conntrack: New userspace connection tracker.

This commit adds the conntrack module. It is a connection tracker that resides entirely in userspace. Its primary user will be the dpif-netdev datapath. The module main goal is to provide conntrack_execute(), which offers a convenient interface to implement the datapath ct() action. The conntrack module uses two submodules to deal with the l4 protocol details (conntrack-other for UDP and ICMP, conntrack-tcp for TCP). The conntrack-tcp submodule implementation is adapted from FreeBSD's pf subsystem, therefore it's BSD licensed. It has been slightly altered to match the OVS coding style and to allow the pickup of already established connections. Signed-off-by: Daniele Di Proietto <[email protected]> Acked-by: Antonio Fischetti <[email protected]> Acked-by: Joe Stringer <[email protected]>
Dragmaf93 · Jul 28, 2016 · a489b16 · a489b16
1 parent 206b60d
commit a489b16
Show file tree

Hide file tree

Showing 10 changed files with 1,699 additions and 0 deletions.
diff --git a/COPYING b/COPYING
@@ -25,6 +25,7 @@ License, version 2.
 The following files are licensed under the 2-clause BSD license.
     include/windows/getopt.h
     lib/getopt_long.c
+    lib/conntrack-tcp.c
 
 The following files are licensed under the 3-clause BSD-license
     include/windows/netinet/icmp6.h

diff --git a/debian/copyright.in b/debian/copyright.in
@@ -21,6 +21,9 @@ Upstream Copyright Holders:
 	Copyright (c) 2014 Michael Chapman
 	Copyright (c) 2014 WindRiver, Inc.
 	Copyright (c) 2014 Avaya, Inc.
+	Copyright (c) 2001 Daniel Hartmeier
+	Copyright (c) 2002 - 2008 Henning Brauer
+	Copyright (c) 2012 Gleb Smirnoff <[email protected]>
 
 License:
 
@@ -90,6 +93,7 @@ License:
 	lib/getopt_long.c
 	include/windows/getopt.h
 	datapath-windows/ovsext/Conntrack-tcp.c
+	lib/conntrack-tcp.c
 
 * The following files are licensed under the 3-clause BSD-license
 

diff --git a/include/openvswitch/types.h b/include/openvswitch/types.h
@@ -108,6 +108,10 @@ static const ovs_u128 OVS_U128_MAX = { { UINT32_MAX, UINT32_MAX,
                                          UINT32_MAX, UINT32_MAX } };
 static const ovs_be128 OVS_BE128_MAX OVS_UNUSED = { { OVS_BE32_MAX, OVS_BE32_MAX,
                                            OVS_BE32_MAX, OVS_BE32_MAX } };
+static const ovs_u128 OVS_U128_MIN OVS_UNUSED = { {0, 0, 0, 0} };
+static const ovs_u128 OVS_BE128_MIN OVS_UNUSED = { {0, 0, 0, 0} };
+
+#define OVS_U128_ZERO OVS_U128_MIN
 
 /* A 64-bit value, in network byte order, that is only aligned on a 32-bit
  * boundary. */

diff --git a/lib/automake.mk b/lib/automake.mk
@@ -49,6 +49,11 @@ lib_libopenvswitch_la_SOURCES = \
 	lib/compiler.h \
 	lib/connectivity.c \
 	lib/connectivity.h \
+	lib/conntrack-private.h \
+	lib/conntrack-tcp.c \
+	lib/conntrack-other.c \
+	lib/conntrack.c \
+	lib/conntrack.h \
 	lib/coverage.c \
 	lib/coverage.h \
 	lib/crc32c.c \

