
return decode_set_vlan_pcp(pcp, true, out);
}
static enum ofperr
-decode_OFPAT_RAW11_SET_VLAN_PCP(uint8_t pcp, struct ofpbuf *out)
+decode_OFPAT_RAW11_SET_VLAN_PCP(uint8_t pcp,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
return decode_set_vlan_pcp(pcp, false, out);
}
/* Push VLAN action. */
static enum ofperr
-decode_OFPAT_RAW11_PUSH_VLAN(ovs_be16 eth_type, struct ofpbuf *out)
+decode_OFPAT_RAW11_PUSH_VLAN(ovs_be16 eth_type,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
if (eth_type != htons(ETH_TYPE_VLAN_8021Q)) {
/* XXX 802.1AD(QinQ) isn't supported at the moment */
static enum ofperr
decode_OFPAT_RAW_SET_DL_SRC(const struct ofp_action_dl_addr *a,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
ofpact_put_SET_ETH_SRC(out)->mac = a->dl_addr;
static enum ofperr
decode_OFPAT_RAW_SET_DL_DST(const struct ofp_action_dl_addr *a,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
ofpact_put_SET_ETH_DST(out)->mac = a->dl_addr;
/* Set IPv4 address actions. */
static enum ofperr
-decode_OFPAT_RAW_SET_NW_SRC(ovs_be32 ipv4, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_NW_SRC(ovs_be32 ipv4,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_IPV4_SRC(out)->ipv4 = ipv4;
return 0;
}
static enum ofperr
-decode_OFPAT_RAW_SET_NW_DST(ovs_be32 ipv4, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_NW_DST(ovs_be32 ipv4,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_IPV4_DST(out)->ipv4 = ipv4;
return 0;
/* Set IPv4/v6 TOS actions. */
static enum ofperr
-decode_OFPAT_RAW_SET_NW_TOS(uint8_t dscp, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_NW_TOS(uint8_t dscp,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
if (dscp & ~IP_DSCP_MASK) {
return OFPERR_OFPBAC_BAD_ARGUMENT;
/* Set IPv4/v6 ECN actions. */
static enum ofperr
-decode_OFPAT_RAW11_SET_NW_ECN(uint8_t ecn, struct ofpbuf *out)
+decode_OFPAT_RAW11_SET_NW_ECN(uint8_t ecn,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
if (ecn & ~IP_ECN_MASK) {
return OFPERR_OFPBAC_BAD_ARGUMENT;
/* Set IPv4/v6 TTL actions. */
static enum ofperr
-decode_OFPAT_RAW11_SET_NW_TTL(uint8_t ttl, struct ofpbuf *out)
+decode_OFPAT_RAW11_SET_NW_TTL(uint8_t ttl,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_IP_TTL(out)->ttl = ttl;
return 0;
/* Set TCP/UDP/SCTP port actions. */
static enum ofperr
-decode_OFPAT_RAW_SET_TP_SRC(ovs_be16 port, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_TP_SRC(ovs_be16 port,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_L4_SRC_PORT(out)->port = ntohs(port);
return 0;
}
static enum ofperr
-decode_OFPAT_RAW_SET_TP_DST(ovs_be16 port, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_TP_DST(ovs_be16 port,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_L4_DST_PORT(out)->port = ntohs(port);
return 0;
static enum ofperr
decode_OFPAT_RAW15_COPY_FIELD(const struct ofp15_action_copy_field *oacf,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *ofpacts)
{
return decode_copy_field__(oacf->src_offset, oacf->dst_offset,
static enum ofperr
decode_ONFACT_RAW13_COPY_FIELD(const struct onf_action_copy_field *oacf,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *ofpacts)
{
return decode_copy_field__(oacf->src_offset, oacf->dst_offset,
static enum ofperr
decode_NXAST_RAW_REG_MOVE(const struct nx_action_reg_move *narm,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *ofpacts)
{
struct ofpact_reg_move *move;
static enum ofperr
decode_OFPAT_RAW12_SET_FIELD(const struct ofp12_action_set_field *oasf,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *ofpacts)
{
