]>
Commit | Line | Data |
---|---|---|
ac0630a2 RB |
1 | /* |
2 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
3 | * you may not use this file except in compliance with the License. | |
4 | * You may obtain a copy of the License at: | |
5 | * | |
6 | * http://www.apache.org/licenses/LICENSE-2.0 | |
7 | * | |
8 | * Unless required by applicable law or agreed to in writing, software | |
9 | * distributed under the License is distributed on an "AS IS" BASIS, | |
10 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
11 | * See the License for the specific language governing permissions and | |
12 | * limitations under the License. | |
13 | */ | |
14 | ||
15 | #include <config.h> | |
16 | ||
17 | #include <getopt.h> | |
18 | #include <stdlib.h> | |
19 | #include <stdio.h> | |
20 | ||
b511690b | 21 | #include "bitmap.h" |
ac0630a2 | 22 | #include "command-line.h" |
67d9b930 | 23 | #include "daemon.h" |
ac0630a2 | 24 | #include "dirs.h" |
3e8a2ad1 | 25 | #include "openvswitch/dynamic-string.h" |
ac0630a2 | 26 | #include "fatal-signal.h" |
4edcdcf4 | 27 | #include "hash.h" |
ee89ea7b TW |
28 | #include "openvswitch/hmap.h" |
29 | #include "openvswitch/json.h" | |
8b2ed684 | 30 | #include "ovn/lex.h" |
281977f7 | 31 | #include "ovn/lib/ovn-dhcp.h" |
e3df8838 BP |
32 | #include "ovn/lib/ovn-nb-idl.h" |
33 | #include "ovn/lib/ovn-sb-idl.h" | |
218351dd | 34 | #include "ovn/lib/ovn-util.h" |
a6095f81 | 35 | #include "ovn/actions.h" |
064d7f84 | 36 | #include "packets.h" |
ac0630a2 | 37 | #include "poll-loop.h" |
5868eb24 | 38 | #include "smap.h" |
7a15be69 | 39 | #include "sset.h" |
ac0630a2 RB |
40 | #include "stream.h" |
41 | #include "stream-ssl.h" | |
7b303ff9 | 42 | #include "unixctl.h" |
ac0630a2 | 43 | #include "util.h" |
4edcdcf4 | 44 | #include "uuid.h" |
ac0630a2 RB |
45 | #include "openvswitch/vlog.h" |
46 | ||
2e2762d4 | 47 | VLOG_DEFINE_THIS_MODULE(ovn_northd); |
ac0630a2 | 48 | |
7b303ff9 AW |
49 | static unixctl_cb_func ovn_northd_exit; |
50 | ||
/* State shared by one iteration of the ovn-northd main loop: the IDL
 * connections to the OVN Northbound and Southbound databases, plus the
 * open transaction (if any) on each. */
struct northd_context {
    struct ovsdb_idl *ovnnb_idl;
    struct ovsdb_idl *ovnsb_idl;
    struct ovsdb_idl_txn *ovnnb_txn;
    struct ovsdb_idl_txn *ovnsb_txn;
};
57 | ||
ac0630a2 | 58 | static const char *ovnnb_db; |
ec78987f | 59 | static const char *ovnsb_db; |
ac0630a2 | 60 | |
8639f9be ND |
61 | #define MAC_ADDR_PREFIX 0x0A0000000000ULL |
62 | #define MAC_ADDR_SPACE 0xffffff | |
63 | ||
64 | /* MAC address management (macam) table of "struct eth_addr"s, that holds the | |
65 | * MAC addresses allocated by the OVN ipam module. */ | |
66 | static struct hmap macam = HMAP_INITIALIZER(&macam); | |
b511690b GS |
67 | |
68 | #define MAX_OVN_TAGS 4096 | |
880fcd14 BP |
69 | \f |
70 | /* Pipeline stages. */ | |
ac0630a2 | 71 | |
880fcd14 BP |
72 | /* The two pipelines in an OVN logical flow table. */ |
73 | enum ovn_pipeline { | |
74 | P_IN, /* Ingress pipeline. */ | |
75 | P_OUT /* Egress pipeline. */ | |
76 | }; | |
091e3af9 | 77 | |
880fcd14 BP |
78 | /* The two purposes for which ovn-northd uses OVN logical datapaths. */ |
79 | enum ovn_datapath_type { | |
80 | DP_SWITCH, /* OVN logical switch. */ | |
81 | DP_ROUTER /* OVN logical router. */ | |
091e3af9 JP |
82 | }; |
83 | ||
880fcd14 BP |
84 | /* Returns an "enum ovn_stage" built from the arguments. |
85 | * | |
86 | * (It's better to use ovn_stage_build() for type-safety reasons, but inline | |
87 | * functions can't be used in enums or switch cases.) */ | |
88 | #define OVN_STAGE_BUILD(DP_TYPE, PIPELINE, TABLE) \ | |
89 | (((DP_TYPE) << 9) | ((PIPELINE) << 8) | (TABLE)) | |
90 | ||
91 | /* A stage within an OVN logical switch or router. | |
091e3af9 | 92 | * |
880fcd14 BP |
93 | * An "enum ovn_stage" indicates whether the stage is part of a logical switch |
94 | * or router, whether the stage is part of the ingress or egress pipeline, and | |
95 | * the table within that pipeline. The first three components are combined to | |
685f4dfe | 96 | * form the stage's full name, e.g. S_SWITCH_IN_PORT_SEC_L2, |
880fcd14 BP |
97 | * S_ROUTER_OUT_DELIVERY. */ |
98 | enum ovn_stage { | |
1a03fc7d BS |
99 | #define PIPELINE_STAGES \ |
100 | /* Logical switch ingress stages. */ \ | |
101 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_L2, 0, "ls_in_port_sec_l2") \ | |
102 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_IP, 1, "ls_in_port_sec_ip") \ | |
103 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_ND, 2, "ls_in_port_sec_nd") \ | |
104 | PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 3, "ls_in_pre_acl") \ | |
105 | PIPELINE_STAGE(SWITCH, IN, PRE_LB, 4, "ls_in_pre_lb") \ | |
106 | PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 5, "ls_in_pre_stateful") \ | |
107 | PIPELINE_STAGE(SWITCH, IN, ACL, 6, "ls_in_acl") \ | |
108 | PIPELINE_STAGE(SWITCH, IN, QOS_MARK, 7, "ls_in_qos_mark") \ | |
109 | PIPELINE_STAGE(SWITCH, IN, LB, 8, "ls_in_lb") \ | |
110 | PIPELINE_STAGE(SWITCH, IN, STATEFUL, 9, "ls_in_stateful") \ | |
111 | PIPELINE_STAGE(SWITCH, IN, ARP_ND_RSP, 10, "ls_in_arp_rsp") \ | |
112 | PIPELINE_STAGE(SWITCH, IN, DHCP_OPTIONS, 11, "ls_in_dhcp_options") \ | |
113 | PIPELINE_STAGE(SWITCH, IN, DHCP_RESPONSE, 12, "ls_in_dhcp_response") \ | |
114 | PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 13, "ls_in_l2_lkup") \ | |
e0c9e58b JP |
115 | \ |
116 | /* Logical switch egress stages. */ \ | |
7a15be69 GS |
117 | PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 0, "ls_out_pre_lb") \ |
118 | PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 1, "ls_out_pre_acl") \ | |
119 | PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \ | |
120 | PIPELINE_STAGE(SWITCH, OUT, LB, 3, "ls_out_lb") \ | |
121 | PIPELINE_STAGE(SWITCH, OUT, ACL, 4, "ls_out_acl") \ | |
1a03fc7d BS |
122 | PIPELINE_STAGE(SWITCH, OUT, QOS_MARK, 5, "ls_out_qos_mark") \ |
123 | PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 6, "ls_out_stateful") \ | |
124 | PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 7, "ls_out_port_sec_ip") \ | |
125 | PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 8, "ls_out_port_sec_l2") \ | |
e0c9e58b JP |
126 | \ |
127 | /* Logical router ingress stages. */ \ | |
128 | PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ | |
129 | PIPELINE_STAGE(ROUTER, IN, IP_INPUT, 1, "lr_in_ip_input") \ | |
cc4583aa GS |
130 | PIPELINE_STAGE(ROUTER, IN, DEFRAG, 2, "lr_in_defrag") \ |
131 | PIPELINE_STAGE(ROUTER, IN, UNSNAT, 3, "lr_in_unsnat") \ | |
132 | PIPELINE_STAGE(ROUTER, IN, DNAT, 4, "lr_in_dnat") \ | |
133 | PIPELINE_STAGE(ROUTER, IN, IP_ROUTING, 5, "lr_in_ip_routing") \ | |
134 | PIPELINE_STAGE(ROUTER, IN, ARP_RESOLVE, 6, "lr_in_arp_resolve") \ | |
135 | PIPELINE_STAGE(ROUTER, IN, ARP_REQUEST, 7, "lr_in_arp_request") \ | |
e0c9e58b JP |
136 | \ |
137 | /* Logical router egress stages. */ \ | |
de297547 GS |
138 | PIPELINE_STAGE(ROUTER, OUT, SNAT, 0, "lr_out_snat") \ |
139 | PIPELINE_STAGE(ROUTER, OUT, DELIVERY, 1, "lr_out_delivery") | |
880fcd14 BP |
140 | |
141 | #define PIPELINE_STAGE(DP_TYPE, PIPELINE, STAGE, TABLE, NAME) \ | |
142 | S_##DP_TYPE##_##PIPELINE##_##STAGE \ | |
143 | = OVN_STAGE_BUILD(DP_##DP_TYPE, P_##PIPELINE, TABLE), | |
144 | PIPELINE_STAGES | |
145 | #undef PIPELINE_STAGE | |
091e3af9 JP |
146 | }; |
147 | ||
6bb4a18e JP |
148 | /* Due to various hard-coded priorities need to implement ACLs, the |
149 | * northbound database supports a smaller range of ACL priorities than | |
150 | * are available to logical flows. This value is added to an ACL | |
151 | * priority to determine the ACL's logical flow priority. */ | |
152 | #define OVN_ACL_PRI_OFFSET 1000 | |
153 | ||
facf8652 | 154 | #define REGBIT_CONNTRACK_DEFRAG "reg0[0]" |
fa313a8c | 155 | #define REGBIT_CONNTRACK_COMMIT "reg0[1]" |
7a15be69 | 156 | #define REGBIT_CONNTRACK_NAT "reg0[2]" |
281977f7 | 157 | #define REGBIT_DHCP_OPTS_RESULT "reg0[3]" |
facf8652 | 158 | |
880fcd14 BP |
159 | /* Returns an "enum ovn_stage" built from the arguments. */ |
160 | static enum ovn_stage | |
161 | ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline pipeline, | |
162 | uint8_t table) | |
163 | { | |
164 | return OVN_STAGE_BUILD(dp_type, pipeline, table); | |
165 | } | |
166 | ||
167 | /* Returns the pipeline to which 'stage' belongs. */ | |
168 | static enum ovn_pipeline | |
169 | ovn_stage_get_pipeline(enum ovn_stage stage) | |
170 | { | |
171 | return (stage >> 8) & 1; | |
172 | } | |
173 | ||
174 | /* Returns the table to which 'stage' belongs. */ | |
175 | static uint8_t | |
176 | ovn_stage_get_table(enum ovn_stage stage) | |
177 | { | |
178 | return stage & 0xff; | |
179 | } | |
180 | ||
181 | /* Returns a string name for 'stage'. */ | |
182 | static const char * | |
183 | ovn_stage_to_str(enum ovn_stage stage) | |
184 | { | |
185 | switch (stage) { | |
186 | #define PIPELINE_STAGE(DP_TYPE, PIPELINE, STAGE, TABLE, NAME) \ | |
187 | case S_##DP_TYPE##_##PIPELINE##_##STAGE: return NAME; | |
188 | PIPELINE_STAGES | |
189 | #undef PIPELINE_STAGE | |
190 | default: return "<unknown>"; | |
191 | } | |
192 | } | |
9a9961d2 BP |
193 | |
194 | /* Returns the type of the datapath to which a flow with the given 'stage' may | |
195 | * be added. */ | |
196 | static enum ovn_datapath_type | |
197 | ovn_stage_to_datapath_type(enum ovn_stage stage) | |
198 | { | |
199 | switch (stage) { | |
200 | #define PIPELINE_STAGE(DP_TYPE, PIPELINE, STAGE, TABLE, NAME) \ | |
201 | case S_##DP_TYPE##_##PIPELINE##_##STAGE: return DP_##DP_TYPE; | |
202 | PIPELINE_STAGES | |
203 | #undef PIPELINE_STAGE | |
204 | default: OVS_NOT_REACHED(); | |
205 | } | |
206 | } | |
880fcd14 | 207 | \f |
ac0630a2 RB |
208 | static void |
209 | usage(void) | |
210 | { | |
211 | printf("\ | |
212 | %s: OVN northbound management daemon\n\ | |
213 | usage: %s [OPTIONS]\n\ | |
214 | \n\ | |
215 | Options:\n\ | |
216 | --ovnnb-db=DATABASE connect to ovn-nb database at DATABASE\n\ | |
217 | (default: %s)\n\ | |
ec78987f | 218 | --ovnsb-db=DATABASE connect to ovn-sb database at DATABASE\n\ |
ac0630a2 RB |
219 | (default: %s)\n\ |
220 | -h, --help display this help message\n\ | |
221 | -o, --options list available options\n\ | |
222 | -V, --version display version information\n\ | |
60bdd011 | 223 | ", program_name, program_name, default_nb_db(), default_sb_db()); |
67d9b930 | 224 | daemon_usage(); |
ac0630a2 RB |
225 | vlog_usage(); |
226 | stream_usage("database", true, true, false); | |
227 | } | |
228 | \f | |
5868eb24 BP |
229 | struct tnlid_node { |
230 | struct hmap_node hmap_node; | |
231 | uint32_t tnlid; | |
232 | }; | |
233 | ||
234 | static void | |
235 | destroy_tnlids(struct hmap *tnlids) | |
4edcdcf4 | 236 | { |
4ec3d7c7 DDP |
237 | struct tnlid_node *node; |
238 | HMAP_FOR_EACH_POP (node, hmap_node, tnlids) { | |
5868eb24 BP |
239 | free(node); |
240 | } | |
241 | hmap_destroy(tnlids); | |
242 | } | |
243 | ||
244 | static void | |
245 | add_tnlid(struct hmap *set, uint32_t tnlid) | |
246 | { | |
247 | struct tnlid_node *node = xmalloc(sizeof *node); | |
248 | hmap_insert(set, &node->hmap_node, hash_int(tnlid, 0)); | |
249 | node->tnlid = tnlid; | |
4edcdcf4 RB |
250 | } |
251 | ||
4edcdcf4 | 252 | static bool |
5868eb24 | 253 | tnlid_in_use(const struct hmap *set, uint32_t tnlid) |
4edcdcf4 | 254 | { |
5868eb24 BP |
255 | const struct tnlid_node *node; |
256 | HMAP_FOR_EACH_IN_BUCKET (node, hmap_node, hash_int(tnlid, 0), set) { | |
257 | if (node->tnlid == tnlid) { | |
258 | return true; | |
259 | } | |
260 | } | |
261 | return false; | |
262 | } | |
4edcdcf4 | 263 | |
5868eb24 BP |
264 | static uint32_t |
265 | allocate_tnlid(struct hmap *set, const char *name, uint32_t max, | |
266 | uint32_t *hint) | |
267 | { | |
268 | for (uint32_t tnlid = *hint + 1; tnlid != *hint; | |
269 | tnlid = tnlid + 1 <= max ? tnlid + 1 : 1) { | |
270 | if (!tnlid_in_use(set, tnlid)) { | |
271 | add_tnlid(set, tnlid); | |
272 | *hint = tnlid; | |
273 | return tnlid; | |
274 | } | |
4edcdcf4 RB |
275 | } |
276 | ||
5868eb24 BP |
277 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); |
278 | VLOG_WARN_RL(&rl, "all %s tunnel ids exhausted", name); | |
279 | return 0; | |
280 | } | |
281 | \f | |
a6095f81 BS |
282 | struct ovn_chassis_qdisc_queues { |
283 | struct hmap_node key_node; | |
284 | uint32_t queue_id; | |
285 | struct uuid chassis_uuid; | |
286 | }; | |
287 | ||
288 | static void | |
289 | destroy_chassis_queues(struct hmap *set) | |
290 | { | |
291 | struct ovn_chassis_qdisc_queues *node; | |
292 | HMAP_FOR_EACH_POP (node, key_node, set) { | |
293 | free(node); | |
294 | } | |
295 | hmap_destroy(set); | |
296 | } | |
297 | ||
298 | static void | |
299 | add_chassis_queue(struct hmap *set, struct uuid *chassis_uuid, | |
300 | uint32_t queue_id) | |
301 | { | |
302 | struct ovn_chassis_qdisc_queues *node = xmalloc(sizeof *node); | |
303 | node->queue_id = queue_id; | |
304 | memcpy(&node->chassis_uuid, chassis_uuid, sizeof node->chassis_uuid); | |
305 | hmap_insert(set, &node->key_node, uuid_hash(chassis_uuid)); | |
306 | } | |
307 | ||
308 | static bool | |
309 | chassis_queueid_in_use(const struct hmap *set, struct uuid *chassis_uuid, | |
310 | uint32_t queue_id) | |
311 | { | |
312 | const struct ovn_chassis_qdisc_queues *node; | |
313 | HMAP_FOR_EACH_WITH_HASH (node, key_node, uuid_hash(chassis_uuid), set) { | |
314 | if (uuid_equals(chassis_uuid, &node->chassis_uuid) | |
315 | && node->queue_id == queue_id) { | |
316 | return true; | |
317 | } | |
318 | } | |
319 | return false; | |
320 | } | |
321 | ||
322 | static uint32_t | |
323 | allocate_chassis_queueid(struct hmap *set, struct sbrec_chassis *chassis) | |
324 | { | |
325 | for (uint32_t queue_id = QDISC_MIN_QUEUE_ID + 1; | |
326 | queue_id <= QDISC_MAX_QUEUE_ID; | |
327 | queue_id++) { | |
328 | if (!chassis_queueid_in_use(set, &chassis->header_.uuid, queue_id)) { | |
329 | add_chassis_queue(set, &chassis->header_.uuid, queue_id); | |
330 | return queue_id; | |
331 | } | |
332 | } | |
333 | ||
334 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
335 | VLOG_WARN_RL(&rl, "all %s queue ids exhausted", chassis->name); | |
336 | return 0; | |
337 | } | |
338 | ||
339 | static void | |
340 | free_chassis_queueid(struct hmap *set, struct sbrec_chassis *chassis, | |
341 | uint32_t queue_id) | |
342 | { | |
343 | struct ovn_chassis_qdisc_queues *node; | |
344 | HMAP_FOR_EACH_WITH_HASH (node, key_node, | |
345 | uuid_hash(&chassis->header_.uuid), | |
346 | set) { | |
347 | if (uuid_equals(&chassis->header_.uuid, &node->chassis_uuid) | |
348 | && node->queue_id == queue_id) { | |
349 | hmap_remove(set, &node->key_node); | |
350 | break; | |
351 | } | |
352 | } | |
353 | } | |
354 | ||
355 | static inline bool | |
356 | port_has_qos_params(const struct smap *opts) | |
357 | { | |
358 | return (smap_get(opts, "qos_max_rate") || | |
359 | smap_get(opts, "qos_burst")); | |
360 | } | |
361 | \f | |
9975d7be BP |
362 | /* The 'key' comes from nbs->header_.uuid or nbr->header_.uuid or |
363 | * sb->external_ids:logical-switch. */ | |
5868eb24 BP |
364 | struct ovn_datapath { |
365 | struct hmap_node key_node; /* Index on 'key'. */ | |
9975d7be | 366 | struct uuid key; /* (nbs/nbr)->header_.uuid. */ |
4edcdcf4 | 367 | |
9975d7be BP |
368 | const struct nbrec_logical_switch *nbs; /* May be NULL. */ |
369 | const struct nbrec_logical_router *nbr; /* May be NULL. */ | |
5868eb24 | 370 | const struct sbrec_datapath_binding *sb; /* May be NULL. */ |
4edcdcf4 | 371 | |
5868eb24 | 372 | struct ovs_list list; /* In list of similar records. */ |
4edcdcf4 | 373 | |
9975d7be | 374 | /* Logical switch data. */ |
86e98048 BP |
375 | struct ovn_port **router_ports; |
376 | size_t n_router_ports; | |
9975d7be | 377 | |
5868eb24 BP |
378 | struct hmap port_tnlids; |
379 | uint32_t port_key_hint; | |
380 | ||
381 | bool has_unknown; | |
8639f9be ND |
382 | |
383 | /* IPAM data. */ | |
384 | struct hmap ipam; | |
385 | }; | |
386 | ||
387 | struct macam_node { | |
388 | struct hmap_node hmap_node; | |
389 | struct eth_addr mac_addr; /* Allocated MAC address. */ | |
5868eb24 BP |
390 | }; |
391 | ||
8639f9be ND |
392 | static void |
393 | cleanup_macam(struct hmap *macam) | |
394 | { | |
395 | struct macam_node *node; | |
396 | HMAP_FOR_EACH_POP (node, hmap_node, macam) { | |
397 | free(node); | |
398 | } | |
399 | } | |
400 | ||
401 | struct ipam_node { | |
402 | struct hmap_node hmap_node; | |
403 | uint32_t ip_addr; /* Allocated IP address. */ | |
404 | }; | |
405 | ||
406 | static void | |
407 | destroy_ipam(struct hmap *ipam) | |
408 | { | |
409 | struct ipam_node *node; | |
410 | HMAP_FOR_EACH_POP (node, hmap_node, ipam) { | |
411 | free(node); | |
412 | } | |
413 | hmap_destroy(ipam); | |
414 | } | |
415 | ||
5868eb24 BP |
416 | static struct ovn_datapath * |
417 | ovn_datapath_create(struct hmap *datapaths, const struct uuid *key, | |
9975d7be BP |
418 | const struct nbrec_logical_switch *nbs, |
419 | const struct nbrec_logical_router *nbr, | |
5868eb24 BP |
420 | const struct sbrec_datapath_binding *sb) |
421 | { | |
422 | struct ovn_datapath *od = xzalloc(sizeof *od); | |
423 | od->key = *key; | |
424 | od->sb = sb; | |
9975d7be BP |
425 | od->nbs = nbs; |
426 | od->nbr = nbr; | |
5868eb24 | 427 | hmap_init(&od->port_tnlids); |
8639f9be | 428 | hmap_init(&od->ipam); |
5868eb24 BP |
429 | od->port_key_hint = 0; |
430 | hmap_insert(datapaths, &od->key_node, uuid_hash(&od->key)); | |
431 | return od; | |
432 | } | |
433 | ||
434 | static void | |
435 | ovn_datapath_destroy(struct hmap *datapaths, struct ovn_datapath *od) | |
436 | { | |
437 | if (od) { | |
438 | /* Don't remove od->list. It is used within build_datapaths() as a | |
439 | * private list and once we've exited that function it is not safe to | |
440 | * use it. */ | |
441 | hmap_remove(datapaths, &od->key_node); | |
442 | destroy_tnlids(&od->port_tnlids); | |
8639f9be | 443 | destroy_ipam(&od->ipam); |
86e98048 | 444 | free(od->router_ports); |
5868eb24 BP |
445 | free(od); |
446 | } | |
447 | } | |
448 | ||
9a9961d2 BP |
449 | /* Returns 'od''s datapath type. */ |
450 | static enum ovn_datapath_type | |
451 | ovn_datapath_get_type(const struct ovn_datapath *od) | |
452 | { | |
453 | return od->nbs ? DP_SWITCH : DP_ROUTER; | |
454 | } | |
455 | ||
5868eb24 BP |
456 | static struct ovn_datapath * |
457 | ovn_datapath_find(struct hmap *datapaths, const struct uuid *uuid) | |
458 | { | |
459 | struct ovn_datapath *od; | |
460 | ||
461 | HMAP_FOR_EACH_WITH_HASH (od, key_node, uuid_hash(uuid), datapaths) { | |
462 | if (uuid_equals(uuid, &od->key)) { | |
463 | return od; | |
464 | } | |
465 | } | |
466 | return NULL; | |
467 | } | |
468 | ||
469 | static struct ovn_datapath * | |
470 | ovn_datapath_from_sbrec(struct hmap *datapaths, | |
471 | const struct sbrec_datapath_binding *sb) | |
472 | { | |
473 | struct uuid key; | |
474 | ||
9975d7be BP |
475 | if (!smap_get_uuid(&sb->external_ids, "logical-switch", &key) && |
476 | !smap_get_uuid(&sb->external_ids, "logical-router", &key)) { | |
5868eb24 BP |
477 | return NULL; |
478 | } | |
479 | return ovn_datapath_find(datapaths, &key); | |
480 | } | |
481 | ||
5412db30 J |
482 | static bool |
483 | lrouter_is_enabled(const struct nbrec_logical_router *lrouter) | |
484 | { | |
485 | return !lrouter->enabled || *lrouter->enabled; | |
486 | } | |
487 | ||
5868eb24 BP |
488 | static void |
489 | join_datapaths(struct northd_context *ctx, struct hmap *datapaths, | |
490 | struct ovs_list *sb_only, struct ovs_list *nb_only, | |
491 | struct ovs_list *both) | |
492 | { | |
493 | hmap_init(datapaths); | |
417e7e66 BW |
494 | ovs_list_init(sb_only); |
495 | ovs_list_init(nb_only); | |
496 | ovs_list_init(both); | |
5868eb24 BP |
497 | |
498 | const struct sbrec_datapath_binding *sb, *sb_next; | |
499 | SBREC_DATAPATH_BINDING_FOR_EACH_SAFE (sb, sb_next, ctx->ovnsb_idl) { | |
500 | struct uuid key; | |
9975d7be BP |
501 | if (!smap_get_uuid(&sb->external_ids, "logical-switch", &key) && |
502 | !smap_get_uuid(&sb->external_ids, "logical-router", &key)) { | |
503 | ovsdb_idl_txn_add_comment( | |
504 | ctx->ovnsb_txn, | |
505 | "deleting Datapath_Binding "UUID_FMT" that lacks " | |
506 | "external-ids:logical-switch and " | |
507 | "external-ids:logical-router", | |
508 | UUID_ARGS(&sb->header_.uuid)); | |
5868eb24 BP |
509 | sbrec_datapath_binding_delete(sb); |
510 | continue; | |
511 | } | |
512 | ||
513 | if (ovn_datapath_find(datapaths, &key)) { | |
514 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
9975d7be BP |
515 | VLOG_INFO_RL( |
516 | &rl, "deleting Datapath_Binding "UUID_FMT" with " | |
517 | "duplicate external-ids:logical-switch/router "UUID_FMT, | |
518 | UUID_ARGS(&sb->header_.uuid), UUID_ARGS(&key)); | |
5868eb24 BP |
519 | sbrec_datapath_binding_delete(sb); |
520 | continue; | |
521 | } | |
522 | ||
523 | struct ovn_datapath *od = ovn_datapath_create(datapaths, &key, | |
9975d7be | 524 | NULL, NULL, sb); |
417e7e66 | 525 | ovs_list_push_back(sb_only, &od->list); |
5868eb24 BP |
526 | } |
527 | ||
9975d7be BP |
528 | const struct nbrec_logical_switch *nbs; |
529 | NBREC_LOGICAL_SWITCH_FOR_EACH (nbs, ctx->ovnnb_idl) { | |
5868eb24 | 530 | struct ovn_datapath *od = ovn_datapath_find(datapaths, |
9975d7be | 531 | &nbs->header_.uuid); |
5868eb24 | 532 | if (od) { |
9975d7be | 533 | od->nbs = nbs; |
417e7e66 BW |
534 | ovs_list_remove(&od->list); |
535 | ovs_list_push_back(both, &od->list); | |
5868eb24 | 536 | } else { |
9975d7be BP |
537 | od = ovn_datapath_create(datapaths, &nbs->header_.uuid, |
538 | nbs, NULL, NULL); | |
417e7e66 | 539 | ovs_list_push_back(nb_only, &od->list); |
5868eb24 BP |
540 | } |
541 | } | |
9975d7be BP |
542 | |
543 | const struct nbrec_logical_router *nbr; | |
544 | NBREC_LOGICAL_ROUTER_FOR_EACH (nbr, ctx->ovnnb_idl) { | |
5412db30 J |
545 | if (!lrouter_is_enabled(nbr)) { |
546 | continue; | |
547 | } | |
548 | ||
9975d7be BP |
549 | struct ovn_datapath *od = ovn_datapath_find(datapaths, |
550 | &nbr->header_.uuid); | |
551 | if (od) { | |
552 | if (!od->nbs) { | |
553 | od->nbr = nbr; | |
417e7e66 BW |
554 | ovs_list_remove(&od->list); |
555 | ovs_list_push_back(both, &od->list); | |
9975d7be BP |
556 | } else { |
557 | /* Can't happen! */ | |
558 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
559 | VLOG_WARN_RL(&rl, | |
560 | "duplicate UUID "UUID_FMT" in OVN_Northbound", | |
561 | UUID_ARGS(&nbr->header_.uuid)); | |
562 | continue; | |
563 | } | |
564 | } else { | |
565 | od = ovn_datapath_create(datapaths, &nbr->header_.uuid, | |
566 | NULL, nbr, NULL); | |
417e7e66 | 567 | ovs_list_push_back(nb_only, &od->list); |
9975d7be | 568 | } |
9975d7be | 569 | } |
5868eb24 BP |
570 | } |
571 | ||
572 | static uint32_t | |
573 | ovn_datapath_allocate_key(struct hmap *dp_tnlids) | |
574 | { | |
575 | static uint32_t hint; | |
576 | return allocate_tnlid(dp_tnlids, "datapath", (1u << 24) - 1, &hint); | |
577 | } | |
578 | ||
0bac7164 BP |
579 | /* Updates the southbound Datapath_Binding table so that it contains the |
580 | * logical switches and routers specified by the northbound database. | |
581 | * | |
582 | * Initializes 'datapaths' to contain a "struct ovn_datapath" for every logical | |
583 | * switch and router. */ | |
5868eb24 BP |
584 | static void |
585 | build_datapaths(struct northd_context *ctx, struct hmap *datapaths) | |
586 | { | |
587 | struct ovs_list sb_only, nb_only, both; | |
588 | ||
589 | join_datapaths(ctx, datapaths, &sb_only, &nb_only, &both); | |
590 | ||
417e7e66 | 591 | if (!ovs_list_is_empty(&nb_only)) { |
5868eb24 BP |
592 | /* First index the in-use datapath tunnel IDs. */ |
593 | struct hmap dp_tnlids = HMAP_INITIALIZER(&dp_tnlids); | |
594 | struct ovn_datapath *od; | |
595 | LIST_FOR_EACH (od, list, &both) { | |
596 | add_tnlid(&dp_tnlids, od->sb->tunnel_key); | |
597 | } | |
598 | ||
599 | /* Add southbound record for each unmatched northbound record. */ | |
600 | LIST_FOR_EACH (od, list, &nb_only) { | |
601 | uint16_t tunnel_key = ovn_datapath_allocate_key(&dp_tnlids); | |
602 | if (!tunnel_key) { | |
603 | break; | |
604 | } | |
605 | ||
606 | od->sb = sbrec_datapath_binding_insert(ctx->ovnsb_txn); | |
607 | ||
0f8e9c12 BP |
608 | /* Get the logical-switch or logical-router UUID to set in |
609 | * external-ids. */ | |
5868eb24 | 610 | char uuid_s[UUID_LEN + 1]; |
9975d7be BP |
611 | sprintf(uuid_s, UUID_FMT, UUID_ARGS(&od->key)); |
612 | const char *key = od->nbs ? "logical-switch" : "logical-router"; | |
0f8e9c12 BP |
613 | |
614 | /* Get name to set in external-ids. */ | |
615 | const char *name = od->nbs ? od->nbs->name : od->nbr->name; | |
616 | ||
617 | /* Set external-ids. */ | |
618 | struct smap ids = SMAP_INITIALIZER(&ids); | |
619 | smap_add(&ids, key, uuid_s); | |
620 | if (*name) { | |
621 | smap_add(&ids, "name", name); | |
622 | } | |
623 | sbrec_datapath_binding_set_external_ids(od->sb, &ids); | |
624 | smap_destroy(&ids); | |
5868eb24 BP |
625 | |
626 | sbrec_datapath_binding_set_tunnel_key(od->sb, tunnel_key); | |
627 | } | |
628 | destroy_tnlids(&dp_tnlids); | |
629 | } | |
630 | ||
631 | /* Delete southbound records without northbound matches. */ | |
632 | struct ovn_datapath *od, *next; | |
633 | LIST_FOR_EACH_SAFE (od, next, list, &sb_only) { | |
417e7e66 | 634 | ovs_list_remove(&od->list); |
5868eb24 BP |
635 | sbrec_datapath_binding_delete(od->sb); |
636 | ovn_datapath_destroy(datapaths, od); | |
637 | } | |
638 | } | |
639 | \f | |
640 | struct ovn_port { | |
641 | struct hmap_node key_node; /* Index on 'key'. */ | |
9975d7be BP |
642 | char *key; /* nbs->name, nbr->name, sb->logical_port. */ |
643 | char *json_key; /* 'key', quoted for use in JSON. */ | |
5868eb24 | 644 | |
9975d7be BP |
645 | const struct sbrec_port_binding *sb; /* May be NULL. */ |
646 | ||
e93b43d6 | 647 | /* Logical switch port data. */ |
0ee00741 | 648 | const struct nbrec_logical_switch_port *nbsp; /* May be NULL. */ |
e93b43d6 JP |
649 | |
650 | struct lport_addresses *lsp_addrs; /* Logical switch port addresses. */ | |
651 | unsigned int n_lsp_addrs; | |
652 | ||
653 | struct lport_addresses *ps_addrs; /* Port security addresses. */ | |
654 | unsigned int n_ps_addrs; | |
655 | ||
9975d7be | 656 | /* Logical router port data. */ |
0ee00741 | 657 | const struct nbrec_logical_router_port *nbrp; /* May be NULL. */ |
e93b43d6 | 658 | |
4685e523 | 659 | struct lport_addresses lrp_networks; |
c9bdf7bd | 660 | |
ad386c3f BP |
661 | /* The port's peer: |
662 | * | |
663 | * - A switch port S of type "router" has a router port R as a peer, | |
664 | * and R in turn has S has its peer. | |
665 | * | |
666 | * - Two connected logical router ports have each other as peer. */ | |
9975d7be | 667 | struct ovn_port *peer; |
5868eb24 BP |
668 | |
669 | struct ovn_datapath *od; | |
670 | ||
671 | struct ovs_list list; /* In list of similar records. */ | |
672 | }; | |
673 | ||
674 | static struct ovn_port * | |
675 | ovn_port_create(struct hmap *ports, const char *key, | |
0ee00741 HK |
676 | const struct nbrec_logical_switch_port *nbsp, |
677 | const struct nbrec_logical_router_port *nbrp, | |
5868eb24 BP |
678 | const struct sbrec_port_binding *sb) |
679 | { | |
680 | struct ovn_port *op = xzalloc(sizeof *op); | |
9975d7be BP |
681 | |
682 | struct ds json_key = DS_EMPTY_INITIALIZER; | |
683 | json_string_escape(key, &json_key); | |
684 | op->json_key = ds_steal_cstr(&json_key); | |
685 | ||
686 | op->key = xstrdup(key); | |
5868eb24 | 687 | op->sb = sb; |
0ee00741 HK |
688 | op->nbsp = nbsp; |
689 | op->nbrp = nbrp; | |
5868eb24 BP |
690 | hmap_insert(ports, &op->key_node, hash_string(op->key, 0)); |
691 | return op; | |
692 | } | |
693 | ||
694 | static void | |
695 | ovn_port_destroy(struct hmap *ports, struct ovn_port *port) | |
696 | { | |
697 | if (port) { | |
698 | /* Don't remove port->list. It is used within build_ports() as a | |
699 | * private list and once we've exited that function it is not safe to | |
700 | * use it. */ | |
701 | hmap_remove(ports, &port->key_node); | |
e93b43d6 JP |
702 | |
703 | for (int i = 0; i < port->n_lsp_addrs; i++) { | |
704 | destroy_lport_addresses(&port->lsp_addrs[i]); | |
705 | } | |
706 | free(port->lsp_addrs); | |
707 | ||
708 | for (int i = 0; i < port->n_ps_addrs; i++) { | |
709 | destroy_lport_addresses(&port->ps_addrs[i]); | |
710 | } | |
711 | free(port->ps_addrs); | |
712 | ||
4685e523 | 713 | destroy_lport_addresses(&port->lrp_networks); |
9975d7be BP |
714 | free(port->json_key); |
715 | free(port->key); | |
5868eb24 BP |
716 | free(port); |
717 | } | |
718 | } | |
719 | ||
720 | static struct ovn_port * | |
721 | ovn_port_find(struct hmap *ports, const char *name) | |
722 | { | |
723 | struct ovn_port *op; | |
724 | ||
725 | HMAP_FOR_EACH_WITH_HASH (op, key_node, hash_string(name, 0), ports) { | |
726 | if (!strcmp(op->key, name)) { | |
727 | return op; | |
728 | } | |
729 | } | |
730 | return NULL; | |
731 | } | |
732 | ||
733 | static uint32_t | |
734 | ovn_port_allocate_key(struct ovn_datapath *od) | |
735 | { | |
736 | return allocate_tnlid(&od->port_tnlids, "port", | |
737 | (1u << 15) - 1, &od->port_key_hint); | |
738 | } | |
739 | ||
8639f9be ND |
740 | static bool |
741 | ipam_is_duplicate_mac(struct eth_addr *ea, uint64_t mac64, bool warn) | |
742 | { | |
743 | struct macam_node *macam_node; | |
744 | HMAP_FOR_EACH_WITH_HASH (macam_node, hmap_node, hash_uint64(mac64), | |
745 | &macam) { | |
746 | if (eth_addr_equals(*ea, macam_node->mac_addr)) { | |
747 | if (warn) { | |
748 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
749 | VLOG_WARN_RL(&rl, "Duplicate MAC set: "ETH_ADDR_FMT, | |
750 | ETH_ADDR_ARGS(macam_node->mac_addr)); | |
751 | } | |
752 | return true; | |
753 | } | |
754 | } | |
755 | return false; | |
756 | } | |
757 | ||
758 | static bool | |
759 | ipam_is_duplicate_ip(struct ovn_datapath *od, uint32_t ip, bool warn) | |
760 | { | |
761 | struct ipam_node *ipam_node; | |
762 | HMAP_FOR_EACH_WITH_HASH (ipam_node, hmap_node, hash_int(ip, 0), | |
763 | &od->ipam) { | |
764 | if (ipam_node->ip_addr == ip) { | |
765 | if (warn) { | |
766 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
767 | VLOG_WARN_RL(&rl, "Duplicate IP set: "IP_FMT, | |
768 | IP_ARGS(htonl(ip))); | |
769 | } | |
770 | return true; | |
771 | } | |
772 | } | |
773 | return false; | |
774 | } | |
775 | ||
776 | static void | |
777 | ipam_insert_mac(struct eth_addr *ea, bool check) | |
778 | { | |
779 | if (!ea) { | |
780 | return; | |
781 | } | |
782 | ||
783 | uint64_t mac64 = eth_addr_to_uint64(*ea); | |
784 | /* If the new MAC was not assigned by this address management system or | |
785 | * check is true and the new MAC is a duplicate, do not insert it into the | |
786 | * macam hmap. */ | |
787 | if (((mac64 ^ MAC_ADDR_PREFIX) >> 24) | |
788 | || (check && ipam_is_duplicate_mac(ea, mac64, true))) { | |
789 | return; | |
790 | } | |
791 | ||
792 | struct macam_node *new_macam_node = xmalloc(sizeof *new_macam_node); | |
793 | new_macam_node->mac_addr = *ea; | |
794 | hmap_insert(&macam, &new_macam_node->hmap_node, hash_uint64(mac64)); | |
795 | } | |
796 | ||
797 | static void | |
798 | ipam_insert_ip(struct ovn_datapath *od, uint32_t ip, bool check) | |
799 | { | |
800 | if (!od) { | |
801 | return; | |
802 | } | |
803 | ||
804 | if (check && ipam_is_duplicate_ip(od, ip, true)) { | |
805 | return; | |
806 | } | |
807 | ||
808 | struct ipam_node *new_ipam_node = xmalloc(sizeof *new_ipam_node); | |
809 | new_ipam_node->ip_addr = ip; | |
810 | hmap_insert(&od->ipam, &new_ipam_node->hmap_node, hash_int(ip, 0)); | |
811 | } | |
812 | ||
/* Parses a logical switch port 'address' string ("MAC [IP...]") and seeds
 * the address-management maps with it: the MAC always goes into the macam;
 * the IPv4 addresses go into 'od''s IPAM only when the switch has
 * other_config:subnet set.  "unknown" and dynamic address specs are
 * skipped — dynamic ones are handled by build_ipam(). */
static void
ipam_insert_lsp_addresses(struct ovn_datapath *od, struct ovn_port *op,
                          char *address)
{
    if (!od || !op || !address || !strcmp(address, "unknown")
        || is_dynamic_lsp_address(address)) {
        return;
    }