diff --git a/lib/conntrack-other.c b/lib/conntrack-other.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2015, 2016 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <config.h>
+
+#include "conntrack-private.h"
+#include "dp-packet.h"
+
+enum other_state {
+    OTHERS_FIRST,
+    OTHERS_MULTIPLE,
+    OTHERS_BIDIR,
+};
+
+struct conn_other {
+    struct conn up;
+    enum other_state state;
+};
+
+static const enum ct_timeout other_timeouts[] = {
+    [OTHERS_FIRST] = CT_TM_OTHER_FIRST,
+    [OTHERS_MULTIPLE] = CT_TM_OTHER_MULTIPLE,
+    [OTHERS_BIDIR] = CT_TM_OTHER_BIDIR,
+};
+
+static struct conn_other *
+conn_other_cast(const struct conn *conn)
+{
+    return CONTAINER_OF(conn, struct conn_other, up);
+}
+
+static enum ct_update_res
+other_conn_update(struct conn *conn_, struct dp_packet *pkt OVS_UNUSED,
+                  bool reply, long long now)
+{
+    struct conn_other *conn = conn_other_cast(conn_);
+
+    if (reply && conn->state != OTHERS_BIDIR) {
+        conn->state = OTHERS_BIDIR;
+    } else if (conn->state == OTHERS_FIRST) {
+        conn->state = OTHERS_MULTIPLE;
+    }
+
+    update_expiration(conn_, other_timeouts[conn->state], now);
+
+    return CT_UPDATE_VALID;
+}
+
+static bool
+other_valid_new(struct dp_packet *pkt OVS_UNUSED)
+{
+    return true;
+}
+
+static struct conn *
+other_new_conn(struct dp_packet *pkt OVS_UNUSED, long long now)
+{
+    struct conn_other *conn;
+
+    conn = xzalloc(sizeof *conn);
+    conn->state = OTHERS_FIRST;
+
+    update_expiration(&conn->up, other_timeouts[conn->state], now);
+
+    return &conn->up;
+}
+
+struct ct_l4_proto ct_proto_other = {
+    .new_conn = other_new_conn,
+    .valid_new = other_valid_new,
+    .conn_update = other_conn_update,
+};
diff --git a/lib/conntrack-private.h b/lib/conntrack-private.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2015, 2016 Nicira, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef CONNTRACK_PRIVATE_H
+#define CONNTRACK_PRIVATE_H 1
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netinet/ip6.h>
+
+#include "conntrack.h"
+#include "openvswitch/hmap.h"
+#include "openvswitch/list.h"
+#include "openvswitch/types.h"
+#include "packets.h"
+#include "unaligned.h"
+
+struct ct_addr {
+    union {
+        ovs_16aligned_be32 ipv4;
+        union ovs_16aligned_in6_addr ipv6;
+        ovs_be32 ipv4_aligned;
+        struct in6_addr ipv6_aligned;
+    };
+};
+
+struct ct_endpoint {
+    struct ct_addr addr;
+    ovs_be16 port;
+};
+
+/* Changes to this structure need to be reflected in conn_key_hash() */
+struct conn_key {
+    struct ct_endpoint src;
+    struct ct_endpoint dst;
+
+    ovs_be16 dl_type;
+    uint8_t nw_proto;
+    uint16_t zone;
+};
+
+struct conn {
+    struct conn_key key;
+    struct conn_key rev_key;
+    long long expiration;
+    struct ovs_list exp_node;
+    struct hmap_node node;
+    uint32_t mark;
+    ovs_u128 label;
+};
+
+enum ct_update_res {
+    CT_UPDATE_INVALID,
+    CT_UPDATE_VALID,
+    CT_UPDATE_NEW,
+};
+
+struct ct_l4_proto {
+    struct conn *(*new_conn)(struct dp_packet *pkt, long long now);
+    bool (*valid_new)(struct dp_packet *pkt);
+    enum ct_update_res (*conn_update)(struct conn *conn, struct dp_packet *pkt,
+                                      bool reply, long long now);
+};
+
+extern struct ct_l4_proto ct_proto_tcp;
+extern struct ct_l4_proto ct_proto_other;
+
+extern long long ct_timeout_val[];
+
+static inline void
+update_expiration(struct conn *conn, enum ct_timeout tm, long long now)
+{
+    conn->expiration = now + ct_timeout_val[tm];
+}
+
+#endif /* conntrack-private.h */