#include <sys/socket.h>
#include <netinet/in.h>
-#include "tnl-arp-cache.h"
+#include "tnl-neigh-cache.h"
#include "bfd.h"
#include "bitmap.h"
#include "bond.h"
#include "ofproto/ofproto-dpif-sflow.h"
#include "ofproto/ofproto-dpif.h"
#include "ofproto/ofproto-provider.h"
+#include "packets.h"
#include "ovs-router.h"
#include "tnl-ports.h"
#include "tunnel.h"
* which might lead to an infinite loop. This could happen easily
* if a tunnel is marked as 'ip_remote=flow', and the flow does not
* actually set the tun_dst field. */
- ovs_be32 orig_tunnel_ip_dst;
+ struct in6_addr orig_tunnel_ipv6_dst;
/* Stack for the push and pop actions. Each stack element is of type
* "union mf_subvalue". */
* state from the datapath should be honored after recirculation. */
bool conntracked;
+ /* Pointer to an embedded NAT action in a conntrack action, or NULL. */
+ struct ofpact_nat *ct_nat_action;
+
/* OpenFlow 1.1+ action set.
*
* 'action_set' accumulates "struct ofpact"s added by OFPACT_WRITE_ACTIONS.
XC_NORMAL,
XC_FIN_TIMEOUT,
XC_GROUP,
- XC_TNL_ARP,
+ XC_TNL_NEIGH,
};
/* xlate_cache entries hold enough information to perform the side effects of
} group;
struct {
char br_name[IFNAMSIZ];
- ovs_be32 d_ip;
- } tnl_arp_cache;
+ struct in6_addr d_ipv6;
+ } tnl_neigh_cache;
} u;
};
static int
tnl_route_lookup_flow(const struct flow *oflow,
- ovs_be32 *ip, struct xport **out_port)
+ struct in6_addr *ip, struct xport **out_port)
{
char out_dev[IFNAMSIZ];
struct xbridge *xbridge;
struct xlate_cfg *xcfg;
- ovs_be32 gw;
+ struct in6_addr gw;
+ struct in6_addr dst;
- if (!ovs_router_lookup4(oflow->tunnel.ip_dst, out_dev, &gw)) {
+ dst = flow_tnl_dst(&oflow->tunnel);
+ if (!ovs_router_lookup(&dst, out_dev, &gw)) {
return -ENOENT;
}
- if (gw) {
+ if (ipv6_addr_is_set(&gw) &&
+ (!IN6_IS_ADDR_V4MAPPED(&gw) || in6_addr_get_mapped_ipv4(&gw))) {
*ip = gw;
} else {
- *ip = oflow->tunnel.ip_dst;
+ *ip = dst;
}
xcfg = ovsrcu_get(struct xlate_cfg *, &xcfgp);
ctx->recurse, ctx->resubmits, packet);
}
+static void
+tnl_send_nd_request(struct xlate_ctx *ctx, const struct xport *out_dev,
+ const struct eth_addr eth_src,
+ struct in6_addr * ipv6_src, struct in6_addr * ipv6_dst)
+{
+ struct dp_packet packet;
+
+ dp_packet_init(&packet, 0);
+ compose_nd(&packet, eth_src, ipv6_src, ipv6_dst);
+ compose_table_xlate(ctx, out_dev, &packet);
+ dp_packet_uninit(&packet);
+}
+
static void
tnl_send_arp_request(struct xlate_ctx *ctx, const struct xport *out_dev,
const struct eth_addr eth_src,
{
struct ovs_action_push_tnl tnl_push_data;
struct xport *out_dev = NULL;
- ovs_be32 s_ip, d_ip = 0;
+ ovs_be32 s_ip = 0, d_ip = 0;
+ struct in6_addr s_ip6 = in6addr_any;
+ struct in6_addr d_ip6 = in6addr_any;
struct eth_addr smac;
struct eth_addr dmac;
int err;
+ char buf_sip6[INET6_ADDRSTRLEN];
+ char buf_dip6[INET6_ADDRSTRLEN];
- err = tnl_route_lookup_flow(flow, &d_ip, &out_dev);
+ err = tnl_route_lookup_flow(flow, &d_ip6, &out_dev);
if (err) {
xlate_report(ctx, "native tunnel routing failed");
return err;
}
