]>
Commit | Line | Data |
---|---|---|
ac0630a2 RB |
1 | /* |
2 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
3 | * you may not use this file except in compliance with the License. | |
4 | * You may obtain a copy of the License at: | |
5 | * | |
6 | * http://www.apache.org/licenses/LICENSE-2.0 | |
7 | * | |
8 | * Unless required by applicable law or agreed to in writing, software | |
9 | * distributed under the License is distributed on an "AS IS" BASIS, | |
10 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
11 | * See the License for the specific language governing permissions and | |
12 | * limitations under the License. | |
13 | */ | |
14 | ||
15 | #include <config.h> | |
16 | ||
17 | #include <getopt.h> | |
18 | #include <stdlib.h> | |
19 | #include <stdio.h> | |
20 | ||
21 | #include "command-line.h" | |
67d9b930 | 22 | #include "daemon.h" |
ac0630a2 | 23 | #include "dirs.h" |
3e8a2ad1 | 24 | #include "openvswitch/dynamic-string.h" |
ac0630a2 | 25 | #include "fatal-signal.h" |
4edcdcf4 RB |
26 | #include "hash.h" |
27 | #include "hmap.h" | |
bd39395f BP |
28 | #include "json.h" |
29 | #include "ovn/lib/lex.h" | |
e3df8838 BP |
30 | #include "ovn/lib/ovn-nb-idl.h" |
31 | #include "ovn/lib/ovn-sb-idl.h" | |
218351dd | 32 | #include "ovn/lib/ovn-util.h" |
064d7f84 | 33 | #include "packets.h" |
ac0630a2 | 34 | #include "poll-loop.h" |
5868eb24 | 35 | #include "smap.h" |
ac0630a2 RB |
36 | #include "stream.h" |
37 | #include "stream-ssl.h" | |
7b303ff9 | 38 | #include "unixctl.h" |
ac0630a2 | 39 | #include "util.h" |
4edcdcf4 | 40 | #include "uuid.h" |
ac0630a2 RB |
41 | #include "openvswitch/vlog.h" |
42 | ||
2e2762d4 | 43 | VLOG_DEFINE_THIS_MODULE(ovn_northd); |
ac0630a2 | 44 | |
7b303ff9 AW |
45 | static unixctl_cb_func ovn_northd_exit; |
46 | ||
2e2762d4 | 47 | struct northd_context { |
f93818dd | 48 | struct ovsdb_idl *ovnnb_idl; |
ec78987f | 49 | struct ovsdb_idl *ovnsb_idl; |
f93818dd | 50 | struct ovsdb_idl_txn *ovnnb_txn; |
3c78b3ca | 51 | struct ovsdb_idl_txn *ovnsb_txn; |
f93818dd RB |
52 | }; |
53 | ||
ac0630a2 | 54 | static const char *ovnnb_db; |
ec78987f | 55 | static const char *ovnsb_db; |
ac0630a2 | 56 | |
60bdd011 RM |
57 | static const char *default_nb_db(void); |
58 | static const char *default_sb_db(void); | |
880fcd14 BP |
59 | \f |
60 | /* Pipeline stages. */ | |
ac0630a2 | 61 | |
880fcd14 BP |
62 | /* The two pipelines in an OVN logical flow table. */ |
63 | enum ovn_pipeline { | |
64 | P_IN, /* Ingress pipeline. */ | |
65 | P_OUT /* Egress pipeline. */ | |
66 | }; | |
091e3af9 | 67 | |
880fcd14 BP |
68 | /* The two purposes for which ovn-northd uses OVN logical datapaths. */ |
69 | enum ovn_datapath_type { | |
70 | DP_SWITCH, /* OVN logical switch. */ | |
71 | DP_ROUTER /* OVN logical router. */ | |
091e3af9 JP |
72 | }; |
73 | ||
880fcd14 BP |
74 | /* Returns an "enum ovn_stage" built from the arguments. |
75 | * | |
76 | * (It's better to use ovn_stage_build() for type-safety reasons, but inline | |
77 | * functions can't be used in enums or switch cases.) */ | |
78 | #define OVN_STAGE_BUILD(DP_TYPE, PIPELINE, TABLE) \ | |
79 | (((DP_TYPE) << 9) | ((PIPELINE) << 8) | (TABLE)) | |
80 | ||
81 | /* A stage within an OVN logical switch or router. | |
091e3af9 | 82 | * |
880fcd14 BP |
83 | * An "enum ovn_stage" indicates whether the stage is part of a logical switch |
84 | * or router, whether the stage is part of the ingress or egress pipeline, and | |
85 | * the table within that pipeline. The first three components are combined to | |
685f4dfe | 86 | * form the stage's full name, e.g. S_SWITCH_IN_PORT_SEC_L2, |
880fcd14 BP |
87 | * S_ROUTER_OUT_DELIVERY. */ |
88 | enum ovn_stage { | |
e0c9e58b JP |
89 | #define PIPELINE_STAGES \ |
90 | /* Logical switch ingress stages. */ \ | |
685f4dfe NS |
91 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_L2, 0, "ls_in_port_sec_l2") \ |
92 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_IP, 1, "ls_in_port_sec_ip") \ | |
93 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_ND, 2, "ls_in_port_sec_nd") \ | |
94 | PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 3, "ls_in_pre_acl") \ | |
95 | PIPELINE_STAGE(SWITCH, IN, ACL, 4, "ls_in_acl") \ | |
96 | PIPELINE_STAGE(SWITCH, IN, ARP_RSP, 5, "ls_in_arp_rsp") \ | |
97 | PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 6, "ls_in_l2_lkup") \ | |
e0c9e58b JP |
98 | \ |
99 | /* Logical switch egress stages. */ \ | |
100 | PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \ | |
101 | PIPELINE_STAGE(SWITCH, OUT, ACL, 1, "ls_out_acl") \ | |
685f4dfe NS |
102 | PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 2, "ls_out_port_sec_ip") \ |
103 | PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 3, "ls_out_port_sec_l2") \ | |
e0c9e58b JP |
104 | \ |
105 | /* Logical router ingress stages. */ \ | |
106 | PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ | |
107 | PIPELINE_STAGE(ROUTER, IN, IP_INPUT, 1, "lr_in_ip_input") \ | |
108 | PIPELINE_STAGE(ROUTER, IN, IP_ROUTING, 2, "lr_in_ip_routing") \ | |
0bac7164 BP |
109 | PIPELINE_STAGE(ROUTER, IN, ARP_RESOLVE, 3, "lr_in_arp_resolve") \ |
110 | PIPELINE_STAGE(ROUTER, IN, ARP_REQUEST, 4, "lr_in_arp_request") \ | |
e0c9e58b JP |
111 | \ |
112 | /* Logical router egress stages. */ \ | |
113 | PIPELINE_STAGE(ROUTER, OUT, DELIVERY, 0, "lr_out_delivery") | |
880fcd14 BP |
114 | |
115 | #define PIPELINE_STAGE(DP_TYPE, PIPELINE, STAGE, TABLE, NAME) \ | |
116 | S_##DP_TYPE##_##PIPELINE##_##STAGE \ | |
117 | = OVN_STAGE_BUILD(DP_##DP_TYPE, P_##PIPELINE, TABLE), | |
118 | PIPELINE_STAGES | |
119 | #undef PIPELINE_STAGE | |
091e3af9 JP |
120 | }; |
121 | ||
6bb4a18e JP |
122 | /* Due to various hard-coded priorities need to implement ACLs, the |
123 | * northbound database supports a smaller range of ACL priorities than | |
124 | * are available to logical flows. This value is added to an ACL | |
125 | * priority to determine the ACL's logical flow priority. */ | |
126 | #define OVN_ACL_PRI_OFFSET 1000 | |
127 | ||
880fcd14 BP |
128 | /* Returns an "enum ovn_stage" built from the arguments. */ |
129 | static enum ovn_stage | |
130 | ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline pipeline, | |
131 | uint8_t table) | |
132 | { | |
133 | return OVN_STAGE_BUILD(dp_type, pipeline, table); | |
134 | } | |
135 | ||
136 | /* Returns the pipeline to which 'stage' belongs. */ | |
137 | static enum ovn_pipeline | |
138 | ovn_stage_get_pipeline(enum ovn_stage stage) | |
139 | { | |
140 | return (stage >> 8) & 1; | |
141 | } | |
142 | ||
143 | /* Returns the table to which 'stage' belongs. */ | |
144 | static uint8_t | |
145 | ovn_stage_get_table(enum ovn_stage stage) | |
146 | { | |
147 | return stage & 0xff; | |
148 | } | |
149 | ||
150 | /* Returns a string name for 'stage'. */ | |
151 | static const char * | |
152 | ovn_stage_to_str(enum ovn_stage stage) | |
153 | { | |
154 | switch (stage) { | |
155 | #define PIPELINE_STAGE(DP_TYPE, PIPELINE, STAGE, TABLE, NAME) \ | |
156 | case S_##DP_TYPE##_##PIPELINE##_##STAGE: return NAME; | |
157 | PIPELINE_STAGES | |
158 | #undef PIPELINE_STAGE | |
159 | default: return "<unknown>"; | |
160 | } | |
161 | } | |
162 | \f | |
ac0630a2 RB |
163 | static void |
164 | usage(void) | |
165 | { | |
166 | printf("\ | |
167 | %s: OVN northbound management daemon\n\ | |
168 | usage: %s [OPTIONS]\n\ | |
169 | \n\ | |
170 | Options:\n\ | |
171 | --ovnnb-db=DATABASE connect to ovn-nb database at DATABASE\n\ | |
172 | (default: %s)\n\ | |
ec78987f | 173 | --ovnsb-db=DATABASE connect to ovn-sb database at DATABASE\n\ |
ac0630a2 RB |
174 | (default: %s)\n\ |
175 | -h, --help display this help message\n\ | |
176 | -o, --options list available options\n\ | |
177 | -V, --version display version information\n\ | |
60bdd011 | 178 | ", program_name, program_name, default_nb_db(), default_sb_db()); |
67d9b930 | 179 | daemon_usage(); |
ac0630a2 RB |
180 | vlog_usage(); |
181 | stream_usage("database", true, true, false); | |
182 | } | |
183 | \f | |
5868eb24 BP |
184 | struct tnlid_node { |
185 | struct hmap_node hmap_node; | |
186 | uint32_t tnlid; | |
187 | }; | |
188 | ||
189 | static void | |
190 | destroy_tnlids(struct hmap *tnlids) | |
4edcdcf4 | 191 | { |
4ec3d7c7 DDP |
192 | struct tnlid_node *node; |
193 | HMAP_FOR_EACH_POP (node, hmap_node, tnlids) { | |
5868eb24 BP |
194 | free(node); |
195 | } | |
196 | hmap_destroy(tnlids); | |
197 | } | |
198 | ||
199 | static void | |
200 | add_tnlid(struct hmap *set, uint32_t tnlid) | |
201 | { | |
202 | struct tnlid_node *node = xmalloc(sizeof *node); | |
203 | hmap_insert(set, &node->hmap_node, hash_int(tnlid, 0)); | |
204 | node->tnlid = tnlid; | |
4edcdcf4 RB |
205 | } |
206 | ||
4edcdcf4 | 207 | static bool |
5868eb24 | 208 | tnlid_in_use(const struct hmap *set, uint32_t tnlid) |
4edcdcf4 | 209 | { |
5868eb24 BP |
210 | const struct tnlid_node *node; |
211 | HMAP_FOR_EACH_IN_BUCKET (node, hmap_node, hash_int(tnlid, 0), set) { | |
212 | if (node->tnlid == tnlid) { | |
213 | return true; | |
214 | } | |
215 | } | |
216 | return false; | |
217 | } | |
4edcdcf4 | 218 | |
5868eb24 BP |
219 | static uint32_t |
220 | allocate_tnlid(struct hmap *set, const char *name, uint32_t max, | |
221 | uint32_t *hint) | |
222 | { | |
223 | for (uint32_t tnlid = *hint + 1; tnlid != *hint; | |
224 | tnlid = tnlid + 1 <= max ? tnlid + 1 : 1) { | |
225 | if (!tnlid_in_use(set, tnlid)) { | |
226 | add_tnlid(set, tnlid); | |
227 | *hint = tnlid; | |
228 | return tnlid; | |
229 | } | |
4edcdcf4 RB |
230 | } |
231 | ||
5868eb24 BP |
232 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); |
233 | VLOG_WARN_RL(&rl, "all %s tunnel ids exhausted", name); | |
234 | return 0; | |
235 | } | |
236 | \f | |
9975d7be BP |
237 | /* The 'key' comes from nbs->header_.uuid or nbr->header_.uuid or |
238 | * sb->external_ids:logical-switch. */ | |
5868eb24 BP |
239 | struct ovn_datapath { |
240 | struct hmap_node key_node; /* Index on 'key'. */ | |
9975d7be | 241 | struct uuid key; /* (nbs/nbr)->header_.uuid. */ |
4edcdcf4 | 242 | |
9975d7be BP |
243 | const struct nbrec_logical_switch *nbs; /* May be NULL. */ |
244 | const struct nbrec_logical_router *nbr; /* May be NULL. */ | |
5868eb24 | 245 | const struct sbrec_datapath_binding *sb; /* May be NULL. */ |
4edcdcf4 | 246 | |
5868eb24 | 247 | struct ovs_list list; /* In list of similar records. */ |
4edcdcf4 | 248 | |
9975d7be | 249 | /* Logical router data (digested from nbr). */ |
0bac7164 | 250 | const struct ovn_port *gateway_port; |
9975d7be BP |
251 | ovs_be32 gateway; |
252 | ||
253 | /* Logical switch data. */ | |
86e98048 BP |
254 | struct ovn_port **router_ports; |
255 | size_t n_router_ports; | |
9975d7be | 256 | |
5868eb24 BP |
257 | struct hmap port_tnlids; |
258 | uint32_t port_key_hint; | |
259 | ||
260 | bool has_unknown; | |
261 | }; | |
262 | ||
263 | static struct ovn_datapath * | |
264 | ovn_datapath_create(struct hmap *datapaths, const struct uuid *key, | |
9975d7be BP |
265 | const struct nbrec_logical_switch *nbs, |
266 | const struct nbrec_logical_router *nbr, | |
5868eb24 BP |
267 | const struct sbrec_datapath_binding *sb) |
268 | { | |
269 | struct ovn_datapath *od = xzalloc(sizeof *od); | |
270 | od->key = *key; | |
271 | od->sb = sb; | |
9975d7be BP |
272 | od->nbs = nbs; |
273 | od->nbr = nbr; | |
5868eb24 BP |
274 | hmap_init(&od->port_tnlids); |
275 | od->port_key_hint = 0; | |
276 | hmap_insert(datapaths, &od->key_node, uuid_hash(&od->key)); | |
277 | return od; | |
278 | } | |
279 | ||
280 | static void | |
281 | ovn_datapath_destroy(struct hmap *datapaths, struct ovn_datapath *od) | |
282 | { | |
283 | if (od) { | |
284 | /* Don't remove od->list. It is used within build_datapaths() as a | |
285 | * private list and once we've exited that function it is not safe to | |
286 | * use it. */ | |
287 | hmap_remove(datapaths, &od->key_node); | |
288 | destroy_tnlids(&od->port_tnlids); | |
86e98048 | 289 | free(od->router_ports); |
5868eb24 BP |
290 | free(od); |
291 | } | |
292 | } | |
293 | ||
294 | static struct ovn_datapath * | |
295 | ovn_datapath_find(struct hmap *datapaths, const struct uuid *uuid) | |
296 | { | |
297 | struct ovn_datapath *od; | |
298 | ||
299 | HMAP_FOR_EACH_WITH_HASH (od, key_node, uuid_hash(uuid), datapaths) { | |
300 | if (uuid_equals(uuid, &od->key)) { | |
301 | return od; | |
302 | } | |
303 | } | |
304 | return NULL; | |
305 | } | |
306 | ||
307 | static struct ovn_datapath * | |
308 | ovn_datapath_from_sbrec(struct hmap *datapaths, | |
309 | const struct sbrec_datapath_binding *sb) | |
310 | { | |
311 | struct uuid key; | |
312 | ||
9975d7be BP |