    struct lport_addresses laddrs;
    if (!extract_lsp_addresses(address, &laddrs)) {
        static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
        VLOG_WARN_RL(&rl, "Extract addresses failed.");
        return;
    }
    ipam_insert_mac(&laddrs.ea, true);

    /* IP is only added to IPAM if the switch's subnet option
     * is set, whereas MAC is always added to MACAM. */
    if (!smap_get(&od->nbs->other_config, "subnet")) {
        destroy_lport_addresses(&laddrs);
        return;
    }

    for (size_t j = 0; j < laddrs.n_ipv4_addrs; j++) {
        uint32_t ip = ntohl(laddrs.ipv4_addrs[j].addr);
        ipam_insert_ip(od, ip, true);
    }

    destroy_lport_addresses(&laddrs);
}
844 | ||
/* Seeds the MACAM/IPAM with every address already configured on 'op'.
 * For a switch port: all entries of its addresses column plus any
 * dynamic_addresses.  For a router port: its MAC always; its IPv4 networks
 * only when its peer switch does dynamic addressing (other_config:subnet
 * set), in which case they are charged to the peer's datapath. */
static void
ipam_add_port_addresses(struct ovn_datapath *od, struct ovn_port *op)
{
    if (!od || !op) {
        return;
    }

    if (op->nbsp) {
        /* Add all the port's addresses to address data structures. */
        for (size_t i = 0; i < op->nbsp->n_addresses; i++) {
            ipam_insert_lsp_addresses(od, op, op->nbsp->addresses[i]);
        }
        if (op->nbsp->dynamic_addresses) {
            ipam_insert_lsp_addresses(od, op, op->nbsp->dynamic_addresses);
        }
    } else if (op->nbrp) {
        struct lport_addresses lrp_networks;
        if (!extract_lrp_networks(op->nbrp, &lrp_networks)) {
            static struct vlog_rate_limit rl
                = VLOG_RATE_LIMIT_INIT(1, 1);
            VLOG_WARN_RL(&rl, "Extract addresses failed.");
            return;
        }
        ipam_insert_mac(&lrp_networks.ea, true);

        /* Router port IPs are tracked against the peer switch's subnet,
         * so only record them when a fully connected peer switch with
         * other_config:subnet exists. */
        if (!op->peer || !op->peer->nbsp || !op->peer->od || !op->peer->od->nbs
            || !smap_get(&op->peer->od->nbs->other_config, "subnet")) {
            destroy_lport_addresses(&lrp_networks);
            return;
        }

        for (size_t i = 0; i < lrp_networks.n_ipv4_addrs; i++) {
            uint32_t ip = ntohl(lrp_networks.ipv4_addrs[i].addr);
            ipam_insert_ip(op->peer->od, ip, true);
        }

        destroy_lport_addresses(&lrp_networks);
    }
}
884 | ||
885 | static uint64_t | |
886 | ipam_get_unused_mac(void) | |
887 | { | |
888 | /* Stores the suffix of the most recently ipam-allocated MAC address. */ | |
889 | static uint32_t last_mac; | |
890 | ||
891 | uint64_t mac64; | |
892 | struct eth_addr mac; | |
893 | uint32_t mac_addr_suffix, i; | |
894 | for (i = 0; i < MAC_ADDR_SPACE - 1; i++) { | |
895 | /* The tentative MAC's suffix will be in the interval (1, 0xfffffe). */ | |
896 | mac_addr_suffix = ((last_mac + i) % (MAC_ADDR_SPACE - 1)) + 1; | |
897 | mac64 = MAC_ADDR_PREFIX | mac_addr_suffix; | |
898 | eth_addr_from_uint64(mac64, &mac); | |
899 | if (!ipam_is_duplicate_mac(&mac, mac64, false)) { | |
900 | last_mac = mac_addr_suffix; | |
901 | break; | |
902 | } | |
903 | } | |
904 | ||
905 | if (i == MAC_ADDR_SPACE) { | |
906 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
907 | VLOG_WARN_RL(&rl, "MAC address space exhausted."); | |
908 | mac64 = 0; | |
909 | } | |
910 | ||
911 | return mac64; | |
912 | } | |
913 | ||
914 | static uint32_t | |
915 | ipam_get_unused_ip(struct ovn_datapath *od, uint32_t subnet, uint32_t mask) | |
916 | { | |
917 | if (!od) { | |
918 | return 0; | |
919 | } | |
920 | ||
921 | uint32_t ip = 0; | |
922 | ||
923 | /* Find an unused IP address in subnet. x.x.x.1 is reserved for a | |
924 | * logical router port. */ | |
925 | for (uint32_t i = 2; i < ~mask; i++) { | |
926 | uint32_t tentative_ip = subnet + i; | |
927 | if (!ipam_is_duplicate_ip(od, tentative_ip, false)) { | |
928 | ip = tentative_ip; | |
929 | break; | |
930 | } | |
931 | } | |
932 | ||
933 | if (!ip) { | |
934 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
935 | VLOG_WARN_RL( &rl, "Subnet address space has been exhausted."); | |
936 | } | |
937 | ||
938 | return ip; | |
939 | } | |
940 | ||
/* Allocates a dynamic MAC/IPv4 pair for switch port 'op' out of
 * 'subnet'/'mask' and writes "MAC IP" into the port's dynamic_addresses
 * column.  'addrspec' may pin the MAC as "xx:xx:xx:xx:xx:xx dynamic", in
 * which case only the IP is allocated.  Returns true on success. */
static bool
ipam_allocate_addresses(struct ovn_datapath *od, struct ovn_port *op,
                        const char *addrspec, ovs_be32 subnet, ovs_be32 mask)
{
    if (!od || !op || !op->nbsp) {
        return false;
    }

    uint32_t ip = ipam_get_unused_ip(od, ntohl(subnet), ntohl(mask));
    if (!ip) {
        return false;
    }

    struct eth_addr mac;
    bool check_mac;
    int n = 0;

    /* "MAC dynamic": user supplied the MAC, so it must be checked for
     * duplicates before insertion; a freshly allocated MAC need not be. */
    if (ovs_scan(addrspec, ETH_ADDR_SCAN_FMT" dynamic%n",
                 ETH_ADDR_SCAN_ARGS(mac), &n)
        && addrspec[n] == '\0') {
        check_mac = true;
    } else {
        uint64_t mac64 = ipam_get_unused_mac();
        if (!mac64) {
            return false;
        }
        eth_addr_from_uint64(mac64, &mac);
        check_mac = false;
    }

    /* Add MAC/IP to MACAM/IPAM hmaps if both addresses were allocated
     * successfully. */
    ipam_insert_ip(od, ip, false);
    ipam_insert_mac(&mac, check_mac);

    char *new_addr = xasprintf(ETH_ADDR_FMT" "IP_FMT,
                               ETH_ADDR_ARGS(mac), IP_ARGS(htonl(ip)));
    nbrec_logical_switch_port_set_dynamic_addresses(op->nbsp, new_addr);
    free(new_addr);

    return true;
}
983 | ||
/* Walks every northbound logical switch and allocates dynamic addresses
 * for ports that requested them. */
static void
build_ipam(struct hmap *datapaths, struct hmap *ports)
{
    /* IPAM generally stands for IP address management. In non-virtualized
     * world, MAC addresses come with the hardware. But, with virtualized
     * workloads, they need to be assigned and managed. This function
     * does both IP address management (ipam) and MAC address management
     * (macam). */

    /* If the switch's other_config:subnet is set, allocate new addresses for
     * ports that have the "dynamic" keyword in their addresses column. */
    struct ovn_datapath *od;
    HMAP_FOR_EACH (od, key_node, datapaths) {
        if (od->nbs) {
            const char *subnet_str = smap_get(&od->nbs->other_config,
                                              "subnet");
            if (!subnet_str) {
                continue;
            }

            /* Reject unparsable subnets, /32 masks, and non-CIDR masks. */
            ovs_be32 subnet, mask;
            char *error = ip_parse_masked(subnet_str, &subnet, &mask);
            if (error || mask == OVS_BE32_MAX || !ip_is_cidr(mask)) {
                static struct vlog_rate_limit rl
                    = VLOG_RATE_LIMIT_INIT(5, 1);
                VLOG_WARN_RL(&rl, "bad 'subnet' %s", subnet_str);
                free(error);
                continue;
            }

            struct ovn_port *op;
            for (size_t i = 0; i < od->nbs->n_ports; i++) {
                const struct nbrec_logical_switch_port *nbsp =
                    od->nbs->ports[i];

                if (!nbsp) {
                    continue;
                }

                op = ovn_port_find(ports, nbsp->name);
                if (!op || (op->nbsp && op->peer)) {
                    /* Do not allocate addresses for logical switch ports that
                     * have a peer. */
                    continue;
                }

                /* At most one dynamic entry per port: allocate, then parse
                 * the resulting dynamic_addresses into op->lsp_addrs. */
                for (size_t j = 0; j < nbsp->n_addresses; j++) {
                    if (is_dynamic_lsp_address(nbsp->addresses[j])
                        && !nbsp->dynamic_addresses) {
                        if (!ipam_allocate_addresses(od, op,
                                         nbsp->addresses[j], subnet, mask)
                            || !extract_lsp_addresses(nbsp->dynamic_addresses,
                                         &op->lsp_addrs[op->n_lsp_addrs])) {
                            static struct vlog_rate_limit rl
                                = VLOG_RATE_LIMIT_INIT(1, 1);
                            VLOG_INFO_RL(&rl, "Failed to allocate address.");
                        } else {
                            op->n_lsp_addrs++;
                        }
                        break;
                    }
                }
            }
        }
    }
}
1050 | \f | |
b511690b GS |
/* Tag allocation for nested containers.
 *
 * For a logical switch port with 'parent_name' and a request to allocate tags,
 * keeps a track of all allocated tags. */
struct tag_alloc_node {
    struct hmap_node hmap_node;     /* In a tag_alloc_table, hashed on
                                     * 'parent_name'. */
    char *parent_name;              /* Owned copy of the parent port name. */
    unsigned long *allocated_tags;  /* A bitmap to track allocated tags. */
};
1060 | ||
1061 | static void | |
1062 | tag_alloc_destroy(struct hmap *tag_alloc_table) | |
1063 | { | |
1064 | struct tag_alloc_node *node; | |
1065 | HMAP_FOR_EACH_POP (node, hmap_node, tag_alloc_table) { | |
1066 | bitmap_free(node->allocated_tags); | |
1067 | free(node->parent_name); | |
1068 | free(node); | |
1069 | } | |
1070 | hmap_destroy(tag_alloc_table); | |
1071 | } | |
1072 | ||
1073 | static struct tag_alloc_node * | |
1074 | tag_alloc_get_node(struct hmap *tag_alloc_table, const char *parent_name) | |
1075 | { | |
1076 | /* If a node for the 'parent_name' exists, return it. */ | |
1077 | struct tag_alloc_node *tag_alloc_node; | |
1078 | HMAP_FOR_EACH_WITH_HASH (tag_alloc_node, hmap_node, | |
1079 | hash_string(parent_name, 0), | |
1080 | tag_alloc_table) { | |
1081 | if (!strcmp(tag_alloc_node->parent_name, parent_name)) { | |
1082 | return tag_alloc_node; | |
1083 | } | |
1084 | } | |
1085 | ||
1086 | /* Create a new node. */ | |
1087 | tag_alloc_node = xmalloc(sizeof *tag_alloc_node); | |
1088 | tag_alloc_node->parent_name = xstrdup(parent_name); | |
1089 | tag_alloc_node->allocated_tags = bitmap_allocate(MAX_OVN_TAGS); | |
1090 | /* Tag 0 is invalid for nested containers. */ | |
1091 | bitmap_set1(tag_alloc_node->allocated_tags, 0); | |
1092 | hmap_insert(tag_alloc_table, &tag_alloc_node->hmap_node, | |
1093 | hash_string(parent_name, 0)); | |
1094 | ||
1095 | return tag_alloc_node; | |
1096 | } | |
1097 | ||
1098 | static void | |
1099 | tag_alloc_add_existing_tags(struct hmap *tag_alloc_table, | |
1100 | const struct nbrec_logical_switch_port *nbsp) | |
1101 | { | |
1102 | /* Add the tags of already existing nested containers. If there is no | |
1103 | * 'nbsp->parent_name' or no 'nbsp->tag' set, there is nothing to do. */ | |
1104 | if (!nbsp->parent_name || !nbsp->parent_name[0] || !nbsp->tag) { | |
1105 | return; | |
1106 | } | |
1107 | ||
1108 | struct tag_alloc_node *tag_alloc_node; | |
1109 | tag_alloc_node = tag_alloc_get_node(tag_alloc_table, nbsp->parent_name); | |
1110 | bitmap_set1(tag_alloc_node->allocated_tags, *nbsp->tag); | |
1111 | } | |
1112 | ||
/* Satisfies 'nbsp''s tag_request: for a nested container requesting
 * allocation (tag_request == 0), picks the lowest free tag from the
 * parent's bitmap and writes it to the tag column; for an explicit nonzero
 * tag_request, simply copies it into the tag column. */
static void
tag_alloc_create_new_tag(struct hmap *tag_alloc_table,
                         const struct nbrec_logical_switch_port *nbsp)
{
    if (!nbsp->tag_request) {
        return;
    }

    if (nbsp->parent_name && nbsp->parent_name[0]
        && *nbsp->tag_request == 0) {
        /* For nested containers that need allocation, do the allocation. */

        if (nbsp->tag) {
            /* This has already been allocated. */
            return;
        }

        struct tag_alloc_node *tag_alloc_node;
        int64_t tag;
        tag_alloc_node = tag_alloc_get_node(tag_alloc_table,
                                            nbsp->parent_name);
        tag = bitmap_scan(tag_alloc_node->allocated_tags, 0, 1, MAX_OVN_TAGS);
        if (tag == MAX_OVN_TAGS) {
            static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
            VLOG_ERR_RL(&rl, "out of vlans for logical switch ports with "
                        "parent %s", nbsp->parent_name);
            return;
        }
        bitmap_set1(tag_alloc_node->allocated_tags, tag);
        nbrec_logical_switch_port_set_tag(nbsp, &tag, 1);
    } else if (*nbsp->tag_request != 0) {
        /* For everything else, copy the contents of 'tag_request' to 'tag'. */
        nbrec_logical_switch_port_set_tag(nbsp, nbsp->tag_request, 1);
    }
}
1148 | \f | |
8639f9be | 1149 | |
5868eb24 BP |
/* Joins southbound Port_Binding rows with northbound logical switch and
 * router ports into 'ports' (a map of struct ovn_port), classifying each
 * port into one of three lists: 'sb_only' (stale SB rows), 'nb_only' (new
 * NB ports with no SB row yet), and 'both'.  Also parses each port's
 * addresses, seeds IPAM/MACAM, records existing container tags, and links
 * switch ports of type "router" with their router-port peers. */
static void
join_logical_ports(struct northd_context *ctx,
                   struct hmap *datapaths, struct hmap *ports,
                   struct hmap *chassis_qdisc_queues,
                   struct hmap *tag_alloc_table, struct ovs_list *sb_only,
                   struct ovs_list *nb_only, struct ovs_list *both)
{
    hmap_init(ports);
    ovs_list_init(sb_only);
    ovs_list_init(nb_only);
    ovs_list_init(both);

    /* Start with every SB binding in 'sb_only'; matches found below are
     * moved to 'both'. */
    const struct sbrec_port_binding *sb;
    SBREC_PORT_BINDING_FOR_EACH (sb, ctx->ovnsb_idl) {
        struct ovn_port *op = ovn_port_create(ports, sb->logical_port,
                                              NULL, NULL, sb);
        ovs_list_push_back(sb_only, &op->list);
    }

    struct ovn_datapath *od;
    HMAP_FOR_EACH (od, key_node, datapaths) {
        if (od->nbs) {
            /* Logical switch: process its switch ports. */
            for (size_t i = 0; i < od->nbs->n_ports; i++) {
                const struct nbrec_logical_switch_port *nbsp
                    = od->nbs->ports[i];
                struct ovn_port *op = ovn_port_find(ports, nbsp->name);
                if (op) {
                    if (op->nbsp || op->nbrp) {
                        static struct vlog_rate_limit rl
                            = VLOG_RATE_LIMIT_INIT(5, 1);
                        VLOG_WARN_RL(&rl, "duplicate logical port %s",
                                     nbsp->name);
                        continue;
                    }
                    op->nbsp = nbsp;
                    ovs_list_remove(&op->list);

                    /* Remember any qdisc queue the SB row already holds so
                     * its id is not reallocated. */
                    uint32_t queue_id = smap_get_int(&op->sb->options,
                                                     "qdisc_queue_id", 0);
                    if (queue_id && op->sb->chassis) {
                        add_chassis_queue(
                            chassis_qdisc_queues,
                            &op->sb->chassis->header_.uuid,
                            queue_id);
                    }

                    ovs_list_push_back(both, &op->list);

                    /* This port exists due to a SB binding, but should
                     * not have been initialized fully. */
                    ovs_assert(!op->n_lsp_addrs && !op->n_ps_addrs);
                } else {
                    op = ovn_port_create(ports, nbsp->name, nbsp, NULL, NULL);
                    ovs_list_push_back(nb_only, &op->list);
                }

                /* Parse the addresses column; "unknown" entries are skipped
                 * and dynamic entries are taken from dynamic_addresses. */
                op->lsp_addrs
                    = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
                for (size_t j = 0; j < nbsp->n_addresses; j++) {
                    if (!strcmp(nbsp->addresses[j], "unknown")) {
                        continue;
                    }
                    if (is_dynamic_lsp_address(nbsp->addresses[j])) {
                        if (nbsp->dynamic_addresses) {
                            if (!extract_lsp_addresses(nbsp->dynamic_addresses,
                                            &op->lsp_addrs[op->n_lsp_addrs])) {
                                static struct vlog_rate_limit rl
                                    = VLOG_RATE_LIMIT_INIT(1, 1);
                                VLOG_INFO_RL(&rl, "invalid syntax '%s' in "
                                                  "logical switch port "
                                                  "dynamic_addresses. No "
                                                  "MAC address found",
                                             op->nbsp->dynamic_addresses);
                                continue;
                            }
                        } else {
                            /* Not yet allocated; build_ipam() handles it. */
                            continue;
                        }
                    } else if (!extract_lsp_addresses(nbsp->addresses[j],
                                           &op->lsp_addrs[op->n_lsp_addrs])) {
                        static struct vlog_rate_limit rl
                            = VLOG_RATE_LIMIT_INIT(1, 1);
                        VLOG_INFO_RL(&rl, "invalid syntax '%s' in logical "
                                          "switch port addresses. No MAC "
                                          "address found",
                                     op->nbsp->addresses[j]);
                        continue;
                    }
                    op->n_lsp_addrs++;
                }

                /* Parse the port_security column the same way. */
                op->ps_addrs
                    = xmalloc(sizeof *op->ps_addrs * nbsp->n_port_security);
                for (size_t j = 0; j < nbsp->n_port_security; j++) {
                    if (!extract_lsp_addresses(nbsp->port_security[j],
                                               &op->ps_addrs[op->n_ps_addrs])) {
                        static struct vlog_rate_limit rl
                            = VLOG_RATE_LIMIT_INIT(1, 1);
                        VLOG_INFO_RL(&rl, "invalid syntax '%s' in port "
                                          "security. No MAC address found",
                                     op->nbsp->port_security[j]);
                        continue;
                    }
                    op->n_ps_addrs++;
                }

                op->od = od;
                ipam_add_port_addresses(od, op);
                tag_alloc_add_existing_tags(tag_alloc_table, nbsp);
            }
        } else {
            /* Logical router: process its router ports. */
            for (size_t i = 0; i < od->nbr->n_ports; i++) {
                const struct nbrec_logical_router_port *nbrp
                    = od->nbr->ports[i];

                struct lport_addresses lrp_networks;
                if (!extract_lrp_networks(nbrp, &lrp_networks)) {
                    static struct vlog_rate_limit rl
                        = VLOG_RATE_LIMIT_INIT(5, 1);
                    VLOG_WARN_RL(&rl, "bad 'mac' %s", nbrp->mac);
                    continue;
                }

                /* A router port without any network is useless; skip it. */
                if (!lrp_networks.n_ipv4_addrs && !lrp_networks.n_ipv6_addrs) {
                    continue;
                }

                struct ovn_port *op = ovn_port_find(ports, nbrp->name);
                if (op) {
                    if (op->nbsp || op->nbrp) {
                        static struct vlog_rate_limit rl
                            = VLOG_RATE_LIMIT_INIT(5, 1);
                        VLOG_WARN_RL(&rl, "duplicate logical router port %s",
                                     nbrp->name);
                        continue;
                    }
                    op->nbrp = nbrp;
                    ovs_list_remove(&op->list);
                    ovs_list_push_back(both, &op->list);

