2 * Copyright (c) 2015, 2016 Nicira, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 #include "conntrack.h"
21 #include <sys/types.h>
22 #include <netinet/in.h>
23 #include <netinet/icmp6.h>
26 #include "conntrack-private.h"
30 #include "dp-packet.h"
33 #include "odp-netlink.h"
34 #include "openvswitch/hmap.h"
35 #include "openvswitch/vlog.h"
37 #include "ovs-thread.h"
38 #include "poll-loop.h"
43 VLOG_DEFINE_THIS_MODULE(conntrack
);
45 COVERAGE_DEFINE(conntrack_full
);
46 COVERAGE_DEFINE(conntrack_long_cleanup
);
48 struct conn_lookup_ctx
{
56 static bool conn_key_extract(struct conntrack
*, struct dp_packet
*,
57 ovs_be16 dl_type
, struct conn_lookup_ctx
*,
59 static uint32_t conn_key_hash(const struct conn_key
*, uint32_t basis
);
60 static void conn_key_reverse(struct conn_key
*);
61 static void conn_key_lookup(struct conntrack_bucket
*ctb
,
62 struct conn_lookup_ctx
*ctx
,
64 static bool valid_new(struct dp_packet
*pkt
, struct conn_key
*);
65 static struct conn
*new_conn(struct conntrack_bucket
*, struct dp_packet
*pkt
,
66 struct conn_key
*, long long now
);
67 static void delete_conn(struct conn
*);
68 static enum ct_update_res
conn_update(struct conn
*,
69 struct conntrack_bucket
*ctb
,
70 struct dp_packet
*, bool reply
,
72 static bool conn_expired(struct conn
*, long long now
);
73 static void set_mark(struct dp_packet
*, struct conn
*,
74 uint32_t val
, uint32_t mask
);
75 static void set_label(struct dp_packet
*, struct conn
*,
76 const struct ovs_key_ct_labels
*val
,
77 const struct ovs_key_ct_labels
*mask
);
78 static void *clean_thread_main(void *f_
);
80 static struct nat_conn_key_node
*
81 nat_conn_keys_lookup(struct hmap
*nat_conn_keys
,
82 const struct conn_key
*key
,
86 nat_conn_keys_remove(struct hmap
*nat_conn_keys
,
87 const struct conn_key
*key
,
91 nat_select_range_tuple(struct conntrack
*ct
, const struct conn
*conn
,
92 struct conn
*nat_conn
);
95 reverse_icmp_type(uint8_t type
);
97 reverse_icmp6_type(uint8_t type
);
99 extract_l3_ipv4(struct conn_key
*key
, const void *data
, size_t size
,
100 const char **new_data
, bool validate_checksum
);
102 extract_l3_ipv6(struct conn_key
*key
, const void *data
, size_t size
,
103 const char **new_data
);
105 static struct ct_l4_proto
*l4_protos
[] = {
106 [IPPROTO_TCP
] = &ct_proto_tcp
,
107 [IPPROTO_UDP
] = &ct_proto_other
,
108 [IPPROTO_ICMP
] = &ct_proto_icmp4
,
109 [IPPROTO_ICMPV6
] = &ct_proto_icmp6
,
112 long long ct_timeout_val
[] = {
113 #define CT_TIMEOUT(NAME, VAL) [CT_TM_##NAME] = VAL,
118 /* If the total number of connections goes above this value, no new connections
119 * are accepted; this is for CT_CONN_TYPE_DEFAULT connections. */
120 #define DEFAULT_N_CONN_LIMIT 3000000
122 /* Initializes the connection tracker 'ct'. The caller is responsible for
123 * calling 'conntrack_destroy()', when the instance is not needed anymore */
125 conntrack_init(struct conntrack
*ct
)
128 long long now
= time_msec();
130 ct_rwlock_init(&ct
->resources_lock
);
131 ct_rwlock_wrlock(&ct
->resources_lock
);
132 hmap_init(&ct
->nat_conn_keys
);
133 ct_rwlock_unlock(&ct
->resources_lock
);
135 for (i
= 0; i
< CONNTRACK_BUCKETS
; i
++) {
136 struct conntrack_bucket
*ctb
= &ct
->buckets
[i
];
138 ct_lock_init(&ctb
->lock
);
139 ct_lock_lock(&ctb
->lock
);
140 hmap_init(&ctb
->connections
);
141 for (j
= 0; j
< ARRAY_SIZE(ctb
->exp_lists
); j
++) {
142 ovs_list_init(&ctb
->exp_lists
[j
]);
144 ct_lock_unlock(&ctb
->lock
);
145 ovs_mutex_init(&ctb
->cleanup_mutex
);
146 ovs_mutex_lock(&ctb
->cleanup_mutex
);
147 ctb
->next_cleanup
= now
+ CT_TM_MIN
;
148 ovs_mutex_unlock(&ctb
->cleanup_mutex
);
150 ct
->hash_basis
= random_uint32();
151 atomic_count_init(&ct
->n_conn
, 0);
152 atomic_init(&ct
->n_conn_limit
, DEFAULT_N_CONN_LIMIT
);
153 latch_init(&ct
->clean_thread_exit
);
154 ct
->clean_thread
= ovs_thread_create("ct_clean", clean_thread_main
, ct
);
157 /* Destroys the connection tracker 'ct' and frees all the allocated memory. */
159 conntrack_destroy(struct conntrack
*ct
)
163 latch_set(&ct
->clean_thread_exit
);
164 pthread_join(ct
->clean_thread
, NULL
);
165 latch_destroy(&ct
->clean_thread_exit
);
166 for (i
= 0; i
< CONNTRACK_BUCKETS
; i
++) {
167 struct conntrack_bucket
*ctb
= &ct
->buckets
[i
];
170 ovs_mutex_destroy(&ctb
->cleanup_mutex
);
171 ct_lock_lock(&ctb
->lock
);
172 HMAP_FOR_EACH_POP(conn
, node
, &ctb
->connections
) {
173 if (conn
->conn_type
== CT_CONN_TYPE_DEFAULT
) {
174 atomic_count_dec(&ct
->n_conn
);
178 hmap_destroy(&ctb
->connections
);
179 ct_lock_unlock(&ctb
->lock
);
180 ct_lock_destroy(&ctb
->lock
);
182 ct_rwlock_wrlock(&ct
->resources_lock
);
183 struct nat_conn_key_node
*nat_conn_key_node
;
184 HMAP_FOR_EACH_POP (nat_conn_key_node
, node
, &ct
->nat_conn_keys
) {
185 free(nat_conn_key_node
);
187 hmap_destroy(&ct
->nat_conn_keys
);
188 ct_rwlock_unlock(&ct
->resources_lock
);
189 ct_rwlock_destroy(&ct
->resources_lock
);
192 static unsigned hash_to_bucket(uint32_t hash
)
194 /* Extracts the most significant bits in hash. The least significant bits
195 * are already used internally by the hmap implementation. */
196 BUILD_ASSERT(CONNTRACK_BUCKETS_SHIFT
< 32 && CONNTRACK_BUCKETS_SHIFT
>= 1);
198 return (hash
>> (32 - CONNTRACK_BUCKETS_SHIFT
)) % CONNTRACK_BUCKETS
;
202 write_ct_md(struct dp_packet
*pkt
, uint16_t zone
, const struct conn
*conn
,
203 const struct conn_key
*key
)
205 pkt
->md
.ct_state
|= CS_TRACKED
;
206 pkt
->md
.ct_zone
= zone
;
207 pkt
->md
.ct_mark
= conn
? conn
->mark
: 0;
208 pkt
->md
.ct_label
= conn
? conn
->label
: OVS_U128_ZERO
;
210 /* Use the original direction tuple if we have it. */
214 pkt
->md
.ct_orig_tuple_ipv6
= false;
216 if (key
->dl_type
== htons(ETH_TYPE_IP
)) {
217 pkt
->md
.ct_orig_tuple
.ipv4
= (struct ovs_key_ct_tuple_ipv4
) {
218 key
->src
.addr
.ipv4_aligned
,
219 key
->dst
.addr
.ipv4_aligned
,
220 key
->nw_proto
!= IPPROTO_ICMP
221 ? key
->src
.port
: htons(key
->src
.icmp_type
),
222 key
->nw_proto
!= IPPROTO_ICMP
223 ? key
->dst
.port
: htons(key
->src
.icmp_code
),
227 pkt
->md
.ct_orig_tuple_ipv6
= true;
228 pkt
->md
.ct_orig_tuple
.ipv6
= (struct ovs_key_ct_tuple_ipv6
) {
229 key
->src
.addr
.ipv6_aligned
,
230 key
->dst
.addr
.ipv6_aligned
,
231 key
->nw_proto
!= IPPROTO_ICMPV6
232 ? key
->src
.port
: htons(key
->src
.icmp_type
),
233 key
->nw_proto
!= IPPROTO_ICMPV6
234 ? key
->dst
.port
: htons(key
->src
.icmp_code
),
239 memset(&pkt
->md
.ct_orig_tuple
, 0, sizeof pkt
->md
.ct_orig_tuple
);
245 pat_packet(struct dp_packet
*pkt
, const struct conn
*conn
)
247 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
248 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
249 struct tcp_header
*th
= dp_packet_l4(pkt
);
250 packet_set_tcp_port(pkt
, conn
->rev_key
.dst
.port
, th
->tcp_dst
);
251 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
252 struct udp_header
*uh
= dp_packet_l4(pkt
);
253 packet_set_udp_port(pkt
, conn
->rev_key
.dst
.port
, uh
->udp_dst
);
255 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
256 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
257 struct tcp_header
*th
= dp_packet_l4(pkt
);
258 packet_set_tcp_port(pkt
, th
->tcp_src
, conn
->rev_key
.src
.port
);
259 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
260 struct udp_header
*uh
= dp_packet_l4(pkt
);
261 packet_set_udp_port(pkt
