]>
Commit | Line | Data |
---|---|---|
ac0630a2 RB |
1 | /* |
2 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
3 | * you may not use this file except in compliance with the License. | |
4 | * You may obtain a copy of the License at: | |
5 | * | |
6 | * http://www.apache.org/licenses/LICENSE-2.0 | |
7 | * | |
8 | * Unless required by applicable law or agreed to in writing, software | |
9 | * distributed under the License is distributed on an "AS IS" BASIS, | |
10 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
11 | * See the License for the specific language governing permissions and | |
12 | * limitations under the License. | |
13 | */ | |
14 | ||
15 | #include <config.h> | |
16 | ||
17 | #include <getopt.h> | |
18 | #include <stdlib.h> | |
19 | #include <stdio.h> | |
20 | ||
21 | #include "command-line.h" | |
67d9b930 | 22 | #include "daemon.h" |
ac0630a2 | 23 | #include "dirs.h" |
3e8a2ad1 | 24 | #include "openvswitch/dynamic-string.h" |
ac0630a2 | 25 | #include "fatal-signal.h" |
4edcdcf4 RB |
26 | #include "hash.h" |
27 | #include "hmap.h" | |
bd39395f BP |
28 | #include "json.h" |
29 | #include "ovn/lib/lex.h" | |
e3df8838 BP |
30 | #include "ovn/lib/ovn-nb-idl.h" |
31 | #include "ovn/lib/ovn-sb-idl.h" | |
ac0630a2 | 32 | #include "poll-loop.h" |
5868eb24 | 33 | #include "smap.h" |
ac0630a2 RB |
34 | #include "stream.h" |
35 | #include "stream-ssl.h" | |
7b303ff9 | 36 | #include "unixctl.h" |
ac0630a2 | 37 | #include "util.h" |
4edcdcf4 | 38 | #include "uuid.h" |
ac0630a2 RB |
39 | #include "openvswitch/vlog.h" |
40 | ||
2e2762d4 | 41 | VLOG_DEFINE_THIS_MODULE(ovn_northd); |
ac0630a2 | 42 | |
7b303ff9 AW |
43 | static unixctl_cb_func ovn_northd_exit; |
44 | ||
2e2762d4 | 45 | struct northd_context { |
f93818dd | 46 | struct ovsdb_idl *ovnnb_idl; |
ec78987f | 47 | struct ovsdb_idl *ovnsb_idl; |
f93818dd | 48 | struct ovsdb_idl_txn *ovnnb_txn; |
3c78b3ca | 49 | struct ovsdb_idl_txn *ovnsb_txn; |
f93818dd RB |
50 | }; |
51 | ||
ac0630a2 | 52 | static const char *ovnnb_db; |
ec78987f | 53 | static const char *ovnsb_db; |
ac0630a2 | 54 | |
60bdd011 RM |
55 | static const char *default_nb_db(void); |
56 | static const char *default_sb_db(void); | |
880fcd14 BP |
57 | \f |
58 | /* Pipeline stages. */ | |
ac0630a2 | 59 | |
880fcd14 BP |
60 | /* The two pipelines in an OVN logical flow table. */ |
61 | enum ovn_pipeline { | |
62 | P_IN, /* Ingress pipeline. */ | |
63 | P_OUT /* Egress pipeline. */ | |
64 | }; | |
091e3af9 | 65 | |
880fcd14 BP |
66 | /* The two purposes for which ovn-northd uses OVN logical datapaths. */ |
67 | enum ovn_datapath_type { | |
68 | DP_SWITCH, /* OVN logical switch. */ | |
69 | DP_ROUTER /* OVN logical router. */ | |
091e3af9 JP |
70 | }; |
71 | ||
880fcd14 BP |
72 | /* Returns an "enum ovn_stage" built from the arguments. |
73 | * | |
74 | * (It's better to use ovn_stage_build() for type-safety reasons, but inline | |
75 | * functions can't be used in enums or switch cases.) */ | |
76 | #define OVN_STAGE_BUILD(DP_TYPE, PIPELINE, TABLE) \ | |
77 | (((DP_TYPE) << 9) | ((PIPELINE) << 8) | (TABLE)) | |
78 | ||
79 | /* A stage within an OVN logical switch or router. | |
091e3af9 | 80 | * |
880fcd14 BP |
81 | * An "enum ovn_stage" indicates whether the stage is part of a logical switch |
82 | * or router, whether the stage is part of the ingress or egress pipeline, and | |
83 | * the table within that pipeline. The first three components are combined to | |
685f4dfe | 84 | * form the stage's full name, e.g. S_SWITCH_IN_PORT_SEC_L2, |
880fcd14 BP |
85 | * S_ROUTER_OUT_DELIVERY. */ |
86 | enum ovn_stage { | |
e0c9e58b JP |
87 | #define PIPELINE_STAGES \ |
88 | /* Logical switch ingress stages. */ \ | |
685f4dfe NS |
89 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_L2, 0, "ls_in_port_sec_l2") \ |
90 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_IP, 1, "ls_in_port_sec_ip") \ | |
91 | PIPELINE_STAGE(SWITCH, IN, PORT_SEC_ND, 2, "ls_in_port_sec_nd") \ | |
92 | PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 3, "ls_in_pre_acl") \ | |
93 | PIPELINE_STAGE(SWITCH, IN, ACL, 4, "ls_in_acl") \ | |
94 | PIPELINE_STAGE(SWITCH, IN, ARP_RSP, 5, "ls_in_arp_rsp") \ | |
95 | PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 6, "ls_in_l2_lkup") \ | |
e0c9e58b JP |
96 | \ |
97 | /* Logical switch egress stages. */ \ | |
98 | PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \ | |
99 | PIPELINE_STAGE(SWITCH, OUT, ACL, 1, "ls_out_acl") \ | |
685f4dfe NS |
100 | PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_IP, 2, "ls_out_port_sec_ip") \ |
101 | PIPELINE_STAGE(SWITCH, OUT, PORT_SEC_L2, 3, "ls_out_port_sec_l2") \ | |
e0c9e58b JP |
102 | \ |
103 | /* Logical router ingress stages. */ \ | |
104 | PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ | |
105 | PIPELINE_STAGE(ROUTER, IN, IP_INPUT, 1, "lr_in_ip_input") \ | |
106 | PIPELINE_STAGE(ROUTER, IN, IP_ROUTING, 2, "lr_in_ip_routing") \ | |
0bac7164 BP |
107 | PIPELINE_STAGE(ROUTER, IN, ARP_RESOLVE, 3, "lr_in_arp_resolve") \ |
108 | PIPELINE_STAGE(ROUTER, IN, ARP_REQUEST, 4, "lr_in_arp_request") \ | |
e0c9e58b JP |
109 | \ |
110 | /* Logical router egress stages. */ \ | |
111 | PIPELINE_STAGE(ROUTER, OUT, DELIVERY, 0, "lr_out_delivery") | |
880fcd14 BP |
112 | |
113 | #define PIPELINE_STAGE(DP_TYPE, PIPELINE, STAGE, TABLE, NAME) \ | |
114 | S_##DP_TYPE##_##PIPELINE##_##STAGE \ | |
115 | = OVN_STAGE_BUILD(DP_##DP_TYPE, P_##PIPELINE, TABLE), | |
116 | PIPELINE_STAGES | |
117 | #undef PIPELINE_STAGE | |
091e3af9 JP |
118 | }; |
119 | ||
6bb4a18e JP |
120 | /* Due to various hard-coded priorities need to implement ACLs, the |
121 | * northbound database supports a smaller range of ACL priorities than | |
122 | * are available to logical flows. This value is added to an ACL | |
123 | * priority to determine the ACL's logical flow priority. */ | |
124 | #define OVN_ACL_PRI_OFFSET 1000 | |
125 | ||
880fcd14 BP |
126 | /* Returns an "enum ovn_stage" built from the arguments. */ |
127 | static enum ovn_stage | |
128 | ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline pipeline, | |
129 | uint8_t table) | |
130 | { | |
131 | return OVN_STAGE_BUILD(dp_type, pipeline, table); | |
132 | } | |
133 | ||
134 | /* Returns the pipeline to which 'stage' belongs. */ | |
135 | static enum ovn_pipeline | |
136 | ovn_stage_get_pipeline(enum ovn_stage stage) | |
137 | { | |
138 | return (stage >> 8) & 1; | |
139 | } | |
140 | ||
141 | /* Returns the table to which 'stage' belongs. */ | |
142 | static uint8_t | |
143 | ovn_stage_get_table(enum ovn_stage stage) | |
144 | { | |
145 | return stage & 0xff; | |
146 | } | |
147 | ||
148 | /* Returns a string name for 'stage'. */ | |
149 | static const char * | |
150 | ovn_stage_to_str(enum ovn_stage stage) | |
151 | { | |
152 | switch (stage) { | |
153 | #define PIPELINE_STAGE(DP_TYPE, PIPELINE, STAGE, TABLE, NAME) \ | |
154 | case S_##DP_TYPE##_##PIPELINE##_##STAGE: return NAME; | |
155 | PIPELINE_STAGES | |
156 | #undef PIPELINE_STAGE | |
157 | default: return "<unknown>"; | |
158 | } | |
159 | } | |
160 | \f | |
ac0630a2 RB |
161 | static void |
162 | usage(void) | |
163 | { | |
164 | printf("\ | |
165 | %s: OVN northbound management daemon\n\ | |
166 | usage: %s [OPTIONS]\n\ | |
167 | \n\ | |
168 | Options:\n\ | |
169 | --ovnnb-db=DATABASE connect to ovn-nb database at DATABASE\n\ | |
170 | (default: %s)\n\ | |
ec78987f | 171 | --ovnsb-db=DATABASE connect to ovn-sb database at DATABASE\n\ |
ac0630a2 RB |
172 | (default: %s)\n\ |
173 | -h, --help display this help message\n\ | |
174 | -o, --options list available options\n\ | |
175 | -V, --version display version information\n\ | |
60bdd011 | 176 | ", program_name, program_name, default_nb_db(), default_sb_db()); |
67d9b930 | 177 | daemon_usage(); |
ac0630a2 RB |
178 | vlog_usage(); |
179 | stream_usage("database", true, true, false); | |
180 | } | |
181 | \f | |
5868eb24 BP |
182 | struct tnlid_node { |
183 | struct hmap_node hmap_node; | |
184 | uint32_t tnlid; | |
185 | }; | |
186 | ||
187 | static void | |
188 | destroy_tnlids(struct hmap *tnlids) | |
4edcdcf4 | 189 | { |
5868eb24 BP |
190 | struct tnlid_node *node, *next; |
191 | HMAP_FOR_EACH_SAFE (node, next, hmap_node, tnlids) { | |
192 | hmap_remove(tnlids, &node->hmap_node); | |
193 | free(node); | |
194 | } | |
195 | hmap_destroy(tnlids); | |
196 | } | |
197 | ||
198 | static void | |
199 | add_tnlid(struct hmap *set, uint32_t tnlid) | |
200 | { | |
201 | struct tnlid_node *node = xmalloc(sizeof *node); | |
202 | hmap_insert(set, &node->hmap_node, hash_int(tnlid, 0)); | |
203 | node->tnlid = tnlid; | |
4edcdcf4 RB |
204 | } |
205 | ||
4edcdcf4 | 206 | static bool |
5868eb24 | 207 | tnlid_in_use(const struct hmap *set, uint32_t tnlid) |
4edcdcf4 | 208 | { |
5868eb24 BP |
209 | const struct tnlid_node *node; |
210 | HMAP_FOR_EACH_IN_BUCKET (node, hmap_node, hash_int(tnlid, 0), set) { | |
211 | if (node->tnlid == tnlid) { | |
212 | return true; | |
213 | } | |
214 | } | |
215 | return false; | |
216 | } | |
4edcdcf4 | 217 | |
5868eb24 BP |
218 | static uint32_t |
219 | allocate_tnlid(struct hmap *set, const char *name, uint32_t max, | |
220 | uint32_t *hint) | |
221 | { | |
222 | for (uint32_t tnlid = *hint + 1; tnlid != *hint; | |
223 | tnlid = tnlid + 1 <= max ? tnlid + 1 : 1) { | |
224 | if (!tnlid_in_use(set, tnlid)) { | |
225 | add_tnlid(set, tnlid); | |
226 | *hint = tnlid; | |
227 | return tnlid; | |
228 | } | |
4edcdcf4 RB |
229 | } |
230 | ||
5868eb24 BP |
231 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); |
232 | VLOG_WARN_RL(&rl, "all %s tunnel ids exhausted", name); | |
233 | return 0; | |
234 | } | |
235 | \f | |
9975d7be BP |
236 | /* The 'key' comes from nbs->header_.uuid or nbr->header_.uuid or |
237 | * sb->external_ids:logical-switch. */ | |
5868eb24 BP |
238 | struct ovn_datapath { |
239 | struct hmap_node key_node; /* Index on 'key'. */ | |
9975d7be | 240 | struct uuid key; /* (nbs/nbr)->header_.uuid. */ |
4edcdcf4 | 241 | |
9975d7be BP |
242 | const struct nbrec_logical_switch *nbs; /* May be NULL. */ |
243 | const struct nbrec_logical_router *nbr; /* May be NULL. */ | |
5868eb24 | 244 | const struct sbrec_datapath_binding *sb; /* May be NULL. */ |
4edcdcf4 | 245 | |
5868eb24 | 246 | struct ovs_list list; /* In list of similar records. */ |
4edcdcf4 | 247 | |
9975d7be | 248 | /* Logical router data (digested from nbr). */ |
0bac7164 | 249 | const struct ovn_port *gateway_port; |
9975d7be BP |
250 | ovs_be32 gateway; |
251 | ||
252 | /* Logical switch data. */ | |
86e98048 BP |
253 | struct ovn_port **router_ports; |
254 | size_t n_router_ports; | |
9975d7be | 255 | |
5868eb24 BP |
256 | struct hmap port_tnlids; |
257 | uint32_t port_key_hint; | |
258 | ||
259 | bool has_unknown; | |
260 | }; | |
261 | ||
262 | static struct ovn_datapath * | |
263 | ovn_datapath_create(struct hmap *datapaths, const struct uuid *key, | |
9975d7be BP |
264 | const struct nbrec_logical_switch *nbs, |
265 | const struct nbrec_logical_router *nbr, | |
5868eb24 BP |
266 | const struct sbrec_datapath_binding *sb) |
267 | { | |
268 | struct ovn_datapath *od = xzalloc(sizeof *od); | |
269 | od->key = *key; | |
270 | od->sb = sb; | |
9975d7be BP |
271 | od->nbs = nbs; |
272 | od->nbr = nbr; | |
5868eb24 BP |
273 | hmap_init(&od->port_tnlids); |
274 | od->port_key_hint = 0; | |
275 | hmap_insert(datapaths, &od->key_node, uuid_hash(&od->key)); | |
276 | return od; | |
277 | } | |
278 | ||
279 | static void | |
280 | ovn_datapath_destroy(struct hmap *datapaths, struct ovn_datapath *od) | |
281 | { | |
282 | if (od) { | |
283 | /* Don't remove od->list. It is used within build_datapaths() as a | |
284 | * private list and once we've exited that function it is not safe to | |
285 | * use it. */ | |
286 | hmap_remove(datapaths, &od->key_node); | |
287 | destroy_tnlids(&od->port_tnlids); | |
86e98048 | 288 | free(od->router_ports); |
5868eb24 BP |
289 | free(od); |
290 | } | |
291 | } | |
292 | ||
293 | static struct ovn_datapath * | |
294 | ovn_datapath_find(struct hmap *datapaths, const struct uuid *uuid) | |
295 | { | |
296 | struct ovn_datapath *od; | |
297 | ||
298 | HMAP_FOR_EACH_WITH_HASH (od, key_node, uuid_hash(uuid), datapaths) { | |
299 | if (uuid_equals(uuid, &od->key)) { | |
300 | return od; | |
301 | } | |
302 | } | |
303 | return NULL; | |
304 | } | |
305 | ||
306 | static struct ovn_datapath * | |
307 | ovn_datapath_from_sbrec(struct hmap *datapaths, | |
308 | const struct sbrec_datapath_binding *sb) | |
309 | { | |
310 | struct uuid key; | |
311 | ||
9975d7be BP |