                    /* This port exists but should not have been
                     * initialized fully. */
                    ovs_assert(!op->lrp_networks.n_ipv4_addrs
                               && !op->lrp_networks.n_ipv6_addrs);
                } else {
                    op = ovn_port_create(ports, nbrp->name, NULL, nbrp, NULL);
                    ovs_list_push_back(nb_only, &op->list);
                }

                op->lrp_networks = lrp_networks;
                op->od = od;
                ipam_add_port_addresses(op->od, op);
            }
        }
    }

    /* Connect logical router ports, and logical switch ports of type "router",
     * to their peers. */
    struct ovn_port *op;
    HMAP_FOR_EACH (op, key_node, ports) {
        if (op->nbsp && !strcmp(op->nbsp->type, "router")) {
            const char *peer_name = smap_get(&op->nbsp->options, "router-port");
            if (!peer_name) {
                continue;
            }

            struct ovn_port *peer = ovn_port_find(ports, peer_name);
            if (!peer || !peer->nbrp) {
                continue;
            }

            peer->peer = op;
            op->peer = peer;
            op->od->router_ports = xrealloc(
                op->od->router_ports,
                sizeof *op->od->router_ports * (op->od->n_router_ports + 1));
            op->od->router_ports[op->od->n_router_ports++] = op;
        } else if (op->nbrp && op->nbrp->peer) {
            struct ovn_port *peer = ovn_port_find(ports, op->nbrp->peer);
            if (peer) {
                if (peer->nbrp) {
                    op->peer = peer;
                } else if (peer->nbsp) {
                    /* An ovn_port for a switch port of type "router" does have
                     * a router port as its peer (see the case above for
                     * "router" ports), but this is set via options:router-port
                     * in Logical_Switch_Port and does not involve the
                     * Logical_Router_Port's 'peer' column. */
                    static struct vlog_rate_limit rl =
                        VLOG_RATE_LIMIT_INIT(5, 1);
                    VLOG_WARN_RL(&rl, "Bad configuration: The peer of router "
                                 "port %s is a switch port", op->key);
                }
            }
        }
    }
}
1346 | ||
/* Copies 'op''s northbound configuration into its southbound Port_Binding
 * row: datapath, type, options, parent_port, tag, and mac columns.  Also
 * manages per-chassis qdisc queue ids for switch ports with QoS options. */
static void
ovn_port_update_sbrec(const struct ovn_port *op,
                      struct hmap *chassis_qdisc_queues)
{
    sbrec_port_binding_set_datapath(op->sb, op->od->sb);
    if (op->nbrp) {
        /* If the router is for l3 gateway, it resides on a chassis
         * and its port type is "l3gateway". */
        const char *chassis = smap_get(&op->od->nbr->options, "chassis");
        if (chassis) {
            sbrec_port_binding_set_type(op->sb, "l3gateway");
        } else {
            sbrec_port_binding_set_type(op->sb, "patch");
        }

        const char *peer = op->peer ? op->peer->key : "<error>";
        struct smap new;
        smap_init(&new);
        smap_add(&new, "peer", peer);
        if (chassis) {
            smap_add(&new, "l3gateway-chassis", chassis);
        }
        sbrec_port_binding_set_options(op->sb, &new);
        smap_destroy(&new);

        /* Router ports carry no parent/tag/mac in the SB database. */
        sbrec_port_binding_set_parent_port(op->sb, NULL);
        sbrec_port_binding_set_tag(op->sb, NULL, 0);
        sbrec_port_binding_set_mac(op->sb, NULL, 0);
    } else {
        if (strcmp(op->nbsp->type, "router")) {
            /* Ordinary switch port: propagate NB options, allocating or
             * releasing a qdisc queue id as QoS options come and go. */
            uint32_t queue_id = smap_get_int(
                &op->sb->options, "qdisc_queue_id", 0);
            bool has_qos = port_has_qos_params(&op->nbsp->options);
            struct smap options;

            if (op->sb->chassis && has_qos && !queue_id) {
                queue_id = allocate_chassis_queueid(chassis_qdisc_queues,
                                                    op->sb->chassis);
            } else if (!has_qos && queue_id) {
                free_chassis_queueid(chassis_qdisc_queues,
                                     op->sb->chassis,
                                     queue_id);
                queue_id = 0;
            }

            smap_clone(&options, &op->nbsp->options);
            if (queue_id) {
                smap_add_format(&options,
                                "qdisc_queue_id", "%d", queue_id);
            }
            sbrec_port_binding_set_options(op->sb, &options);
            smap_destroy(&options);
            sbrec_port_binding_set_type(op->sb, op->nbsp->type);
        } else {
            const char *chassis = NULL;
            if (op->peer && op->peer->od && op->peer->od->nbr) {
                chassis = smap_get(&op->peer->od->nbr->options, "chassis");
            }

            /* A switch port connected to a gateway router is also of
             * type "l3gateway". */
            if (chassis) {
                sbrec_port_binding_set_type(op->sb, "l3gateway");
            } else {
                sbrec_port_binding_set_type(op->sb, "patch");
            }

            const char *router_port = smap_get_def(&op->nbsp->options,
                                                   "router-port", "<error>");
            struct smap new;
            smap_init(&new);
            smap_add(&new, "peer", router_port);
            if (chassis) {
                smap_add(&new, "l3gateway-chassis", chassis);
            }

            /* Pass through nat-addresses only if they parse cleanly. */
            const char *nat_addresses = smap_get(&op->nbsp->options,
                                                 "nat-addresses");
            if (nat_addresses) {
                struct lport_addresses laddrs;
                if (!extract_lsp_addresses(nat_addresses, &laddrs)) {
                    static struct vlog_rate_limit rl =
                        VLOG_RATE_LIMIT_INIT(1, 1);
                    VLOG_WARN_RL(&rl, "Error extracting nat-addresses.");
                } else {
                    smap_add(&new, "nat-addresses", nat_addresses);
                    destroy_lport_addresses(&laddrs);
                }
            }
            sbrec_port_binding_set_options(op->sb, &new);
            smap_destroy(&new);
        }
        sbrec_port_binding_set_parent_port(op->sb, op->nbsp->parent_name);
        sbrec_port_binding_set_tag(op->sb, op->nbsp->tag, op->nbsp->n_tag);
        sbrec_port_binding_set_mac(op->sb, (const char **) op->nbsp->addresses,
                                   op->nbsp->n_addresses);
    }
}
1445 | ||
6e31816f CSV |
1446 | /* Remove mac_binding entries that refer to logical_ports which are |
1447 | * deleted. */ | |
1448 | static void | |
1449 | cleanup_mac_bindings(struct northd_context *ctx, struct hmap *ports) | |
1450 | { | |
1451 | const struct sbrec_mac_binding *b, *n; | |
1452 | SBREC_MAC_BINDING_FOR_EACH_SAFE (b, n, ctx->ovnsb_idl) { | |
1453 | if (!ovn_port_find(ports, b->logical_port)) { | |
1454 | sbrec_mac_binding_delete(b); | |
1455 | } | |
1456 | } | |
1457 | } | |
1458 | ||
/* Updates the southbound Port_Binding table so that it contains the logical
 * switch ports specified by the northbound database.
 *
 * Initializes 'ports' to contain a "struct ovn_port" for every logical port,
 * using the "struct ovn_datapath"s in 'datapaths' to look up logical
 * datapaths. */
static void
build_ports(struct northd_context *ctx, struct hmap *datapaths,
            struct hmap *ports)
{
    struct ovs_list sb_only, nb_only, both;
    struct hmap tag_alloc_table = HMAP_INITIALIZER(&tag_alloc_table);
    struct hmap chassis_qdisc_queues = HMAP_INITIALIZER(&chassis_qdisc_queues);

    join_logical_ports(ctx, datapaths, ports, &chassis_qdisc_queues,
                       &tag_alloc_table, &sb_only, &nb_only, &both);

    struct ovn_port *op, *next;
    /* For logical ports that are in both databases, update the southbound
     * record based on northbound data. Also index the in-use tunnel_keys.
     * For logical ports that are in NB database, do any tag allocation
     * needed. */
    LIST_FOR_EACH_SAFE (op, next, list, &both) {
        if (op->nbsp) {
            tag_alloc_create_new_tag(&tag_alloc_table, op->nbsp);
        }
        ovn_port_update_sbrec(op, &chassis_qdisc_queues);

        add_tnlid(&op->od->port_tnlids, op->sb->tunnel_key);
        if (op->sb->tunnel_key > op->od->port_key_hint) {
            op->od->port_key_hint = op->sb->tunnel_key;
        }
    }

    /* Add southbound record for each unmatched northbound record. */
    LIST_FOR_EACH_SAFE (op, next, list, &nb_only) {
        uint16_t tunnel_key = ovn_port_allocate_key(op->od);
        if (!tunnel_key) {
            continue;
        }

        op->sb = sbrec_port_binding_insert(ctx->ovnsb_txn);
        ovn_port_update_sbrec(op, &chassis_qdisc_queues);

        sbrec_port_binding_set_logical_port(op->sb, op->key);
        sbrec_port_binding_set_tunnel_key(op->sb, tunnel_key);
    }

    /* If any SB-only ports are about to be deleted, their MAC bindings
     * must be garbage-collected afterwards. */
    bool remove_mac_bindings = false;
    if (!ovs_list_is_empty(&sb_only)) {
        remove_mac_bindings = true;
    }

    /* Delete southbound records without northbound matches. */
    LIST_FOR_EACH_SAFE(op, next, list, &sb_only) {
        ovs_list_remove(&op->list);
        sbrec_port_binding_delete(op->sb);
        ovn_port_destroy(ports, op);
    }
    if (remove_mac_bindings) {
        cleanup_mac_bindings(ctx, ports);
    }

    tag_alloc_destroy(&tag_alloc_table);
    destroy_chassis_queues(&chassis_qdisc_queues);
}
1525 | \f | |
/* Multicast group keys occupy the top of the tunnel key space. */
#define OVN_MIN_MULTICAST 32768
#define OVN_MAX_MULTICAST 65535

struct multicast_group {
    const char *name;
    uint16_t key;               /* OVN_MIN_MULTICAST...OVN_MAX_MULTICAST. */
};

/* Built-in flood group; uses the highest multicast key. */
#define MC_FLOOD "_MC_flood"
static const struct multicast_group mc_flood = { MC_FLOOD, 65535 };

/* Built-in group for ports with "unknown" addresses. */
#define MC_UNKNOWN "_MC_unknown"
static const struct multicast_group mc_unknown = { MC_UNKNOWN, 65534 };
1539 | ||
1540 | static bool | |
1541 | multicast_group_equal(const struct multicast_group *a, | |
1542 | const struct multicast_group *b) | |
1543 | { | |
1544 | return !strcmp(a->name, b->name) && a->key == b->key; | |
1545 | } | |
1546 | ||
/* Multicast group entry. */
struct ovn_multicast {
    struct hmap_node hmap_node; /* Index on 'datapath' and 'key'. */
    struct ovn_datapath *datapath;
    const struct multicast_group *group;

    struct ovn_port **ports;    /* Member ports (owned array). */
    size_t n_ports, allocated_ports;
};
1556 | ||
/* Hashes a (datapath, group) pair; used together with
 * multicast_group_equal() by ovn_multicast_find(). */
static uint32_t
ovn_multicast_hash(const struct ovn_datapath *datapath,
                   const struct multicast_group *group)
{
    return hash_pointer(datapath, group->key);
}
1563 | ||
1564 | static struct ovn_multicast * | |
1565 | ovn_multicast_find(struct hmap *mcgroups, struct ovn_datapath *datapath, | |
1566 | const struct multicast_group *group) | |
1567 | { | |
1568 | struct ovn_multicast *mc; | |
1569 | ||
1570 | HMAP_FOR_EACH_WITH_HASH (mc, hmap_node, | |
1571 | ovn_multicast_hash(datapath, group), mcgroups) { | |
1572 | if (mc->datapath == datapath | |
1573 | && multicast_group_equal(mc->group, group)) { | |
1574 | return mc; | |
4edcdcf4 RB |
1575 | } |
1576 | } | |
5868eb24 BP |
1577 | return NULL; |
1578 | } | |
1579 | ||
1580 | static void | |
1581 | ovn_multicast_add(struct hmap *mcgroups, const struct multicast_group *group, | |
1582 | struct ovn_port *port) | |
1583 | { | |
1584 | struct ovn_datapath *od = port->od; | |
1585 | struct ovn_multicast *mc = ovn_multicast_find(mcgroups, od, group); | |
1586 | if (!mc) { | |
1587 | mc = xmalloc(sizeof *mc); | |
1588 | hmap_insert(mcgroups, &mc->hmap_node, ovn_multicast_hash(od, group)); | |
1589 | mc->datapath = od; | |
1590 | mc->group = group; | |
1591 | mc->n_ports = 0; | |
1592 | mc->allocated_ports = 4; | |
1593 | mc->ports = xmalloc(mc->allocated_ports * sizeof *mc->ports); | |
1594 | } | |
1595 | if (mc->n_ports >= mc->allocated_ports) { | |
1596 | mc->ports = x2nrealloc(mc->ports, &mc->allocated_ports, | |
1597 | sizeof *mc->ports); | |
1598 | } | |
1599 | mc->ports[mc->n_ports++] = port; | |
1600 | } | |
4edcdcf4 | 1601 | |
5868eb24 BP |
1602 | static void |
1603 | ovn_multicast_destroy(struct hmap *mcgroups, struct ovn_multicast *mc) | |
1604 | { | |
1605 | if (mc) { | |
1606 | hmap_remove(mcgroups, &mc->hmap_node); | |
1607 | free(mc->ports); | |
1608 | free(mc); | |
1609 | } | |
1610 | } | |
4edcdcf4 | 1611 | |
5868eb24 BP |
1612 | static void |
1613 | ovn_multicast_update_sbrec(const struct ovn_multicast *mc, | |
1614 | const struct sbrec_multicast_group *sb) | |
1615 | { | |
1616 | struct sbrec_port_binding **ports = xmalloc(mc->n_ports * sizeof *ports); | |
1617 | for (size_t i = 0; i < mc->n_ports; i++) { | |
1618 | ports[i] = CONST_CAST(struct sbrec_port_binding *, mc->ports[i]->sb); | |
1619 | } | |
1620 | sbrec_multicast_group_set_ports(sb, ports, mc->n_ports); | |
1621 | free(ports); | |
4edcdcf4 | 1622 | } |
bd39395f | 1623 | \f |
48605550 | 1624 | /* Logical flow generation. |
bd39395f | 1625 | * |
48605550 | 1626 | * This code generates the Logical_Flow table in the southbound database, as a |
bd39395f BP |
1627 | * function of most of the northbound database. |
1628 | */ | |
1629 | ||
5868eb24 BP |
/* A logical flow staged for the southbound Logical_Flow table, keyed on
 * (datapath, stage, priority, match, actions). */
struct ovn_lflow {
    struct hmap_node hmap_node;

    struct ovn_datapath *od;
    enum ovn_stage stage;
    uint16_t priority;
    char *match;                /* Owned match string. */
    char *actions;              /* Owned actions string. */
};
1639 | ||
1640 | static size_t | |
5868eb24 | 1641 | ovn_lflow_hash(const struct ovn_lflow *lflow) |
bd39395f | 1642 | { |
5868eb24 | 1643 | size_t hash = uuid_hash(&lflow->od->key); |
880fcd14 | 1644 | hash = hash_2words((lflow->stage << 16) | lflow->priority, hash); |
5868eb24 BP |
1645 | hash = hash_string(lflow->match, hash); |
1646 | return hash_string(lflow->actions, hash); | |
bd39395f BP |
1647 | } |
1648 | ||
5868eb24 BP |
1649 | static bool |
1650 | ovn_lflow_equal(const struct ovn_lflow *a, const struct ovn_lflow *b) | |
1651 | { | |
1652 | return (a->od == b->od | |
880fcd14 | 1653 | && a->stage == b->stage |
5868eb24 BP |
1654 | && a->priority == b->priority |
1655 | && !strcmp(a->match, b->match) | |
1656 | && !strcmp(a->actions, b->actions)); | |
1657 | } | |
1658 | ||
1659 | static void | |
1660 | ovn_lflow_init(struct ovn_lflow *lflow, struct ovn_datapath *od, | |
880fcd14 | 1661 | enum ovn_stage stage, uint16_t priority, |
5868eb24 | 1662 | char *match, char *actions) |
bd39395f | 1663 | { |
5868eb24 | 1664 | lflow->od = od; |
880fcd14 | 1665 | lflow->stage = stage; |
5868eb24 BP |
1666 | lflow->priority = priority; |
1667 | lflow->match = match; | |
1668 | lflow->actions = actions; | |
bd39395f BP |
1669 | } |
1670 | ||
48605550 | 1671 | /* Adds a row with the specified contents to the Logical_Flow table. */ |
bd39395f | 1672 | static void |
5868eb24 | 1673 | ovn_lflow_add(struct hmap *lflow_map, struct ovn_datapath *od, |
880fcd14 | 1674 | enum ovn_stage stage, uint16_t priority, |
5868eb24 BP |
1675 | const char *match, const char *actions) |
1676 | { | |
9a9961d2 BP |
1677 | ovs_assert(ovn_stage_to_datapath_type(stage) == ovn_datapath_get_type(od)); |
1678 | ||
5868eb24 | 1679 | struct ovn_lflow *lflow = xmalloc(sizeof *lflow); |
880fcd14 | 1680 | ovn_lflow_init(lflow, od, stage, priority, |
5868eb24 BP |
1681 | xstrdup(match), xstrdup(actions)); |
1682 | hmap_insert(lflow_map, &lflow->hmap_node, ovn_lflow_hash(lflow)); | |
1683 | } | |
1684 | ||
1685 | static struct ovn_lflow * | |
1686 | ovn_lflow_find(struct hmap *lflows, struct ovn_datapath *od, | |
880fcd14 | 1687 | enum ovn_stage stage, uint16_t priority, |
5868eb24 BP |
1688 | const char *match, const char *actions) |
1689 | { | |
1690 | struct ovn_lflow target; | |
880fcd14 | 1691 | ovn_lflow_init(&target, od, stage, priority, |
5868eb24 BP |
1692 | CONST_CAST(char *, match), CONST_CAST(char *, actions)); |
1693 | ||
1694 | struct ovn_lflow *lflow; | |
1695 | HMAP_FOR_EACH_WITH_HASH (lflow, hmap_node, ovn_lflow_hash(&target), | |
1696 | lflows) { | |
1697 | if (ovn_lflow_equal(lflow, &target)) { | |
1698 | return lflow; | |
bd39395f BP |
1699 | } |
1700 | } | |
5868eb24 BP |
1701 | return NULL; |
1702 | } | |
bd39395f | 1703 | |
5868eb24 BP |
1704 | static void |
1705 | ovn_lflow_destroy(struct hmap *lflows, struct ovn_lflow *lflow) | |
1706 | { | |
1707 | if (lflow) { | |
1708 | hmap_remove(lflows, &lflow->hmap_node); | |
1709 | free(lflow->match); | |
1710 | free(lflow->actions); | |
1711 | free(lflow); | |
1712 | } | |
bd39395f BP |
1713 | } |
1714 | ||
bd39395f | 1715 | /* Appends port security constraints on L2 address field 'eth_addr_field' |
e93b43d6 JP |
1716 | * (e.g. "eth.src" or "eth.dst") to 'match'. 'ps_addrs', with 'n_ps_addrs' |
1717 | * elements, is the collection of port_security constraints from an | |
1718 | * OVN_NB Logical_Switch_Port row generated by extract_lsp_addresses(). */ | |
bd39395f | 1719 | static void |
685f4dfe | 1720 | build_port_security_l2(const char *eth_addr_field, |
e93b43d6 JP |
1721 | struct lport_addresses *ps_addrs, |
1722 | unsigned int n_ps_addrs, | |
685f4dfe | 1723 | struct ds *match) |
bd39395f | 1724 | { |
e93b43d6 JP |
1725 | if (!n_ps_addrs) { |
1726 | return; | |
1727 | } | |
bd39395f | 1728 | |
e93b43d6 | 1729 | ds_put_format(match, " && %s == {", eth_addr_field); |
f7cb14cd | 1730 | |
e93b43d6 JP |
1731 | for (size_t i = 0; i < n_ps_addrs; i++) { |
1732 | ds_put_format(match, "%s ", ps_addrs[i].ea_s); | |
bd39395f | 1733 | } |
f7cb14cd | 1734 | ds_chomp(match, ' '); |
bd39395f | 1735 | ds_put_cstr(match, "}"); |
bd39395f BP |
1736 | } |
1737 | ||
685f4dfe NS |
/* Appends an IPv6 ND port-security clause to 'match' for a port whose MAC is
 * 'ea': nd.sll/nd.tll must be all-zeros or 'ea', and, when 'n_ipv6_addrs' is
 * nonzero, nd.target must be the port's EUI-64 link-local address or one of
 * 'ipv6_addrs'.  The open parentheses from the first ds_put_format() are
 * deliberately left unbalanced and closed on each exit path below. */
static void
build_port_security_ipv6_nd_flow(
    struct ds *match, struct eth_addr ea, struct ipv6_netaddr *ipv6_addrs,
    int n_ipv6_addrs)
{
    ds_put_format(match, " && ip6 && nd && ((nd.sll == "ETH_ADDR_FMT" || "
                  "nd.sll == "ETH_ADDR_FMT") || ((nd.tll == "ETH_ADDR_FMT" || "
                  "nd.tll == "ETH_ADDR_FMT")", ETH_ADDR_ARGS(eth_addr_zero),
                  ETH_ADDR_ARGS(ea), ETH_ADDR_ARGS(eth_addr_zero),
                  ETH_ADDR_ARGS(ea));
    if (!n_ipv6_addrs) {
        /* No IPv6 addresses configured: close the clause without an
         * nd.target restriction. */
        ds_put_cstr(match, "))");
        return;
    }

    /* Always allow the link-local address derived from the MAC as an
     * nd.target, in addition to the configured addresses. */
    char ip6_str[INET6_ADDRSTRLEN + 1];
    struct in6_addr lla;
    in6_generate_lla(ea, &lla);
    memset(ip6_str, 0, sizeof(ip6_str));
    ipv6_string_mapped(ip6_str, &lla);
    ds_put_format(match, " && (nd.target == %s", ip6_str);

    for(int i = 0; i < n_ipv6_addrs; i++) {
        memset(ip6_str, 0, sizeof(ip6_str));
        ipv6_string_mapped(ip6_str, &ipv6_addrs[i].addr);
        ds_put_format(match, " || nd.target == %s", ip6_str);
    }

    /* Close nd.target list plus the two clauses opened above. */
    ds_put_format(match, ")))");
}
1768 | ||
/* Appends an IPv6 address set to 'match': "ip6.src" (ingress) or "ip6.dst"
 * (egress) must be the EUI-64 link-local address derived from 'ea', one of
 * the 'n_ipv6_addrs' entries in 'ipv6_addrs', or (egress only) any
 * multicast address in ff00::/8. */
static void
build_port_security_ipv6_flow(
    enum ovn_pipeline pipeline, struct ds *match, struct eth_addr ea,
    struct ipv6_netaddr *ipv6_addrs, int n_ipv6_addrs)
{
    char ip6_str[INET6_ADDRSTRLEN + 1];

    ds_put_format(match, " && %s == {",
                  pipeline == P_IN ? "ip6.src" : "ip6.dst");

    /* Allow link-local address. */
    struct in6_addr lla;
    in6_generate_lla(ea, &lla);
    ipv6_string_mapped(ip6_str, &lla);
    ds_put_format(match, "%s, ", ip6_str);

    /* Allow ip6.dst=ff00::/8 for multicast packets */
    if (pipeline == P_OUT) {
        ds_put_cstr(match, "ff00::/8, ");
    }
    for(int i = 0; i < n_ipv6_addrs; i++) {
        ipv6_string_mapped(ip6_str, &ipv6_addrs[i].addr);
        ds_put_format(match, "%s, ", ip6_str);
    }
    /* Replace ", " by "}". */
    ds_chomp(match, ' ');
    ds_chomp(match, ',');
    ds_put_cstr(match, "}");
}
1798 | ||
/**
 * Build port security constraints on ARP and IPv6 ND fields
 * and add logical flows to S_SWITCH_IN_PORT_SEC_ND stage.
 *
 * For each port security of the logical port, following
 * logical flows are added
 *   - If the port security has no IP (both IPv4 and IPv6) or
 *     if it has IPv4 address(es)
 *      - Priority 90 flow to allow ARP packets for known MAC addresses
 *        in the eth.src and arp.spa fields. If the port security
 *        has IPv4 addresses, allow known IPv4 addresses in the arp.tpa field.
 *
 *   - If the port security has no IP (both IPv4 and IPv6) or
 *     if it has IPv6 address(es)
 *     - Priority 90 flow to allow IPv6 ND packets for known MAC addresses
 *       in the eth.src and nd.sll/nd.tll fields. If the port security
 *       has IPv6 addresses, allow known IPv6 addresses in the nd.target field
 *       for IPv6 Neighbor Advertisement packet.
 *
 *   - Priority 80 flow to drop ARP and IPv6 ND packets.
 */
static void
build_port_security_nd(struct ovn_port *op, struct hmap *lflows)
{
    struct ds match = DS_EMPTY_INITIALIZER;

    for (size_t i = 0; i < op->n_ps_addrs; i++) {
        struct lport_addresses *ps = &op->ps_addrs[i];

        /* An entry with neither IPv4 nor IPv6 addresses constrains only the
         * MAC, so both the ARP and ND flows below are emitted for it. */
        bool no_ip = !(ps->n_ipv4_addrs || ps->n_ipv6_addrs);

        ds_clear(&match);
        if (ps->n_ipv4_addrs || no_ip) {
            /* ARP flow: eth.src and arp.sha must both be the port's MAC. */
            ds_put_format(&match,
                          "inport == %s && eth.src == %s && arp.sha == %s",
                          op->json_key, ps->ea_s, ps->ea_s);

            if (ps->n_ipv4_addrs) {
                ds_put_cstr(&match, " && arp.spa == {");
                for (size_t j = 0; j < ps->n_ipv4_addrs; j++) {
                    /* When the netmask is applied, if the host portion is
                     * non-zero, the host can only use the specified
                     * address in the arp.spa.  If zero, the host is allowed
                     * to use any address in the subnet. */
                    if (ps->ipv4_addrs[j].plen == 32
                        || ps->ipv4_addrs[j].addr & ~ps->ipv4_addrs[j].mask) {
                        ds_put_cstr(&match, ps->ipv4_addrs[j].addr_s);
                    } else {
                        ds_put_format(&match, "%s/%d",
                                      ps->ipv4_addrs[j].network_s,
                                      ps->ipv4_addrs[j].plen);
                    }
                    ds_put_cstr(&match, ", ");
                }
                /* Replace the trailing ", " with "}". */
                ds_chomp(&match, ' ');
                ds_chomp(&match, ',');
                ds_put_cstr(&match, "}");
            }
            ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 90,
                          ds_cstr(&match), "next;");
        }

        if (ps->n_ipv6_addrs || no_ip) {
            /* IPv6 ND flow; the ND-specific constraints are appended by the
             * helper. */
            ds_clear(&match);
            ds_put_format(&match, "inport == %s && eth.src == %s",
                          op->json_key, ps->ea_s);
            build_port_security_ipv6_nd_flow(&match, ps->ea, ps->ipv6_addrs,
                                             ps->n_ipv6_addrs);
            ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 90,
                          ds_cstr(&match), "next;");
        }
    }