, uh
->udp_src
, conn
->rev_key
.src
.port
);
267 nat_packet(struct dp_packet
*pkt
, const struct conn
*conn
, bool related
)
269 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
270 pkt
->md
.ct_state
|= CS_SRC_NAT
;
271 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
272 struct ip_header
*nh
= dp_packet_l3(pkt
);
273 packet_set_ipv4_addr(pkt
, &nh
->ip_src
,
274 conn
->rev_key
.dst
.addr
.ipv4_aligned
);
276 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
277 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
279 &conn
->rev_key
.dst
.addr
.ipv6_aligned
,
283 pat_packet(pkt
, conn
);
285 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
286 pkt
->md
.ct_state
|= CS_DST_NAT
;
287 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
288 struct ip_header
*nh
= dp_packet_l3(pkt
);
289 packet_set_ipv4_addr(pkt
, &nh
->ip_dst
,
290 conn
->rev_key
.src
.addr
.ipv4_aligned
);
292 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
293 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
295 &conn
->rev_key
.src
.addr
.ipv6_aligned
,
299 pat_packet(pkt
, conn
);
305 un_pat_packet(struct dp_packet
*pkt
, const struct conn
*conn
)
307 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
308 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
309 struct tcp_header
*th
= dp_packet_l4(pkt
);
310 packet_set_tcp_port(pkt
, th
->tcp_src
, conn
->key
.src
.port
);
311 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
312 struct udp_header
*uh
= dp_packet_l4(pkt
);
313 packet_set_udp_port(pkt
, uh
->udp_src
, conn
->key
.src
.port
);
315 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
316 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
317 struct tcp_header
*th
= dp_packet_l4(pkt
);
318 packet_set_tcp_port(pkt
, conn
->key
.dst
.port
, th
->tcp_dst
);
319 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
320 struct udp_header
*uh
= dp_packet_l4(pkt
);
321 packet_set_udp_port(pkt
, conn
->key
.dst
.port
, uh
->udp_dst
);
327 reverse_pat_packet(struct dp_packet
*pkt
, const struct conn
*conn
)
329 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
330 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
331 struct tcp_header
*th_in
= dp_packet_l4(pkt
);
332 packet_set_tcp_port(pkt
, conn
->key
.src
.port
,
334 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
335 struct udp_header
*uh_in
= dp_packet_l4(pkt
);
336 packet_set_udp_port(pkt
, conn
->key
.src
.port
,
339 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
340 if (conn
->key
.nw_proto
== IPPROTO_TCP
) {
341 struct tcp_header
*th_in
= dp_packet_l4(pkt
);
342 packet_set_tcp_port(pkt
, th_in
->tcp_src
,
344 } else if (conn
->key
.nw_proto
== IPPROTO_UDP
) {
345 struct udp_header
*uh_in
= dp_packet_l4(pkt
);
346 packet_set_udp_port(pkt
, uh_in
->udp_src
,
353 reverse_nat_packet(struct dp_packet
*pkt
, const struct conn
*conn
)
355 char *tail
= dp_packet_tail(pkt
);
356 char pad
= dp_packet_l2_pad_size(pkt
);
357 struct conn_key inner_key
;
358 const char *inner_l4
= NULL
;
359 uint16_t orig_l3_ofs
= pkt
->l3_ofs
;
360 uint16_t orig_l4_ofs
= pkt
->l4_ofs
;
362 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
363 struct ip_header
*nh
= dp_packet_l3(pkt
);
364 struct icmp_header
*icmp
= dp_packet_l4(pkt
);
365 struct ip_header
*inner_l3
= (struct ip_header
*) (icmp
+ 1);
366 extract_l3_ipv4(&inner_key
, inner_l3
, tail
- ((char *)inner_l3
)
367 -pad
, &inner_l4
, false);
369 pkt
->l3_ofs
+= (char *) inner_l3
- (char *) nh
;
370 pkt
->l4_ofs
+= inner_l4
- (char *) icmp
;
372 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
373 packet_set_ipv4_addr(pkt
, &inner_l3
->ip_src
,
374 conn
->key
.src
.addr
.ipv4_aligned
);
375 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
376 packet_set_ipv4_addr(pkt
, &inner_l3
->ip_dst
,
377 conn
->key
.dst
.addr
.ipv4_aligned
);
379 reverse_pat_packet(pkt
, conn
);
381 icmp
->icmp_csum
= csum(icmp
, tail
- (char *) icmp
- pad
);
383 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
384 struct icmp6_error_header
*icmp6
= dp_packet_l4(pkt
);
385 struct ovs_16aligned_ip6_hdr
*inner_l3_6
=
386 (struct ovs_16aligned_ip6_hdr
*) (icmp6
+ 1);
387 extract_l3_ipv6(&inner_key
, inner_l3_6
,
388 tail
- ((char *)inner_l3_6
) - pad
,
390 pkt
->l3_ofs
+= (char *) inner_l3_6
- (char *) nh6
;
391 pkt
->l4_ofs
+= inner_l4
- (char *) icmp6
;
393 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
394 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
395 inner_l3_6
->ip6_src
.be32
,
396 &conn
->key
.src
.addr
.ipv6_aligned
,
398 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
399 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
400 inner_l3_6
->ip6_dst
.be32
,
401 &conn
->key
.dst
.addr
.ipv6_aligned
,
404 reverse_pat_packet(pkt
, conn
);
405 uint32_t icmp6_csum
= packet_csum_pseudoheader6(nh6
);
406 icmp6
->icmp6_base
.icmp6_cksum
= 0;
407 icmp6
->icmp6_base
.icmp6_cksum
= csum_finish(
408 csum_continue(icmp6_csum
, icmp6
, tail
- (char *) icmp6
- pad
));
410 pkt
->l3_ofs
= orig_l3_ofs
;
411 pkt
->l4_ofs
= orig_l4_ofs
;
415 un_nat_packet(struct dp_packet
*pkt
, const struct conn
*conn
,
418 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
419 pkt
->md
.ct_state
|= CS_DST_NAT
;
420 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
421 struct ip_header
*nh
= dp_packet_l3(pkt
);
422 packet_set_ipv4_addr(pkt
, &nh
->ip_dst
,
423 conn
->key
.src
.addr
.ipv4_aligned
);
425 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
426 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
428 &conn
->key
.src
.addr
.ipv6_aligned
, true);
431 if (OVS_UNLIKELY(related
)) {
432 reverse_nat_packet(pkt
, conn
);
434 un_pat_packet(pkt
, conn
);
436 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_DST
) {
437 pkt
->md
.ct_state
|= CS_SRC_NAT
;
438 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
439 struct ip_header
*nh
= dp_packet_l3(pkt
);
440 packet_set_ipv4_addr(pkt
, &nh
->ip_src
,
441 conn
->key
.dst
.addr
.ipv4_aligned
);
443 struct ovs_16aligned_ip6_hdr
*nh6
= dp_packet_l3(pkt
);
444 packet_set_ipv6_addr(pkt
, conn
->key
.nw_proto
,
446 &conn
->key
.dst
.addr
.ipv6_aligned
, true);
449 if (OVS_UNLIKELY(related
)) {
450 reverse_nat_packet(pkt
, conn
);
452 un_pat_packet(pkt
, conn
);
457 /* Typical usage of this helper is in non per-packet code;
458 * this is because the bucket lock needs to be held for lookup
459 * and a hash would have already been needed. Hence, this function
460 * is just intended for code clarity. */
462 conn_lookup(struct conntrack
*ct
, struct conn_key
*key
, long long now
)
464 struct conn_lookup_ctx ctx
;
467 ctx
.hash
= conn_key_hash(key
, ct
->hash_basis
);
468 unsigned bucket
= hash_to_bucket(ctx
.hash
);
469 conn_key_lookup(&ct
->buckets
[bucket
], &ctx
, now
);
474 nat_clean(struct conntrack
*ct
, struct conn
*conn
,
475 struct conntrack_bucket
*ctb
)
476 OVS_REQUIRES(ctb
->lock
)
478 long long now
= time_msec();
479 ct_rwlock_wrlock(&ct
->resources_lock
);
480 nat_conn_keys_remove(&ct
->nat_conn_keys
, &conn
->rev_key
, ct
->hash_basis
);
481 ct_rwlock_unlock(&ct
->resources_lock
);
482 ct_lock_unlock(&ctb
->lock
);
484 uint32_t hash_rev_conn
= conn_key_hash(&conn
->rev_key
, ct
->hash_basis
);
485 unsigned bucket_rev_conn
= hash_to_bucket(hash_rev_conn
);
487 ct_lock_lock(&ct
->buckets
