<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/openvswitch.git/include/sparse/netinet, branch master</title>
<subtitle>github.com: openvswitch/ovs.git
</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/'/>
<entry>
<title>userspace: Add SRv6 tunnel support.</title>
<updated>2023-03-29T20:16:04+00:00</updated>
<author>
<name>Nobuhiro MIKI</name>
<email>nmiki@yahoo-corp.jp</email>
</author>
<published>2023-03-29T05:51:17+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=03fc1ad78521544c7269355ec72fec8c2373b96d'/>
<id>03fc1ad78521544c7269355ec72fec8c2373b96d</id>
<content type='text'>
SRv6 (Segment Routing IPv6) tunnel vport is responsible
for encapsulating and decapsulating the inner packets with
IPv6 header and an extended header called SRH
(Segment Routing Header). See spec in:

https://datatracker.ietf.org/doc/html/rfc8754

This patch implements SRv6 tunneling in userspace datapath.
It uses `remote_ip` and `local_ip` options as with existing
tunnel protocols. It also adds a dedicated `srv6_segs` option
to define a sequence of routers called segment list.

Signed-off-by: Nobuhiro MIKI &lt;nmiki@yahoo-corp.jp&gt;
Signed-off-by: Ilya Maximets &lt;i.maximets@ovn.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SRv6 (Segment Routing IPv6) tunnel vport is responsible
for encapsulating and decapsulating the inner packets with
IPv6 header and an extended header called SRH
(Segment Routing Header). See spec in:

https://datatracker.ietf.org/doc/html/rfc8754

This patch implements SRv6 tunneling in userspace datapath.
It uses `remote_ip` and `local_ip` options as with existing
tunnel protocols. It also adds a dedicated `srv6_segs` option
to define a sequence of routers called segment list.

Signed-off-by: Nobuhiro MIKI &lt;nmiki@yahoo-corp.jp&gt;
Signed-off-by: Ilya Maximets &lt;i.maximets@ovn.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sparse: Add a guard for netinet/ip6.h header on FreeBSD.</title>
<updated>2022-10-06T19:58:16+00:00</updated>
<author>
<name>Ilya Maximets</name>
<email>i.maximets@ovn.org</email>
</author>
<published>2022-09-26T21:18:48+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=46606cb2d6089dc473025d681a45757343539c6b'/>
<id>46606cb2d6089dc473025d681a45757343539c6b</id>
<content type='text'>
Same as arpa/inet.h, the netinet/ip6.h on FreeBSD requires
netinet/in.h to be included first.  So, adding a similar guard.

Also fixing one instance where this is not respected at the moment.

We do have FreeBSD CI these days, but it is still nice to have
a more clear error message.

Fixes: b2befd5bb2db ("sparse: Add guards to prevent FreeBSD-incompatible #include order.")
Acked-by: Mike Pattrick &lt;mkp@redhat.com&gt;
Signed-off-by: Ilya Maximets &lt;i.maximets@ovn.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Same as arpa/inet.h, the netinet/ip6.h on FreeBSD requires
netinet/in.h to be included first.  So, adding a similar guard.

Also fixing one instance where this is not respected at the moment.

We do have FreeBSD CI these days, but it is still nice to have
a more clear error message.

Fixes: b2befd5bb2db ("sparse: Add guards to prevent FreeBSD-incompatible #include order.")
Acked-by: Mike Pattrick &lt;mkp@redhat.com&gt;
Signed-off-by: Ilya Maximets &lt;i.maximets@ovn.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Userspace datapath: Add fragmentation handling.</title>
<updated>2019-02-14T22:18:56+00:00</updated>
<author>
<name>Darrell Ball</name>
<email>dlu998@gmail.com</email>
</author>
<published>2019-02-13T23:34:21+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=4ea96698f66792302b88b06c756862e24cc5b88e'/>
<id>4ea96698f66792302b88b06c756862e24cc5b88e</id>
<content type='text'>
Fragmentation handling is added for supporting conntrack.
Both v4 and v6 are supported.

After discussion with several people, I decided to not store
configuration state in the database to be more consistent with
the kernel in future, similarity with other conntrack configuration
which will not be in the database as well and overall simplicity.
Accordingly, fragmentation handling is enabled by default.

This patch enables fragmentation tests for the userspace datapath.

Signed-off-by: Darrell Ball &lt;dlu998@gmail.com&gt;
Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fragmentation handling is added for supporting conntrack.
Both v4 and v6 are supported.

After discussion with several people, I decided to not store
configuration state in the database to be more consistent with
the kernel in future, similarity with other conntrack configuration
which will not be in the database as well and overall simplicity.
Accordingly, fragmentation handling is enabled by default.

This patch enables fragmentation tests for the userspace datapath.

