mirror of
https://github.com/torvalds/linux
synced 2024-11-05 18:23:50 +00:00
9dd7f8907c
Add the fields of the conntrack original direction 5-tuple to struct sw_flow_key. The new fields are initially marked as non-existent, and are populated whenever a conntrack action is executed and either finds or generates a conntrack entry. This means that these fields exist for all packets that were not rejected by conntrack as untrackable. The original tuple fields in the sw_flow_key are filled from the original direction tuple of the conntrack entry relating to the current packet, or from the original direction tuple of the master conntrack entry, if the current conntrack entry has a master. Generally, expected connections of connections having an assigned helper (e.g., FTP), have a master conntrack entry. The main purpose of the new conntrack original tuple fields is to allow matching on them for policy decision purposes, with the premise that the admissibility of tracked connections reply packets (as well as original direction packets), and both direction packets of any related connections may be based on ACL rules applying to the master connection's original direction 5-tuple. This also makes it easier to make policy decisions when the actual packet headers might have been transformed by NAT, as the original direction 5-tuple represents the packet headers before any such transformation. When using the original direction 5-tuple the admissibility of return and/or related packets need not be based on the mere existence of a conntrack entry, allowing separation of admission policy from the established conntrack state. While existence of a conntrack entry is required for admission of the return or related packets, policy changes can render connections that were initially admitted to be rejected or dropped afterwards. If the admission of the return and related packets was based on mere conntrack state (e.g., connection being in an established state), a policy change that would make the connection rejected or dropped would need to find and delete all conntrack entries affected by such a change. When using the original direction 5-tuple matching the affected conntrack entries can be allowed to time out instead, as the established state of the connection would not need to be the basis for packet admission any more. It should be noted that the directionality of related connections may be the same or different than that of the master connection, and neither the original direction 5-tuple nor the conntrack state bits carry this information. If needed, the directionality of the master connection can be stored in master's conntrack mark or labels, which are automatically inherited by the expected related connections. The fact that neither ARP nor ND packets are trackable by conntrack allows mutual exclusion between ARP/ND and the new conntrack original tuple fields. Hence, the IP addresses are overlaid in union with ARP and ND fields. This allows the sw_flow_key to not grow much due to this patch, but it also means that we must be careful to never use the new key fields with ARP or ND packets. ARP is easy to distinguish and keep mutually exclusive based on the ethernet type, but ND being an ICMPv6 protocol requires a bit more attention. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Acked-by: Joe Stringer <joe@ovn.org> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net>
82 lines
2.9 KiB
C
82 lines
2.9 KiB
C
/*
|
|
* Copyright (c) 2007-2013 Nicira, Inc.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
* License as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA
|
|
*/
|
|
|
|
|
|
#ifndef FLOW_NETLINK_H
|
|
#define FLOW_NETLINK_H 1
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/netlink.h>
|
|
#include <linux/openvswitch.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/types.h>
|
|
#include <linux/rcupdate.h>
|
|
#include <linux/if_ether.h>
|
|
#include <linux/in6.h>
|
|
#include <linux/jiffies.h>
|
|
#include <linux/time.h>
|
|
#include <linux/flex_array.h>
|
|
|
|
#include <net/inet_ecn.h>
|
|
#include <net/ip_tunnels.h>
|
|
|
|
#include "flow.h"
|
|
|
|
size_t ovs_tun_key_attr_size(void);
|
|
size_t ovs_key_attr_size(void);
|
|
|
|
void ovs_match_init(struct sw_flow_match *match,
|
|
struct sw_flow_key *key, bool reset_key,
|
|
struct sw_flow_mask *mask);
|
|
|
|
int ovs_nla_put_key(const struct sw_flow_key *, const struct sw_flow_key *,
|
|
int attr, bool is_mask, struct sk_buff *);
|
|
int parse_flow_nlattrs(const struct nlattr *attr, const struct nlattr *a[],
|
|
u64 *attrsp, bool log);
|
|
int ovs_nla_get_flow_metadata(struct net *net,
|
|
const struct nlattr *a[OVS_KEY_ATTR_MAX + 1],
|
|
u64 attrs, struct sw_flow_key *key, bool log);
|
|
|
|
int ovs_nla_put_identifier(const struct sw_flow *flow, struct sk_buff *skb);
|
|
int ovs_nla_put_masked_key(const struct sw_flow *flow, struct sk_buff *skb);
|
|
int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb);
|
|
|
|
int ovs_nla_get_match(struct net *, struct sw_flow_match *,
|
|
const struct nlattr *key, const struct nlattr *mask,
|
|
bool log);
|
|
|
|
int ovs_nla_put_tunnel_info(struct sk_buff *skb,
|
|
struct ip_tunnel_info *tun_info);
|
|
|
|
bool ovs_nla_get_ufid(struct sw_flow_id *, const struct nlattr *, bool log);
|
|
int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid,
|
|
const struct sw_flow_key *key, bool log);
|
|
u32 ovs_nla_get_ufid_flags(const struct nlattr *attr);
|
|
|
|
int ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
|
|
const struct sw_flow_key *key,
|
|
struct sw_flow_actions **sfa, bool log);
|
|
int ovs_nla_add_action(struct sw_flow_actions **sfa, int attrtype,
|
|
void *data, int len, bool log);
|
|
int ovs_nla_put_actions(const struct nlattr *attr,
|
|
int len, struct sk_buff *skb);
|
|
|
|
void ovs_nla_free_flow_actions(struct sw_flow_actions *);
|
|
void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
|
|
|
|
#endif /* flow_netlink.h */
|