313 | if (!smap_get_uuid(&sb->external_ids, "logical-switch", &key) && |
314 | !smap_get_uuid(&sb->external_ids, "logical-router", &key)) { | |
5868eb24 BP |
315 | return NULL; |
316 | } | |
317 | return ovn_datapath_find(datapaths, &key); | |
318 | } | |
319 | ||
5412db30 J |
320 | static bool |
321 | lrouter_is_enabled(const struct nbrec_logical_router *lrouter) | |
322 | { | |
323 | return !lrouter->enabled || *lrouter->enabled; | |
324 | } | |
325 | ||
5868eb24 BP |
326 | static void |
327 | join_datapaths(struct northd_context *ctx, struct hmap *datapaths, | |
328 | struct ovs_list *sb_only, struct ovs_list *nb_only, | |
329 | struct ovs_list *both) | |
330 | { | |
331 | hmap_init(datapaths); | |
417e7e66 BW |
332 | ovs_list_init(sb_only); |
333 | ovs_list_init(nb_only); | |
334 | ovs_list_init(both); | |
5868eb24 BP |
335 | |
336 | const struct sbrec_datapath_binding *sb, *sb_next; | |
337 | SBREC_DATAPATH_BINDING_FOR_EACH_SAFE (sb, sb_next, ctx->ovnsb_idl) { | |
338 | struct uuid key; | |
9975d7be BP |
339 | if (!smap_get_uuid(&sb->external_ids, "logical-switch", &key) && |
340 | !smap_get_uuid(&sb->external_ids, "logical-router", &key)) { | |
341 | ovsdb_idl_txn_add_comment( | |
342 | ctx->ovnsb_txn, | |
343 | "deleting Datapath_Binding "UUID_FMT" that lacks " | |
344 | "external-ids:logical-switch and " | |
345 | "external-ids:logical-router", | |
346 | UUID_ARGS(&sb->header_.uuid)); | |
5868eb24 BP |
347 | sbrec_datapath_binding_delete(sb); |
348 | continue; | |
349 | } | |
350 | ||
351 | if (ovn_datapath_find(datapaths, &key)) { | |
352 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
9975d7be BP |
353 | VLOG_INFO_RL( |
354 | &rl, "deleting Datapath_Binding "UUID_FMT" with " | |
355 | "duplicate external-ids:logical-switch/router "UUID_FMT, | |
356 | UUID_ARGS(&sb->header_.uuid), UUID_ARGS(&key)); | |
5868eb24 BP |
357 | sbrec_datapath_binding_delete(sb); |
358 | continue; | |
359 | } | |
360 | ||
361 | struct ovn_datapath *od = ovn_datapath_create(datapaths, &key, | |
9975d7be | 362 | NULL, NULL, sb); |
417e7e66 | 363 | ovs_list_push_back(sb_only, &od->list); |
5868eb24 BP |
364 | } |
365 | ||
9975d7be BP |
366 | const struct nbrec_logical_switch *nbs; |
367 | NBREC_LOGICAL_SWITCH_FOR_EACH (nbs, ctx->ovnnb_idl) { | |
5868eb24 | 368 | struct ovn_datapath *od = ovn_datapath_find(datapaths, |
9975d7be | 369 | &nbs->header_.uuid); |
5868eb24 | 370 | if (od) { |
9975d7be | 371 | od->nbs = nbs; |
417e7e66 BW |
372 | ovs_list_remove(&od->list); |
373 | ovs_list_push_back(both, &od->list); | |
5868eb24 | 374 | } else { |
9975d7be BP |
375 | od = ovn_datapath_create(datapaths, &nbs->header_.uuid, |
376 | nbs, NULL, NULL); | |
417e7e66 | 377 | ovs_list_push_back(nb_only, &od->list); |
5868eb24 BP |
378 | } |
379 | } | |
9975d7be BP |
380 | |
381 | const struct nbrec_logical_router *nbr; | |
382 | NBREC_LOGICAL_ROUTER_FOR_EACH (nbr, ctx->ovnnb_idl) { | |
5412db30 J |
383 | if (!lrouter_is_enabled(nbr)) { |
384 | continue; | |
385 | } | |
386 | ||
9975d7be BP |
387 | struct ovn_datapath *od = ovn_datapath_find(datapaths, |
388 | &nbr->header_.uuid); | |
389 | if (od) { | |
390 | if (!od->nbs) { | |
391 | od->nbr = nbr; | |
417e7e66 BW |
392 | ovs_list_remove(&od->list); |
393 | ovs_list_push_back(both, &od->list); | |
9975d7be BP |
394 | } else { |
395 | /* Can't happen! */ | |
396 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
397 | VLOG_WARN_RL(&rl, | |
398 | "duplicate UUID "UUID_FMT" in OVN_Northbound", | |
399 | UUID_ARGS(&nbr->header_.uuid)); | |
400 | continue; | |
401 | } | |
402 | } else { | |
403 | od = ovn_datapath_create(datapaths, &nbr->header_.uuid, | |
404 | NULL, nbr, NULL); | |
417e7e66 | 405 | ovs_list_push_back(nb_only, &od->list); |
9975d7be BP |
406 | } |
407 | ||
408 | od->gateway = 0; | |
409 | if (nbr->default_gw) { | |
0bac7164 BP |
410 | ovs_be32 ip; |
411 | if (!ip_parse(nbr->default_gw, &ip) || !ip) { | |
412 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
9975d7be | 413 | VLOG_WARN_RL(&rl, "bad 'gateway' %s", nbr->default_gw); |
9975d7be BP |
414 | } else { |
415 | od->gateway = ip; | |
416 | } | |
417 | } | |
0bac7164 BP |
418 | |
419 | /* Set the gateway port to NULL. If there is a gateway, it will get | |
420 | * filled in as we go through the ports later. */ | |
421 | od->gateway_port = NULL; | |
9975d7be | 422 | } |
5868eb24 BP |
423 | } |
424 | ||
425 | static uint32_t | |
426 | ovn_datapath_allocate_key(struct hmap *dp_tnlids) | |
427 | { | |
428 | static uint32_t hint; | |
429 | return allocate_tnlid(dp_tnlids, "datapath", (1u << 24) - 1, &hint); | |
430 | } | |
431 | ||
0bac7164 BP |
432 | /* Updates the southbound Datapath_Binding table so that it contains the |
433 | * logical switches and routers specified by the northbound database. | |
434 | * | |
435 | * Initializes 'datapaths' to contain a "struct ovn_datapath" for every logical | |
436 | * switch and router. */ | |
5868eb24 BP |
437 | static void |
438 | build_datapaths(struct northd_context *ctx, struct hmap *datapaths) | |
439 | { | |
440 | struct ovs_list sb_only, nb_only, both; | |
441 | ||
442 | join_datapaths(ctx, datapaths, &sb_only, &nb_only, &both); | |
443 | ||
417e7e66 | 444 | if (!ovs_list_is_empty(&nb_only)) { |
5868eb24 BP |
445 | /* First index the in-use datapath tunnel IDs. */ |
446 | struct hmap dp_tnlids = HMAP_INITIALIZER(&dp_tnlids); | |
447 | struct ovn_datapath *od; | |
448 | LIST_FOR_EACH (od, list, &both) { | |
449 | add_tnlid(&dp_tnlids, od->sb->tunnel_key); | |
450 | } | |
451 | ||
452 | /* Add southbound record for each unmatched northbound record. */ | |
453 | LIST_FOR_EACH (od, list, &nb_only) { | |
454 | uint16_t tunnel_key = ovn_datapath_allocate_key(&dp_tnlids); | |
455 | if (!tunnel_key) { | |
456 | break; | |
457 | } | |
458 | ||
459 | od->sb = sbrec_datapath_binding_insert(ctx->ovnsb_txn); | |
460 | ||
5868eb24 | 461 | char uuid_s[UUID_LEN + 1]; |
9975d7be BP |
462 | sprintf(uuid_s, UUID_FMT, UUID_ARGS(&od->key)); |
463 | const char *key = od->nbs ? "logical-switch" : "logical-router"; | |
464 | const struct smap id = SMAP_CONST1(&id, key, uuid_s); | |
aaf881c6 | 465 | sbrec_datapath_binding_set_external_ids(od->sb, &id); |
5868eb24 BP |
466 | |
467 | sbrec_datapath_binding_set_tunnel_key(od->sb, tunnel_key); | |
468 | } | |
469 | destroy_tnlids(&dp_tnlids); | |
470 | } | |
471 | ||
472 | /* Delete southbound records without northbound matches. */ | |
473 | struct ovn_datapath *od, *next; | |
474 | LIST_FOR_EACH_SAFE (od, next, list, &sb_only) { | |
417e7e66 | 475 | ovs_list_remove(&od->list); |
5868eb24 BP |
476 | sbrec_datapath_binding_delete(od->sb); |
477 | ovn_datapath_destroy(datapaths, od); | |
478 | } | |
479 | } | |
480 | \f | |
481 | struct ovn_port { | |
482 | struct hmap_node key_node; /* Index on 'key'. */ | |
9975d7be BP |
483 | char *key; /* nbs->name, nbr->name, sb->logical_port. */ |
484 | char *json_key; /* 'key', quoted for use in JSON. */ | |
5868eb24 | 485 | |
9975d7be BP |
486 | const struct nbrec_logical_port *nbs; /* May be NULL. */ |
487 | const struct nbrec_logical_router_port *nbr; /* May be NULL. */ | |
488 | const struct sbrec_port_binding *sb; /* May be NULL. */ | |
489 | ||
490 | /* Logical router port data. */ | |
491 | ovs_be32 ip, mask; /* 192.168.10.123/24. */ | |
492 | ovs_be32 network; /* 192.168.10.0. */ | |
493 | ovs_be32 bcast; /* 192.168.10.255. */ | |
494 | struct eth_addr mac; | |
495 | struct ovn_port *peer; | |
5868eb24 BP |
496 | |
497 | struct ovn_datapath *od; | |
498 | ||
499 | struct ovs_list list; /* In list of similar records. */ | |
500 | }; | |
501 | ||
502 | static struct ovn_port * | |
503 | ovn_port_create(struct hmap *ports, const char *key, | |
9975d7be BP |
504 | const struct nbrec_logical_port *nbs, |
505 | const struct nbrec_logical_router_port *nbr, | |
5868eb24 BP |
506 | const struct sbrec_port_binding *sb) |
507 | { | |
508 | struct ovn_port *op = xzalloc(sizeof *op); | |
9975d7be BP |
509 | |
510 | struct ds json_key = DS_EMPTY_INITIALIZER; | |
511 | json_string_escape(key, &json_key); | |
512 | op->json_key = ds_steal_cstr(&json_key); | |
513 | ||
514 | op->key = xstrdup(key); | |
5868eb24 | 515 | op->sb = sb; |
9975d7be BP |
516 | op->nbs = nbs; |
517 | op->nbr = nbr; | |
5868eb24 BP |
518 | hmap_insert(ports, &op->key_node, hash_string(op->key, 0)); |
519 | return op; | |
520 | } | |
521 | ||
522 | static void | |
523 | ovn_port_destroy(struct hmap *ports, struct ovn_port *port) | |
524 | { | |
525 | if (port) { | |
526 | /* Don't remove port->list. It is used within build_ports() as a | |
527 | * private list and once we've exited that function it is not safe to | |
528 | * use it. */ | |
529 | hmap_remove(ports, &port->key_node); | |
9975d7be BP |
530 | free(port->json_key); |
531 | free(port->key); | |
5868eb24 BP |
532 | free(port); |
533 | } | |
534 | } | |
535 | ||
536 | static struct ovn_port * | |
537 | ovn_port_find(struct hmap *ports, const char *name) | |
538 | { | |
539 | struct ovn_port *op; | |
540 | ||
541 | HMAP_FOR_EACH_WITH_HASH (op, key_node, hash_string(name, 0), ports) { | |
542 | if (!strcmp(op->key, name)) { | |
543 | return op; | |
544 | } | |
545 | } | |
546 | return NULL; | |
547 | } | |
548 | ||
549 | static uint32_t | |
550 | ovn_port_allocate_key(struct ovn_datapath *od) | |
551 | { | |
552 | return allocate_tnlid(&od->port_tnlids, "port", | |
553 | (1u << 15) - 1, &od->port_key_hint); | |
554 | } | |
555 | ||
556 | static void | |
557 | join_logical_ports(struct northd_context *ctx, | |
558 | struct hmap *datapaths, struct hmap *ports, | |
559 | struct ovs_list *sb_only, struct ovs_list *nb_only, | |
560 | struct ovs_list *both) | |
561 | { | |
562 | hmap_init(ports); | |
417e7e66 BW |
563 | ovs_list_init(sb_only); |
564 | ovs_list_init(nb_only); | |
565 | ovs_list_init(both); | |
5868eb24 BP |
566 | |
567 | const struct sbrec_port_binding *sb; | |
568 | SBREC_PORT_BINDING_FOR_EACH (sb, ctx->ovnsb_idl) { | |
569 | struct ovn_port *op = ovn_port_create(ports, sb->logical_port, | |
9975d7be | 570 | NULL, NULL, sb); |
417e7e66 | 571 | ovs_list_push_back(sb_only, &op->list); |
5868eb24 BP |
572 | } |
573 | ||
574 | struct ovn_datapath *od; | |
575 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
576 | if (od->nbs) { |
577 | for (size_t i = 0; i < od->nbs->n_ports; i++) { | |
578 | const struct nbrec_logical_port *nbs = od->nbs->ports[i]; | |
579 | struct ovn_port *op = ovn_port_find(ports, nbs->name); | |
580 | if (op) { | |
581 | if (op->nbs || op->nbr) { | |
582 | static struct vlog_rate_limit rl | |
583 | = VLOG_RATE_LIMIT_INIT(5, 1); | |
584 | VLOG_WARN_RL(&rl, "duplicate logical port %s", | |
585 | nbs->name); | |
586 | continue; | |
587 | } | |
588 | op->nbs = nbs; | |
417e7e66 BW |
589 | ovs_list_remove(&op->list); |
590 | ovs_list_push_back(both, &op->list); | |
9975d7be BP |
591 | } else { |
592 | op = ovn_port_create(ports, nbs->name, nbs, NULL, NULL); | |
417e7e66 | 593 | ovs_list_push_back(nb_only, &op->list); |
9975d7be BP |
594 | } |
595 | ||
596 | op->od = od; | |
597 | } | |
598 | } else { | |
599 | for (size_t i = 0; i < od->nbr->n_ports; i++) { | |
600 | const struct nbrec_logical_router_port *nbr | |
601 | = od->nbr->ports[i]; | |
602 | ||
603 | struct eth_addr mac; | |
604 | if (!eth_addr_from_string(nbr->mac, &mac)) { | |
605 | static struct vlog_rate_limit rl | |
606 | = VLOG_RATE_LIMIT_INIT(5, 1); | |
607 | VLOG_WARN_RL(&rl, "bad 'mac' %s", nbr->mac); | |
608 | continue; | |
609 | } | |
610 | ||
611 | ovs_be32 ip, mask; | |
612 | char *error = ip_parse_masked(nbr->network, &ip, &mask); | |
613 | if (error || mask == OVS_BE32_MAX || !ip_is_cidr(mask)) { | |
614 | static struct vlog_rate_limit rl | |
615 | = VLOG_RATE_LIMIT_INIT(5, 1); | |
616 | VLOG_WARN_RL(&rl, "bad 'network' %s", nbr->network); | |
617 | free(error); | |
618 | continue; | |
619 | } | |
620 | ||
00007447 | 621 | struct ovn_port *op = ovn_port_find(ports, nbr->name); |
9975d7be BP |
622 | if (op) { |
623 | if (op->nbs || op->nbr) { | |
624 | static struct vlog_rate_limit rl | |
625 | = VLOG_RATE_LIMIT_INIT(5, 1); | |
626 | VLOG_WARN_RL(&rl, "duplicate logical router port %s", | |
00007447 | 627 | nbr->name); |
9975d7be BP |
628 | continue; |
629 | } | |
630 | op->nbr = nbr; | |
417e7e66 BW |
631 | ovs_list_remove(&op->list); |
632 | ovs_list_push_back(both, &op->list); | |
9975d7be | 633 | } else { |
00007447 | 634 | op = ovn_port_create(ports, nbr->name, NULL, nbr, NULL); |
417e7e66 | 635 | ovs_list_push_back(nb_only, &op->list); |
9975d7be BP |
636 | } |
637 | ||
638 | op->ip = ip; | |
639 | op->mask = mask; | |
640 | op->network = ip & mask; | |
641 | op->bcast = ip | ~mask; | |