312 | if (!smap_get_uuid(&sb->external_ids, "logical-switch", &key) && |
313 | !smap_get_uuid(&sb->external_ids, "logical-router", &key)) { | |
5868eb24 BP |
314 | return NULL; |
315 | } | |
316 | return ovn_datapath_find(datapaths, &key); | |
317 | } | |
318 | ||
319 | static void | |
320 | join_datapaths(struct northd_context *ctx, struct hmap *datapaths, | |
321 | struct ovs_list *sb_only, struct ovs_list *nb_only, | |
322 | struct ovs_list *both) | |
323 | { | |
324 | hmap_init(datapaths); | |
417e7e66 BW |
325 | ovs_list_init(sb_only); |
326 | ovs_list_init(nb_only); | |
327 | ovs_list_init(both); | |
5868eb24 BP |
328 | |
329 | const struct sbrec_datapath_binding *sb, *sb_next; | |
330 | SBREC_DATAPATH_BINDING_FOR_EACH_SAFE (sb, sb_next, ctx->ovnsb_idl) { | |
331 | struct uuid key; | |
9975d7be BP |
332 | if (!smap_get_uuid(&sb->external_ids, "logical-switch", &key) && |
333 | !smap_get_uuid(&sb->external_ids, "logical-router", &key)) { | |
334 | ovsdb_idl_txn_add_comment( | |
335 | ctx->ovnsb_txn, | |
336 | "deleting Datapath_Binding "UUID_FMT" that lacks " | |
337 | "external-ids:logical-switch and " | |
338 | "external-ids:logical-router", | |
339 | UUID_ARGS(&sb->header_.uuid)); | |
5868eb24 BP |
340 | sbrec_datapath_binding_delete(sb); |
341 | continue; | |
342 | } | |
343 | ||
344 | if (ovn_datapath_find(datapaths, &key)) { | |
345 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
9975d7be BP |
346 | VLOG_INFO_RL( |
347 | &rl, "deleting Datapath_Binding "UUID_FMT" with " | |
348 | "duplicate external-ids:logical-switch/router "UUID_FMT, | |
349 | UUID_ARGS(&sb->header_.uuid), UUID_ARGS(&key)); | |
5868eb24 BP |
350 | sbrec_datapath_binding_delete(sb); |
351 | continue; | |
352 | } | |
353 | ||
354 | struct ovn_datapath *od = ovn_datapath_create(datapaths, &key, | |
9975d7be | 355 | NULL, NULL, sb); |
417e7e66 | 356 | ovs_list_push_back(sb_only, &od->list); |
5868eb24 BP |
357 | } |
358 | ||
9975d7be BP |
359 | const struct nbrec_logical_switch *nbs; |
360 | NBREC_LOGICAL_SWITCH_FOR_EACH (nbs, ctx->ovnnb_idl) { | |
5868eb24 | 361 | struct ovn_datapath *od = ovn_datapath_find(datapaths, |
9975d7be | 362 | &nbs->header_.uuid); |
5868eb24 | 363 | if (od) { |
9975d7be | 364 | od->nbs = nbs; |
417e7e66 BW |
365 | ovs_list_remove(&od->list); |
366 | ovs_list_push_back(both, &od->list); | |
5868eb24 | 367 | } else { |
9975d7be BP |
368 | od = ovn_datapath_create(datapaths, &nbs->header_.uuid, |
369 | nbs, NULL, NULL); | |
417e7e66 | 370 | ovs_list_push_back(nb_only, &od->list); |
5868eb24 BP |
371 | } |
372 | } | |
9975d7be BP |
373 | |
374 | const struct nbrec_logical_router *nbr; | |
375 | NBREC_LOGICAL_ROUTER_FOR_EACH (nbr, ctx->ovnnb_idl) { | |
376 | struct ovn_datapath *od = ovn_datapath_find(datapaths, | |
377 | &nbr->header_.uuid); | |
378 | if (od) { | |
379 | if (!od->nbs) { | |
380 | od->nbr = nbr; | |
417e7e66 BW |
381 | ovs_list_remove(&od->list); |
382 | ovs_list_push_back(both, &od->list); | |
9975d7be BP |
383 | } else { |
384 | /* Can't happen! */ | |
385 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
386 | VLOG_WARN_RL(&rl, | |
387 | "duplicate UUID "UUID_FMT" in OVN_Northbound", | |
388 | UUID_ARGS(&nbr->header_.uuid)); | |
389 | continue; | |
390 | } | |
391 | } else { | |
392 | od = ovn_datapath_create(datapaths, &nbr->header_.uuid, | |
393 | NULL, nbr, NULL); | |
417e7e66 | 394 | ovs_list_push_back(nb_only, &od->list); |
9975d7be BP |
395 | } |
396 | ||
397 | od->gateway = 0; | |
398 | if (nbr->default_gw) { | |
0bac7164 BP |
399 | ovs_be32 ip; |
400 | if (!ip_parse(nbr->default_gw, &ip) || !ip) { | |
401 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); | |
9975d7be | 402 | VLOG_WARN_RL(&rl, "bad 'gateway' %s", nbr->default_gw); |
9975d7be BP |
403 | } else { |
404 | od->gateway = ip; | |
405 | } | |
406 | } | |
0bac7164 BP |
407 | |
408 | /* Set the gateway port to NULL. If there is a gateway, it will get | |
409 | * filled in as we go through the ports later. */ | |
410 | od->gateway_port = NULL; | |
9975d7be | 411 | } |
5868eb24 BP |
412 | } |
413 | ||
414 | static uint32_t | |
415 | ovn_datapath_allocate_key(struct hmap *dp_tnlids) | |
416 | { | |
417 | static uint32_t hint; | |
418 | return allocate_tnlid(dp_tnlids, "datapath", (1u << 24) - 1, &hint); | |
419 | } | |
420 | ||
0bac7164 BP |
421 | /* Updates the southbound Datapath_Binding table so that it contains the |
422 | * logical switches and routers specified by the northbound database. | |
423 | * | |
424 | * Initializes 'datapaths' to contain a "struct ovn_datapath" for every logical | |
425 | * switch and router. */ | |
5868eb24 BP |
426 | static void |
427 | build_datapaths(struct northd_context *ctx, struct hmap *datapaths) | |
428 | { | |
429 | struct ovs_list sb_only, nb_only, both; | |
430 | ||
431 | join_datapaths(ctx, datapaths, &sb_only, &nb_only, &both); | |
432 | ||
417e7e66 | 433 | if (!ovs_list_is_empty(&nb_only)) { |
5868eb24 BP |
434 | /* First index the in-use datapath tunnel IDs. */ |
435 | struct hmap dp_tnlids = HMAP_INITIALIZER(&dp_tnlids); | |
436 | struct ovn_datapath *od; | |
437 | LIST_FOR_EACH (od, list, &both) { | |
438 | add_tnlid(&dp_tnlids, od->sb->tunnel_key); | |
439 | } | |
440 | ||
441 | /* Add southbound record for each unmatched northbound record. */ | |
442 | LIST_FOR_EACH (od, list, &nb_only) { | |
443 | uint16_t tunnel_key = ovn_datapath_allocate_key(&dp_tnlids); | |
444 | if (!tunnel_key) { | |
445 | break; | |
446 | } | |
447 | ||
448 | od->sb = sbrec_datapath_binding_insert(ctx->ovnsb_txn); | |
449 | ||
5868eb24 | 450 | char uuid_s[UUID_LEN + 1]; |
9975d7be BP |
451 | sprintf(uuid_s, UUID_FMT, UUID_ARGS(&od->key)); |
452 | const char *key = od->nbs ? "logical-switch" : "logical-router"; | |
453 | const struct smap id = SMAP_CONST1(&id, key, uuid_s); | |
aaf881c6 | 454 | sbrec_datapath_binding_set_external_ids(od->sb, &id); |
5868eb24 BP |
455 | |
456 | sbrec_datapath_binding_set_tunnel_key(od->sb, tunnel_key); | |
457 | } | |
458 | destroy_tnlids(&dp_tnlids); | |
459 | } | |
460 | ||
461 | /* Delete southbound records without northbound matches. */ | |
462 | struct ovn_datapath *od, *next; | |
463 | LIST_FOR_EACH_SAFE (od, next, list, &sb_only) { | |
417e7e66 | 464 | ovs_list_remove(&od->list); |
5868eb24 BP |
465 | sbrec_datapath_binding_delete(od->sb); |
466 | ovn_datapath_destroy(datapaths, od); | |
467 | } | |
468 | } | |
469 | \f | |
470 | struct ovn_port { | |
471 | struct hmap_node key_node; /* Index on 'key'. */ | |
9975d7be BP |
472 | char *key; /* nbs->name, nbr->name, sb->logical_port. */ |
473 | char *json_key; /* 'key', quoted for use in JSON. */ | |
5868eb24 | 474 | |
9975d7be BP |
475 | const struct nbrec_logical_port *nbs; /* May be NULL. */ |
476 | const struct nbrec_logical_router_port *nbr; /* May be NULL. */ | |
477 | const struct sbrec_port_binding *sb; /* May be NULL. */ | |
478 | ||
479 | /* Logical router port data. */ | |
480 | ovs_be32 ip, mask; /* 192.168.10.123/24. */ | |
481 | ovs_be32 network; /* 192.168.10.0. */ | |
482 | ovs_be32 bcast; /* 192.168.10.255. */ | |
483 | struct eth_addr mac; | |
484 | struct ovn_port *peer; | |
5868eb24 BP |
485 | |
486 | struct ovn_datapath *od; | |
487 | ||
488 | struct ovs_list list; /* In list of similar records. */ | |
489 | }; | |
490 | ||
491 | static struct ovn_port * | |
492 | ovn_port_create(struct hmap *ports, const char *key, | |
9975d7be BP |
493 | const struct nbrec_logical_port *nbs, |
494 | const struct nbrec_logical_router_port *nbr, | |
5868eb24 BP |
495 | const struct sbrec_port_binding *sb) |
496 | { | |
497 | struct ovn_port *op = xzalloc(sizeof *op); | |
9975d7be BP |
498 | |
499 | struct ds json_key = DS_EMPTY_INITIALIZER; | |
500 | json_string_escape(key, &json_key); | |
501 | op->json_key = ds_steal_cstr(&json_key); | |
502 | ||
503 | op->key = xstrdup(key); | |
5868eb24 | 504 | op->sb = sb; |
9975d7be BP |
505 | op->nbs = nbs; |
506 | op->nbr = nbr; | |
5868eb24 BP |
507 | hmap_insert(ports, &op->key_node, hash_string(op->key, 0)); |
508 | return op; | |
509 | } | |
510 | ||
511 | static void | |
512 | ovn_port_destroy(struct hmap *ports, struct ovn_port *port) | |
513 | { | |
514 | if (port) { | |
515 | /* Don't remove port->list. It is used within build_ports() as a | |
516 | * private list and once we've exited that function it is not safe to | |
517 | * use it. */ | |
518 | hmap_remove(ports, &port->key_node); | |
9975d7be BP |
519 | free(port->json_key); |
520 | free(port->key); | |
5868eb24 BP |
521 | free(port); |
522 | } | |
523 | } | |
524 | ||
525 | static struct ovn_port * | |
526 | ovn_port_find(struct hmap *ports, const char *name) | |
527 | { | |
528 | struct ovn_port *op; | |
529 | ||
530 | HMAP_FOR_EACH_WITH_HASH (op, key_node, hash_string(name, 0), ports) { | |
531 | if (!strcmp(op->key, name)) { | |
532 | return op; | |
533 | } | |
534 | } | |
535 | return NULL; | |
536 | } | |
537 | ||
538 | static uint32_t | |
539 | ovn_port_allocate_key(struct ovn_datapath *od) | |
540 | { | |
541 | return allocate_tnlid(&od->port_tnlids, "port", | |
542 | (1u << 15) - 1, &od->port_key_hint); | |
543 | } | |
544 | ||
545 | static void | |
546 | join_logical_ports(struct northd_context *ctx, | |
547 | struct hmap *datapaths, struct hmap *ports, | |
548 | struct ovs_list *sb_only, struct ovs_list *nb_only, | |
549 | struct ovs_list *both) | |
550 | { | |
551 | hmap_init(ports); | |
417e7e66 BW |
552 | ovs_list_init(sb_only); |
553 | ovs_list_init(nb_only); | |
554 | ovs_list_init(both); | |
5868eb24 BP |
555 | |
556 | const struct sbrec_port_binding *sb; | |
557 | SBREC_PORT_BINDING_FOR_EACH (sb, ctx->ovnsb_idl) { | |
558 | struct ovn_port *op = ovn_port_create(ports, sb->logical_port, | |
9975d7be | 559 | NULL, NULL, sb); |
417e7e66 | 560 | ovs_list_push_back(sb_only, &op->list); |
5868eb24 BP |
561 | } |
562 | ||
563 | struct ovn_datapath *od; | |
564 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
565 | if (od->nbs) { |
566 | for (size_t i = 0; i < od->nbs->n_ports; i++) { | |
567 | const struct nbrec_logical_port *nbs = od->nbs->ports[i]; | |
568 | struct ovn_port *op = ovn_port_find(ports, nbs->name); | |
569 | if (op) { | |
570 | if (op->nbs || op->nbr) { | |
571 | static struct vlog_rate_limit rl | |
572 | = VLOG_RATE_LIMIT_INIT(5, 1); | |
573 | VLOG_WARN_RL(&rl, "duplicate logical port %s", | |
574 | nbs->name); | |
575 | continue; | |
576 | } | |
577 | op->nbs = nbs; | |
417e7e66 BW |
578 | ovs_list_remove(&op->list); |
579 | ovs_list_push_back(both, &op->list); | |
9975d7be BP |
580 | } else { |
581 | op = ovn_port_create(ports, nbs->name, nbs, NULL, NULL); | |
417e7e66 | 582 | ovs_list_push_back(nb_only, &op->list); |
9975d7be BP |
583 | } |
584 | ||
585 | op->od = od; | |
586 | } | |
587 | } else { | |
588 | for (size_t i = 0; i < od->nbr->n_ports; i++) { | |
589 | const struct nbrec_logical_router_port *nbr | |
590 | = od->nbr->ports[i]; | |
591 | ||
592 | struct eth_addr mac; | |
593 | if (!eth_addr_from_string(nbr->mac, &mac)) { | |
594 | static struct vlog_rate_limit rl | |
595 | = VLOG_RATE_LIMIT_INIT(5, 1); | |
596 | VLOG_WARN_RL(&rl, "bad 'mac' %s", nbr->mac); | |
597 | continue; | |
598 | } | |
599 | ||
600 | ovs_be32 ip, mask; | |
601 | char *error = ip_parse_masked(nbr->network, &ip, &mask); | |
602 | if (error || mask == OVS_BE32_MAX || !ip_is_cidr(mask)) { | |
603 | static struct vlog_rate_limit rl | |
604 | = VLOG_RATE_LIMIT_INIT(5, 1); | |
605 | VLOG_WARN_RL(&rl, "bad 'network' %s", nbr->network); | |
606 | free(error); | |
607 | continue; | |
608 | } | |
609 | ||
00007447 | 610 | struct ovn_port *op = ovn_port_find(ports, nbr->name); |
9975d7be BP |
611 | if (op) { |
612 | if (op->nbs || op->nbr) { | |
613 | static struct vlog_rate_limit rl | |
614 | = VLOG_RATE_LIMIT_INIT(5, 1); | |
615 | VLOG_WARN_RL(&rl, "duplicate logical router port %s", | |
00007447 | 616 | nbr->name); |
9975d7be BP |
617 | continue; |
618 | } | |
619 | op->nbr = nbr; | |
417e7e66 BW |
620 | ovs_list_remove(&op->list); |
621 | ovs_list_push_back(both, &op->list); | |
9975d7be | 622 | } else { |
00007447 | 623 | op = ovn_port_create(ports, nbr->name, NULL, nbr, NULL); |
417e7e66 | 624 | ovs_list_push_back(nb_only, &op->list); |
9975d7be BP |
625 | } |
626 | ||
627 | op->ip = ip; | |
628 | op->mask = mask; | |
629 | op->network = ip & mask; | |
630 | op->bcast = ip | ~mask; | |
631 | op->mac = mac; | |
632 | ||
633 | op->od = od; | |
0bac7164 BP |
634 | |
635 | /* If 'od' has a gateway and 'op' routes to it... */ | |
636 | if (od->gateway && !((op->network ^ od->gateway) & op->mask)) { | |