Signed-off-by: Darrell Ball &lt;dlu998@gmail.com&gt;
Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sparse: Make IN6_IS_ADDR_MC_LINKLOCAL and IN6_ARE_ADDR_EQUAL pickier.</title>
<updated>2018-07-11T15:28:33+00:00</updated>
<author>
<name>Ben Pfaff</name>
<email>blp@ovn.org</email>
</author>
<published>2018-07-10T16:27:18+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=0b9cf44914cbe959427124c7e24de575bac782e6'/>
<id>0b9cf44914cbe959427124c7e24de575bac782e6</id>
<content type='text'>
On GNU systems these macros work with arbitrary pointers, but the relevant
standards only require IN6_IS_ADDR_MC_LINKLOCAL to work with in6_addr (and
don't specify IN6_ARE_ADDR_EQUAL at all).  Make the "sparse"
implementations correspondingly pickier so that we catch any introduced
problems more quickly.

CC: Aaron Conole &lt;aconole@redhat.com&gt;
Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
Acked-by: Aaron Conole &lt;aconole@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
On GNU systems these macros work with arbitrary pointers, but the relevant
standards only require IN6_IS_ADDR_MC_LINKLOCAL to work with in6_addr (and
don't specify IN6_ARE_ADDR_EQUAL at all).  Make the "sparse"
implementations correspondingly pickier so that we catch any introduced
problems more quickly.

CC: Aaron Conole &lt;aconole@redhat.com&gt;
Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
Acked-by: Aaron Conole &lt;aconole@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xlate: Move tnl_neigh_snoop() to terminate_native_tunnel()</title>
<updated>2018-04-18T23:38:26+00:00</updated>
<author>
<name>Zoltan Balogh</name>
<email>zoltan.balogh.eth@gmail.com</email>
</author>
<published>2018-04-04T21:57:54+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=83c2757bd16e86f6a2d5a69e94f890087e8df294'/>
<id>83c2757bd16e86f6a2d5a69e94f890087e8df294</id>
<content type='text'>
Currently OVS snoops any ARP or ND packets in any bridge and populates
the tunnel neighbor cache with the retrieved data. For instance, when
an ARP reply originated by a tenant is received in an overlay bridge, the
ARP packet is snooped and tunnel neighbor cache is filled with tenant
address information. This is at best useless as tunnel endpoints can only
reside on an underlay bridge.

The real problem starts if different tenants on the overlay bridge have
overlapping IP addresses such that they keep overwriting each other's
pseudo tunnel neighbor entries. These frequent updates are treated as
configuration changes and trigger revalidation each time, thus causing
a lot of useless revalidation load on the system.

To keep the ARP neighbor cache clean, this patch moves tunnel neighbor
snooping from the generic function do_xlate_actions() to the specific
function terminate_native_tunnel() in compose_output_action(). Thus,
only ARP and Neighbor Advertisement packets addressing a local
tunnel endpoint (on the LOCAL port of the underlay bridge) are snooped.

In order to achieve this, IP addresses of the bridge ports are retrieved
and then stored in xbridge by calling xlate_xbridge_set(). The
destination address extracted from the ARP or Neighbor Advertisement
packet is then matched against the known xbridge addresses in
is_neighbor_reply_correct() to filter the snooped packets further.

Signed-off-by: Zoltan Balogh &lt;zoltan.balogh.eth@gmail.com&gt;
Co-authored-by: Jan Scheurich &lt;jan.scheurich@ericsson.com&gt;
Signed-off-by: Jan Scheurich &lt;jan.scheurich@ericsson.com&gt;
Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently OVS snoops any ARP or ND packets in any bridge and populates
the tunnel neighbor cache with the retrieved data. For instance, when
an ARP reply originated by a tenant is received in an overlay bridge, the
ARP packet is snooped and tunnel neighbor cache is filled with tenant
address information. This is at best useless as tunnel endpoints can only
reside on an underlay bridge.

The real problem starts if different tenants on the overlay bridge have
overlapping IP addresses such that they keep overwriting each other's
pseudo tunnel neighbor entries. These frequent updates are treated as
configuration changes and trigger revalidation each time, thus causing
a lot of useless revalidation load on the system.

To keep the ARP neighbor cache clean, this patch moves tunnel neighbor
snooping from the generic function do_xlate_actions() to the specific
function terminate_native_tunnel() in compose_output_action(). Thus,
only ARP and Neighbor Advertisement packets addressing a local
tunnel endpoint (on the LOCAL port of the underlay bridge) are snooped.

In order to achieve this, IP addresses of the bridge ports are retrieved
and then stored in xbridge by calling xlate_xbridge_set(). The
destination address extracted from the ARP or Neighbor Advertisement
packet is then matched against the known xbridge addresses in
is_neighbor_reply_correct() to filter the snooped packets further.