- xlate_report(ctx, "tunneling to "IP_FMT" via %s",
- IP_ARGS(d_ip), netdev_get_name(out_dev->netdev));
+
+ xlate_report(ctx, "tunneling to %s via %s",
+ ipv6_string_mapped(buf_dip6, &d_ip6),
+ netdev_get_name(out_dev->netdev));
/* Use mac addr of bridge port of the peer. */
err = netdev_get_etheraddr(out_dev->netdev, &smac);
return err;
}
- err = netdev_get_in4(out_dev->netdev, (struct in_addr *) &s_ip, NULL);
- if (err) {
- xlate_report(ctx, "tunnel output device lacks IPv4 address");
- return err;
+ d_ip = in6_addr_get_mapped_ipv4(&d_ip6);
+ if (d_ip) {
+ err = netdev_get_in4(out_dev->netdev, (struct in_addr *) &s_ip, NULL);
+ if (err) {
+ xlate_report(ctx, "tunnel output device lacks IPv4 address");
+ return err;
+ }
+ in6_addr_set_mapped_ipv4(&s_ip6, s_ip);
+ } else {
+ err = netdev_get_in6(out_dev->netdev, &s_ip6);
+ if (err) {
+ xlate_report(ctx, "tunnel output device lacks IPv6 address");
+ return err;
+ }
}
- err = tnl_arp_lookup(out_dev->xbridge->name, d_ip, &dmac);
+ err = tnl_neigh_lookup(out_dev->xbridge->name, &d_ip6, &dmac);
if (err) {
- xlate_report(ctx, "ARP cache miss for "IP_FMT" on bridge %s, "
- "sending ARP request",
- IP_ARGS(d_ip), out_dev->xbridge->name);
- tnl_send_arp_request(ctx, out_dev, smac, s_ip, d_ip);
+ xlate_report(ctx, "neighbor cache miss for %s on bridge %s, "
+ "sending %s request",
+ buf_dip6, out_dev->xbridge->name, d_ip ? "ARP" : "ND");
+ if (d_ip) {
+ tnl_send_arp_request(ctx, out_dev, smac, s_ip, d_ip);
+ } else {
+ tnl_send_nd_request(ctx, out_dev, smac, &s_ip6, &d_ip6);
+ }
return err;
}
+
if (ctx->xin->xcache) {
struct xc_entry *entry;
- entry = xlate_cache_add_entry(ctx->xin->xcache, XC_TNL_ARP);
- ovs_strlcpy(entry->u.tnl_arp_cache.br_name, out_dev->xbridge->name,
- sizeof entry->u.tnl_arp_cache.br_name);
- entry->u.tnl_arp_cache.d_ip = d_ip;
+ entry = xlate_cache_add_entry(ctx->xin->xcache, XC_TNL_NEIGH);
+ ovs_strlcpy(entry->u.tnl_neigh_cache.br_name, out_dev->xbridge->name,
+ sizeof entry->u.tnl_neigh_cache.br_name);
+ entry->u.tnl_neigh_cache.d_ipv6 = d_ip6;
}
- xlate_report(ctx, "tunneling from "ETH_ADDR_FMT" "IP_FMT
- " to "ETH_ADDR_FMT" "IP_FMT,
- ETH_ADDR_ARGS(smac), IP_ARGS(s_ip),
- ETH_ADDR_ARGS(dmac), IP_ARGS(d_ip));
+ xlate_report(ctx, "tunneling from "ETH_ADDR_FMT" %s"
+ " to "ETH_ADDR_FMT" %s",
+ ETH_ADDR_ARGS(smac), ipv6_string_mapped(buf_sip6, &s_ip6),
+ ETH_ADDR_ARGS(dmac), buf_dip6);
+
err = tnl_port_build_header(xport->ofport, flow,
- dmac, smac, s_ip, &tnl_push_data);
+ dmac, smac, &s_ip6, &tnl_push_data);
if (err) {
return err;
}
/* If 'struct flow' gets additional metadata, we'll need to zero it out
* before traversing a patch port. */
- BUILD_ASSERT_DECL(FLOW_WC_SEQ == 34);
+ BUILD_ASSERT_DECL(FLOW_WC_SEQ == 35);
memset(&flow_tnl, 0, sizeof flow_tnl);
if (!xport) {
}
if (xport->is_tunnel) {
+ struct in6_addr dst;
/* Save tunnel metadata so that changes made due to
* the Logical (tunnel) Port are not visible for any further
* matches, while explicit set actions on tunnel metadata are.
