[ovs-dev] [PATCHv3 3/3] tunnel: set skb mark for IPsec tunnel packets

Ansis Atteka aatteka at nicira.com
Fri Feb 15 18:53:15 UTC 2013


On Fri, Feb 15, 2013 at 10:42 AM, Ansis Atteka <aatteka at nicira.com> wrote:
> The new ovs-monitor-ipsec implementation will use skb marks in
> IPsec policies. This patch will configure datapath to use these
> skb marks for IPsec tunnel packets.
>
> Issue: 14870
> Signed-off-by: Ansis Atteka <aatteka at nicira.com>
> ---
>  lib/odp-util.c         |   12 ++++++++++--
>  lib/odp-util.h         |    2 ++
>  ofproto/ofproto-dpif.c |    1 +
>  ofproto/tunnel.c       |    9 ++++++++-
>  ofproto/tunnel.h       |    1 +
>  5 files changed, 22 insertions(+), 3 deletions(-)
>
> diff --git a/lib/odp-util.c b/lib/odp-util.c
> index 7e48981..f74b031 100644
> --- a/lib/odp-util.c
> +++ b/lib/odp-util.c
> @@ -2049,6 +2049,15 @@ odp_put_tunnel_action(const struct flow_tnl *tunnel,
>      tun_key_to_attr(odp_actions, tunnel);
>      nl_msg_end_nested(odp_actions, offset);
>  }
> +
> +void
> +odp_put_skb_mark_action(const uint32_t skb_mark,
> +                        struct ofpbuf *odp_actions)
> +{
> +    size_t offset = nl_msg_start_nested(odp_actions, OVS_ACTION_ATTR_SET);
> +    nl_msg_put_u32(odp_actions, OVS_KEY_ATTR_SKB_MARK, skb_mark);
> +    nl_msg_end_nested(odp_actions, offset);
> +}
>
>  /* The commit_odp_actions() function and its helpers. */
>
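Review bot: `odp_put_skb_mark_action()` is added without a comment, and its `const uint32_t skb_mark` parameter carries a by-value `const` that means nothing to callers; the prototype in the `lib/odp-util.h` hunk has the same spelling. I would declare it as `void odp_put_skb_mark_action(uint32_t skb_mark, struct ofpbuf *odp_actions);`. Above the definition I would add `/* Appends to 'odp_actions' a set action that changes the packet's skb mark to 'skb_mark'. */`.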
> @@ -2255,8 +2264,7 @@ commit_set_skb_mark_action(const struct flow *flow, struct flow *base,
>      }
>      base->skb_mark = flow->skb_mark;
>
> -    commit_set_action(odp_actions, OVS_KEY_ATTR_SKB_MARK,
> -                      &base->skb_mark, sizeof(base->skb_mark));
> +    odp_put_skb_mark_action(base->skb_mark, odp_actions);
>  }
>  /* If any of the flow key data that ODP actions can modify are different in
>   * 'base' and 'flow', appends ODP actions to 'odp_actions' that change the flow
> diff --git a/lib/odp-util.h b/lib/odp-util.h
> index ccf6c2a..ff87bf1 100644
> --- a/lib/odp-util.h
> +++ b/lib/odp-util.h
> @@ -156,6 +156,8 @@ size_t odp_put_userspace_action(uint32_t pid,
>                                  struct ofpbuf *odp_actions);
>  void odp_put_tunnel_action(const struct flow_tnl *tunnel,
>                             struct ofpbuf *odp_actions);
> +void odp_put_skb_mark_action(const uint32_t skb_mark,
> +                             struct ofpbuf *odp_actions);
>
>  /* Reasons why a subfacet might not be fast-pathable. */
>  enum slow_path_reason {
> diff --git a/ofproto/ofproto-dpif.c b/ofproto/ofproto-dpif.c
> index b1ec3fb..8191f81 100644
> --- a/ofproto/ofproto-dpif.c
> +++ b/ofproto/ofproto-dpif.c
> @@ -5521,6 +5521,7 @@ send_packet(const struct ofport_dpif *ofport, struct ofpbuf *packet)
>          dpif_flow_stats_extract(&flow, packet, time_msec(), &stats);
>          netdev_vport_inc_tx(ofport->up.netdev, &stats);
>          odp_put_tunnel_action(&flow.tunnel, &odp_actions);
> +        odp_put_skb_mark_action(flow.skb_mark, &odp_actions);
>      } else {
>          odp_port = vsp_realdev_to_vlandev(ofproto, ofport->odp_port,
>                                            flow.vlan_tci);
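Review bot: The added `odp_put_skb_mark_action(flow.skb_mark, &odp_actions);` runs for every tunnel port, so a non-IPsec tunnel also gets a set-mark action with value 0. Where `flow.skb_mark` is assigned is outside this hunk. If it comes from `tnl_port_send()`, as the `ofproto/tunnel.c` hunk suggests, a one-line comment saying so would help, because for an IPsec port this action is presumably what lets the IPsec policy select the packet. If the zero case is not needed, consider `if (flow.skb_mark) { odp_put_skb_mark_action(flow.skb_mark, &odp_actions); }`. The enclosing `if` branch starts above the hunk.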
> diff --git a/ofproto/tunnel.c b/ofproto/tunnel.c
> index 5a4607e..7d45930 100644
> --- a/ofproto/tunnel.c
> +++ b/ofproto/tunnel.c
> @@ -34,18 +34,21 @@
>   *
>   * Ability to generate actions on input for ECN
>   * Ability to generate metadata for packet-outs
> - * IPsec using skb mark.
>   * VXLAN.
>   * Multicast group management (possibly).
>   * Disallow netdevs with names like "gre64_system" to prevent collisions. */
>
>  VLOG_DEFINE_THIS_MODULE(tunnel);
>
> +/* skb mark used for IPsec tunnel packets */
> +#define IPSEC_MARK 1
> +
>  struct tnl_match {
>      ovs_be64 in_key;
>      ovs_be32 ip_src;
>      ovs_be32 ip_dst;
>      uint32_t odp_port;
> +    uint32_t skb_mark;
>      bool in_key_flow;
>  };
>
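Review bot: `IPSEC_MARK` hard-codes mark value 1, and the later hunks assign and compare the whole 32-bit mark (`match.skb_mark = flow->skb_mark` in `tnl_port_receive()`), so anything else on the host that writes skb marks can collide with it. A packet carrying some other mark would match neither the IPsec port nor the plain port, and a mark of 1 set by something other than the IPsec policy would be accepted as IPsec traffic. Whether either can happen depends on host configuration that is not visible here. The comment should state the contract, e.g. `/* skb mark used for IPsec tunnel packets.  Must agree with the mark in the IPsec policies installed by ovs-monitor-ipsec; no other component on the host may set it. */`.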
> @@ -94,6 +97,7 @@ tnl_port_add__(const struct ofport *ofport, uint32_t odp_port,
>      tnl_port->match.in_key = cfg->in_key;
>      tnl_port->match.ip_src = cfg->ip_src;
>      tnl_port->match.ip_dst = cfg->ip_dst;
> +    tnl_port->match.skb_mark = cfg->ipsec ? IPSEC_MARK : 0;
>      tnl_port->match.in_key_flow = cfg->in_key_flow;
>      tnl_port->match.odp_port = odp_port;
>
> @@ -183,6 +187,7 @@ tnl_port_receive(struct flow *flow)
>      match.ip_src = flow->tunnel.ip_dst;
>      match.ip_dst = flow->tunnel.ip_src;
>      match.in_key = flow->tunnel.tun_id;
> +    match.skb_mark = flow->skb_mark;
>
>      tnl_port = tnl_find(&match);
>      if (!tnl_port) {
> @@ -248,6 +253,7 @@ tnl_port_send(const struct tnl_port *tnl_port, struct flow *flow)
>
>      flow->tunnel.ip_src = tnl_port->match.ip_src;
>      flow->tunnel.ip_dst = tnl_port->match.ip_dst;
> +    flow->skb_mark = tnl_port->match.skb_mark;
>
>      if (!cfg->out_key_flow) {
>          flow->tunnel.tun_id = cfg->out_key;
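Review bot: `flow->skb_mark = tnl_port->match.skb_mark;` overwrites whatever mark the flow carried and leaves the new value in `flow`. Nothing in this hunk restores it, so if the caller emits further outputs from the same `flow`, they would inherit the tunnel's mark or lose their own. The commit message says the IPsec policies key on this mark, so a packet sent on an IPsec port without it would presumably leave unencrypted. I would add `/* IPsec policies select on this mark; it must reach the datapath for every packet sent on an IPsec port. */` above the assignment. Please confirm that the caller saves and restores `flow->skb_mark` around this call; that code is outside the hunk.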
> @@ -393,6 +399,7 @@ tnl_match_fmt(const struct tnl_match *match, struct ds *ds)
>      }
>
>      ds_put_format(ds, ", dp port=%"PRIu32, match->odp_port);
> +    ds_put_format(ds, ", skb mark=%"PRIu32, match->skb_mark);
>  }
>
>  static void
> diff --git a/ofproto/tunnel.h b/ofproto/tunnel.h
> index acb69a8..d46238c 100644
> --- a/ofproto/tunnel.h
> +++ b/ofproto/tunnel.h
> @@ -25,6 +25,7 @@
>   * These functions emulate tunnel virtual ports based on the outer
>   * header information from the kernel. */
>
> +
I somehow forgot to remove this blank line before sending out the
patch.  I have already removed it locally.
>  struct ofport;
>  struct tnl_port;
>
> --
> 1.7.9.5
>