637 | /* ...and if 'op' is a longer match than the current | |
638 | * choice... */ | |
639 | const struct ovn_port *gw = od->gateway_port; | |
640 | int len = gw ? ip_count_cidr_bits(gw->mask) : 0; | |
641 | if (ip_count_cidr_bits(op->mask) > len) { | |
642 | /* ...then it's the default gateway port. */ | |
643 | od->gateway_port = op; | |
644 | } | |
645 | } | |
5868eb24 | 646 | } |
9975d7be BP |
647 | } |
648 | } | |
649 | ||
650 | /* Connect logical router ports, and logical switch ports of type "router", | |
651 | * to their peers. */ | |
652 | struct ovn_port *op; | |
653 | HMAP_FOR_EACH (op, key_node, ports) { | |
654 | if (op->nbs && !strcmp(op->nbs->type, "router")) { | |
655 | const char *peer_name = smap_get(&op->nbs->options, "router-port"); | |
656 | if (!peer_name) { | |
657 | continue; | |
658 | } | |
659 | ||
660 | struct ovn_port *peer = ovn_port_find(ports, peer_name); | |
661 | if (!peer || !peer->nbr) { | |
662 | continue; | |
663 | } | |
664 | ||
665 | peer->peer = op; | |
666 | op->peer = peer; | |
86e98048 BP |
667 | op->od->router_ports = xrealloc( |
668 | op->od->router_ports, | |
669 | sizeof *op->od->router_ports * (op->od->n_router_ports + 1)); | |
670 | op->od->router_ports[op->od->n_router_ports++] = op; | |
9975d7be | 671 | } else if (op->nbr && op->nbr->peer) { |
509afdc3 | 672 | op->peer = ovn_port_find(ports, op->nbr->peer); |
5868eb24 BP |
673 | } |
674 | } | |
675 | } | |
676 | ||
677 | static void | |
678 | ovn_port_update_sbrec(const struct ovn_port *op) | |
679 | { | |
680 | sbrec_port_binding_set_datapath(op->sb, op->od->sb); | |
9975d7be BP |
681 | if (op->nbr) { |
682 | sbrec_port_binding_set_type(op->sb, "patch"); | |
683 | ||
684 | const char *peer = op->peer ? op->peer->key : "<error>"; | |
685 | const struct smap ids = SMAP_CONST1(&ids, "peer", peer); | |
686 | sbrec_port_binding_set_options(op->sb, &ids); | |
687 | ||
688 | sbrec_port_binding_set_parent_port(op->sb, NULL); | |
689 | sbrec_port_binding_set_tag(op->sb, NULL, 0); | |
690 | sbrec_port_binding_set_mac(op->sb, NULL, 0); | |
691 | } else { | |
692 | if (strcmp(op->nbs->type, "router")) { | |
693 | sbrec_port_binding_set_type(op->sb, op->nbs->type); | |
694 | sbrec_port_binding_set_options(op->sb, &op->nbs->options); | |
695 | } else { | |
696 | sbrec_port_binding_set_type(op->sb, "patch"); | |
697 | ||
698 | const char *router_port = smap_get(&op->nbs->options, | |
699 | "router-port"); | |
700 | if (!router_port) { | |
701 | router_port = "<error>"; | |
702 | } | |
703 | const struct smap ids = SMAP_CONST1(&ids, "peer", router_port); | |
704 | sbrec_port_binding_set_options(op->sb, &ids); | |
705 | } | |
706 | sbrec_port_binding_set_parent_port(op->sb, op->nbs->parent_name); | |
707 | sbrec_port_binding_set_tag(op->sb, op->nbs->tag, op->nbs->n_tag); | |
708 | sbrec_port_binding_set_mac(op->sb, (const char **) op->nbs->addresses, | |
709 | op->nbs->n_addresses); | |
710 | } | |
5868eb24 BP |
711 | } |
712 | ||
0bac7164 BP |
713 | /* Updates the southbound Port_Binding table so that it contains the logical |
714 | * ports specified by the northbound database. | |
715 | * | |
716 | * Initializes 'ports' to contain a "struct ovn_port" for every logical port, | |
717 | * using the "struct ovn_datapath"s in 'datapaths' to look up logical | |
718 | * datapaths. */ | |
5868eb24 BP |
719 | static void |
720 | build_ports(struct northd_context *ctx, struct hmap *datapaths, | |
721 | struct hmap *ports) | |
722 | { | |
723 | struct ovs_list sb_only, nb_only, both; | |
724 | ||
725 | join_logical_ports(ctx, datapaths, ports, &sb_only, &nb_only, &both); | |
726 | ||
727 | /* For logical ports that are in both databases, update the southbound | |
728 | * record based on northbound data. Also index the in-use tunnel_keys. */ | |
729 | struct ovn_port *op, *next; | |
730 | LIST_FOR_EACH_SAFE (op, next, list, &both) { | |
731 | ovn_port_update_sbrec(op); | |
732 | ||
733 | add_tnlid(&op->od->port_tnlids, op->sb->tunnel_key); | |
734 | if (op->sb->tunnel_key > op->od->port_key_hint) { | |
735 | op->od->port_key_hint = op->sb->tunnel_key; | |
736 | } | |
737 | } | |
738 | ||
739 | /* Add southbound record for each unmatched northbound record. */ | |
740 | LIST_FOR_EACH_SAFE (op, next, list, &nb_only) { | |
741 | uint16_t tunnel_key = ovn_port_allocate_key(op->od); | |
742 | if (!tunnel_key) { | |
743 | continue; | |
744 | } | |
745 | ||
746 | op->sb = sbrec_port_binding_insert(ctx->ovnsb_txn); | |
747 | ovn_port_update_sbrec(op); | |
748 | ||
749 | sbrec_port_binding_set_logical_port(op->sb, op->key); | |
750 | sbrec_port_binding_set_tunnel_key(op->sb, tunnel_key); | |
751 | } | |
752 | ||
753 | /* Delete southbound records without northbound matches. */ | |
754 | LIST_FOR_EACH_SAFE(op, next, list, &sb_only) { | |
417e7e66 | 755 | ovs_list_remove(&op->list); |
5868eb24 BP |
756 | sbrec_port_binding_delete(op->sb); |
757 | ovn_port_destroy(ports, op); | |
758 | } | |
759 | } | |
760 | \f | |
761 | #define OVN_MIN_MULTICAST 32768 | |
762 | #define OVN_MAX_MULTICAST 65535 | |
763 | ||
764 | struct multicast_group { | |
765 | const char *name; | |
766 | uint16_t key; /* OVN_MIN_MULTICAST...OVN_MAX_MULTICAST. */ | |
767 | }; | |
768 | ||
769 | #define MC_FLOOD "_MC_flood" | |
770 | static const struct multicast_group mc_flood = { MC_FLOOD, 65535 }; | |
771 | ||
772 | #define MC_UNKNOWN "_MC_unknown" | |
773 | static const struct multicast_group mc_unknown = { MC_UNKNOWN, 65534 }; | |
774 | ||
775 | static bool | |
776 | multicast_group_equal(const struct multicast_group *a, | |
777 | const struct multicast_group *b) | |
778 | { | |
779 | return !strcmp(a->name, b->name) && a->key == b->key; | |
780 | } | |
781 | ||
782 | /* Multicast group entry. */ | |
783 | struct ovn_multicast { | |
784 | struct hmap_node hmap_node; /* Index on 'datapath' and 'key'. */ | |
785 | struct ovn_datapath *datapath; | |
786 | const struct multicast_group *group; | |
787 | ||
788 | struct ovn_port **ports; | |
789 | size_t n_ports, allocated_ports; | |
790 | }; | |
791 | ||
792 | static uint32_t | |
793 | ovn_multicast_hash(const struct ovn_datapath *datapath, | |
794 | const struct multicast_group *group) | |
795 | { | |
796 | return hash_pointer(datapath, group->key); | |
797 | } | |
798 | ||
799 | static struct ovn_multicast * | |
800 | ovn_multicast_find(struct hmap *mcgroups, struct ovn_datapath *datapath, | |
801 | const struct multicast_group *group) | |
802 | { | |
803 | struct ovn_multicast *mc; | |
804 | ||
805 | HMAP_FOR_EACH_WITH_HASH (mc, hmap_node, | |
806 | ovn_multicast_hash(datapath, group), mcgroups) { | |
807 | if (mc->datapath == datapath | |
808 | && multicast_group_equal(mc->group, group)) { | |
809 | return mc; | |
4edcdcf4 RB |
810 | } |
811 | } | |
5868eb24 BP |
812 | return NULL; |
813 | } | |
814 | ||
815 | static void | |
816 | ovn_multicast_add(struct hmap *mcgroups, const struct multicast_group *group, | |
817 | struct ovn_port *port) | |
818 | { | |
819 | struct ovn_datapath *od = port->od; | |
820 | struct ovn_multicast *mc = ovn_multicast_find(mcgroups, od, group); | |
821 | if (!mc) { | |
822 | mc = xmalloc(sizeof *mc); | |
823 | hmap_insert(mcgroups, &mc->hmap_node, ovn_multicast_hash(od, group)); | |
824 | mc->datapath = od; | |
825 | mc->group = group; | |
826 | mc->n_ports = 0; | |
827 | mc->allocated_ports = 4; | |
828 | mc->ports = xmalloc(mc->allocated_ports * sizeof *mc->ports); | |
829 | } | |
830 | if (mc->n_ports >= mc->allocated_ports) { | |
831 | mc->ports = x2nrealloc(mc->ports, &mc->allocated_ports, | |
832 | sizeof *mc->ports); | |
833 | } | |
834 | mc->ports[mc->n_ports++] = port; | |
835 | } | |
4edcdcf4 | 836 | |
5868eb24 BP |
837 | static void |
838 | ovn_multicast_destroy(struct hmap *mcgroups, struct ovn_multicast *mc) | |
839 | { | |
840 | if (mc) { | |
841 | hmap_remove(mcgroups, &mc->hmap_node); | |
842 | free(mc->ports); | |
843 | free(mc); | |
844 | } | |
845 | } | |
4edcdcf4 | 846 | |
5868eb24 BP |
847 | static void |
848 | ovn_multicast_update_sbrec(const struct ovn_multicast *mc, | |
849 | const struct sbrec_multicast_group *sb) | |
850 | { | |
851 | struct sbrec_port_binding **ports = xmalloc(mc->n_ports * sizeof *ports); | |
852 | for (size_t i = 0; i < mc->n_ports; i++) { | |
853 | ports[i] = CONST_CAST(struct sbrec_port_binding *, mc->ports[i]->sb); | |
854 | } | |
855 | sbrec_multicast_group_set_ports(sb, ports, mc->n_ports); | |
856 | free(ports); | |
4edcdcf4 | 857 | } |
bd39395f | 858 | \f |
48605550 | 859 | /* Logical flow generation. |
bd39395f | 860 | * |
48605550 | 861 | * This code generates the Logical_Flow table in the southbound database, as a |
bd39395f BP |
862 | * function of most of the northbound database. |
863 | */ | |
864 | ||
5868eb24 BP |
865 | struct ovn_lflow { |
866 | struct hmap_node hmap_node; | |
bd39395f | 867 | |
5868eb24 | 868 | struct ovn_datapath *od; |
880fcd14 | 869 | enum ovn_stage stage; |
5868eb24 BP |
870 | uint16_t priority; |
871 | char *match; | |
872 | char *actions; | |
bd39395f BP |
873 | }; |
874 | ||
875 | static size_t | |
5868eb24 | 876 | ovn_lflow_hash(const struct ovn_lflow *lflow) |
bd39395f | 877 | { |
5868eb24 | 878 | size_t hash = uuid_hash(&lflow->od->key); |
880fcd14 | 879 | hash = hash_2words((lflow->stage << 16) | lflow->priority, hash); |
5868eb24 BP |
880 | hash = hash_string(lflow->match, hash); |
881 | return hash_string(lflow->actions, hash); | |
bd39395f BP |
882 | } |
883 | ||
5868eb24 BP |
884 | static bool |
885 | ovn_lflow_equal(const struct ovn_lflow *a, const struct ovn_lflow *b) | |
886 | { | |
887 | return (a->od == b->od | |
880fcd14 | 888 | && a->stage == b->stage |
5868eb24 BP |
889 | && a->priority == b->priority |
890 | && !strcmp(a->match, b->match) | |
891 | && !strcmp(a->actions, b->actions)); | |
892 | } | |
893 | ||
894 | static void | |
895 | ovn_lflow_init(struct ovn_lflow *lflow, struct ovn_datapath *od, | |
880fcd14 | 896 | enum ovn_stage stage, uint16_t priority, |
5868eb24 | 897 | char *match, char *actions) |
bd39395f | 898 | { |
5868eb24 | 899 | lflow->od = od; |
880fcd14 | 900 | lflow->stage = stage; |
5868eb24 BP |
901 | lflow->priority = priority; |
902 | lflow->match = match; | |
903 | lflow->actions = actions; | |
bd39395f BP |
904 | } |
905 | ||
48605550 | 906 | /* Adds a row with the specified contents to the Logical_Flow table. */ |
bd39395f | 907 | static void |
5868eb24 | 908 | ovn_lflow_add(struct hmap *lflow_map, struct ovn_datapath *od, |
880fcd14 | 909 | enum ovn_stage stage, uint16_t priority, |
5868eb24 BP |
910 | const char *match, const char *actions) |
911 | { | |
912 | struct ovn_lflow *lflow = xmalloc(sizeof *lflow); | |
880fcd14 | 913 | ovn_lflow_init(lflow, od, stage, priority, |
5868eb24 BP |
914 | xstrdup(match), xstrdup(actions)); |
915 | hmap_insert(lflow_map, &lflow->hmap_node, ovn_lflow_hash(lflow)); | |
916 | } | |
917 | ||
918 | static struct ovn_lflow * | |
919 | ovn_lflow_find(struct hmap *lflows, struct ovn_datapath *od, | |
880fcd14 | 920 | enum ovn_stage stage, uint16_t priority, |
5868eb24 BP |
921 | const char *match, const char *actions) |
922 | { | |
923 | struct ovn_lflow target; | |
880fcd14 | 924 | ovn_lflow_init(&target, od, stage, priority, |
5868eb24 BP |
925 | CONST_CAST(char *, match), CONST_CAST(char *, actions)); |
926 | ||
927 | struct ovn_lflow *lflow; | |
928 | HMAP_FOR_EACH_WITH_HASH (lflow, hmap_node, ovn_lflow_hash(&target), | |
929 | lflows) { | |
930 | if (ovn_lflow_equal(lflow, &target)) { | |
931 | return lflow; | |
bd39395f BP |
932 | } |
933 | } | |
5868eb24 BP |
934 | return NULL; |
935 | } | |
bd39395f | 936 | |
5868eb24 BP |
937 | static void |
938 | ovn_lflow_destroy(struct hmap *lflows, struct ovn_lflow *lflow) | |
939 | { | |
940 | if (lflow) { | |
941 | hmap_remove(lflows, &lflow->hmap_node); | |
942 | free(lflow->match); | |
943 | free(lflow->actions); | |
944 | free(lflow); | |
945 | } | |
bd39395f BP |
946 | } |
947 | ||
7dc88496 NS |
948 | struct ipv4_netaddr { |
949 | ovs_be32 addr; | |
950 | unsigned int plen; | |
951 | }; | |
952 | ||
953 | struct ipv6_netaddr { | |
954 | struct in6_addr addr; | |
955 | unsigned int plen; | |
956 | }; | |
957 | ||
958 | struct lport_addresses { | |
959 | struct eth_addr ea; | |
960 | size_t n_ipv4_addrs; | |
961 | struct ipv4_netaddr *ipv4_addrs; | |
962 | size_t n_ipv6_addrs; | |
963 | struct ipv6_netaddr *ipv6_addrs; | |
964 | }; | |
965 | ||
966 | /* | |
967 | * Extracts the mac, ipv4 and ipv6 addresses from the input param 'address' | |