return decode_ofpat_set_field(oasf, false, ofpacts);
static enum ofperr
decode_OFPAT_RAW15_SET_FIELD(const struct ofp12_action_set_field *oasf,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *ofpacts)
{
return decode_ofpat_set_field(oasf, true, ofpacts);
static enum ofperr
decode_NXAST_RAW_REG_LOAD(const struct nx_action_reg_load *narl,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_set_field *sf = ofpact_put_reg_load(out);
static enum ofperr
decode_NXAST_RAW_REG_LOAD2(const struct nx_action_reg_load2 *narl,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_set_field *sf;
static enum ofperr
decode_NXAST_RAW_STACK_PUSH(const struct nx_action_stack *nasp,
- struct ofpbuf *ofpacts)
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *ofpacts)
{
struct ofpact_stack *push = ofpact_put_STACK_PUSH(ofpacts);
enum ofperr error = decode_stack_action(nasp, push);
static enum ofperr
decode_NXAST_RAW_STACK_POP(const struct nx_action_stack *nasp,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *ofpacts)
{
struct ofpact_stack *pop = ofpact_put_STACK_POP(ofpacts);
static enum ofperr
decode_NXAST_RAW_DEC_TTL_CNT_IDS(const struct nx_action_cnt_ids *nac_ids,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_cnt_ids *ids;
/* Set MPLS label actions. */
static enum ofperr
-decode_OFPAT_RAW_SET_MPLS_LABEL(ovs_be32 label, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_MPLS_LABEL(ovs_be32 label,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_MPLS_LABEL(out)->label = label;
return 0;
/* Set MPLS TC actions. */
static enum ofperr
-decode_OFPAT_RAW_SET_MPLS_TC(uint8_t tc, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_MPLS_TC(uint8_t tc,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_MPLS_TC(out)->tc = tc;
return 0;
/* Set MPLS TTL actions. */
static enum ofperr
-decode_OFPAT_RAW_SET_MPLS_TTL(uint8_t ttl, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_MPLS_TTL(uint8_t ttl,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_MPLS_TTL(out)->ttl = ttl;
return 0;
/* Push MPLS label action. */
static enum ofperr
-decode_OFPAT_RAW_PUSH_MPLS(ovs_be16 ethertype, struct ofpbuf *out)
+decode_OFPAT_RAW_PUSH_MPLS(ovs_be16 ethertype,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
struct ofpact_push_mpls *oam;
/* Pop MPLS label action. */
static enum ofperr
-decode_OFPAT_RAW_POP_MPLS(ovs_be16 ethertype, struct ofpbuf *out)
+decode_OFPAT_RAW_POP_MPLS(ovs_be16 ethertype,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_POP_MPLS(out)->ethertype = ethertype;
return 0;
/* Set tunnel ID actions. */
static enum ofperr
-decode_NXAST_RAW_SET_TUNNEL(uint32_t tun_id, struct ofpbuf *out)
+decode_NXAST_RAW_SET_TUNNEL(uint32_t tun_id,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
struct ofpact_tunnel *tunnel = ofpact_put_SET_TUNNEL(out);
tunnel->ofpact.raw = NXAST_RAW_SET_TUNNEL;
}
static enum ofperr
-decode_NXAST_RAW_SET_TUNNEL64(uint64_t tun_id, struct ofpbuf *out)
+decode_NXAST_RAW_SET_TUNNEL64(uint64_t tun_id,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
struct ofpact_tunnel *tunnel = ofpact_put_SET_TUNNEL(out);
tunnel->ofpact.raw = NXAST_RAW_SET_TUNNEL64;
/* Set queue action. */
static enum ofperr
-decode_OFPAT_RAW_SET_QUEUE(uint32_t queue_id, struct ofpbuf *out)
+decode_OFPAT_RAW_SET_QUEUE(uint32_t queue_id,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
ofpact_put_SET_QUEUE(out)->queue_id = queue_id;
return 0;
static enum ofperr
decode_NXAST_RAW_FIN_TIMEOUT(const struct nx_action_fin_timeout *naft,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_fin_timeout *oft;