[bucket_rev_conn
].lock
);
488 ct_rwlock_wrlock(&ct
->resources_lock
);
490 struct conn
*rev_conn
= conn_lookup(ct
, &conn
->rev_key
, now
);
492 struct nat_conn_key_node
*nat_conn_key_node
=
493 nat_conn_keys_lookup(&ct
->nat_conn_keys
, &conn
->rev_key
,
496 /* In the unlikely event, rev conn was recreated, then skip
497 * rev_conn cleanup. */
498 if (rev_conn
&& (!nat_conn_key_node
||
499 memcmp(&nat_conn_key_node
->value
, &rev_conn
->rev_key
,
500 sizeof nat_conn_key_node
->value
))) {
501 hmap_remove(&ct
->buckets
[bucket_rev_conn
].connections
,
507 ct_rwlock_unlock(&ct
->resources_lock
);
508 ct_lock_unlock(&ct
->buckets
[bucket_rev_conn
].lock
);
509 ct_lock_lock(&ctb
->lock
);
513 conn_clean(struct conntrack
*ct
, struct conn
*conn
,
514 struct conntrack_bucket
*ctb
)
515 OVS_REQUIRES(ctb
->lock
)
517 ovs_list_remove(&conn
->exp_node
);
518 hmap_remove(&ctb
->connections
, &conn
->node
);
519 atomic_count_dec(&ct
->n_conn
);
520 if (conn
->nat_info
) {
521 nat_clean(ct
, conn
, ctb
);
527 /* This function is called with the bucket lock held. */
529 conn_not_found(struct conntrack
*ct
, struct dp_packet
*pkt
,
530 struct conn_lookup_ctx
*ctx
, bool commit
, long long now
,
531 const struct nat_action_info_t
*nat_action_info
,
532 struct conn
*conn_for_un_nat_copy
)
534 unsigned bucket
= hash_to_bucket(ctx
->hash
);
535 struct conn
*nc
= NULL
;
537 if (!valid_new(pkt
, &ctx
->key
)) {
538 pkt
->md
.ct_state
= CS_INVALID
;
541 pkt
->md
.ct_state
= CS_NEW
;
544 unsigned int n_conn_limit
;
546 atomic_read_relaxed(&ct
->n_conn_limit
, &n_conn_limit
);
548 if (atomic_count_get(&ct
->n_conn
) >= n_conn_limit
) {
549 COVERAGE_INC(conntrack_full
);
553 nc
= new_conn(&ct
->buckets
[bucket
], pkt
, &ctx
->key
, now
);
555 nc
->rev_key
= nc
->key
;
556 conn_key_reverse(&nc
->rev_key
);
558 if (nat_action_info
) {
559 nc
->nat_info
= xmemdup(nat_action_info
, sizeof *nc
->nat_info
);
560 ct_rwlock_wrlock(&ct
->resources_lock
);
562 bool nat_res
= nat_select_range_tuple(ct
, nc
,
563 conn_for_un_nat_copy
);
569 ct_rwlock_unlock(&ct
->resources_lock
);
573 if (conn_for_un_nat_copy
&&
574 nc
->conn_type
== CT_CONN_TYPE_DEFAULT
) {
575 *nc
= *conn_for_un_nat_copy
;
576 conn_for_un_nat_copy
->conn_type
= CT_CONN_TYPE_UN_NAT
;
577 conn_for_un_nat_copy
->nat_info
= NULL
;
579 ct_rwlock_unlock(&ct
->resources_lock
);
581 nat_packet(pkt
, nc
, ctx
->icmp_related
);
583 hmap_insert(&ct
->buckets
[bucket
].connections
, &nc
->node
, ctx
->hash
);
584 atomic_count_inc(&ct
->n_conn
);
590 conn_update_state(struct conntrack
*ct
, struct dp_packet
*pkt
,
591 struct conn_lookup_ctx
*ctx
, struct conn
**conn
,
592 long long now
, unsigned bucket
)
593 OVS_REQUIRES(ct
->buckets
[bucket
].lock
)
595 bool create_new_conn
= false;
597 if (ctx
->icmp_related
) {
598 pkt
->md
.ct_state
|= CS_RELATED
;
600 pkt
->md
.ct_state
|= CS_REPLY_DIR
;
603 enum ct_update_res res
= conn_update(*conn
, &ct
->buckets
[bucket
],
604 pkt
, ctx
->reply
, now
);
607 case CT_UPDATE_VALID
:
608 pkt
->md
.ct_state
|= CS_ESTABLISHED
;
609 pkt
->md
.ct_state
&= ~CS_NEW
;
611 pkt
->md
.ct_state
|= CS_REPLY_DIR
;
614 case CT_UPDATE_INVALID
:
615 pkt
->md
.ct_state
= CS_INVALID
;
618 conn_clean(ct
, *conn
, &ct
->buckets
[bucket
]);
619 create_new_conn
= true;
625 return create_new_conn
;
629 create_un_nat_conn(struct conntrack
*ct
, struct conn
*conn_for_un_nat_copy
,
632 struct conn
*nc
= xmemdup(conn_for_un_nat_copy
, sizeof *nc
);
633 nc
->key
= conn_for_un_nat_copy
->rev_key
;
634 nc
->rev_key
= conn_for_un_nat_copy
->key
;
635 uint32_t un_nat_hash
= conn_key_hash(&nc
->key
, ct
->hash_basis
);
636 unsigned un_nat_conn_bucket
= hash_to_bucket(un_nat_hash
);
637 ct_lock_lock(&ct
->buckets
[un_nat_conn_bucket
].lock
);
638 ct_rwlock_rdlock(&ct
->resources_lock
);
640 struct conn
*rev_conn
= conn_lookup(ct
, &nc
->key
, now
);
642 struct nat_conn_key_node
*nat_conn_key_node
=
643 nat_conn_keys_lookup(&ct
->nat_conn_keys
, &nc
->key
, ct
->hash_basis
);
644 if (nat_conn_key_node
645 && !memcmp(&nat_conn_key_node
->value
, &nc
->rev_key
,
646 sizeof nat_conn_key_node
->value
)
648 hmap_insert(&ct
->buckets
[un_nat_conn_bucket
].connections
,
649 &nc
->node
, un_nat_hash
);
653 ct_rwlock_unlock(&ct
->resources_lock
);
654 ct_lock_unlock(&ct
->buckets
[un_nat_conn_bucket
].lock
);
658 handle_nat(struct dp_packet
*pkt
, struct conn
*conn
,
659 uint16_t zone
, bool reply
, bool related
)
661 if (conn
->nat_info
&&
662 (!(pkt
->md
.ct_state
& (CS_SRC_NAT
| CS_DST_NAT
)) ||
663 (pkt
->md
.ct_state
& (CS_SRC_NAT
| CS_DST_NAT
) &&
664 zone
!= pkt
->md
.ct_zone
))) {
665 if (pkt
->md
.ct_state
& (CS_SRC_NAT
| CS_DST_NAT
)) {
666 pkt
->md
.ct_state
&= ~(CS_SRC_NAT
| CS_DST_NAT
);
669 un_nat_packet(pkt
, conn
, related
);
671 nat_packet(pkt
, conn
, related
);
677 check_orig_tuple(struct conntrack
*ct
, struct dp_packet
*pkt
,
678 struct conn_lookup_ctx
*ctx_in
, long long now
,
679 unsigned *bucket
, struct conn
**conn
,
680 const struct nat_action_info_t
*nat_action_info
)
681 OVS_REQUIRES(ct
->buckets
[*bucket
].lock
)
683 if ((ctx_in
->key
.dl_type
== htons(ETH_TYPE_IP
) &&
684 !pkt
->md
.ct_orig_tuple
.ipv4
.ipv4_proto
) ||
685 (ctx_in
->key
.dl_type
== htons(ETH_TYPE_IPV6
) &&
686 !pkt
->md
.ct_orig_tuple
.ipv6
.ipv6_proto
) ||
687 !(pkt
->md
.ct_state
& (CS_SRC_NAT
| CS_DST_NAT
)) ||
692 ct_lock_unlock(&ct
->buckets
[*bucket
].lock
);
693 struct conn_lookup_ctx ctx
;
694 memset(&ctx
, 0 , sizeof ctx
);
697 if (ctx_in
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
698 ctx
.key
.src
.addr
.ipv4_aligned
= pkt
->md
.ct_orig_tuple
.ipv4
.ipv4_src
;
699 ctx
.key
.dst
.addr
.ipv4_aligned
= pkt
->md
.ct_orig_tuple
.ipv4
.ipv4_dst
;
701 if (ctx_in
->key
.nw_proto
== IPPROTO_ICMP
) {
702 ctx
.key
.src
.icmp_id
= ctx_in
->key
.src
.icmp_id
;
703 ctx
.key
.dst
.icmp_id
= ctx_in
->key
.dst
.icmp_id
;
704 uint16_t src_port
= ntohs(pkt
->md
.ct_orig_tuple
.ipv4
.src_port
);
705 ctx
.key
.src
.icmp_type
= (uint8_t) src_port
;
706 ctx
.key
.dst
.icmp_type
= reverse_icmp_type(ctx
.key
.src
.icmp_type
);
708 ctx
.key
.src
.port
= pkt
->md
.ct_orig_tuple
.ipv4
.src_port
;
709 ctx
.key
.dst
.port
= pkt
->md
.ct_orig_tuple
.ipv4
.dst_port
;
711 ctx
.key
.nw_proto
= pkt
->md
.ct_orig_tuple
.ipv4
.ipv4_proto
;
713 ctx
.key
.src
.addr
.ipv6_aligned
= pkt
->md
.ct_orig_tuple
.ipv6
.ipv6_src
;
714 ctx
.key
.dst
.addr
.ipv6_aligned
= pkt
->md
.ct_orig_tuple
.ipv6
.ipv6_dst
;
716 if (ctx_in
->key
.nw_proto
== IPPROTO_ICMPV6
) {
717 ctx
.key
.src
.icmp_id
= ctx_in
->key
.src
.icmp_id
;
718 ctx
.key
.dst
.icmp_id
= ctx_in
->key
.dst
.icmp_id
;
719 uint16_t src_port
= ntohs(pkt
->md
.ct_orig_tuple
.ipv6
.src_port
);
720 ctx
.key
.src
.icmp_type
= (uint8_t) src_port
;
721 ctx
.key
.dst
.icmp_type
= reverse_icmp6_type(ctx
.key
.src
.icmp_type
);
723 ctx
.key
.src
.port
= pkt
->md
.ct_orig_tuple
.ipv6
.src_port
;
724 ctx
.key
.dst
.port
= pkt
->md
.ct_orig_tuple
.ipv6
.dst_port
;
726 ctx
.key
.nw_proto
= pkt
->md
.ct_orig_tuple
.ipv6
.ipv6_proto
;
729 ctx
.key
.dl_type
= ctx_in
->key
.dl_type
;
730 ctx
.key
.zone
= pkt
->md
.ct_zone
;
732 ctx
.hash
= conn_key_hash(&ctx
.key
, ct
->hash_basis
);
733 *bucket
= hash_to_bucket(ctx
.hash
);
734 ct_lock_lock(&ct
->buckets
[*bucket
].lock
);
735 conn_key_lookup(&ct
->buckets
[*bucket
], &ctx
, now
);
738 return *conn