Signed-off-by: Zoltan Balogh &lt;zoltan.balogh.eth@gmail.com&gt;
Co-authored-by: Jan Scheurich &lt;jan.scheurich@ericsson.com&gt;
Signed-off-by: Jan Scheurich &lt;jan.scheurich@ericsson.com&gt;
Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sparse: Add guards to prevent FreeBSD-incompatible #include order.</title>
<updated>2017-12-22T20:58:02+00:00</updated>
<author>
<name>Ben Pfaff</name>
<email>blp@ovn.org</email>
</author>
<published>2017-11-06T22:42:32+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=b2befd5bb2db811ac0273bc52be158d3476a5ff7'/>
<id>b2befd5bb2db811ac0273bc52be158d3476a5ff7</id>
<content type='text'>
FreeBSD insists that &lt;sys/types.h&gt; be included before &lt;netinet/in.h&gt; and
that &lt;netinet/in.h&gt; be included before &lt;arpa/inet.h&gt;.  This adds guards to
the "sparse" headers to yield a warning if this order is violated.  This
commit also adjusts the order of many #includes to suit this requirement.

Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
Acked-by: Justin Pettit &lt;jpettit@ovn.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
FreeBSD insists that &lt;sys/types.h&gt; be included before &lt;netinet/in.h&gt; and
that &lt;netinet/in.h&gt; be included before &lt;arpa/inet.h&gt;.  This adds guards to
the "sparse" headers to yield a warning if this order is violated.  This
commit also adjusts the order of many #includes to suit this requirement.

Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
Acked-by: Justin Pettit &lt;jpettit@ovn.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Userspace Datapath: Add TFTP support.</title>
<updated>2017-08-07T18:17:42+00:00</updated>
<author>
<name>Darrell Ball</name>
<email>dlu998@gmail.com</email>
</author>
<published>2017-08-06T17:51:15+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=7be77cb0d3378a71a18b0d1d0f3513da16f071c6'/>
<id>7be77cb0d3378a71a18b0d1d0f3513da16f071c6</id>
<content type='text'>
Both ipv4 and ipv6 are supported. Also, NAT support is included.

Signed-off-by: Darrell Ball &lt;dlu998@gmail.com&gt;
Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Both ipv4 and ipv6 are supported. Also, NAT support is included.

Signed-off-by: Darrell Ball &lt;dlu998@gmail.com&gt;
Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sparse: Fix conflict between netinet/in.h and linux/in.h</title>
<updated>2016-06-08T20:39:43+00:00</updated>
<author>
<name>Daniele Di Proietto</name>
<email>diproiettod@vmware.com</email>
</author>
<published>2016-06-02T01:35:55+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=c663749d398fa1cd2ea5ad9ff96996c4356c3db6'/>
<id>c663749d398fa1cd2ea5ad9ff96996c4356c3db6</id>
<content type='text'>
linux/in.h (from linux uapi headers) carries many of the same
definitions as netinet/in.h (from glibc).

If linux/in.h is included after netinet/in.h, conflicts are avoided in
two ways:

1) linux/libc-compat.h (included by linux/in.h) detects the include
   guard of netinet/in.h and defines some macros (e.g.
   __UAPI_DEF_IN_IPPROTO) to 0.  linux/in.h avoids exporting the same
   enums if those macros are 0.

2) The two files are allowed to redefine the same macros as long as the
   values are the same.

Our include/sparse/netinet/in.h creates problems, because:

1) It uses a custom include guard
2) It uses dummy values for some macros.

This commit changes include/sparse/netinet/in.h to use the same include
guard as glibc netinet/in.h, and to use the same values for some macros.

I think this problem is present with linux headers after
a263653ed798("netfilter: don't pull include/linux/netfilter.h from netns
headers") which cause our lib/netlink-conntrack.c to include linux/in.h
after netinet/in.h.

sample output from sparse:

/usr/include/linux/in.h:29:9: warning: preprocessor token IPPROTO_IP
redefined
../include/sparse/netinet/in.h:60:9: this was the original definition
/usr/include/linux/in.h:31:9: warning: preprocessor token IPPROTO_ICMP
redefined
../include/sparse/netinet/in.h:63:9: this was the original definition
[...]
/usr/include/linux/in.h:28:3: error: bad enum definition
/usr/include/linux/in.h:28:3: error: Expected } at end of specifier
/usr/include/linux/in.h:28:3: error: got 0
/usr/include/linux/in.h:84:16: error: redefinition of struct in_addr

Signed-off-by: Daniele Di Proietto &lt;diproiettod@vmware.com&gt;
Tested-by: Joe Stringer &lt;joe@ovn.org&gt;
Acked-by: Ben Pfaff &lt;blp@ovn.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
linux/in.h (from linux uapi headers) carries many of the same
definitions as netinet/in.h (from glibc).