OFP_ASSERT(sizeof(struct nx_action_resubmit) == 16);
static enum ofperr
-decode_NXAST_RAW_RESUBMIT(uint16_t port, struct ofpbuf *out)
+decode_NXAST_RAW_RESUBMIT(uint16_t port,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
struct ofpact_resubmit *resubmit;
static enum ofperr
decode_NXAST_RAW_RESUBMIT_TABLE(const struct nx_action_resubmit *nar,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_resubmit *resubmit;
* 'ofpacts'. Returns 0 if successful, otherwise an OFPERR_*. */
static enum ofperr
decode_NXAST_RAW_LEARN(const struct nx_action_learn *nal,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *ofpacts)
{
struct ofpact_learn *learn;
static enum ofperr
decode_NXAST_RAW_CONJUNCTION(const struct nx_action_conjunction *nac,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
if (nac->n_clauses < 2 || nac->n_clauses > 64
static enum ofperr
decode_NXAST_RAW_MULTIPATH(const struct nx_action_multipath *nam,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
uint32_t n_links = ntohs(nam->max_link) + 1;
OFP_ASSERT(sizeof(struct nx_action_note) == 16);
static enum ofperr
-decode_NXAST_RAW_NOTE(const struct nx_action_note *nan, struct ofpbuf *out)
+decode_NXAST_RAW_NOTE(const struct nx_action_note *nan,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
struct ofpact_note *note;
unsigned int length;
OFP_ASSERT(sizeof(struct nx_action_sample) == 24);
static enum ofperr
-decode_NXAST_RAW_SAMPLE(const struct nx_action_sample *nas, struct ofpbuf *out)
+decode_NXAST_RAW_SAMPLE(const struct nx_action_sample *nas,
+ enum ofp_version ofp_version OVS_UNUSED,
+ struct ofpbuf *out)
{
struct ofpact_sample *sample;
{
ds_put_cstr(s, "debug_recirc");
}
+
+/* Action structure for NXAST_CT.
+ *
+ * Pass traffic to the connection tracker.
+ *
+ * There are two important concepts to understanding the connection tracking
+ * interface: Packet state and Connection state. Packets may be "Untracked" or
+ * "Tracked". Connections may be "Uncommitted" or "Committed".
+ *
+ * - Packet State:
+ *
+ * Untracked packets have not yet passed through the connection tracker,
+ * and the connection state for such packets is unknown. In most cases,
+ * packets entering the OpenFlow pipeline will initially be in the
+ * untracked state. Untracked packets may become tracked by executing
+ * NXAST_CT with a "recirc_table" specified. This makes various aspects
+ * about the connection available, in particular the connection state.
+ *
+ * Tracked packets have previously passed through the connection tracker.
+ * These packets will remain tracked through until the end of the OpenFlow
+ * pipeline. Tracked packets which have NXAST_CT executed with a
+ * "recirc_table" specified will return to the tracked state.
+ *
+ * The packet state is only significant for the duration of packet
+ * processing within the OpenFlow pipeline.
+ *
+ * - Connection State:
+ *
+ * Multiple packets may be associated with a single connection. Initially,
+ * all connections are uncommitted. The connection state corresponding to
+ * a packet is available in the NXM_NX_CT_STATE field for tracked packets.
+ *
+ * Uncommitted connections have no state stored about them. Uncommitted
+ * connections may transition into the committed state by executing
+ * NXAST_CT with the NX_CT_F_COMMIT flag.
+ *
+ * Once a connection becomes committed, information may be gathered about
+ * the connection by passing subsequent packets through the connection
+ * tracker, and the state of the connection will be stored beyond the
+ * lifetime of packet processing.