642 | op->mac = mac; | |
643 | ||
644 | op->od = od; | |
0bac7164 BP |
645 | |
646 | /* If 'od' has a gateway and 'op' routes to it... */ | |
647 | if (od->gateway && !((op->network ^ od->gateway) & op->mask)) { | |
648 | /* ...and if 'op' is a longer match than the current | |
649 | * choice... */ | |
650 | const struct ovn_port *gw = od->gateway_port; | |
651 | int len = gw ? ip_count_cidr_bits(gw->mask) : 0; | |
652 | if (ip_count_cidr_bits(op->mask) > len) { | |
653 | /* ...then it's the default gateway port. */ | |
654 | od->gateway_port = op; | |
655 | } | |
656 | } | |
5868eb24 | 657 | } |
9975d7be BP |
658 | } |
659 | } | |
660 | ||
661 | /* Connect logical router ports, and logical switch ports of type "router", | |
662 | * to their peers. */ | |
663 | struct ovn_port *op; | |
664 | HMAP_FOR_EACH (op, key_node, ports) { | |
665 | if (op->nbs && !strcmp(op->nbs->type, "router")) { | |
666 | const char *peer_name = smap_get(&op->nbs->options, "router-port"); | |
667 | if (!peer_name) { | |
668 | continue; | |
669 | } | |
670 | ||
671 | struct ovn_port *peer = ovn_port_find(ports, peer_name); | |
672 | if (!peer || !peer->nbr) { | |
673 | continue; | |
674 | } | |
675 | ||
676 | peer->peer = op; | |
677 | op->peer = peer; | |
86e98048 BP |
678 | op->od->router_ports = xrealloc( |
679 | op->od->router_ports, | |
680 | sizeof *op->od->router_ports * (op->od->n_router_ports + 1)); | |
681 | op->od->router_ports[op->od->n_router_ports++] = op; | |
9975d7be | 682 | } else if (op->nbr && op->nbr->peer) { |
509afdc3 | 683 | op->peer = ovn_port_find(ports, op->nbr->peer); |
5868eb24 BP |
684 | } |
685 | } | |
686 | } | |
687 | ||
688 | static void | |
689 | ovn_port_update_sbrec(const struct ovn_port *op) | |
690 | { | |
691 | sbrec_port_binding_set_datapath(op->sb, op->od->sb); | |
9975d7be BP |
692 | if (op->nbr) { |
693 | sbrec_port_binding_set_type(op->sb, "patch"); | |
694 | ||
695 | const char *peer = op->peer ? op->peer->key : "<error>"; | |
696 | const struct smap ids = SMAP_CONST1(&ids, "peer", peer); | |
697 | sbrec_port_binding_set_options(op->sb, &ids); | |
698 | ||
699 | sbrec_port_binding_set_parent_port(op->sb, NULL); | |
700 | sbrec_port_binding_set_tag(op->sb, NULL, 0); | |
701 | sbrec_port_binding_set_mac(op->sb, NULL, 0); | |
702 | } else { | |
703 | if (strcmp(op->nbs->type, "router")) { | |
704 | sbrec_port_binding_set_type(op->sb, op->nbs->type); | |
705 | sbrec_port_binding_set_options(op->sb, &op->nbs->options); | |
706 | } else { | |
707 | sbrec_port_binding_set_type(op->sb, "patch"); | |
708 | ||
709 | const char *router_port = smap_get(&op->nbs->options, | |
710 | "router-port"); | |
711 | if (!router_port) { | |
712 | router_port = "<error>"; | |
713 | } | |
714 | const struct smap ids = SMAP_CONST1(&ids, "peer", router_port); | |
715 | sbrec_port_binding_set_options(op->sb, &ids); | |
716 | } | |
717 | sbrec_port_binding_set_parent_port(op->sb, op->nbs->parent_name); | |
718 | sbrec_port_binding_set_tag(op->sb, op->nbs->tag, op->nbs->n_tag); | |
719 | sbrec_port_binding_set_mac(op->sb, (const char **) op->nbs->addresses, | |
720 | op->nbs->n_addresses); | |
721 | } | |
5868eb24 BP |
722 | } |
723 | ||
0bac7164 BP |
724 | /* Updates the southbound Port_Binding table so that it contains the logical |
725 | * ports specified by the northbound database. | |
726 | * | |
727 | * Initializes 'ports' to contain a "struct ovn_port" for every logical port, | |
728 | * using the "struct ovn_datapath"s in 'datapaths' to look up logical | |
729 | * datapaths. */ | |
5868eb24 BP |
730 | static void |
731 | build_ports(struct northd_context *ctx, struct hmap *datapaths, | |
732 | struct hmap *ports) | |
733 | { | |
734 | struct ovs_list sb_only, nb_only, both; | |
735 | ||
736 | join_logical_ports(ctx, datapaths, ports, &sb_only, &nb_only, &both); | |
737 | ||
738 | /* For logical ports that are in both databases, update the southbound | |
739 | * record based on northbound data. Also index the in-use tunnel_keys. */ | |
740 | struct ovn_port *op, *next; | |
741 | LIST_FOR_EACH_SAFE (op, next, list, &both) { | |
742 | ovn_port_update_sbrec(op); | |
743 | ||
744 | add_tnlid(&op->od->port_tnlids, op->sb->tunnel_key); | |
745 | if (op->sb->tunnel_key > op->od->port_key_hint) { | |
746 | op->od->port_key_hint = op->sb->tunnel_key; | |
747 | } | |
748 | } | |
749 | ||
750 | /* Add southbound record for each unmatched northbound record. */ | |
751 | LIST_FOR_EACH_SAFE (op, next, list, &nb_only) { | |
752 | uint16_t tunnel_key = ovn_port_allocate_key(op->od); | |
753 | if (!tunnel_key) { | |
754 | continue; | |
755 | } | |
756 | ||
757 | op->sb = sbrec_port_binding_insert(ctx->ovnsb_txn); | |
758 | ovn_port_update_sbrec(op); | |
759 | ||
760 | sbrec_port_binding_set_logical_port(op->sb, op->key); | |
761 | sbrec_port_binding_set_tunnel_key(op->sb, tunnel_key); | |
762 | } | |
763 | ||
764 | /* Delete southbound records without northbound matches. */ | |
765 | LIST_FOR_EACH_SAFE(op, next, list, &sb_only) { | |
417e7e66 | 766 | ovs_list_remove(&op->list); |
5868eb24 BP |
767 | sbrec_port_binding_delete(op->sb); |
768 | ovn_port_destroy(ports, op); | |
769 | } | |
770 | } | |
771 | \f | |
772 | #define OVN_MIN_MULTICAST 32768 | |
773 | #define OVN_MAX_MULTICAST 65535 | |
774 | ||
775 | struct multicast_group { | |
776 | const char *name; | |
777 | uint16_t key; /* OVN_MIN_MULTICAST...OVN_MAX_MULTICAST. */ | |
778 | }; | |
779 | ||
780 | #define MC_FLOOD "_MC_flood" | |
781 | static const struct multicast_group mc_flood = { MC_FLOOD, 65535 }; | |
782 | ||
783 | #define MC_UNKNOWN "_MC_unknown" | |
784 | static const struct multicast_group mc_unknown = { MC_UNKNOWN, 65534 }; | |
785 | ||
786 | static bool | |
787 | multicast_group_equal(const struct multicast_group *a, | |
788 | const struct multicast_group *b) | |
789 | { | |
790 | return !strcmp(a->name, b->name) && a->key == b->key; | |
791 | } | |
792 | ||
793 | /* Multicast group entry. */ | |
794 | struct ovn_multicast { | |
795 | struct hmap_node hmap_node; /* Index on 'datapath' and 'key'. */ | |
796 | struct ovn_datapath *datapath; | |
797 | const struct multicast_group *group; | |
798 | ||
799 | struct ovn_port **ports; | |
800 | size_t n_ports, allocated_ports; | |
801 | }; | |
802 | ||
803 | static uint32_t | |
804 | ovn_multicast_hash(const struct ovn_datapath *datapath, | |
805 | const struct multicast_group *group) | |
806 | { | |
807 | return hash_pointer(datapath, group->key); | |
808 | } | |
809 | ||
810 | static struct ovn_multicast * | |
811 | ovn_multicast_find(struct hmap *mcgroups, struct ovn_datapath *datapath, | |
812 | const struct multicast_group *group) | |
813 | { | |
814 | struct ovn_multicast *mc; | |
815 | ||
816 | HMAP_FOR_EACH_WITH_HASH (mc, hmap_node, | |
817 | ovn_multicast_hash(datapath, group), mcgroups) { | |
818 | if (mc->datapath == datapath | |
819 | && multicast_group_equal(mc->group, group)) { | |
820 | return mc; | |
4edcdcf4 RB |
821 | } |
822 | } | |
5868eb24 BP |
823 | return NULL; |
824 | } | |
825 | ||
826 | static void | |
827 | ovn_multicast_add(struct hmap *mcgroups, const struct multicast_group *group, | |
828 | struct ovn_port *port) | |
829 | { | |
830 | struct ovn_datapath *od = port->od; | |
831 | struct ovn_multicast *mc = ovn_multicast_find(mcgroups, od, group); | |
832 | if (!mc) { | |
833 | mc = xmalloc(sizeof *mc); | |
834 | hmap_insert(mcgroups, &mc->hmap_node, ovn_multicast_hash(od, group)); | |
835 | mc->datapath = od; | |
836 | mc->group = group; | |
837 | mc->n_ports = 0; | |
838 | mc->allocated_ports = 4; | |
839 | mc->ports = xmalloc(mc->allocated_ports * sizeof *mc->ports); | |
840 | } | |
841 | if (mc->n_ports >= mc->allocated_ports) { | |
842 | mc->ports = x2nrealloc(mc->ports, &mc->allocated_ports, | |
843 | sizeof *mc->ports); | |
844 | } | |
845 | mc->ports[mc->n_ports++] = port; | |
846 | } | |
4edcdcf4 | 847 | |
5868eb24 BP |
848 | static void |
849 | ovn_multicast_destroy(struct hmap *mcgroups, struct ovn_multicast *mc) | |
850 | { | |
851 | if (mc) { | |
852 | hmap_remove(mcgroups, &mc->hmap_node); | |
853 | free(mc->ports); | |
854 | free(mc); | |
855 | } | |
856 | } | |
4edcdcf4 | 857 | |
5868eb24 BP |
858 | static void |
859 | ovn_multicast_update_sbrec(const struct ovn_multicast *mc, | |
860 | const struct sbrec_multicast_group *sb) | |
861 | { | |
862 | struct sbrec_port_binding **ports = xmalloc(mc->n_ports * sizeof *ports); | |
863 | for (size_t i = 0; i < mc->n_ports; i++) { | |
864 | ports[i] = CONST_CAST(struct sbrec_port_binding *, mc->ports[i]->sb); | |
865 | } | |
866 | sbrec_multicast_group_set_ports(sb, ports, mc->n_ports); | |
867 | free(ports); | |
4edcdcf4 | 868 | } |
bd39395f | 869 | \f |
48605550 | 870 | /* Logical flow generation. |
bd39395f | 871 | * |
48605550 | 872 | * This code generates the Logical_Flow table in the southbound database, as a |
bd39395f BP |
873 | * function of most of the northbound database. |
874 | */ | |
875 | ||
5868eb24 BP |
876 | struct ovn_lflow { |
877 | struct hmap_node hmap_node; | |
bd39395f | 878 | |
5868eb24 | 879 | struct ovn_datapath *od; |
880fcd14 | 880 | enum ovn_stage stage; |
5868eb24 BP |
881 | uint16_t priority; |
882 | char *match; | |
883 | char *actions; | |
bd39395f BP |
884 | }; |
885 | ||
886 | static size_t | |
5868eb24 | 887 | ovn_lflow_hash(const struct ovn_lflow *lflow) |
bd39395f | 888 | { |
5868eb24 | 889 | size_t hash = uuid_hash(&lflow->od->key); |
880fcd14 | 890 | hash = hash_2words((lflow->stage << 16) | lflow->priority, hash); |
5868eb24 BP |
891 | hash = hash_string(lflow->match, hash); |
892 | return hash_string(lflow->actions, hash); | |
bd39395f BP |
893 | } |
894 | ||
5868eb24 BP |
895 | static bool |
896 | ovn_lflow_equal(const struct ovn_lflow *a, const struct ovn_lflow *b) | |
897 | { | |
898 | return (a->od == b->od | |
880fcd14 | 899 | && a->stage == b->stage |
5868eb24 BP |
900 | && a->priority == b->priority |
901 | && !strcmp(a->match, b->match) | |
902 | && !strcmp(a->actions, b->actions)); | |
903 | } | |
904 | ||
905 | static void | |
906 | ovn_lflow_init(struct ovn_lflow *lflow, struct ovn_datapath *od, | |
880fcd14 | 907 | enum ovn_stage stage, uint16_t priority, |
5868eb24 | 908 | char *match, char *actions) |
bd39395f | 909 | { |
5868eb24 | 910 | lflow->od = od; |
880fcd14 | 911 | lflow->stage = stage; |
5868eb24 BP |
912 | lflow->priority = priority; |
913 | lflow->match = match; | |
914 | lflow->actions = actions; | |
bd39395f BP |
915 | } |
916 | ||
48605550 | 917 | /* Adds a row with the specified contents to the Logical_Flow table. */ |
bd39395f | 918 | static void |
5868eb24 | 919 | ovn_lflow_add(struct hmap *lflow_map, struct ovn_datapath *od, |
880fcd14 | 920 | enum ovn_stage stage, uint16_t priority, |
5868eb24 BP |
921 | const char *match, const char *actions) |
922 | { | |
923 | struct ovn_lflow *lflow = xmalloc(sizeof *lflow); | |
880fcd14 | 924 | ovn_lflow_init(lflow, od, stage, priority, |
5868eb24 BP |
925 | xstrdup(match), xstrdup(actions)); |
926 | hmap_insert(lflow_map, &lflow->hmap_node, ovn_lflow_hash(lflow)); | |
927 | } | |
928 | ||
929 | static struct ovn_lflow * | |
930 | ovn_lflow_find(struct hmap *lflows, struct ovn_datapath *od, | |
880fcd14 | 931 | enum ovn_stage stage, uint16_t priority, |
5868eb24 BP |
932 | const char *match, const char *actions) |
933 | { | |
934 | struct ovn_lflow target; | |
880fcd14 | 935 | ovn_lflow_init(&target, od, stage, priority, |
5868eb24 BP |
936 | CONST_CAST(char *, match), CONST_CAST(char *, actions)); |
937 | ||
938 | struct ovn_lflow *lflow; | |
939 | HMAP_FOR_EACH_WITH_HASH (lflow, hmap_node, ovn_lflow_hash(&target), | |
940 | lflows) { | |
941 | if (ovn_lflow_equal(lflow, &target)) { | |
942 | return lflow; | |
bd39395f BP |
943 | } |
944 | } | |
5868eb24 BP |
945 | return NULL; |
946 | } | |
bd39395f | 947 | |
5868eb24 BP |
948 | static void |
949 | ovn_lflow_destroy(struct hmap *lflows, struct ovn_lflow *lflow) | |
950 | { | |
951 | if (lflow) { | |
952 | hmap_remove(lflows, &lflow->hmap_node); | |
953 | free(lflow->match); | |
954 | free(lflow->actions); | |
955 | free(lflow); | |
956 | } | |
bd39395f BP |
957 | } |
958 | ||
bd39395f BP |
959 | /* Appends port security constraints on L2 address field 'eth_addr_field' |
960 | * (e.g. "eth.src" or "eth.dst") to 'match'. 'port_security', with | |
961 | * 'n_port_security' elements, is the collection of port_security constraints | |
f7cb14cd | 962 | * from an OVN_NB Logical_Port row. */ |
bd39395f | 963 | static void |
685f4dfe NS |
964 | build_port_security_l2(const char *eth_addr_field, |
965 | char **port_security, size_t n_port_security, | |