xlate_report(ctx, "Tunneling decided against output");
goto out; /* restore flow_nw_tos */
}
- if (flow->tunnel.ip_dst == ctx->orig_tunnel_ip_dst) {
+ dst = flow_tnl_dst(&flow->tunnel);
+ if (ipv6_addr_equals(&dst, &ctx->orig_tunnel_ipv6_dst)) {
xlate_report(ctx, "Not tunneling to our own address");
goto out; /* restore flow_nw_tos */
}
struct dp_packet *packet;
ctx->xout->slow |= SLOW_CONTROLLER;
+ xlate_commit_actions(ctx);
if (!ctx->xin->packet) {
return;
}
packet = dp_packet_clone(ctx->xin->packet);
- xlate_commit_actions(ctx);
-
odp_execute_actions(NULL, &packet, 1, false,
ctx->odp_actions->data, ctx->odp_actions->size, NULL);
.ofpacts = ctx->action_set.data,
};
- /* Only allocate recirculation ID if we have a packet. */
- if (ctx->xin->packet) {
- /* Allocate a unique recirc id for the given metadata state in the
- * flow. The life-cycle of this recirc id is managed by associating it
- * with the udpif key ('ukey') created for each new datapath flow. */
- id = recirc_alloc_id_ctx(&state);
- if (!id) {
- XLATE_REPORT_ERROR(ctx, "Failed to allocate recirculation id");
- ctx->error = XLATE_NO_RECIRCULATION_CONTEXT;
- return;
- }
- xlate_out_add_recirc(ctx->xout, id);
- } else {
- /* Look up an existing recirc id for the given metadata state in the
- * flow. No new reference is taken, as the ID is RCU protected and is
- * only required temporarily for verification.
- * If flow tables have changed sufficiently this can fail and we will
- * delete the old datapath flow. */
- id = recirc_find_id(&state);
- if (!id) {
- ctx->error = XLATE_NO_RECIRCULATION_CONTEXT;
- return;
- }
+ /* Allocate a unique recirc id for the given metadata state in the
+ * flow. An existing id, with a new reference to the corresponding
+ * recirculation context, will be returned if possible.
+ * The life-cycle of this recirc id is managed by associating it
+ * with the udpif key ('ukey') created for each new datapath flow. */
+ id = recirc_alloc_id_ctx(&state);
+ if (!id) {
+ XLATE_REPORT_ERROR(ctx, "Failed to allocate recirculation id");
+ ctx->error = XLATE_NO_RECIRCULATION_CONTEXT;
+ return;
}
+ recirc_refs_add(&ctx->xout->recircs, id);
nl_msg_put_u32(ctx->odp_actions, OVS_ACTION_ATTR_RECIRC, id);
}
ofpbuf_put(&ctx->action_set, on->actions, on_len);
- ofpact_pad(&ctx->action_set);
}
static void
case OFPACT_SAMPLE:
case OFPACT_DEBUG_RECIRC:
case OFPACT_CT:
+ case OFPACT_NAT:
break;
/* These need not be copied for restoration. */
}
}
+static void
+put_ct_nat(struct xlate_ctx *ctx)
+{
+ struct ofpact_nat *ofn = ctx->ct_nat_action;
+ size_t nat_offset;
+
+ if (!ofn) {
+ return;
+ }
+
+ nat_offset = nl_msg_start_nested(ctx->odp_actions, OVS_CT_ATTR_NAT);
+ if (ofn->flags & NX_NAT_F_SRC || ofn->flags & NX_NAT_F_DST) {
+ nl_msg_put_flag(ctx->odp_actions, ofn->flags & NX_NAT_F_SRC
+ ? OVS_NAT_ATTR_SRC : OVS_NAT_ATTR_DST);
+ if (ofn->flags & NX_NAT_F_PERSISTENT) {
+ nl_msg_put_flag(ctx->odp_actions, OVS_NAT_ATTR_PERSISTENT);
+ }
+ if (ofn->flags & NX_NAT_F_PROTO_HASH) {
+ nl_msg_put_flag(ctx->odp_actions, OVS_NAT_ATTR_PROTO_HASH);
+ } else if (ofn->flags & NX_NAT_F_PROTO_RANDOM) {
+ nl_msg_put_flag(ctx->odp_actions, OVS_NAT_ATTR_PROTO_RANDOM);
+ }
+ if (ofn->range_af == AF_INET) {
+ nl_msg_put_be32(ctx->odp_actions, OVS_NAT_ATTR_IP_MIN,
+ ofn->range.addr.ipv4.min);
+ if (ofn->range.addr.ipv4.max &&
+ (ntohl(ofn->range.addr.ipv4.max)
+ > ntohl(ofn->range.addr.ipv4.min))) {