+ *
+ * Connections may transition back into the uncommitted state due to
+ * external timers, or due to the contents of packets that are sent to the
+ * connection tracker. This behaviour is outside of the scope of the
+ * OpenFlow interface.
+ *
+ * The "zone" specifies a context within which the tracking is done:
+ *
+ * The connection tracking zone is a 16-bit number. Each zone is an
+ * independent connection tracking context. The connection state for each
+ * connection is completely separate for each zone, so if a connection
+ * is committed to zone A, then it will remain uncommitted in zone B.
+ * If NXAST_CT is executed with the same zone multiple times, later
+ * executions have no effect.
+ *
+ * If 'zone_src' is nonzero, this specifies that the zone should be
+ * sourced from a field zone_src[ofs:ofs+nbits]. The format and semantics
+ * of 'zone_src' and 'zone_ofs_nbits' are similar to those for the
+ * NXAST_REG_LOAD action. The acceptable nxm_header values for 'zone_src'
+ * are the same as the acceptable nxm_header values for the 'src' field of
+ * NXAST_REG_MOVE.
+ *
+ * If 'zone_src' is zero, then the value of 'zone_imm' will be used as the
+ * connection tracking zone.
+ *
+ * The "recirc_table" allows NXM_NX_CT_* fields to become available:
+ *
+ * If "recirc_table" has a value other than NX_CT_RECIRC_NONE, then the
+ * packet will be logically cloned prior to executing this action. One
+ * copy will be sent to the connection tracker, then will be re-injected
+ * into the OpenFlow pipeline beginning at the OpenFlow table specified in
+ * this field. When the packet re-enters the pipeline, the NXM_NX_CT_*
+ * fields will be populated. The original instance of the packet will
+ * continue the current actions list. This can be thought of as similar to
+ * the effect of the "output" action: One copy is sent out (in this case,
+ * to the connection tracker), but the current copy continues processing.
+ *
+ * It is strongly recommended that this table is later than the current
+ * table, to prevent loops.
+ *
+ * Zero or more actions may immediately follow this action. These actions will
+ * be executed within the context of the connection tracker, and they require
+ * the NX_CT_F_COMMIT flag to be set.
+ */
+struct nx_action_conntrack {
+ ovs_be16 type; /* OFPAT_VENDOR. */
+ ovs_be16 len; /* At least 24. */
+ ovs_be32 vendor; /* NX_VENDOR_ID. */
+ ovs_be16 subtype; /* NXAST_CT. */
+ ovs_be16 flags; /* Zero or more NX_CT_F_* flags.
+ * Unspecified flag bits must be zero. */
+ ovs_be32 zone_src; /* Connection tracking context. */
+ union {
+ ovs_be16 zone_ofs_nbits;/* Range to use from source field. */
+ ovs_be16 zone_imm; /* Immediate value for zone. */
+ };
+ uint8_t recirc_table; /* Recirculate to a specific table, or
+ NX_CT_RECIRC_NONE for no recirculation. */
+ uint8_t pad[5]; /* Zeroes */
+ /* Followed by a sequence of zero or more OpenFlow actions. The length of