    /* Catch-all at lower priority: drop any ARP/ND not allowed above. */
    ds_clear(&match);
    ds_put_format(&match, "inport == %s && (arp || nd)", op->json_key);
    ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 80,
                  ds_cstr(&match), "drop;");
    ds_destroy(&match);
}
1878 | ||
1879 | /** | |
1880 | * Build port security constraints on IPv4 and IPv6 src and dst fields | |
1881 | * and add logical flows to S_SWITCH_(IN/OUT)_PORT_SEC_IP stage. | |
1882 | * | |
1883 | * For each port security of the logical port, following | |
1884 | * logical flows are added | |
1885 | * - If the port security has IPv4 addresses, | |
1886 | * - Priority 90 flow to allow IPv4 packets for known IPv4 addresses | |
1887 | * | |
1888 | * - If the port security has IPv6 addresses, | |
1889 | * - Priority 90 flow to allow IPv6 packets for known IPv6 addresses | |
1890 | * | |
1891 | * - If the port security has IPv4 addresses or IPv6 addresses or both | |
1892 | * - Priority 80 flow to drop all IPv4 and IPv6 traffic | |
1893 | */ | |
1894 | static void | |
1895 | build_port_security_ip(enum ovn_pipeline pipeline, struct ovn_port *op, | |
1896 | struct hmap *lflows) | |
1897 | { | |
1898 | char *port_direction; | |
1899 | enum ovn_stage stage; | |
1900 | if (pipeline == P_IN) { | |
1901 | port_direction = "inport"; | |
1902 | stage = S_SWITCH_IN_PORT_SEC_IP; | |
1903 | } else { | |
1904 | port_direction = "outport"; | |
1905 | stage = S_SWITCH_OUT_PORT_SEC_IP; | |
1906 | } | |
1907 | ||
e93b43d6 JP |
1908 | for (size_t i = 0; i < op->n_ps_addrs; i++) { |
1909 | struct lport_addresses *ps = &op->ps_addrs[i]; | |
685f4dfe | 1910 | |
e93b43d6 | 1911 | if (!(ps->n_ipv4_addrs || ps->n_ipv6_addrs)) { |
685f4dfe NS |
1912 | continue; |
1913 | } | |
1914 | ||
e93b43d6 | 1915 | if (ps->n_ipv4_addrs) { |
685f4dfe NS |
1916 | struct ds match = DS_EMPTY_INITIALIZER; |
1917 | if (pipeline == P_IN) { | |
9e687b23 DL |
1918 | /* Permit use of the unspecified address for DHCP discovery */ |
1919 | struct ds dhcp_match = DS_EMPTY_INITIALIZER; | |
1920 | ds_put_format(&dhcp_match, "inport == %s" | |
e93b43d6 | 1921 | " && eth.src == %s" |
9e687b23 DL |
1922 | " && ip4.src == 0.0.0.0" |
1923 | " && ip4.dst == 255.255.255.255" | |
e93b43d6 JP |
1924 | " && udp.src == 68 && udp.dst == 67", |
1925 | op->json_key, ps->ea_s); | |
9e687b23 DL |
1926 | ovn_lflow_add(lflows, op->od, stage, 90, |
1927 | ds_cstr(&dhcp_match), "next;"); | |
1928 | ds_destroy(&dhcp_match); | |
e93b43d6 | 1929 | ds_put_format(&match, "inport == %s && eth.src == %s" |
9e687b23 | 1930 | " && ip4.src == {", op->json_key, |
e93b43d6 | 1931 | ps->ea_s); |
685f4dfe | 1932 | } else { |
e93b43d6 | 1933 | ds_put_format(&match, "outport == %s && eth.dst == %s" |
685f4dfe | 1934 | " && ip4.dst == {255.255.255.255, 224.0.0.0/4, ", |
e93b43d6 | 1935 | op->json_key, ps->ea_s); |
685f4dfe NS |
1936 | } |
1937 | ||
f95523c0 JP |
1938 | for (int j = 0; j < ps->n_ipv4_addrs; j++) { |
1939 | ovs_be32 mask = ps->ipv4_addrs[j].mask; | |
7d9d86ad NS |
1940 | /* When the netmask is applied, if the host portion is |
1941 | * non-zero, the host can only use the specified | |
1942 | * address. If zero, the host is allowed to use any | |
1943 | * address in the subnet. | |
e93b43d6 | 1944 | */ |
f95523c0 JP |
1945 | if (ps->ipv4_addrs[j].plen == 32 |
1946 | || ps->ipv4_addrs[j].addr & ~mask) { | |
1947 | ds_put_format(&match, "%s", ps->ipv4_addrs[j].addr_s); | |
1948 | if (pipeline == P_OUT && ps->ipv4_addrs[j].plen != 32) { | |
e93b43d6 JP |
1949 | /* Host is also allowed to receive packets to the |
1950 | * broadcast address in the specified subnet. */ | |
1951 | ds_put_format(&match, ", %s", | |
f95523c0 | 1952 | ps->ipv4_addrs[j].bcast_s); |
7d9d86ad NS |
1953 | } |
1954 | } else { | |
1955 | /* host portion is zero */ | |
f95523c0 JP |
1956 | ds_put_format(&match, "%s/%d", ps->ipv4_addrs[j].network_s, |
1957 | ps->ipv4_addrs[j].plen); | |
7d9d86ad NS |
1958 | } |
1959 | ds_put_cstr(&match, ", "); | |
685f4dfe NS |
1960 | } |
1961 | ||
1962 | /* Replace ", " by "}". */ | |
1963 | ds_chomp(&match, ' '); | |
1964 | ds_chomp(&match, ','); | |
1965 | ds_put_cstr(&match, "}"); | |
1966 | ovn_lflow_add(lflows, op->od, stage, 90, ds_cstr(&match), "next;"); | |
1967 | ds_destroy(&match); | |
685f4dfe NS |
1968 | } |
1969 | ||
e93b43d6 | 1970 | if (ps->n_ipv6_addrs) { |
685f4dfe | 1971 | struct ds match = DS_EMPTY_INITIALIZER; |
9e687b23 DL |
1972 | if (pipeline == P_IN) { |
1973 | /* Permit use of unspecified address for duplicate address | |
1974 | * detection */ | |
1975 | struct ds dad_match = DS_EMPTY_INITIALIZER; | |
1976 | ds_put_format(&dad_match, "inport == %s" | |
e93b43d6 | 1977 | " && eth.src == %s" |
9e687b23 DL |
1978 | " && ip6.src == ::" |
1979 | " && ip6.dst == ff02::/16" | |
1980 | " && icmp6.type == {131, 135, 143}", op->json_key, | |
e93b43d6 | 1981 | ps->ea_s); |
9e687b23 DL |
1982 | ovn_lflow_add(lflows, op->od, stage, 90, |
1983 | ds_cstr(&dad_match), "next;"); | |
1984 | ds_destroy(&dad_match); | |
1985 | } | |
e93b43d6 | 1986 | ds_put_format(&match, "%s == %s && %s == %s", |
685f4dfe | 1987 | port_direction, op->json_key, |
e93b43d6 JP |
1988 | pipeline == P_IN ? "eth.src" : "eth.dst", ps->ea_s); |
1989 | build_port_security_ipv6_flow(pipeline, &match, ps->ea, | |
1990 | ps->ipv6_addrs, ps->n_ipv6_addrs); | |
685f4dfe NS |
1991 | ovn_lflow_add(lflows, op->od, stage, 90, |
1992 | ds_cstr(&match), "next;"); | |
1993 | ds_destroy(&match); | |
685f4dfe NS |
1994 | } |
1995 | ||
e93b43d6 JP |
1996 | char *match = xasprintf("%s == %s && %s == %s && ip", |
1997 | port_direction, op->json_key, | |
1998 | pipeline == P_IN ? "eth.src" : "eth.dst", | |
1999 | ps->ea_s); | |
685f4dfe NS |
2000 | ovn_lflow_add(lflows, op->od, stage, 80, match, "drop;"); |
2001 | free(match); | |
2002 | } | |
f2a715b5 | 2003 | |
685f4dfe NS |
2004 | } |
2005 | ||
95a9a275 | 2006 | static bool |
80f408f4 | 2007 | lsp_is_enabled(const struct nbrec_logical_switch_port *lsp) |
95a9a275 | 2008 | { |
80f408f4 | 2009 | return !lsp->enabled || *lsp->enabled; |
95a9a275 RB |
2010 | } |
2011 | ||
4c7bf534 | 2012 | static bool |
80f408f4 | 2013 | lsp_is_up(const struct nbrec_logical_switch_port *lsp) |
4c7bf534 | 2014 | { |
80f408f4 | 2015 | return !lsp->up || *lsp->up; |
4c7bf534 NS |
2016 | } |
2017 | ||
281977f7 NS |
/* Fills in 'options_action' (a put_dhcp_opts() action that stores its result
 * in REGBIT_DHCP_OPTS_RESULT) and 'response_action' (the action that turns
 * the request into a reply from the configured DHCP server) for offering
 * 'offer_ip' to logical port 'op'.
 *
 * Returns false, without touching the ds arguments, if the port has no
 * DHCPv4 options, the options' cidr is invalid, 'offer_ip' is outside that
 * cidr, or any of the mandatory options is missing. */
static bool
build_dhcpv4_action(struct ovn_port *op, ovs_be32 offer_ip,
                    struct ds *options_action, struct ds *response_action)
{
    if (!op->nbsp->dhcpv4_options) {
        /* CMS has disabled native DHCPv4 for this lport. */
        return false;
    }

    ovs_be32 host_ip, mask;
    char *error = ip_parse_masked(op->nbsp->dhcpv4_options->cidr, &host_ip,
                                  &mask);
    if (error || ((offer_ip ^ host_ip) & mask)) {
        /* Either
         *  - cidr defined is invalid or
         *  - the offer ip of the logical port doesn't belong to the cidr
         *    defined in the DHCPv4 options.
         */
        free(error);
        return false;
    }

    const char *server_ip = smap_get(
        &op->nbsp->dhcpv4_options->options, "server_id");
    const char *server_mac = smap_get(
        &op->nbsp->dhcpv4_options->options, "server_mac");
    const char *lease_time = smap_get(
        &op->nbsp->dhcpv4_options->options, "lease_time");
    const char *router = smap_get(
        &op->nbsp->dhcpv4_options->options, "router");

    if (!(server_ip && server_mac && lease_time && router)) {
        /* "server_id", "server_mac", "lease_time" and "router" should be
         * present in the dhcp_options. */
        static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
        VLOG_WARN_RL(&rl, "Required DHCPv4 options not defined for lport - %s",
                     op->json_key);
        return false;
    }

    /* Work on a private copy so the database row's options are untouched. */
    struct smap dhcpv4_options = SMAP_INITIALIZER(&dhcpv4_options);
    smap_clone(&dhcpv4_options, &op->nbsp->dhcpv4_options->options);

    /* server_mac is not DHCPv4 option, delete it from the smap. */
    smap_remove(&dhcpv4_options, "server_mac");
    /* The netmask option is derived from the cidr rather than configured
     * explicitly. */
    char *netmask = xasprintf(IP_FMT, IP_ARGS(mask));
    smap_add(&dhcpv4_options, "netmask", netmask);
    free(netmask);

    ds_put_format(options_action,
                  REGBIT_DHCP_OPTS_RESULT" = put_dhcp_opts(offerip = "
                  IP_FMT", ", IP_ARGS(offer_ip));
    struct smap_node *node;
    SMAP_FOR_EACH(node, &dhcpv4_options) {
        ds_put_format(options_action, "%s = %s, ", node->key, node->value);
    }

    /* Replace the trailing ", " with the closing of the action. */
    ds_chomp(options_action, ' ');
    ds_chomp(options_action, ',');
    ds_put_cstr(options_action, "); next;");

    /* Swap the packet's addressing so it is sent back to the requester as a
     * reply from the DHCP server, looped back out the ingress port. */
    ds_put_format(response_action, "eth.dst = eth.src; eth.src = %s; "
                  "ip4.dst = "IP_FMT"; ip4.src = %s; udp.src = 67; "
                  "udp.dst = 68; outport = inport; flags.loopback = 1; "
                  "output;",
                  server_mac, IP_ARGS(offer_ip), server_ip);

    smap_destroy(&dhcpv4_options);
    return true;
}
2088 | ||
33ac3c83 NS |
2089 | static bool |
2090 | build_dhcpv6_action(struct ovn_port *op, struct in6_addr *offer_ip, | |
2091 | struct ds *options_action, struct ds *response_action) | |
2092 | { | |
2093 | if (!op->nbsp->dhcpv6_options) { | |
2094 | /* CMS has disabled native DHCPv6 for this lport. */ | |
2095 | return false; | |
2096 | } | |
2097 | ||
2098 | struct in6_addr host_ip, mask; | |
2099 | ||
2100 | char *error = ipv6_parse_masked(op->nbsp->dhcpv6_options->cidr, &host_ip, | |
2101 | &mask); | |
2102 | if (error) { | |
2103 | free(error); | |
2104 | return false; | |
2105 | } | |
2106 | struct in6_addr ip6_mask = ipv6_addr_bitxor(offer_ip, &host_ip); | |
2107 | ip6_mask = ipv6_addr_bitand(&ip6_mask, &mask); | |
2108 | if (!ipv6_mask_is_any(&ip6_mask)) { | |
2109 | /* offer_ip doesn't belongs to the cidr defined in lport's DHCPv6 | |
2110 | * options.*/ | |
2111 | return false; | |
2112 | } | |
2113 | ||
2114 | /* "server_id" should be the MAC address. */ | |
2115 | const char *server_mac = smap_get(&op->nbsp->dhcpv6_options->options, | |
2116 | "server_id"); | |
2117 | struct eth_addr ea; | |
2118 | if (!server_mac || !eth_addr_from_string(server_mac, &ea)) { | |
2119 | /* "server_id" should be present in the dhcpv6_options. */ | |
2120 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
2121 | VLOG_WARN_RL(&rl, "server_id not present in the DHCPv6 options" | |
2122 | " for lport %s", op->json_key); | |
2123 | return false; | |
2124 | } | |
2125 | ||
2126 | /* Get the link local IP of the DHCPv6 server from the server MAC. */ | |
2127 | struct in6_addr lla; | |
2128 | in6_generate_lla(ea, &lla); | |
2129 | ||
2130 | char server_ip[INET6_ADDRSTRLEN + 1]; | |
2131 | ipv6_string_mapped(server_ip, &lla); | |
2132 | ||
2133 | char ia_addr[INET6_ADDRSTRLEN + 1]; | |
2134 | ipv6_string_mapped(ia_addr, offer_ip); | |
2135 | ||
2136 | ds_put_format(options_action, | |
40df4566 ZKL |
2137 | REGBIT_DHCP_OPTS_RESULT" = put_dhcpv6_opts("); |
2138 | ||
2139 | /* Check whether the dhcpv6 options should be configured as stateful. | |
2140 | * Only reply with ia_addr option for dhcpv6 stateful address mode. */ | |
2141 | if (!smap_get_bool(&op->nbsp->dhcpv6_options->options, | |
2142 | "dhcpv6_stateless", false)) { | |
2143 | char ia_addr[INET6_ADDRSTRLEN + 1]; | |
2144 | ipv6_string_mapped(ia_addr, offer_ip); | |
2145 | ||
2146 | ds_put_format(options_action, "ia_addr = %s, ", ia_addr); | |
2147 | } | |
2148 | ||
33ac3c83 NS |
2149 | struct smap_node *node; |
2150 | SMAP_FOR_EACH (node, &op->nbsp->dhcpv6_options->options) { | |
40df4566 ZKL |
2151 | if (strcmp(node->key, "dhcpv6_stateless")) { |
2152 | ds_put_format(options_action, "%s = %s, ", node->key, node->value); | |
2153 | } | |
33ac3c83 NS |
2154 | } |
2155 | ds_chomp(options_action, ' '); | |
2156 | ds_chomp(options_action, ','); | |
2157 | ds_put_cstr(options_action, "); next;"); | |
2158 | ||
2159 | ds_put_format(response_action, "eth.dst = eth.src; eth.src = %s; " | |
2160 | "ip6.dst = ip6.src; ip6.src = %s; udp.src = 547; " | |
2161 | "udp.dst = 546; outport = inport; flags.loopback = 1; " | |
2162 | "output;", | |
2163 | server_mac, server_ip); | |
40df4566 | 2164 | |
33ac3c83 NS |
2165 | return true; |
2166 | } | |
2167 | ||
78aab811 JP |
2168 | static bool |
2169 | has_stateful_acl(struct ovn_datapath *od) | |
2170 | { | |
9975d7be BP |
2171 | for (size_t i = 0; i < od->nbs->n_acls; i++) { |
2172 | struct nbrec_acl *acl = od->nbs->acls[i]; | |
78aab811 JP |
2173 | if (!strcmp(acl->action, "allow-related")) { |
2174 | return true; | |
2175 | } | |
2176 | } | |
2177 | ||
2178 | return false; | |
2179 | } | |
2180 | ||
/* Adds the ingress and egress pre-ACL stage flows for datapath 'od': a
 * default-allow at priority 0 always, and, when any stateful ACL exists,
 * flows that steer IP traffic into conntrack (priority 100) while exempting
 * router-port traffic and ND packets (priority 110). */
static void
build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
{
    bool has_stateful = has_stateful_acl(od);

    /* Ingress and Egress Pre-ACL Table (Priority 0): Packets are
     * allowed by default. */
    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 0, "1", "next;");
    ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;");

    /* If there are any stateful ACL rules in this datapath, we must
     * send all IP packets through the conntrack action, which handles
     * defragmentation, in order to match L4 headers. */
    if (has_stateful) {
        for (size_t i = 0; i < od->n_router_ports; i++) {
            struct ovn_port *op = od->router_ports[i];
            /* Can't use ct() for router ports.  Consider the
             * following configuration: lp1(10.0.0.2) on
             * hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a
             * ping from lp1 to lp2, First, the response will go
             * through ct() with a zone for lp2 in the ls2 ingress
             * pipeline on hostB.  That ct zone knows about this
             * connection.  Next, it goes through ct() with the zone
             * for the router port in the egress pipeline of ls2 on
             * hostB.  This zone does not know about the connection,
             * as the icmp request went through the logical router
             * on hostA, not hostB.  This would only work with
             * distributed conntrack state across all chassis. */
            struct ds match_in = DS_EMPTY_INITIALIZER;
            struct ds match_out = DS_EMPTY_INITIALIZER;

            ds_put_format(&match_in, "ip && inport == %s", op->json_key);
            ds_put_format(&match_out, "ip && outport == %s", op->json_key);
            ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
                          ds_cstr(&match_in), "next;");
            ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
                          ds_cstr(&match_out), "next;");

            ds_destroy(&match_in);
            ds_destroy(&match_out);
        }
        /* Ingress and Egress Pre-ACL Table (Priority 110).
         *
         * Not to do conntrack on ND packets. */
        ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, "nd", "next;");
        ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, "nd", "next;");

        /* Ingress and Egress Pre-ACL Table (Priority 100).
         *
         * Regardless of whether the ACL is "from-lport" or "to-lport",
         * we need rules in both the ingress and egress table, because
         * the return traffic needs to be followed.
         *
         * 'REGBIT_CONNTRACK_DEFRAG' is set to let the pre-stateful table send
         * it to conntrack for tracking and defragmentation. */
        ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip",
                      REGBIT_CONNTRACK_DEFRAG" = 1; next;");
        ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip",
                      REGBIT_CONNTRACK_DEFRAG" = 1; next;");
    }
}
78aab811 | 2242 | |
7a15be69 GS |
2243 | /* For a 'key' of the form "IP:port" or just "IP", sets 'port' and |
2244 | * 'ip_address'. The caller must free() the memory allocated for | |
2245 | * 'ip_address'. */ | |
2246 | static void | |
2247 | ip_address_and_port_from_lb_key(const char *key, char **ip_address, | |
2248 | uint16_t *port) | |
2249 | { | |
2250 | char *ip_str, *start, *next; | |
2251 | *ip_address = NULL; | |
2252 | *port = 0; | |
2253 | ||
2254 | next = start = xstrdup(key); | |
2255 | ip_str = strsep(&next, ":"); | |
2256 | if (!ip_str || !ip_str[0]) { | |
2257 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
2258 | VLOG_WARN_RL(&rl, "bad ip address for load balancer key %s", key); | |
2259 | free(start); | |
2260 | return; | |
2261 | } | |
2262 | ||
2263 | ovs_be32 ip, mask; | |
2264 | char *error = ip_parse_masked(ip_str, &ip, &mask); | |
2265 | if (error || mask != OVS_BE32_MAX) { | |
2266 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
2267 | VLOG_WARN_RL(&rl, "bad ip address for load balancer key %s", key); | |
2268 | free(start); | |
2269 | free(error); | |
2270 | return; | |
2271 | } | |
2272 | ||
2273 | int l4_port = 0; | |
2274 | if (next && next[0]) { | |
2275 | if (!str_to_int(next, 0, &l4_port) || l4_port < 0 || l4_port > 65535) { | |
2276 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
2277 | VLOG_WARN_RL(&rl, "bad ip port for load balancer key %s", key); | |
2278 | free(start); | |
2279 | return; | |
2280 | } | |
2281 | } | |
2282 | ||
2283 | *port = l4_port; | |
2284 | *ip_address = strdup(ip_str); | |
2285 | free(start); | |
2286 | } | |
2287 | ||
/* Adds the ingress and egress pre-load-balancer stage flows for datapath
 * 'od': default-allow at priority 0, plus priority-100 flows that set
 * REGBIT_CONNTRACK_DEFRAG for traffic to each configured VIP (ingress) and,
 * if any VIP exists, for all IP traffic (egress). */
static void
build_pre_lb(struct ovn_datapath *od, struct hmap *lflows)
{
    /* Allow all packets to go to next tables by default. */
    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;");
    ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;");

    /* Collect the set of distinct VIP addresses across all load balancers
     * configured on this datapath. */
    struct sset all_ips = SSET_INITIALIZER(&all_ips);
    bool vip_configured = false;
    for (int i = 0; i < od->nbs->n_load_balancer; i++) {
        struct nbrec_load_balancer *lb = od->nbs->load_balancer[i];
        struct smap *vips = &lb->vips;
        struct smap_node *node;

        SMAP_FOR_EACH (node, vips) {
            vip_configured = true;

            /* node->key contains IP:port or just IP. */
            char *ip_address = NULL;
            uint16_t port;
            ip_address_and_port_from_lb_key(node->key, &ip_address, &port);
            if (!ip_address) {
                continue;
            }

            if (!sset_contains(&all_ips, ip_address)) {
                sset_add(&all_ips, ip_address);
            }

            free(ip_address);

            /* Ignore L4 port information in the key because fragmented packets
             * may not have L4 information.  The pre-stateful table will send
             * the packet through ct() action to de-fragment.  In stateful
             * table, we will eventually look at L4 information. */
        }
    }

    /* 'REGBIT_CONNTRACK_DEFRAG' is set to let the pre-stateful table send
     * packet to conntrack for defragmentation. */
    const char *ip_address;
    SSET_FOR_EACH(ip_address, &all_ips) {
        char *match = xasprintf("ip && ip4.dst == %s", ip_address);
        ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB,
                      100, match, REGBIT_CONNTRACK_DEFRAG" = 1; next;");
        free(match);
    }

    sset_destroy(&all_ips);