+ nl_msg_put_be32(ctx->odp_actions, OVS_NAT_ATTR_IP_MAX,
+ ofn->range.addr.ipv4.max);
+ }
+ } else if (ofn->range_af == AF_INET6) {
+ nl_msg_put_unspec(ctx->odp_actions, OVS_NAT_ATTR_IP_MIN,
+ &ofn->range.addr.ipv6.min,
+ sizeof ofn->range.addr.ipv6.min);
+ if (!ipv6_mask_is_any(&ofn->range.addr.ipv6.max) &&
+ memcmp(&ofn->range.addr.ipv6.max, &ofn->range.addr.ipv6.min,
+ sizeof ofn->range.addr.ipv6.max) > 0) {
+ nl_msg_put_unspec(ctx->odp_actions, OVS_NAT_ATTR_IP_MAX,
+ &ofn->range.addr.ipv6.max,
+ sizeof ofn->range.addr.ipv6.max);
+ }
+ }
+ if (ofn->range_af != AF_UNSPEC && ofn->range.proto.min) {
+ nl_msg_put_u16(ctx->odp_actions, OVS_NAT_ATTR_PROTO_MIN,
+ ofn->range.proto.min);
+ if (ofn->range.proto.max &&
+ ofn->range.proto.max > ofn->range.proto.min) {
+ nl_msg_put_u16(ctx->odp_actions, OVS_NAT_ATTR_PROTO_MAX,
+ ofn->range.proto.max);
+ }
+ }
+ }
+ nl_msg_end_nested(ctx->odp_actions, nat_offset);
+}
+
static void
compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc)
{
xlate_commit_actions(ctx);
/* Process nested actions first, to populate the key. */
+ ctx->ct_nat_action = NULL;
do_xlate_actions(ofc->actions, ofpact_ct_get_action_len(ofc), ctx);
if (ofc->zone_src.field) {
put_ct_mark(&ctx->xin->flow, &ctx->base_flow, ctx->odp_actions, ctx->wc);
put_ct_label(&ctx->xin->flow, &ctx->base_flow, ctx->odp_actions, ctx->wc);
put_ct_helper(ctx->odp_actions, ofc);
+ put_ct_nat(ctx);
+ ctx->ct_nat_action = NULL;
nl_msg_end_nested(ctx->odp_actions, ct_offset);
/* Restore the original ct fields in the key. These should only be exposed
const struct ofpact *a;
if (ovs_native_tunneling_is_on(ctx->xbridge->ofproto)) {
- tnl_arp_snoop(flow, wc, ctx->xbridge->name);
- tnl_nd_snoop(flow, wc, ctx->xbridge->name);
+ tnl_neigh_snoop(flow, wc, ctx->xbridge->name);
}
/* dl_type already in the mask, not set below. */
compose_conntrack_action(ctx, ofpact_get_CT(a));
break;
+ case OFPACT_NAT:
+ /* This will be processed by compose_conntrack_action(). */
+ ctx->ct_nat_action = ofpact_get_NAT(a);
+ break;
+
case OFPACT_DEBUG_RECIRC:
ctx_trigger_recirculation(ctx);
a = ofpact_next(a);
xlate_out_uninit(struct xlate_out *xout)
{
if (xout) {
- xlate_out_free_recircs(xout);
+ recirc_refs_unref(&xout->recircs);
}
}
*xout = (struct xlate_out) {
.slow = 0,
.fail_open = false,
- .n_recircs = 0,
+ .recircs = RECIRC_REFS_EMPTY_INITIALIZER,
};
struct xlate_cfg *xcfg = ovsrcu_get(struct xlate_cfg *, &xcfgp);
.xin = xin,
.xout = xout,
.base_flow = *flow,
- .orig_tunnel_ip_dst = flow->tunnel.ip_dst,
+ .orig_tunnel_ipv6_dst = flow_tnl_dst(&flow->tunnel),
.xbridge = xbridge,
.stack = OFPBUF_STUB_INITIALIZER(stack_stub),
.rule = xin->rule,
.was_mpls = false,
.conntracked = false,
+ .ct_nat_action = NULL,
+
.action_set_has_group = false,
.action_set = OFPBUF_STUB_INITIALIZER(action_set_stub),
};
group_dpif_credit_stats(entry->u.group.group, entry->u.group.bucket,
stats);
break;
- case XC_TNL_ARP:
- /* Lookup arp to avoid arp timeout. */
- tnl_arp_lookup(entry->u.tnl_arp_cache.br_name,
- entry->u.tnl_arp_cache.d_ip, &dmac);
+ case XC_TNL_NEIGH:
+ /* Lookup neighbor to avoid timeout. */
+ tnl_neigh_lookup(entry->u.tnl_neigh_cache.br_name,
+ &entry->u.tnl_neigh_cache.d_ipv6, &dmac);
break;
default:
OVS_NOT_REACHED();
case XC_GROUP:
group_dpif_unref(entry->u.group.group);
break;
- case XC_TNL_ARP:
+ case XC_TNL_NEIGH:
break;
default:
OVS_NOT_REACHED();