966 | struct ds *match) | |
bd39395f BP |
967 | { |
968 | size_t base_len = match->length; | |
969 | ds_put_format(match, " && %s == {", eth_addr_field); | |
970 | ||
971 | size_t n = 0; | |
972 | for (size_t i = 0; i < n_port_security; i++) { | |
74ff3298 | 973 | struct eth_addr ea; |
f7cb14cd | 974 | |
74ff3298 | 975 | if (eth_addr_from_string(port_security[i], &ea)) { |
f7cb14cd | 976 | ds_put_format(match, ETH_ADDR_FMT, ETH_ADDR_ARGS(ea)); |
bd39395f BP |
977 | ds_put_char(match, ' '); |
978 | n++; | |
979 | } | |
980 | } | |
f7cb14cd | 981 | ds_chomp(match, ' '); |
bd39395f | 982 | ds_put_cstr(match, "}"); |
4edcdcf4 | 983 | |
bd39395f BP |
984 | if (!n) { |
985 | match->length = base_len; | |
986 | } | |
987 | } | |
988 | ||
685f4dfe NS |
989 | static void |
990 | build_port_security_ipv6_nd_flow( | |
991 | struct ds *match, struct eth_addr ea, struct ipv6_netaddr *ipv6_addrs, | |
992 | int n_ipv6_addrs) | |
993 | { | |
994 | ds_put_format(match, " && ip6 && nd && ((nd.sll == "ETH_ADDR_FMT" || " | |
995 | "nd.sll == "ETH_ADDR_FMT") || ((nd.tll == "ETH_ADDR_FMT" || " | |
996 | "nd.tll == "ETH_ADDR_FMT")", ETH_ADDR_ARGS(eth_addr_zero), | |
997 | ETH_ADDR_ARGS(ea), ETH_ADDR_ARGS(eth_addr_zero), | |
998 | ETH_ADDR_ARGS(ea)); | |
999 | if (!n_ipv6_addrs) { | |
1000 | ds_put_cstr(match, "))"); | |
1001 | return; | |
1002 | } | |
1003 | ||
1004 | char ip6_str[INET6_ADDRSTRLEN + 1]; | |
1005 | struct in6_addr lla; | |
1006 | in6_generate_lla(ea, &lla); | |
1007 | memset(ip6_str, 0, sizeof(ip6_str)); | |
1008 | ipv6_string_mapped(ip6_str, &lla); | |
1009 | ds_put_format(match, " && (nd.target == %s", ip6_str); | |
1010 | ||
1011 | for(int i = 0; i < n_ipv6_addrs; i++) { | |
1012 | memset(ip6_str, 0, sizeof(ip6_str)); | |
1013 | ipv6_string_mapped(ip6_str, &ipv6_addrs[i].addr); | |
1014 | ds_put_format(match, " || nd.target == %s", ip6_str); | |
1015 | } | |
1016 | ||
1017 | ds_put_format(match, ")))"); | |
1018 | } | |
1019 | ||
1020 | static void | |
1021 | build_port_security_ipv6_flow( | |
1022 | enum ovn_pipeline pipeline, struct ds *match, struct eth_addr ea, | |
1023 | struct ipv6_netaddr *ipv6_addrs, int n_ipv6_addrs) | |
1024 | { | |
1025 | char ip6_str[INET6_ADDRSTRLEN + 1]; | |
1026 | ||
1027 | ds_put_format(match, " && %s == {", | |
1028 | pipeline == P_IN ? "ip6.src" : "ip6.dst"); | |
1029 | ||
1030 | /* Allow link-local address. */ | |
1031 | struct in6_addr lla; | |
1032 | in6_generate_lla(ea, &lla); | |
1033 | ipv6_string_mapped(ip6_str, &lla); | |
1034 | ds_put_format(match, "%s, ", ip6_str); | |
1035 | ||
1036 | /* Allow ip6.src=:: and ip6.dst=ff00::/8 for ND packets */ | |
1037 | ds_put_cstr(match, pipeline == P_IN ? "::" : "ff00::/8"); | |
1038 | for(int i = 0; i < n_ipv6_addrs; i++) { | |
1039 | ipv6_string_mapped(ip6_str, &ipv6_addrs[i].addr); | |
1040 | ds_put_format(match, ", %s", ip6_str); | |
1041 | } | |
1042 | ds_put_cstr(match, "}"); | |
1043 | } | |
1044 | ||
1045 | /** | |
1046 | * Build port security constraints on ARP and IPv6 ND fields | |
1047 | * and add logical flows to S_SWITCH_IN_PORT_SEC_ND stage. | |
1048 | * | |
1049 | * For each port security of the logical port, following | |
1050 | * logical flows are added | |
1051 | * - If the port security has no IP (both IPv4 and IPv6) or | |
1052 | * if it has IPv4 address(es) | |
1053 | * - Priority 90 flow to allow ARP packets for known MAC addresses | |
1054 | * in the eth.src and arp.spa fields. If the port security | |
1055 | * has IPv4 addresses, allow known IPv4 addresses in the arp.tpa field. | |
1056 | * | |
1057 | * - If the port security has no IP (both IPv4 and IPv6) or | |
1058 | * if it has IPv6 address(es) | |
1059 | * - Priority 90 flow to allow IPv6 ND packets for known MAC addresses | |
1060 | * in the eth.src and nd.sll/nd.tll fields. If the port security | |
1061 | * has IPv6 addresses, allow known IPv6 addresses in the nd.target field | |
1062 | * for IPv6 Neighbor Advertisement packet. | |
1063 | * | |
1064 | * - Priority 80 flow to drop ARP and IPv6 ND packets. | |
1065 | */ | |
1066 | static void | |
1067 | build_port_security_nd(struct ovn_port *op, struct hmap *lflows) | |
1068 | { | |
1069 | for (size_t i = 0; i < op->nbs->n_port_security; i++) { | |
1070 | struct lport_addresses ps; | |
1071 | if (!extract_lport_addresses(op->nbs->port_security[i], &ps, true)) { | |
1072 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
1073 | VLOG_INFO_RL(&rl, "invalid syntax '%s' in port security. No MAC" | |
1074 | " address found", op->nbs->port_security[i]); | |
1075 | continue; | |
1076 | } | |
1077 | ||
1078 | bool no_ip = !(ps.n_ipv4_addrs || ps.n_ipv6_addrs); | |
1079 | struct ds match = DS_EMPTY_INITIALIZER; | |
1080 | ||
1081 | if (ps.n_ipv4_addrs || no_ip) { | |
1082 | ds_put_format( | |
1083 | &match, "inport == %s && eth.src == "ETH_ADDR_FMT" && arp.sha == " | |
1084 | ETH_ADDR_FMT, op->json_key, ETH_ADDR_ARGS(ps.ea), | |
1085 | ETH_ADDR_ARGS(ps.ea)); | |
1086 | ||
1087 | if (ps.n_ipv4_addrs) { | |
1088 | ds_put_cstr(&match, " && ("); | |
1089 | for (size_t i = 0; i < ps.n_ipv4_addrs; i++) { | |
7d9d86ad NS |
1090 | ds_put_cstr(&match, "arp.spa == "); |
1091 | ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen); | |
1092 | /* When the netmask is applied, if the host portion is | |
1093 | * non-zero, the host can only use the specified | |
1094 | * address in the arp.spa. If zero, the host is allowed | |
1095 | * to use any address in the subnet. */ | |
1096 | if (ps.ipv4_addrs[i].addr & ~mask) { | |
1097 | ds_put_format(&match, IP_FMT, | |
1098 | IP_ARGS(ps.ipv4_addrs[i].addr)); | |
1099 | } else { | |
1100 | ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, | |
1101 | &match); | |
1102 | } | |
1103 | ds_put_cstr(&match, " || "); | |
685f4dfe NS |
1104 | } |
1105 | ds_chomp(&match, ' '); | |
1106 | ds_chomp(&match, '|'); | |
1107 | ds_chomp(&match, '|'); | |
1108 | ds_put_cstr(&match, ")"); | |
1109 | } | |
1110 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 90, | |
1111 | ds_cstr(&match), "next;"); | |
1112 | ds_destroy(&match); | |
1113 | } | |
1114 | ||
1115 | if (ps.n_ipv6_addrs || no_ip) { | |
1116 | ds_init(&match); | |
1117 | ds_put_format(&match, "inport == %s && eth.src == "ETH_ADDR_FMT, | |
1118 | op->json_key, ETH_ADDR_ARGS(ps.ea)); | |
1119 | build_port_security_ipv6_nd_flow(&match, ps.ea, ps.ipv6_addrs, | |
1120 | ps.n_ipv6_addrs); | |
1121 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 90, | |
1122 | ds_cstr(&match), "next;"); | |
1123 | ds_destroy(&match); | |
1124 | } | |
1125 | free(ps.ipv4_addrs); | |
1126 | free(ps.ipv6_addrs); | |
1127 | } | |
1128 | ||
1129 | char *match = xasprintf("inport == %s && (arp || nd)", op->json_key); | |
1130 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 80, | |
1131 | match, "drop;"); | |
1132 | free(match); | |
1133 | } | |
1134 | ||
1135 | /** | |
1136 | * Build port security constraints on IPv4 and IPv6 src and dst fields | |
1137 | * and add logical flows to S_SWITCH_(IN/OUT)_PORT_SEC_IP stage. | |
1138 | * | |
1139 | * For each port security of the logical port, following | |
1140 | * logical flows are added | |
1141 | * - If the port security has IPv4 addresses, | |
1142 | * - Priority 90 flow to allow IPv4 packets for known IPv4 addresses | |
1143 | * | |
1144 | * - If the port security has IPv6 addresses, | |
1145 | * - Priority 90 flow to allow IPv6 packets for known IPv6 addresses | |
1146 | * | |
1147 | * - If the port security has IPv4 addresses or IPv6 addresses or both | |
1148 | * - Priority 80 flow to drop all IPv4 and IPv6 traffic | |
1149 | */ | |
1150 | static void | |
1151 | build_port_security_ip(enum ovn_pipeline pipeline, struct ovn_port *op, | |
1152 | struct hmap *lflows) | |
1153 | { | |
1154 | char *port_direction; | |
1155 | enum ovn_stage stage; | |
1156 | if (pipeline == P_IN) { | |
1157 | port_direction = "inport"; | |
1158 | stage = S_SWITCH_IN_PORT_SEC_IP; | |
1159 | } else { | |
1160 | port_direction = "outport"; | |
1161 | stage = S_SWITCH_OUT_PORT_SEC_IP; | |
1162 | } | |
1163 | ||
1164 | for (size_t i = 0; i < op->nbs->n_port_security; i++) { | |
1165 | struct lport_addresses ps; | |
1166 | if (!extract_lport_addresses(op->nbs->port_security[i], &ps, true)) { | |
1167 | continue; | |
1168 | } | |
1169 | ||
1170 | if (!(ps.n_ipv4_addrs || ps.n_ipv6_addrs)) { | |
1171 | continue; | |
1172 | } | |
1173 | ||
1174 | if (ps.n_ipv4_addrs) { | |
1175 | struct ds match = DS_EMPTY_INITIALIZER; | |
1176 | if (pipeline == P_IN) { | |
1177 | ds_put_format(&match, "inport == %s && eth.src == "ETH_ADDR_FMT | |
1178 | " && ip4.src == {0.0.0.0, ", op->json_key, | |
1179 | ETH_ADDR_ARGS(ps.ea)); | |
1180 | } else { | |
1181 | ds_put_format(&match, "outport == %s && eth.dst == "ETH_ADDR_FMT | |
1182 | " && ip4.dst == {255.255.255.255, 224.0.0.0/4, ", | |
1183 | op->json_key, ETH_ADDR_ARGS(ps.ea)); | |
1184 | } | |
1185 | ||
1186 | for (int i = 0; i < ps.n_ipv4_addrs; i++) { | |
7d9d86ad NS |
1187 | ovs_be32 mask = be32_prefix_mask(ps.ipv4_addrs[i].plen); |
1188 | /* When the netmask is applied, if the host portion is | |
1189 | * non-zero, the host can only use the specified | |
1190 | * address. If zero, the host is allowed to use any | |
1191 | * address in the subnet. | |
1192 | * */ | |
1193 | if (ps.ipv4_addrs[i].addr & ~mask) { | |
1194 | ds_put_format(&match, IP_FMT, | |
1195 | IP_ARGS(ps.ipv4_addrs[i].addr)); | |
1196 | if (pipeline == P_OUT && ps.ipv4_addrs[i].plen != 32) { | |
1197 | /* Host is also allowed to receive packets to the | |
1198 | * broadcast address in the specified subnet. | |
1199 | */ | |
1200 | ds_put_format(&match, ", "IP_FMT, | |
1201 | IP_ARGS(ps.ipv4_addrs[i].addr | ~mask)); | |
1202 | } | |
1203 | } else { | |
1204 | /* host portion is zero */ | |
1205 | ip_format_masked(ps.ipv4_addrs[i].addr & mask, mask, | |
1206 | &match); | |
1207 | } | |
1208 | ds_put_cstr(&match, ", "); | |
685f4dfe NS |
1209 | } |
1210 | ||
1211 | /* Replace ", " by "}". */ | |
1212 | ds_chomp(&match, ' '); | |
1213 | ds_chomp(&match, ','); | |
1214 | ds_put_cstr(&match, "}"); | |
1215 | ovn_lflow_add(lflows, op->od, stage, 90, ds_cstr(&match), "next;"); | |
1216 | ds_destroy(&match); | |
1217 | free(ps.ipv4_addrs); | |
1218 | } | |
1219 | ||
1220 | if (ps.n_ipv6_addrs) { | |
1221 | struct ds match = DS_EMPTY_INITIALIZER; | |
1222 | ds_put_format(&match, "%s == %s && %s == "ETH_ADDR_FMT"", | |
1223 | port_direction, op->json_key, | |
1224 | pipeline == P_IN ? "eth.src" : "eth.dst", | |
1225 | ETH_ADDR_ARGS(ps.ea)); | |
1226 | build_port_security_ipv6_flow(pipeline, &match, ps.ea, | |
1227 | ps.ipv6_addrs, ps.n_ipv6_addrs); | |
1228 | ovn_lflow_add(lflows, op->od, stage, 90, | |
1229 | ds_cstr(&match), "next;"); | |
1230 | ds_destroy(&match); | |
1231 | free(ps.ipv6_addrs); | |
1232 | } | |
1233 | ||
1234 | char *match = xasprintf( | |
1235 | "%s == %s && %s == "ETH_ADDR_FMT" && ip", port_direction, | |
1236 | op->json_key, pipeline == P_IN ? "eth.src" : "eth.dst", | |
1237 | ETH_ADDR_ARGS(ps.ea)); | |
1238 | ovn_lflow_add(lflows, op->od, stage, 80, match, "drop;"); | |
1239 | free(match); | |
1240 | } | |
1241 | } | |
1242 | ||
95a9a275 RB |
1243 | static bool |
1244 | lport_is_enabled(const struct nbrec_logical_port *lport) | |
1245 | { | |
1246 | return !lport->enabled || *lport->enabled; | |
1247 | } | |
1248 | ||
4c7bf534 NS |
1249 | static bool |
1250 | lport_is_up(const struct nbrec_logical_port *lport) | |
1251 | { | |
1252 | return !lport->up || *lport->up; | |
1253 | } | |
1254 | ||
78aab811 JP |
1255 | static bool |
1256 | has_stateful_acl(struct ovn_datapath *od) | |
1257 | { | |
9975d7be BP |
1258 | for (size_t i = 0; i < od->nbs->n_acls; i++) { |
1259 | struct nbrec_acl *acl = od->nbs->acls[i]; | |
78aab811 JP |
1260 | if (!strcmp(acl->action, "allow-related")) { |
1261 | return true; | |
1262 | } | |
1263 | } | |
1264 | ||
1265 | return false; | |
1266 | } | |
1267 | ||
1268 | static void | |
48fcdb47 | 1269 | build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports) |
78aab811 JP |
1270 | { |
1271 | bool has_stateful = has_stateful_acl(od); | |
48fcdb47 | 1272 | struct ovn_port *op; |
78aab811 JP |
1273 | |
1274 | /* Ingress and Egress Pre-ACL Table (Priority 0): Packets are | |
1275 | * allowed by default. */ | |
880fcd14 BP |
1276 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 0, "1", "next;"); |
1277 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;"); | |
78aab811 JP |
1278 | |
1279 | /* Ingress and Egress ACL Table (Priority 0): Packets are allowed by | |
1280 | * default. A related rule at priority 1 is added below if there | |