+ * these is included in 'len'. */
+};
+OFP_ASSERT(sizeof(struct nx_action_conntrack) == 24);
+
+static enum ofperr
+decode_ct_zone(const struct nx_action_conntrack *nac,
+ struct ofpact_conntrack *out)
+{
+ if (nac->zone_src) {
+ enum ofperr error;
+
+ out->zone_src.field = mf_from_nxm_header(ntohl(nac->zone_src));
+ out->zone_src.ofs = nxm_decode_ofs(nac->zone_ofs_nbits);
+ out->zone_src.n_bits = nxm_decode_n_bits(nac->zone_ofs_nbits);
+ error = mf_check_src(&out->zone_src, NULL);
+ if (error) {
+ return error;
+ }
+
+ if (out->zone_src.n_bits != 16) {
+ VLOG_WARN_RL(&rl, "zone n_bits %d not within valid range [16..16]",
+ out->zone_src.n_bits);
+ return OFPERR_OFPBAC_BAD_SET_LEN;
+ }
+ } else {
+ out->zone_src.field = NULL;
+ out->zone_imm = ntohs(nac->zone_imm);
+ }
+
+ return 0;
+}
+
+static enum ofperr
+decode_NXAST_RAW_CT(const struct nx_action_conntrack *nac,
+ enum ofp_version ofp_version, struct ofpbuf *out)
+{
+ const size_t ct_offset = ofpacts_pull(out);
+ struct ofpact_conntrack *conntrack;
+ struct ofpbuf openflow;
+ int error = 0;
+
+ conntrack = ofpact_put_CT(out);
+ conntrack->flags = ntohs(nac->flags);
+ error = decode_ct_zone(nac, conntrack);
+ if (error) {
+ goto out;
+ }
+ conntrack->recirc_table = nac->recirc_table;
+
+ ofpbuf_pull(out, sizeof(*conntrack));
+
+ ofpbuf_use_const(&openflow, nac + 1, ntohs(nac->len) - sizeof(*nac));
+ error = ofpacts_pull_openflow_actions__(&openflow, openflow.size,
+ ofp_version,
+ 1u << OVSINST_OFPIT11_APPLY_ACTIONS,
+ out, OFPACT_CT);
+ if (error) {
+ goto out;
+ }
+
+ conntrack = ofpbuf_push_uninit(out, sizeof(*conntrack));
+ out->header = &conntrack->ofpact;
+ ofpact_update_len(out, &conntrack->ofpact);
+
+ if (conntrack->ofpact.len > sizeof(*conntrack)
+ && !(conntrack->flags & NX_CT_F_COMMIT)) {
+ VLOG_WARN_RL(&rl, "CT action requires commit flag if actions are "
+ "specified.");
+ error = OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+
+out:
+ ofpbuf_push_uninit(out, ct_offset);
+ return error;
+}
+
+static void
+encode_CT(const struct ofpact_conntrack *conntrack,
+ enum ofp_version ofp_version, struct ofpbuf *out)
+{
+ struct nx_action_conntrack *nac;
+ const size_t ofs = out->size;
+ size_t len;
+
+ nac = put_NXAST_CT(out);
+ nac->flags = htons(conntrack->flags);
+ if (conntrack->zone_src.field) {
+ nac->zone_src = htonl(mf_nxm_header(conntrack->zone_src.field->id));
+ nac->zone_ofs_nbits = nxm_encode_ofs_nbits(conntrack->zone_src.ofs,
+ conntrack->zone_src.n_bits);
+ } else {
+ nac->zone_src = htonl(0);
+ nac->zone_imm = htons(conntrack->zone_imm);
+ }
+ nac->recirc_table = conntrack->recirc_table;
+
+ len = ofpacts_put_openflow_actions(conntrack->actions,
+ ofpact_ct_get_action_len(conntrack),
+ out, ofp_version);
+ len += sizeof(*nac);
+ nac = ofpbuf_at(out, ofs, sizeof(*nac));
+ nac->len = htons(len);
+}
+
+/* Parses 'arg' as the argument to a "ct" action, and appends such an
+ * action to 'ofpacts'.