968 | * which should be of the format 'MAC [IP1 IP2 ..]" where IPn should be | |
969 | * a valid IPv4 or IPv6 address and stores them in the 'ipv4_addrs' and | |
970 | * 'ipv6_addrs' fields of input param 'laddrs'. | |
971 | * The caller has to free the 'ipv4_addrs' and 'ipv6_addrs' fields. | |
972 | * If input param 'store_ipv6' is true only then extracted ipv6 addresses | |
973 | * are stored in 'ipv6_addrs' fields. | |
974 | * Return true if at least 'MAC' is found in 'address', false otherwise. | |
975 | * Eg 1. | |
976 | * If 'address' = '00:00:00:00:00:01 10.0.0.4 fe80::ea2a:eaff:fe28:3390/64 | |
977 | * 30.0.0.3/23' and 'store_ipv6' = true | |
978 | * then returns true with laddrs->n_ipv4_addrs = 2, naddrs->n_ipv6_addrs = 1. | |
979 | * | |
980 | * Eg. 2 | |
981 | * If 'address' = '00:00:00:00:00:01 10.0.0.4 fe80::ea2a:eaff:fe28:3390/64 | |
982 | * 30.0.0.3/23' and 'store_ipv6' = false | |
983 | * then returns true with laddrs->n_ipv4_addrs = 2, naddrs->n_ipv6_addrs = 0. | |
984 | * | |
985 | * Eg 3. If 'address' = '00:00:00:00:00:01 10.0.0.4 addr 30.0.0.4', then | |
986 | * returns true with laddrs->n_ipv4_addrs = 1 and laddrs->n_ipv6_addrs = 0. | |
987 | */ | |
988 | static bool | |
989 | extract_lport_addresses(char *address, struct lport_addresses *laddrs, | |
990 | bool store_ipv6) | |
991 | { | |
992 | char *buf = address; | |
993 | int buf_index = 0; | |
994 | char *buf_end = buf + strlen(address); | |
995 | if (!ovs_scan_len(buf, &buf_index, ETH_ADDR_SCAN_FMT, | |
996 | ETH_ADDR_SCAN_ARGS(laddrs->ea))) { | |
7dc88496 NS |
997 | return false; |
998 | } | |
999 | ||
1000 | ovs_be32 ip4; | |
1001 | struct in6_addr ip6; | |
1002 | unsigned int plen; | |
1003 | char *error; | |
1004 | ||
1005 | laddrs->n_ipv4_addrs = 0; | |
1006 | laddrs->n_ipv6_addrs = 0; | |
1007 | laddrs->ipv4_addrs = NULL; | |
1008 | laddrs->ipv6_addrs = NULL; | |
1009 | ||
1010 | /* Loop through the buffer and extract the IPv4/IPv6 addresses | |
1011 | * and store in the 'laddrs'. Break the loop if invalid data is found. | |
1012 | */ | |
1013 | buf += buf_index; | |
1014 | while (buf < buf_end) { | |
1015 | buf_index = 0; | |
1016 | error = ip_parse_cidr_len(buf, &buf_index, &ip4, &plen); | |
1017 | if (!error) { | |
1018 | laddrs->n_ipv4_addrs++; | |
1019 | laddrs->ipv4_addrs = xrealloc( | |
1020 | laddrs->ipv4_addrs, | |
1021 | sizeof (struct ipv4_netaddr) * laddrs->n_ipv4_addrs); | |
1022 | laddrs->ipv4_addrs[laddrs->n_ipv4_addrs - 1].addr = ip4; | |
1023 | laddrs->ipv4_addrs[laddrs->n_ipv4_addrs - 1].plen = plen; | |
1024 | buf += buf_index; | |
1025 | continue; | |
1026 | } | |
1027 | free(error); | |
1028 | error = ipv6_parse_cidr_len(buf, &buf_index, &ip6, &plen); | |
1029 | if (!error && store_ipv6) { | |
1030 | laddrs->n_ipv6_addrs++; | |
1031 | laddrs->ipv6_addrs = xrealloc( | |
1032 | laddrs->ipv6_addrs, | |
1033 | sizeof(struct ipv6_netaddr) * laddrs->n_ipv6_addrs); | |
1034 | memcpy(&laddrs->ipv6_addrs[laddrs->n_ipv6_addrs - 1].addr, &ip6, | |
1035 | sizeof(struct in6_addr)); | |
1036 | laddrs->ipv6_addrs[laddrs->n_ipv6_addrs - 1].plen = plen; | |
1037 | } | |
1038 | ||
1039 | if (error) { | |
1040 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
1041 | VLOG_INFO_RL(&rl, "invalid syntax '%s' in address", address); | |
1042 | free(error); | |
1043 | break; | |
1044 | } | |
1045 | buf += buf_index; | |
1046 | } | |
1047 | ||
1048 | return true; | |
1049 | } | |
1050 | ||
bd39395f BP |
1051 | /* Appends port security constraints on L2 address field 'eth_addr_field' |
1052 | * (e.g. "eth.src" or "eth.dst") to 'match'. 'port_security', with | |
1053 | * 'n_port_security' elements, is the collection of port_security constraints | |
f7cb14cd | 1054 | * from an OVN_NB Logical_Port row. */ |
bd39395f | 1055 | static void |
685f4dfe NS |
1056 | build_port_security_l2(const char *eth_addr_field, |
1057 | char **port_security, size_t n_port_security, | |
1058 | struct ds *match) | |
bd39395f BP |
1059 | { |
1060 | size_t base_len = match->length; | |
1061 | ds_put_format(match, " && %s == {", eth_addr_field); | |
1062 | ||
1063 | size_t n = 0; | |
1064 | for (size_t i = 0; i < n_port_security; i++) { | |
74ff3298 | 1065 | struct eth_addr ea; |
f7cb14cd | 1066 | |
74ff3298 | 1067 | if (eth_addr_from_string(port_security[i], &ea)) { |
f7cb14cd | 1068 | ds_put_format(match, ETH_ADDR_FMT, ETH_ADDR_ARGS(ea)); |
bd39395f BP |
1069 | ds_put_char(match, ' '); |
1070 | n++; | |
1071 | } | |
1072 | } | |
f7cb14cd | 1073 | ds_chomp(match, ' '); |
bd39395f | 1074 | ds_put_cstr(match, "}"); |
4edcdcf4 | 1075 | |
bd39395f BP |
1076 | if (!n) { |
1077 | match->length = base_len; | |
1078 | } | |
1079 | } | |
1080 | ||
685f4dfe NS |
1081 | static void |
1082 | build_port_security_ipv6_nd_flow( | |
1083 | struct ds *match, struct eth_addr ea, struct ipv6_netaddr *ipv6_addrs, | |
1084 | int n_ipv6_addrs) | |
1085 | { | |
1086 | ds_put_format(match, " && ip6 && nd && ((nd.sll == "ETH_ADDR_FMT" || " | |
1087 | "nd.sll == "ETH_ADDR_FMT") || ((nd.tll == "ETH_ADDR_FMT" || " | |
1088 | "nd.tll == "ETH_ADDR_FMT")", ETH_ADDR_ARGS(eth_addr_zero), | |
1089 | ETH_ADDR_ARGS(ea), ETH_ADDR_ARGS(eth_addr_zero), | |
1090 | ETH_ADDR_ARGS(ea)); | |
1091 | if (!n_ipv6_addrs) { | |
1092 | ds_put_cstr(match, "))"); | |
1093 | return; | |
1094 | } | |
1095 | ||
1096 | char ip6_str[INET6_ADDRSTRLEN + 1]; | |
1097 | struct in6_addr lla; | |
1098 | in6_generate_lla(ea, &lla); | |
1099 | memset(ip6_str, 0, sizeof(ip6_str)); | |
1100 | ipv6_string_mapped(ip6_str, &lla); | |
1101 | ds_put_format(match, " && (nd.target == %s", ip6_str); | |
1102 | ||
1103 | for(int i = 0; i < n_ipv6_addrs; i++) { | |
1104 | memset(ip6_str, 0, sizeof(ip6_str)); | |
1105 | ipv6_string_mapped(ip6_str, &ipv6_addrs[i].addr); | |
1106 | ds_put_format(match, " || nd.target == %s", ip6_str); | |
1107 | } | |
1108 | ||
1109 | ds_put_format(match, ")))"); | |
1110 | } | |
1111 | ||
1112 | static void | |
1113 | build_port_security_ipv6_flow( | |
1114 | enum ovn_pipeline pipeline, struct ds *match, struct eth_addr ea, | |
1115 | struct ipv6_netaddr *ipv6_addrs, int n_ipv6_addrs) | |
1116 | { | |
1117 | char ip6_str[INET6_ADDRSTRLEN + 1]; | |
1118 | ||
1119 | ds_put_format(match, " && %s == {", | |
1120 | pipeline == P_IN ? "ip6.src" : "ip6.dst"); | |
1121 | ||
1122 | /* Allow link-local address. */ | |
1123 | struct in6_addr lla; | |
1124 | in6_generate_lla(ea, &lla); | |
1125 | ipv6_string_mapped(ip6_str, &lla); | |
1126 | ds_put_format(match, "%s, ", ip6_str); | |
1127 | ||
1128 | /* Allow ip6.src=:: and ip6.dst=ff00::/8 for ND packets */ | |
1129 | ds_put_cstr(match, pipeline == P_IN ? "::" : "ff00::/8"); | |
1130 | for(int i = 0; i < n_ipv6_addrs; i++) { | |
1131 | ipv6_string_mapped(ip6_str, &ipv6_addrs[i].addr); | |
1132 | ds_put_format(match, ", %s", ip6_str); | |
1133 | } | |
1134 | ds_put_cstr(match, "}"); | |
1135 | } | |
1136 | ||
1137 | /** | |
1138 | * Build port security constraints on ARP and IPv6 ND fields | |
1139 | * and add logical flows to S_SWITCH_IN_PORT_SEC_ND stage. | |
1140 | * | |
1141 | * For each port security of the logical port, following | |
1142 | * logical flows are added | |
1143 | * - If the port security has no IP (both IPv4 and IPv6) or | |
1144 | * if it has IPv4 address(es) | |
1145 | * - Priority 90 flow to allow ARP packets for known MAC addresses | |
1146 | * in the eth.src and arp.spa fields. If the port security | |
1147 | * has IPv4 addresses, allow known IPv4 addresses in the arp.tpa field. | |
1148 | * | |
1149 | * - If the port security has no IP (both IPv4 and IPv6) or | |
1150 | * if it has IPv6 address(es) | |
1151 | * - Priority 90 flow to allow IPv6 ND packets for known MAC addresses | |
1152 | * in the eth.src and nd.sll/nd.tll fields. If the port security | |
1153 | * has IPv6 addresses, allow known IPv6 addresses in the nd.target field | |
1154 | * for IPv6 Neighbor Advertisement packet. | |
1155 | * | |
1156 | * - Priority 80 flow to drop ARP and IPv6 ND packets. | |
1157 | */ | |
1158 | static void | |
1159 | build_port_security_nd(struct ovn_port *op, struct hmap *lflows) | |
1160 | { | |
1161 | for (size_t i = 0; i < op->nbs->n_port_security; i++) { | |
1162 | struct lport_addresses ps; | |
1163 | if (!extract_lport_addresses(op->nbs->port_security[i], &ps, true)) { | |
1164 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
1165 | VLOG_INFO_RL(&rl, "invalid syntax '%s' in port security. No MAC" | |
1166 | " address found", op->nbs->port_security[i]); | |
1167 | continue; | |
1168 | } | |
1169 | ||
1170 | bool no_ip = !(ps.n_ipv4_addrs || ps.n_ipv6_addrs); | |
1171 | struct ds match = DS_EMPTY_INITIALIZER; | |
1172 | ||
1173 | if (ps.n_ipv4_addrs || no_ip) { | |
1174 | ds_put_format( | |
1175 | &match, "inport == %s && eth.src == "ETH_ADDR_FMT" && arp.sha == " | |
1176 | ETH_ADDR_FMT, op->json_key, ETH_ADDR_ARGS(ps.ea), | |
1177 | ETH_ADDR_ARGS(ps.ea)); | |
1178 | ||
1179 | if (ps.n_ipv4_addrs) { | |
1180 | ds_put_cstr(&match, " && ("); | |
1181 | for (size_t i = 0; i < ps.n_ipv4_addrs; i++) { | |
1182 | ds_put_format(&match, "arp.spa == "IP_FMT" || ", | |
1183 | IP_ARGS(ps.ipv4_addrs[i].addr)); | |
1184 | } | |
1185 | ds_chomp(&match, ' '); | |
1186 | ds_chomp(&match, '|'); | |
1187 | ds_chomp(&match, '|'); | |
1188 | ds_put_cstr(&match, ")"); | |
1189 | } | |
1190 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 90, | |
1191 | ds_cstr(&match), "next;"); | |
1192 | ds_destroy(&match); | |
1193 | } | |
1194 | ||
1195 | if (ps.n_ipv6_addrs || no_ip) { | |
1196 | ds_init(&match); | |
1197 | ds_put_format(&match, "inport == %s && eth.src == "ETH_ADDR_FMT, | |
1198 | op->json_key, ETH_ADDR_ARGS(ps.ea)); | |
1199 | build_port_security_ipv6_nd_flow(&match, ps.ea, ps.ipv6_addrs, | |
1200 | ps.n_ipv6_addrs); | |
1201 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 90, | |
1202 | ds_cstr(&match), "next;"); | |
1203 | ds_destroy(&match); | |
1204 | } | |
1205 | free(ps.ipv4_addrs); | |
1206 | free(ps.ipv6_addrs); | |
1207 | } | |
1208 | ||
1209 | char *match = xasprintf("inport == %s && (arp || nd)", op->json_key); | |
1210 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_ND, 80, | |
1211 | match, "drop;"); | |
1212 | free(match); | |
1213 | } | |
1214 | ||
1215 | /** | |
1216 | * Build port security constraints on IPv4 and IPv6 src and dst fields | |
1217 | * and add logical flows to S_SWITCH_(IN/OUT)_PORT_SEC_IP stage. | |
1218 | * | |
1219 | * For each port security of the logical port, following | |
1220 | * logical flows are added | |
1221 | * - If the port security has IPv4 addresses, | |
1222 | * - Priority 90 flow to allow IPv4 packets for known IPv4 addresses | |
1223 | * | |
1224 | * - If the port security has IPv6 addresses, | |
1225 | * - Priority 90 flow to allow IPv6 packets for known IPv6 addresses | |
1226 | * | |
1227 | * - If the port security has IPv4 addresses or IPv6 addresses or both | |
1228 | * - Priority 80 flow to drop all IPv4 and IPv6 traffic | |
1229 | */ | |
1230 | static void | |
1231 | build_port_security_ip(enum ovn_pipeline pipeline, struct ovn_port *op, | |
1232 | struct hmap *lflows) | |
1233 | { | |
1234 | char *port_direction; | |
1235 | enum ovn_stage stage; | |
1236 | if (pipeline == P_IN) { | |
1237 | port_direction = "inport"; | |
1238 | stage = S_SWITCH_IN_PORT_SEC_IP; | |
1239 | } else { | |
1240 | port_direction = "outport"; | |
1241 | stage = S_SWITCH_OUT_PORT_SEC_IP; | |
1242 | } | |
1243 | ||
1244 | for (size_t i = 0; i < op->nbs->n_port_security; i++) { | |
1245 | struct lport_addresses ps; | |
1246 | if (!extract_lport_addresses(op->nbs->port_security[i], &ps, true)) { | |
1247 | continue; | |
1248 | } | |
1249 | ||
1250 | if (!(ps.n_ipv4_addrs || ps.n_ipv6_addrs)) { | |
1251 | continue; | |
1252 | } | |
1253 | ||
1254 | if (ps.n_ipv4_addrs) { | |
1255 | struct ds match = DS_EMPTY_INITIALIZER; | |
1256 | if (pipeline == P_IN) { | |
1257 | ds_put_format(&match, "inport == %s && eth.src == "ETH_ADDR_FMT | |
1258 | " && ip4.src == {0.0.0.0, ", op->json_key, | |
1259 | ETH_ADDR_ARGS(ps.ea)); | |
1260 | } else { | |
1261 | ds_put_format(&match, "outport == %s && eth.dst == "ETH_ADDR_FMT | |
1262 | " && ip4.dst == {255.255.255.255, 224.0.0.0/4, ", | |
1263 | op->json_key, ETH_ADDR_ARGS(ps.ea)); | |
1264 | } | |
1265 | ||
1266 | for (int i = 0; i < ps.n_ipv4_addrs; i++) { | |
1267 | ds_put_format(&match, IP_FMT", ", IP_ARGS(ps.ipv4_addrs[i].addr)); | |
1268 | } | |
1269 | ||
1270 | /* Replace ", " by "}". */ | |
1271 | ds_chomp(&match, ' '); | |
1272 | ds_chomp(&match, ','); | |
1273 | ds_put_cstr(&match, "}"); | |