? true : false;
742 process_one(struct conntrack
*ct
, struct dp_packet
*pkt
,
743 struct conn_lookup_ctx
*ctx
, uint16_t zone
,
744 bool force
, bool commit
, long long now
, const uint32_t *setmark
,
745 const struct ovs_key_ct_labels
*setlabel
,
746 const struct nat_action_info_t
*nat_action_info
)
749 unsigned bucket
= hash_to_bucket(ctx
->hash
);
750 ct_lock_lock(&ct
->buckets
[bucket
].lock
);
751 conn_key_lookup(&ct
->buckets
[bucket
], ctx
, now
);
754 /* Delete found entry if in wrong direction. 'force' implies commit. */
755 if (conn
&& force
&& ctx
->reply
) {
756 conn_clean(ct
, conn
, &ct
->buckets
[bucket
]);
760 if (OVS_LIKELY(conn
)) {
761 if (conn
->conn_type
== CT_CONN_TYPE_UN_NAT
) {
765 struct conn_lookup_ctx ctx2
;
767 ctx2
.key
= conn
->rev_key
;
768 ctx2
.hash
= conn_key_hash(&conn
->rev_key
, ct
->hash_basis
);
770 ct_lock_unlock(&ct
->buckets
[bucket
].lock
);
771 bucket
= hash_to_bucket(ctx2
.hash
);
773 ct_lock_lock(&ct
->buckets
[bucket
].lock
);
774 conn_key_lookup(&ct
->buckets
[bucket
], &ctx2
, now
);
779 /* It is a race condition where conn has timed out and removed
780 * between unlock of the rev_conn and lock of the forward conn;
782 pkt
->md
.ct_state
|= CS_TRACKED
| CS_INVALID
;
783 ct_lock_unlock(&ct
->buckets
[bucket
].lock
);
789 bool create_new_conn
= false;
790 struct conn conn_for_un_nat_copy
;
791 conn_for_un_nat_copy
.conn_type
= CT_CONN_TYPE_DEFAULT
;
792 if (OVS_LIKELY(conn
)) {
793 create_new_conn
= conn_update_state(ct
, pkt
, ctx
, &conn
, now
, bucket
);
794 if (nat_action_info
&& !create_new_conn
) {
795 handle_nat(pkt
, conn
, zone
, ctx
->reply
, ctx
->icmp_related
);
797 } else if (check_orig_tuple(ct
, pkt
, ctx
, now
, &bucket
, &conn
,
799 create_new_conn
= conn_update_state(ct
, pkt
, ctx
, &conn
, now
, bucket
);
801 if (ctx
->icmp_related
) {
802 pkt
->md
.ct_state
= CS_INVALID
;
804 create_new_conn
= true;
808 if (OVS_UNLIKELY(create_new_conn
)) {
809 conn
= conn_not_found(ct
, pkt
, ctx
, commit
, now
, nat_action_info
,
810 &conn_for_un_nat_copy
);
813 write_ct_md(pkt
, zone
, conn
, &ctx
->key
);
814 if (conn
&& setmark
) {
815 set_mark(pkt
, conn
, setmark
[0], setmark
[1]);
818 if (conn
&& setlabel
) {
819 set_label(pkt
, conn
, &setlabel
[0], &setlabel
[1]);
822 ct_lock_unlock(&ct
->buckets
[bucket
].lock
);
824 if (conn_for_un_nat_copy
.conn_type
== CT_CONN_TYPE_UN_NAT
) {
825 create_un_nat_conn(ct
, &conn_for_un_nat_copy
, now
);
829 /* Sends the packets in '*pkt_batch' through the connection tracker 'ct'. All
830 * the packets should have the same 'dl_type' (IPv4 or IPv6) and should have
831 * the l3 and and l4 offset properly set.
833 * If 'commit' is true, the packets are allowed to create new entries in the
834 * connection tables. 'setmark', if not NULL, should point to a two
835 * elements array containing a value and a mask to set the connection mark.
836 * 'setlabel' behaves similarly for the connection label.*/
838 conntrack_execute(struct conntrack
*ct
, struct dp_packet_batch
*pkt_batch
,
839 ovs_be16 dl_type
, bool force
, bool commit
, uint16_t zone
,
840 const uint32_t *setmark
,
841 const struct ovs_key_ct_labels
*setlabel
,
843 const struct nat_action_info_t
*nat_action_info
)
845 struct dp_packet
**pkts
= pkt_batch
->packets
;
846 size_t cnt
= pkt_batch
->count
;
847 long long now
= time_msec();
848 struct conn_lookup_ctx ctx
;
851 static struct vlog_rate_limit rl
= VLOG_RATE_LIMIT_INIT(5, 5);
853 VLOG_WARN_RL(&rl
, "ALG helper \"%s\" not supported", helper
);
854 /* Continue without the helper */
857 for (size_t i
= 0; i
< cnt
; i
++) {
858 if (!conn_key_extract(ct
, pkts
[i
], dl_type
, &ctx
, zone
)) {
859 pkts
[i
]->md
.ct_state
= CS_INVALID
;
860 write_ct_md(pkts
[i
], zone
, NULL
, NULL
);
863 process_one(ct
, pkts
[i
], &ctx
, zone
, force
, commit
,
864 now
, setmark
, setlabel
, nat_action_info
);
871 set_mark(struct dp_packet
*pkt
, struct conn
*conn
, uint32_t val
, uint32_t mask
)
873 pkt
->md
.ct_mark
= val
| (pkt
->md
.ct_mark
& ~(mask
));
874 conn
->mark
= pkt
->md
.ct_mark
;
878 set_label(struct dp_packet
*pkt
, struct conn
*conn
,
879 const struct ovs_key_ct_labels
*val
,
880 const struct ovs_key_ct_labels
*mask
)
884 memcpy(&v
, val
, sizeof v
);
885 memcpy(&m
, mask
, sizeof m
);
887 pkt
->md
.ct_label
.u64
.lo
= v
.u64
.lo
888 | (pkt
->md
.ct_label
.u64
.lo
& ~(m
.u64
.lo
));
889 pkt
->md
.ct_label
.u64
.hi
= v
.u64
.hi
890 | (pkt
->md
.ct_label
.u64
.hi
& ~(m
.u64
.hi
));
891 conn
->label
= pkt
->md
.ct_label
;
895 /* Delete the expired connections from 'ctb', up to 'limit'. Returns the
896 * earliest expiration time among the remaining connections in 'ctb'. Returns
897 * LLONG_MAX if 'ctb' is empty. The return value might be smaller than 'now',
898 * if 'limit' is reached */
900 sweep_bucket(struct conntrack
*ct
, struct conntrack_bucket
*ctb
, long long now
,
902 OVS_REQUIRES(ctb
->lock
)
904 struct conn
*conn
, *next
;
905 long long min_expiration
= LLONG_MAX
;
909 for (i
= 0; i
< N_CT_TM
; i
++) {
910 LIST_FOR_EACH_SAFE (conn
, next
, exp_node
, &ctb
->exp_lists
[i
]) {
911 if (conn
->conn_type
== CT_CONN_TYPE_DEFAULT
) {
912 if (!conn_expired(conn
, now
) || count
>= limit
) {
913 min_expiration
= MIN(min_expiration
, conn
->expiration
);
914 if (count
>= limit
) {
915 /* Do not check other lists. */
916 COVERAGE_INC(conntrack_long_cleanup
);
917 return min_expiration
;
921 conn_clean(ct
, conn
, ctb
);
927 return min_expiration
;
930 /* Cleans up old connection entries from 'ct'. Returns the time when the
931 * next expiration might happen. The return value might be smaller than
932 * 'now', meaning that an internal limit has been reached, and some expired
933 * connections have not been deleted. */
935 conntrack_clean(struct conntrack
*ct
, long long now
)
937 long long next_wakeup
= now
+ CT_TM_MIN
;
938 unsigned int n_conn_limit
;
939 size_t clean_count
= 0;
942 atomic_read_relaxed(&ct
->n_conn_limit
, &n_conn_limit
);
944 for (i
= 0; i
< CONNTRACK_BUCKETS
; i
++) {
945 struct conntrack_bucket
*ctb
= &ct
->buckets
[i
];
949 ovs_mutex_lock(&ctb
->cleanup_mutex
);
950 if (ctb
->next_cleanup
> now
) {
954 ct_lock_lock(&ctb
->lock
);
955 prev_count
= hmap_count(&ctb
->connections
);
956 /* If the connections are well distributed among buckets, we want to
957 * limit to 10% of the global limit equally split among buckets. If
958 * the bucket is busier than the others, we limit to 10% of its
960 min_exp
= sweep_bucket(ct
, ctb
, now
,
961 MAX(prev_count
/10, n_conn_limit
/(CONNTRACK_BUCKETS
*10)));
962 clean_count
+= prev_count
- hmap_count(&ctb
->connections
);
965 /* We call hmap_shrink() only if sweep_bucket() managed to delete
966 * every expired connection. */
967 hmap_shrink(&ctb
->connections
);
970 ct_lock_unlock(&ctb
->lock
);
972 ctb
->next_cleanup
= MIN(min_exp
, now
+ CT_TM_MIN
);
975 next_wakeup
= MIN(next_wakeup
, ctb
->next_cleanup
);
976 ovs_mutex_unlock(&ctb
->cleanup_mutex
);
979 VLOG_DBG("conntrack cleanup %"PRIuSIZE
" entries in %lld msec",
980 clean_count
, time_msec() - now
);
987 * We must call conntrack_clean() periodically. conntrack_clean() return
988 * value gives an hint on when the next cleanup must be done (either because
989 * there is an actual connection that expires, or because a new connection
990 * might be created with the minimum timeout).
