Age | Commit message (Collapse) | Author |
|
Replaced all instances of Nicira Networks(, Inc) to Nicira, Inc.
Feature #10593
Signed-off-by: Raju Subramanian <rsubramanian@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
This commit adds support to specify a mask in CIDR format for
the nd_target field.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
|
|
Most flow tables have some kind of "catchall" rule that matches every
packet. For this table, the cost of copying, zeroing, and hashing the
input flow is significant. This patch avoids these costs.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Bug #8827.
Signed-off-by: Ben Pfaff <blp@nicira.com>
|
|
Signed-off-by: Ethan Jackson <ethan@nicira.com>
|
|
The meta-flow code enforces IPv4/IPv6 masks, so there's no reason to do
it again in the classifier. This allows a number of functions to be
removed, since the only callers were in this classifier code.
|
|
Most of the members in structures referring to network elements indicate
the layer (e.g., "tl_", "nw_", "tp_"). The "frag" and "tos" members
didn't, so this commit add them.
|
|
Add support matching the IPv4 TTL and IPv6 hop limit fields. This
commit also adds support for modifying the IPv4 TTL. Modifying the IPv6
hop limit isn't currently supported, since we don't support modifying
IPv6 headers.
We will likely want to change the user-space interface, since basic
matching and setting the TTL are not generally useful. We will probably
want the ability to match on extraordinary events (such as TTL of 0 or 1)
and a decrement action.
Feature #8024
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
Until now, OVS has handled IP fragments more awkwardly than necessary. It
has not been possible to match on L4 headers, even in fragments with offset
0 where they are actually present. This means that there was no way to
implement ACLs that treat, say, different TCP ports differently, on
fragmented traffic; instead, all decisions for fragment forwarding had to
be made on the basis of L2 and L3 headers alone.
This commit improves the situation significantly. It is still not possible
to match on L4 headers in fragments with nonzero offset, because that
information is simply not present in such fragments, but this commit adds
the ability to match on L4 headers for fragments with zero offset. This
means that it becomes possible to implement ACLs that drop such "first
fragments" on the basis of L4 headers. In practice, that effectively
blocks even fragmented traffic on an L4 basis, because the receiving IP
stack cannot reassemble a full packet when the first fragment is missing.
This commit works by adding a new "fragment type" to the kernel flow match
and making it available through OpenFlow as a new NXM field named
NXM_NX_IP_FRAG. Because OpenFlow 1.0 explicitly says that the L4 fields
are always 0 for IP fragments, it adds a new OpenFlow fragment handling
mode that fills in the L4 fields for "first fragments". It also enhances
ovs-ofctl to allow users to configure this new fragment handling mode and
to parse the new field.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Bug #7557.
|
|
Without this commit, every NXAST_LEARN action that adds a flow causes every
facet to be revalidated. With this commit, as long as the "Usage Advice"
in the large comment on struct nx_action_learn in nicira-ext.h is followed,
this no longer happens.
|
|
The other cls_rule_*() functions that take IPv6 addresses take a pointer
to an in6_addr, so cls_rule_set_nd_target() should as well for consistency.
Possibly this is more efficient also, although I guess it doesn't really
make much of a difference either way.
|
|
|
|
This commit makes several library headers suitable for inclusion in C++.
It adds [extern "C"] guards and makes minor changes to fix casting and
keyword issues.
|
|
An upcoming commit will introduce the first use.
|
|
I think that this makes nx-match.c a little easier to read. The new
functions added here will have more users in an upcoming patch.
|
|
Before, ->rule_construct() both created the rule and inserted into the
flow table, but ->rule_destruct() only destroyed the rule. This makes
->rule_destruct() also remove the rule from the flow table.
|
|
IPv6 uses Neighbor Discovery messages in a similar manner to how IPv4
uses ARP. This commit adds support for matching deeper into the
payloads of Neighbor Solicitation (NS) and Neighbor Advertisement (NA)
messages. Currently, the matching fields include:
- NS and NA Target (nd_target)
- NS Source Link Layer Address (nd_sll)
- NA Target Link Layer Address (nd_tll)
When defining IPv6 Neighbor Discovery rules, the Nicira Extensible Match
(NXM) extension to OVS must be used.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
|
Provides ability to match over IPv6 traffic in the same manner as IPv4.
Currently, the matching fields include:
- IPv6 source and destination addresses (ipv6_src and ipv6_dst)
- Traffic Class (nw_tos)
- Next Header (nw_proto)
- ICMPv6 Type and Code (icmp_type and icmp_code)
- TCP and UDP Ports over IPv6 (tp_src and tp_dst)
When defining IPv6 rules, the Nicira Extensible Match (NXM) extension to
OVS must be used.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
|
OpenFlow 1.0 doesn't allow matching on the ARP source and target
hardware address. This has caused us to introduce hacks such as the
Drop Spoofed ARP action. Now that we have extensible match, we can
match on more fields within ARP:
- Source Hardware Address (arp_sha)
- Target Hardware Address (arp_tha)
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
|
|
This was documented to work, but not implemented.