    if (vip_configured) {
        ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB,
                      100, "ip", REGBIT_CONNTRACK_DEFRAG" = 1; next;");
    }
}
2343 | ||
facf8652 GS |
2344 | static void |
2345 | build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows) | |
2346 | { | |
2347 | /* Ingress and Egress pre-stateful Table (Priority 0): Packets are | |
2348 | * allowed by default. */ | |
2349 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 0, "1", "next;"); | |
2350 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 0, "1", "next;"); | |
2351 | ||
2352 | /* If REGBIT_CONNTRACK_DEFRAG is set as 1, then the packets should be | |
2353 | * sent to conntrack for tracking and defragmentation. */ | |
2354 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 100, | |
2355 | REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;"); | |
2356 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 100, | |
2357 | REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;"); | |
2358 | } | |
2359 | ||
2d018f9b GS |
2360 | static void |
2361 | build_acls(struct ovn_datapath *od, struct hmap *lflows) | |
2362 | { | |
2363 | bool has_stateful = has_stateful_acl(od); | |
e75451fe | 2364 | |
2d018f9b GS |
2365 | /* Ingress and Egress ACL Table (Priority 0): Packets are allowed by |
2366 | * default. A related rule at priority 1 is added below if there | |
2367 | * are any stateful ACLs in this datapath. */ | |
2368 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;"); | |
2369 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;"); | |
2370 | ||
2371 | if (has_stateful) { | |
78aab811 JP |
2372 | /* Ingress and Egress ACL Table (Priority 1). |
2373 | * | |
2374 | * By default, traffic is allowed. This is partially handled by | |
2375 | * the Priority 0 ACL flows added earlier, but we also need to | |
2376 | * commit IP flows. This is because, while the initiater's | |
2377 | * direction may not have any stateful rules, the server's may | |
2378 | * and then its return traffic would not have an associated | |
cc58e1f2 RB |
2379 | * conntrack entry and would return "+invalid". |
2380 | * | |
2381 | * We use "ct_commit" for a connection that is not already known | |
2382 | * by the connection tracker. Once a connection is committed, | |
2383 | * subsequent packets will hit the flow at priority 0 that just | |
2384 | * uses "next;" | |
2385 | * | |
b73db61d | 2386 | * We also check for established connections that have ct_label.blocked |
cc58e1f2 RB |
2387 | * set on them. That's a connection that was disallowed, but is |
2388 | * now allowed by policy again since it hit this default-allow flow. | |
b73db61d | 2389 | * We need to set ct_label.blocked=0 to let the connection continue, |
cc58e1f2 RB |
2390 | * which will be done by ct_commit() in the "stateful" stage. |
2391 | * Subsequent packets will hit the flow at priority 0 that just | |
2392 | * uses "next;". */ | |
2393 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, | |
b73db61d | 2394 | "ip && (!ct.est || (ct.est && ct_label.blocked == 1))", |
cc58e1f2 RB |
2395 | REGBIT_CONNTRACK_COMMIT" = 1; next;"); |
2396 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, | |
b73db61d | 2397 | "ip && (!ct.est || (ct.est && ct_label.blocked == 1))", |
cc58e1f2 | 2398 | REGBIT_CONNTRACK_COMMIT" = 1; next;"); |
78aab811 JP |
2399 | |
2400 | /* Ingress and Egress ACL Table (Priority 65535). | |
2401 | * | |
cc58e1f2 RB |
2402 | * Always drop traffic that's in an invalid state. Also drop |
2403 | * reply direction packets for connections that have been marked | |
2404 | * for deletion (bit 0 of ct_label is set). | |
2405 | * | |
2406 | * This is enforced at a higher priority than ACLs can be defined. */ | |
880fcd14 | 2407 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
b73db61d | 2408 | "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)", |
cc58e1f2 | 2409 | "drop;"); |
880fcd14 | 2410 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
b73db61d | 2411 | "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)", |
cc58e1f2 | 2412 | "drop;"); |
78aab811 JP |
2413 | |
2414 | /* Ingress and Egress ACL Table (Priority 65535). | |
2415 | * | |
cc58e1f2 RB |
2416 | * Allow reply traffic that is part of an established |
2417 | * conntrack entry that has not been marked for deletion | |
2418 | * (bit 0 of ct_label). We only match traffic in the | |
2419 | * reply direction because we want traffic in the request | |
2420 | * direction to hit the currently defined policy from ACLs. | |
2421 | * | |
2422 | * This is enforced at a higher priority than ACLs can be defined. */ | |
880fcd14 | 2423 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
cc58e1f2 | 2424 | "ct.est && !ct.rel && !ct.new && !ct.inv " |
b73db61d | 2425 | "&& ct.rpl && ct_label.blocked == 0", |
78aab811 | 2426 | "next;"); |
880fcd14 | 2427 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
cc58e1f2 | 2428 | "ct.est && !ct.rel && !ct.new && !ct.inv " |
b73db61d | 2429 | "&& ct.rpl && ct_label.blocked == 0", |
78aab811 JP |
2430 | "next;"); |
2431 | ||
2432 | /* Ingress and Egress ACL Table (Priority 65535). | |
2433 | * | |
cc58e1f2 RB |
2434 | * Allow traffic that is related to an existing conntrack entry that |
2435 | * has not been marked for deletion (bit 0 of ct_label). | |
2436 | * | |
2437 | * This is enforced at a higher priority than ACLs can be defined. | |
78aab811 JP |
2438 | * |
2439 | * NOTE: This does not support related data sessions (eg, | |
2440 | * a dynamically negotiated FTP data channel), but will allow | |
2441 | * related traffic such as an ICMP Port Unreachable through | |
2442 | * that's generated from a non-listening UDP port. */ | |
880fcd14 | 2443 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
cc58e1f2 | 2444 | "!ct.est && ct.rel && !ct.new && !ct.inv " |
b73db61d | 2445 | "&& ct_label.blocked == 0", |
78aab811 | 2446 | "next;"); |
880fcd14 | 2447 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
cc58e1f2 | 2448 | "!ct.est && ct.rel && !ct.new && !ct.inv " |
b73db61d | 2449 | "&& ct_label.blocked == 0", |
78aab811 | 2450 | "next;"); |
e75451fe ZKL |
2451 | |
2452 | /* Ingress and Egress ACL Table (Priority 65535). | |
2453 | * | |
2454 | * Not to do conntrack on ND packets. */ | |
2455 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, "nd", "next;"); | |
2456 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, "nd", "next;"); | |
78aab811 JP |
2457 | } |
2458 | ||
2459 | /* Ingress or Egress ACL Table (Various priorities). */ | |
9975d7be BP |
2460 | for (size_t i = 0; i < od->nbs->n_acls; i++) { |
2461 | struct nbrec_acl *acl = od->nbs->acls[i]; | |
78aab811 | 2462 | bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; |
880fcd14 | 2463 | enum ovn_stage stage = ingress ? S_SWITCH_IN_ACL : S_SWITCH_OUT_ACL; |
78aab811 | 2464 | |
cc58e1f2 RB |
2465 | if (!strcmp(acl->action, "allow") |
2466 | || !strcmp(acl->action, "allow-related")) { | |
78aab811 JP |
2467 | /* If there are any stateful flows, we must even commit "allow" |
2468 | * actions. This is because, while the initiater's | |
2469 | * direction may not have any stateful rules, the server's | |
2470 | * may and then its return traffic would not have an | |
2471 | * associated conntrack entry and would return "+invalid". */ | |
cc58e1f2 RB |
2472 | if (!has_stateful) { |
2473 | ovn_lflow_add(lflows, od, stage, | |
2474 | acl->priority + OVN_ACL_PRI_OFFSET, | |
2475 | acl->match, "next;"); | |
2476 | } else { | |
2477 | struct ds match = DS_EMPTY_INITIALIZER; | |
2478 | ||
2479 | /* Commit the connection tracking entry if it's a new | |
2480 | * connection that matches this ACL. After this commit, | |
2481 | * the reply traffic is allowed by a flow we create at | |
2482 | * priority 65535, defined earlier. | |
2483 | * | |
2484 | * It's also possible that a known connection was marked for | |
2485 | * deletion after a policy was deleted, but the policy was | |
2486 | * re-added while that connection is still known. We catch | |
b73db61d | 2487 | * that case here and un-set ct_label.blocked (which will be done |
cc58e1f2 RB |
2488 | * by ct_commit in the "stateful" stage) to indicate that the |
2489 | * connection should be allowed to resume. | |
2490 | */ | |
2491 | ds_put_format(&match, "((ct.new && !ct.est)" | |
2492 | " || (!ct.new && ct.est && !ct.rpl " | |
b73db61d | 2493 | "&& ct_label.blocked == 1)) " |
cc58e1f2 RB |
2494 | "&& (%s)", acl->match); |
2495 | ovn_lflow_add(lflows, od, stage, | |
2496 | acl->priority + OVN_ACL_PRI_OFFSET, | |
2497 | ds_cstr(&match), | |
2498 | REGBIT_CONNTRACK_COMMIT" = 1; next;"); | |
2499 | ||
2500 | /* Match on traffic in the request direction for an established | |
2501 | * connection tracking entry that has not been marked for | |
2502 | * deletion. There is no need to commit here, so we can just | |
2503 | * proceed to the next table. We use this to ensure that this | |
2504 | * connection is still allowed by the currently defined | |
2505 | * policy. */ | |
2506 | ds_clear(&match); | |
2507 | ds_put_format(&match, | |
2508 | "!ct.new && ct.est && !ct.rpl" | |
b73db61d | 2509 | " && ct_label.blocked == 0 && (%s)", |
cc58e1f2 RB |
2510 | acl->match); |
2511 | ovn_lflow_add(lflows, od, stage, | |
2512 | acl->priority + OVN_ACL_PRI_OFFSET, | |
2513 | ds_cstr(&match), "next;"); | |
2514 | ||
2515 | ds_destroy(&match); | |
2516 | } | |
2517 | } else if (!strcmp(acl->action, "drop") | |
2518 | || !strcmp(acl->action, "reject")) { | |
78aab811 JP |
2519 | struct ds match = DS_EMPTY_INITIALIZER; |
2520 | ||
cc58e1f2 RB |
2521 | /* XXX Need to support "reject", treat it as "drop;" for now. */ |
2522 | if (!strcmp(acl->action, "reject")) { | |
2523 | VLOG_INFO("reject is not a supported action"); | |
2524 | } | |
78aab811 | 2525 | |
cc58e1f2 RB |
2526 | /* The implementation of "drop" differs if stateful ACLs are in |
2527 | * use for this datapath. In that case, the actions differ | |
2528 | * depending on whether the connection was previously committed | |
2529 | * to the connection tracker with ct_commit. */ | |
2530 | if (has_stateful) { | |
2531 | /* If the packet is not part of an established connection, then | |
2532 | * we can simply drop it. */ | |
2533 | ds_put_format(&match, | |
b73db61d | 2534 | "(!ct.est || (ct.est && ct_label.blocked == 1)) " |
cc58e1f2 RB |
2535 | "&& (%s)", |
2536 | acl->match); | |
2537 | ovn_lflow_add(lflows, od, stage, acl->priority + | |
2538 | OVN_ACL_PRI_OFFSET, ds_cstr(&match), "drop;"); | |
2539 | ||
2540 | /* For an existing connection without ct_label set, we've | |
2541 | * encountered a policy change. ACLs previously allowed | |
2542 | * this connection and we committed the connection tracking | |
2543 | * entry. Current policy says that we should drop this | |
2544 | * connection. First, we set bit 0 of ct_label to indicate | |
2545 | * that this connection is set for deletion. By not | |
2546 | * specifying "next;", we implicitly drop the packet after | |
2547 | * updating conntrack state. We would normally defer | |
2548 | * ct_commit() to the "stateful" stage, but since we're | |
2549 | * dropping the packet, we go ahead and do it here. */ | |
2550 | ds_clear(&match); | |
2551 | ds_put_format(&match, | |
b73db61d | 2552 | "ct.est && ct_label.blocked == 0 && (%s)", |
cc58e1f2 RB |
2553 | acl->match); |
2554 | ovn_lflow_add(lflows, od, stage, | |
2555 | acl->priority + OVN_ACL_PRI_OFFSET, | |
2556 | ds_cstr(&match), "ct_commit(ct_label=1/1);"); | |
2557 | ||
2558 | ds_destroy(&match); | |
2559 | } else { | |
2560 | /* There are no stateful ACLs in use on this datapath, | |
2561 | * so a "drop" ACL is simply the "drop" logical flow action | |
2562 | * in all cases. */ | |
2563 | ovn_lflow_add(lflows, od, stage, | |
2564 | acl->priority + OVN_ACL_PRI_OFFSET, | |
2565 | acl->match, "drop;"); | |
2566 | } | |
78aab811 JP |
2567 | } |
2568 | } | |
281977f7 NS |
2569 | |
2570 | /* Add 34000 priority flow to allow DHCP reply from ovn-controller to all | |
2571 | * logical ports of the datapath if the CMS has configured DHCPv4 options*/ | |
052fa3ac BP |
2572 | for (size_t i = 0; i < od->nbs->n_ports; i++) { |
2573 | if (od->nbs->ports[i]->dhcpv4_options) { | |
2574 | const char *server_id = smap_get( | |
2575 | &od->nbs->ports[i]->dhcpv4_options->options, "server_id"); | |
2576 | const char *server_mac = smap_get( | |
2577 | &od->nbs->ports[i]->dhcpv4_options->options, "server_mac"); | |
2578 | const char *lease_time = smap_get( | |
2579 | &od->nbs->ports[i]->dhcpv4_options->options, "lease_time"); | |
2580 | const char *router = smap_get( | |
2581 | &od->nbs->ports[i]->dhcpv4_options->options, "router"); | |
2582 | if (server_id && server_mac && lease_time && router) { | |
2583 | struct ds match = DS_EMPTY_INITIALIZER; | |
2584 | const char *actions = | |
2585 | has_stateful ? "ct_commit; next;" : "next;"; | |
2586 | ds_put_format(&match, "outport == \"%s\" && eth.src == %s " | |
2587 | "&& ip4.src == %s && udp && udp.src == 67 " | |
2588 | "&& udp.dst == 68", od->nbs->ports[i]->name, | |
2589 | server_mac, server_id); | |
2590 | ovn_lflow_add( | |
2591 | lflows, od, S_SWITCH_OUT_ACL, 34000, ds_cstr(&match), | |
2592 | actions); | |
75e82c17 | 2593 | ds_destroy(&match); |
281977f7 | 2594 | } |
052fa3ac | 2595 | } |
33ac3c83 | 2596 | |
052fa3ac BP |
2597 | if (od->nbs->ports[i]->dhcpv6_options) { |
2598 | const char *server_mac = smap_get( | |
2599 | &od->nbs->ports[i]->dhcpv6_options->options, "server_id"); | |
2600 | struct eth_addr ea; | |
2601 | if (server_mac && eth_addr_from_string(server_mac, &ea)) { | |
2602 | /* Get the link local IP of the DHCPv6 server from the | |
2603 | * server MAC. */ | |
2604 | struct in6_addr lla; | |
2605 | in6_generate_lla(ea, &lla); | |
2606 | ||
2607 | char server_ip[INET6_ADDRSTRLEN + 1]; | |
2608 | ipv6_string_mapped(server_ip, &lla); | |
2609 | ||
2610 | struct ds match = DS_EMPTY_INITIALIZER; | |
2611 | const char *actions = has_stateful ? "ct_commit; next;" : | |
2612 | "next;"; | |
2613 | ds_put_format(&match, "outport == \"%s\" && eth.src == %s " | |
2614 | "&& ip6.src == %s && udp && udp.src == 547 " | |
2615 | "&& udp.dst == 546", od->nbs->ports[i]->name, | |
2616 | server_mac, server_ip); | |
2617 | ovn_lflow_add( | |
2618 | lflows, od, S_SWITCH_OUT_ACL, 34000, ds_cstr(&match), | |
2619 | actions); | |
75e82c17 | 2620 | ds_destroy(&match); |
33ac3c83 | 2621 | } |
281977f7 NS |
2622 | } |
2623 | } | |
78aab811 JP |
2624 | } |
2625 | ||
1a03fc7d BS |
2626 | static void |
2627 | build_qos(struct ovn_datapath *od, struct hmap *lflows) { | |
2628 | ovn_lflow_add(lflows, od, S_SWITCH_IN_QOS_MARK, 0, "1", "next;"); | |
2629 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_QOS_MARK, 0, "1", "next;"); | |
2630 | ||
2631 | for (size_t i = 0; i < od->nbs->n_qos_rules; i++) { | |
2632 | struct nbrec_qos *qos = od->nbs->qos_rules[i]; | |
2633 | bool ingress = !strcmp(qos->direction, "from-lport") ? true :false; | |
2634 | enum ovn_stage stage = ingress ? S_SWITCH_IN_QOS_MARK : S_SWITCH_OUT_QOS_MARK; | |
2635 | ||
2636 | if (!strcmp(qos->key_action, "dscp")) { | |
2637 | struct ds dscp_action = DS_EMPTY_INITIALIZER; | |
2638 | ||
2639 | ds_put_format(&dscp_action, "ip.dscp = %d; next;", | |
2640 | (uint8_t)qos->value_action); | |
2641 | ovn_lflow_add(lflows, od, stage, | |
2642 | qos->priority, | |
2643 | qos->match, ds_cstr(&dscp_action)); | |
2644 | ds_destroy(&dscp_action); | |
2645 | } | |
2646 | } | |
2647 | } | |
2648 | ||
7a15be69 GS |
2649 | static void |
2650 | build_lb(struct ovn_datapath *od, struct hmap *lflows) | |
2651 | { | |
2652 | /* Ingress and Egress LB Table (Priority 0): Packets are allowed by | |
2653 | * default. */ | |
2654 | ovn_lflow_add(lflows, od, S_SWITCH_IN_LB, 0, "1", "next;"); | |
2655 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB, 0, "1", "next;"); | |
2656 | ||
2657 | if (od->nbs->load_balancer) { | |
2658 | /* Ingress and Egress LB Table (Priority 65535). | |
2659 | * | |
2660 | * Send established traffic through conntrack for just NAT. */ | |
2661 | ovn_lflow_add(lflows, od, S_SWITCH_IN_LB, UINT16_MAX, | |
2662 | "ct.est && !ct.rel && !ct.new && !ct.inv", | |
2663 | REGBIT_CONNTRACK_NAT" = 1; next;"); | |
2664 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB, UINT16_MAX, | |
2665 | "ct.est && !ct.rel && !ct.new && !ct.inv", | |
2666 | REGBIT_CONNTRACK_NAT" = 1; next;"); | |
2667 | } | |
2668 | } | |
2669 | ||
fa313a8c GS |
2670 | static void |
2671 | build_stateful(struct ovn_datapath *od, struct hmap *lflows) | |
2672 | { | |
2673 | /* Ingress and Egress stateful Table (Priority 0): Packets are | |
2674 | * allowed by default. */ | |
2675 | ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 0, "1", "next;"); | |
2676 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;"); | |
2677 | ||
2678 | /* If REGBIT_CONNTRACK_COMMIT is set as 1, then the packets should be | |
b73db61d | 2679 | * committed to conntrack. We always set ct_label.blocked to 0 here as |
cc58e1f2 RB |
2680 | * any packet that makes it this far is part of a connection we |
2681 | * want to allow to continue. */ | |
fa313a8c | 2682 | ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, |
cc58e1f2 | 2683 | REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;"); |
fa313a8c | 2684 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 100, |
cc58e1f2 | 2685 | REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;"); |
7a15be69 GS |
2686 | |
2687 | /* If REGBIT_CONNTRACK_NAT is set as 1, then packets should just be sent | |
2688 | * through nat (without committing). | |
2689 | * | |
2690 | * REGBIT_CONNTRACK_COMMIT is set for new connections and | |
2691 | * REGBIT_CONNTRACK_NAT is set for established connections. So they | |
2692 | * don't overlap. | |
2693 | */ | |
2694 | ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100, | |
2695 | REGBIT_CONNTRACK_NAT" == 1", "ct_lb;"); | |
2696 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 100, | |
2697 | REGBIT_CONNTRACK_NAT" == 1", "ct_lb;"); | |
2698 | ||
2699 | /* Load balancing rules for new connections get committed to conntrack | |
2700 | * table. So even if REGBIT_CONNTRACK_COMMIT is set in a previous table | |
2701 | * a higher priority rule for load balancing below also commits the | |
2702 | * connection, so it is okay if we do not hit the above match on | |
2703 | * REGBIT_CONNTRACK_COMMIT. */ | |
61591ad9 GS |
2704 | for (int i = 0; i < od->nbs->n_load_balancer; i++) { |
2705 | struct nbrec_load_balancer *lb = od->nbs->load_balancer[i]; | |
7a15be69 GS |
2706 | struct smap *vips = &lb->vips; |
2707 | struct smap_node *node; | |
2708 | ||
2709 | SMAP_FOR_EACH (node, vips) { | |
2710 | uint16_t port = 0; | |
2711 | ||
2712 | /* node->key contains IP:port or just IP. */ | |
2713 | char *ip_address = NULL; | |
2714 | ip_address_and_port_from_lb_key(node->key, &ip_address, &port); | |
2715 | if (!ip_address) { | |
2716 | continue; | |
2717 | } | |
2718 | ||
2719 | /* New connections in Ingress table. */ | |
2720 | char *action = xasprintf("ct_lb(%s);", node->value); | |
2721 | struct ds match = DS_EMPTY_INITIALIZER; | |
2722 | ds_put_format(&match, "ct.new && ip && ip4.dst == %s", ip_address); | |
2723 | if (port) { | |
2724 | if (lb->protocol && !strcmp(lb->protocol, "udp")) { | |
546f1ff3 | 2725 | ds_put_format(&match, " && udp && udp.dst == %d", port); |
7a15be69 | 2726 | } else { |
546f1ff3 | 2727 | ds_put_format(&match, " && tcp && tcp.dst == %d", port); |
7a15be69 GS |
2728 | } |
2729 | ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, | |
2730 | 120, ds_cstr(&match), action); | |
2731 | } else { | |
2732 | ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, | |
2733 | 110, ds_cstr(&match), action); | |
2734 | } | |
2735 | ||
7443e4ec | 2736 | free(ip_address); |
7a15be69 GS |
2737 | ds_destroy(&match); |
2738 | free(action); | |
2739 | } | |
2740 | } | |
fa313a8c GS |
2741 | } |
2742 | ||
bd39395f | 2743 | static void |
9975d7be BP |
2744 | build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, |
2745 | struct hmap *lflows, struct hmap *mcgroups) | |
bd39395f | 2746 | { |
5cff6b99 BP |
2747 | /* This flow table structure is documented in ovn-northd(8), so please |
2748 | * update ovn-northd.8.xml if you change anything. */ | |
2749 | ||
09b39248 JP |
2750 | struct ds match = DS_EMPTY_INITIALIZER; |
2751 | struct ds actions = DS_EMPTY_INITIALIZER; | |
2752 | ||
9975d7be | 2753 | /* Build pre-ACL and ACL tables for both ingress and egress. |
1a03fc7d | 2754 | * Ingress tables 3 through 9. Egress tables 0 through 6. */ |
5868eb24 BP |
2755 | struct ovn_datapath *od; |
2756 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
2757 | if (!od->nbs) { |
2758 | continue; | |
2759 | } | |
2760 | ||
9ab989b7 | 2761 | build_pre_acls(od, lflows); |
7a15be69 | 2762 | build_pre_lb(od, lflows); |
facf8652 | 2763 | build_pre_stateful(od, lflows); |
2d018f9b | 2764 | build_acls(od, lflows); |
1a03fc7d | 2765 | build_qos(od, lflows); |
7a15be69 | 2766 | build_lb(od, lflows); |
fa313a8c | 2767 | build_stateful(od, lflows); |
9975d7be BP |
2768 | } |
2769 | ||
2770 | /* Logical switch ingress table 0: Admission control framework (priority | |
2771 | * 100). */ | |
2772 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
2773 | if (!od->nbs) { | |
2774 | continue; | |
2775 | } | |
2776 | ||
bd39395f | 2777 | /* Logical VLANs not supported. */ |
685f4dfe | 2778 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "vlan.present", |
091e3af9 | 2779 | "drop;"); |
bd39395f BP |
2780 | |
2781 | /* Broadcast/multicast source address is invalid. */ | |
685f4dfe | 2782 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]", |
091e3af9 | 2783 | "drop;"); |
bd39395f | 2784 | |
35060cdc BP |
2785 | /* Port security flows have priority 50 (see below) and will continue |
2786 | * to the next table if packet source is acceptable. */ | |
bd39395f BP |
2787 | } |
2788 | ||
685f4dfe NS |
2789 | /* Logical switch ingress table 0: Ingress port security - L2 |
2790 | * (priority 50). | |
2791 | * Ingress table 1: Ingress port security - IP (priority 90 and 80) | |
2792 | * Ingress table 2: Ingress port security - ND (priority 90 and 80) | |
2793 | */ | |
5868eb24 BP |
2794 | struct ovn_port *op; |
2795 | HMAP_FOR_EACH (op, key_node, ports) { | |
0ee00741 | 2796 | if (!op->nbsp) { |
9975d7be BP |
2797 | continue; |
2798 | } | |
2799 | ||
0ee00741 | 2800 | if (!lsp_is_enabled(op->nbsp)) { |
96af668a BP |
2801 | /* Drop packets from disabled logical ports (since logical flow |
2802 | * tables are default-drop). */ | |
2803 | continue; | |
2804 | } | |
2805 | ||
09b39248 | 2806 | ds_clear(&match); |
a6095f81 | 2807 | ds_clear(&actions); |
9975d7be | 2808 | ds_put_format(&match, "inport == %s", op->json_key); |
e93b43d6 JP |
2809 | build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, |
2810 | &match); | |
a6095f81 BS |
2811 | |
2812 | const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); | |
2813 | if (queue_id) { | |
2814 | ds_put_format(&actions, "set_queue(%s); ", queue_id); | |
2815 | } | |
2816 | ds_put_cstr(&actions, "next;"); | |
685f4dfe | 2817 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, |
a6095f81 | 2818 | ds_cstr(&match), ds_cstr(&actions)); |
685f4dfe | 2819 | |
0ee00741 | 2820 | if (op->nbsp->n_port_security) { |
685f4dfe NS |
2821 | build_port_security_ip(P_IN, op, lflows); |
2822 | build_port_security_nd(op, lflows); | |
2823 | } | |
2824 | } | |
2825 | ||
2826 | /* Ingress table 1 and 2: Port security - IP and ND, by default goto next. | |
2827 | * (priority 0)*/ | |
2828 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
2829 | if (!od->nbs) { | |
2830 | continue; | |
2831 | } | |
2832 | ||
2833 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_ND, 0, "1", "next;"); | |
2834 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_IP, 0, "1", "next;"); | |
5868eb24 | 2835 | } |
445a266a | 2836 | |
1a03fc7d | 2837 | /* Ingress table 10: ARP/ND responder, skip requests coming from localnet |
281977f7 | 2838 | * ports. (priority 100). */ |
fa128126 | 2839 | HMAP_FOR_EACH (op, key_node, ports) { |
0ee00741 | 2840 | if (!op->nbsp) { |
fa128126 HZ |
2841 | continue; |
2842 | } | |
2843 | ||
0ee00741 | 2844 | if (!strcmp(op->nbsp->type, "localnet")) { |
09b39248 JP |
2845 | ds_clear(&match); |
2846 | ds_put_format(&match, "inport == %s", op->json_key); | |
e75451fe | 2847 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, 100, |
09b39248 | 2848 | ds_cstr(&match), "next;"); |
fa128126 HZ |
2849 | } |
2850 | } | |
2851 | ||
1a03fc7d | 2852 | /* Ingress table 10: ARP/ND responder, reply for known IPs. |
fa128126 | 2853 | * (priority 50). */ |
57d143eb | 2854 | HMAP_FOR_EACH (op, key_node, ports) { |
0ee00741 | 2855 | if (!op->nbsp) { |
57d143eb HZ |
2856 | continue; |
2857 | } | |
2858 | ||
4c7bf534 | 2859 | /* |
e75451fe | 2860 | * Add ARP/ND reply flows if either the |
4c7bf534 NS |
2861 | * - port is up or |
2862 | * - port type is router | |
2863 | */ | |
0ee00741 | 2864 | if (!lsp_is_up(op->nbsp) && strcmp(op->nbsp->type, "router")) { |
4c7bf534 NS |
2865 | continue; |
2866 | } | |
2867 | ||
e93b43d6 JP |
2868 | for (size_t i = 0; i < op->n_lsp_addrs; i++) { |
2869 | for (size_t j = 0; j < op->lsp_addrs[i].n_ipv4_addrs; j++) { | |
09b39248 | 2870 | ds_clear(&match); |
e93b43d6 JP |
2871 | ds_put_format(&match, "arp.tpa == %s && arp.op == 1", |
2872 | op->lsp_addrs[i].ipv4_addrs[j].addr_s); | |
09b39248 JP |
2873 | ds_clear(&actions); |
2874 | ds_put_format(&actions, | |
57d143eb | 2875 | "eth.dst = eth.src; " |
e93b43d6 | 2876 | "eth.src = %s; " |
57d143eb HZ |
2877 | "arp.op = 2; /* ARP reply */ " |
2878 | "arp.tha = arp.sha; " | |
e93b43d6 | 2879 | "arp.sha = %s; " |
57d143eb | 2880 | "arp.tpa = arp.spa; " |
e93b43d6 | 2881 | "arp.spa = %s; " |
57d143eb | 2882 | "outport = inport; " |
bf143492 | 2883 | "flags.loopback = 1; " |
57d143eb | 2884 | "output;", |
e93b43d6 JP |
2885 | op->lsp_addrs[i].ea_s, op->lsp_addrs[i].ea_s, |
2886 | op->lsp_addrs[i].ipv4_addrs[j].addr_s); | |
e75451fe | 2887 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, 50, |
09b39248 | 2888 | ds_cstr(&match), ds_cstr(&actions)); |
9fcb6a18 BP |
2889 | |
2890 | /* Do not reply to an ARP request from the port that owns the | |
2891 | * address (otherwise a DHCP client that ARPs to check for a | |
2892 | * duplicate address will fail). Instead, forward it the usual | |
2893 | * way. | |
2894 | * | |
2895 | * (Another alternative would be to simply drop the packet. If | |
2896 | * everything is working as it is configured, then this would | |
2897 | * produce equivalent results, since no one should reply to the | |
2898 | * request. But ARPing for one's own IP address is intended to | |
2899 | * detect situations where the network is not working as | |
2900 | * configured, so dropping the request would frustrate that | |
2901 | * intent.) */ | |
2902 | ds_put_format(&match, " && inport == %s", op->json_key); | |
2903 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, 100, | |
2904 | ds_cstr(&match), "next;"); | |
57d143eb | 2905 | } |
7dc88496 | 2906 | |
6fdb7cd6 JP |
2907 | /* For ND solicitations, we need to listen for both the |
2908 | * unicast IPv6 address and its all-nodes multicast address, | |
2909 | * but always respond with the unicast IPv6 address. */ | |
2910 | for (size_t j = 0; j < op->lsp_addrs[i].n_ipv6_addrs; j++) { | |
09b39248 | 2911 | ds_clear(&match); |
6fdb7cd6 JP |
2912 | ds_put_format(&match, |
2913 | "nd_ns && ip6.dst == {%s, %s} && nd.target == %s", | |
2914 | op->lsp_addrs[i].ipv6_addrs[j].addr_s, | |
2915 | op->lsp_addrs[i].ipv6_addrs[j].sn_addr_s, | |
2916 | op->lsp_addrs[i].ipv6_addrs[j].addr_s); | |
2917 | ||
09b39248 JP |
2918 | ds_clear(&actions); |
2919 | ds_put_format(&actions, | |
6fdb7cd6 JP |
2920 | "nd_na { " |
2921 | "eth.src = %s; " | |
2922 | "ip6.src = %s; " | |
2923 | "nd.target = %s; " | |
2924 | "nd.tll = %s; " | |
2925 | "outport = inport; " | |
bf143492 | 2926 | "flags.loopback = 1; " |
6fdb7cd6 JP |
2927 | "output; " |
2928 | "};", | |
2929 | op->lsp_addrs[i].ea_s, | |
2930 | op->lsp_addrs[i].ipv6_addrs[j].addr_s, | |
2931 | op->lsp_addrs[i].ipv6_addrs[j].addr_s, | |
2932 | op->lsp_addrs[i].ea_s); | |
e75451fe | 2933 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, 50, |
09b39248 | 2934 | ds_cstr(&match), ds_cstr(&actions)); |
9fcb6a18 BP |
2935 | |
2936 | /* Do not reply to a solicitation from the port that owns the | |
2937 | * address (otherwise DAD detection will fail). */ | |
2938 | ds_put_format(&match, " && inport == %s", op->json_key); | |
2939 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, 100, | |
2940 | ds_cstr(&match), "next;"); | |
e75451fe | 2941 | } |
57d143eb HZ |
2942 | } |
2943 | } | |
2944 | ||
1a03fc7d | 2945 | /* Ingress table 10: ARP/ND responder, by default goto next. |
fa128126 HZ |
2946 | * (priority 0)*/ |
2947 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
2948 | if (!od->nbs) { | |
2949 | continue; | |
2950 | } | |
2951 | ||
e75451fe | 2952 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ARP_ND_RSP, 0, "1", "next;"); |
fa128126 HZ |
2953 | } |
2954 | ||
1a03fc7d | 2955 | /* Logical switch ingress table 11 and 12: DHCP options and response |
281977f7 NS |
2956 | * priority 100 flows. */ |
2957 | HMAP_FOR_EACH (op, key_node, ports) { | |
2958 | if (!op->nbsp) { | |
2959 | continue; | |
2960 | } | |
2961 | ||
2962 | if (!lsp_is_enabled(op->nbsp) || !strcmp(op->nbsp->type, "router")) { | |
2963 | /* Don't add the DHCP flows if the port is not enabled or if the | |
2964 | * port is a router port. */ | |
2965 | continue; | |
2966 | } | |
2967 | ||
33ac3c83 NS |
2968 | if (!op->nbsp->dhcpv4_options && !op->nbsp->dhcpv6_options) { |
2969 | /* CMS has disabled both native DHCPv4 and DHCPv6 for this lport. | |
2970 | */ | |
281977f7 NS |
2971 | continue; |
2972 | } | |
2973 | ||
2974 | for (size_t i = 0; i < op->n_lsp_addrs; i++) { | |
2975 | for (size_t j = 0; j < op->lsp_addrs[i].n_ipv4_addrs; j++) { | |
2976 | struct ds options_action = DS_EMPTY_INITIALIZER; | |
2977 | struct ds response_action = DS_EMPTY_INITIALIZER; | |
2978 | if (build_dhcpv4_action( | |
2979 | op, op->lsp_addrs[i].ipv4_addrs[j].addr, | |
2980 | &options_action, &response_action)) { | |
2981 | struct ds match = DS_EMPTY_INITIALIZER; | |
2982 | ds_put_format( | |
2983 | &match, "inport == %s && eth.src == %s && " | |
2984 | "ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && " | |
2985 | "udp.src == 68 && udp.dst == 67", op->json_key, | |
2986 | op->lsp_addrs[i].ea_s); | |
2987 | ||
2988 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_DHCP_OPTIONS, | |
2989 | 100, ds_cstr(&match), | |
2990 | ds_cstr(&options_action)); | |
2991 | /* If REGBIT_DHCP_OPTS_RESULT is set, it means the | |
2992 | * put_dhcp_opts action is successful */ | |
2993 | ds_put_cstr(&match, " && "REGBIT_DHCP_OPTS_RESULT); | |
2994 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_DHCP_RESPONSE, | |
2995 | 100, ds_cstr(&match), | |
2996 | ds_cstr(&response_action)); | |
2997 | ds_destroy(&match); | |
2998 | ds_destroy(&options_action); | |
2999 | ds_destroy(&response_action); | |
3000 | break; | |
3001 | } | |
3002 | } | |
33ac3c83 NS |
3003 | |
3004 | for (size_t j = 0; j < op->lsp_addrs[i].n_ipv6_addrs; j++) { | |
3005 | struct ds options_action = DS_EMPTY_INITIALIZER; | |
3006 | struct ds response_action = DS_EMPTY_INITIALIZER; | |
3007 | if (build_dhcpv6_action( | |
3008 | op, &op->lsp_addrs[i].ipv6_addrs[j].addr, | |
3009 | &options_action, &response_action)) { | |
3010 | struct ds match = DS_EMPTY_INITIALIZER; | |
3011 | ds_put_format( | |
3012 | &match, "inport == %s && eth.src == %s" | |
3013 | " && ip6.dst == ff02::1:2 && udp.src == 546 &&" | |
3014 | " udp.dst == 547", op->json_key, | |
3015 | op->lsp_addrs[i].ea_s); | |
3016 | ||
3017 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_DHCP_OPTIONS, 100, | |
3018 | ds_cstr(&match), ds_cstr(&options_action)); | |
3019 | ||
3020 | /* If REGBIT_DHCP_OPTS_RESULT is set to 1, it means the | |
3021 | * put_dhcpv6_opts action is successful */ | |
3022 | ds_put_cstr(&match, " && "REGBIT_DHCP_OPTS_RESULT); | |
3023 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_DHCP_RESPONSE, 100, | |
3024 | ds_cstr(&match), ds_cstr(&response_action)); | |
3025 | ds_destroy(&match); | |
3026 | ds_destroy(&options_action); | |
3027 | ds_destroy(&response_action); | |
3028 | break; | |
3029 | } | |
3030 | } | |
281977f7 NS |
3031 | } |
3032 | } | |
3033 | ||
1a03fc7d | 3034 | /* Ingress table 11 and 12: DHCP options and response, by default goto next. |
281977f7 NS |
3035 | * (priority 0). */ |
3036 | ||
3037 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
3038 | if (!od->nbs) { | |
3039 | continue; | |
3040 | } | |
3041 | ||
3042 | ovn_lflow_add(lflows, od, S_SWITCH_IN_DHCP_OPTIONS, 0, "1", "next;"); | |
3043 | ovn_lflow_add(lflows, od, S_SWITCH_IN_DHCP_RESPONSE, 0, "1", "next;"); | |
3044 | } | |
3045 | ||
1a03fc7d | 3046 | /* Ingress table 13: Destination lookup, broadcast and multicast handling |
5868eb24 BP |
3047 | * (priority 100). */ |
3048 | HMAP_FOR_EACH (op, key_node, ports) { | |
0ee00741 | 3049 | if (!op->nbsp) { |
9975d7be BP |
3050 | continue; |
3051 | } | |
3052 | ||
0ee00741 | 3053 | if (lsp_is_enabled(op->nbsp)) { |
9975d7be | 3054 | ovn_multicast_add(mcgroups, &mc_flood, op); |
445a266a | 3055 | } |
5868eb24 BP |
3056 | } |
3057 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
3058 | if (!od->nbs) { |
3059 | continue; | |
3060 | } | |
3061 | ||
3062 | ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 100, "eth.mcast", | |
5868eb24 | 3063 | "outport = \""MC_FLOOD"\"; output;"); |
bd39395f | 3064 | } |
bd39395f | 3065 | |
1a03fc7d | 3066 | /* Ingress table 13: Destination lookup, unicast handling (priority 50), */ |
5868eb24 | 3067 | HMAP_FOR_EACH (op, key_node, ports) { |
0ee00741 | 3068 | if (!op->nbsp) { |
9975d7be BP |
3069 | continue; |
3070 | } | |
3071 | ||
0ee00741 | 3072 | for (size_t i = 0; i < op->nbsp->n_addresses; i++) { |
10c3fcdf | 3073 | /* Addresses are owned by the logical port. |
3074 | * Ethernet address followed by zero or more IPv4 | |
3075 | * or IPv6 addresses (or both). */ | |
74ff3298 | 3076 | struct eth_addr mac; |
10c3fcdf | 3077 | if (ovs_scan(op->nbsp->addresses[i], |
3078 | ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) { | |
09b39248 | 3079 | ds_clear(&match); |
9975d7be BP |
3080 | ds_put_format(&match, "eth.dst == "ETH_ADDR_FMT, |
3081 | ETH_ADDR_ARGS(mac)); | |
5868eb24 | 3082 | |
09b39248 | 3083 | ds_clear(&actions); |
9975d7be BP |
3084 | ds_put_format(&actions, "outport = %s; output;", op->json_key); |
3085 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, | |
5868eb24 | 3086 | ds_cstr(&match), ds_cstr(&actions)); |
0ee00741 HK |
3087 | } else if (!strcmp(op->nbsp->addresses[i], "unknown")) { |
3088 | if (lsp_is_enabled(op->nbsp)) { | |
9975d7be | 3089 | ovn_multicast_add(mcgroups, &mc_unknown, op); |
96af668a BP |
3090 | op->od->has_unknown = true; |
3091 | } | |
6374d518 | 3092 | } else if (is_dynamic_lsp_address(op->nbsp->addresses[i])) { |
8639f9be | 3093 | if (!op->nbsp->dynamic_addresses |
10c3fcdf | 3094 | || !ovs_scan(op->nbsp->dynamic_addresses, |
3095 | ETH_ADDR_SCAN_FMT, ETH_ADDR_SCAN_ARGS(mac))) { | |
8639f9be ND |
3096 | continue; |
3097 | } | |
3098 | ds_clear(&match); | |
3099 | ds_put_format(&match, "eth.dst == "ETH_ADDR_FMT, | |
3100 | ETH_ADDR_ARGS(mac)); | |
3101 | ||
3102 | ds_clear(&actions); | |
3103 | ds_put_format(&actions, "outport = %s; output;", op->json_key); | |
3104 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, | |
3105 | ds_cstr(&match), ds_cstr(&actions)); | |
5868eb24 BP |
3106 | } else { |
3107 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
445a266a | 3108 | |
2fa326a3 BP |
3109 | VLOG_INFO_RL(&rl, |
3110 | "%s: invalid syntax '%s' in addresses column", | |
0ee00741 | 3111 | op->nbsp->name, op->nbsp->addresses[i]); |
445a266a BP |
3112 | } |
3113 | } | |
bd39395f BP |
3114 | } |
3115 | ||
1a03fc7d | 3116 | /* Ingress table 13: Destination lookup for unknown MACs (priority 0). */ |
5868eb24 | 3117 | HMAP_FOR_EACH (od, key_node, datapaths) { |
9975d7be BP |
3118 | if (!od->nbs) { |
3119 | continue; | |
3120 | } | |
3121 | ||
5868eb24 | 3122 | if (od->has_unknown) { |
9975d7be | 3123 | ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 0, "1", |
5868eb24 | 3124 | "outport = \""MC_UNKNOWN"\"; output;"); |
445a266a | 3125 | } |
bd39395f BP |
3126 | } |
3127 | ||
94300e09 JP |
3128 | /* Egress tables 6: Egress port security - IP (priority 0) |
3129 | * Egress table 7: Egress port security L2 - multicast/broadcast | |
3130 | * (priority 100). */ | |
5868eb24 | 3131 | HMAP_FOR_EACH (od, key_node, datapaths) { |
9975d7be BP |
3132 | if (!od->nbs) { |
3133 | continue; | |
3134 | } | |
3135 | ||
685f4dfe NS |
3136 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_IP, 0, "1", "next;"); |
3137 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_L2, 100, "eth.mcast", | |
091e3af9 | 3138 | "output;"); |
48f42f3a RB |
3139 | } |
3140 | ||
94300e09 | 3141 | /* Egress table 6: Egress port security - IP (priorities 90 and 80) |
685f4dfe NS |
3142 | * if port security enabled. |
3143 | * | |
94300e09 | 3144 | * Egress table 7: Egress port security - L2 (priorities 50 and 150). |
d770a830 BP |
3145 | * |
3146 | * Priority 50 rules implement port security for enabled logical port. | |
3147 | * | |
3148 | * Priority 150 rules drop packets to disabled logical ports, so that they | |
3149 | * don't even receive multicast or broadcast packets. */ | |
5868eb24 | 3150 | HMAP_FOR_EACH (op, key_node, ports) { |
0ee00741 | 3151 | if (!op->nbsp) { |
9975d7be BP |
3152 | continue; |
3153 | } | |
3154 | ||
09b39248 | 3155 | ds_clear(&match); |
9975d7be | 3156 | ds_put_format(&match, "outport == %s", op->json_key); |
0ee00741 | 3157 | if (lsp_is_enabled(op->nbsp)) { |
e93b43d6 JP |
3158 | build_port_security_l2("eth.dst", op->ps_addrs, op->n_ps_addrs, |
3159 | &match); | |
685f4dfe | 3160 | ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2, 50, |
d770a830 BP |
3161 | ds_cstr(&match), "output;"); |
3162 | } else { | |
685f4dfe | 3163 | ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2, 150, |
d770a830 BP |
3164 | ds_cstr(&match), "drop;"); |
3165 | } | |
eb00399e | 3166 | |
0ee00741 | 3167 | if (op->nbsp->n_port_security) { |
685f4dfe NS |
3168 | build_port_security_ip(P_OUT, op, lflows); |
3169 | } | |
eb00399e | 3170 | } |
09b39248 JP |
3171 | |
3172 | ds_destroy(&match); | |
3173 | ds_destroy(&actions); | |
9975d7be | 3174 | } |
eb00399e | 3175 | |
9975d7be BP |
3176 | static bool |
3177 | lrport_is_enabled(const struct nbrec_logical_router_port *lrport) | |
3178 | { | |
3179 | return !lrport->enabled || *lrport->enabled; | |
3180 | } | |
3181 | ||
4685e523 JP |
3182 | /* Returns a string of the IP address of the router port 'op' that |
3183 | * overlaps with 'ip_s". If one is not found, returns NULL. | |
3184 | * | |
3185 | * The caller must not free the returned string. */ | |
3186 | static const char * | |
3187 | find_lrp_member_ip(const struct ovn_port *op, const char *ip_s) | |
3188 | { | |
6fdb7cd6 | 3189 | bool is_ipv4 = strchr(ip_s, '.') ? true : false; |
4685e523 | 3190 | |
6fdb7cd6 JP |
3191 | if (is_ipv4) { |
3192 | ovs_be32 ip; | |
4685e523 | 3193 | |
6fdb7cd6 JP |
3194 | if (!ip_parse(ip_s, &ip)) { |
3195 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3196 | VLOG_WARN_RL(&rl, "bad ip address %s", ip_s); | |
3197 | return NULL; | |
3198 | } | |
4685e523 | 3199 | |
6fdb7cd6 JP |
3200 | for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) { |
3201 | const struct ipv4_netaddr *na = &op->lrp_networks.ipv4_addrs[i]; | |
3202 | ||
3203 | if (!((na->network ^ ip) & na->mask)) { | |
3204 | /* There should be only 1 interface that matches the | |
3205 | * supplied IP. Otherwise, it's a configuration error, | |
3206 | * because subnets of a router's interfaces should NOT | |
3207 | * overlap. */ | |
3208 | return na->addr_s; | |
3209 | } | |
3210 | } | |
3211 | } else { | |
3212 | struct in6_addr ip6; | |
3213 | ||
3214 | if (!ipv6_parse(ip_s, &ip6)) { | |
3215 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3216 | VLOG_WARN_RL(&rl, "bad ipv6 address %s", ip_s); | |
3217 | return NULL; | |
3218 | } | |
3219 | ||
3220 | for (int i = 0; i < op->lrp_networks.n_ipv6_addrs; i++) { | |
3221 | const struct ipv6_netaddr *na = &op->lrp_networks.ipv6_addrs[i]; | |
3222 | struct in6_addr xor_addr = ipv6_addr_bitxor(&na->network, &ip6); | |
3223 | struct in6_addr and_addr = ipv6_addr_bitand(&xor_addr, &na->mask); | |
3224 | ||
3225 | if (ipv6_is_zero(&and_addr)) { | |
3226 | /* There should be only 1 interface that matches the | |
3227 | * supplied IP. Otherwise, it's a configuration error, | |
3228 | * because subnets of a router's interfaces should NOT | |
3229 | * overlap. */ | |
3230 | return na->addr_s; | |
3231 | } | |
4685e523 JP |
3232 | } |
3233 | } | |
3234 | ||
3235 | return NULL; | |
3236 | } | |
3237 | ||
9975d7be | 3238 | static void |
0bac7164 | 3239 | add_route(struct hmap *lflows, const struct ovn_port *op, |
4685e523 JP |
3240 | const char *lrp_addr_s, const char *network_s, int plen, |
3241 | const char *gateway) | |
9975d7be | 3242 | { |
6fdb7cd6 | 3243 | bool is_ipv4 = strchr(network_s, '.') ? true : false; |
a63f7235 | 3244 | struct ds match = DS_EMPTY_INITIALIZER; |
6fdb7cd6 | 3245 | |
a63f7235 JP |
3246 | /* IPv6 link-local addresses must be scoped to the local router port. */ |
3247 | if (!is_ipv4) { | |
3248 | struct in6_addr network; | |
3249 | ovs_assert(ipv6_parse(network_s, &network)); | |
3250 | if (in6_is_lla(&network)) { | |
3251 | ds_put_format(&match, "inport == %s && ", op->json_key); | |
3252 | } | |
3253 | } | |
3254 | ds_put_format(&match, "ip%s.dst == %s/%d", is_ipv4 ? "4" : "6", | |
3255 | network_s, plen); | |
9975d7be BP |
3256 | |
3257 | struct ds actions = DS_EMPTY_INITIALIZER; | |
6fdb7cd6 JP |
3258 | ds_put_format(&actions, "ip.ttl--; %sreg0 = ", is_ipv4 ? "" : "xx"); |
3259 | ||
9975d7be | 3260 | if (gateway) { |
c9bdf7bd | 3261 | ds_put_cstr(&actions, gateway); |
9975d7be | 3262 | } else { |
6fdb7cd6 | 3263 | ds_put_format(&actions, "ip%s.dst", is_ipv4 ? "4" : "6"); |
9975d7be | 3264 | } |
4685e523 | 3265 | ds_put_format(&actions, "; " |
6fdb7cd6 | 3266 | "%sreg1 = %s; " |
4685e523 | 3267 | "eth.src = %s; " |
0bac7164 | 3268 | "outport = %s; " |
bf143492 | 3269 | "flags.loopback = 1; " |
0bac7164 | 3270 | "next;", |