992 * The logic below has two goals:
994 * - We want to reduce the number of wakeups and batch connection cleanup
995 * when the load is not very high. CT_CLEAN_INTERVAL ensures that if we
996 * are coping with the current cleanup tasks, then we wait at least
997 * 5 seconds to do further cleanup.
999 * - We don't want to keep the buckets locked too long, as we might prevent
1000 * traffic from flowing. CT_CLEAN_MIN_INTERVAL ensures that if cleanup is
1001 * behind, there is at least some 200ms blocks of time when buckets will be
1002 * left alone, so the datapath can operate unhindered.
1004 #define CT_CLEAN_INTERVAL 5000 /* 5 seconds */
1005 #define CT_CLEAN_MIN_INTERVAL 200 /* 0.2 seconds */
1008 clean_thread_main(void *f_
)
1010 struct conntrack
*ct
= f_
;
1012 while (!latch_is_set(&ct
->clean_thread_exit
)) {
1013 long long next_wake
;
1014 long long now
= time_msec();
1016 next_wake
= conntrack_clean(ct
, now
);
1018 if (next_wake
< now
) {
1019 poll_timer_wait_until(now
+ CT_CLEAN_MIN_INTERVAL
);
1021 poll_timer_wait_until(MAX(next_wake
, now
+ CT_CLEAN_INTERVAL
));
1023 latch_wait(&ct
->clean_thread_exit
);
1030 /* Key extraction */
1032 /* The function stores a pointer to the first byte after the header in
1033 * '*new_data', if 'new_data' is not NULL. If it is NULL, the caller is
1034 * not interested in the header's tail, meaning that the header has
1035 * already been parsed (e.g. by flow_extract): we take this as a hint to
1036 * save a few checks. If 'validate_checksum' is true, the function returns
1037 * false if the IPv4 checksum is invalid. */
1039 extract_l3_ipv4(struct conn_key
*key
, const void *data
, size_t size
,
1040 const char **new_data
, bool validate_checksum
)
1042 const struct ip_header
*ip
= data
;
1046 if (OVS_UNLIKELY(size
< IP_HEADER_LEN
)) {
1051 ip_len
= IP_IHL(ip
->ip_ihl_ver
) * 4;
1054 if (OVS_UNLIKELY(ip_len
< IP_HEADER_LEN
)) {
1057 if (OVS_UNLIKELY(size
< ip_len
)) {
1061 *new_data
= (char *) data
+ ip_len
;
1064 if (IP_IS_FRAGMENT(ip
->ip_frag_off
)) {
1068 if (validate_checksum
&& csum(data
, ip_len
) != 0) {
1072 key
->src
.addr
.ipv4
= ip
->ip_src
;
1073 key
->dst
.addr
.ipv4
= ip
->ip_dst
;
1074 key
->nw_proto
= ip
->ip_proto
;
1079 /* The function stores a pointer to the first byte after the header in
1080 * '*new_data', if 'new_data' is not NULL. If it is NULL, the caller is
1081 * not interested in the header's tail, meaning that the header has
1082 * already been parsed (e.g. by flow_extract): we take this as a hint to
1083 * save a few checks. */
1085 extract_l3_ipv6(struct conn_key
*key
, const void *data
, size_t size
,
1086 const char **new_data
)
1088 const struct ovs_16aligned_ip6_hdr
*ip6
= data
;
1091 if (OVS_UNLIKELY(size
< sizeof *ip6
)) {
1096 uint8_t nw_proto
= ip6
->ip6_nxt
;
1097 uint8_t nw_frag
= 0;
1100 size
-= sizeof *ip6
;
1102 if (!parse_ipv6_ext_hdrs(&data
, &size
, &nw_proto
, &nw_frag
)) {
1114 key
->src
.addr
.ipv6
= ip6
->ip6_src
;
1115 key
->dst
.addr
.ipv6
= ip6
->ip6_dst
;
1116 key
->nw_proto
= nw_proto
;
1122 checksum_valid(const struct conn_key
*key
, const void *data
, size_t size
,
1127 if (key
->dl_type
== htons(ETH_TYPE_IP
)) {
1128 csum
= packet_csum_pseudoheader(l3
);
1129 } else if (key
->dl_type
== htons(ETH_TYPE_IPV6
)) {
1130 csum
= packet_csum_pseudoheader6(l3
);
1135 csum
= csum_continue(csum
, data
, size
);
1137 return csum_finish(csum
) == 0;
1141 check_l4_tcp(const struct conn_key
*key
, const void *data
, size_t size
,
1142 const void *l3
, bool validate_checksum
)
1144 const struct tcp_header
*tcp
= data
;
1145 if (size
< sizeof *tcp
) {
1149 size_t tcp_len
= TCP_OFFSET(tcp
->tcp_ctl
) * 4;
1150 if (OVS_UNLIKELY(tcp_len
< TCP_HEADER_LEN
|| tcp_len
> size
)) {
1154 return validate_checksum
? checksum_valid(key
, data
, size
, l3
) : true;
1158 check_l4_udp(const struct conn_key
*key
, const void *data
, size_t size
,
1159 const void *l3
, bool validate_checksum
)
1161 const struct udp_header
*udp
= data
;
1162 if (size
< sizeof *udp
) {
1166 size_t udp_len
= ntohs(udp
->udp_len
);
1167 if (OVS_UNLIKELY(udp_len
< UDP_HEADER_LEN
|| udp_len
> size
)) {
1171 /* Validation must be skipped if checksum is 0 on IPv4 packets */
1172 return (udp
->udp_csum
== 0 && key
->dl_type
== htons(ETH_TYPE_IP
))
1173 || (validate_checksum
? checksum_valid(key
, data
, size
, l3
) : true);
1177 check_l4_icmp(const void *data
, size_t size
, bool validate_checksum
)
1179 return validate_checksum
? csum(data
, size
) == 0 : true;
1183 check_l4_icmp6(const struct conn_key
*key
, const void *data
, size_t size
,
1184 const void *l3
, bool validate_checksum
)
1186 return validate_checksum
? checksum_valid(key
, data
, size
, l3
) : true;
1190 extract_l4_tcp(struct conn_key
*key
, const void *data
, size_t size
)
1192 const struct tcp_header
*tcp
= data
;
1194 if (OVS_UNLIKELY(size
< TCP_HEADER_LEN
)) {
1198 key
->src
.port
= tcp
->tcp_src
;
1199 key
->dst
.port
= tcp
->tcp_dst
;
1201 /* Port 0 is invalid */
1202 return key
->src
.port
&& key
->dst
.port
;
1206 extract_l4_udp(struct conn_key
*key
, const void *data
, size_t size
)
1208 const struct udp_header
*udp
= data
;
1210 if (OVS_UNLIKELY(size
< UDP_HEADER_LEN
)) {
1214 key
->src
.port
= udp
->udp_src
;
1215 key
->dst
.port
= udp
->udp_dst
;
1217 /* Port 0 is invalid */
1218 return key
->src
.port
&& key
->dst
.port
;
1221 static inline bool extract_l4(struct conn_key
*key
, const void *data
,
1222 size_t size
, bool *related
, const void *l3
,
1223 bool validate_checksum
);
1226 reverse_icmp_type(uint8_t type
)
1229 case ICMP4_ECHO_REQUEST
:
1230 return ICMP4_ECHO_REPLY
;
1231 case ICMP4_ECHO_REPLY
:
1232 return ICMP4_ECHO_REQUEST
;
1234 case ICMP4_TIMESTAMP
:
1235 return ICMP4_TIMESTAMPREPLY
;
1236 case ICMP4_TIMESTAMPREPLY
:
1237 return ICMP4_TIMESTAMP
;
1239 case ICMP4_INFOREQUEST
:
1240 return ICMP4_INFOREPLY
;
1241 case ICMP4_INFOREPLY
:
1242 return ICMP4_INFOREQUEST
;
1248 /* If 'related' is not NULL and the function is processing an ICMP
1249 * error packet, extract the l3 and l4 fields from the nested header
1250 * instead and set *related to true. If 'related' is NULL we're
1251 * already processing a nested header and no such recursion is
1254 extract_l4_icmp(struct conn_key
*key
, const void *data
, size_t size
,
1257 const struct icmp_header
*icmp
= data
;
1259 if (OVS_UNLIKELY(size
< ICMP_HEADER_LEN
)) {
1263 switch (icmp
->icmp_type
) {
1264 case ICMP4_ECHO_REQUEST
:
1265 case ICMP4_ECHO_REPLY
:
1266 case ICMP4_TIMESTAMP
:
1267 case ICMP4_TIMESTAMPREPLY
:
1268 case ICMP4_INFOREQUEST
:
1269 case ICMP4_INFOREPLY
:
1270 if (icmp
->icmp_code
!= 0) {
1273 /* Separate ICMP connection: identified using id */
1274 key
->src
.icmp_id
= key
->dst
.icmp_id
= icmp
->icmp_fields
.echo
.id
;
1275 key
->src
.icmp_type
= icmp
->icmp_type
;
1276 key
->dst
.icmp_type
= reverse_icmp_type(icmp
->icmp_type
);
1278 case ICMP4_DST_UNREACH
:
1279 case ICMP4_TIME_EXCEEDED
:
1280 case ICMP4_PARAM_PROB
:
1281 case ICMP4_SOURCEQUENCH
:
1282 case ICMP4_REDIRECT
: {
1283 /* ICMP packet part of another connection. We should
1284 * extract the key from embedded packet header */
1285 struct conn_key inner_key
;
1286 const char *l3
= (const char *) (icmp
+ 1);
1287 const char *tail
= (const char *) data
+ size
;
1295 memset(&inner_key
, 0, sizeof inner_key
);
1296 inner_key
.dl_type
= htons(ETH_TYPE_IP
);
1297 ok
= extract_l3_ipv4(&inner_key
, l3
, tail
- l3
, &l4
, false);
1302 if (inner_key
.src
.addr
.ipv4_aligned
!= key
->dst
.addr
.ipv4_aligned
1303 || inner_key
.dst
.addr
.ipv4_aligned
!= key
->src
.addr
.ipv4_aligned
) {
1307 key
->src
= inner_key
.src
;
1308 key
->dst
= inner_key
.dst
;
1309 key
->nw_proto
= inner_key
.nw_proto
;
1311 ok
= extract_l4(key
, l4
, tail
- l4
, NULL
, l3
, false);
1313 conn_key_reverse(key
);
1326 reverse_icmp6_type(uint8_t type
)
1329 case ICMP6_ECHO_REQUEST
:
1330 return ICMP6_ECHO_REPLY
;
1331 case ICMP6_ECHO_REPLY
:
1332 return ICMP6_ECHO_REQUEST
;
1338 /* If 'related' is not NULL and the function is processing an ICMP
1339 * error packet, extract the l3 and l4 fields from the nested header
1340 * instead and set *related to true. If 'related' is NULL we're
1341 * already processing a nested header and no such recursion is
1344 extract_l4_icmp6(struct conn_key
*key
, const void *data
, size_t size
,
1347 const struct icmp6_header
*icmp6
= data
;
1349 /* All the messages that we support need at least 4 bytes after
1351 if (size
< sizeof *icmp6
+ 4) {
1355 switch (icmp6
->icmp6_type
) {
1356 case ICMP6_ECHO_REQUEST
:
1357 case ICMP6_ECHO_REPLY
:
1358 if (icmp6
->icmp6_code
!= 0) {
1361 /* Separate ICMP connection: identified using id */
1362 key
->src
.icmp_id
= key
->dst
.icmp_id
= *(ovs_be16
*) (icmp6
+ 1);
1363 key
->src
.icmp_type
= icmp6
->icmp6_type
;
1364 key
->dst
.icmp_type
= reverse_icmp6_type(icmp6
->icmp6_type
);
1366 case ICMP6_DST_UNREACH
:
1367 case ICMP6_PACKET_TOO_BIG
:
1368 case ICMP6_TIME_EXCEEDED
:
1369 case ICMP6_PARAM_PROB
: {
1370 /* ICMP packet part of another connection. We should
1371 * extract the key from embedded packet header */
1372 struct conn_key inner_key
;
1373 const char *l3
= (const char *) icmp6
+ 8;
1374 const char *tail
= (const char *) data
+ size
;
1375 const char *l4
= NULL
;
1382 memset(&inner_key
, 0, sizeof inner_key
);
1383 inner_key
.dl_type
= htons(ETH_TYPE_IPV6
);
1384 ok
= extract_l3_ipv6(&inner_key
, l3
, tail
- l3
, &l4
);
1389 /* pf doesn't do this, but it seems a good idea */
1390 if (!ipv6_addr_equals(&inner_key
.src
.addr
.ipv6_aligned
,
1391 &key
->dst
.addr
.ipv6_aligned
)
1392 || !ipv6_addr_equals(&inner_key
.dst
.addr
.ipv6_aligned
,
1393 &key
->src
.addr
.ipv6_aligned
)) {
1397 key
->src
= inner_key
.src
;
1398 key
->dst
= inner_key
.dst
;
1399 key
->nw_proto
= inner_key
.nw_proto
;
1401 ok
= extract_l4(key
, l4
, tail
- l4
, NULL
, l3
, false);
1403 conn_key_reverse(key
);
1415 /* Extract l4 fields into 'key', which must already contain valid l3
1418 * If 'related' is not NULL and an ICMP error packet is being
1419 * processed, the function will extract the key from the packet nested
1420 * in the ICMP payload and set '*related' to true.
1422 * If 'related' is NULL, it means that we're already parsing a header nested
1423 * in an ICMP error. In this case, we skip checksum and length validation. */
1425 extract_l4(struct conn_key
*key
, const void *data
, size_t size
, bool *related
,
1426 const void *l3
, bool validate_checksum
)
1428 if (key
->nw_proto
== IPPROTO_TCP
) {
1429 return (!related
|| check_l4_tcp(key
, data
, size
, l3
,
1430 validate_checksum
)) && extract_l4_tcp(key
, data
, size
);
1431 } else if (key
->nw_proto
== IPPROTO_UDP
) {
1432 return (!related
|| check_l4_udp(key
, data
, size
, l3
,
1433 validate_checksum
)) && extract_l4_udp(key
, data
, size
);
1434 } else if (key
->dl_type
== htons(ETH_TYPE_IP
)
1435 && key
->nw_proto
== IPPROTO_ICMP
) {
1436 return (!related
|| check_l4_icmp(data
, size
, validate_checksum
))
1437 && extract_l4_icmp(key
, data
, size
, related
);
1438 } else if (key
->dl_type
== htons(ETH_TYPE_IPV6
)
1439 && key
->nw_proto
== IPPROTO_ICMPV6
) {
1440 return (!related
|| check_l4_icmp6(key
, data
, size
, l3
,
1441 validate_checksum
)) && extract_l4_icmp6(key
, data
, size
,
1449 conn_key_extract(struct conntrack
*ct
, struct dp_packet
*pkt
, ovs_be16 dl_type
,
1450 struct conn_lookup_ctx
*ctx
, uint16_t zone
)
1452 const struct eth_header
*l2
= dp_packet_eth(pkt
);
1453 const struct ip_header
*l3
= dp_packet_l3(pkt
);
1454 const char *l4
= dp_packet_l4(pkt
);
1455 const char *tail
= dp_packet_tail(pkt
);
1458 memset(ctx
, 0, sizeof *ctx
);
1460 if (!l2
|| !l3
|| !l4
) {
1464 ctx
->key
.zone
= zone
;
1466 /* XXX In this function we parse the packet (again, it has already
1467 * gone through miniflow_extract()) for two reasons:
1469 * 1) To extract the l3 addresses and l4 ports.
1470 * We already have the l3 and l4 headers' pointers. Extracting
1471 * the l3 addresses and the l4 ports is really cheap, since they
1472 * can be found at fixed locations.
1473 * 2) To extract the l4 type.
1474 * Extracting the l4 types, for IPv6 can be quite expensive, because
1475 * it's not at a fixed location.
1477 * Here's a way to avoid (2) with the help of the datapath.
1478 * The datapath doesn't keep the packet's extracted flow[1], so
1479 * using that is not an option. We could use the packet's matching
1480 * megaflow, but we have to make sure that the l4 type (nw_proto)
1481 * is unwildcarded. This means either:
1483 * a) dpif-netdev unwildcards the l4 type when a new flow is installed
1484 * if the actions contains ct().
1486 * b) ofproto-dpif-xlate unwildcards the l4 type when translating a ct()
1487 * action. This is already done in different actions, but it's
1488 * unnecessary for the kernel.
1491 * [1] The reasons for this are that keeping the flow increases
1492 * (slightly) the cache footprint and increases computation
1493 * time as we move the packet around. Most importantly, the flow
1494 * should be updated by the actions and this can be slow, as
1495 * we use a sparse representation (miniflow).
