[ovs-dev] [PATCH] netdev-vport: Add Stateless TCP Tunneling protocol
Pravin B Shelar
pshelar at nicira.com
Tue Jan 20 20:26:43 UTC 2015
From: Jesse Gross <jesse at nicira.com>
Add an STT netdev-vport so that vswitchd can create STT vports in the kernel
datapath.
Signed-off-by: Jesse Gross <jesse at nicira.com>
Signed-off-by: Pravin B Shelar <pshelar at nicira.com>
---
Datapath patches are posted on netdev mailing list. Once those
patches are reviewed they will be backported to external ovs repo.
---
NEWS | 1 +
datapath/linux/compat/include/linux/openvswitch.h | 1 +
lib/dpif-netlink.c | 5 ++++
lib/netdev-vport.c | 13 ++++++++---
ofproto/ofproto-dpif-ipfix.c | 20 ++++++++++++----
vswitchd/vswitch.xml | 28 +++++++++++++++++------
6 files changed, 54 insertions(+), 14 deletions(-)
diff --git a/NEWS b/NEWS
index 0a54820..70f61dd 100644
--- a/NEWS
+++ b/NEWS
@@ -61,6 +61,7 @@ Post-v2.3.0
- The documentation now use the term 'destination' to mean one of syslog,
console or file for vlog logging instead of the previously used term
'facility'.
+ - Added support for STT.
v2.3.0 - 14 Aug 2014
diff --git a/datapath/linux/compat/include/linux/openvswitch.h b/datapath/linux/compat/include/linux/openvswitch.h
index a59e109..097ba67 100644
--- a/datapath/linux/compat/include/linux/openvswitch.h
+++ b/datapath/linux/compat/include/linux/openvswitch.h
@@ -227,6 +227,7 @@ enum ovs_vport_type {
OVS_VPORT_TYPE_GRE, /* GRE tunnel. */
OVS_VPORT_TYPE_VXLAN, /* VXLAN tunnel. */
OVS_VPORT_TYPE_GENEVE, /* Geneve tunnel. */
+ OVS_VPORT_TYPE_STT, /* STT tunnel. */
OVS_VPORT_TYPE_GRE64 = 104, /* GRE tunnel with 64-bit keys */
OVS_VPORT_TYPE_LISP = 105, /* LISP tunnel */
__OVS_VPORT_TYPE_MAX
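Review bot: `OVS_VPORT_TYPE_STT` at L39 is added with an implicit value (one past `OVS_VPORT_TYPE_GENEVE`) in a header that is shared with the kernel datapath, while the cover letter says the datapath side is still under review on netdev. If the upstream uapi header ends up assigning STT a different number, vswitchd would request a vport of the wrong type with no compile-time or runtime signal. Pinning the value explicitly, as the `GRE64`/`LISP` entries already do, and noting in the comment that it must track the upstream `openvswitch.h`, e.g. `OVS_VPORT_TYPE_STT = N, /* STT tunnel; must match upstream uapi. */`, would make any divergence visible at review time. The enum body continues outside the hunk.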
diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
index a9d60f7..b5ee11b 100644
--- a/lib/dpif-netlink.c
+++ b/lib/dpif-netlink.c
@@ -767,6 +767,9 @@ get_vport_type(const struct dpif_netlink_vport *vport)
case OVS_VPORT_TYPE_LISP:
return "lisp";
+ case OVS_VPORT_TYPE_STT:
+ return "stt";
+
case OVS_VPORT_TYPE_UNSPEC:
case __OVS_VPORT_TYPE_MAX:
break;
@@ -786,6 +789,8 @@ netdev_to_ovs_vport_type(const struct netdev *netdev)
return OVS_VPORT_TYPE_NETDEV;
} else if (!strcmp(type, "internal")) {
return OVS_VPORT_TYPE_INTERNAL;
+ } else if (strstr(type, "stt")) {
+ return OVS_VPORT_TYPE_STT;
} else if (!strcmp(type, "geneve")) {
return OVS_VPORT_TYPE_GENEVE;
} else if (strstr(type, "gre64")) {
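Review bot: The new branch at L60 classifies by substring, `strstr(type, "stt")`, and is placed ahead of the exact-match checks, so any future type whose name merely contains "stt" would be silently mapped to `OVS_VPORT_TYPE_STT`. The intent appears to be to cover both `stt` and `ipsec_stt` (mirroring the `gre64` branch below), and spelling that out as `} else if (!strcmp(type, "stt") || !strcmp(type, "ipsec_stt")) {` gives the same result for the two types this patch registers without the open-ended match. netdev_to_ovs_vport_type continues beyond the hunk.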
diff --git a/lib/netdev-vport.c b/lib/netdev-vport.c
index 91acabb..629e53f 100644
--- a/lib/netdev-vport.c
+++ b/lib/netdev-vport.c
@@ -55,6 +55,7 @@ static struct vlog_rate_limit err_rl = VLOG_RATE_LIMIT_INIT(60, 5);
#define GENEVE_DST_PORT 6081
#define VXLAN_DST_PORT 4789
#define LISP_DST_PORT 4341
+#define STT_DST_PORT 7471
#define VXLAN_HLEN (sizeof(struct eth_header) + \
sizeof(struct ip_header) + \
@@ -153,7 +154,7 @@ netdev_vport_needs_dst_port(const struct netdev *dev)
return (class->get_config == get_tunnel_config &&
(!strcmp("geneve", type) || !strcmp("vxlan", type) ||
- !strcmp("lisp", type)));
+ !strcmp("lisp", type) || !strcmp("stt", type)) );
}
const char *
@@ -426,7 +427,7 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args)
struct netdev_tunnel_config tnl_cfg;
struct smap_node *node;
- has_csum = strstr(type, "gre");
+ has_csum = strstr(type, "gre") || strstr(type, "stt");
ipsec_mech_set = false;
memset(&tnl_cfg, 0, sizeof tnl_cfg);
@@ -443,6 +444,10 @@ set_tunnel_config(struct netdev *dev_, const struct smap *args)
tnl_cfg.dst_port = htons(LISP_DST_PORT);
}
+ if (!strcmp(type, "stt")) {
+ tnl_cfg.dst_port = htons(STT_DST_PORT);
+ }
+
needs_dst_port = netdev_vport_needs_dst_port(dev_);
tnl_cfg.ipsec = strstr(type, "ipsec");
tnl_cfg.dont_fragment = true;
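Review bot: The default port at L93-L95 is applied only when `type` is exactly "stt", whereas `has_csum` in the previous hunk (L87) uses `strstr(type, "stt")` and `netdev_vport_needs_dst_port` (L80) also matches only the bare "stt", so an `ipsec_stt` interface gets checksum handling but no `dst_port`. Whether that leaves the IPsec variant on a kernel-side default or makes vport creation fail depends on the datapath, which is not visible here, but the inconsistency between the two matching styles looks unintended. If `ipsec_stt` is meant to share port 7471, `if (strstr(type, "stt")) { tnl_cfg.dst_port = htons(STT_DST_PORT); }` together with the corresponding change in `netdev_vport_needs_dst_port` would make the two variants behave alike. set_tunnel_config continues outside the hunk.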
@@ -1295,7 +1300,9 @@ netdev_vport_tunnel_register(void)
TUNNEL_CLASS("vxlan", "vxlan_sys", netdev_vxlan_build_header,
netdev_vxlan_push_header,
netdev_vxlan_pop_header),
- TUNNEL_CLASS("lisp", "lisp_sys", NULL, NULL, NULL)
+ TUNNEL_CLASS("lisp", "lisp_sys", NULL, NULL, NULL),
+ TUNNEL_CLASS("stt", "stt_sys", NULL, NULL, NULL),
+ TUNNEL_CLASS("ipsec_stt", "stt_sys", NULL, NULL, NULL),
};
static struct ovsthread_once once = OVSTHREAD_ONCE_INITIALIZER;
diff --git a/ofproto/ofproto-dpif-ipfix.c b/ofproto/ofproto-dpif-ipfix.c
index 3ba6dce..65d42c4 100644
--- a/ofproto/ofproto-dpif-ipfix.c
+++ b/ofproto/ofproto-dpif-ipfix.c
@@ -47,8 +47,8 @@ static struct ovs_mutex mutex = OVS_MUTEX_INITIALIZER;
* used to indicate the type of tunnel (0x01 = VxLAN, 0x02 = GRE) and the three
* least significant bytes hold the value of the layer 2 overlay network
* segment identifier: a 24-bit VxLAN tunnel's VNI or a 24-bit GRE tunnel's
- * TNI. This is not compatible with GRE-64, as implemented in OVS, as its
- * tunnel IDs are 64-bit.
+ * TNI. This is not compatible with GRE-64 or STT, as implemented in OVS, as
+ * their tunnel IDs are 64-bit.
*
* Two new enterprise information elements are defined which are similar to
* laryerSegmentId but support 64-bit IDs:
@@ -63,7 +63,9 @@ enum dpif_ipfix_tunnel_type {
DPIF_IPFIX_TUNNEL_VXLAN = 0x01,
DPIF_IPFIX_TUNNEL_GRE = 0x02,
DPIF_IPFIX_TUNNEL_LISP = 0x03,
+ DPIF_IPFIX_TUNNEL_STTv0 = 0x04,
DPIF_IPFIX_TUNNEL_IPSEC_GRE = 0x05,
+ DPIF_IPFIX_TUNNEL_IPSEC_STTv0 = 0x06,
DPIF_IPFIX_TUNNEL_GENEVE = 0x07,
NUM_DPIF_IPFIX_TUNNEL
};
@@ -298,9 +300,9 @@ static uint8_t tunnel_protocol[NUM_DPIF_IPFIX_TUNNEL] = {
IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_VXLAN */
IPPROTO_GRE, /* DPIF_IPFIX_TUNNEL_GRE */
IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_LISP*/
- 0 , /* reserved */
+ IPPROTO_TCP, /* DPIF_IPFIX_TUNNEL_STT*/
IPPROTO_GRE, /* DPIF_IPFIX_TUNNEL_IPSEC_GRE */
- 0 , /* reserved */
+ IPPROTO_TCP, /* DPIF_IPFIX_TUNNEL_IPSEC_STTv0*/
IPPROTO_UDP, /* DPIF_IPFIX_TUNNEL_GENEVE*/
};
@@ -352,6 +354,7 @@ BUILD_ASSERT_DECL(sizeof(struct ipfix_data_record_aggregated_ip) == 32);
* VxLAN: 24-bit VIN,
* GRE: 32- or 64-bit key,
* LISP: 24-bit instance ID
+ * STT: 64-bit key
*/
#define MAX_TUNNEL_KEY_LEN 8
@@ -606,6 +609,12 @@ dpif_ipfix_add_tunnel_port(struct dpif_ipfix *di, struct ofport *ofport,
} else if (strcmp(type, "geneve") == 0) {
dip->tunnel_type = DPIF_IPFIX_TUNNEL_GENEVE;
dip->tunnel_key_length = 3;
+ } else if (strcmp(type, "stt") == 0) {
+ dip->tunnel_type = DPIF_IPFIX_TUNNEL_STTv0;
+ dip->tunnel_key_length = 8;
+ } else if (strcmp(type, "ipsec_stt") == 0) {
+ dip->tunnel_type = DPIF_IPFIX_TUNNEL_IPSEC_STTv0;
+ dip->tunnel_key_length = 8;
} else {
free(dip);
goto out;
@@ -1518,6 +1527,9 @@ ipfix_cache_entry_init(struct ipfix_flow_cache_entry *entry,
* E.g:
* The protocol identifier of DPIF_IPFIX_TUNNEL_IPSEC_GRE is IPPROTO_GRE,
* and both tp_src and tp_dst are zero.
+ * The protocol identifier of the DPIF_IPFIX_TUNNEL_IPSEC_STTv0 is
+ * IPPROTO_TCP, which is the protocol identifier STT, and the tp_src
+ * and tp_dat are the exact TCP ports.
*/
data_tunnel->tunnel_protocol_identifier =
tunnel_protocol[tunnel_port->tunnel_type];
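Review bot: The added comment has two typos: `tp_dat` on L172 should be `tp_dst`, and "the protocol identifier STT" on L171 reads as if a word is missing. Suggested wording: `* The protocol identifier of DPIF_IPFIX_TUNNEL_IPSEC_STTv0 is IPPROTO_TCP, which is the protocol identifier of STT, and tp_src and tp_dst are the actual TCP ports.` ipfix_cache_entry_init continues on both sides of the hunk.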
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index 37a33a6..7533330 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -1723,6 +1723,19 @@
</p>
</dd>
+ <dt><code>stt</code></dt>
+ <dd>
+ The Stateless TCP Tunnel (STT) protocol encapsulates traffic in
+ IPv4/TCP packets. All traffic uses a destination port of 7471.
+ The STT protocol does not engage in the usual TCP 3-way handshake,
+ so it will have difficulty traversing stateful firewalls.
+ </dd>
+
+ <dt><code>ipsec_stt</code></dt>
+ <dd>
+ A Stateless TCP Tunnel encapsulated over an IPsec tunnel.
+ </dd>
+
<dt><code>patch</code></dt>
<dd>
A pair of virtual devices that act as a patch cable.
@@ -1740,7 +1753,7 @@
These options apply to interfaces with <ref column="type"/> of
<code>geneve</code>, <code>gre</code>, <code>ipsec_gre</code>,
<code>gre64</code>, <code>ipsec_gre64</code>, <code>vxlan</code>,
- and <code>lisp</code>.
+ <code>lisp</code>, <code>stt</code>, and <code>ipsec_stt</code>.
</p>
<p>
@@ -1829,8 +1842,8 @@
</li>
<li>
A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit (for GRE)
- or 64-bit (for GRE64) number. The tunnel receives only packets
- with the specified key.
+ or 64-bit (for GRE64 and STT) number. The tunnel receives only
+ packets with the specified key.
</li>
<li>
The word <code>flow</code>. The tunnel accepts packets with any
@@ -1856,8 +1869,8 @@
</li>
<li>
A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit (for GRE) or
- 64-bit (for GRE64) number. Packets sent through the tunnel will
- have the specified key.
+ 64-bit (for GRE64 and STT) number. Packets sent through the tunnel
+ will have the specified key.
</li>
<li>
The word <code>flow</code>. Packets sent through the tunnel will
@@ -1925,9 +1938,10 @@
</column>
</group>
- <group title="Tunnel Options: ipsec_gre only">
+ <group title="Tunnel Options: ipsec_gre and ipsec_stt only">
<p>
- Only <code>ipsec_gre</code> interfaces support these options.
+ Only <code>ipsec_gre</code> and <code>ipsec_stt</code> interfaces
+ support these options.
</p>
<column name="options" key="peer_cert">
--
1.9.1