Requested-by: Pankaj Thakkar <thakkar@nicira.com>
|
|
We have a need to identify tunnels with keys longer than 32 bits. This
commit adds basic datapath and OpenFlow support for such keys. It doesn't
actually add any tunnel protocols that support 64-bit keys, so this is not
very useful yet.
The 'arg' member of struct odp_msg had to be expanded to 64-bits also,
because it sometimes contains a tunnel ID. This member also contains the
argument passed to ODPAT_CONTROLLER, so I expanded that action's argument
to 64 bits also so that it can use the full width of the expanded 'arg'.
Userspace doesn't take advantage of the new space though (it was only
using 16 bits anyhow).
This commit has been tested only to the extent that it doesn't disrupt
basic Open vSwitch operation. I have not tested it with tunnel traffic.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
Feature #3976.
|
|
The old formatting was only good enough for debugging, but now we need to
be able to format cls_rules as part of ofp-print.c. This new code is
modeled after ofp_match_to_string().
|
|
|
|
|
|
Since the Nicira Extended Match was specified nicira-ext.h has claimed that
arbitrary masks are allowed, but in fact only certain masks were actually
implemented. This commit implements general masking for the 802.1Q VLAN
TCI field.
|
|
Originally, wildcards were just the OpenFlow OFPFW_* bits. Then, when
OpenFlow added CIDR masks for IP addresses, struct flow_wildcards was born
with additional members for those masks, derived from the wildcard bits.
Then, when OVS added support for tunnels, we added another bit
NXFW_TUN_ID that coexisted with the OFPFW_*. Later we added even more bits
that do not appear in the OpenFlow 1.0 match structure at all. This had
become really confusing, and the difficulties were especially visible in
the long list of invariants in comments on struct flow_wildcards.
This commit cleanly separates the OpenFlow 1.0 wildcard bits from the
bits used inside Open vSwitch, by defining a new set of bits that are
used only internally to Open vSwitch and converting to and from those
wildcard bits at the point where data comes off or goes onto the wire.
It also moves those functions into ofp-util.[ch] since they are only for
dealing with OpenFlow wire protocol now.
|
|
The flow_from_match() and flow_to_match() functions have to deal with most
of the state in a cls_rule anyhow, and this will increase in upcoming
commits, to the point that we might as well just use a cls_rule anyhow.
This commit therefore deletes flow_from_match() and flow_to_match(),
integrating their code into cls_rule_from_match() and the new function
cls_rule_to_match(), respectively. It also changes each of the functions'
callers to use the new cls_rule_*() function.
|
|
|
|
These functions no longer have any users.
|
|
This is much more convenient in practice than being forced to use a
callback function.
|
|
These functions and macros are no longer used.
|
|
This type and these parameters were useful when ofproto had the need to
separately traverse exact-match rules looking for subrules, but it no
longer does that because subrules (now called "facets") are not kept in
the classifier any longer. All the callers are now passing CLS_INC_ALL
anyhow, so we might as well delete this feature and simplify the code.
|
|
|
|
These will be handy later but are not used yet.
|
|
These will be useful elsewhere later.
|
|
This is a small cleanup that will make later changes to wildcards easier.
|
|
Justin said that he found the shorter name confusing.
|
|
Upcoming commits will add more flow formats, so this needs to be
an enumerated type instead of a bool.
|
|
The old classifier was not adaptive: it required knowing the structure of
the flows that were likely to be in use to get good performance. It is
likely that it degenerated to linear search in any real-world case.
This new classifier is adaptive and should perform better in the real
world.
|
|
There's no benefit to spelling out all of the components of a cls_rule
separately. Just use cls_rule itself.
|
|
There's no benefit to spelling out all of the components of a cls_rule
separately. Just use cls_rule itself.
|
|
Merge these functions into classifier_lookup() and update its interface.
The new version of the classifier soon to be implemented naturally merges
these functions, so this commit updates the interface early.
|
|
In preparation for rewriting the classifier, remove some functions that
nothing uses and have no tests.
|
|
When userspace and the kernel were using the same structure for flows,
flow_t was a useful way to indicate that a structure was really a userspace
flow instead of a kernel one, but now it's better to just write "struct
flow" for consistency, since OVS doesn't use typedefs for structs
elsewhere.
Acked-by: Jesse Gross <jesse@nicira.com>
|
|
The CLASSIFIER_FOR_EACH_EXACT_RULE_SAFE macro was missing its "MEMBER"
argument. It doesn't currently cause any problems because no one uses
the macro.
|
|
This special case of iterating through flows is easier and presumably
faster to implement using a macro.
|
|
Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Jesse Gross <jesse@nicira.com>
|
|
Add a tun_id field which contains the ID of the encapsulating tunnel
on which a packet was received (0 if not received on a tunnel). Also
add an action which allows the tunnel ID to be set for outgoing
packets. At this point there aren't any tunnel implementations so
these fields don't have any effect.
The matching is exposed to OpenFlow by overloading the high 32 bits
of the cookie as the tunnel ID. ovs-ofctl is capable of turning
on this special behavior using a new "tun-cookie" command but this
command is intentially undocumented to avoid it being used without
a full understanding of the consequences.
|