+ *
+ * Returns NULL if successful, otherwise a malloc()'d string describing the
+ * error. The caller is responsible for freeing the returned string. */
+static char * OVS_WARN_UNUSED_RESULT
+parse_CT(char *arg, struct ofpbuf *ofpacts,
+ enum ofputil_protocol *usable_protocols)
+{
+ const size_t ct_offset = ofpacts_pull(ofpacts);
+ struct ofpact_conntrack *oc;
+ char *error = NULL;
+ char *key, *value;
+
+ oc = ofpact_put_CT(ofpacts);
+ oc->flags = 0;
+ oc->recirc_table = NX_CT_RECIRC_NONE;
+ while (ofputil_parse_key_value(&arg, &key, &value)) {
+ if (!strcmp(key, "commit")) {
+ oc->flags |= NX_CT_F_COMMIT;
+ } else if (!strcmp(key, "table")) {
+ error = str_to_u8(value, "recirc_table", &oc->recirc_table);
+ if (!error && oc->recirc_table == NX_CT_RECIRC_NONE) {
+ error = xasprintf("invalid table %#"PRIx16, oc->recirc_table);
+ }
+ } else if (!strcmp(key, "zone")) {
+ error = str_to_u16(value, "zone", &oc->zone_imm);
+
+ if (error) {
+ free(error);
+ error = mf_parse_subfield(&oc->zone_src, value);
+ if (error) {
+ return error;
+ }
+ }
+ } else if (!strcmp(key, "exec")) {
+ /* Hide existing actions from ofpacts_parse_copy(), so the
+ * nesting can be handled transparently. */
+ ofpbuf_pull(ofpacts, sizeof(*oc));
+ error = ofpacts_parse_copy(value, ofpacts, usable_protocols, false,
+ OFPACT_CT);
+ ofpact_pad(ofpacts);
+ ofpacts->header = ofpbuf_push_uninit(ofpacts, sizeof(*oc));
+ oc = ofpacts->header;
+ } else {
+ error = xasprintf("invalid argument to \"ct\" action: `%s'", key);
+ }
+ if (error) {
+ break;
+ }
+ }
+
+ ofpact_update_len(ofpacts, &oc->ofpact);
+ ofpbuf_push_uninit(ofpacts, ct_offset);
+ return error;
+}
+
+static void
+format_CT(const struct ofpact_conntrack *a, struct ds *s)
+{
+ ds_put_cstr(s, "ct(");
+ if (a->flags & NX_CT_F_COMMIT) {
+ ds_put_cstr(s, "commit,");
+ }
+ if (a->recirc_table != NX_CT_RECIRC_NONE) {
+ ds_put_format(s, "table=%"PRIu8",", a->recirc_table);
+ }
+ if (a->zone_src.field) {
+ ds_put_format(s, "zone=");
+ mf_format_subfield(&a->zone_src, s);
+ ds_put_char(s, ',');
+ } else if (a->zone_imm) {
+ ds_put_format(s, "zone=%"PRIu16",", a->zone_imm);
+ }
+ if (ofpact_ct_get_action_len(a)) {
+ ds_put_cstr(s, "exec(");
+ ofpacts_format(a->actions, ofpact_ct_get_action_len(a), s);
+ ds_put_format(s, "),");
+ }
+ ds_chomp(s, ',');
+ ds_put_char(s, ')');
+}
\f
/* Meter instruction. */
static enum ofperr
decode_NXAST_RAW_WRITE_METADATA(const struct nx_action_write_metadata *nawm,
+ enum ofp_version ofp_version OVS_UNUSED,
struct ofpbuf *out)
{
struct ofpact_metadata *om;
error = ofpact_pull_raw(&openflow, ofp_version, &raw, &arg);
if (!error) {
- error = ofpact_decode(action, raw, arg, ofpacts);
+ error = ofpact_decode(action, raw, ofp_version, arg, ofpacts);
}
if (error) {
return true;
case OFPACT_BUNDLE:
case OFPACT_CLEAR_ACTIONS:
+ case OFPACT_CT:
case OFPACT_CONTROLLER:
case OFPACT_DEC_MPLS_TTL:
case OFPACT_DEC_TTL:
* in the action set is undefined. */
case OFPACT_BUNDLE:
case OFPACT_CONTROLLER:
+ case OFPACT_CT:
case OFPACT_ENQUEUE:
case OFPACT_EXIT:
case OFPACT_UNROLL_XLATE:
case OFPACT_UNROLL_XLATE:
case OFPACT_SAMPLE:
case OFPACT_DEBUG_RECIRC:
+ case OFPACT_CT:
default:
return OVSINST_OFPIT11_APPLY_ACTIONS;
}
case OFPACT_SAMPLE:
return 0;
+ case OFPACT_CT: {
+ struct ofpact_conntrack *oc = ofpact_get_CT(a);
+ enum ofputil_protocol p = *usable_protocols;
+
+ if (!dl_type_is_ip_any(flow->dl_type)
+ || (flow->ct_state & CS_INVALID && oc->flags & NX_CT_F_COMMIT)) {
+ inconsistent_match(usable_protocols);
+ }
+
+ if (oc->zone_src.field) {
+ return mf_check_src(&oc->zone_src, flow);
+ }
+
+ return ofpacts_check(oc->actions, ofpact_ct_get_action_len(oc),
+ flow, max_ports, table_id, n_tables, &p);
+ }
+
case OFPACT_CLEAR_ACTIONS:
return 0;
: 0);
}
+static const struct mf_field *
+ofpact_get_mf_field(enum ofpact_type type, const void *ofpact)
+{
+ if (type == OFPACT_SET_FIELD) {
+ const struct ofpact_set_field *orl = ofpact;
+
+ return orl->field;
+ } else if (type == OFPACT_REG_MOVE) {
+ const struct ofpact_reg_move *orm = ofpact;
+
+ return orm->dst.field;
+ }
+
+ return NULL;
+}
+
+static enum ofperr
+unsupported_nesting(enum ofpact_type action, enum ofpact_type outer_action)
+{
+ VLOG_WARN("%s action doesn't support nested action %s",
+ ofpact_name(outer_action), ofpact_name(action));
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+}
+
+static bool
+field_requires_ct(enum mf_field_id field)
+{
+ return field == MFF_CT_MARK;
+}
+
+/* Apply nesting constraints for actions */
static enum ofperr
ofpacts_verify_nested(const struct ofpact *a, enum ofpact_type outer_action)
{
- if (outer_action != OFPACT_WRITE_ACTIONS) {
- VLOG_WARN("\"%s\" action doesn't support nested action \"%s\"",
- ofpact_name(outer_action), ofpact_name(a->type));
- return OFPERR_OFPBAC_BAD_ARGUMENT;
+ const struct mf_field *field = ofpact_get_mf_field(a->type, a);
+
+ if (field && field_requires_ct(field->id) && outer_action != OFPACT_CT) {
+ VLOG_WARN("cannot set CT fields outside of ct action");
+ return OFPERR_OFPBAC_BAD_SET_ARGUMENT;
+ }
+
+ if (outer_action) {
+ ovs_assert(outer_action == OFPACT_WRITE_ACTIONS
+ || outer_action == OFPACT_CT);
+
+ if (outer_action == OFPACT_CT) {
+ if (!field) {
+ return unsupported_nesting(a->type, outer_action);
+ } else if (!field_requires_ct(field->id)) {
+ VLOG_WARN("%s action doesn't support nested modification "
+ "of %s", ofpact_name(outer_action), field->name);
+ return OFPERR_OFPBAC_BAD_ARGUMENT;
+ }
+ }
}
return 0;
inst = OVSINST_OFPIT13_METER;
OFPACT_FOR_EACH (a, ofpacts, ofpacts_len) {
enum ovs_instruction_type next;
+ enum ofperr error;
if (a->type == OFPACT_CONJUNCTION) {
OFPACT_FOR_EACH (a, ofpacts, ofpacts_len) {
return 0;
}
- if (outer_action) {
- enum ofperr error = ofpacts_verify_nested(a, outer_action);
-
- if (error) {
- return error;
- }
+ error = ofpacts_verify_nested(a, outer_action);
+ if (error) {
+ return error;
}
next = ovs_instruction_type_from_ofpact_type(a->type);
case OFPACT_METER:
case OFPACT_GROUP:
case OFPACT_DEBUG_RECIRC:
+ case OFPACT_CT:
default:
return false;
}