If linux/in.h is included after netinet/in.h, conflicts are avoided in
two ways:

1) linux/libc-compat.h (included by linux/in.h) detects the include
   guard of netinet/in.h and defines some macros (e.g.
   __UAPI_DEF_IN_IPPROTO) to 0.  linux/in.h avoids exporting the same
   enums if those macros are 0.

2) The two files are allowed to redefine the same macros as long as the
   values are the same.

Our include/sparse/netinet/in.h creates problems, because:

1) It uses a custom include guard
2) It uses dummy values for some macros.

This commit changes include/sparse/netinet/in.h to use the same include
guard as glibc netinet/in.h, and to use the same values for some macros.

I think this problem is present with linux headers after
a263653ed798("netfilter: don't pull include/linux/netfilter.h from netns
headers") which cause our lib/netlink-conntrack.c to include linux/in.h
after netinet/in.h.

sample output from sparse:

/usr/include/linux/in.h:29:9: warning: preprocessor token IPPROTO_IP
redefined
../include/sparse/netinet/in.h:60:9: this was the original definition
/usr/include/linux/in.h:31:9: warning: preprocessor token IPPROTO_ICMP
redefined
../include/sparse/netinet/in.h:63:9: this was the original definition
[...]
/usr/include/linux/in.h:28:3: error: bad enum definition
/usr/include/linux/in.h:28:3: error: Expected } at end of specifier
/usr/include/linux/in.h:28:3: error: got 0
/usr/include/linux/in.h:84:16: error: redefinition of struct in_addr

Signed-off-by: Daniele Di Proietto &lt;diproiettod@vmware.com&gt;
Tested-by: Joe Stringer &lt;joe@ovn.org&gt;
Acked-by: Ben Pfaff &lt;blp@ovn.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sparse: Define INET_ADDRSTRLEN.</title>
<updated>2015-12-16T02:00:10+00:00</updated>
<author>
<name>Ben Pfaff</name>
<email>blp@ovn.org</email>
</author>
<published>2015-12-03T02:04:35+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=1f632fff5e88abe28f9a8642c318d8927e51ea1e'/>
<id>1f632fff5e88abe28f9a8642c318d8927e51ea1e</id>
<content type='text'>
POSIX defines this but it was missing from the OVS header file definitions
for "sparse".

Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
Acked-by: Justin Pettit &lt;jpettit@ovn.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
POSIX defines this but it was missing from the OVS header file definitions
for "sparse".

Signed-off-by: Ben Pfaff &lt;blp@ovn.org&gt;
Acked-by: Justin Pettit &lt;jpettit@ovn.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Add support for connection tracking helper/ALGs.</title>
<updated>2015-10-13T22:34:16+00:00</updated>
<author>
<name>Joe Stringer</name>
<email>joestringer@nicira.com</email>
</author>
<published>2015-09-15T21:29:16+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openvswitch.git/commit/?id=d787ad39b8eb8fb9136837e1c65d0a18a1056eda'/>
<id>d787ad39b8eb8fb9136837e1c65d0a18a1056eda</id>
<content type='text'>
This patch adds support for specifying a "helper" or ALG to assist
connection tracking for protocols that consist of multiple streams.
Initially, only support for FTP is included.

Below is an example set of flows to allow FTP control connections from
port 1-&gt;2 to establish active data connections in the reverse direction:

    table=0,priority=1,action=drop
    table=0,arp,action=normal
    table=0,in_port=1,tcp,action=ct(alg=ftp,commit),2
    table=0,in_port=2,tcp,ct_state=-trk,action=ct(table=1)
    table=1,in_port=2,tcp,ct_state=+trk+est,action=1
    table=1,in_port=2,tcp,ct_state=+trk+rel,action=ct(commit),1

Signed-off-by: Joe Stringer &lt;joestringer@nicira.com&gt;
Acked-by: Jarno Rajahalme &lt;jrajahalme@nicira.com&gt;
Acked-by: Ben Pfaff &lt;blp@nicira.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch adds support for specifying a "helper" or ALG to assist
connection tracking for protocols that consist of multiple streams.
Initially, only support for FTP is included.

Below is an example set of flows to allow FTP control connections from
port 1-&gt;2 to establish active data connections in the reverse direction:

    table=0,priority=1,action=drop
    table=0,arp,action=normal
    table=0,in_port=1,tcp,action=ct(alg=ftp,commit),2
    table=0,in_port=2,tcp,ct_state=-trk,action=ct(table=1)
    table=1,in_port=2,tcp,ct_state=+trk+est,action=1
    table=1,in_port=2,tcp,ct_state=+trk+rel,action=ct(commit),1

Signed-off-by: Joe Stringer &lt;joestringer@nicira.com&gt;
Acked-by: Jarno Rajahalme &lt;jrajahalme@nicira.com&gt;
Acked-by: Ben Pfaff &lt;blp@nicira.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