6fdb7cd6 | 3271 | is_ipv4 ? "" : "xx", |
4685e523 JP |
3272 | lrp_addr_s, |
3273 | op->lrp_networks.ea_s, | |
3274 | op->json_key); | |
9975d7be BP |
3275 | |
3276 | /* The priority here is calculated to implement longest-prefix-match | |
3277 | * routing. */ | |
a63f7235 JP |
3278 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_ROUTING, plen, |
3279 | ds_cstr(&match), ds_cstr(&actions)); | |
3280 | ds_destroy(&match); | |
9975d7be | 3281 | ds_destroy(&actions); |
9975d7be BP |
3282 | } |
3283 | ||
28dc3fe9 SR |
3284 | static void |
3285 | build_static_route_flow(struct hmap *lflows, struct ovn_datapath *od, | |
3286 | struct hmap *ports, | |
3287 | const struct nbrec_logical_router_static_route *route) | |
3288 | { | |
6fdb7cd6 | 3289 | ovs_be32 nexthop; |
4685e523 | 3290 | const char *lrp_addr_s; |
6fdb7cd6 JP |
3291 | unsigned int plen; |
3292 | bool is_ipv4; | |
28dc3fe9 | 3293 | |
6fdb7cd6 JP |
3294 | /* Verify that the next hop is an IP address with an all-ones mask. */ |
3295 | char *error = ip_parse_cidr(route->nexthop, &nexthop, &plen); | |
3296 | if (!error) { | |
3297 | if (plen != 32) { | |
3298 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3299 | VLOG_WARN_RL(&rl, "bad next hop mask %s", route->nexthop); | |
3300 | return; | |
3301 | } | |
3302 | is_ipv4 = true; | |
3303 | } else { | |
28dc3fe9 | 3304 | free(error); |
6fdb7cd6 JP |
3305 | |
3306 | struct in6_addr ip6; | |
3307 | char *error = ipv6_parse_cidr(route->nexthop, &ip6, &plen); | |
3308 | if (!error) { | |
3309 | if (plen != 128) { | |
3310 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3311 | VLOG_WARN_RL(&rl, "bad next hop mask %s", route->nexthop); | |
3312 | return; | |
3313 | } | |
3314 | is_ipv4 = false; | |
3315 | } else { | |
3316 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3317 | VLOG_WARN_RL(&rl, "bad next hop ip address %s", route->nexthop); | |
3318 | free(error); | |
3319 | return; | |
3320 | } | |
28dc3fe9 SR |
3321 | } |
3322 | ||
6fdb7cd6 JP |
3323 | char *prefix_s; |
3324 | if (is_ipv4) { | |
3325 | ovs_be32 prefix; | |
3326 | /* Verify that ip prefix is a valid IPv4 address. */ | |
3327 | error = ip_parse_cidr(route->ip_prefix, &prefix, &plen); | |
3328 | if (error) { | |
3329 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3330 | VLOG_WARN_RL(&rl, "bad 'ip_prefix' in static routes %s", | |
3331 | route->ip_prefix); | |
3332 | free(error); | |
3333 | return; | |
3334 | } | |
3335 | prefix_s = xasprintf(IP_FMT, IP_ARGS(prefix & be32_prefix_mask(plen))); | |
3336 | } else { | |
3337 | /* Verify that ip prefix is a valid IPv6 address. */ | |
3338 | struct in6_addr prefix; | |
3339 | error = ipv6_parse_cidr(route->ip_prefix, &prefix, &plen); | |
3340 | if (error) { | |
3341 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3342 | VLOG_WARN_RL(&rl, "bad 'ip_prefix' in static routes %s", | |
3343 | route->ip_prefix); | |
3344 | free(error); | |
3345 | return; | |
3346 | } | |
3347 | struct in6_addr mask = ipv6_create_mask(plen); | |
3348 | struct in6_addr network = ipv6_addr_bitand(&prefix, &mask); | |
3349 | prefix_s = xmalloc(INET6_ADDRSTRLEN); | |
3350 | inet_ntop(AF_INET6, &network, prefix_s, INET6_ADDRSTRLEN); | |
28dc3fe9 SR |
3351 | } |
3352 | ||
3353 | /* Find the outgoing port. */ | |
3354 | struct ovn_port *out_port = NULL; | |
3355 | if (route->output_port) { | |
3356 | out_port = ovn_port_find(ports, route->output_port); | |
3357 | if (!out_port) { | |
3358 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3359 | VLOG_WARN_RL(&rl, "Bad out port %s for static route %s", | |
3360 | route->output_port, route->ip_prefix); | |
6fdb7cd6 | 3361 | goto free_prefix_s; |
28dc3fe9 | 3362 | } |
4685e523 | 3363 | lrp_addr_s = find_lrp_member_ip(out_port, route->nexthop); |
28dc3fe9 SR |
3364 | } else { |
3365 | /* output_port is not specified, find the | |
3366 | * router port matching the next hop. */ | |
3367 | int i; | |
3368 | for (i = 0; i < od->nbr->n_ports; i++) { | |
3369 | struct nbrec_logical_router_port *lrp = od->nbr->ports[i]; | |
3370 | out_port = ovn_port_find(ports, lrp->name); | |
3371 | if (!out_port) { | |
3372 | /* This should not happen. */ | |
3373 | continue; | |
3374 | } | |
3375 | ||
4685e523 JP |
3376 | lrp_addr_s = find_lrp_member_ip(out_port, route->nexthop); |
3377 | if (lrp_addr_s) { | |
28dc3fe9 SR |
3378 | break; |
3379 | } | |
3380 | } | |
28dc3fe9 SR |
3381 | } |
3382 | ||
4685e523 JP |
3383 | if (!lrp_addr_s) { |
3384 | /* There is no matched out port. */ | |
3385 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3386 | VLOG_WARN_RL(&rl, "No path for static route %s; next hop %s", | |
3387 | route->ip_prefix, route->nexthop); | |
6fdb7cd6 | 3388 | goto free_prefix_s; |
4685e523 JP |
3389 | } |
3390 | ||
6fdb7cd6 JP |
3391 | add_route(lflows, out_port, lrp_addr_s, prefix_s, plen, route->nexthop); |
3392 | ||
3393 | free_prefix_s: | |
c9bdf7bd | 3394 | free(prefix_s); |
28dc3fe9 SR |
3395 | } |
3396 | ||
4685e523 | 3397 | static void |
6fdb7cd6 | 3398 | op_put_v4_networks(struct ds *ds, const struct ovn_port *op, bool add_bcast) |
4685e523 JP |
3399 | { |
3400 | if (!add_bcast && op->lrp_networks.n_ipv4_addrs == 1) { | |
3401 | ds_put_format(ds, "%s", op->lrp_networks.ipv4_addrs[0].addr_s); | |
3402 | return; | |
3403 | } | |
3404 | ||
3405 | ds_put_cstr(ds, "{"); | |
3406 | for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) { | |
3407 | ds_put_format(ds, "%s, ", op->lrp_networks.ipv4_addrs[i].addr_s); | |
3408 | if (add_bcast) { | |
3409 | ds_put_format(ds, "%s, ", op->lrp_networks.ipv4_addrs[i].bcast_s); | |
3410 | } | |
3411 | } | |
3412 | ds_chomp(ds, ' '); | |
3413 | ds_chomp(ds, ','); | |
3414 | ds_put_cstr(ds, "}"); | |
3415 | } | |
3416 | ||
6fdb7cd6 JP |
3417 | static void |
3418 | op_put_v6_networks(struct ds *ds, const struct ovn_port *op) | |
3419 | { | |
3420 | if (op->lrp_networks.n_ipv6_addrs == 1) { | |
3421 | ds_put_format(ds, "%s", op->lrp_networks.ipv6_addrs[0].addr_s); | |
3422 | return; | |
3423 | } | |
3424 | ||
3425 | ds_put_cstr(ds, "{"); | |
3426 | for (int i = 0; i < op->lrp_networks.n_ipv6_addrs; i++) { | |
3427 | ds_put_format(ds, "%s, ", op->lrp_networks.ipv6_addrs[i].addr_s); | |
3428 | } | |
3429 | ds_chomp(ds, ' '); | |
3430 | ds_chomp(ds, ','); | |
3431 | ds_put_cstr(ds, "}"); | |
3432 | } | |
3433 | ||
9975d7be BP |
3434 | static void |
3435 | build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, | |
3436 | struct hmap *lflows) | |
3437 | { | |
3438 | /* This flow table structure is documented in ovn-northd(8), so please | |
3439 | * update ovn-northd.8.xml if you change anything. */ | |
3440 | ||
09b39248 JP |
3441 | struct ds match = DS_EMPTY_INITIALIZER; |
3442 | struct ds actions = DS_EMPTY_INITIALIZER; | |
3443 | ||
9975d7be BP |
3444 | /* Logical router ingress table 0: Admission control framework. */ |
3445 | struct ovn_datapath *od; | |
3446 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
3447 | if (!od->nbr) { | |
3448 | continue; | |
3449 | } | |
3450 | ||
3451 | /* Logical VLANs not supported. | |
3452 | * Broadcast/multicast source address is invalid. */ | |
3453 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ADMISSION, 100, | |
3454 | "vlan.present || eth.src[40]", "drop;"); | |
3455 | } | |
3456 | ||
3457 | /* Logical router ingress table 0: match (priority 50). */ | |
3458 | struct ovn_port *op; | |
3459 | HMAP_FOR_EACH (op, key_node, ports) { | |
0ee00741 | 3460 | if (!op->nbrp) { |
9975d7be BP |
3461 | continue; |
3462 | } | |
3463 | ||
0ee00741 | 3464 | if (!lrport_is_enabled(op->nbrp)) { |
9975d7be BP |
3465 | /* Drop packets from disabled logical ports (since logical flow |
3466 | * tables are default-drop). */ | |
3467 | continue; | |
3468 | } | |
3469 | ||
09b39248 | 3470 | ds_clear(&match); |
4685e523 JP |
3471 | ds_put_format(&match, "(eth.mcast || eth.dst == %s) && inport == %s", |
3472 | op->lrp_networks.ea_s, op->json_key); | |
9975d7be | 3473 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_ADMISSION, 50, |
09b39248 | 3474 | ds_cstr(&match), "next;"); |
9975d7be BP |
3475 | } |
3476 | ||
3477 | /* Logical router ingress table 1: IP Input. */ | |
78aab811 | 3478 | HMAP_FOR_EACH (od, key_node, datapaths) { |
9975d7be BP |
3479 | if (!od->nbr) { |
3480 | continue; | |
3481 | } | |
3482 | ||
3483 | /* L3 admission control: drop multicast and broadcast source, localhost | |
3484 | * source or destination, and zero network source or destination | |
3485 | * (priority 100). */ | |
3486 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 100, | |
3487 | "ip4.mcast || " | |
3488 | "ip4.src == 255.255.255.255 || " | |
3489 | "ip4.src == 127.0.0.0/8 || " | |
3490 | "ip4.dst == 127.0.0.0/8 || " | |
3491 | "ip4.src == 0.0.0.0/8 || " | |
3492 | "ip4.dst == 0.0.0.0/8", | |
3493 | "drop;"); | |
3494 | ||
0bac7164 BP |
3495 | /* ARP reply handling. Use ARP replies to populate the logical |
3496 | * router's ARP table. */ | |
3497 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 90, "arp.op == 2", | |
3498 | "put_arp(inport, arp.spa, arp.sha);"); | |
3499 | ||
9975d7be BP |
3500 | /* Drop Ethernet local broadcast. By definition this traffic should |
3501 | * not be forwarded.*/ | |
3502 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 50, | |
3503 | "eth.bcast", "drop;"); | |
3504 | ||
9975d7be BP |
3505 | /* TTL discard. |
3506 | * | |
3507 | * XXX Need to send ICMP time exceeded if !ip.later_frag. */ | |
09b39248 JP |
3508 | ds_clear(&match); |
3509 | ds_put_cstr(&match, "ip4 && ip.ttl == {0, 1}"); | |
3510 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 30, | |
3511 | ds_cstr(&match), "drop;"); | |
9975d7be | 3512 | |
c34a87b6 JP |
3513 | /* ND advertisement handling. Use advertisements to populate |
3514 | * the logical router's ARP/ND table. */ | |
3515 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 90, "nd_na", | |
3516 | "put_nd(inport, nd.target, nd.tll);"); | |
3517 | ||
3518 | /* Learn from neighbor solicitations that were not directed at | |
3519 | * us. (A priority-90 flow will respond to requests to us and | |
3520 | * learn the sender's mac address.) | |
3521 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 80, "nd_ns", | |
3522 | "put_nd(inport, ip6.src, nd.sll);"); | |
3523 | ||
9975d7be BP |
3524 | /* Pass other traffic not already handled to the next table for |
3525 | * routing. */ | |
3526 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 0, "1", "next;"); | |
78aab811 JP |
3527 | } |
3528 | ||
6fdb7cd6 | 3529 | /* Logical router ingress table 1: IP Input for IPv4. */ |
9975d7be | 3530 | HMAP_FOR_EACH (op, key_node, ports) { |
0ee00741 | 3531 | if (!op->nbrp) { |
9975d7be BP |
3532 | continue; |
3533 | } | |
3534 | ||
9975d7be | 3535 | |
6fdb7cd6 JP |
3536 | if (op->lrp_networks.n_ipv4_addrs) { |
3537 | /* L3 admission control: drop packets that originate from an | |
3538 | * IPv4 address owned by the router or a broadcast address | |
3539 | * known to the router (priority 100). */ | |
3540 | ds_clear(&match); | |
3541 | ds_put_cstr(&match, "ip4.src == "); | |
3542 | op_put_v4_networks(&match, op, true); | |
3543 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 100, | |
3544 | ds_cstr(&match), "drop;"); | |
3545 | ||
3546 | /* ICMP echo reply. These flows reply to ICMP echo requests | |
3547 | * received for the router's IP address. Since packets only | |
3548 | * get here as part of the logical router datapath, the inport | |
3549 | * (i.e. the incoming locally attached net) does not matter. | |
3550 | * The ip.ttl also does not matter (RFC1812 section 4.2.2.9) */ | |
3551 | ds_clear(&match); | |
3552 | ds_put_cstr(&match, "ip4.dst == "); | |
3553 | op_put_v4_networks(&match, op, false); | |
3554 | ds_put_cstr(&match, " && icmp4.type == 8 && icmp4.code == 0"); | |
3555 | ||
3556 | ds_clear(&actions); | |
3557 | ds_put_format(&actions, | |
3558 | "ip4.dst <-> ip4.src; " | |
3559 | "ip.ttl = 255; " | |
3560 | "icmp4.type = 0; " | |
bf143492 | 3561 | "flags.loopback = 1; " |
6fdb7cd6 JP |
3562 | "next; "); |
3563 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
3564 | ds_cstr(&match), ds_cstr(&actions)); | |
3565 | } | |
dd7652e6 | 3566 | |
9975d7be BP |
3567 | /* ARP reply. These flows reply to ARP requests for the router's own |
3568 | * IP address. */ | |
4685e523 JP |
3569 | for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) { |
3570 | ds_clear(&match); | |
3571 | ds_put_format(&match, | |
3572 | "inport == %s && arp.tpa == %s && arp.op == 1", | |
3573 | op->json_key, op->lrp_networks.ipv4_addrs[i].addr_s); | |
3574 | ||
3575 | ds_clear(&actions); | |
3576 | ds_put_format(&actions, | |
3577 | "eth.dst = eth.src; " | |
3578 | "eth.src = %s; " | |
3579 | "arp.op = 2; /* ARP reply */ " | |
3580 | "arp.tha = arp.sha; " | |
3581 | "arp.sha = %s; " | |
3582 | "arp.tpa = arp.spa; " | |
3583 | "arp.spa = %s; " | |
3584 | "outport = %s; " | |
bf143492 | 3585 | "flags.loopback = 1; " |
4685e523 JP |
3586 | "output;", |
3587 | op->lrp_networks.ea_s, | |
3588 | op->lrp_networks.ea_s, | |
3589 | op->lrp_networks.ipv4_addrs[i].addr_s, | |
3590 | op->json_key); | |
3591 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
3592 | ds_cstr(&match), ds_cstr(&actions)); | |
3593 | } | |
9975d7be | 3594 | |
cc4583aa GS |
3595 | /* A set to hold all load-balancer vips that need ARP responses. */ |
3596 | struct sset all_ips = SSET_INITIALIZER(&all_ips); | |
3597 | ||
3598 | for (int i = 0; i < op->od->nbr->n_load_balancer; i++) { | |
3599 | struct nbrec_load_balancer *lb = op->od->nbr->load_balancer[i]; | |
3600 | struct smap *vips = &lb->vips; | |
3601 | struct smap_node *node; | |
3602 | ||
3603 | SMAP_FOR_EACH (node, vips) { | |
3604 | /* node->key contains IP:port or just IP. */ | |
3605 | char *ip_address = NULL; | |
3606 | uint16_t port; | |
3607 | ||
3608 | ip_address_and_port_from_lb_key(node->key, &ip_address, &port); | |
3609 | if (!ip_address) { | |
3610 | continue; | |
3611 | } | |
3612 | ||
3613 | if (!sset_contains(&all_ips, ip_address)) { | |
3614 | sset_add(&all_ips, ip_address); | |
3615 | } | |
3616 | ||
3617 | free(ip_address); | |
3618 | } | |
3619 | } | |
3620 | ||
3621 | const char *ip_address; | |
3622 | SSET_FOR_EACH(ip_address, &all_ips) { | |
3623 | ovs_be32 ip; | |
3624 | if (!ip_parse(ip_address, &ip) || !ip) { | |
3625 | continue; | |
3626 | } | |
3627 | ||
3628 | ds_clear(&match); | |
3629 | ds_put_format(&match, | |
3630 | "inport == %s && arp.tpa == "IP_FMT" && arp.op == 1", | |
3631 | op->json_key, IP_ARGS(ip)); | |
3632 | ||
3633 | ds_clear(&actions); | |
3634 | ds_put_format(&actions, | |
3635 | "eth.dst = eth.src; " | |
3636 | "eth.src = %s; " | |
3637 | "arp.op = 2; /* ARP reply */ " | |
3638 | "arp.tha = arp.sha; " | |
3639 | "arp.sha = %s; " | |
3640 | "arp.tpa = arp.spa; " | |
3641 | "arp.spa = "IP_FMT"; " | |
3642 | "outport = %s; " | |
3643 | "flags.loopback = 1; " | |
3644 | "output;", | |
3645 | op->lrp_networks.ea_s, | |
3646 | op->lrp_networks.ea_s, | |
3647 | IP_ARGS(ip), | |
3648 | op->json_key); | |
3649 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
3650 | ds_cstr(&match), ds_cstr(&actions)); | |
3651 | } | |
3652 | ||
3653 | sset_destroy(&all_ips); | |
3654 | ||
dde5ea7b GS |
3655 | ovs_be32 *snat_ips = xmalloc(sizeof *snat_ips * op->od->nbr->n_nat); |
3656 | size_t n_snat_ips = 0; | |
de297547 GS |
3657 | for (int i = 0; i < op->od->nbr->n_nat; i++) { |
3658 | const struct nbrec_nat *nat; | |
3659 | ||
3660 | nat = op->od->nbr->nat[i]; | |
3661 | ||
de297547 GS |
3662 | ovs_be32 ip; |
3663 | if (!ip_parse(nat->external_ip, &ip) || !ip) { | |
3664 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
dde5ea7b | 3665 | VLOG_WARN_RL(&rl, "bad ip address %s in nat configuration " |
de297547 GS |
3666 | "for router %s", nat->external_ip, op->key); |
3667 | continue; | |
3668 | } | |
3669 | ||
dde5ea7b GS |
3670 | if (!strcmp(nat->type, "snat")) { |
3671 | snat_ips[n_snat_ips++] = ip; | |
3672 | continue; | |
3673 | } | |
3674 | ||
3675 | /* ARP handling for external IP addresses. | |
3676 | * | |
3677 | * DNAT IP addresses are external IP addresses that need ARP | |
3678 | * handling. */ | |
09b39248 JP |
3679 | ds_clear(&match); |
3680 | ds_put_format(&match, | |
3681 | "inport == %s && arp.tpa == "IP_FMT" && arp.op == 1", | |
3682 | op->json_key, IP_ARGS(ip)); | |
4685e523 | 3683 | |
09b39248 JP |
3684 | ds_clear(&actions); |
3685 | ds_put_format(&actions, | |
de297547 | 3686 | "eth.dst = eth.src; " |
4685e523 | 3687 | "eth.src = %s; " |
de297547 GS |
3688 | "arp.op = 2; /* ARP reply */ " |
3689 | "arp.tha = arp.sha; " | |
4685e523 | 3690 | "arp.sha = %s; " |
de297547 GS |
3691 | "arp.tpa = arp.spa; " |
3692 | "arp.spa = "IP_FMT"; " | |
3693 | "outport = %s; " | |
bf143492 | 3694 | "flags.loopback = 1; " |
de297547 | 3695 | "output;", |
4685e523 JP |
3696 | op->lrp_networks.ea_s, |
3697 | op->lrp_networks.ea_s, | |
de297547 GS |
3698 | IP_ARGS(ip), |
3699 | op->json_key); | |
3700 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
09b39248 | 3701 | ds_cstr(&match), ds_cstr(&actions)); |
de297547 GS |
3702 | } |
3703 | ||
4685e523 JP |
3704 | ds_clear(&match); |
3705 | ds_put_cstr(&match, "ip4.dst == {"); | |
3706 | bool has_drop_ips = false; | |
3707 | for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) { | |
49da9ec0 | 3708 | bool snat_ip_is_router_ip = false; |
dde5ea7b GS |
3709 | for (int j = 0; j < n_snat_ips; j++) { |
3710 | /* Packets to SNAT IPs should not be dropped. */ | |
3711 | if (op->lrp_networks.ipv4_addrs[i].addr == snat_ips[j]) { | |
49da9ec0 CSV |
3712 | snat_ip_is_router_ip = true; |
3713 | break; | |
4685e523 | 3714 | } |
4ef48e9d | 3715 | } |
49da9ec0 CSV |
3716 | if (snat_ip_is_router_ip) { |
3717 | continue; | |
3718 | } | |
4685e523 JP |
3719 | ds_put_format(&match, "%s, ", |
3720 | op->lrp_networks.ipv4_addrs[i].addr_s); | |
3721 | has_drop_ips = true; | |
4ef48e9d | 3722 | } |
4685e523 JP |
3723 | ds_chomp(&match, ' '); |
3724 | ds_chomp(&match, ','); | |
3725 | ds_put_cstr(&match, "}"); | |
4ef48e9d | 3726 | |
4685e523 JP |
3727 | if (has_drop_ips) { |
3728 | /* Drop IP traffic to this router. */ | |
09b39248 JP |
3729 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60, |
3730 | ds_cstr(&match), "drop;"); | |
4ef48e9d | 3731 | } |
4685e523 | 3732 | |
dde5ea7b | 3733 | free(snat_ips); |
9975d7be BP |
3734 | } |
3735 | ||
6fdb7cd6 JP |
3736 | /* Logical router ingress table 1: IP Input for IPv6. */ |
3737 | HMAP_FOR_EACH (op, key_node, ports) { | |
3738 | if (!op->nbrp) { | |
3739 | continue; | |
3740 | } | |
3741 | ||
3742 | if (op->lrp_networks.n_ipv6_addrs) { | |
3743 | /* L3 admission control: drop packets that originate from an | |
3744 | * IPv6 address owned by the router (priority 100). */ | |
3745 | ds_clear(&match); | |
3746 | ds_put_cstr(&match, "ip6.src == "); | |
3747 | op_put_v6_networks(&match, op); | |
3748 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 100, | |
3749 | ds_cstr(&match), "drop;"); | |
3750 | ||
3751 | /* ICMPv6 echo reply. These flows reply to echo requests | |
3752 | * received for the router's IP address. */ | |
3753 | ds_clear(&match); | |
3754 | ds_put_cstr(&match, "ip6.dst == "); | |
3755 | op_put_v6_networks(&match, op); | |
3756 | ds_put_cstr(&match, " && icmp6.type == 128 && icmp6.code == 0"); | |
3757 | ||
3758 | ds_clear(&actions); | |
3759 | ds_put_cstr(&actions, | |
3760 | "ip6.dst <-> ip6.src; " | |
3761 | "ip.ttl = 255; " | |
3762 | "icmp6.type = 129; " | |
bf143492 | 3763 | "flags.loopback = 1; " |
6fdb7cd6 JP |
3764 | "next; "); |
3765 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
3766 | ds_cstr(&match), ds_cstr(&actions)); | |
3767 | ||
3768 | /* Drop IPv6 traffic to this router. */ | |
3769 | ds_clear(&match); | |
3770 | ds_put_cstr(&match, "ip6.dst == "); | |
3771 | op_put_v6_networks(&match, op); | |
3772 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60, | |
3773 | ds_cstr(&match), "drop;"); | |
3774 | } | |
3775 | ||
3776 | /* ND reply. These flows reply to ND solicitations for the | |
3777 | * router's own IP address. */ | |
3778 | for (int i = 0; i < op->lrp_networks.n_ipv6_addrs; i++) { | |
3779 | ds_clear(&match); | |
3780 | ds_put_format(&match, | |
3781 | "inport == %s && nd_ns && ip6.dst == {%s, %s} " | |
3782 | "&& nd.target == %s", | |
3783 | op->json_key, | |
3784 | op->lrp_networks.ipv6_addrs[i].addr_s, | |
3785 | op->lrp_networks.ipv6_addrs[i].sn_addr_s, | |
3786 | op->lrp_networks.ipv6_addrs[i].addr_s); | |
3787 | ||
3788 | ds_clear(&actions); | |
3789 | ds_put_format(&actions, | |
c34a87b6 | 3790 | "put_nd(inport, ip6.src, nd.sll); " |
6fdb7cd6 JP |
3791 | "nd_na { " |
3792 | "eth.src = %s; " | |
3793 | "ip6.src = %s; " | |
3794 | "nd.target = %s; " | |
3795 | "nd.tll = %s; " | |
3796 | "outport = inport; " | |
bf143492 | 3797 | "flags.loopback = 1; " |
6fdb7cd6 JP |
3798 | "output; " |
3799 | "};", | |
3800 | op->lrp_networks.ea_s, | |
3801 | op->lrp_networks.ipv6_addrs[i].addr_s, | |
3802 | op->lrp_networks.ipv6_addrs[i].addr_s, | |
3803 | op->lrp_networks.ea_s); | |
3804 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
3805 | ds_cstr(&match), ds_cstr(&actions)); | |
3806 | } | |
3807 | } | |
3808 | ||
cc4583aa | 3809 | /* NAT, Defrag and load balancing in Gateway routers. */ |
de297547 GS |
3810 | HMAP_FOR_EACH (od, key_node, datapaths) { |
3811 | if (!od->nbr) { | |
3812 | continue; | |
3813 | } | |
3814 | ||
3815 | /* Packets are allowed by default. */ | |
cc4583aa | 3816 | ovn_lflow_add(lflows, od, S_ROUTER_IN_DEFRAG, 0, "1", "next;"); |
de297547 GS |
3817 | ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 0, "1", "next;"); |
3818 | ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 0, "1", "next;"); | |
3819 | ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 0, "1", "next;"); | |
3820 | ||
cc4583aa GS |
3821 | /* NAT rules, packet defrag and load balancing are only valid on |
3822 | * Gateway routers. */ | |
de297547 GS |
3823 | if (!smap_get(&od->nbr->options, "chassis")) { |
3824 | continue; | |
3825 | } | |
3826 | ||
cc4583aa GS |
3827 | /* A set to hold all ips that need defragmentation and tracking. */ |
3828 | struct sset all_ips = SSET_INITIALIZER(&all_ips); | |
3829 | ||
3830 | for (int i = 0; i < od->nbr->n_load_balancer; i++) { | |
3831 | struct nbrec_load_balancer *lb = od->nbr->load_balancer[i]; | |
3832 | struct smap *vips = &lb->vips; | |
3833 | struct smap_node *node; | |
3834 | ||
3835 | SMAP_FOR_EACH (node, vips) { | |
3836 | uint16_t port = 0; | |
3837 | ||
3838 | /* node->key contains IP:port or just IP. */ | |
3839 | char *ip_address = NULL; | |
3840 | ip_address_and_port_from_lb_key(node->key, &ip_address, &port); | |
3841 | if (!ip_address) { | |
3842 | continue; | |
3843 | } | |
3844 | ||
3845 | if (!sset_contains(&all_ips, ip_address)) { | |
3846 | sset_add(&all_ips, ip_address); | |
3847 | } | |
3848 | ||
3849 | /* Higher priority rules are added in DNAT table to match on | |
3850 | * ct.new which in-turn have group id as an action for load | |
3851 | * balancing. */ | |
3852 | ds_clear(&actions); | |
3853 | ds_put_format(&actions, "ct_lb(%s);", node->value); | |
3854 | ||
3855 | ds_clear(&match); | |
3856 | ds_put_format(&match, "ct.new && ip && ip4.dst == %s", | |
3857 | ip_address); | |
3858 | free(ip_address); | |
3859 | ||
3860 | if (port) { | |
3861 | if (lb->protocol && !strcmp(lb->protocol, "udp")) { | |
546f1ff3 GS |
3862 | ds_put_format(&match, " && udp && udp.dst == %d", |
3863 | port); | |
cc4583aa | 3864 | } else { |
546f1ff3 GS |
3865 | ds_put_format(&match, " && tcp && tcp.dst == %d", |
3866 | port); | |
cc4583aa GS |
3867 | } |
3868 | ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, | |
3869 | 120, ds_cstr(&match), ds_cstr(&actions)); | |
3870 | } else { | |
3871 | ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, | |
3872 | 110, ds_cstr(&match), ds_cstr(&actions)); | |
3873 | } | |
3874 | } | |
3875 | } | |
3876 | ||
3877 | /* If there are any load balancing rules, we should send the | |
3878 | * packet to conntrack for defragmentation and tracking. This helps | |
3879 | * with two things. | |
3880 | * | |
3881 | * 1. With tracking, we can send only new connections to pick a | |
3882 | * DNAT ip address from a group. | |
3883 | * 2. If there are L4 ports in load balancing rules, we need the | |
3884 | * defragmentation to match on L4 ports. */ | |
3885 | const char *ip_address; | |
3886 | SSET_FOR_EACH(ip_address, &all_ips) { | |
3887 | ds_clear(&match); | |
3888 | ds_put_format(&match, "ip && ip4.dst == %s", ip_address); | |
3889 | ovn_lflow_add(lflows, od, S_ROUTER_IN_DEFRAG, | |
3890 | 100, ds_cstr(&match), "ct_next;"); | |
3891 | } | |
3892 | ||
3893 | sset_destroy(&all_ips); | |
3894 | ||
de297547 GS |
3895 | for (int i = 0; i < od->nbr->n_nat; i++) { |
3896 | const struct nbrec_nat *nat; | |
3897 | ||
3898 | nat = od->nbr->nat[i]; | |
3899 | ||
3900 | ovs_be32 ip, mask; | |
3901 | ||
3902 | char *error = ip_parse_masked(nat->external_ip, &ip, &mask); | |
3903 | if (error || mask != OVS_BE32_MAX) { | |
3904 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
3905 | VLOG_WARN_RL(&rl, "bad external ip %s for nat", | |
3906 | nat->external_ip); | |
3907 | free(error); | |
3908 | continue; | |
3909 | } | |
3910 | ||
3911 | /* Check the validity of nat->logical_ip. 'logical_ip' can | |
3912 | * be a subnet when the type is "snat". */ | |
3913 | error = ip_parse_masked(nat->logical_ip, &ip, &mask); | |
3914 | if (!strcmp(nat->type, "snat")) { | |
3915 | if (error) { | |
3916 | static struct vlog_rate_limit rl = | |
3917 | VLOG_RATE_LIMIT_INIT(5, 1); | |
3918 | VLOG_WARN_RL(&rl, "bad ip network or ip %s for snat " | |
3919 | "in router "UUID_FMT"", | |
3920 | nat->logical_ip, UUID_ARGS(&od->key)); | |
3921 | free(error); | |
3922 | continue; | |
3923 | } | |
3924 | } else { | |
3925 | if (error || mask != OVS_BE32_MAX) { | |
3926 | static struct vlog_rate_limit rl = | |
3927 | VLOG_RATE_LIMIT_INIT(5, 1); | |
3928 | VLOG_WARN_RL(&rl, "bad ip %s for dnat in router " | |
3929 | ""UUID_FMT"", nat->logical_ip, UUID_ARGS(&od->key)); | |
3930 | free(error); | |
3931 | continue; | |
3932 | } | |
3933 | } | |
3934 | ||
de297547 GS |
3935 | /* Ingress UNSNAT table: It is for already established connections' |
3936 | * reverse traffic. i.e., SNAT has already been done in egress | |
3937 | * pipeline and now the packet has entered the ingress pipeline as | |
3938 | * part of a reply. We undo the SNAT here. | |
3939 | * | |
3940 | * Undoing SNAT has to happen before DNAT processing. This is | |
3941 | * because when the packet was DNATed in ingress pipeline, it did | |
3942 | * not know about the possibility of eventual additional SNAT in | |
3943 | * egress pipeline. */ | |
3944 | if (!strcmp(nat->type, "snat") | |
3945 | || !strcmp(nat->type, "dnat_and_snat")) { | |
09b39248 JP |
3946 | ds_clear(&match); |
3947 | ds_put_format(&match, "ip && ip4.dst == %s", nat->external_ip); | |
de297547 | 3948 | ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 100, |
09b39248 | 3949 | ds_cstr(&match), "ct_snat; next;"); |
de297547 GS |
3950 | } |
3951 | ||
3952 | /* Ingress DNAT table: Packets enter the pipeline with destination | |
3953 | * IP address that needs to be DNATted from a external IP address | |
3954 | * to a logical IP address. */ | |
3955 | if (!strcmp(nat->type, "dnat") | |
3956 | || !strcmp(nat->type, "dnat_and_snat")) { | |
3957 | /* Packet when it goes from the initiator to destination. | |
3958 | * We need to zero the inport because the router can | |
3959 | * send the packet back through the same interface. */ | |
09b39248 JP |
3960 | ds_clear(&match); |
3961 | ds_put_format(&match, "ip && ip4.dst == %s", nat->external_ip); | |
3962 | ds_clear(&actions); | |
bf143492 | 3963 | ds_put_format(&actions,"flags.loopback = 1; ct_dnat(%s);", |
09b39248 | 3964 | nat->logical_ip); |
de297547 | 3965 | ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 100, |
09b39248 | 3966 | ds_cstr(&match), ds_cstr(&actions)); |
de297547 GS |
3967 | } |
3968 | ||
3969 | /* Egress SNAT table: Packets enter the egress pipeline with | |
3970 | * source ip address that needs to be SNATted to a external ip | |
3971 | * address. */ | |
3972 | if (!strcmp(nat->type, "snat") | |
3973 | || !strcmp(nat->type, "dnat_and_snat")) { | |
09b39248 JP |
3974 | ds_clear(&match); |
3975 | ds_put_format(&match, "ip && ip4.src == %s", nat->logical_ip); | |
3976 | ds_clear(&actions); | |
3977 | ds_put_format(&actions, "ct_snat(%s);", nat->external_ip); | |
de297547 GS |
3978 | |
3979 | /* The priority here is calculated such that the | |
3980 | * nat->logical_ip with the longest mask gets a higher | |
3981 | * priority. */ | |
3982 | ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, | |
09b39248 JP |
3983 | count_1bits(ntohl(mask)) + 1, |
3984 | ds_cstr(&match), ds_cstr(&actions)); | |
de297547 GS |
3985 | } |
3986 | } | |
3987 | ||
3988 | /* Re-circulate every packet through the DNAT zone. | |
cc4583aa | 3989 | * This helps with three things. |
de297547 GS |
3990 | * |
3991 | * 1. Any packet that needs to be unDNATed in the reverse | |
3992 | * direction gets unDNATed. Ideally this could be done in | |
3993 | * the egress pipeline. But since the gateway router | |
3994 | * does not have any feature that depends on the source | |
3995 | * ip address being external IP address for IP routing, | |
3996 | * we can do it here, saving a future re-circulation. | |
3997 | * | |
cc4583aa GS |
3998 | * 2. Established load-balanced connections automatically get |
3999 | * DNATed. | |
4000 | * | |
4001 | * 3. Any packet that was sent through SNAT zone in the | |
de297547 GS |
4002 | * previous table automatically gets re-circulated to get |
4003 | * back the new destination IP address that is needed for | |
4004 | * routing in the openflow pipeline. */ | |
4005 | ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 50, | |
bf143492 | 4006 | "ip", "flags.loopback = 1; ct_dnat;"); |
de297547 GS |
4007 | } |
4008 | ||
94300e09 | 4009 | /* Logical router ingress table 4: IP Routing. |
9975d7be BP |
4010 | * |
4011 | * A packet that arrives at this table is an IP packet that should be | |
6fdb7cd6 JP |
4012 | * routed to the address in 'ip[46].dst'. This table sets outport to |
4013 | * the correct output port, eth.src to the output port's MAC | |
4014 | * address, and '[xx]reg0' to the next-hop IP address (leaving | |
4015 | * 'ip[46].dst', the packet’s final destination, unchanged), and | |
4016 | * advances to the next table for ARP/ND resolution. */ | |
9975d7be | 4017 | HMAP_FOR_EACH (op, key_node, ports) { |
0ee00741 | 4018 | if (!op->nbrp) { |
9975d7be BP |
4019 | continue; |
4020 | } | |
4021 | ||
4685e523 JP |
4022 | for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) { |
4023 | add_route(lflows, op, op->lrp_networks.ipv4_addrs[i].addr_s, | |
4024 | op->lrp_networks.ipv4_addrs[i].network_s, | |
4025 | op->lrp_networks.ipv4_addrs[i].plen, NULL); | |
4026 | } | |
6fdb7cd6 JP |
4027 | |
4028 | for (int i = 0; i < op->lrp_networks.n_ipv6_addrs; i++) { | |
4029 | add_route(lflows, op, op->lrp_networks.ipv6_addrs[i].addr_s, | |
4030 | op->lrp_networks.ipv6_addrs[i].network_s, | |
4031 | op->lrp_networks.ipv6_addrs[i].plen, NULL); | |
4032 | } | |
9975d7be | 4033 | } |
4685e523 | 4034 | |
6fdb7cd6 | 4035 | /* Convert the static routes to flows. */ |
9975d7be BP |
4036 | HMAP_FOR_EACH (od, key_node, datapaths) { |
4037 | if (!od->nbr) { | |
4038 | continue; | |
4039 | } | |
4040 | ||
28dc3fe9 SR |
4041 | for (int i = 0; i < od->nbr->n_static_routes; i++) { |
4042 | const struct nbrec_logical_router_static_route *route; | |
4043 | ||
4044 | route = od->nbr->static_routes[i]; | |
4045 | build_static_route_flow(lflows, od, ports, route); | |
4046 | } | |
9975d7be | 4047 | } |
6fdb7cd6 | 4048 | |
9975d7be BP |
4049 | /* XXX destination unreachable */ |
4050 | ||
94300e09 | 4051 | /* Local router ingress table 5: ARP Resolution. |
9975d7be BP |
4052 | * |
4053 | * Any packet that reaches this table is an IP packet whose next-hop IP | |
4054 | * address is in reg0. (ip4.dst is the final destination.) This table | |
4055 | * resolves the IP address in reg0 into an output port in outport and an | |
4056 | * Ethernet address in eth.dst. */ | |
4057 | HMAP_FOR_EACH (op, key_node, ports) { | |
0ee00741 | 4058 | if (op->nbrp) { |
6fdb7cd6 JP |
4059 | /* This is a logical router port. If next-hop IP address in |
4060 | * '[xx]reg0' matches IP address of this router port, then | |
4061 | * the packet is intended to eventually be sent to this | |
4062 | * logical port. Set the destination mac address using this | |
4063 | * port's mac address. | |
509afdc3 GS |
4064 | * |
4065 | * The packet is still in peer's logical pipeline. So the match | |
4066 | * should be on peer's outport. */ | |
6fdb7cd6 JP |
4067 | if (op->peer && op->nbrp->peer) { |
4068 | if (op->lrp_networks.n_ipv4_addrs) { | |
4069 | ds_clear(&match); | |
4070 | ds_put_format(&match, "outport == %s && reg0 == ", | |
4071 | op->peer->json_key); | |
4072 | op_put_v4_networks(&match, op, false); | |
4073 | ||
4074 | ds_clear(&actions); | |
4075 | ds_put_format(&actions, "eth.dst = %s; next;", | |
4076 | op->lrp_networks.ea_s); | |
4077 | ovn_lflow_add(lflows, op->peer->od, S_ROUTER_IN_ARP_RESOLVE, | |
4078 | 100, ds_cstr(&match), ds_cstr(&actions)); | |
4079 | } | |
4685e523 | 4080 | |
6fdb7cd6 JP |
4081 | if (op->lrp_networks.n_ipv6_addrs) { |
4082 | ds_clear(&match); | |
4083 | ds_put_format(&match, "outport == %s && xxreg0 == ", | |
4084 | op->peer->json_key); | |
4085 | op_put_v6_networks(&match, op); | |
4086 | ||
4087 | ds_clear(&actions); | |
4088 | ds_put_format(&actions, "eth.dst = %s; next;", | |
4089 | op->lrp_networks.ea_s); | |
4090 | ovn_lflow_add(lflows, op->peer->od, S_ROUTER_IN_ARP_RESOLVE, | |
4091 | 100, ds_cstr(&match), ds_cstr(&actions)); | |
4092 | } | |
509afdc3 | 4093 | } |
0ee00741 | 4094 | } else if (op->od->n_router_ports && strcmp(op->nbsp->type, "router")) { |
75cf9d2b GS |
4095 | /* This is a logical switch port that backs a VM or a container. |
4096 | * Extract its addresses. For each of the address, go through all | |
4097 | * the router ports attached to the switch (to which this port | |
4098 | * connects) and if the address in question is reachable from the | |
6fdb7cd6 | 4099 | * router port, add an ARP/ND entry in that router's pipeline. */ |
75cf9d2b | 4100 | |
e93b43d6 | 4101 | for (size_t i = 0; i < op->n_lsp_addrs; i++) { |
4685e523 | 4102 | const char *ea_s = op->lsp_addrs[i].ea_s; |
e93b43d6 | 4103 | for (size_t j = 0; j < op->lsp_addrs[i].n_ipv4_addrs; j++) { |
4685e523 | 4104 | const char *ip_s = op->lsp_addrs[i].ipv4_addrs[j].addr_s; |
e93b43d6 | 4105 | for (size_t k = 0; k < op->od->n_router_ports; k++) { |
80f408f4 JP |
4106 | /* Get the Logical_Router_Port that the |
4107 | * Logical_Switch_Port is connected to, as | |
4108 | * 'peer'. */ | |
86e98048 | 4109 | const char *peer_name = smap_get( |
0ee00741 | 4110 | &op->od->router_ports[k]->nbsp->options, |
86e98048 BP |
4111 | "router-port"); |
4112 | if (!peer_name) { | |
4113 | continue; | |
4114 | } | |
4115 | ||
e93b43d6 | 4116 | struct ovn_port *peer = ovn_port_find(ports, peer_name); |
0ee00741 | 4117 | if (!peer || !peer->nbrp) { |
86e98048 BP |
4118 | continue; |
4119 | } | |
4120 | ||
4685e523 | 4121 | if (!find_lrp_member_ip(peer, ip_s)) { |
86e98048 BP |
4122 | continue; |
4123 | } | |
4124 | ||
09b39248 | 4125 | ds_clear(&match); |
e93b43d6 | 4126 | ds_put_format(&match, "outport == %s && reg0 == %s", |
4685e523 JP |
4127 | peer->json_key, ip_s); |
4128 | ||
09b39248 | 4129 | ds_clear(&actions); |
4685e523 | 4130 | ds_put_format(&actions, "eth.dst = %s; next;", ea_s); |
86e98048 | 4131 | ovn_lflow_add(lflows, peer->od, |
09b39248 JP |
4132 | S_ROUTER_IN_ARP_RESOLVE, 100, |
4133 | ds_cstr(&match), ds_cstr(&actions)); | |
86e98048 | 4134 | } |
9975d7be | 4135 | } |
6fdb7cd6 JP |
4136 | |
4137 | for (size_t j = 0; j < op->lsp_addrs[i].n_ipv6_addrs; j++) { | |
4138 | const char *ip_s = op->lsp_addrs[i].ipv6_addrs[j].addr_s; | |
4139 | for (size_t k = 0; k < op->od->n_router_ports; k++) { | |
4140 | /* Get the Logical_Router_Port that the | |
4141 | * Logical_Switch_Port is connected to, as | |
4142 | * 'peer'. */ | |
4143 | const char *peer_name = smap_get( | |
4144 | &op->od->router_ports[k]->nbsp->options, | |
4145 | "router-port"); | |
4146 | if (!peer_name) { | |
4147 | continue; | |
4148 | } | |
4149 | ||
4150 | struct ovn_port *peer = ovn_port_find(ports, peer_name); | |
4151 | if (!peer || !peer->nbrp) { | |
4152 | continue; | |
4153 | } | |
4154 | ||
4155 | if (!find_lrp_member_ip(peer, ip_s)) { | |
4156 | continue; | |
4157 | } | |
4158 | ||
4159 | ds_clear(&match); | |
4160 | ds_put_format(&match, "outport == %s && xxreg0 == %s", | |
4161 | peer->json_key, ip_s); | |
4162 | ||
4163 | ds_clear(&actions); | |
4164 | ds_put_format(&actions, "eth.dst = %s; next;", ea_s); | |
4165 | ovn_lflow_add(lflows, peer->od, | |
4166 | S_ROUTER_IN_ARP_RESOLVE, 100, | |
4167 | ds_cstr(&match), ds_cstr(&actions)); | |
4168 | } | |
4169 | } | |
9975d7be | 4170 | } |
0ee00741 | 4171 | } else if (!strcmp(op->nbsp->type, "router")) { |
75cf9d2b GS |
4172 | /* This is a logical switch port that connects to a router. */ |
4173 | ||
4174 | /* The peer of this switch port is the router port for which | |
4175 | * we need to add logical flows such that it can resolve | |
4176 | * ARP entries for all the other router ports connected to | |
4177 | * the switch in question. */ | |
4178 | ||
0ee00741 | 4179 | const char *peer_name = smap_get(&op->nbsp->options, |
75cf9d2b GS |
4180 | "router-port"); |
4181 | if (!peer_name) { | |
4182 | continue; | |
4183 | } | |
4184 | ||
4185 | struct ovn_port *peer = ovn_port_find(ports, peer_name); | |
0ee00741 | 4186 | if (!peer || !peer->nbrp) { |
75cf9d2b GS |
4187 | continue; |
4188 | } | |
4189 | ||
4685e523 | 4190 | for (size_t i = 0; i < op->od->n_router_ports; i++) { |
75cf9d2b | 4191 | const char *router_port_name = smap_get( |
0ee00741 | 4192 | &op->od->router_ports[i]->nbsp->options, |
75cf9d2b GS |
4193 | "router-port"); |
4194 | struct ovn_port *router_port = ovn_port_find(ports, | |
4195 | router_port_name); | |
0ee00741 | 4196 | if (!router_port || !router_port->nbrp) { |
75cf9d2b GS |
4197 | continue; |
4198 | } | |
4199 | ||
4200 | /* Skip the router port under consideration. */ | |
4201 | if (router_port == peer) { | |
4202 | continue; | |
4203 | } | |
4204 | ||
6fdb7cd6 JP |
4205 | if (router_port->lrp_networks.n_ipv4_addrs) { |
4206 | ds_clear(&match); | |
4207 | ds_put_format(&match, "outport == %s && reg0 == ", | |
4208 | peer->json_key); | |
4209 | op_put_v4_networks(&match, router_port, false); | |
4210 | ||
4211 | ds_clear(&actions); | |
4212 | ds_put_format(&actions, "eth.dst = %s; next;", | |
4213 | router_port->lrp_networks.ea_s); | |
4214 | ovn_lflow_add(lflows, peer->od, S_ROUTER_IN_ARP_RESOLVE, | |
4215 | 100, ds_cstr(&match), ds_cstr(&actions)); | |
4216 | } | |
4685e523 | 4217 | |
6fdb7cd6 JP |
4218 | if (router_port->lrp_networks.n_ipv6_addrs) { |
4219 | ds_clear(&match); | |
4220 | ds_put_format(&match, "outport == %s && xxreg0 == ", | |
4221 | peer->json_key); | |
4222 | op_put_v6_networks(&match, router_port); | |
4223 | ||
4224 | ds_clear(&actions); | |
4225 | ds_put_format(&actions, "eth.dst = %s; next;", | |
4226 | router_port->lrp_networks.ea_s); | |
4227 | ovn_lflow_add(lflows, peer->od, S_ROUTER_IN_ARP_RESOLVE, | |
4228 | 100, ds_cstr(&match), ds_cstr(&actions)); | |
4229 | } | |
75cf9d2b | 4230 | } |
9975d7be BP |
4231 | } |
4232 | } | |
75cf9d2b | 4233 | |
0bac7164 BP |
4234 | HMAP_FOR_EACH (od, key_node, datapaths) { |
4235 | if (!od->nbr) { | |
4236 | continue; | |
4237 | } | |
4238 | ||
c34a87b6 JP |
4239 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip4", |
4240 | "get_arp(outport, reg0); next;"); | |
4241 | ||
4242 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "ip6", | |
4243 | "get_nd(outport, xxreg0); next;"); | |
0bac7164 BP |
4244 | } |
4245 | ||
94300e09 | 4246 | /* Local router ingress table 6: ARP request. |
0bac7164 BP |
4247 | * |
4248 | * In the common case where the Ethernet destination has been resolved, | |
94300e09 JP |
4249 | * this table outputs the packet (priority 0). Otherwise, it composes |
4250 | * and sends an ARP request (priority 100). */ | |
0bac7164 BP |
4251 | HMAP_FOR_EACH (od, key_node, datapaths) { |
4252 | if (!od->nbr) { | |
4253 | continue; | |
4254 | } | |
4255 | ||
4256 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_REQUEST, 100, | |
4257 | "eth.dst == 00:00:00:00:00:00", | |
4258 | "arp { " | |
4259 | "eth.dst = ff:ff:ff:ff:ff:ff; " | |
4260 | "arp.spa = reg1; " | |
47021598 | 4261 | "arp.tpa = reg0; " |
0bac7164 BP |
4262 | "arp.op = 1; " /* ARP request */ |
4263 | "output; " | |
4264 | "};"); | |
4265 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_REQUEST, 0, "1", "output;"); | |
4266 | } | |
9975d7be | 4267 | |
de297547 | 4268 | /* Logical router egress table 1: Delivery (priority 100). |
9975d7be BP |
4269 | * |
4270 | * Priority 100 rules deliver packets to enabled logical ports. */ | |
4271 | HMAP_FOR_EACH (op, key_node, ports) { | |
0ee00741 | 4272 | if (!op->nbrp) { |
9975d7be BP |
4273 | continue; |
4274 | } | |
4275 | ||
0ee00741 | 4276 | if (!lrport_is_enabled(op->nbrp)) { |
9975d7be BP |
4277 | /* Drop packets to disabled logical ports (since logical flow |
4278 | * tables are default-drop). */ | |
4279 | continue; | |
4280 | } | |
4281 | ||
09b39248 JP |
4282 | ds_clear(&match); |
4283 | ds_put_format(&match, "outport == %s", op->json_key); | |
9975d7be | 4284 | ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_DELIVERY, 100, |
09b39248 | 4285 | ds_cstr(&match), "output;"); |
9975d7be | 4286 | } |
09b39248 JP |
4287 | |
4288 | ds_destroy(&match); | |
4289 | ds_destroy(&actions); | |
9975d7be BP |
4290 | } |
4291 | ||
/* Updates the Logical_Flow and Multicast_Group tables in the OVN_SB database,
 * constructing their contents based on the OVN_NB database.
 *
 * The sync is incremental against the database: southbound rows that match a
 * locally computed flow or multicast group are kept (and the local copy is
 * dropped), rows with no local counterpart are deleted, and whatever remains
 * in the local sets afterwards is inserted as new rows. */
static void
build_lflows(struct northd_context *ctx, struct hmap *datapaths,
             struct hmap *ports)
{
    struct hmap lflows = HMAP_INITIALIZER(&lflows);
    struct hmap mcgroups = HMAP_INITIALIZER(&mcgroups);

