[ovs-dev] [PATCH 1/1] datapath: add key support to CAPWAP tunnel
Valient Gough
vgough at pobox.com
Mon Jul 11 01:18:31 UTC 2011
Add tunnel key support to the CAPWAP vport. Uses the optional WSI field in the
CAPWAP header to store a 64-bit key. It can also be used without keys, in which
case it is backward compatible with the old code. Documentation about the
WSI field format is in CAPWAP.txt.
Signed-off-by: Valient Gough <vgough at pobox.com>
---
datapath/CAPWAP.txt | 80 ++++++++++++++++++
datapath/Makefile.am | 2 +-
datapath/Modules.mk | 4 +
datapath/vport-capwap.c | 209 +++++++++++++++++++++++++++++++++++++---------
lib/netdev-vport.c | 12 +--
vswitchd/vswitch.xml | 26 ++++++
6 files changed, 284 insertions(+), 49 deletions(-)
create mode 100644 datapath/CAPWAP.txt
diff --git a/datapath/CAPWAP.txt b/datapath/CAPWAP.txt
new file mode 100644
index 0000000..151ad59
--- /dev/null
+++ b/datapath/CAPWAP.txt
@@ -0,0 +1,80 @@
+
+References:
+* http://www.rfc-editor.org/rfc/rfc5415.txt
+
+
+The CAPWAP header layout is summarized as follows:
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |CAPWAP Preamble| HLEN | RID | WBID |T|F|L|W|M|K|Flags|
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Fragment ID | Frag Offset |Rsvd |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | (optional) Radio MAC Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | (optional) Wireless Specific Information |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Payload .... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+The spec defines an optional Wireless Specific Information field which can be
+used to pass arbitrary data in the encapsulation layer:
+
+ Wireless Specific Information: This optional field may be used to carry
+ per-packet information. This field is only present if the
+ 'W' bit is set. The WBID field in the CAPWAP Header is used to
+ identify the format of the WSI optional field. The HLEN field assumes
+ 4-byte alignment, and this field MUST be padded with zeroes (0x00) if it
+ is not 4-byte aligned.
+
+ The Wireless-Specific Information field uses the following format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Length | Data...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Length: The 8-bit field contains the length of the data field,
+ with a maximum size of 255.
+
+ Data: Wireless-specific information, defined by the wireless-
+ specific binding specified in the CAPWAP Header's WBID field.
+
+
+ WBID: A 5-bit field that is the wireless binding identifier. The
+ identifier will indicate the type of wireless packet associated
+ with the radio. The following values are defined:
+
+ 0 - Reserved
+ 1 - IEEE 802.11
+ 2 - Reserved
+ 3 - EPCGlobal [EPCGlobal]
+
+ When Open vSwitch uses this field, it writes the value:
+ 30 - Open vSwitch data
+
+
+Open vSwitch can make use of this field to pass additional packet routing
+information. When needed, it sets the 'W' bit to indicates the WSI field is
+added, and fills the field as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | WSI_LEN |K| Flags | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | (optional) 64bit Tunnel Key |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ K - flag bit to identify presence of a 64bit tunnel key.
+
+
+Adding WSI fields: Fields must be written and read in consitent order. New
+fields may be added, but the existing fields always come first.
+
+
+
diff --git a/datapath/Makefile.am b/datapath/Makefile.am
index e1bd3e6..fb1453c 100644
--- a/datapath/Makefile.am
+++ b/datapath/Makefile.am
@@ -3,7 +3,7 @@ if LINUX_ENABLED
SUBDIRS += linux
endif
-EXTRA_DIST = $(dist_headers) $(dist_sources)
+EXTRA_DIST = $(dist_headers) $(dist_sources) $(dist_extras)
# Suppress warnings about GNU extensions in Modules.mk files.
AUTOMAKE_OPTIONS = -Wno-portability
diff --git a/datapath/Modules.mk b/datapath/Modules.mk
index 587569f..894c41d 100644
--- a/datapath/Modules.mk
+++ b/datapath/Modules.mk
@@ -45,8 +45,12 @@ openvswitch_headers = \
vport-internal_dev.h \
vport-netdev.h
+openvswitch_extras = \
+ CAPWAP.txt
+
dist_sources = $(foreach module,$(dist_modules),$($(module)_sources))
dist_headers = $(foreach module,$(dist_modules),$($(module)_headers))
+dist_extras = $(foreach module,$(dist_modules),$($(module)_extras))
build_sources = $(foreach module,$(build_modules),$($(module)_sources))
build_headers = $(foreach module,$(build_modules),$($(module)_headers))
build_links = $(notdir $(build_sources))
diff --git a/datapath/vport-capwap.c b/datapath/vport-capwap.c
index f0bb327..c338685 100644
--- a/datapath/vport-capwap.c
+++ b/datapath/vport-capwap.c
@@ -42,21 +42,62 @@
* statically create them and we can do very fast parsing by checking all 12
* fields in one go.
*/
-#define CAPWAP_BEGIN_HLEN __cpu_to_be32(0x00100000)
-#define CAPWAP_BEGIN_WBID __cpu_to_be32(0x00000200)
#define CAPWAP_BEGIN_FRAG __cpu_to_be32(0x00000080)
-#define CAPWAP_BEGIN_LAST __cpu_to_be32(0x00000040)
+#define CAPWAP_BEGIN_FRAG_LAST __cpu_to_be32(0x00000040)
+#define CAPWAP_BEGIN_HLEN_2 __cpu_to_be32(0x00100000)
+#define CAPWAP_BEGIN_HLEN_5 __cpu_to_be32(0x00280000)
+#define CAPWAP_BEGIN_HLEN_MASK __cpu_to_be32(0x00F80000)
+
+/* Old capwap code is hard-coded to look for a WBID value of 2.
+ * When we insert WSI field, use WBID value of 30, which has been
+ * proposed for all "experimental" usage - users with no reserved WBID value
+ * of their own.
+*/
+#define CAPWAP_WBID_30 __cpu_to_be32(0x00003C00)
+#define CAPWAP_WBID_2 __cpu_to_be32(0x00000200)
+#define CAPWAP_WBID_MASK __cpu_to_be32(0x00003E00)
-#define NO_FRAG_HDR (CAPWAP_BEGIN_HLEN | CAPWAP_BEGIN_WBID)
-#define FRAG_HDR (NO_FRAG_HDR | CAPWAP_BEGIN_FRAG)
-#define FRAG_LAST_HDR (FRAG_HDR | CAPWAP_BEGIN_LAST)
+/*
+ * CAPWAP allows an optional 'Wireless Specific Information' field, which is
+ * length prefixed and can contain any data. If keys are configured for the
+ * vport, then the key will be placed in the WSI field and recovered by the
+ * receiver.
+ */
+#define CAPWAP_FLAG_WSI __cpu_to_be32(0x00000020)
+
+#define FRAG_HDR (CAPWAP_BEGIN_FRAG)
+#define FRAG_LAST_HDR (FRAG_HDR | CAPWAP_BEGIN_FRAG_LAST)
+
+/* Keyed packet, WBID 30, and length long enough to include WSI key */
+#define CAPWAP_KEYED (CAPWAP_WBID_30 | CAPWAP_FLAG_WSI | CAPWAP_BEGIN_HLEN_5)
+/* A backward-compatible packet, WBID 2 and length of 2 words (no WSI fields) */
+#define CAPWAP_WO_WSI (CAPWAP_WBID_2 | CAPWAP_BEGIN_HLEN_2)
+#define CAPWAP_COMPAT_MASK (CAPWAP_WBID_MASK | CAPWAP_BEGIN_HLEN_MASK)
struct capwaphdr {
__be32 begin;
__be16 frag_id;
+ /* low 3 bits of frag_off are reserved */
__be16 frag_off;
};
+/*
+ * We use the WSI field to hold additional tunnel data.
+ * The first eight bits store the size of the wsi data in bytes.
+ */
+struct capwaphdr_wsi {
+ u8 wsi_len;
+ u8 flags;
+ __be16 reserved_padding;
+};
+
+struct capwaphdr_wsi_key {
+ __be64 key;
+};
+
+/* Flag indicating a 64bit key is stored in WSI data field */
+#define CAPWAP_WSI_FLAG_KEY64 0x80
+
static inline struct capwaphdr *capwap_hdr(const struct sk_buff *skb)
{
return (struct capwaphdr *)(udp_hdr(skb) + 1);
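Review bot: The name and comment for `CAPWAP_WBID_2` disagree with its value. In the 32-bit `begin` word the WBID occupies bits 18-22 (mask 0x00003E00, as defined here), and 0x00000200 is bit 22, the least-significant WBID bit, so it encodes WBID 1 rather than 2; `CAPWAP_WBID_30` = 0x3C00 (11110 in those bits) is consistent with that reading, and the layout in the new CAPWAP.txt agrees. Either the legacy value is WBID 1 (802.11) and the macro should be `CAPWAP_WBID_1` with the comment "hard-coded to look for a WBID value of 1", or the old code really meant 2 and the mask should be 0x00000400 — I cannot tell which from the hunk, but as written the comment misleads the next reader. Also worth a comment on `CAPWAP_KEYED`: the receive path does not check the HLEN bits of this value, only WBID and W, so HLEN_5 is an output-side commitment rather than something parsed.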
@@ -70,7 +111,11 @@ static inline struct capwaphdr *capwap_hdr(const struct sk_buff *skb)
*/
#define FRAG_OFF_MASK (~0x7U)
-#define CAPWAP_HLEN (sizeof(struct udphdr) + sizeof(struct capwaphdr))
+/*
+ * The minimum header length. The header may be longer if the optional
+ * WSI field is used.
+ */
+#define CAPWAP_MIN_HLEN (sizeof(struct udphdr) + sizeof(struct capwaphdr))
struct frag_match {
__be32 saddr;
@@ -89,7 +134,7 @@ struct frag_skb_cb {
#define FRAG_CB(skb) ((struct frag_skb_cb *)(skb)->cb)
static struct sk_buff *fragment(struct sk_buff *, const struct vport *,
- struct dst_entry *);
+ struct dst_entry *dst, unsigned int hlen);
static void defrag_init(void);
static void defrag_exit(void);
static struct sk_buff *defrag(struct sk_buff *, bool frag_last);
@@ -117,18 +162,19 @@ static struct socket *capwap_rcv_socket;
static int capwap_hdr_len(const struct tnl_mutable_config *mutable)
{
+ int size = CAPWAP_MIN_HLEN;
+
/* CAPWAP has no checksums. */
if (mutable->flags & TNL_F_CSUM)
return -EINVAL;
- /* CAPWAP has no keys, so check that the configuration for keys is the
- * default if no key-specific attributes are used.
- */
- if ((mutable->flags & (TNL_F_IN_KEY_MATCH | TNL_F_OUT_KEY_ACTION)) !=
- (TNL_F_IN_KEY_MATCH | TNL_F_OUT_KEY_ACTION))
- return -EINVAL;
+ /* if keys are specified, then add WSI field */
+ if (mutable->out_key || (mutable->flags & TNL_F_OUT_KEY_ACTION)) {
+ size += sizeof(struct capwaphdr_wsi) +
+ sizeof(struct capwaphdr_wsi_key);
+ }
- return CAPWAP_HLEN;
+ return size;
}
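Review bot: The condition `mutable->out_key || (mutable->flags & TNL_F_OUT_KEY_ACTION)` decides whether the WSI block is reserved and is repeated verbatim in capwap_build_header(); if the two ever diverge the computed header length and the header contents disagree. Suggest one helper used in both places, `static inline bool capwap_has_key(const struct tnl_mutable_config *m) { return m->out_key || (m->flags & TNL_F_OUT_KEY_ACTION); }`. The comment `/* if keys are specified, then add WSI field */` would also be clearer as "if an out_key is configured, then add WSI field", since an in_key alone does not add the field on transmit.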
static void capwap_build_header(const struct vport *vport,
@@ -142,9 +188,31 @@ static void capwap_build_header(const struct vport *vport,
udph->dest = htons(CAPWAP_DST_PORT);
udph->check = 0;
- cwh->begin = NO_FRAG_HDR;
cwh->frag_id = 0;
cwh->frag_off = 0;
+
+ if (mutable->out_key || (mutable->flags & TNL_F_OUT_KEY_ACTION)) {
+ struct capwaphdr_wsi *wsi = (struct capwaphdr_wsi *)(cwh + 1);
+
+ cwh->begin = CAPWAP_KEYED;
+
+ /* -1 for wsi_len byte, not included in length as per spec */
+ wsi->wsi_len = sizeof(struct capwaphdr_wsi) - 1
+ + sizeof(struct capwaphdr_wsi_key);
+ wsi->flags = CAPWAP_WSI_FLAG_KEY64;
+ wsi->reserved_padding = 0;
+
+ if (mutable->out_key) {
+ struct capwaphdr_wsi_key *opt = (struct capwaphdr_wsi_key *)(wsi + 1);
+ opt->key = mutable->out_key;
+ } else {
+ /* key left intentionally blank, to be filled in
+ by capwap_update_header */
+ }
+ } else {
+ /* make packet readable by old capwap code */
+ cwh->begin = CAPWAP_WO_WSI;
+ }
}
static struct sk_buff *capwap_update_header(const struct vport *vport,
@@ -154,31 +222,88 @@ static struct sk_buff *capwap_update_header(const struct vport *vport,
{
struct udphdr *udph = udp_hdr(skb);
+ if (mutable->flags & TNL_F_OUT_KEY_ACTION) {
+ /* first field in WSI is key */
+ struct capwaphdr *cwh = (struct capwaphdr *)(udph + 1);
+ struct capwaphdr_wsi *wsi = (struct capwaphdr_wsi *)(cwh + 1);
+ struct capwaphdr_wsi_key *opt = (struct capwaphdr_wsi_key *)(wsi + 1);
+
+ opt->key = OVS_CB(skb)->tun_id;
+ }
+
udph->len = htons(skb->len - skb_transport_offset(skb));
- if (unlikely(skb->len - skb_network_offset(skb) > dst_mtu(dst)))
- skb = fragment(skb, vport, dst);
+ if (unlikely(skb->len - skb_network_offset(skb) > dst_mtu(dst))) {
+ unsigned int hlen = skb_transport_offset(skb) + capwap_hdr_len(mutable);
+ skb = fragment(skb, vport, dst, hlen);
+ }
return skb;
}
-static inline struct sk_buff *process_capwap_proto(struct sk_buff *skb)
+static int process_capwap_wsi(struct sk_buff *skb, __be64 *key)
{
struct capwaphdr *cwh = capwap_hdr(skb);
+ struct capwaphdr_wsi *wsi;
+ int min_wsi_len = sizeof(struct capwaphdr_wsi);
+ int wsi_len;
+
+ /* ensure we have at least a minimal wsi header */
+ if (unlikely(!pskb_may_pull(skb, CAPWAP_MIN_HLEN + min_wsi_len + ETH_HLEN)))
+ return 1;
+
+ /* read wsi header to find out how big it really is */
+ wsi = (struct capwaphdr_wsi *)(cwh + 1);
+ /* +1 for length byte not included in wsi_len */
+ wsi_len = 1 + (unsigned int)wsi->wsi_len;
+ if (unlikely(!pskb_may_pull(skb, CAPWAP_MIN_HLEN + wsi_len + ETH_HLEN)))
+ return 1;
+
+ /* parse wsi field */
+ if (wsi->flags & CAPWAP_WSI_FLAG_KEY64) {
+ struct capwaphdr_wsi_key *opt = (struct capwaphdr_wsi_key *)(wsi + 1);
+ if (unlikely(wsi_len <= sizeof(struct capwaphdr_wsi_key)))
+ return 1;
+
+ *key = opt->key;
+ }
- if (likely(cwh->begin == NO_FRAG_HDR))
- return skb;
- else if (cwh->begin == FRAG_HDR)
- return defrag(skb, false);
- else if (cwh->begin == FRAG_LAST_HDR)
- return defrag(skb, true);
- else {
- if (net_ratelimit())
- pr_warn("unparsable packet receive on capwap socket\n");
+ return 0;
+}
- kfree_skb(skb);
- return NULL;
+static inline struct sk_buff *process_capwap_proto(struct sk_buff *skb,
+ __be64 *key)
+{
+ struct capwaphdr *cwh = capwap_hdr(skb);
+ int hdr_len = CAPWAP_MIN_HLEN;
+
+ if ((cwh->begin & CAPWAP_WBID_MASK) != CAPWAP_WBID_30) {
+ if (unlikely((cwh->begin & CAPWAP_COMPAT_MASK) != CAPWAP_WO_WSI))
+ goto error;
+ } else if (cwh->begin & CAPWAP_FLAG_WSI) {
+ struct capwaphdr_wsi *wsi = (struct capwaphdr_wsi *)(cwh + 1);
+ hdr_len += 1 + (unsigned int)wsi->wsi_len;
+
+ if (unlikely(process_capwap_wsi(skb, key)))
+ goto error;
}
+
+ __skb_pull(skb, hdr_len);
+ skb_postpull_rcsum(skb, skb_transport_header(skb), hdr_len + ETH_HLEN);
+
+ if (likely((cwh->begin & CAPWAP_BEGIN_FRAG) == 0)) {
+ return skb;
+ } else {
+ bool last_frag = (__force bool)(cwh->begin & CAPWAP_BEGIN_FRAG_LAST);
+ return defrag(skb, last_frag);
+ }
+
+error:
+ if (net_ratelimit())
+ pr_warn("unparsable packet receive on capwap socket\n");
+
+ kfree_skb(skb);
+ return NULL;
}
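Review bot: Header pointers are held across pskb_may_pull(), which may reallocate the linear buffer: in process_capwap_wsi() `cwh` is taken before the first pull and `wsi` is derived from it after, then `wsi->flags` and `opt->key` are read after the second pull, and in process_capwap_proto() `cwh->begin` is read again for the F/L tests after process_capwap_wsi() returns — all through possibly-stale pointers. Re-derive from capwap_hdr(skb) after every successful pull, including `cwh = capwap_hdr(skb);` after the process_capwap_wsi() call. The key-presence check is also off by the WSI header size: wsi_len counts the length byte, flags and padding that precede the 8-byte key, so `wsi_len <= sizeof(struct capwaphdr_wsi_key)` admits lengths 9-11, for which the key read runs into the inner Ethernet header; the bound should be `sizeof(struct capwaphdr_wsi) + sizeof(struct capwaphdr_wsi_key)`. Note too that process_capwap_proto() reads `wsi->wsi_len` before process_capwap_wsi() has pulled anything; that is linear only because capwap_rcv() pulled ETH_HLEN bytes past the fixed header, which deserves a comment if it is to stay that way.

```c
static int process_capwap_wsi(struct sk_buff *skb, __be64 *key)
{
	struct capwaphdr_wsi *wsi;
	unsigned int wsi_len;

	/* ensure we have at least a minimal wsi header */
	if (unlikely(!pskb_may_pull(skb, CAPWAP_MIN_HLEN + sizeof(*wsi) + ETH_HLEN)))
		return 1;

	/* pskb_may_pull() may have moved skb->data; never reuse a pre-pull pointer */
	wsi = (struct capwaphdr_wsi *)(capwap_hdr(skb) + 1);
	/* +1 for length byte not included in wsi_len */
	wsi_len = 1 + (unsigned int)wsi->wsi_len;

	if (unlikely(!pskb_may_pull(skb, CAPWAP_MIN_HLEN + wsi_len + ETH_HLEN)))
		return 1;
	wsi = (struct capwaphdr_wsi *)(capwap_hdr(skb) + 1);

	if (wsi->flags & CAPWAP_WSI_FLAG_KEY64) {
		/* the key follows the 4-byte WSI header; wsi_len must cover both */
		if (unlikely(wsi_len < sizeof(*wsi) + sizeof(struct capwaphdr_wsi_key)))
			return 1;
		*key = ((struct capwaphdr_wsi_key *)(wsi + 1))->key;
	}

	return 0;
}

/* … unchanged: process_capwap_proto() up to the WSI branch … */
		if (unlikely(process_capwap_wsi(skb, key)))
			goto error;
		/* the pull inside may have reallocated the header */
		cwh = capwap_hdr(skb);
/* … unchanged: __skb_pull, fragment handling, error label … */
```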
/* Called with rcu_read_lock and BH disabled. */
@@ -187,25 +312,28 @@ static int capwap_rcv(struct sock *sk, struct sk_buff *skb)
struct vport *vport;
const struct tnl_mutable_config *mutable;
struct iphdr *iph;
+ __be64 key = 0;
- if (unlikely(!pskb_may_pull(skb, CAPWAP_HLEN + ETH_HLEN)))
+ if (unlikely(!pskb_may_pull(skb, CAPWAP_MIN_HLEN + ETH_HLEN)))
goto error;
- __skb_pull(skb, CAPWAP_HLEN);
- skb_postpull_rcsum(skb, skb_transport_header(skb), CAPWAP_HLEN + ETH_HLEN);
-
- skb = process_capwap_proto(skb);
+ skb = process_capwap_proto(skb, &key);
if (unlikely(!skb))
goto out;
iph = ip_hdr(skb);
- vport = tnl_find_port(iph->daddr, iph->saddr, 0,
- TNL_T_PROTO_CAPWAP | TNL_T_KEY_EXACT, &mutable);
+ vport = tnl_find_port(iph->daddr, iph->saddr, key,
+ TNL_T_PROTO_CAPWAP | TNL_T_KEY_EITHER, &mutable);
if (unlikely(!vport)) {
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
goto error;
}
+ if (mutable->flags & TNL_F_IN_KEY_MATCH)
+ OVS_CB(skb)->tun_id = key;
+ else
+ OVS_CB(skb)->tun_id = 0;
+
tnl_rcv(vport, skb, iph->tos);
goto out;
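Review bot: The key recovered from the wire selects the vport in tnl_find_port() and, with TNL_F_IN_KEY_MATCH, becomes tun_id for flow matching, but nothing on this path authenticates it — this file states CAPWAP has no checksums, and the WSI is plain UDP payload — so in_key is a demultiplexing selector, not an access control, and a comment above the lookup should say so: `/* key is taken unauthenticated from the packet; it selects the vport and is not proof of origin */`. A WBID-30 packet with the W bit clear, or a legacy-format packet, reaches the lookup with key 0 and so presumably can match a vport configured with in_key=flow; if that compatibility behaviour is intended it is worth stating next to `__be64 key = 0;`.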
@@ -290,10 +418,9 @@ static void copy_skb_metadata(struct sk_buff *from, struct sk_buff *to)
}
static struct sk_buff *fragment(struct sk_buff *skb, const struct vport *vport,
- struct dst_entry *dst)
+ struct dst_entry *dst, unsigned int hlen)
{
struct tnl_vport *tnl_vport = tnl_vport_priv(vport);
- unsigned int hlen = skb_transport_offset(skb) + CAPWAP_HLEN;
unsigned int headroom;
unsigned int max_frame_len = dst_mtu(dst) + skb_network_offset(skb);
struct sk_buff *result = NULL, *list_cur = NULL;
@@ -352,9 +479,9 @@ static struct sk_buff *fragment(struct sk_buff *skb, const struct vport *vport,
cwh = capwap_hdr(skb2);
if (remaining > frag_size)
- cwh->begin = FRAG_HDR;
+ cwh->begin |= FRAG_HDR;
else
- cwh->begin = FRAG_LAST_HDR;
+ cwh->begin |= FRAG_LAST_HDR;
cwh->frag_id = frag_id;
cwh->frag_off = htons(offset);
diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
index b9c1bfe..9ca636d 100644
--- a/lib/netdev-vport.c
+++ b/lib/netdev-vport.c
@@ -668,9 +668,9 @@ parse_tunnel_config(const char *name, const char *type,
|| !strcmp(node->name, "private_key")
|| !strcmp(node->name, "use_ssl_cert"))) {
/* Ignore options not used by the netdev. */
- } else if (is_gre && (!strcmp(node->name, "key") ||
- !strcmp(node->name, "in_key") ||
- !strcmp(node->name, "out_key"))) {
+ } else if (!strcmp(node->name, "key") ||
+ !strcmp(node->name, "in_key") ||
+ !strcmp(node->name, "out_key")) {
/* Handled separately below. */
} else {
VLOG_WARN("%s: unknown %s argument '%s'", name, type, node->name);
@@ -700,10 +700,8 @@ parse_tunnel_config(const char *name, const char *type,
}
}
- if (is_gre) {
- set_key(args, "in_key", ODP_TUNNEL_ATTR_IN_KEY, options);
- set_key(args, "out_key", ODP_TUNNEL_ATTR_OUT_KEY, options);
- }
+ set_key(args, "in_key", ODP_TUNNEL_ATTR_IN_KEY, options);
+ set_key(args, "out_key", ODP_TUNNEL_ATTR_OUT_KEY, options);
if (!daddr) {
VLOG_ERR("%s: %s type requires valid 'remote_ip' argument",
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index 6199938..5f74e84 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -1056,6 +1056,32 @@
Default is the system default TTL.</dd>
</dl>
<dl>
+ <dt><code>in_key</code></dt>
+ <dd>Optional. The WSI key that received packets must contain.
+ It may either be a 64-bit number (no key and a key of 0 are
+ treated as equivalent) or the word <code>flow</code>. If
+ <code>flow</code> is specified then any key will be accepted
+ and the key will be placed in the <code>tun_id</code> field
+ for matching in the flow table. The ovs-ofctl manual page
+ contains additional information about matching fields in
+ OpenFlow flows. Default is no key.</dd>
+ </dl>
+ <dl>
+ <dt><code>out_key</code></dt>
+ <dd>Optional. The WSI key to be set on outgoing packets. It may
+ either be a 64-bit number or the word <code>flow</code>. If
+ <code>flow</code> is specified then the key may be set using
+ the <code>set_tunnel</code> Nicira OpenFlow vendor extension (0
+ is used in the absence of an action). The ovs-ofctl manual
+ page contains additional information about the Nicira OpenFlow
+ vendor extensions. Default is no key.</dd>
+ </dl>
+ <dl>
+ <dt><code>key</code></dt>
+ <dd>Optional. Shorthand to set <code>in_key</code> and
+ <code>out_key</code> at the same time.</dd>
+ </dl>
+ <dl>
<dt><code>df_inherit</code></dt>
<dd>Optional. If enabled, the Don't Fragment bit will be copied
from the inner IP headers (those of the encapsulated traffic)
--
1.7.6