1274 | ovn_lflow_add(lflows, op->od, stage, 90, ds_cstr(&match), "next;"); | |
1275 | ds_destroy(&match); | |
1276 | free(ps.ipv4_addrs); | |
1277 | } | |
1278 | ||
1279 | if (ps.n_ipv6_addrs) { | |
1280 | struct ds match = DS_EMPTY_INITIALIZER; | |
1281 | ds_put_format(&match, "%s == %s && %s == "ETH_ADDR_FMT"", | |
1282 | port_direction, op->json_key, | |
1283 | pipeline == P_IN ? "eth.src" : "eth.dst", | |
1284 | ETH_ADDR_ARGS(ps.ea)); | |
1285 | build_port_security_ipv6_flow(pipeline, &match, ps.ea, | |
1286 | ps.ipv6_addrs, ps.n_ipv6_addrs); | |
1287 | ovn_lflow_add(lflows, op->od, stage, 90, | |
1288 | ds_cstr(&match), "next;"); | |
1289 | ds_destroy(&match); | |
1290 | free(ps.ipv6_addrs); | |
1291 | } | |
1292 | ||
1293 | char *match = xasprintf( | |
1294 | "%s == %s && %s == "ETH_ADDR_FMT" && ip", port_direction, | |
1295 | op->json_key, pipeline == P_IN ? "eth.src" : "eth.dst", | |
1296 | ETH_ADDR_ARGS(ps.ea)); | |
1297 | ovn_lflow_add(lflows, op->od, stage, 80, match, "drop;"); | |
1298 | free(match); | |
1299 | } | |
1300 | } | |
1301 | ||
95a9a275 RB |
1302 | static bool |
1303 | lport_is_enabled(const struct nbrec_logical_port *lport) | |
1304 | { | |
1305 | return !lport->enabled || *lport->enabled; | |
1306 | } | |
1307 | ||
4c7bf534 NS |
1308 | static bool |
1309 | lport_is_up(const struct nbrec_logical_port *lport) | |
1310 | { | |
1311 | return !lport->up || *lport->up; | |
1312 | } | |
1313 | ||
78aab811 JP |
1314 | static bool |
1315 | has_stateful_acl(struct ovn_datapath *od) | |
1316 | { | |
9975d7be BP |
1317 | for (size_t i = 0; i < od->nbs->n_acls; i++) { |
1318 | struct nbrec_acl *acl = od->nbs->acls[i]; | |
78aab811 JP |
1319 | if (!strcmp(acl->action, "allow-related")) { |
1320 | return true; | |
1321 | } | |
1322 | } | |
1323 | ||
1324 | return false; | |
1325 | } | |
1326 | ||
1327 | static void | |
48fcdb47 | 1328 | build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports) |
78aab811 JP |
1329 | { |
1330 | bool has_stateful = has_stateful_acl(od); | |
48fcdb47 | 1331 | struct ovn_port *op; |
78aab811 JP |
1332 | |
1333 | /* Ingress and Egress Pre-ACL Table (Priority 0): Packets are | |
1334 | * allowed by default. */ | |
880fcd14 BP |
1335 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 0, "1", "next;"); |
1336 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;"); | |
78aab811 JP |
1337 | |
1338 | /* Ingress and Egress ACL Table (Priority 0): Packets are allowed by | |
1339 | * default. A related rule at priority 1 is added below if there | |
1340 | * are any stateful ACLs in this datapath. */ | |
880fcd14 BP |
1341 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;"); |
1342 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;"); | |
78aab811 JP |
1343 | |
1344 | /* If there are any stateful ACL rules in this dapapath, we must | |
1345 | * send all IP packets through the conntrack action, which handles | |
1346 | * defragmentation, in order to match L4 headers. */ | |
1347 | if (has_stateful) { | |
48fcdb47 WL |
1348 | HMAP_FOR_EACH (op, key_node, ports) { |
1349 | if (op->od == od && !strcmp(op->nbs->type, "router")) { | |
501f95e1 JP |
1350 | /* Can't use ct() for router ports. Consider the |
1351 | * following configuration: lp1(10.0.0.2) on | |
1352 | * hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a | |
1353 | * ping from lp1 to lp2, First, the response will go | |
1354 | * through ct() with a zone for lp2 in the ls2 ingress | |
1355 | * pipeline on hostB. That ct zone knows about this | |
1356 | * connection. Next, it goes through ct() with the zone | |
1357 | * for the router port in the egress pipeline of ls2 on | |
1358 | * hostB. This zone does not know about the connection, | |
1359 | * as the icmp request went through the logical router | |
1360 | * on hostA, not hostB. This would only work with | |
1361 | * distributed conntrack state across all chassis. */ | |
1362 | struct ds match_in = DS_EMPTY_INITIALIZER; | |
1363 | struct ds match_out = DS_EMPTY_INITIALIZER; | |
1364 | ||
48fcdb47 WL |
1365 | ds_put_format(&match_in, "ip && inport == %s", op->json_key); |
1366 | ds_put_format(&match_out, "ip && outport == %s", op->json_key); | |
501f95e1 JP |
1367 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, |
1368 | ds_cstr(&match_in), "next;"); | |
1369 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, | |
1370 | ds_cstr(&match_out), "next;"); | |
48fcdb47 WL |
1371 | |
1372 | ds_destroy(&match_in); | |
1373 | ds_destroy(&match_out); | |
1374 | } | |
1375 | } | |
1376 | ||
78aab811 JP |
1377 | /* Ingress and Egress Pre-ACL Table (Priority 100). |
1378 | * | |
1379 | * Regardless of whether the ACL is "from-lport" or "to-lport", | |
1380 | * we need rules in both the ingress and egress table, because | |
1381 | * the return traffic needs to be followed. */ | |
880fcd14 BP |
1382 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip", "ct_next;"); |
1383 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip", "ct_next;"); | |
78aab811 JP |
1384 | |
1385 | /* Ingress and Egress ACL Table (Priority 1). | |
1386 | * | |
1387 | * By default, traffic is allowed. This is partially handled by | |
1388 | * the Priority 0 ACL flows added earlier, but we also need to | |
1389 | * commit IP flows. This is because, while the initiater's | |
1390 | * direction may not have any stateful rules, the server's may | |
1391 | * and then its return traffic would not have an associated | |
1392 | * conntrack entry and would return "+invalid". */ | |
880fcd14 | 1393 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1, "ip", |
78aab811 | 1394 | "ct_commit; next;"); |
880fcd14 | 1395 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1, "ip", |
78aab811 JP |
1396 | "ct_commit; next;"); |
1397 | ||
1398 | /* Ingress and Egress ACL Table (Priority 65535). | |
1399 | * | |
1400 | * Always drop traffic that's in an invalid state. This is | |
1401 | * enforced at a higher priority than ACLs can be defined. */ | |
880fcd14 | 1402 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
78aab811 | 1403 | "ct.inv", "drop;"); |
880fcd14 | 1404 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
78aab811 JP |
1405 | "ct.inv", "drop;"); |
1406 | ||
1407 | /* Ingress and Egress ACL Table (Priority 65535). | |
1408 | * | |
1409 | * Always allow traffic that is established to a committed | |
1410 | * conntrack entry. This is enforced at a higher priority than | |
1411 | * ACLs can be defined. */ | |
880fcd14 | 1412 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
78aab811 JP |
1413 | "ct.est && !ct.rel && !ct.new && !ct.inv", |
1414 | "next;"); | |
880fcd14 | 1415 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
78aab811 JP |
1416 | "ct.est && !ct.rel && !ct.new && !ct.inv", |
1417 | "next;"); | |
1418 | ||
1419 | /* Ingress and Egress ACL Table (Priority 65535). | |
1420 | * | |
1421 | * Always allow traffic that is related to an existing conntrack | |
1422 | * entry. This is enforced at a higher priority than ACLs can | |
1423 | * be defined. | |
1424 | * | |
1425 | * NOTE: This does not support related data sessions (eg, | |
1426 | * a dynamically negotiated FTP data channel), but will allow | |
1427 | * related traffic such as an ICMP Port Unreachable through | |
1428 | * that's generated from a non-listening UDP port. */ | |
880fcd14 | 1429 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX, |
78aab811 JP |
1430 | "!ct.est && ct.rel && !ct.new && !ct.inv", |
1431 | "next;"); | |
880fcd14 | 1432 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX, |
78aab811 JP |
1433 | "!ct.est && ct.rel && !ct.new && !ct.inv", |
1434 | "next;"); | |
1435 | } | |
1436 | ||
1437 | /* Ingress or Egress ACL Table (Various priorities). */ | |
9975d7be BP |
1438 | for (size_t i = 0; i < od->nbs->n_acls; i++) { |
1439 | struct nbrec_acl *acl = od->nbs->acls[i]; | |
78aab811 | 1440 | bool ingress = !strcmp(acl->direction, "from-lport") ? true :false; |
880fcd14 | 1441 | enum ovn_stage stage = ingress ? S_SWITCH_IN_ACL : S_SWITCH_OUT_ACL; |
78aab811 JP |
1442 | |
1443 | if (!strcmp(acl->action, "allow")) { | |
1444 | /* If there are any stateful flows, we must even commit "allow" | |
1445 | * actions. This is because, while the initiater's | |
1446 | * direction may not have any stateful rules, the server's | |
1447 | * may and then its return traffic would not have an | |
1448 | * associated conntrack entry and would return "+invalid". */ | |
1449 | const char *actions = has_stateful ? "ct_commit; next;" : "next;"; | |
6bb4a18e JP |
1450 | ovn_lflow_add(lflows, od, stage, |
1451 | acl->priority + OVN_ACL_PRI_OFFSET, | |
78aab811 JP |
1452 | acl->match, actions); |
1453 | } else if (!strcmp(acl->action, "allow-related")) { | |
1454 | struct ds match = DS_EMPTY_INITIALIZER; | |
1455 | ||
1456 | /* Commit the connection tracking entry, which allows all | |
1457 | * other traffic related to this entry to flow due to the | |
1458 | * 65535 priority flow defined earlier. */ | |
1459 | ds_put_format(&match, "ct.new && (%s)", acl->match); | |
6bb4a18e JP |
1460 | ovn_lflow_add(lflows, od, stage, |
1461 | acl->priority + OVN_ACL_PRI_OFFSET, | |
78aab811 JP |
1462 | ds_cstr(&match), "ct_commit; next;"); |
1463 | ||
1464 | ds_destroy(&match); | |
1465 | } else if (!strcmp(acl->action, "drop")) { | |
6bb4a18e JP |
1466 | ovn_lflow_add(lflows, od, stage, |
1467 | acl->priority + OVN_ACL_PRI_OFFSET, | |
78aab811 JP |
1468 | acl->match, "drop;"); |
1469 | } else if (!strcmp(acl->action, "reject")) { | |
1470 | /* xxx Need to support "reject". */ | |
1471 | VLOG_INFO("reject is not a supported action"); | |
6bb4a18e JP |
1472 | ovn_lflow_add(lflows, od, stage, |
1473 | acl->priority + OVN_ACL_PRI_OFFSET, | |
78aab811 JP |
1474 | acl->match, "drop;"); |
1475 | } | |
1476 | } | |
1477 | } | |
1478 | ||
bd39395f | 1479 | static void |
9975d7be BP |
1480 | build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, |
1481 | struct hmap *lflows, struct hmap *mcgroups) | |
bd39395f | 1482 | { |
5cff6b99 BP |
1483 | /* This flow table structure is documented in ovn-northd(8), so please |
1484 | * update ovn-northd.8.xml if you change anything. */ | |
1485 | ||
9975d7be | 1486 | /* Build pre-ACL and ACL tables for both ingress and egress. |
685f4dfe | 1487 | * Ingress tables 3 and 4. Egress tables 0 and 1. */ |
5868eb24 BP |
1488 | struct ovn_datapath *od; |
1489 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
1490 | if (!od->nbs) { |
1491 | continue; | |
1492 | } | |
1493 | ||
48fcdb47 | 1494 | build_acls(od, lflows, ports); |
9975d7be BP |
1495 | } |
1496 | ||
1497 | /* Logical switch ingress table 0: Admission control framework (priority | |
1498 | * 100). */ | |
1499 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1500 | if (!od->nbs) { | |
1501 | continue; | |
1502 | } | |
1503 | ||
bd39395f | 1504 | /* Logical VLANs not supported. */ |
685f4dfe | 1505 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "vlan.present", |
091e3af9 | 1506 | "drop;"); |
bd39395f BP |
1507 | |
1508 | /* Broadcast/multicast source address is invalid. */ | |
685f4dfe | 1509 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]", |
091e3af9 | 1510 | "drop;"); |
bd39395f | 1511 | |
35060cdc BP |
1512 | /* Port security flows have priority 50 (see below) and will continue |
1513 | * to the next table if packet source is acceptable. */ | |
bd39395f BP |
1514 | } |
1515 | ||
685f4dfe NS |
1516 | /* Logical switch ingress table 0: Ingress port security - L2 |
1517 | * (priority 50). | |
1518 | * Ingress table 1: Ingress port security - IP (priority 90 and 80) | |
1519 | * Ingress table 2: Ingress port security - ND (priority 90 and 80) | |
1520 | */ | |
5868eb24 BP |
1521 | struct ovn_port *op; |
1522 | HMAP_FOR_EACH (op, key_node, ports) { | |
9975d7be BP |
1523 | if (!op->nbs) { |
1524 | continue; | |
1525 | } | |
1526 | ||
1527 | if (!lport_is_enabled(op->nbs)) { | |
96af668a BP |
1528 | /* Drop packets from disabled logical ports (since logical flow |
1529 | * tables are default-drop). */ | |
1530 | continue; | |
1531 | } | |
1532 | ||
5868eb24 | 1533 | struct ds match = DS_EMPTY_INITIALIZER; |
9975d7be | 1534 | ds_put_format(&match, "inport == %s", op->json_key); |
685f4dfe NS |
1535 | build_port_security_l2( |
1536 | "eth.src", op->nbs->port_security, op->nbs->n_port_security, | |
1537 | &match); | |
1538 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, | |
96af668a | 1539 | ds_cstr(&match), "next;"); |
5868eb24 | 1540 | ds_destroy(&match); |
685f4dfe NS |
1541 | |