    /* Compute the desired flow/multicast-group contents in memory. */
    build_lswitch_flows(datapaths, ports, &lflows, &mcgroups);
    build_lrouter_flows(datapaths, ports, &lflows);

    /* Push changes to the Logical_Flow table to database. */
    const struct sbrec_logical_flow *sbflow, *next_sbflow;
    SBREC_LOGICAL_FLOW_FOR_EACH_SAFE (sbflow, next_sbflow, ctx->ovnsb_idl) {
        struct ovn_datapath *od
            = ovn_datapath_from_sbrec(datapaths, sbflow->logical_datapath);
        if (!od) {
            /* Row references a datapath that no longer exists. */
            sbrec_logical_flow_delete(sbflow);
            continue;
        }

        enum ovn_datapath_type dp_type = od->nbs ? DP_SWITCH : DP_ROUTER;
        enum ovn_pipeline pipeline
            = !strcmp(sbflow->pipeline, "ingress") ? P_IN : P_OUT;
        struct ovn_lflow *lflow = ovn_lflow_find(
            &lflows, od, ovn_stage_build(dp_type, pipeline, sbflow->table_id),
            sbflow->priority, sbflow->match, sbflow->actions);
        if (lflow) {
            /* Row already matches a desired flow: keep it, and drop the
             * local copy so it is not re-inserted below. */
            ovn_lflow_destroy(&lflows, lflow);
        } else {
            sbrec_logical_flow_delete(sbflow);
        }
    }
    /* Anything still in 'lflows' had no matching row: insert it. */
    struct ovn_lflow *lflow, *next_lflow;
    HMAP_FOR_EACH_SAFE (lflow, next_lflow, hmap_node, &lflows) {
        enum ovn_pipeline pipeline = ovn_stage_get_pipeline(lflow->stage);
        uint8_t table = ovn_stage_get_table(lflow->stage);

        sbflow = sbrec_logical_flow_insert(ctx->ovnsb_txn);
        sbrec_logical_flow_set_logical_datapath(sbflow, lflow->od->sb);
        sbrec_logical_flow_set_pipeline(
            sbflow, pipeline == P_IN ? "ingress" : "egress");
        sbrec_logical_flow_set_table_id(sbflow, table);
        sbrec_logical_flow_set_priority(sbflow, lflow->priority);
        sbrec_logical_flow_set_match(sbflow, lflow->match);
        sbrec_logical_flow_set_actions(sbflow, lflow->actions);