1498 ctx
->key
.dl_type
= dl_type
;
1499 if (ctx
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
1500 bool hwol_bad_l3_csum
= dp_packet_ip_checksum_bad(pkt
);
1501 if (hwol_bad_l3_csum
) {
1504 bool hwol_good_l3_csum
= dp_packet_ip_checksum_valid(pkt
);
1505 /* Validate the checksum only when hwol is not supported. */
1506 ok
= extract_l3_ipv4(&ctx
->key
, l3
, tail
- (char *) l3
, NULL
,
1507 !hwol_good_l3_csum
);
1509 } else if (ctx
->key
.dl_type
== htons(ETH_TYPE_IPV6
)) {
1510 ok
= extract_l3_ipv6(&ctx
->key
, l3
, tail
- (char *) l3
, NULL
);
1517 bool hwol_bad_l4_csum
= dp_packet_l4_checksum_bad(pkt
);
1518 if (!hwol_bad_l4_csum
) {
1519 bool hwol_good_l4_csum
= dp_packet_l4_checksum_valid(pkt
);
1520 /* Validate the checksum only when hwol is not supported. */
1521 if (extract_l4(&ctx
->key
, l4
, tail
- l4
, &ctx
->icmp_related
, l3
,
1522 !hwol_good_l4_csum
)) {
1523 ctx
->hash
= conn_key_hash(&ctx
->key
, ct
->hash_basis
);
1533 ct_addr_hash_add(uint32_t hash
, const struct ct_addr
*addr
)
1535 BUILD_ASSERT_DECL(sizeof *addr
% 4 == 0);
1536 return hash_add_bytes32(hash
, (const uint32_t *) addr
, sizeof *addr
);
1540 ct_endpoint_hash_add(uint32_t hash
, const struct ct_endpoint
*ep
)
1542 BUILD_ASSERT_DECL(sizeof *ep
% 4 == 0);
1543 return hash_add_bytes32(hash
, (const uint32_t *) ep
, sizeof *ep
);
1548 conn_key_hash(const struct conn_key
*key
, uint32_t basis
)
1550 uint32_t hsrc
, hdst
, hash
;
1552 hsrc
= hdst
= basis
;
1553 hsrc
= ct_endpoint_hash_add(hsrc
, &key
->src
);
1554 hdst
= ct_endpoint_hash_add(hdst
, &key
->dst
);
1556 /* Even if source and destination are swapped the hash will be the same. */
1559 /* Hash the rest of the key(L3 and L4 types and zone). */
1560 hash
= hash_words((uint32_t *) (&key
->dst
+ 1),
1561 (uint32_t *) (key
+ 1) - (uint32_t *) (&key
->dst
+ 1),
1564 return hash_finish(hash
, 0);
1568 conn_key_reverse(struct conn_key
*key
)
1570 struct ct_endpoint tmp
;
1573 key
->src
= key
->dst
;
1578 nat_ipv6_addrs_delta(struct in6_addr
*ipv6_aligned_min
,
1579 struct in6_addr
*ipv6_aligned_max
)
1581 uint8_t *ipv6_min_hi
= &ipv6_aligned_min
->s6_addr
[0];
1582 uint8_t *ipv6_min_lo
= &ipv6_aligned_min
->s6_addr
[0] + sizeof(uint64_t);
1583 uint8_t *ipv6_max_hi
= &ipv6_aligned_max
->s6_addr
[0];
1584 uint8_t *ipv6_max_lo
= &ipv6_aligned_max
->s6_addr
[0] + sizeof(uint64_t);
1586 ovs_be64 addr6_64_min_hi
;
1587 ovs_be64 addr6_64_min_lo
;
1588 memcpy(&addr6_64_min_hi
, ipv6_min_hi
, sizeof addr6_64_min_hi
);
1589 memcpy(&addr6_64_min_lo
, ipv6_min_lo
, sizeof addr6_64_min_lo
);
1591 ovs_be64 addr6_64_max_hi
;
1592 ovs_be64 addr6_64_max_lo
;
1593 memcpy(&addr6_64_max_hi
, ipv6_max_hi
, sizeof addr6_64_max_hi
);
1594 memcpy(&addr6_64_max_lo
, ipv6_max_lo
, sizeof addr6_64_max_lo
);
1597 if (addr6_64_min_hi
== addr6_64_max_hi
&&
1598 ntohll(addr6_64_min_lo
) <= ntohll(addr6_64_max_lo
)) {
1599 diff
= ntohll(addr6_64_max_lo
) - ntohll(addr6_64_min_lo
);
1600 } else if (ntohll(addr6_64_min_hi
) + 1 == ntohll(addr6_64_max_hi
) &&
1601 ntohll(addr6_64_min_lo
) > ntohll(addr6_64_max_lo
)) {
1602 diff
= UINT64_MAX
- (ntohll(addr6_64_min_lo
) -
1603 ntohll(addr6_64_max_lo
) - 1);
1605 /* Limit address delta supported to 32 bits or 4 billion approximately.
1606 * Possibly, this should be visible to the user through a datapath
1607 * support check, however the practical impact is probably nil. */
1610 if (diff
> 0xfffffffe) {
1616 /* This function must be used in tandem with nat_ipv6_addrs_delta(), which
1617 * restricts the input parameters. */
1619 nat_ipv6_addr_increment(struct in6_addr
*ipv6_aligned
, uint32_t increment
)
1621 uint8_t *ipv6_hi
= &ipv6_aligned
->s6_addr
[0];
1622 uint8_t *ipv6_lo
= &ipv6_aligned
->s6_addr
[0] + sizeof(ovs_be64
);
1623 ovs_be64 addr6_64_hi
;
1624 ovs_be64 addr6_64_lo
;
1625 memcpy(&addr6_64_hi
, ipv6_hi
, sizeof addr6_64_hi
);
1626 memcpy(&addr6_64_lo
, ipv6_lo
, sizeof addr6_64_lo
);
1628 if (UINT64_MAX
- increment
>= ntohll(addr6_64_lo
)) {
1629 addr6_64_lo
= htonll(increment
+ ntohll(addr6_64_lo
));
1630 } else if (addr6_64_hi
!= OVS_BE64_MAX
) {
1631 addr6_64_hi
= htonll(1 + ntohll(addr6_64_hi
));
1632 addr6_64_lo
= htonll(increment
- (UINT64_MAX
-
1633 ntohll(addr6_64_lo
) + 1));
1638 memcpy(ipv6_hi
, &addr6_64_hi
, sizeof addr6_64_hi
);
1639 memcpy(ipv6_lo
, &addr6_64_lo
, sizeof addr6_64_lo
);
1645 nat_range_hash(const struct conn
*conn
, uint32_t basis
)
1647 uint32_t hash
= basis
;
1649 hash
= ct_addr_hash_add(hash
, &conn
->nat_info
->min_addr
);
1650 hash
= ct_addr_hash_add(hash
, &conn
->nat_info
->max_addr
);
1651 hash
= hash_add(hash
,
1652 (conn
->nat_info
->max_port
<< 16)
1653 | conn
->nat_info
->min_port
);
1655 hash
= ct_endpoint_hash_add(hash
, &conn
->key
.src
);
1656 hash
= ct_endpoint_hash_add(hash
, &conn
->key
.dst
);
1658 hash
= hash_add(hash
, (OVS_FORCE
uint32_t) conn
->key
.dl_type
);
1659 hash
= hash_add(hash
, conn
->key
.nw_proto
);
1660 hash
= hash_add(hash
, conn
->key
.zone
);
1662 /* The purpose of the second parameter is to distinguish hashes of data of
1663 * different length; our data always has the same length so there is no
1664 * value in counting. */
1665 return hash_finish(hash
, 0);
1669 nat_select_range_tuple(struct conntrack
*ct
, const struct conn
*conn
,
1670 struct conn
*nat_conn
)
1672 #define MIN_NAT_EPHEMERAL_PORT 1024
1673 #define MAX_NAT_EPHEMERAL_PORT 65535
1677 uint16_t first_port
;
1679 uint32_t hash
= nat_range_hash(conn
, ct
->hash_basis
);
1681 if ((conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) &&
1682 (!(conn
->nat_info
->nat_action
& NAT_ACTION_SRC_PORT
))) {
1683 min_port
= ntohs(conn
->key
.src
.port
);
1684 max_port
= ntohs(conn
->key
.src
.port
);
1685 first_port
= min_port
;
1686 } else if ((conn
->nat_info
->nat_action
& NAT_ACTION_DST
) &&
1687 (!(conn
->nat_info
->nat_action
& NAT_ACTION_DST_PORT
))) {
1688 min_port
= ntohs(conn
->key
.dst
.port
);
1689 max_port
= ntohs(conn
->key
.dst
.port
);
1690 first_port
= min_port
;
1692 uint16_t deltap
= conn
->nat_info
->max_port
- conn
->nat_info
->min_port
;
1693 uint32_t port_index
= hash
% (deltap
+ 1);
1694 first_port
= conn
->nat_info
->min_port
+ port_index
;
1695 min_port
= conn
->nat_info
->min_port
;
1696 max_port
= conn
->nat_info
->max_port
;
1699 uint32_t deltaa
= 0;
1700 uint32_t address_index
;
1701 struct ct_addr ct_addr
;
1702 memset(&ct_addr
, 0, sizeof ct_addr
);
1703 struct ct_addr max_ct_addr
;
1704 memset(&max_ct_addr
, 0, sizeof max_ct_addr
);
1705 max_ct_addr
= conn
->nat_info
->max_addr
;
1707 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
1708 deltaa
= ntohl(conn
->nat_info
->max_addr
.ipv4_aligned
) -
1709 ntohl(conn
->nat_info
->min_addr
.ipv4_aligned
);
1710 address_index
= hash
% (deltaa
+ 1);
1711 ct_addr
.ipv4_aligned
= htonl(
1712 ntohl(conn
->nat_info
->min_addr
.ipv4_aligned
) + address_index
);
1714 deltaa
= nat_ipv6_addrs_delta(&conn
->nat_info
->min_addr
.ipv6_aligned
,
1715 &conn
->nat_info
->max_addr
.ipv6_aligned
);
1716 /* deltaa must be within 32 bits for full hash coverage. A 64 or
1717 * 128 bit hash is unnecessary and hence not used here. Most code
1718 * is kept common with V4; nat_ipv6_addrs_delta() will do the
1719 * enforcement via max_ct_addr. */
1720 max_ct_addr
= conn
->nat_info
->min_addr
;
1721 nat_ipv6_addr_increment(&max_ct_addr
.ipv6_aligned
, deltaa
);
1723 address_index
= hash
% (deltaa
+ 1);
1724 ct_addr
.ipv6_aligned
= conn
->nat_info
->min_addr
.ipv6_aligned
;
1725 nat_ipv6_addr_increment(&ct_addr
.ipv6_aligned
, address_index
);
1728 uint16_t port
= first_port
;
1729 bool all_ports_tried
= false;