1281 | * are any stateful ACLs in this datapath. */ | |
880fcd14 BP |
1282 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;"); |
1283 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;"); | |
78aab811 JP |
1284 | |
1285 | /* If there are any stateful ACL rules in this dapapath, we must | |
1286 | * send all IP packets through the conntrack action, which handles | |
1287 | * defragmentation, in order to match L4 headers. */ | |
1288 | if (has_stateful) { | |
48fcdb47 WL |
1289 | HMAP_FOR_EACH (op, key_node, ports) { |
1290 | if (op->od == od && !strcmp(op->nbs->type, "router")) { | |
501f95e1 JP |
1291 | /* Can't use ct() for router ports. Consider the |
1292 | * following configuration: lp1(10.0.0.2) on | |
1293 | * hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a | |
1294 | * ping from lp1 to lp2, First, the response will go | |
1295 | * through ct() with a zone for lp2 in the ls2 ingress | |
1296 | * pipeline on hostB. That ct zone knows about this | |
1297 | * connection. Next, it goes through ct() with the zone | |
1298 | * for the router port in the egress pipeline of ls2 on | |
1299 | * hostB. This zone does not know about the connection, | |
1300 | * as the icmp request went through the logical router | |
1301 | * on hostA, not hostB. This would only work with | |
1302 | * distributed conntrack state across all chassis. */ | |
1303 | struct ds match_in = DS_EMPTY_INITIALIZER; | |
1304 | struct ds match_out = DS_EMPTY_INITIALIZER; | |
1305 | ||
48fcdb47 WL |
1306 | ds_put_format(&match_in, "ip && inport == %s", op->json_key); |
1307 | ds_put_format(&match_out, "ip && outport == %s", op->json_key); | |
501f95e1 JP |
1308 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, |
1309 | ds_cstr(&match_in), "next;"); | |
1310 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, | |
1311 | ds_cstr(&match_out), "next;"); | |
48fcdb47 WL |
1312 | |
1313 | ds_destroy(&match_in); | |
1314 | ds_destroy(&match_out); | |
1315 | } | |
1316 | } | |
1317 | ||
78aab811 JP |
1318 | /* Ingress and Egress Pre-ACL Table (Priority 100). |
1319 | * | |
1320 | * Regardless of whether the ACL is "from-lport" or "to-lport", | |
1321 | * we need rules in both the ingress and egress table, because | |
1322 | * the return traffic needs to be followed. */ | |
880fcd14 BP |
1323 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip", "ct_next;"); |
1324 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip", "ct_next;"); | |
78aab811 JP |
1325 | |
1326 | /* Ingress and Egress ACL Table (Priority 1). | |
1327 | * | |
1328 | * By default, traffic is allowed. This is partially handled by | |
1329 | * the Priority 0 ACL flows added earlier, but we also need to | |
1330 | * commit IP flows. This is because, while the initiater's | |
1331 | * direction may not have any stateful rules, the server's may | |
1332 | * and then its return traffic would not have an associated | |
1333 | * conntrack entry and would return "+invalid". */ | |
880fcd14 | 1334 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, "ip", |
78aab811 | 1335 | "ct_commit; next;"); |
880fcd14 | 1336 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, "ip", |
78aab811 JP |
1337 | "ct_commit; next;"); |
1338 | ||
1339 | /* Ingress and Egress ACL Table (Priority 65535). | |
1340 | * | |
1341 | * Always drop traffic that's in an invalid state. This is | |
1342 | * enforced at a higher priority than ACLs can be defined. */ | |
880fcd14 | 1343 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
78aab811 | 1344 | "ct.inv", "drop;"); |
880fcd14 | 1345 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
78aab811 JP |
1346 | "ct.inv", "drop;"); |
1347 | ||
1348 | /* Ingress and Egress ACL Table (Priority 65535). | |
1349 | * | |
1350 | * Always allow traffic that is established to a committed | |
1351 | * conntrack entry. This is enforced at a higher priority than | |
1352 | * ACLs can be defined. */ | |
880fcd14 | 1353 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
78aab811 JP |
1354 | "ct.est && !ct.rel && !ct.new && !ct.inv", |
1355 | "next;"); | |
880fcd14 | 1356 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
78aab811 JP |
1357 | "ct.est && !ct.rel && !ct.new && !ct.inv", |
1358 | "next;"); | |
1359 | ||
1360 | /* Ingress and Egress ACL Table (Priority 65535). | |
1361 | * | |
1362 | * Always allow traffic that is related to an existing conntrack | |
1363 | * entry. This is enforced at a higher priority than ACLs can | |
1364 | * be defined. | |
1365 | * | |
1366 | * NOTE: This does not support related data sessions (eg, | |
1367 | * a dynamically negotiated FTP data channel), but will allow | |
1368 | * related traffic such as an ICMP Port Unreachable through | |
1369 | * that's generated from a non-listening UDP port. */ | |
880fcd14 | 1370 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
78aab811 JP |
1371 | "!ct.est && ct.rel && !ct.new && !ct.inv", |
1372 | "next;"); | |
880fcd14 | 1373 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
78aab811 JP |
1374 | "!ct.est && ct.rel && !ct.new && !ct.inv", |
1375 | "next;"); | |
1376 | } | |
1377 | ||
1378 | /* Ingress or Egress ACL Table (Various priorities). */ | |
9975d7be BP |
1379 | for (size_t i = 0; i < od->nbs->n_acls; i++) { |
1380 | struct nbrec_acl *acl = od->nbs->acls[i]; | |
78aab811 | 1381 | bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; |
880fcd14 | 1382 | enum ovn_stage stage = ingress ? S_SWITCH_IN_ACL : S_SWITCH_OUT_ACL; |
78aab811 JP |
1383 | |
1384 | if (!strcmp(acl->action, "allow")) { | |
1385 | /* If there are any stateful flows, we must even commit "allow" | |
1386 | * actions. This is because, while the initiater's | |
1387 | * direction may not have any stateful rules, the server's | |
1388 | * may and then its return traffic would not have an | |
1389 | * associated conntrack entry and would return "+invalid". */ | |
1390 | const char *actions = has_stateful ? "ct_commit; next;" : "next;"; | |
6bb4a18e JP |
1391 | ovn_lflow_add(lflows, od, stage, |
1392 | acl->priority + OVN_ACL_PRI_OFFSET, | |
78aab811 JP |
1393 | acl->match, actions); |
1394 | } else if (!strcmp(acl->action, "allow-related")) { | |
1395 | struct ds match = DS_EMPTY_INITIALIZER; | |
1396 | ||
1397 | /* Commit the connection tracking entry, which allows all | |
1398 | * other traffic related to this entry to flow due to the | |
1399 | * 65535 priority flow defined earlier. */ | |
1400 | ds_put_format(&match, "ct.new && (%s)", acl->match); | |
6bb4a18e JP |
1401 | ovn_lflow_add(lflows, od, stage, |
1402 | acl->priority + OVN_ACL_PRI_OFFSET, | |
78aab811 JP |
1403 | ds_cstr(&match), "ct_commit; next;"); |
1404 | ||
1405 | ds_destroy(&match); | |
1406 | } else if (!strcmp(acl->action, "drop")) { | |
6bb4a18e JP |
1407 | ovn_lflow_add(lflows, od, stage, |
1408 | acl->priority + OVN_ACL_PRI_OFFSET, | |
78aab811 JP |
1409 | acl->match, "drop;"); |
1410 | } else if (!strcmp(acl->action, "reject")) { | |
1411 | /* xxx Need to support "reject". */ | |
1412 | VLOG_INFO("reject is not a supported action"); | |
6bb4a18e JP |
1413 | ovn_lflow_add(lflows, od, stage, |
1414 | acl->priority + OVN_ACL_PRI_OFFSET, | |
78aab811 JP |
1415 | acl->match, "drop;"); |
1416 | } | |
1417 | } | |
1418 | } | |
1419 | ||
bd39395f | 1420 | static void |
9975d7be BP |
1421 | build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, |
1422 | struct hmap *lflows, struct hmap *mcgroups) | |
bd39395f | 1423 | { |
5cff6b99 BP |
1424 | /* This flow table structure is documented in ovn-northd(8), so please |
1425 | * update ovn-northd.8.xml if you change anything. */ | |
1426 | ||
9975d7be | 1427 | /* Build pre-ACL and ACL tables for both ingress and egress. |
685f4dfe | 1428 | * Ingress tables 3 and 4. Egress tables 0 and 1. */ |
5868eb24 BP |
1429 | struct ovn_datapath *od; |
1430 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
1431 | if (!od->nbs) { |
1432 | continue; | |
1433 | } | |
1434 | ||
48fcdb47 | 1435 | build_acls(od, lflows, ports); |
9975d7be BP |
1436 | } |
1437 | ||
1438 | /* Logical switch ingress table 0: Admission control framework (priority | |
1439 | * 100). */ | |
1440 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1441 | if (!od->nbs) { | |
1442 | continue; | |
1443 | } | |
1444 | ||
bd39395f | 1445 | /* Logical VLANs not supported. */ |
685f4dfe | 1446 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "vlan.present", |
091e3af9 | 1447 | "drop;"); |
bd39395f BP |
1448 | |
1449 | /* Broadcast/multicast source address is invalid. */ | |
685f4dfe | 1450 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]", |
091e3af9 | 1451 | "drop;"); |
bd39395f | 1452 | |
35060cdc BP |
1453 | /* Port security flows have priority 50 (see below) and will continue |
1454 | * to the next table if packet source is acceptable. */ | |
bd39395f BP |
1455 | } |
1456 | ||
685f4dfe NS |
1457 | /* Logical switch ingress table 0: Ingress port security - L2 |
1458 | * (priority 50). | |
1459 | * Ingress table 1: Ingress port security - IP (priority 90 and 80) | |
1460 | * Ingress table 2: Ingress port security - ND (priority 90 and 80) | |
1461 | */ | |
5868eb24 BP |
1462 | struct ovn_port *op; |
1463 | HMAP_FOR_EACH (op, key_node, ports) { | |
9975d7be BP |
1464 | if (!op->nbs) { |
1465 | continue; | |
1466 | } | |
1467 | ||
1468 | if (!lport_is_enabled(op->nbs)) { | |
96af668a BP |
1469 | /* Drop packets from disabled logical ports (since logical flow |
1470 | * tables are default-drop). */ | |
1471 | continue; | |
1472 | } | |
1473 | ||
5868eb24 | 1474 | struct ds match = DS_EMPTY_INITIALIZER; |
9975d7be | 1475 | ds_put_format(&match, "inport == %s", op->json_key); |
685f4dfe NS |
1476 | build_port_security_l2( |
1477 | "eth.src", op->nbs->port_security, op->nbs->n_port_security, | |
1478 | &match); | |
1479 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, | |
96af668a | 1480 | ds_cstr(&match), "next;"); |
5868eb24 | 1481 | ds_destroy(&match); |
685f4dfe NS |
1482 | |
1483 | if (op->nbs->n_port_security) { | |
1484 | build_port_security_ip(P_IN, op, lflows); | |
1485 | build_port_security_nd(op, lflows); | |
1486 | } | |
1487 | } | |
1488 | ||
1489 | /* Ingress table 1 and 2: Port security - IP and ND, by default goto next. | |
1490 | * (priority 0)*/ | |
1491 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1492 | if (!od->nbs) { | |
1493 | continue; | |
1494 | } | |
1495 | ||
1496 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_ND, 0, "1", "next;"); | |
1497 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_IP, 0, "1", "next;"); | |
5868eb24 | 1498 | } |
445a266a | 1499 | |
fa128126 HZ |
1500 | /* Ingress table 3: ARP responder, skip requests coming from localnet ports. |
1501 | * (priority 100). */ | |
1502 | HMAP_FOR_EACH (op, key_node, ports) { | |
1503 | if (!op->nbs) { | |
1504 | continue; | |
1505 | } | |
1506 | ||
1507 | if (!strcmp(op->nbs->type, "localnet")) { | |
1508 | char *match = xasprintf("inport == %s", op->json_key); | |
1509 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_RSP, 100, | |
1510 | match, "next;"); | |
1511 | free(match); | |
1512 | } | |
1513 | } | |
1514 | ||
685f4dfe | 1515 | /* Ingress table 5: ARP responder, reply for known IPs. |
fa128126 | 1516 | * (priority 50). */ |
57d143eb HZ |
1517 | HMAP_FOR_EACH (op, key_node, ports) { |
1518 | if (!op->nbs) { | |
1519 | continue; | |
1520 | } | |
1521 | ||
4c7bf534 NS |
1522 | /* |
1523 | * Add ARP reply flows if either the | |
1524 | * - port is up or | |
1525 | * - port type is router | |
1526 | */ | |
1527 | if (!lport_is_up(op->nbs) && strcmp(op->nbs->type, "router")) { | |
1528 | continue; | |
1529 | } | |
1530 | ||
57d143eb | 1531 | for (size_t i = 0; i < op->nbs->n_addresses; i++) { |
7dc88496 NS |
1532 | struct lport_addresses laddrs; |
1533 | if (!extract_lport_addresses(op->nbs->addresses[i], &laddrs, | |
1534 | false)) { | |
1535 | continue; | |
1536 | } | |
1537 | for (size_t j = 0; j < laddrs.n_ipv4_addrs; j++) { | |
57d143eb | 1538 | char *match = xasprintf( |
7dc88496 NS |
1539 | "arp.tpa == "IP_FMT" && arp.op == 1", |
1540 | IP_ARGS(laddrs.ipv4_addrs[j].addr)); | |
57d143eb HZ |
1541 | char *actions = xasprintf( |
1542 | "eth.dst = eth.src; " | |
1543 | "eth.src = "ETH_ADDR_FMT"; " | |
1544 | "arp.op = 2; /* ARP reply */ " | |
1545 | "arp.tha = arp.sha; " | |
1546 | "arp.sha = "ETH_ADDR_FMT"; " | |
1547 | "arp.tpa = arp.spa; " | |
1548 | "arp.spa = "IP_FMT"; " | |
1549 | "outport = inport; " | |
1550 | "inport = \"\"; /* Allow sending out inport. */ " | |
1551 | "output;", | |
7dc88496 NS |
1552 | ETH_ADDR_ARGS(laddrs.ea), |
1553 | ETH_ADDR_ARGS(laddrs.ea), | |