        /* Record the human-readable stage name for debugging. */
        const struct smap ids = SMAP_CONST1(&ids, "stage-name",
                                            ovn_stage_to_str(lflow->stage));
        sbrec_logical_flow_set_external_ids(sbflow, &ids);

        ovn_lflow_destroy(&lflows, lflow);
    }
    hmap_destroy(&lflows);

    /* Push changes to the Multicast_Group table to database.
     * Same keep/delete/insert pattern as the Logical_Flow sync above. */
    const struct sbrec_multicast_group *sbmc, *next_sbmc;
    SBREC_MULTICAST_GROUP_FOR_EACH_SAFE (sbmc, next_sbmc, ctx->ovnsb_idl) {
        struct ovn_datapath *od = ovn_datapath_from_sbrec(datapaths,
                                                          sbmc->datapath);
        if (!od) {
            sbrec_multicast_group_delete(sbmc);
            continue;
        }

        struct multicast_group group = { .name = sbmc->name,
                                         .key = sbmc->tunnel_key };
        struct ovn_multicast *mc = ovn_multicast_find(&mcgroups, od, &group);
        if (mc) {
            /* Row survives; refresh its port set from the local copy. */
            ovn_multicast_update_sbrec(mc, sbmc);
            ovn_multicast_destroy(&mcgroups, mc);
        } else {
            sbrec_multicast_group_delete(sbmc);
        }
    }
    struct ovn_multicast *mc, *next_mc;
    HMAP_FOR_EACH_SAFE (mc, next_mc, hmap_node, &mcgroups) {
        sbmc = sbrec_multicast_group_insert(ctx->ovnsb_txn);
        sbrec_multicast_group_set_datapath(sbmc, mc->datapath->sb);
        sbrec_multicast_group_set_name(sbmc, mc->group->name);
        sbrec_multicast_group_set_tunnel_key(sbmc, mc->group->key);
        ovn_multicast_update_sbrec(mc, sbmc);
        ovn_multicast_destroy(&mcgroups, mc);
    }
    hmap_destroy(&mcgroups);
}
ea382567 RB |
4379 | |
4380 | /* OVN_Northbound and OVN_Southbound have an identical Address_Set table. | |
4381 | * We always update OVN_Southbound to match the current data in | |
4382 | * OVN_Northbound, so that the address sets used in Logical_Flows in | |
4383 | * OVN_Southbound is checked against the proper set.*/ | |
4384 | static void | |
4385 | sync_address_sets(struct northd_context *ctx) | |
4386 | { | |
4387 | struct shash sb_address_sets = SHASH_INITIALIZER(&sb_address_sets); | |
4388 | ||
4389 | const struct sbrec_address_set *sb_address_set; | |
4390 | SBREC_ADDRESS_SET_FOR_EACH (sb_address_set, ctx->ovnsb_idl) { | |
4391 | shash_add(&sb_address_sets, sb_address_set->name, sb_address_set); | |
4392 | } | |
4393 | ||
4394 | const struct nbrec_address_set *nb_address_set; | |
4395 | NBREC_ADDRESS_SET_FOR_EACH (nb_address_set, ctx->ovnnb_idl) { | |
4396 | sb_address_set = shash_find_and_delete(&sb_address_sets, | |
4397 | nb_address_set->name); | |
4398 | if (!sb_address_set) { | |
4399 | sb_address_set = sbrec_address_set_insert(ctx->ovnsb_txn); | |
4400 | sbrec_address_set_set_name(sb_address_set, nb_address_set->name); | |
4401 | } | |
4402 | ||
4403 | sbrec_address_set_set_addresses(sb_address_set, | |
4404 | /* "char **" is not compatible with "const char **" */ | |
4405 | (const char **) nb_address_set->addresses, | |
4406 | nb_address_set->n_addresses); | |
4407 | } | |
4408 | ||
4409 | struct shash_node *node, *next; | |
4410 | SHASH_FOR_EACH_SAFE (node, next, &sb_address_sets) { | |
4411 | sbrec_address_set_delete(node->data); | |
4412 | shash_delete(&sb_address_sets, node); | |
4413 | } | |
4414 | shash_destroy(&sb_address_sets); | |
4415 | } | |
5868eb24 | 4416 | \f |
/* Recomputes the southbound database contents from the northbound database.
 *
 * Requires both an open northbound and southbound transaction; returns
 * without doing anything if either is missing. */
static void
ovnnb_db_run(struct northd_context *ctx, struct ovsdb_idl_loop *sb_loop)
{
    if (!ctx->ovnsb_txn || !ctx->ovnnb_txn) {
        return;
    }
    /* Build in-memory representations of the datapaths and ports from the
     * northbound contents, then derive logical flows from them and push
     * everything to the southbound database. */
    struct hmap datapaths, ports;
    build_datapaths(ctx, &datapaths);
    build_ports(ctx, &datapaths, &ports);
    build_ipam(&datapaths, &ports);
    build_lflows(ctx, &datapaths, &ports);

    sync_address_sets(ctx);

    /* The intermediate structures are per-run; tear them down. */
    struct ovn_datapath *dp, *next_dp;
    HMAP_FOR_EACH_SAFE (dp, next_dp, key_node, &datapaths) {
        ovn_datapath_destroy(&datapaths, dp);
    }
    hmap_destroy(&datapaths);

    struct ovn_port *port, *next_port;
    HMAP_FOR_EACH_SAFE (port, next_port, key_node, &ports) {
        ovn_port_destroy(&ports, port);
    }
    hmap_destroy(&ports);

    /* Copy nb_cfg from northbound to southbound database.
     *
     * Also set up to update sb_cfg once our southbound transaction commits. */
    const struct nbrec_nb_global *nb = nbrec_nb_global_first(ctx->ovnnb_idl);
    if (!nb) {
        /* Create the singleton row if the database does not have one yet. */
        nb = nbrec_nb_global_insert(ctx->ovnnb_txn);
    }
    const struct sbrec_sb_global *sb = sbrec_sb_global_first(ctx->ovnsb_idl);
    if (!sb) {
        sb = sbrec_sb_global_insert(ctx->ovnsb_txn);
    }
    sbrec_sb_global_set_nb_cfg(sb, nb->nb_cfg);
    sb_loop->next_cfg = nb->nb_cfg;

    /* Reset the global MAC allocation map for the next run (presumably
     * populated during build_ipam() — confirm against its definition). */
    cleanup_macam(&macam);
}
4459 | ||
fa183acc BP |
4460 | /* Handle changes to the 'chassis' column of the 'Port_Binding' table. When |
4461 | * this column is not empty, it means we need to set the corresponding logical | |
4462 | * port as 'up' in the northbound DB. */ | |
ac0630a2 | 4463 | static void |
fa183acc | 4464 | update_logical_port_status(struct northd_context *ctx) |
ac0630a2 | 4465 | { |
fc3113bc | 4466 | struct hmap lports_hmap; |
5868eb24 | 4467 | const struct sbrec_port_binding *sb; |
0ee00741 | 4468 | const struct nbrec_logical_switch_port *nbsp; |
fc3113bc RB |
4469 | |
4470 | struct lport_hash_node { | |
4471 | struct hmap_node node; | |
0ee00741 | 4472 | const struct nbrec_logical_switch_port *nbsp; |
4ec3d7c7 | 4473 | } *hash_node; |
f93818dd | 4474 | |
fc3113bc | 4475 | hmap_init(&lports_hmap); |
f93818dd | 4476 | |
0ee00741 | 4477 | NBREC_LOGICAL_SWITCH_PORT_FOR_EACH(nbsp, ctx->ovnnb_idl) { |
fc3113bc | 4478 | hash_node = xzalloc(sizeof *hash_node); |
0ee00741 HK |
4479 | hash_node->nbsp = nbsp; |
4480 | hmap_insert(&lports_hmap, &hash_node->node, hash_string(nbsp->name, 0)); | |
fc3113bc RB |
4481 | } |
4482 | ||
5868eb24 | 4483 | SBREC_PORT_BINDING_FOR_EACH(sb, ctx->ovnsb_idl) { |
0ee00741 | 4484 | nbsp = NULL; |
fc3113bc | 4485 | HMAP_FOR_EACH_WITH_HASH(hash_node, node, |
5868eb24 BP |
4486 | hash_string(sb->logical_port, 0), |
4487 | &lports_hmap) { | |
0ee00741 HK |
4488 | if (!strcmp(sb->logical_port, hash_node->nbsp->name)) { |
4489 | nbsp = hash_node->nbsp; | |
fc3113bc RB |
4490 | break; |
4491 | } | |
f93818dd RB |
4492 | } |
4493 | ||
0ee00741 | 4494 | if (!nbsp) { |
dcda6e0d | 4495 | /* The logical port doesn't exist for this port binding. This can |
2e2762d4 | 4496 | * happen under normal circumstances when ovn-northd hasn't gotten |
dcda6e0d | 4497 | * around to pruning the Port_Binding yet. */ |
f93818dd RB |
4498 | continue; |
4499 | } | |
4500 | ||
0ee00741 | 4501 | if (sb->chassis && (!nbsp->up || !*nbsp->up)) { |
f93818dd | 4502 | bool up = true; |
0ee00741 HK |
4503 | nbrec_logical_switch_port_set_up(nbsp, &up, 1); |
4504 | } else if (!sb->chassis && (!nbsp->up || *nbsp->up)) { | |
f93818dd | 4505 | bool up = false; |
0ee00741 | 4506 | nbrec_logical_switch_port_set_up(nbsp, &up, 1); |
f93818dd RB |
4507 | } |
4508 | } | |
fc3113bc | 4509 | |
4ec3d7c7 | 4510 | HMAP_FOR_EACH_POP(hash_node, node, &lports_hmap) { |
fc3113bc RB |
4511 | free(hash_node); |
4512 | } | |
4513 | hmap_destroy(&lports_hmap); | |
ac0630a2 | 4514 | } |
45f98d4c | 4515 | |
281977f7 NS |
/* DHCPv4 options that ovn-northd knows about.  This table is synced into the
 * southbound DHCP_Options table by
 * check_and_add_supported_dhcp_opts_to_sb_db(). */
static struct dhcp_opts_map supported_dhcp_opts[] = {
    OFFERIP,
    DHCP_OPT_NETMASK,
    DHCP_OPT_ROUTER,
    DHCP_OPT_DNS_SERVER,
    DHCP_OPT_LOG_SERVER,
    DHCP_OPT_LPR_SERVER,
    DHCP_OPT_SWAP_SERVER,
    DHCP_OPT_POLICY_FILTER,
    DHCP_OPT_ROUTER_SOLICITATION,
    DHCP_OPT_NIS_SERVER,
    DHCP_OPT_NTP_SERVER,
    DHCP_OPT_SERVER_ID,
    DHCP_OPT_TFTP_SERVER,
    DHCP_OPT_CLASSLESS_STATIC_ROUTE,
    DHCP_OPT_MS_CLASSLESS_STATIC_ROUTE,
    DHCP_OPT_IP_FORWARD_ENABLE,
    DHCP_OPT_ROUTER_DISCOVERY,
    DHCP_OPT_ETHERNET_ENCAP,
    DHCP_OPT_DEFAULT_TTL,
    DHCP_OPT_TCP_TTL,
    DHCP_OPT_MTU,
    DHCP_OPT_LEASE_TIME,
    DHCP_OPT_T1,
    DHCP_OPT_T2
};
4542 | ||
33ac3c83 NS |
/* DHCPv6 options that ovn-northd knows about.  This table is synced into the
 * southbound DHCPv6_Options table by
 * check_and_add_supported_dhcpv6_opts_to_sb_db(). */
static struct dhcp_opts_map supported_dhcpv6_opts[] = {
    DHCPV6_OPT_IA_ADDR,
    DHCPV6_OPT_SERVER_ID,
    DHCPV6_OPT_DOMAIN_SEARCH,
    DHCPV6_OPT_DNS_SERVER
};
4549 | ||
281977f7 NS |
4550 | static void |
4551 | check_and_add_supported_dhcp_opts_to_sb_db(struct northd_context *ctx) | |
4552 | { | |
4553 | struct hmap dhcp_opts_to_add = HMAP_INITIALIZER(&dhcp_opts_to_add); | |
4554 | for (size_t i = 0; (i < sizeof(supported_dhcp_opts) / | |
4555 | sizeof(supported_dhcp_opts[0])); i++) { | |
4556 | hmap_insert(&dhcp_opts_to_add, &supported_dhcp_opts[i].hmap_node, | |
4557 | dhcp_opt_hash(supported_dhcp_opts[i].name)); | |
4558 | } | |
4559 | ||
4560 | const struct sbrec_dhcp_options *opt_row, *opt_row_next; | |
4561 | SBREC_DHCP_OPTIONS_FOR_EACH_SAFE(opt_row, opt_row_next, ctx->ovnsb_idl) { | |
4562 | struct dhcp_opts_map *dhcp_opt = | |
4563 | dhcp_opts_find(&dhcp_opts_to_add, opt_row->name); | |
4564 | if (dhcp_opt) { | |
4565 | hmap_remove(&dhcp_opts_to_add, &dhcp_opt->hmap_node); | |
4566 | } else { | |
4567 | sbrec_dhcp_options_delete(opt_row); | |
4568 | } | |
4569 | } | |
4570 | ||
4571 | struct dhcp_opts_map *opt; | |
4572 | HMAP_FOR_EACH (opt, hmap_node, &dhcp_opts_to_add) { | |
4573 | struct sbrec_dhcp_options *sbrec_dhcp_option = | |
4574 | sbrec_dhcp_options_insert(ctx->ovnsb_txn); | |
4575 | sbrec_dhcp_options_set_name(sbrec_dhcp_option, opt->name); | |
4576 | sbrec_dhcp_options_set_code(sbrec_dhcp_option, opt->code); | |
4577 | sbrec_dhcp_options_set_type(sbrec_dhcp_option, opt->type); | |
4578 | } | |
4579 | ||
4580 | hmap_destroy(&dhcp_opts_to_add); | |
4581 | } | |
4582 | ||
33ac3c83 NS |
4583 | static void |
4584 | check_and_add_supported_dhcpv6_opts_to_sb_db(struct northd_context *ctx) | |
4585 | { | |
4586 | struct hmap dhcpv6_opts_to_add = HMAP_INITIALIZER(&dhcpv6_opts_to_add); | |
4587 | for (size_t i = 0; (i < sizeof(supported_dhcpv6_opts) / | |
4588 | sizeof(supported_dhcpv6_opts[0])); i++) { | |
4589 | hmap_insert(&dhcpv6_opts_to_add, &supported_dhcpv6_opts[i].hmap_node, | |
4590 | dhcp_opt_hash(supported_dhcpv6_opts[i].name)); | |
4591 | } | |
4592 | ||
4593 | const struct sbrec_dhcpv6_options *opt_row, *opt_row_next; | |
4594 | SBREC_DHCPV6_OPTIONS_FOR_EACH_SAFE(opt_row, opt_row_next, ctx->ovnsb_idl) { | |
4595 | struct dhcp_opts_map *dhcp_opt = | |
4596 | dhcp_opts_find(&dhcpv6_opts_to_add, opt_row->name); | |
4597 | if (dhcp_opt) { | |
4598 | hmap_remove(&dhcpv6_opts_to_add, &dhcp_opt->hmap_node); | |
4599 | } else { | |
4600 | sbrec_dhcpv6_options_delete(opt_row); | |
4601 | } | |
4602 | } | |
4603 | ||
4604 | struct dhcp_opts_map *opt; | |
4605 | HMAP_FOR_EACH(opt, hmap_node, &dhcpv6_opts_to_add) { | |
4606 | struct sbrec_dhcpv6_options *sbrec_dhcpv6_option = | |
4607 | sbrec_dhcpv6_options_insert(ctx->ovnsb_txn); | |
4608 | sbrec_dhcpv6_options_set_name(sbrec_dhcpv6_option, opt->name); | |
4609 | sbrec_dhcpv6_options_set_code(sbrec_dhcpv6_option, opt->code); | |
4610 | sbrec_dhcpv6_options_set_type(sbrec_dhcpv6_option, opt->type); | |
4611 | } | |
4612 | ||
4613 | hmap_destroy(&dhcpv6_opts_to_add); | |
4614 | } | |
4615 | ||
fa183acc BP |
4616 | /* Updates the sb_cfg and hv_cfg columns in the northbound NB_Global table. */ |
4617 | static void | |
4618 | update_northbound_cfg(struct northd_context *ctx, | |
4619 | struct ovsdb_idl_loop *sb_loop) | |
4620 | { | |
4621 | /* Update northbound sb_cfg if appropriate. */ | |
4622 | const struct nbrec_nb_global *nbg = nbrec_nb_global_first(ctx->ovnnb_idl); | |
4623 | int64_t sb_cfg = sb_loop->cur_cfg; | |
4624 | if (nbg && sb_cfg && nbg->sb_cfg != sb_cfg) { | |
4625 | nbrec_nb_global_set_sb_cfg(nbg, sb_cfg); | |
4626 | } | |
4627 | ||
4628 | /* Update northbound hv_cfg if appropriate. */ | |
4629 | if (nbg) { | |
4630 | /* Find minimum nb_cfg among all chassis. */ | |
4631 | const struct sbrec_chassis *chassis; | |
4632 | int64_t hv_cfg = nbg->nb_cfg; | |
4633 | SBREC_CHASSIS_FOR_EACH (chassis, ctx->ovnsb_idl) { | |
4634 | if (chassis->nb_cfg < hv_cfg) { | |
4635 | hv_cfg = chassis->nb_cfg; | |
4636 | } | |
4637 | } | |
4638 | ||
4639 | /* Update hv_cfg. */ | |
4640 | if (nbg->hv_cfg != hv_cfg) { | |
4641 | nbrec_nb_global_set_hv_cfg(nbg, hv_cfg); | |
4642 | } | |
4643 | } | |
4644 | } | |
4645 | ||
4646 | /* Handle a fairly small set of changes in the southbound database. */ | |
4647 | static void | |
4648 | ovnsb_db_run(struct northd_context *ctx, struct ovsdb_idl_loop *sb_loop) | |
4649 | { | |
4650 | if (!ctx->ovnnb_txn || !ovsdb_idl_has_ever_connected(ctx->ovnsb_idl)) { | |
4651 | return; | |
4652 | } | |
4653 | ||
4654 | update_logical_port_status(ctx); | |
4655 | update_northbound_cfg(ctx, sb_loop); | |
4656 | } | |
4657 | \f | |
ac0630a2 RB |
4658 | static void |
4659 | parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) | |
4660 | { | |
4661 | enum { | |
67d9b930 | 4662 | DAEMON_OPTION_ENUMS, |
ac0630a2 RB |
4663 | VLOG_OPTION_ENUMS, |
4664 | }; | |
4665 | static const struct option long_options[] = { | |
ec78987f | 4666 | {"ovnsb-db", required_argument, NULL, 'd'}, |
ac0630a2 RB |
4667 | {"ovnnb-db", required_argument, NULL, 'D'}, |
4668 | {"help", no_argument, NULL, 'h'}, | |
4669 | {"options", no_argument, NULL, 'o'}, | |
4670 | {"version", no_argument, NULL, 'V'}, | |
67d9b930 | 4671 | DAEMON_LONG_OPTIONS, |
ac0630a2 RB |
4672 | VLOG_LONG_OPTIONS, |
4673 | STREAM_SSL_LONG_OPTIONS, | |
4674 | {NULL, 0, NULL, 0}, | |
4675 | }; | |
4676 | char *short_options = ovs_cmdl_long_options_to_short_options(long_options); | |
4677 | ||
4678 | for (;;) { | |
4679 | int c; | |
4680 | ||
4681 | c = getopt_long(argc, argv, short_options, long_options, NULL); | |
4682 | if (c == -1) { | |
4683 | break; | |
4684 | } | |
4685 | ||
4686 | switch (c) { | |
67d9b930 | 4687 | DAEMON_OPTION_HANDLERS; |
ac0630a2 RB |
4688 | VLOG_OPTION_HANDLERS; |
4689 | STREAM_SSL_OPTION_HANDLERS; | |
4690 | ||
4691 | case 'd': | |
ec78987f | 4692 | ovnsb_db = optarg; |
ac0630a2 RB |
4693 | break; |
4694 | ||
4695 | case 'D': | |
4696 | ovnnb_db = optarg; | |
4697 | break; | |
4698 | ||
4699 | case 'h': | |
4700 | usage(); | |
4701 | exit(EXIT_SUCCESS); | |
4702 | ||
4703 | case 'o': | |
4704 | ovs_cmdl_print_options(long_options); | |
4705 | exit(EXIT_SUCCESS); | |
4706 | ||
4707 | case 'V': | |
4708 | ovs_print_version(0, 0); | |
4709 | exit(EXIT_SUCCESS); | |
4710 | ||
4711 | default: | |
4712 | break; | |
4713 | } | |
4714 | } | |
4715 | ||
ec78987f | 4716 | if (!ovnsb_db) { |
60bdd011 | 4717 | ovnsb_db = default_sb_db(); |
ac0630a2 RB |
4718 | } |
4719 | ||
4720 | if (!ovnnb_db) { | |
60bdd011 | 4721 | ovnnb_db = default_nb_db(); |
ac0630a2 RB |
4722 | } |
4723 | ||
4724 | free(short_options); | |
4725 | } | |
4726 | ||
5868eb24 BP |
/* Registers 'column' for replication in 'idl' and suppresses change alerts
 * for it, so this process is not woken up when the column changes (e.g. by
 * its own writes being reflected back). */
static void
add_column_noalert(struct ovsdb_idl *idl,
                   const struct ovsdb_idl_column *column)
{
    ovsdb_idl_add_column(idl, column);
    ovsdb_idl_omit_alert(idl, column);
}
4734 | ||
ac0630a2 RB |
4735 | int |
4736 | main(int argc, char *argv[]) | |
4737 | { | |
ac0630a2 | 4738 | int res = EXIT_SUCCESS; |
7b303ff9 AW |
4739 | struct unixctl_server *unixctl; |
4740 | int retval; | |
4741 | bool exiting; | |
ac0630a2 RB |
4742 | |
4743 | fatal_ignore_sigpipe(); | |
4744 | set_program_name(argv[0]); | |
485f0696 | 4745 | service_start(&argc, &argv); |
ac0630a2 | 4746 | parse_options(argc, argv); |
67d9b930 | 4747 | |
e91b927d | 4748 | daemonize_start(false); |
7b303ff9 AW |
4749 | |
4750 | retval = unixctl_server_create(NULL, &unixctl); | |
4751 | if (retval) { | |
4752 | exit(EXIT_FAILURE); | |
4753 | } | |
4754 | unixctl_command_register("exit", "", 0, 0, ovn_northd_exit, &exiting); | |
4755 | ||
4756 | daemonize_complete(); | |
67d9b930 | 4757 | |
ac0630a2 | 4758 | nbrec_init(); |
ec78987f | 4759 | sbrec_init(); |
ac0630a2 | 4760 | |
fa183acc | 4761 | /* We want to detect (almost) all changes to the ovn-nb db. */ |
331e7aef NS |
4762 | struct ovsdb_idl_loop ovnnb_idl_loop = OVSDB_IDL_LOOP_INITIALIZER( |
4763 | ovsdb_idl_create(ovnnb_db, &nbrec_idl_class, true, true)); | |
fa183acc BP |
4764 | ovsdb_idl_omit_alert(ovnnb_idl_loop.idl, &nbrec_nb_global_col_sb_cfg); |
4765 | ovsdb_idl_omit_alert(ovnnb_idl_loop.idl, &nbrec_nb_global_col_hv_cfg); | |
331e7aef | 4766 | |
fa183acc | 4767 | /* We want to detect only selected changes to the ovn-sb db. */ |
331e7aef NS |
4768 | struct ovsdb_idl_loop ovnsb_idl_loop = OVSDB_IDL_LOOP_INITIALIZER( |
4769 | ovsdb_idl_create(ovnsb_db, &sbrec_idl_class, false, true)); | |
4770 | ||
fa183acc BP |
4771 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_sb_global); |
4772 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_sb_global_col_nb_cfg); | |
4773 | ||
331e7aef NS |
4774 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_logical_flow); |
4775 | add_column_noalert(ovnsb_idl_loop.idl, | |
4776 | &sbrec_logical_flow_col_logical_datapath); | |
4777 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_pipeline); | |
4778 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_table_id); | |
4779 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_priority); | |
4780 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_match); | |
4781 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_actions); | |
4782 | ||
4783 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_multicast_group); | |
4784 | add_column_noalert(ovnsb_idl_loop.idl, | |
4785 | &sbrec_multicast_group_col_datapath); | |
4786 | add_column_noalert(ovnsb_idl_loop.idl, | |
4787 | &sbrec_multicast_group_col_tunnel_key); | |
4788 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_multicast_group_col_name); | |
4789 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_multicast_group_col_ports); | |
4790 | ||
4791 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_datapath_binding); | |
4792 | add_column_noalert(ovnsb_idl_loop.idl, | |
4793 | &sbrec_datapath_binding_col_tunnel_key); | |
4794 | add_column_noalert(ovnsb_idl_loop.idl, | |
4795 | &sbrec_datapath_binding_col_external_ids); | |
4796 | ||
4797 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_port_binding); | |
4798 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_datapath); | |
4799 | add_column_noalert(ovnsb_idl_loop.idl, | |
4800 | &sbrec_port_binding_col_logical_port); | |
4801 | add_column_noalert(ovnsb_idl_loop.idl, | |
4802 | &sbrec_port_binding_col_tunnel_key); | |
4803 | add_column_noalert(ovnsb_idl_loop.idl, | |
4804 | &sbrec_port_binding_col_parent_port); | |
4805 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_tag); | |
4806 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_type); | |
4807 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_options); | |
4808 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_mac); | |
4809 | ovsdb_idl_add_column(ovnsb_idl_loop.idl, &sbrec_port_binding_col_chassis); | |
6e31816f CSV |
4810 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_mac_binding); |
4811 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_mac_binding_col_datapath); | |
4812 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_mac_binding_col_ip); | |
4813 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_mac_binding_col_mac); | |
4814 | add_column_noalert(ovnsb_idl_loop.idl, | |
4815 | &sbrec_mac_binding_col_logical_port); | |
281977f7 NS |
4816 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_dhcp_options); |
4817 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_dhcp_options_col_code); | |
4818 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_dhcp_options_col_type); | |
4819 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_dhcp_options_col_name); | |
33ac3c83 NS |
4820 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_dhcpv6_options); |
4821 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_dhcpv6_options_col_code); | |
4822 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_dhcpv6_options_col_type); | |
4823 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_dhcpv6_options_col_name); | |
ea382567 RB |
4824 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_address_set); |
4825 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_address_set_col_name); | |
4826 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_address_set_col_addresses); | |
4827 | ||
fa183acc BP |
4828 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_chassis); |
4829 | ovsdb_idl_add_column(ovnsb_idl_loop.idl, &sbrec_chassis_col_nb_cfg); | |
4830 | ||
331e7aef | 4831 | /* Main loop. */ |
7b303ff9 AW |
4832 | exiting = false; |
4833 | while (!exiting) { | |
331e7aef NS |
4834 | struct northd_context ctx = { |
4835 | .ovnnb_idl = ovnnb_idl_loop.idl, | |
4836 | .ovnnb_txn = ovsdb_idl_loop_run(&ovnnb_idl_loop), | |
4837 | .ovnsb_idl = ovnsb_idl_loop.idl, | |
4838 | .ovnsb_txn = ovsdb_idl_loop_run(&ovnsb_idl_loop), | |
4839 | }; | |
ac0630a2 | 4840 | |
fa183acc BP |
4841 | ovnnb_db_run(&ctx, &ovnsb_idl_loop); |
4842 | ovnsb_db_run(&ctx, &ovnsb_idl_loop); | |
281977f7 NS |
4843 | if (ctx.ovnsb_txn) { |
4844 | check_and_add_supported_dhcp_opts_to_sb_db(&ctx); | |
33ac3c83 | 4845 | check_and_add_supported_dhcpv6_opts_to_sb_db(&ctx); |
281977f7 | 4846 | } |
f93818dd | 4847 | |
331e7aef NS |
4848 | unixctl_server_run(unixctl); |
4849 | unixctl_server_wait(unixctl); | |
4850 | if (exiting) { | |
4851 | poll_immediate_wake(); | |
ac0630a2 | 4852 | } |
331e7aef NS |
4853 | ovsdb_idl_loop_commit_and_wait(&ovnnb_idl_loop); |
4854 | ovsdb_idl_loop_commit_and_wait(&ovnsb_idl_loop); | |
ac0630a2 | 4855 | |
331e7aef | 4856 | poll_block(); |
485f0696 GS |
4857 | if (should_service_stop()) { |
4858 | exiting = true; | |
4859 | } | |
ac0630a2 RB |
4860 | } |
4861 | ||
7b303ff9 | 4862 | unixctl_server_destroy(unixctl); |
331e7aef NS |
4863 | ovsdb_idl_loop_destroy(&ovnnb_idl_loop); |
4864 | ovsdb_idl_loop_destroy(&ovnsb_idl_loop); | |
485f0696 | 4865 | service_stop(); |
ac0630a2 RB |
4866 | |
4867 | exit(res); | |
4868 | } | |
7b303ff9 AW |
4869 | |
4870 | static void | |
4871 | ovn_northd_exit(struct unixctl_conn *conn, int argc OVS_UNUSED, | |
4872 | const char *argv[] OVS_UNUSED, void *exiting_) | |
4873 | { | |
4874 | bool *exiting = exiting_; | |
4875 | *exiting = true; | |
4876 | ||
4877 | unixctl_command_reply(conn, NULL); | |
4878 | } |