1542 | if (op->nbs->n_port_security) { | |
1543 | build_port_security_ip(P_IN, op, lflows); | |
1544 | build_port_security_nd(op, lflows); | |
1545 | } | |
1546 | } | |
1547 | ||
1548 | /* Ingress table 1 and 2: Port security - IP and ND, by default goto next. | |
1549 | * (priority 0)*/ | |
1550 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1551 | if (!od->nbs) { | |
1552 | continue; | |
1553 | } | |
1554 | ||
1555 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_ND, 0, "1", "next;"); | |
1556 | ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_IP, 0, "1", "next;"); | |
5868eb24 | 1557 | } |
445a266a | 1558 | |
fa128126 HZ |
1559 | /* Ingress table 3: ARP responder, skip requests coming from localnet ports. |
1560 | * (priority 100). */ | |
1561 | HMAP_FOR_EACH (op, key_node, ports) { | |
1562 | if (!op->nbs) { | |
1563 | continue; | |
1564 | } | |
1565 | ||
1566 | if (!strcmp(op->nbs->type, "localnet")) { | |
1567 | char *match = xasprintf("inport == %s", op->json_key); | |
1568 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_RSP, 100, | |
1569 | match, "next;"); | |
1570 | free(match); | |
1571 | } | |
1572 | } | |
1573 | ||
685f4dfe | 1574 | /* Ingress table 5: ARP responder, reply for known IPs. |
fa128126 | 1575 | * (priority 50). */ |
57d143eb HZ |
1576 | HMAP_FOR_EACH (op, key_node, ports) { |
1577 | if (!op->nbs) { | |
1578 | continue; | |
1579 | } | |
1580 | ||
4c7bf534 NS |
1581 | /* |
1582 | * Add ARP reply flows if either the | |
1583 | * - port is up or | |
1584 | * - port type is router | |
1585 | */ | |
1586 | if (!lport_is_up(op->nbs) && strcmp(op->nbs->type, "router")) { | |
1587 | continue; | |
1588 | } | |
1589 | ||
57d143eb | 1590 | for (size_t i = 0; i < op->nbs->n_addresses; i++) { |
7dc88496 NS |
1591 | struct lport_addresses laddrs; |
1592 | if (!extract_lport_addresses(op->nbs->addresses[i], &laddrs, | |
1593 | false)) { | |
1594 | continue; | |
1595 | } | |
1596 | for (size_t j = 0; j < laddrs.n_ipv4_addrs; j++) { | |
57d143eb | 1597 | char *match = xasprintf( |
7dc88496 NS |
1598 | "arp.tpa == "IP_FMT" && arp.op == 1", |
1599 | IP_ARGS(laddrs.ipv4_addrs[j].addr)); | |
57d143eb HZ |
1600 | char *actions = xasprintf( |
1601 | "eth.dst = eth.src; " | |
1602 | "eth.src = "ETH_ADDR_FMT"; " | |
1603 | "arp.op = 2; /* ARP reply */ " | |
1604 | "arp.tha = arp.sha; " | |
1605 | "arp.sha = "ETH_ADDR_FMT"; " | |
1606 | "arp.tpa = arp.spa; " | |
1607 | "arp.spa = "IP_FMT"; " | |
1608 | "outport = inport; " | |
1609 | "inport = \"\"; /* Allow sending out inport. */ " | |
1610 | "output;", | |
7dc88496 NS |
1611 | ETH_ADDR_ARGS(laddrs.ea), |
1612 | ETH_ADDR_ARGS(laddrs.ea), | |
1613 | IP_ARGS(laddrs.ipv4_addrs[j].addr)); | |
fa128126 | 1614 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_ARP_RSP, 50, |
57d143eb HZ |
1615 | match, actions); |
1616 | free(match); | |
1617 | free(actions); | |
1618 | } | |
7dc88496 NS |
1619 | |
1620 | free(laddrs.ipv4_addrs); | |
57d143eb HZ |
1621 | } |
1622 | } | |
1623 | ||
685f4dfe | 1624 | /* Ingress table 5: ARP responder, by default goto next. |
fa128126 HZ |
1625 | * (priority 0)*/ |
1626 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1627 | if (!od->nbs) { | |
1628 | continue; | |
1629 | } | |
1630 | ||
1631 | ovn_lflow_add(lflows, od, S_SWITCH_IN_ARP_RSP, 0, "1", "next;"); | |
1632 | } | |
1633 | ||
685f4dfe | 1634 | /* Ingress table 6: Destination lookup, broadcast and multicast handling |
5868eb24 BP |
1635 | * (priority 100). */ |
1636 | HMAP_FOR_EACH (op, key_node, ports) { | |
9975d7be BP |
1637 | if (!op->nbs) { |
1638 | continue; | |
1639 | } | |
1640 | ||
1641 | if (lport_is_enabled(op->nbs)) { | |
1642 | ovn_multicast_add(mcgroups, &mc_flood, op); | |
445a266a | 1643 | } |
5868eb24 BP |
1644 | } |
1645 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
1646 | if (!od->nbs) { |
1647 | continue; | |
1648 | } | |
1649 | ||
1650 | ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 100, "eth.mcast", | |
5868eb24 | 1651 | "outport = \""MC_FLOOD"\"; output;"); |
bd39395f | 1652 | } |
bd39395f | 1653 | |
685f4dfe | 1654 | /* Ingress table 6: Destination lookup, unicast handling (priority 50), */ |
5868eb24 | 1655 | HMAP_FOR_EACH (op, key_node, ports) { |
9975d7be BP |
1656 | if (!op->nbs) { |
1657 | continue; | |
1658 | } | |
1659 | ||
1660 | for (size_t i = 0; i < op->nbs->n_addresses; i++) { | |
74ff3298 | 1661 | struct eth_addr mac; |
5868eb24 | 1662 | |
9975d7be | 1663 | if (eth_addr_from_string(op->nbs->addresses[i], &mac)) { |
5868eb24 BP |
1664 | struct ds match, actions; |
1665 | ||
1666 | ds_init(&match); | |
9975d7be BP |
1667 | ds_put_format(&match, "eth.dst == "ETH_ADDR_FMT, |
1668 | ETH_ADDR_ARGS(mac)); | |
5868eb24 BP |
1669 | |
1670 | ds_init(&actions); | |
9975d7be BP |
1671 | ds_put_format(&actions, "outport = %s; output;", op->json_key); |
1672 | ovn_lflow_add(lflows, op->od, S_SWITCH_IN_L2_LKUP, 50, | |
5868eb24 BP |
1673 | ds_cstr(&match), ds_cstr(&actions)); |
1674 | ds_destroy(&actions); | |
1675 | ds_destroy(&match); | |
9975d7be BP |
1676 | } else if (!strcmp(op->nbs->addresses[i], "unknown")) { |
1677 | if (lport_is_enabled(op->nbs)) { | |
1678 | ovn_multicast_add(mcgroups, &mc_unknown, op); | |
96af668a BP |
1679 | op->od->has_unknown = true; |
1680 | } | |
5868eb24 BP |
1681 | } else { |
1682 | static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1); | |
445a266a | 1683 | |
2fa326a3 BP |
1684 | VLOG_INFO_RL(&rl, |
1685 | "%s: invalid syntax '%s' in addresses column", | |
9975d7be | 1686 | op->nbs->name, op->nbs->addresses[i]); |
445a266a BP |
1687 | } |
1688 | } | |
bd39395f BP |
1689 | } |
1690 | ||
685f4dfe | 1691 | /* Ingress table 6: Destination lookup for unknown MACs (priority 0). */ |
5868eb24 | 1692 | HMAP_FOR_EACH (od, key_node, datapaths) { |
9975d7be BP |
1693 | if (!od->nbs) { |
1694 | continue; | |
1695 | } | |
1696 | ||
5868eb24 | 1697 | if (od->has_unknown) { |
9975d7be | 1698 | ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 0, "1", |
5868eb24 | 1699 | "outport = \""MC_UNKNOWN"\"; output;"); |
445a266a | 1700 | } |
bd39395f BP |
1701 | } |
1702 | ||
685f4dfe NS |
1703 | /* Egress table 2: Egress port security - IP (priority 0) |
1704 | * port security L2 - multicast/broadcast (priority | |
5868eb24 BP |
1705 | * 100). */ |
1706 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
9975d7be BP |
1707 | if (!od->nbs) { |
1708 | continue; | |
1709 | } | |
1710 | ||
685f4dfe NS |
1711 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_IP, 0, "1", "next;"); |
1712 | ovn_lflow_add(lflows, od, S_SWITCH_OUT_PORT_SEC_L2, 100, "eth.mcast", | |
091e3af9 | 1713 | "output;"); |
48f42f3a RB |
1714 | } |
1715 | ||
685f4dfe NS |
1716 | /* Egress table 2: Egress port security - IP (priorities 90 and 80) |
1717 | * if port security enabled. | |
1718 | * | |
1719 | * Egress table 3: Egress port security - L2 (priorities 50 and 150). | |
d770a830 BP |
1720 | * |
1721 | * Priority 50 rules implement port security for enabled logical port. | |
1722 | * | |
1723 | * Priority 150 rules drop packets to disabled logical ports, so that they | |
1724 | * don't even receive multicast or broadcast packets. */ | |
5868eb24 | 1725 | HMAP_FOR_EACH (op, key_node, ports) { |
9975d7be BP |
1726 | if (!op->nbs) { |
1727 | continue; | |
1728 | } | |
1729 | ||
1730 | struct ds match = DS_EMPTY_INITIALIZER; | |
1731 | ds_put_format(&match, "outport == %s", op->json_key); | |
1732 | if (lport_is_enabled(op->nbs)) { | |
685f4dfe NS |
1733 | build_port_security_l2("eth.dst", op->nbs->port_security, |
1734 | op->nbs->n_port_security, &match); | |
1735 | ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2, 50, | |
d770a830 BP |
1736 | ds_cstr(&match), "output;"); |
1737 | } else { | |
685f4dfe | 1738 | ovn_lflow_add(lflows, op->od, S_SWITCH_OUT_PORT_SEC_L2, 150, |
d770a830 BP |
1739 | ds_cstr(&match), "drop;"); |
1740 | } | |
eb00399e | 1741 | |
5868eb24 | 1742 | ds_destroy(&match); |
685f4dfe NS |
1743 | |
1744 | if (op->nbs->n_port_security) { | |
1745 | build_port_security_ip(P_OUT, op, lflows); | |
1746 | } | |
eb00399e | 1747 | } |
9975d7be | 1748 | } |
eb00399e | 1749 | |
9975d7be BP |
1750 | static bool |
1751 | lrport_is_enabled(const struct nbrec_logical_router_port *lrport) | |
1752 | { | |
1753 | return !lrport->enabled || *lrport->enabled; | |
1754 | } | |
1755 | ||
1756 | static void | |
0bac7164 | 1757 | add_route(struct hmap *lflows, const struct ovn_port *op, |
9975d7be BP |
1758 | ovs_be32 network, ovs_be32 mask, ovs_be32 gateway) |
1759 | { | |
1760 | char *match = xasprintf("ip4.dst == "IP_FMT"/"IP_FMT, | |
1761 | IP_ARGS(network), IP_ARGS(mask)); | |
1762 | ||
1763 | struct ds actions = DS_EMPTY_INITIALIZER; | |
47f3b59b | 1764 | ds_put_cstr(&actions, "ip.ttl--; reg0 = "); |
9975d7be BP |
1765 | if (gateway) { |
1766 | ds_put_format(&actions, IP_FMT, IP_ARGS(gateway)); | |
1767 | } else { | |
1768 | ds_put_cstr(&actions, "ip4.dst"); | |
1769 | } | |
0bac7164 BP |
1770 | ds_put_format(&actions, |
1771 | "; " | |
1772 | "reg1 = "IP_FMT"; " | |
1773 | "eth.src = "ETH_ADDR_FMT"; " | |
1774 | "outport = %s; " | |
1775 | "next;", | |
1776 | IP_ARGS(op->ip), ETH_ADDR_ARGS(op->mac), op->json_key); | |
9975d7be BP |
1777 | |
1778 | /* The priority here is calculated to implement longest-prefix-match | |
1779 | * routing. */ | |
0bac7164 | 1780 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_ROUTING, |
9975d7be BP |
1781 | count_1bits(ntohl(mask)), match, ds_cstr(&actions)); |
1782 | ds_destroy(&actions); | |
1783 | free(match); | |
1784 | } | |
1785 | ||
1786 | static void | |
1787 | build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, | |
1788 | struct hmap *lflows) | |
1789 | { | |
1790 | /* This flow table structure is documented in ovn-northd(8), so please | |
1791 | * update ovn-northd.8.xml if you change anything. */ | |
1792 | ||
9975d7be BP |
1793 | /* Logical router ingress table 0: Admission control framework. */ |
1794 | struct ovn_datapath *od; | |
1795 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1796 | if (!od->nbr) { | |
1797 | continue; | |
1798 | } | |
1799 | ||
1800 | /* Logical VLANs not supported. | |
1801 | * Broadcast/multicast source address is invalid. */ | |
1802 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ADMISSION, 100, | |
1803 | "vlan.present || eth.src[40]", "drop;"); | |
1804 | } | |
1805 | ||
1806 | /* Logical router ingress table 0: match (priority 50). */ | |
1807 | struct ovn_port *op; | |
1808 | HMAP_FOR_EACH (op, key_node, ports) { | |
1809 | if (!op->nbr) { | |
1810 | continue; | |
1811 | } | |
1812 | ||
1813 | if (!lrport_is_enabled(op->nbr)) { | |
1814 | /* Drop packets from disabled logical ports (since logical flow | |
1815 | * tables are default-drop). */ | |
1816 | continue; | |
1817 | } | |
1818 | ||
1819 | char *match = xasprintf( | |
1820 | "(eth.mcast || eth.dst == "ETH_ADDR_FMT") && inport == %s", | |
1821 | ETH_ADDR_ARGS(op->mac), op->json_key); | |
1822 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_ADMISSION, 50, | |
1823 | match, "next;"); | |
e2229be9 | 1824 | free(match); |
9975d7be BP |
1825 | } |
1826 | ||
1827 | /* Logical router ingress table 1: IP Input. */ | |
78aab811 | 1828 | HMAP_FOR_EACH (od, key_node, datapaths) { |
9975d7be BP |
1829 | if (!od->nbr) { |
1830 | continue; | |
1831 | } | |
1832 | ||
1833 | /* L3 admission control: drop multicast and broadcast source, localhost | |
1834 | * source or destination, and zero network source or destination | |
1835 | * (priority 100). */ | |
1836 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 100, | |
1837 | "ip4.mcast || " | |
1838 | "ip4.src == 255.255.255.255 || " | |
1839 | "ip4.src == 127.0.0.0/8 || " | |
1840 | "ip4.dst == 127.0.0.0/8 || " | |
1841 | "ip4.src == 0.0.0.0/8 || " | |
1842 | "ip4.dst == 0.0.0.0/8", | |
1843 | "drop;"); | |
1844 | ||
0bac7164 BP |
1845 | /* ARP reply handling. Use ARP replies to populate the logical |
1846 | * router's ARP table. */ | |
1847 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 90, "arp.op == 2", | |
1848 | "put_arp(inport, arp.spa, arp.sha);"); | |
1849 | ||
9975d7be BP |
1850 | /* Drop Ethernet local broadcast. By definition this traffic should |
1851 | * not be forwarded.*/ | |
1852 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 50, | |
1853 | "eth.bcast", "drop;"); | |
1854 | ||
1855 | /* Drop IP multicast. */ | |
1856 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 50, | |
1857 | "ip4.mcast", "drop;"); | |
1858 | ||
1859 | /* TTL discard. | |
1860 | * | |