1554 | IP_ARGS(laddrs.ipv4_addrs[j].addr)); | |
fa128126 | 1555 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_RSP, 50, |
57d143eb HZ |
1556 | match, actions); |
1557 | free(match); | |
1558 | free(actions); | |
1559 | } | |
7dc88496 NS |
1560 | |
1561 | free(laddrs.ipv4_addrs); | |
57d143eb HZ |
1562 | } |
1563 | } | |
1564 | ||
685f4dfe | 1565 | /* Ingress table 5: ARP responder, by default goto next. |
fa128126 HZ |
1566 | * (priority 0)*/ |
1567 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1568 | if (!od->nbs) { | |
1569 | continue; | |
1570 | } | |
1571 | ||
1572 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ARP_RSP, 0, "1", "next;"); | |
1573 | } | |
1574 | ||
685f4dfe | 1575 | /* Ingress table 6: Destination lookup, broadcast and multicast handling |
5868eb24 BP |
1576 | * (priority 100). */ |
1577 | HMAP_FOR_EACH (op, key_node, ports) { | |
9975d7be BP |
1578 | if (!op->nbs) { |
1579 | continue; | |
1580 | } | |
1581 | ||
1582 | if (lport_is_enabled(op->nbs)) { | |
1583 | ovn_multicast_add(mcgroups, &mc_flood, op); | |
445a266a | 1584 | } |
5868eb24 BP |
1585 | } |
1586 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
1587 | if (!od->nbs) { |
1588 | continue; | |
1589 | } | |
1590 | ||
1591 | ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 100, "eth.mcast", | |
5868eb24 | 1592 | "outport = \""MC_FLOOD"\"; output;"); |
bd39395f | 1593 | } |
bd39395f | 1594 | |
685f4dfe | 1595 | /* Ingress table 6: Destination lookup, unicast handling (priority 50), */ |
5868eb24 | 1596 | HMAP_FOR_EACH (op, key_node, ports) { |
9975d7be BP |
1597 | if (!op->nbs) { |
1598 | continue; | |
1599 | } | |
1600 | ||
1601 | for (size_t i = 0; i < op->nbs->n_addresses; i++) { | |
74ff3298 | 1602 | struct eth_addr mac; |
5868eb24 | 1603 | |
9975d7be | 1604 | if (eth_addr_from_string(op->nbs->addresses[i], &mac)) { |
5868eb24 BP |
1605 | struct ds match, actions; |
1606 | ||
1607 | ds_init(&match); | |
9975d7be BP |
1608 | ds_put_format(&match, "eth.dst == "ETH_ADDR_FMT, |
1609 | ETH_ADDR_ARGS(mac)); | |
5868eb24 BP |
1610 | |
1611 | ds_init(&actions); | |
9975d7be BP |
1612 | ds_put_format(&actions, "outport = %s; output;", op->json_key); |
1613 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, | |
5868eb24 BP |
1614 | ds_cstr(&match), ds_cstr(&actions)); |
1615 | ds_destroy(&actions); | |
1616 | ds_destroy(&match); | |
9975d7be BP |
1617 | } else if (!strcmp(op->nbs->addresses[i], "unknown")) { |
1618 | if (lport_is_enabled(op->nbs)) { | |
1619 | ovn_multicast_add(mcgroups, &mc_unknown, op); | |
96af668a BP |
1620 | op->od->has_unknown = true; |
1621 | } | |
5868eb24 BP |
1622 | } else { |
1623 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
445a266a | 1624 | |
2fa326a3 BP |
1625 | VLOG_INFO_RL(&rl, |
1626 | "%s: invalid syntax '%s' in addresses column", | |
9975d7be | 1627 | op->nbs->name, op->nbs->addresses[i]); |
445a266a BP |
1628 | } |
1629 | } | |
bd39395f BP |
1630 | } |
1631 | ||
685f4dfe | 1632 | /* Ingress table 6: Destination lookup for unknown MACs (priority 0). */ |
5868eb24 | 1633 | HMAP_FOR_EACH (od, key_node, datapaths) { |
9975d7be BP |
1634 | if (!od->nbs) { |
1635 | continue; | |
1636 | } | |
1637 | ||
5868eb24 | 1638 | if (od->has_unknown) { |
9975d7be | 1639 | ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 0, "1", |
5868eb24 | 1640 | "outport = \""MC_UNKNOWN"\"; output;"); |
445a266a | 1641 | } |
bd39395f BP |
1642 | } |
1643 | ||
685f4dfe NS |
1644 | /* Egress table 2: Egress port security - IP (priority 0) |
1645 | * port security L2 - multicast/broadcast (priority | |
5868eb24 BP |
1646 | * 100). */ |
1647 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
1648 | if (!od->nbs) { |
1649 | continue; | |
1650 | } | |
1651 | ||
685f4dfe NS |
1652 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_IP, 0, "1", "next;"); |
1653 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_L2, 100, "eth.mcast", | |
091e3af9 | 1654 | "output;"); |
48f42f3a RB |
1655 | } |
1656 | ||
685f4dfe NS |
1657 | /* Egress table 2: Egress port security - IP (priorities 90 and 80) |
1658 | * if port security enabled. | |
1659 | * | |
1660 | * Egress table 3: Egress port security - L2 (priorities 50 and 150). | |
d770a830 BP |
1661 | * |
1662 | * Priority 50 rules implement port security for enabled logical port. | |
1663 | * | |
1664 | * Priority 150 rules drop packets to disabled logical ports, so that they | |
1665 | * don't even receive multicast or broadcast packets. */ | |
5868eb24 | 1666 | HMAP_FOR_EACH (op, key_node, ports) { |
9975d7be BP |
1667 | if (!op->nbs) { |
1668 | continue; | |
1669 | } | |
1670 | ||
1671 | struct ds match = DS_EMPTY_INITIALIZER; | |
1672 | ds_put_format(&match, "outport == %s", op->json_key); | |
1673 | if (lport_is_enabled(op->nbs)) { | |
685f4dfe NS |
1674 | build_port_security_l2("eth.dst", op->nbs->port_security, |
1675 | op->nbs->n_port_security, &match); | |
1676 | ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2, 50, | |
d770a830 BP |
1677 | ds_cstr(&match), "output;"); |
1678 | } else { | |
685f4dfe | 1679 | ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2, 150, |
d770a830 BP |
1680 | ds_cstr(&match), "drop;"); |
1681 | } | |
eb00399e | 1682 | |
5868eb24 | 1683 | ds_destroy(&match); |
685f4dfe NS |
1684 | |
1685 | if (op->nbs->n_port_security) { | |
1686 | build_port_security_ip(P_OUT, op, lflows); | |
1687 | } | |
eb00399e | 1688 | } |
9975d7be | 1689 | } |
eb00399e | 1690 | |
9975d7be BP |
1691 | static bool |
1692 | lrport_is_enabled(const struct nbrec_logical_router_port *lrport) | |
1693 | { | |
1694 | return !lrport->enabled || *lrport->enabled; | |
1695 | } | |
1696 | ||
1697 | static void | |
0bac7164 | 1698 | add_route(struct hmap *lflows, const struct ovn_port *op, |
9975d7be BP |
1699 | ovs_be32 network, ovs_be32 mask, ovs_be32 gateway) |
1700 | { | |
1701 | char *match = xasprintf("ip4.dst == "IP_FMT"/"IP_FMT, | |
1702 | IP_ARGS(network), IP_ARGS(mask)); | |
1703 | ||
1704 | struct ds actions = DS_EMPTY_INITIALIZER; | |
47f3b59b | 1705 | ds_put_cstr(&actions, "ip.ttl--; reg0 = "); |
9975d7be BP |
1706 | if (gateway) { |
1707 | ds_put_format(&actions, IP_FMT, IP_ARGS(gateway)); | |
1708 | } else { | |
1709 | ds_put_cstr(&actions, "ip4.dst"); | |
1710 | } | |
0bac7164 BP |
1711 | ds_put_format(&actions, |
1712 | "; " | |
1713 | "reg1 = "IP_FMT"; " | |
1714 | "eth.src = "ETH_ADDR_FMT"; " | |
1715 | "outport = %s; " | |
1716 | "next;", | |
1717 | IP_ARGS(op->ip), ETH_ADDR_ARGS(op->mac), op->json_key); | |
9975d7be BP |
1718 | |
1719 | /* The priority here is calculated to implement longest-prefix-match | |
1720 | * routing. */ | |
0bac7164 | 1721 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_ROUTING, |
9975d7be BP |
1722 | count_1bits(ntohl(mask)), match, ds_cstr(&actions)); |
1723 | ds_destroy(&actions); | |
1724 | free(match); | |
1725 | } | |
1726 | ||
28dc3fe9 SR |
1727 | static void |
1728 | build_static_route_flow(struct hmap *lflows, struct ovn_datapath *od, | |
1729 | struct hmap *ports, | |
1730 | const struct nbrec_logical_router_static_route *route) | |
1731 | { | |
1732 | ovs_be32 prefix, next_hop, mask; | |
1733 | ||
1734 | /* Verify that next hop is an IP address with 32 bits mask. */ | |
1735 | char *error = ip_parse_masked(route->nexthop, &next_hop, &mask); | |
1736 | if (error || mask != OVS_BE32_MAX) { | |
1737 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
1738 | VLOG_WARN_RL(&rl, "bad next hop ip address %s", route->nexthop); | |
1739 | free(error); | |
1740 | return; | |
1741 | } | |
1742 | ||
1743 | /* Verify that ip prefix is a valid CIDR address. */ | |
1744 | error = ip_parse_masked(route->ip_prefix, &prefix, &mask); | |
1745 | if (error || !ip_is_cidr(mask)) { | |
1746 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
1747 | VLOG_WARN_RL(&rl, "bad 'network' in static routes %s", | |
1748 | route->ip_prefix); | |
1749 | free(error); | |
1750 | return; | |
1751 | } | |
1752 | ||
1753 | /* Find the outgoing port. */ | |
1754 | struct ovn_port *out_port = NULL; | |
1755 | if (route->output_port) { | |
1756 | out_port = ovn_port_find(ports, route->output_port); | |
1757 | if (!out_port) { | |
1758 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
1759 | VLOG_WARN_RL(&rl, "Bad out port %s for static route %s", | |
1760 | route->output_port, route->ip_prefix); | |
1761 | return; | |
1762 | } | |
1763 | } else { | |
1764 | /* output_port is not specified, find the | |
1765 | * router port matching the next hop. */ | |
1766 | int i; | |
1767 | for (i = 0; i < od->nbr->n_ports; i++) { | |
1768 | struct nbrec_logical_router_port *lrp = od->nbr->ports[i]; | |
1769 | out_port = ovn_port_find(ports, lrp->name); | |
1770 | if (!out_port) { | |
1771 | /* This should not happen. */ | |
1772 | continue; | |
1773 | } | |
1774 | ||
1775 | if (out_port->network | |
1776 | && !((out_port->network ^ next_hop) & out_port->mask)) { | |
1777 | /* There should be only 1 interface that matches the next hop. | |
1778 | * Otherwise, it's a configuration error, because subnets of | |
1779 | * router's interfaces should NOT overlap. */ | |
1780 | break; | |
1781 | } | |
1782 | } | |
1783 | if (i == od->nbr->n_ports) { | |
1784 | /* There is no matched out port. */ | |
1785 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
1786 | VLOG_WARN_RL(&rl, "No path for static route %s; next hop %s", | |
1787 | route->ip_prefix, route->nexthop); | |
1788 | return; | |
1789 | } | |
1790 | } | |
1791 | ||
1792 | add_route(lflows, out_port, prefix, mask, next_hop); | |
1793 | } | |
1794 | ||
9975d7be BP |
1795 | static void |
1796 | build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, | |
1797 | struct hmap *lflows) | |
1798 | { | |
1799 | /* This flow table structure is documented in ovn-northd(8), so please | |
1800 | * update ovn-northd.8.xml if you change anything. */ | |
1801 | ||
9975d7be BP |
1802 | /* Logical router ingress table 0: Admission control framework. */ |
1803 | struct ovn_datapath *od; | |
1804 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1805 | if (!od->nbr) { | |
1806 | continue; | |
1807 | } | |
1808 | ||
1809 | /* Logical VLANs not supported. | |
1810 | * Broadcast/multicast source address is invalid. */ | |
1811 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ADMISSION, 100, | |
1812 | "vlan.present || eth.src[40]", "drop;"); | |
1813 | } | |
1814 | ||
1815 | /* Logical router ingress table 0: match (priority 50). */ | |
1816 | struct ovn_port *op; | |
1817 | HMAP_FOR_EACH (op, key_node, ports) { | |
1818 | if (!op->nbr) { | |
1819 | continue; | |
1820 | } | |
1821 | ||
1822 | if (!lrport_is_enabled(op->nbr)) { | |
1823 | /* Drop packets from disabled logical ports (since logical flow | |
1824 | * tables are default-drop). */ | |
1825 | continue; | |
1826 | } | |
1827 | ||
1828 | char *match = xasprintf( | |
1829 | "(eth.mcast || eth.dst == "ETH_ADDR_FMT") && inport == %s", | |
1830 | ETH_ADDR_ARGS(op->mac), op->json_key); | |
1831 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_ADMISSION, 50, | |
1832 | match, "next;"); | |
e2229be9 | 1833 | free(match); |
9975d7be BP |
1834 | } |
1835 | ||
1836 | /* Logical router ingress table 1: IP Input. */ | |
78aab811 | 1837 | HMAP_FOR_EACH (od, key_node, datapaths) { |
9975d7be BP |
1838 | if (!od->nbr) { |
1839 | continue; | |
1840 | } | |
1841 | ||
1842 | /* L3 admission control: drop multicast and broadcast source, localhost | |
1843 | * source or destination, and zero network source or destination | |
1844 | * (priority 100). */ | |
1845 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 100, | |
1846 | "ip4.mcast || " | |
1847 | "ip4.src == 255.255.255.255 || " | |
1848 | "ip4.src == 127.0.0.0/8 || " | |
1849 | "ip4.dst == 127.0.0.0/8 || " | |
1850 | "ip4.src == 0.0.0.0/8 || " | |
1851 | "ip4.dst == 0.0.0.0/8", | |
1852 | "drop;"); | |
1853 | ||
0bac7164 BP |
1854 | /* ARP reply handling. Use ARP replies to populate the logical |
1855 | * router's ARP table. */ | |
1856 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 90, "arp.op == 2", | |
1857 | "put_arp(inport, arp.spa, arp.sha);"); | |
1858 | ||
9975d7be BP |
1859 | /* Drop Ethernet local broadcast. By definition this traffic should |
1860 | * not be forwarded.*/ | |
1861 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 50, | |
1862 | "eth.bcast", "drop;"); | |
1863 | ||
1864 | /* Drop IP multicast. */ | |
1865 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 50, | |
1866 | "ip4.mcast", "drop;"); | |
1867 | ||
1868 | /* TTL discard. | |
1869 | * | |
1870 | * XXX Need to send ICMP time exceeded if !ip.later_frag. */ | |