1730 bool original_ports_tried
= false;
1731 struct ct_addr first_addr
= ct_addr
;
1735 if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
1736 nat_conn
->rev_key
.dst
.addr
= ct_addr
;
1738 nat_conn
->rev_key
.src
.addr
= ct_addr
;
1741 if ((conn
->key
.nw_proto
== IPPROTO_ICMP
) ||
1742 (conn
->key
.nw_proto
== IPPROTO_ICMPV6
)) {
1743 all_ports_tried
= true;
1744 } else if (conn
->nat_info
->nat_action
& NAT_ACTION_SRC
) {
1745 nat_conn
->rev_key
.dst
.port
= htons(port
);
1747 nat_conn
->rev_key
.src
.port
= htons(port
);
1750 struct nat_conn_key_node
*nat_conn_key_node
=
1751 nat_conn_keys_lookup(&ct
->nat_conn_keys
, &nat_conn
->rev_key
,
1754 if (!nat_conn_key_node
) {
1755 struct nat_conn_key_node
*nat_conn_key
=
1756 xzalloc(sizeof *nat_conn_key
);
1757 nat_conn_key
->key
= nat_conn
->rev_key
;
1758 nat_conn_key
->value
= nat_conn
->key
;
1759 uint32_t nat_conn_key_hash
= conn_key_hash(&nat_conn_key
->key
,
1761 hmap_insert(&ct
->nat_conn_keys
, &nat_conn_key
->node
,
1764 } else if (!all_ports_tried
) {
1765 if (min_port
== max_port
) {
1766 all_ports_tried
= true;
1767 } else if (port
== max_port
) {
1772 if (port
== first_port
) {
1773 all_ports_tried
= true;
1776 if (memcmp(&ct_addr
, &max_ct_addr
, sizeof ct_addr
)) {
1777 if (conn
->key
.dl_type
== htons(ETH_TYPE_IP
)) {
1778 ct_addr
.ipv4_aligned
= htonl(
1779 ntohl(ct_addr
.ipv4_aligned
) + 1);
1781 nat_ipv6_addr_increment(&ct_addr
.ipv6_aligned
, 1);
1784 ct_addr
= conn
->nat_info
->min_addr
;
1786 if (!memcmp(&ct_addr
, &first_addr
, sizeof ct_addr
)) {
1787 if (!original_ports_tried
) {
1788 original_ports_tried
= true;
1789 ct_addr
= conn
->nat_info
->min_addr
;
1790 min_port
= MIN_NAT_EPHEMERAL_PORT
;
1791 max_port
= MAX_NAT_EPHEMERAL_PORT
;
1796 first_port
= min_port
;
1798 all_ports_tried
= false;
1804 /* This function must be called with the ct->resources lock taken. */
1805 static struct nat_conn_key_node
*
1806 nat_conn_keys_lookup(struct hmap
*nat_conn_keys
,
1807 const struct conn_key
*key
,
1810 struct nat_conn_key_node
*nat_conn_key_node
;
1811 uint32_t nat_conn_key_hash
= conn_key_hash(key
, basis
);
1813 HMAP_FOR_EACH_WITH_HASH (nat_conn_key_node
, node
, nat_conn_key_hash
,
1815 if (!memcmp(&nat_conn_key_node
->key
, key
,
1816 sizeof nat_conn_key_node
->key
)) {
1817 return nat_conn_key_node
;
1823 /* This function must be called with the ct->resources write lock taken. */
1825 nat_conn_keys_remove(struct hmap
*nat_conn_keys
, const struct conn_key
*key
,
1828 struct nat_conn_key_node
*nat_conn_key_node
;
1829 uint32_t nat_conn_key_hash
= conn_key_hash(key
, basis
);
1831 HMAP_FOR_EACH_WITH_HASH (nat_conn_key_node
, node
, nat_conn_key_hash
,
1833 if (!memcmp(&nat_conn_key_node
->key
, key
,
1834 sizeof nat_conn_key_node
->key
)) {
1835 hmap_remove(nat_conn_keys
, &nat_conn_key_node
->node
);
1836 free(nat_conn_key_node
);
1843 conn_key_lookup(struct conntrack_bucket
*ctb
, struct conn_lookup_ctx
*ctx
,
1845 OVS_REQUIRES(ctb
->lock
)
1847 uint32_t hash
= ctx
->hash
;
1852 HMAP_FOR_EACH_WITH_HASH (conn
, node
, hash
, &ctb
->connections
) {
1853 if (!memcmp(&conn
->key
, &ctx
->key
, sizeof conn
->key
)
1854 && !conn_expired(conn
, now
)) {
1859 if (!memcmp(&conn
->rev_key
, &ctx
->key
, sizeof conn
->rev_key
)
1860 && !conn_expired(conn
, now
)) {
1868 static enum ct_update_res
1869 conn_update(struct conn
*conn
, struct conntrack_bucket
*ctb
,
1870 struct dp_packet
*pkt
, bool reply
, long long now
)
1872 return l4_protos
[conn
->key
.nw_proto
]->conn_update(conn
, ctb
, pkt
,
1877 conn_expired(struct conn
*conn
, long long now
)
1879 if (conn
->conn_type
== CT_CONN_TYPE_DEFAULT
) {
1880 return now
>= conn
->expiration
;
1886 valid_new(struct dp_packet
*pkt
, struct conn_key
*key
)
1888 return l4_protos
[key
->nw_proto
]->valid_new(pkt
);
1891 static struct conn
*
1892 new_conn(struct conntrack_bucket
*ctb
, struct dp_packet
*pkt
,
1893 struct conn_key
*key
, long long now
)
1895 struct conn
*newconn
;
1897 newconn
= l4_protos
[key
->nw_proto
]->new_conn(ctb
, pkt
, now
);
1900 newconn
->key
= *key
;
1907 delete_conn(struct conn
*conn
)
1909 free(conn
->nat_info
);
1914 ct_endpoint_to_ct_dpif_inet_addr(const struct ct_addr
*a
,
1915 union ct_dpif_inet_addr
*b
,
1918 if (dl_type
== htons(ETH_TYPE_IP
)) {
1919 b
->ip
= a
->ipv4_aligned
;
1920 } else if (dl_type
== htons(ETH_TYPE_IPV6
)){
1921 b
->in6
= a
->ipv6_aligned
;
1926 conn_key_to_tuple(const struct conn_key
*key
, struct ct_dpif_tuple
*tuple
)
1928 if (key
->dl_type
== htons(ETH_TYPE_IP
)) {
1929 tuple
->l3_type
= AF_INET
;
1930 } else if (key
->dl_type
== htons(ETH_TYPE_IPV6
)) {
1931 tuple
->l3_type
= AF_INET6
;
1933 tuple
->ip_proto
= key
->nw_proto
;
1934 ct_endpoint_to_ct_dpif_inet_addr(&key
->src
.addr
, &tuple
->src
,
1936 ct_endpoint_to_ct_dpif_inet_addr(&key
->dst
.addr
, &tuple
->dst
,
1939 if (key
->nw_proto
== IPPROTO_ICMP
|| key
->nw_proto
== IPPROTO_ICMPV6
) {
1940 tuple
->icmp_id
= key
->src
.icmp_id
;
1941 tuple
->icmp_type
= key
->src
.icmp_type
;
1942 tuple
->icmp_code
= key
->src
.icmp_code
;
1944 tuple
->src_port
= key
->src
.port
;
1945 tuple
->dst_port
= key
->dst
.port
;
1950 conn_to_ct_dpif_entry(const struct conn
*conn
, struct ct_dpif_entry
*entry
,
1951 long long now
, int bkt
)
1953 struct ct_l4_proto
*class;
1954 long long expiration
;
1955 memset(entry
, 0, sizeof *entry
);
1956 conn_key_to_tuple(&conn
->key
, &entry
->tuple_orig
);
1957 conn_key_to_tuple(&conn
->rev_key
, &entry
->tuple_reply
);
1959 entry
->zone
= conn
->key
.zone
;
1960 entry
->mark
= conn
->mark
;
1962 memcpy(&entry
->labels
, &conn
->label
, sizeof entry
->labels
);
1963 /* Not implemented yet */
1964 entry
->timestamp
.start
= 0;
1965 entry
->timestamp
.stop
= 0;
1967 expiration
= conn
->expiration
- now
;
1968 entry
->timeout
= (expiration
> 0) ? expiration
/ 1000 : 0;
1970 class = l4_protos
[conn
->key
.nw_proto
];
1971 if (class->conn_get_protoinfo
) {
1972 class->conn_get_protoinfo(conn
, &entry
->protoinfo
);
1978 conntrack_dump_start(struct conntrack
*ct
, struct conntrack_dump
*dump
,
1979 const uint16_t *pzone
, int *ptot_bkts
)
1981 memset(dump
, 0, sizeof(*dump
));
1983 dump
->zone
= *pzone
;
1984 dump
->filter_zone
= true;
1988 *ptot_bkts
= CONNTRACK_BUCKETS
;
1994 conntrack_dump_next(struct conntrack_dump
*dump
, struct ct_dpif_entry
*entry
)
1996 struct conntrack
*ct
= dump
->ct
;
1997 long long now
= time_msec();
1999 while (dump
->bucket
< CONNTRACK_BUCKETS
) {
2000 struct hmap_node
*node
;
2002 ct_lock_lock(&ct
->buckets
[dump
->bucket
].lock
);
2006 node
= hmap_at_position(&ct
->buckets
[dump
->bucket
].connections
,
2011 INIT_CONTAINER(conn
, node
, node
);
2012 if ((!dump
->filter_zone
|| conn
->key
.zone
== dump
->zone
) &&
2013 (conn
->conn_type
!= CT_CONN_TYPE_UN_NAT
)) {
2014 conn_to_ct_dpif_entry(conn
, entry
, now
, dump
->bucket
);
2017 /* Else continue, until we find an entry in the appropriate zone
2018 * or the bucket has been scanned completely. */
2020 ct_lock_unlock(&ct
->buckets
[dump
->bucket
].lock
);
2023 memset(&dump
->bucket_pos
, 0, sizeof dump
->bucket_pos
);
2033 conntrack_dump_done(struct conntrack_dump
*dump OVS_UNUSED
)
2039 conntrack_flush(struct conntrack
*ct
, const uint16_t *zone
)
2043 for (i
= 0; i
< CONNTRACK_BUCKETS
; i
++) {
2044 struct conn
*conn
, *next
;
2046 ct_lock_lock(&ct
->buckets
[i
].lock
);
2047 HMAP_FOR_EACH_SAFE(conn
, next
, node
, &ct
->buckets
[i
].connections
) {
2048 if ((!zone
|| *zone
== conn
->key
.zone
) &&
2049 (conn
->conn_type
== CT_CONN_TYPE_DEFAULT
)) {
2050 conn_clean(ct
, conn
, &ct
->buckets
[i
]);
2053 ct_lock_unlock(&ct
->buckets
[i
].lock
);