1861 | * XXX Need to send ICMP time exceeded if !ip.later_frag. */ | |
1862 | char *match = xasprintf("ip4 && ip.ttl == {0, 1}"); | |
1863 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 30, match, "drop;"); | |
1864 | free(match); | |
1865 | ||
1866 | /* Pass other traffic not already handled to the next table for | |
1867 | * routing. */ | |
1868 | ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_INPUT, 0, "1", "next;"); | |
78aab811 JP |
1869 | } |
1870 | ||
9975d7be BP |
1871 | HMAP_FOR_EACH (op, key_node, ports) { |
1872 | if (!op->nbr) { | |
1873 | continue; | |
1874 | } | |
1875 | ||
1876 | /* L3 admission control: drop packets that originate from an IP address | |
1877 | * owned by the router or a broadcast address known to the router | |
1878 | * (priority 100). */ | |
1879 | char *match = xasprintf("ip4.src == {"IP_FMT", "IP_FMT"}", | |
1880 | IP_ARGS(op->ip), IP_ARGS(op->bcast)); | |
1881 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 100, | |
1882 | match, "drop;"); | |
1883 | free(match); | |
1884 | ||
dd7652e6 JP |
1885 | /* ICMP echo reply. These flows reply to ICMP echo requests |
1886 | * received for the router's IP address. */ | |
1887 | match = xasprintf( | |
1888 | "inport == %s && (ip4.dst == "IP_FMT" || ip4.dst == "IP_FMT") && " | |
1889 | "icmp4.type == 8 && icmp4.code == 0", | |
1890 | op->json_key, IP_ARGS(op->ip), IP_ARGS(op->bcast)); | |
1891 | char *actions = xasprintf( | |
1892 | "ip4.dst = ip4.src; " | |
1893 | "ip4.src = "IP_FMT"; " | |
1894 | "ip.ttl = 255; " | |
1895 | "icmp4.type = 0; " | |
1896 | "inport = \"\"; /* Allow sending out inport. */ " | |
1897 | "next; ", | |
1898 | IP_ARGS(op->ip)); | |
1899 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
1900 | match, actions); | |
1901 | free(match); | |
1902 | free(actions); | |
1903 | ||
9975d7be BP |
1904 | /* ARP reply. These flows reply to ARP requests for the router's own |
1905 | * IP address. */ | |
1906 | match = xasprintf( | |
1907 | "inport == %s && arp.tpa == "IP_FMT" && arp.op == 1", | |
1908 | op->json_key, IP_ARGS(op->ip)); | |
dd7652e6 | 1909 | actions = xasprintf( |
9975d7be BP |
1910 | "eth.dst = eth.src; " |
1911 | "eth.src = "ETH_ADDR_FMT"; " | |
1912 | "arp.op = 2; /* ARP reply */ " | |
1913 | "arp.tha = arp.sha; " | |
1914 | "arp.sha = "ETH_ADDR_FMT"; " | |
1915 | "arp.tpa = arp.spa; " | |
1916 | "arp.spa = "IP_FMT"; " | |
1917 | "outport = %s; " | |
1918 | "inport = \"\"; /* Allow sending out inport. */ " | |
1919 | "output;", | |
1920 | ETH_ADDR_ARGS(op->mac), | |
1921 | ETH_ADDR_ARGS(op->mac), | |
1922 | IP_ARGS(op->ip), | |
1923 | op->json_key); | |
1924 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 90, | |
1925 | match, actions); | |
abcec848 JP |
1926 | free(match); |
1927 | free(actions); | |
9975d7be BP |
1928 | |
1929 | /* Drop IP traffic to this router. */ | |
1930 | match = xasprintf("ip4.dst == "IP_FMT, IP_ARGS(op->ip)); | |
1931 | ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60, | |
1932 | match, "drop;"); | |
1933 | free(match); | |
1934 | } | |
1935 | ||
1936 | /* Logical router ingress table 2: IP Routing. | |
1937 | * | |
1938 | * A packet that arrives at this table is an IP packet that should be | |
0bac7164 BP |
1939 | * routed to the address in ip4.dst. This table sets outport to the correct |
1940 | * output port, eth.src to the output port's MAC address, and reg0 to the | |
1941 | * next-hop IP address (leaving ip4.dst, the packet’s final destination, | |
1942 | * unchanged), and advances to the next table for ARP resolution. */ | |
9975d7be BP |
1943 | HMAP_FOR_EACH (op, key_node, ports) { |
1944 | if (!op->nbr) { | |
1945 | continue; | |
1946 | } | |
1947 | ||
0bac7164 | 1948 | add_route(lflows, op, op->network, op->mask, 0); |
9975d7be BP |
1949 | } |
1950 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
1951 | if (!od->nbr) { | |
1952 | continue; | |
1953 | } | |
1954 | ||
0bac7164 BP |
1955 | if (od->gateway && od->gateway_port) { |
1956 | add_route(lflows, od->gateway_port, 0, 0, od->gateway); | |
9975d7be BP |
1957 | } |
1958 | } | |
1959 | /* XXX destination unreachable */ | |
1960 | ||
1961 | /* Local router ingress table 3: ARP Resolution. | |
1962 | * | |
1963 | * Any packet that reaches this table is an IP packet whose next-hop IP | |
1964 | * address is in reg0. (ip4.dst is the final destination.) This table | |
1965 | * resolves the IP address in reg0 into an output port in outport and an | |
1966 | * Ethernet address in eth.dst. */ | |
1967 | HMAP_FOR_EACH (op, key_node, ports) { | |
1968 | if (op->nbr) { | |
509afdc3 GS |
1969 | /* This is a logical router port. If next-hop IP address in 'reg0' |
1970 | * matches ip address of this router port, then the packet is | |
1971 | * intended to eventually be sent to this logical port. Set the | |
1972 | * destination mac address using this port's mac address. | |
1973 | * | |
1974 | * The packet is still in peer's logical pipeline. So the match | |
1975 | * should be on peer's outport. */ | |
1976 | if (op->nbr->peer) { | |
1977 | struct ovn_port *peer = ovn_port_find(ports, op->nbr->peer); | |
1978 | if (!peer) { | |
1979 | continue; | |
1980 | } | |
1981 | ||
1982 | if (!peer->ip || !op->ip) { | |
1983 | continue; | |
1984 | } | |
1985 | char *match = xasprintf("outport == %s && reg0 == "IP_FMT, | |
1986 | peer->json_key, IP_ARGS(op->ip)); | |
1987 | char *actions = xasprintf("eth.dst = "ETH_ADDR_FMT"; " | |
1988 | "next;", ETH_ADDR_ARGS(op->mac)); | |
1989 | ovn_lflow_add(lflows, peer->od, S_ROUTER_IN_ARP_RESOLVE, | |
1990 | 100, match, actions); | |
1991 | free(actions); | |
1992 | free(match); | |
1993 | } | |
86e98048 | 1994 | } else if (op->od->n_router_ports) { |
9975d7be | 1995 | for (size_t i = 0; i < op->nbs->n_addresses; i++) { |
7dc88496 NS |
1996 | struct lport_addresses laddrs; |
1997 | if (!extract_lport_addresses(op->nbs->addresses[i], &laddrs, | |
1998 | false)) { | |
1999 | continue; | |
2000 | } | |
9975d7be | 2001 | |
7dc88496 NS |
2002 | for (size_t k = 0; k < laddrs.n_ipv4_addrs; k++) { |
2003 | ovs_be32 ip = laddrs.ipv4_addrs[k].addr; | |
86e98048 BP |
2004 | for (size_t j = 0; j < op->od->n_router_ports; j++) { |
2005 | /* Get the Logical_Router_Port that the Logical_Port is | |
2006 | * connected to, as 'peer'. */ | |
2007 | const char *peer_name = smap_get( | |
2008 | &op->od->router_ports[j]->nbs->options, | |
2009 | "router-port"); | |
2010 | if (!peer_name) { | |
2011 | continue; | |
2012 | } | |
2013 | ||
2014 | struct ovn_port *peer | |
2015 | = ovn_port_find(ports, peer_name); | |
2016 | if (!peer || !peer->nbr) { | |
2017 | continue; | |
2018 | } | |
2019 | ||
2020 | /* Make sure that 'ip' is in 'peer''s network. */ | |
2021 | if ((ip ^ peer->network) & peer->mask) { | |
2022 | continue; | |
2023 | } | |
2024 | ||
0bac7164 BP |
2025 | char *match = xasprintf( |
2026 | "outport == %s && reg0 == "IP_FMT, | |
2027 | peer->json_key, IP_ARGS(ip)); | |
2028 | char *actions = xasprintf("eth.dst = "ETH_ADDR_FMT"; " | |
2029 | "next;", | |
2030 | ETH_ADDR_ARGS(laddrs.ea)); | |
86e98048 | 2031 | ovn_lflow_add(lflows, peer->od, |
0bac7164 BP |
2032 | S_ROUTER_IN_ARP_RESOLVE, |
2033 | 100, match, actions); | |
86e98048 BP |
2034 | free(actions); |
2035 | free(match); | |
2036 | break; | |
2037 | } | |
9975d7be | 2038 | } |
7dc88496 NS |
2039 | |
2040 | free(laddrs.ipv4_addrs); | |
9975d7be BP |
2041 | } |
2042 | } | |
2043 | } | |
0bac7164 BP |
2044 | HMAP_FOR_EACH (od, key_node, datapaths) { |
2045 | if (!od->nbr) { | |
2046 | continue; | |
2047 | } | |
2048 | ||
2049 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_RESOLVE, 0, "1", | |
2050 | "get_arp(outport, reg0); next;"); | |
2051 | } | |
2052 | ||
2053 | /* Local router ingress table 4: ARP request. | |
2054 | * | |
2055 | * In the common case where the Ethernet destination has been resolved, | |
2056 | * this table outputs the packet (priority 100). Otherwise, it composes | |
2057 | * and sends an ARP request (priority 0). */ | |
2058 | HMAP_FOR_EACH (od, key_node, datapaths) { | |
2059 | if (!od->nbr) { | |
2060 | continue; | |
2061 | } | |
2062 | ||
2063 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_REQUEST, 100, | |
2064 | "eth.dst == 00:00:00:00:00:00", | |
2065 | "arp { " | |
2066 | "eth.dst = ff:ff:ff:ff:ff:ff; " | |
2067 | "arp.spa = reg1; " | |
2068 | "arp.op = 1; " /* ARP request */ | |
2069 | "output; " | |
2070 | "};"); | |
2071 | ovn_lflow_add(lflows, od, S_ROUTER_IN_ARP_REQUEST, 0, "1", "output;"); | |
2072 | } | |
9975d7be BP |
2073 | |
2074 | /* Logical router egress table 0: Delivery (priority 100). | |
2075 | * | |
2076 | * Priority 100 rules deliver packets to enabled logical ports. */ | |
2077 | HMAP_FOR_EACH (op, key_node, ports) { | |
2078 | if (!op->nbr) { | |
2079 | continue; | |
2080 | } | |
2081 | ||
2082 | if (!lrport_is_enabled(op->nbr)) { | |
2083 | /* Drop packets to disabled logical ports (since logical flow | |
2084 | * tables are default-drop). */ | |
2085 | continue; | |
2086 | } | |
2087 | ||
2088 | char *match = xasprintf("outport == %s", op->json_key); | |
2089 | ovn_lflow_add(lflows, op->od, S_ROUTER_OUT_DELIVERY, 100, | |
2090 | match, "output;"); | |
2091 | free(match); | |
2092 | } | |
2093 | } | |
2094 | ||
2095 | /* Updates the Logical_Flow and Multicast_Group tables in the OVN_SB database, | |
2096 | * constructing their contents based on the OVN_NB database. */ | |
2097 | static void | |
2098 | build_lflows(struct northd_context *ctx, struct hmap *datapaths, | |
2099 | struct hmap *ports) | |
2100 | { | |
2101 | struct hmap lflows = HMAP_INITIALIZER(&lflows); | |
2102 | struct hmap mcgroups = HMAP_INITIALIZER(&mcgroups); | |
2103 | ||
2104 | build_lswitch_flows(datapaths, ports, &lflows, &mcgroups); | |
2105 | build_lrouter_flows(datapaths, ports, &lflows); | |
2106 | ||
5868eb24 BP |
2107 | /* Push changes to the Logical_Flow table to database. */ |
2108 | const struct sbrec_logical_flow *sbflow, *next_sbflow; | |
2109 | SBREC_LOGICAL_FLOW_FOR_EACH_SAFE (sbflow, next_sbflow, ctx->ovnsb_idl) { | |
2110 | struct ovn_datapath *od | |
2111 | = ovn_datapath_from_sbrec(datapaths, sbflow->logical_datapath); | |
2112 | if (!od) { | |
2113 | sbrec_logical_flow_delete(sbflow); | |
2114 | continue; | |
eb00399e | 2115 | } |
eb00399e | 2116 | |
9975d7be | 2117 | enum ovn_datapath_type dp_type = od->nbs ? DP_SWITCH : DP_ROUTER; |
880fcd14 BP |
2118 | enum ovn_pipeline pipeline |
2119 | = !strcmp(sbflow->pipeline, "ingress") ? P_IN : P_OUT; | |
5868eb24 | 2120 | struct ovn_lflow *lflow = ovn_lflow_find( |
880fcd14 BP |
2121 | &lflows, od, ovn_stage_build(dp_type, pipeline, sbflow->table_id), |
2122 | sbflow->priority, sbflow->match, sbflow->actions); | |
5868eb24 BP |
2123 | if (lflow) { |
2124 | ovn_lflow_destroy(&lflows, lflow); | |
2125 | } else { | |
2126 | sbrec_logical_flow_delete(sbflow); | |
4edcdcf4 RB |
2127 | } |
2128 | } | |
5868eb24 BP |
2129 | struct ovn_lflow *lflow, *next_lflow; |
2130 | HMAP_FOR_EACH_SAFE (lflow, next_lflow, hmap_node, &lflows) { | |
880fcd14 BP |
2131 | enum ovn_pipeline pipeline = ovn_stage_get_pipeline(lflow->stage); |
2132 | uint8_t table = ovn_stage_get_table(lflow->stage); | |
2133 | ||
5868eb24 BP |
2134 | sbflow = sbrec_logical_flow_insert(ctx->ovnsb_txn); |
2135 | sbrec_logical_flow_set_logical_datapath(sbflow, lflow->od->sb); | |
9975d7be BP |
2136 | sbrec_logical_flow_set_pipeline( |
2137 | sbflow, pipeline == P_IN ? "ingress" : "egress"); | |
880fcd14 | 2138 | sbrec_logical_flow_set_table_id(sbflow, table); |
5868eb24 BP |
2139 | sbrec_logical_flow_set_priority(sbflow, lflow->priority); |
2140 | sbrec_logical_flow_set_match(sbflow, lflow->match); | |
2141 | sbrec_logical_flow_set_actions(sbflow, lflow->actions); | |
091e3af9 | 2142 | |
880fcd14 BP |
2143 | const struct smap ids = SMAP_CONST1(&ids, "stage-name", |
2144 | ovn_stage_to_str(lflow->stage)); | |
aaf881c6 | 2145 | sbrec_logical_flow_set_external_ids(sbflow, &ids); |
091e3af9 | 2146 | |
5868eb24 | 2147 | ovn_lflow_destroy(&lflows, lflow); |
eb00399e | 2148 | } |
5868eb24 BP |
2149 | hmap_destroy(&lflows); |
2150 | ||
2151 | /* Push changes to the Multicast_Group table to database. */ | |
2152 | const struct sbrec_multicast_group *sbmc, *next_sbmc; | |
2153 | SBREC_MULTICAST_GROUP_FOR_EACH_SAFE (sbmc, next_sbmc, ctx->ovnsb_idl) { | |
2154 | struct ovn_datapath *od = ovn_datapath_from_sbrec(datapaths, | |
2155 | sbmc->datapath); | |
2156 | if (!od) { | |
2157 | sbrec_multicast_group_delete(sbmc); | |
2158 | continue; | |
2159 | } | |
eb00399e | 2160 | |
5868eb24 BP |