1871 | char *match = xasprintf("ip4 && ip.ttl == {0, 1}"); | |
1872 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 30, match, "drop;"); | |
1873 | free(match); | |
1874 | ||
1875 | /* Pass other traffic not already handled to the next table for | |
1876 | * routing. */ | |
1877 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 0, "1", "next;"); | |
78aab811 JP |
1878 | } |
1879 | ||
9975d7be BP |
1880 | HMAP_FOR_EACH (op, key_node, ports) { |
1881 | if (!op->nbr) { | |
1882 | continue; | |
1883 | } | |
1884 | ||
1885 | /* L3 admission control: drop packets that originate from an IP address | |
1886 | * owned by the router or a broadcast address known to the router | |
1887 | * (priority 100). */ | |
1888 | char *match = xasprintf("ip4.src == {"IP_FMT", "IP_FMT"}", | |
1889 | IP_ARGS(op->ip), IP_ARGS(op->bcast)); | |
1890 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 100, | |
1891 | match, "drop;"); | |
1892 | free(match); | |
1893 | ||
dd7652e6 JP |
1894 | /* ICMP echo reply. These flows reply to ICMP echo requests |
1895 | * received for the router's IP address. */ | |
1896 | match = xasprintf( | |
1897 | "inport == %s && (ip4.dst == "IP_FMT" || ip4.dst == "IP_FMT") && " | |
1898 | "icmp4.type == 8 && icmp4.code == 0", | |
1899 | op->json_key, IP_ARGS(op->ip), IP_ARGS(op->bcast)); | |
1900 | char *actions = xasprintf( | |
1901 | "ip4.dst = ip4.src; " | |
1902 | "ip4.src = "IP_FMT"; " | |
1903 | "ip.ttl = 255; " | |
1904 | "icmp4.type = 0; " | |
1905 | "inport = \"\"; /* Allow sending out inport. */ " | |
1906 | "next; ", | |
1907 | IP_ARGS(op->ip)); | |
1908 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
1909 | match, actions); | |
1910 | free(match); | |
1911 | free(actions); | |
1912 | ||
9975d7be BP |
1913 | /* ARP reply. These flows reply to ARP requests for the router's own |
1914 | * IP address. */ | |
1915 | match = xasprintf( | |
1916 | "inport == %s && arp.tpa == "IP_FMT" && arp.op == 1", | |
1917 | op->json_key, IP_ARGS(op->ip)); | |
dd7652e6 | 1918 | actions = xasprintf( |
9975d7be BP |
1919 | "eth.dst = eth.src; " |
1920 | "eth.src = "ETH_ADDR_FMT"; " | |
1921 | "arp.op = 2; /* ARP reply */ " | |
1922 | "arp.tha = arp.sha; " | |
1923 | "arp.sha = "ETH_ADDR_FMT"; " | |
1924 | "arp.tpa = arp.spa; " | |
1925 | "arp.spa = "IP_FMT"; " | |
1926 | "outport = %s; " | |
1927 | "inport = \"\"; /* Allow sending out inport. */ " | |
1928 | "output;", | |
1929 | ETH_ADDR_ARGS(op->mac), | |
1930 | ETH_ADDR_ARGS(op->mac), | |
1931 | IP_ARGS(op->ip), | |
1932 | op->json_key); | |
1933 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
1934 | match, actions); | |
abcec848 JP |
1935 | free(match); |
1936 | free(actions); | |
9975d7be BP |
1937 | |
1938 | /* Drop IP traffic to this router. */ | |
1939 | match = xasprintf("ip4.dst == "IP_FMT, IP_ARGS(op->ip)); | |
1940 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60, | |
1941 | match, "drop;"); | |
1942 | free(match); | |
1943 | } | |
1944 | ||
1945 | /* Logical router ingress table 2: IP Routing. | |
1946 | * | |
1947 | * A packet that arrives at this table is an IP packet that should be | |
0bac7164 BP |
1948 | * routed to the address in ip4.dst. This table sets outport to the correct |
1949 | * output port, eth.src to the output port's MAC address, and reg0 to the | |
1950 | * next-hop IP address (leaving ip4.dst, the packet’s final destination, | |
1951 | * unchanged), and advances to the next table for ARP resolution. */ | |
9975d7be BP |
1952 | HMAP_FOR_EACH (op, key_node, ports) { |
1953 | if (!op->nbr) { | |
1954 | continue; | |
1955 | } | |
1956 | ||
0bac7164 | 1957 | add_route(lflows, op, op->network, op->mask, 0); |
9975d7be BP |
1958 | } |
1959 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1960 | if (!od->nbr) { | |
1961 | continue; | |
1962 | } | |
1963 | ||
28dc3fe9 SR |
1964 | /* Convert the static routes to flows. */ |
1965 | for (int i = 0; i < od->nbr->n_static_routes; i++) { | |
1966 | const struct nbrec_logical_router_static_route *route; | |
1967 | ||
1968 | route = od->nbr->static_routes[i]; | |
1969 | build_static_route_flow(lflows, od, ports, route); | |
1970 | } | |
1971 | ||
0bac7164 BP |
1972 | if (od->gateway && od->gateway_port) { |
1973 | add_route(lflows, od->gateway_port, 0, 0, od->gateway); | |
9975d7be BP |
1974 | } |
1975 | } | |
1976 | /* XXX destination unreachable */ | |
1977 | ||
1978 | /* Local router ingress table 3: ARP Resolution. | |
1979 | * | |
1980 | * Any packet that reaches this table is an IP packet whose next-hop IP | |
1981 | * address is in reg0. (ip4.dst is the final destination.) This table | |
1982 | * resolves the IP address in reg0 into an output port in outport and an | |
1983 | * Ethernet address in eth.dst. */ | |
1984 | HMAP_FOR_EACH (op, key_node, ports) { | |
1985 | if (op->nbr) { | |
509afdc3 GS |
1986 | /* This is a logical router port. If next-hop IP address in 'reg0' |
1987 | * matches ip address of this router port, then the packet is | |
1988 | * intended to eventually be sent to this logical port. Set the | |
1989 | * destination mac address using this port's mac address. | |
1990 | * | |
1991 | * The packet is still in peer's logical pipeline. So the match | |
1992 | * should be on peer's outport. */ | |
1993 | if (op->nbr->peer) { | |
1994 | struct ovn_port *peer = ovn_port_find(ports, op->nbr->peer); | |
1995 | if (!peer) { | |
1996 | continue; | |
1997 | } | |
1998 | ||
1999 | if (!peer->ip || !op->ip) { | |
2000 | continue; | |
2001 | } | |
2002 | char *match = xasprintf("outport == %s && reg0 == "IP_FMT, | |
2003 | peer->json_key, IP_ARGS(op->ip)); | |
2004 | char *actions = xasprintf("eth.dst = "ETH_ADDR_FMT"; " | |
2005 | "next;", ETH_ADDR_ARGS(op->mac)); | |
2006 | ovn_lflow_add(lflows, peer->od, S_ROUTER_IN_ARP_RESOLVE, | |
2007 | 100, match, actions); | |
2008 | free(actions); | |
2009 | free(match); | |
2010 | } | |
86e98048 | 2011 | } else if (op->od->n_router_ports) { |
9975d7be | 2012 | for (size_t i = 0; i < op->nbs->n_addresses; i++) { |
7dc88496 NS |
2013 | struct lport_addresses laddrs; |
2014 | if (!extract_lport_addresses(op->nbs->addresses[i], &laddrs, | |
2015 | false)) { | |
2016 | continue; | |
2017 | } | |
9975d7be | 2018 | |
7dc88496 NS |
2019 | for (size_t k = 0; k < laddrs.n_ipv4_addrs; k++) { |
2020 | ovs_be32 ip = laddrs.ipv4_addrs[k].addr; | |
86e98048 BP |
2021 | for (size_t j = 0; j < op->od->n_router_ports; j++) { |
2022 | /* Get the Logical_Router_Port that the Logical_Port is | |
2023 | * connected to, as 'peer'. */ | |
2024 | const char *peer_name = smap_get( | |
2025 | &op->od->router_ports[j]->nbs->options, | |
2026 | "router-port"); | |
2027 | if (!peer_name) { | |
2028 | continue; | |
2029 | } | |
2030 | ||
2031 | struct ovn_port *peer | |
2032 | = ovn_port_find(ports, peer_name); | |
2033 | if (!peer || !peer->nbr) { | |
2034 | continue; | |
2035 | } | |
2036 | ||
2037 | /* Make sure that 'ip' is in 'peer''s network. */ | |
2038 | if ((ip ^ peer->network) & peer->mask) { | |
2039 | continue; | |
2040 | } | |
2041 | ||
0bac7164 BP |
2042 | char *match = xasprintf( |
2043 | "outport == %s && reg0 == "IP_FMT, | |
2044 | peer->json_key, IP_ARGS(ip)); | |
2045 | char *actions = xasprintf("eth.dst = "ETH_ADDR_FMT"; " | |
2046 | "next;", | |
2047 | ETH_ADDR_ARGS(laddrs.ea)); | |
86e98048 | 2048 | ovn_lflow_add(lflows, peer->od, |
0bac7164 BP |
2049 | S_ROUTER_IN_ARP_RESOLVE, |
2050 | 100, match, actions); | |
86e98048 BP |
2051 | free(actions); |
2052 | free(match); | |
2053 | break; | |
2054 | } | |
9975d7be | 2055 | } |
7dc88496 NS |
2056 | |
2057 | free(laddrs.ipv4_addrs); | |
9975d7be BP |
2058 | } |
2059 | } | |
2060 | } | |
0bac7164 BP |
2061 | HMAP_FOR_EACH (od, key_node, datapaths) { |
2062 | if (!od->nbr) { | |
2063 | continue; | |
2064 | } | |
2065 | ||
2066 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "1", | |
2067 | "get_arp(outport, reg0); next;"); | |
2068 | } | |
2069 | ||
2070 | /* Local router ingress table 4: ARP request. | |
2071 | * | |
2072 | * In the common case where the Ethernet destination has been resolved, | |
2073 | * this table outputs the packet (priority 100). Otherwise, it composes | |
2074 | * and sends an ARP request (priority 0). */ | |
2075 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
2076 | if (!od->nbr) { | |
2077 | continue; | |
2078 | } | |
2079 | ||
2080 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_REQUEST, 100, | |
2081 | "eth.dst == 00:00:00:00:00:00", | |
2082 | "arp { " | |
2083 | "eth.dst = ff:ff:ff:ff:ff:ff; " | |
2084 | "arp.spa = reg1; " | |
2085 | "arp.op = 1; " /* ARP request */ | |
2086 | "output; " | |
2087 | "};"); | |
2088 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_REQUEST, 0, "1", "output;"); | |
2089 | } | |
9975d7be BP |
2090 | |
2091 | /* Logical router egress table 0: Delivery (priority 100). | |
2092 | * | |
2093 | * Priority 100 rules deliver packets to enabled logical ports. */ | |
2094 | HMAP_FOR_EACH (op, key_node, ports) { | |
2095 | if (!op->nbr) { | |
2096 | continue; | |
2097 | } | |
2098 | ||
2099 | if (!lrport_is_enabled(op->nbr)) { | |
2100 | /* Drop packets to disabled logical ports (since logical flow | |
2101 | * tables are default-drop). */ | |
2102 | continue; | |
2103 | } | |
2104 | ||
2105 | char *match = xasprintf("outport == %s", op->json_key); | |
2106 | ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_DELIVERY, 100, | |
2107 | match, "output;"); | |
2108 | free(match); | |
2109 | } | |
2110 | } | |
2111 | ||
2112 | /* Updates the Logical_Flow and Multicast_Group tables in the OVN_SB database, | |
2113 | * constructing their contents based on the OVN_NB database. */ | |
2114 | static void | |
2115 | build_lflows(struct northd_context *ctx, struct hmap *datapaths, | |
2116 | struct hmap *ports) | |
2117 | { | |
2118 | struct hmap lflows = HMAP_INITIALIZER(&lflows); | |
2119 | struct hmap mcgroups = HMAP_INITIALIZER(&mcgroups); | |
2120 | ||
2121 | build_lswitch_flows(datapaths, ports, &lflows, &mcgroups); | |
2122 | build_lrouter_flows(datapaths, ports, &lflows); | |
2123 | ||
5868eb24 BP |
2124 | /* Push changes to the Logical_Flow table to database. */ |
2125 | const struct sbrec_logical_flow *sbflow, *next_sbflow; | |
2126 | SBREC_LOGICAL_FLOW_FOR_EACH_SAFE (sbflow, next_sbflow, ctx->ovnsb_idl) { | |
2127 | struct ovn_datapath *od | |
2128 | = ovn_datapath_from_sbrec(datapaths, sbflow->logical_datapath); | |
2129 | if (!od) { | |
2130 | sbrec_logical_flow_delete(sbflow); | |
2131 | continue; | |
eb00399e | 2132 | } |
eb00399e | 2133 | |
9975d7be | 2134 | enum ovn_datapath_type dp_type = od->nbs ? DP_SWITCH : DP_ROUTER; |
880fcd14 BP |
2135 | enum ovn_pipeline pipeline |
2136 | = !strcmp(sbflow->pipeline, "ingress") ? P_IN : P_OUT; | |
5868eb24 | 2137 | struct ovn_lflow *lflow = ovn_lflow_find( |
880fcd14 BP |
2138 | &lflows, od, ovn_stage_build(dp_type, pipeline, sbflow->table_id), |
2139 | sbflow->priority, sbflow->match, sbflow->actions); | |
5868eb24 BP |
2140 | if (lflow) { |
2141 | ovn_lflow_destroy(&lflows, lflow); | |
2142 | } else { | |
2143 | sbrec_logical_flow_delete(sbflow); | |
4edcdcf4 RB |
2144 | } |
2145 | } | |
5868eb24 BP |
2146 | struct ovn_lflow *lflow, *next_lflow; |
2147 | HMAP_FOR_EACH_SAFE (lflow, next_lflow, hmap_node, &lflows) { | |
880fcd14 BP |
2148 | enum ovn_pipeline pipeline = ovn_stage_get_pipeline(lflow->stage); |
2149 | uint8_t table = ovn_stage_get_table(lflow->stage); | |
2150 | ||
5868eb24 BP |
2151 | sbflow = sbrec_logical_flow_insert(ctx->ovnsb_txn); |
2152 | sbrec_logical_flow_set_logical_datapath(sbflow, lflow->od->sb); | |
9975d7be BP |
2153 | sbrec_logical_flow_set_pipeline( |
2154 | sbflow, pipeline == P_IN ? "ingress" : "egress"); | |
880fcd14 | 2155 | sbrec_logical_flow_set_table_id(sbflow, table); |
5868eb24 BP |
2156 | sbrec_logical_flow_set_priority(sbflow, lflow->priority); |
2157 | sbrec_logical_flow_set_match(sbflow, lflow->match); | |
2158 | sbrec_logical_flow_set_actions(sbflow, lflow->actions); | |
091e3af9 | 2159 | |
880fcd14 BP |
2160 | const struct smap ids = SMAP_CONST1(&ids, "stage-name", |
2161 | ovn_stage_to_str(lflow->stage)); | |
aaf881c6 | 2162 | sbrec_logical_flow_set_external_ids(sbflow, &ids); |
091e3af9 | 2163 | |
5868eb24 | 2164 | ovn_lflow_destroy(&lflows, lflow); |
eb00399e | 2165 | } |
5868eb24 BP |
2166 | hmap_destroy(&lflows); |
2167 | ||
2168 | /* Push changes to the Multicast_Group table to database. */ | |
2169 | const struct sbrec_multicast_group *sbmc, *next_sbmc; | |
2170 | SBREC_MULTICAST_GROUP_FOR_EACH_SAFE (sbmc, next_sbmc, ctx->ovnsb_idl) { | |
2171 | struct ovn_datapath *od = ovn_datapath_from_sbrec(datapaths, | |
2172 | sbmc->datapath); | |
2173 | if (!od) { | |
2174 | sbrec_multicast_group_delete(sbmc); | |
2175 | continue; | |
2176 | } | |
eb00399e | 2177 | |
5868eb24 BP |
2178 | struct multicast_group group = { .name = sbmc->name, |
2179 | .key = sbmc->tunnel_key }; | |
2180 | struct ovn_multicast *mc = ovn_multicast_find(&mcgroups, od, &group); | |
2181 | if (mc) { | |
2182 | ovn_multicast_update_sbrec(mc, sbmc); | |
2183 | ovn_multicast_destroy(&mcgroups, mc); | |
2184 | } else { | |
2185 | sbrec_multicast_group_delete(sbmc); | |
2186 | } | |
2187 | } | |
2188 | struct ovn_multicast *mc, *next_mc; | |
2189 | HMAP_FOR_EACH_SAFE (mc, next_mc, hmap_node, &mcgroups) { | |
2190 | sbmc = sbrec_multicast_group_insert(ctx->ovnsb_txn); | |
2191 | sbrec_multicast_group_set_datapath(sbmc, mc->datapath->sb); | |
2192 | sbrec_multicast_group_set_name(sbmc, mc->group->name); | |
2193 | sbrec_multicast_group_set_tunnel_key(sbmc, mc->group->key); | |
2194 | ovn_multicast_update_sbrec(mc, sbmc); | |
2195 | ovn_multicast_destroy(&mcgroups, mc); | |
4edcdcf4 | 2196 | } |
5868eb24 | 2197 | hmap_destroy(&mcgroups); |
4edcdcf4 | 2198 | } |
5868eb24 | 2199 | \f |
4edcdcf4 | 2200 | static void |
331e7aef | 2201 | ovnnb_db_run(struct northd_context *ctx) |
4edcdcf4 | 2202 | { |
331e7aef NS |
2203 | if (!ctx->ovnsb_txn) { |
2204 | return; | |
2205 | } | |
5868eb24 BP |
2206 | struct hmap datapaths, ports; |
2207 | build_datapaths(ctx, &datapaths); | |
2208 | build_ports(ctx, &datapaths, &ports); | |
2209 | build_lflows(ctx, &datapaths, &ports); | |
2210 | ||
2211 | struct ovn_datapath *dp, *next_dp; | |
2212 | HMAP_FOR_EACH_SAFE (dp, next_dp, key_node, &datapaths) { | |
2213 | ovn_datapath_destroy(&datapaths, dp); | |
2214 | } | |
2215 | hmap_destroy(&datapaths); | |
2216 | ||
2217 | struct ovn_port *port, *next_port; | |
2218 | HMAP_FOR_EACH_SAFE (port, next_port, key_node, &ports) { | |
2219 | ovn_port_destroy(&ports, port); | |
2220 | } | |
2221 | hmap_destroy(&ports); | |
ac0630a2 RB |
2222 | } |
2223 | ||
f93818dd RB |
2224 | /* |
2225 | * The only change we get notified about is if the 'chassis' column of the | |
dcda6e0d BP |
2226 | * 'Port_Binding' table changes. When this column is not empty, it means we |
2227 | * need to set the corresponding logical port as 'up' in the northbound DB. | |
f93818dd | 2228 | */ |
ac0630a2 | 2229 | static void |
331e7aef | 2230 | ovnsb_db_run(struct northd_context *ctx) |
ac0630a2 | 2231 | { |
331e7aef NS |
2232 | if (!ctx->ovnnb_txn) { |
2233 | return; | |
2234 | } | |
fc3113bc | 2235 | struct hmap lports_hmap; |
5868eb24 BP |
2236 | const struct sbrec_port_binding *sb; |
2237 | const struct nbrec_logical_port *nb; | |
fc3113bc RB |
2238 | |
2239 | struct lport_hash_node { | |
2240 | struct hmap_node node; | |
5868eb24 | 2241 | const struct nbrec_logical_port *nb; |
4ec3d7c7 | 2242 | } *hash_node; |
f93818dd | 2243 | |
fc3113bc | 2244 | hmap_init(&lports_hmap); |
f93818dd | 2245 | |
5868eb24 | 2246 | NBREC_LOGICAL_PORT_FOR_EACH(nb, ctx->ovnnb_idl) { |
fc3113bc | 2247 | hash_node = xzalloc(sizeof *hash_node); |
5868eb24 BP |
2248 | hash_node->nb = nb; |
2249 | hmap_insert(&lports_hmap, &hash_node->node, hash_string(nb->name, 0)); | |
fc3113bc RB |
2250 | } |
2251 | ||
5868eb24 BP |
2252 | SBREC_PORT_BINDING_FOR_EACH(sb, ctx->ovnsb_idl) { |
2253 | nb = NULL; | |
fc3113bc | 2254 | HMAP_FOR_EACH_WITH_HASH(hash_node, node, |
5868eb24 BP |
2255 | hash_string(sb->logical_port, 0), |
2256 | &lports_hmap) { | |
2257 | if (!strcmp(sb->logical_port, hash_node->nb->name)) { | |
2258 | nb = hash_node->nb; | |
fc3113bc RB |
2259 | break; |
2260 | } | |
f93818dd RB |
2261 | } |
2262 | ||
5868eb24 | 2263 | if (!nb) { |
dcda6e0d | 2264 | /* The logical port doesn't exist for this port binding. This can |
2e2762d4 | 2265 | * happen under normal circumstances when ovn-northd hasn't gotten |
dcda6e0d | 2266 | * around to pruning the Port_Binding yet. */ |
f93818dd RB |
2267 | continue; |
2268 | } | |
2269 | ||
5868eb24 | 2270 | if (sb->chassis && (!nb->up || !*nb->up)) { |
f93818dd | 2271 | bool up = true; |
5868eb24 BP |
2272 | nbrec_logical_port_set_up(nb, &up, 1); |
2273 | } else if (!sb->chassis && (!nb->up || *nb->up)) { | |
f93818dd | 2274 | bool up = false; |
5868eb24 | 2275 | nbrec_logical_port_set_up(nb, &up, 1); |
f93818dd RB |
2276 | } |
2277 | } | |
fc3113bc | 2278 | |
4ec3d7c7 | 2279 | HMAP_FOR_EACH_POP(hash_node, node, &lports_hmap) { |
fc3113bc RB |
2280 | free(hash_node); |
2281 | } | |
2282 | hmap_destroy(&lports_hmap); | |
ac0630a2 RB |
2283 | } |
2284 | \f | |
45f98d4c | 2285 | |
60bdd011 | 2286 | static char *default_nb_db_; |
45f98d4c | 2287 | |
ac0630a2 | 2288 | static const char * |
60bdd011 | 2289 | default_nb_db(void) |
ac0630a2 | 2290 | { |
60bdd011 RM |
2291 | if (!default_nb_db_) { |
2292 | default_nb_db_ = xasprintf("unix:%s/ovnnb_db.sock", ovs_rundir()); | |
ac0630a2 | 2293 | } |
60bdd011 RM |
2294 | return default_nb_db_; |
2295 | } | |
2296 | ||
2297 | static char *default_sb_db_; | |
2298 | ||
2299 | static const char * | |
2300 | default_sb_db(void) | |
2301 | { | |
2302 | if (!default_sb_db_) { | |
2303 | default_sb_db_ = xasprintf("unix:%s/ovnsb_db.sock", ovs_rundir()); | |
2304 | } | |
2305 | return default_sb_db_; | |
ac0630a2 RB |
2306 | } |
2307 | ||
2308 | static void | |
2309 | parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) | |
2310 | { | |
2311 | enum { | |
67d9b930 | 2312 | DAEMON_OPTION_ENUMS, |
ac0630a2 RB |
2313 | VLOG_OPTION_ENUMS, |
2314 | }; | |
2315 | static const struct option long_options[] = { | |
ec78987f | 2316 | {"ovnsb-db", required_argument, NULL, 'd'}, |
ac0630a2 RB |
2317 | {"ovnnb-db", required_argument, NULL, 'D'}, |
2318 | {"help", no_argument, NULL, 'h'}, | |
2319 | {"options", no_argument, NULL, 'o'}, | |
2320 | {"version", no_argument, NULL, 'V'}, | |
67d9b930 | 2321 | DAEMON_LONG_OPTIONS, |
ac0630a2 RB |
2322 | VLOG_LONG_OPTIONS, |
2323 | STREAM_SSL_LONG_OPTIONS, | |
2324 | {NULL, 0, NULL, 0}, | |
2325 | }; | |
2326 | char *short_options = ovs_cmdl_long_options_to_short_options(long_options); | |
2327 | ||
2328 | for (;;) { | |
2329 | int c; | |
2330 | ||
2331 | c = getopt_long(argc, argv, short_options, long_options, NULL); | |
2332 | if (c == -1) { | |
2333 | break; | |
2334 | } | |
2335 | ||
2336 | switch (c) { | |
67d9b930 | 2337 | DAEMON_OPTION_HANDLERS; |
ac0630a2 RB |
2338 | VLOG_OPTION_HANDLERS; |
2339 | STREAM_SSL_OPTION_HANDLERS; | |
2340 | ||
2341 | case 'd': | |
ec78987f | 2342 | ovnsb_db = optarg; |
ac0630a2 RB |
2343 | break; |
2344 | ||
2345 | case 'D': | |
2346 | ovnnb_db = optarg; | |
2347 | break; | |
2348 | ||
2349 | case 'h': | |
2350 | usage(); | |
2351 | exit(EXIT_SUCCESS); | |
2352 | ||
2353 | case 'o': | |
2354 | ovs_cmdl_print_options(long_options); | |
2355 | exit(EXIT_SUCCESS); | |
2356 | ||
2357 | case 'V': | |
2358 | ovs_print_version(0, 0); | |
2359 | exit(EXIT_SUCCESS); | |
2360 | ||
2361 | default: | |
2362 | break; | |
2363 | } | |
2364 | } | |
2365 | ||
ec78987f | 2366 | if (!ovnsb_db) { |
60bdd011 | 2367 | ovnsb_db = default_sb_db(); |
ac0630a2 RB |
2368 | } |
2369 | ||
2370 | if (!ovnnb_db) { | |
60bdd011 | 2371 | ovnnb_db = default_nb_db(); |
ac0630a2 RB |
2372 | } |
2373 | ||
2374 | free(short_options); | |
2375 | } | |
2376 | ||
5868eb24 BP |
2377 | static void |
2378 | add_column_noalert(struct ovsdb_idl *idl, | |
2379 | const struct ovsdb_idl_column *column) | |
2380 | { | |
2381 | ovsdb_idl_add_column(idl, column); | |
2382 | ovsdb_idl_omit_alert(idl, column); | |
2383 | } | |
2384 | ||
ac0630a2 RB |
2385 | int |
2386 | main(int argc, char *argv[]) | |
2387 | { | |
ac0630a2 | 2388 | int res = EXIT_SUCCESS; |
7b303ff9 AW |
2389 | struct unixctl_server *unixctl; |
2390 | int retval; | |
2391 | bool exiting; | |
ac0630a2 RB |
2392 | |
2393 | fatal_ignore_sigpipe(); | |
2394 | set_program_name(argv[0]); | |
485f0696 | 2395 | service_start(&argc, &argv); |
ac0630a2 | 2396 | parse_options(argc, argv); |
67d9b930 | 2397 | |
e91b927d | 2398 | daemonize_start(false); |
7b303ff9 AW |
2399 | |
2400 | retval = unixctl_server_create(NULL, &unixctl); | |
2401 | if (retval) { | |
2402 | exit(EXIT_FAILURE); | |
2403 | } | |
2404 | unixctl_command_register("exit", "", 0, 0, ovn_northd_exit, &exiting); | |
2405 | ||
2406 | daemonize_complete(); | |
67d9b930 | 2407 | |
ac0630a2 | 2408 | nbrec_init(); |
ec78987f | 2409 | sbrec_init(); |
ac0630a2 RB |
2410 | |
2411 | /* We want to detect all changes to the ovn-nb db. */ | |
331e7aef NS |
2412 | struct ovsdb_idl_loop ovnnb_idl_loop = OVSDB_IDL_LOOP_INITIALIZER( |
2413 | ovsdb_idl_create(ovnnb_db, &nbrec_idl_class, true, true)); | |
2414 | ||
2415 | struct ovsdb_idl_loop ovnsb_idl_loop = OVSDB_IDL_LOOP_INITIALIZER( | |
2416 | ovsdb_idl_create(ovnsb_db, &sbrec_idl_class, false, true)); | |
2417 | ||
2418 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_logical_flow); | |
2419 | add_column_noalert(ovnsb_idl_loop.idl, | |
2420 | &sbrec_logical_flow_col_logical_datapath); | |
2421 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_pipeline); | |
2422 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_table_id); | |
2423 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_priority); | |
2424 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_match); | |
2425 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_actions); | |
2426 | ||
2427 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_multicast_group); | |
2428 | add_column_noalert(ovnsb_idl_loop.idl, | |
2429 | &sbrec_multicast_group_col_datapath); | |
2430 | add_column_noalert(ovnsb_idl_loop.idl, | |
2431 | &sbrec_multicast_group_col_tunnel_key); | |
2432 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_multicast_group_col_name); | |
2433 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_multicast_group_col_ports); | |
2434 | ||
2435 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_datapath_binding); | |
2436 | add_column_noalert(ovnsb_idl_loop.idl, | |
2437 | &sbrec_datapath_binding_col_tunnel_key); | |
2438 | add_column_noalert(ovnsb_idl_loop.idl, | |
2439 | &sbrec_datapath_binding_col_external_ids); | |
2440 | ||
2441 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_port_binding); | |
2442 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_datapath); | |
2443 | add_column_noalert(ovnsb_idl_loop.idl, | |
2444 | &sbrec_port_binding_col_logical_port); | |
2445 | add_column_noalert(ovnsb_idl_loop.idl, | |
2446 | &sbrec_port_binding_col_tunnel_key); | |
2447 | add_column_noalert(ovnsb_idl_loop.idl, | |
2448 | &sbrec_port_binding_col_parent_port); | |
2449 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_tag); | |
2450 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_type); | |
2451 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_options); | |
2452 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_mac); | |
2453 | ovsdb_idl_add_column(ovnsb_idl_loop.idl, &sbrec_port_binding_col_chassis); | |
2454 | ||
2455 | /* Main loop. */ | |
7b303ff9 AW |
2456 | exiting = false; |
2457 | while (!exiting) { | |
331e7aef NS |
2458 | struct northd_context ctx = { |
2459 | .ovnnb_idl = ovnnb_idl_loop.idl, | |
2460 | .ovnnb_txn = ovsdb_idl_loop_run(&ovnnb_idl_loop), | |
2461 | .ovnsb_idl = ovnsb_idl_loop.idl, | |
2462 | .ovnsb_txn = ovsdb_idl_loop_run(&ovnsb_idl_loop), | |
2463 | }; | |
ac0630a2 | 2464 | |
8c0fae89 NS |
2465 | ovnnb_db_run(&ctx); |
2466 | ovnsb_db_run(&ctx); | |
f93818dd | 2467 | |
331e7aef NS |
2468 | unixctl_server_run(unixctl); |
2469 | unixctl_server_wait(unixctl); | |
2470 | if (exiting) { | |
2471 | poll_immediate_wake(); | |
ac0630a2 | 2472 | } |
331e7aef NS |
2473 | ovsdb_idl_loop_commit_and_wait(&ovnnb_idl_loop); |
2474 | ovsdb_idl_loop_commit_and_wait(&ovnsb_idl_loop); | |
ac0630a2 | 2475 | |
331e7aef | 2476 | poll_block(); |
485f0696 GS |
2477 | if (should_service_stop()) { |
2478 | exiting = true; | |
2479 | } | |
ac0630a2 RB |
2480 | } |
2481 | ||
7b303ff9 | 2482 | unixctl_server_destroy(unixctl); |
331e7aef NS |
2483 | ovsdb_idl_loop_destroy(&ovnnb_idl_loop); |
2484 | ovsdb_idl_loop_destroy(&ovnsb_idl_loop); | |
485f0696 | 2485 | service_stop(); |
ac0630a2 | 2486 | |
60bdd011 RM |
2487 | free(default_nb_db_); |
2488 | free(default_sb_db_); | |
ac0630a2 RB |
2489 | exit(res); |
2490 | } | |
7b303ff9 AW |
2491 | |
2492 | static void | |
2493 | ovn_northd_exit(struct unixctl_conn *conn, int argc OVS_UNUSED, | |
2494 | const char *argv[] OVS_UNUSED, void *exiting_) | |
2495 | { | |
2496 | bool *exiting = exiting_; | |
2497 | *exiting = true; | |
2498 | ||
2499 | unixctl_command_reply(conn, NULL); | |
2500 | } |