2161 | struct multicast_group group = { .name = sbmc->name, |
2162 | .key = sbmc->tunnel_key }; | |
2163 | struct ovn_multicast *mc = ovn_multicast_find(&mcgroups, od, &group); | |
2164 | if (mc) { | |
2165 | ovn_multicast_update_sbrec(mc, sbmc); | |
2166 | ovn_multicast_destroy(&mcgroups, mc); | |
2167 | } else { | |
2168 | sbrec_multicast_group_delete(sbmc); | |
2169 | } | |
2170 | } | |
2171 | struct ovn_multicast *mc, *next_mc; | |
2172 | HMAP_FOR_EACH_SAFE (mc, next_mc, hmap_node, &mcgroups) { | |
2173 | sbmc = sbrec_multicast_group_insert(ctx->ovnsb_txn); | |
2174 | sbrec_multicast_group_set_datapath(sbmc, mc->datapath->sb); | |
2175 | sbrec_multicast_group_set_name(sbmc, mc->group->name); | |
2176 | sbrec_multicast_group_set_tunnel_key(sbmc, mc->group->key); | |
2177 | ovn_multicast_update_sbrec(mc, sbmc); | |
2178 | ovn_multicast_destroy(&mcgroups, mc); | |
4edcdcf4 | 2179 | } |
5868eb24 | 2180 | hmap_destroy(&mcgroups); |
4edcdcf4 | 2181 | } |
5868eb24 | 2182 | \f |
4edcdcf4 | 2183 | static void |
331e7aef | 2184 | ovnnb_db_run(struct northd_context *ctx) |
4edcdcf4 | 2185 | { |
331e7aef NS |
2186 | if (!ctx->ovnsb_txn) { |
2187 | return; | |
2188 | } | |
5868eb24 BP |
2189 | struct hmap datapaths, ports; |
2190 | build_datapaths(ctx, &datapaths); | |
2191 | build_ports(ctx, &datapaths, &ports); | |
2192 | build_lflows(ctx, &datapaths, &ports); | |
2193 | ||
2194 | struct ovn_datapath *dp, *next_dp; | |
2195 | HMAP_FOR_EACH_SAFE (dp, next_dp, key_node, &datapaths) { | |
2196 | ovn_datapath_destroy(&datapaths, dp); | |
2197 | } | |
2198 | hmap_destroy(&datapaths); | |
2199 | ||
2200 | struct ovn_port *port, *next_port; | |
2201 | HMAP_FOR_EACH_SAFE (port, next_port, key_node, &ports) { | |
2202 | ovn_port_destroy(&ports, port); | |
2203 | } | |
2204 | hmap_destroy(&ports); | |
ac0630a2 RB |
2205 | } |
2206 | ||
f93818dd RB |
2207 | /* |
2208 | * The only change we get notified about is if the 'chassis' column of the | |
dcda6e0d BP |
2209 | * 'Port_Binding' table changes. When this column is not empty, it means we |
2210 | * need to set the corresponding logical port as 'up' in the northbound DB. | |
f93818dd | 2211 | */ |
ac0630a2 | 2212 | static void |
331e7aef | 2213 | ovnsb_db_run(struct northd_context *ctx) |
ac0630a2 | 2214 | { |
331e7aef NS |
2215 | if (!ctx->ovnnb_txn) { |
2216 | return; | |
2217 | } | |
fc3113bc | 2218 | struct hmap lports_hmap; |
5868eb24 BP |
2219 | const struct sbrec_port_binding *sb; |
2220 | const struct nbrec_logical_port *nb; | |
fc3113bc RB |
2221 | |
2222 | struct lport_hash_node { | |
2223 | struct hmap_node node; | |
5868eb24 | 2224 | const struct nbrec_logical_port *nb; |
fc3113bc | 2225 | } *hash_node, *hash_node_next; |
f93818dd | 2226 | |
fc3113bc | 2227 | hmap_init(&lports_hmap); |
f93818dd | 2228 | |
5868eb24 | 2229 | NBREC_LOGICAL_PORT_FOR_EACH(nb, ctx->ovnnb_idl) { |
fc3113bc | 2230 | hash_node = xzalloc(sizeof *hash_node); |
5868eb24 BP |
2231 | hash_node->nb = nb; |
2232 | hmap_insert(&lports_hmap, &hash_node->node, hash_string(nb->name, 0)); | |
fc3113bc RB |
2233 | } |
2234 | ||
5868eb24 BP |
2235 | SBREC_PORT_BINDING_FOR_EACH(sb, ctx->ovnsb_idl) { |
2236 | nb = NULL; | |
fc3113bc | 2237 | HMAP_FOR_EACH_WITH_HASH(hash_node, node, |
5868eb24 BP |
2238 | hash_string(sb->logical_port, 0), |
2239 | &lports_hmap) { | |
2240 | if (!strcmp(sb->logical_port, hash_node->nb->name)) { | |
2241 | nb = hash_node->nb; | |
fc3113bc RB |
2242 | break; |
2243 | } | |
f93818dd RB |
2244 | } |
2245 | ||
5868eb24 | 2246 | if (!nb) { |
dcda6e0d | 2247 | /* The logical port doesn't exist for this port binding. This can |
2e2762d4 | 2248 | * happen under normal circumstances when ovn-northd hasn't gotten |
dcda6e0d | 2249 | * around to pruning the Port_Binding yet. */ |
f93818dd RB |
2250 | continue; |
2251 | } | |
2252 | ||
5868eb24 | 2253 | if (sb->chassis && (!nb->up || !*nb->up)) { |
f93818dd | 2254 | bool up = true; |
5868eb24 BP |
2255 | nbrec_logical_port_set_up(nb, &up, 1); |
2256 | } else if (!sb->chassis && (!nb->up || *nb->up)) { | |
f93818dd | 2257 | bool up = false; |
5868eb24 | 2258 | nbrec_logical_port_set_up(nb, &up, 1); |
f93818dd RB |
2259 | } |
2260 | } | |
fc3113bc RB |
2261 | |
2262 | HMAP_FOR_EACH_SAFE(hash_node, hash_node_next, node, &lports_hmap) { | |
2263 | hmap_remove(&lports_hmap, &hash_node->node); | |
2264 | free(hash_node); | |
2265 | } | |
2266 | hmap_destroy(&lports_hmap); | |
ac0630a2 RB |
2267 | } |
2268 | \f | |
45f98d4c | 2269 | |
60bdd011 | 2270 | static char *default_nb_db_; |
45f98d4c | 2271 | |
ac0630a2 | 2272 | static const char * |
60bdd011 | 2273 | default_nb_db(void) |
ac0630a2 | 2274 | { |
60bdd011 RM |
2275 | if (!default_nb_db_) { |
2276 | default_nb_db_ = xasprintf("unix:%s/ovnnb_db.sock", ovs_rundir()); | |
ac0630a2 | 2277 | } |
60bdd011 RM |
2278 | return default_nb_db_; |
2279 | } | |
2280 | ||
2281 | static char *default_sb_db_; | |
2282 | ||
2283 | static const char * | |
2284 | default_sb_db(void) | |
2285 | { | |
2286 | if (!default_sb_db_) { | |
2287 | default_sb_db_ = xasprintf("unix:%s/ovnsb_db.sock", ovs_rundir()); | |
2288 | } | |
2289 | return default_sb_db_; | |
ac0630a2 RB |
2290 | } |
2291 | ||
2292 | static void | |
2293 | parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) | |
2294 | { | |
2295 | enum { | |
67d9b930 | 2296 | DAEMON_OPTION_ENUMS, |
ac0630a2 RB |
2297 | VLOG_OPTION_ENUMS, |
2298 | }; | |
2299 | static const struct option long_options[] = { | |
ec78987f | 2300 | {"ovnsb-db", required_argument, NULL, 'd'}, |
ac0630a2 RB |
2301 | {"ovnnb-db", required_argument, NULL, 'D'}, |
2302 | {"help", no_argument, NULL, 'h'}, | |
2303 | {"options", no_argument, NULL, 'o'}, | |
2304 | {"version", no_argument, NULL, 'V'}, | |
67d9b930 | 2305 | DAEMON_LONG_OPTIONS, |
ac0630a2 RB |
2306 | VLOG_LONG_OPTIONS, |
2307 | STREAM_SSL_LONG_OPTIONS, | |
2308 | {NULL, 0, NULL, 0}, | |
2309 | }; | |
2310 | char *short_options = ovs_cmdl_long_options_to_short_options(long_options); | |
2311 | ||
2312 | for (;;) { | |
2313 | int c; | |
2314 | ||
2315 | c = getopt_long(argc, argv, short_options, long_options, NULL); | |
2316 | if (c == -1) { | |
2317 | break; | |
2318 | } | |
2319 | ||
2320 | switch (c) { | |
67d9b930 | 2321 | DAEMON_OPTION_HANDLERS; |
ac0630a2 RB |
2322 | VLOG_OPTION_HANDLERS; |
2323 | STREAM_SSL_OPTION_HANDLERS; | |
2324 | ||
2325 | case 'd': | |
ec78987f | 2326 | ovnsb_db = optarg; |
ac0630a2 RB |
2327 | break; |
2328 | ||
2329 | case 'D': | |
2330 | ovnnb_db = optarg; | |
2331 | break; | |
2332 | ||
2333 | case 'h': | |
2334 | usage(); | |
2335 | exit(EXIT_SUCCESS); | |
2336 | ||
2337 | case 'o': | |
2338 | ovs_cmdl_print_options(long_options); | |
2339 | exit(EXIT_SUCCESS); | |
2340 | ||
2341 | case 'V': | |
2342 | ovs_print_version(0, 0); | |
2343 | exit(EXIT_SUCCESS); | |
2344 | ||
2345 | default: | |
2346 | break; | |
2347 | } | |
2348 | } | |
2349 | ||
ec78987f | 2350 | if (!ovnsb_db) { |
60bdd011 | 2351 | ovnsb_db = default_sb_db(); |
ac0630a2 RB |
2352 | } |
2353 | ||
2354 | if (!ovnnb_db) { | |
60bdd011 | 2355 | ovnnb_db = default_nb_db(); |
ac0630a2 RB |
2356 | } |
2357 | ||
2358 | free(short_options); | |
2359 | } | |
2360 | ||
5868eb24 BP |
2361 | static void |
2362 | add_column_noalert(struct ovsdb_idl *idl, | |
2363 | const struct ovsdb_idl_column *column) | |
2364 | { | |
2365 | ovsdb_idl_add_column(idl, column); | |
2366 | ovsdb_idl_omit_alert(idl, column); | |
2367 | } | |
2368 | ||
ac0630a2 RB |
2369 | int |
2370 | main(int argc, char *argv[]) | |
2371 | { | |
ac0630a2 | 2372 | int res = EXIT_SUCCESS; |
7b303ff9 AW |
2373 | struct unixctl_server *unixctl; |
2374 | int retval; | |
2375 | bool exiting; | |
ac0630a2 RB |
2376 | |
2377 | fatal_ignore_sigpipe(); | |
2378 | set_program_name(argv[0]); | |
485f0696 | 2379 | service_start(&argc, &argv); |
ac0630a2 | 2380 | parse_options(argc, argv); |
67d9b930 | 2381 | |
e91b927d | 2382 | daemonize_start(false); |
7b303ff9 AW |
2383 | |
2384 | retval = unixctl_server_create(NULL, &unixctl); | |
2385 | if (retval) { | |
2386 | exit(EXIT_FAILURE); | |
2387 | } | |
2388 | unixctl_command_register("exit", "", 0, 0, ovn_northd_exit, &exiting); | |
2389 | ||
2390 | daemonize_complete(); | |
67d9b930 | 2391 | |
ac0630a2 | 2392 | nbrec_init(); |
ec78987f | 2393 | sbrec_init(); |
ac0630a2 RB |
2394 | |
2395 | /* We want to detect all changes to the ovn-nb db. */ | |
331e7aef NS |
2396 | struct ovsdb_idl_loop ovnnb_idl_loop = OVSDB_IDL_LOOP_INITIALIZER( |
2397 | ovsdb_idl_create(ovnnb_db, &nbrec_idl_class, true, true)); | |
2398 | ||
2399 | struct ovsdb_idl_loop ovnsb_idl_loop = OVSDB_IDL_LOOP_INITIALIZER( | |
2400 | ovsdb_idl_create(ovnsb_db, &sbrec_idl_class, false, true)); | |
2401 | ||
2402 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_logical_flow); | |
2403 | add_column_noalert(ovnsb_idl_loop.idl, | |
2404 | &sbrec_logical_flow_col_logical_datapath); | |
2405 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_pipeline); | |
2406 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_table_id); | |
2407 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_priority); | |
2408 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_match); | |
2409 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_logical_flow_col_actions); | |
2410 | ||
2411 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_multicast_group); | |
2412 | add_column_noalert(ovnsb_idl_loop.idl, | |
2413 | &sbrec_multicast_group_col_datapath); | |
2414 | add_column_noalert(ovnsb_idl_loop.idl, | |
2415 | &sbrec_multicast_group_col_tunnel_key); | |
2416 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_multicast_group_col_name); | |
2417 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_multicast_group_col_ports); | |
2418 | ||
2419 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_datapath_binding); | |
2420 | add_column_noalert(ovnsb_idl_loop.idl, | |
2421 | &sbrec_datapath_binding_col_tunnel_key); | |
2422 | add_column_noalert(ovnsb_idl_loop.idl, | |
2423 | &sbrec_datapath_binding_col_external_ids); | |
2424 | ||
2425 | ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_port_binding); | |
2426 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_datapath); | |
2427 | add_column_noalert(ovnsb_idl_loop.idl, | |
2428 | &sbrec_port_binding_col_logical_port); | |
2429 | add_column_noalert(ovnsb_idl_loop.idl, | |
2430 | &sbrec_port_binding_col_tunnel_key); | |
2431 | add_column_noalert(ovnsb_idl_loop.idl, | |
2432 | &sbrec_port_binding_col_parent_port); | |
2433 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_tag); | |
2434 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_type); | |
2435 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_options); | |
2436 | add_column_noalert(ovnsb_idl_loop.idl, &sbrec_port_binding_col_mac); | |
2437 | ovsdb_idl_add_column(ovnsb_idl_loop.idl, &sbrec_port_binding_col_chassis); | |
2438 | ||
2439 | /* Main loop. */ | |
7b303ff9 AW |
2440 | exiting = false; |
2441 | while (!exiting) { | |
331e7aef NS |
2442 | struct northd_context ctx = { |
2443 | .ovnnb_idl = ovnnb_idl_loop.idl, | |
2444 | .ovnnb_txn = ovsdb_idl_loop_run(&ovnnb_idl_loop), | |
2445 | .ovnsb_idl = ovnsb_idl_loop.idl, | |
2446 | .ovnsb_txn = ovsdb_idl_loop_run(&ovnsb_idl_loop), | |
2447 | }; | |
ac0630a2 | 2448 | |
8c0fae89 NS |
2449 | ovnnb_db_run(&ctx); |
2450 | ovnsb_db_run(&ctx); | |
f93818dd | 2451 | |
331e7aef NS |
2452 | unixctl_server_run(unixctl); |
2453 | unixctl_server_wait(unixctl); | |
2454 | if (exiting) { | |
2455 | poll_immediate_wake(); | |
ac0630a2 | 2456 | } |
331e7aef NS |
2457 | ovsdb_idl_loop_commit_and_wait(&ovnnb_idl_loop); |
2458 | ovsdb_idl_loop_commit_and_wait(&ovnsb_idl_loop); | |
ac0630a2 | 2459 | |
331e7aef | 2460 | poll_block(); |
485f0696 GS |
2461 | if (should_service_stop()) { |
2462 | exiting = true; | |
2463 | } | |
ac0630a2 RB |
2464 | } |
2465 | ||
7b303ff9 | 2466 | unixctl_server_destroy(unixctl); |
331e7aef NS |
2467 | ovsdb_idl_loop_destroy(&ovnnb_idl_loop); |
2468 | ovsdb_idl_loop_destroy(&ovnsb_idl_loop); | |
485f0696 | 2469 | service_stop(); |
ac0630a2 | 2470 | |
60bdd011 RM |
2471 | free(default_nb_db_); |
2472 | free(default_sb_db_); | |
ac0630a2 RB |
2473 | exit(res); |
2474 | } | |
7b303ff9 AW |
2475 | |
2476 | static void | |
2477 | ovn_northd_exit(struct unixctl_conn *conn, int argc OVS_UNUSED, | |
2478 | const char *argv[] OVS_UNUSED, void *exiting_) | |
2479 | { | |
2480 | bool *exiting = exiting_; | |
2481 | *exiting = true; | |
2482 | ||
2483 | unixctl_command_reply(conn, NULL); | |
2484 | } |