[ovs-dev] [PATCH ovn 3/5] actions: Add a new OVN action - reject {}.
numans at ovn.org
numans at ovn.org
Mon Oct 5 17:49:25 UTC 2020
From: Numan Siddique <numans at ovn.org>
This action is similar to tcp_reset and icmp4/icmp6 action. If the matching
packet is an IPv4 of IPv6 TCP packet, it sends out TCP RST packet else it
sends out ICMPv4 or ICMPv6 Destination unreachable packet.
A future patch will make use of this action for reject ACL.
Signed-off-by: Numan Siddique <numans at ovn.org>
---
controller/pinctrl.c | 17 +++++++++++++++++
include/ovn/actions.h | 9 ++++++++-
lib/actions.c | 22 ++++++++++++++++++++++
ovn-sb.xml | 10 ++++++++++
tests/ovn.at | 12 ++++++++++++
utilities/ovn-trace.c | 22 ++++++++++++++++++++++
6 files changed, 91 insertions(+), 1 deletion(-)
diff --git a/controller/pinctrl.c b/controller/pinctrl.c
index 0a7020533b..631d058458 100644
--- a/controller/pinctrl.c
+++ b/controller/pinctrl.c
@@ -1670,6 +1670,18 @@ pinctrl_handle_tcp_reset(struct rconn *swconn, const struct flow *ip_flow,
dp_packet_uninit(&packet);
}
+static void
+pinctrl_handle_reject(struct rconn *swconn, const struct flow *ip_flow,
+ struct dp_packet *pkt_in,
+ const struct match *md, struct ofpbuf *userdata)
+{
+ if (ip_flow->nw_proto == IPPROTO_TCP) {
+ pinctrl_handle_tcp_reset(swconn, ip_flow, pkt_in, md, userdata);
+ } else {
+ pinctrl_handle_icmp(swconn, ip_flow, pkt_in, md, userdata, true);
+ }
+}
+
static bool
is_dhcp_flags_broadcast(ovs_be16 flags)
{
@@ -2787,6 +2799,11 @@ process_packet_in(struct rconn *swconn, const struct ofp_header *msg)
&userdata);
break;
+ case ACTION_OPCODE_REJECT:
+ pinctrl_handle_reject(swconn, &headers, &packet, &pin.flow_metadata,
+ &userdata);
+ break;
+
case ACTION_OPCODE_PUT_ICMP4_FRAG_MTU:
case ACTION_OPCODE_PUT_ICMP6_FRAG_MTU:
pinctrl_handle_put_icmp_frag_mtu(swconn, &headers, &packet, &pin,
diff --git a/include/ovn/actions.h b/include/ovn/actions.h
index 636cb4bc1a..b4e5acabb9 100644
--- a/include/ovn/actions.h
+++ b/include/ovn/actions.h
@@ -95,7 +95,8 @@ struct ovn_extend_table;
OVNACT(HANDLE_SVC_CHECK, ovnact_handle_svc_check) \
OVNACT(FWD_GROUP, ovnact_fwd_group) \
OVNACT(DHCP6_REPLY, ovnact_null) \
- OVNACT(ICMP6_ERROR, ovnact_nest)
+ OVNACT(ICMP6_ERROR, ovnact_nest) \
+ OVNACT(REJECT, ovnact_nest) \
/* enum ovnact_type, with a member OVNACT_<ENUM> for each action. */
enum OVS_PACKED_ENUM ovnact_type {
@@ -605,6 +606,12 @@ enum action_opcode {
/* MTU value (to put in the icmp6 header field - frag_mtu) follow the
* action header. */
ACTION_OPCODE_PUT_ICMP6_FRAG_MTU,
+
+ /* "reject { ...actions... }".
+ *
+ * The actions, in OpenFlow 1.3 format, follow the action_header.
+ */
+ ACTION_OPCODE_REJECT,
};
/* Header. */
diff --git a/lib/actions.c b/lib/actions.c
index 5fe0a3897e..1e1bdeff24 100644
--- a/lib/actions.c
+++ b/lib/actions.c
@@ -1386,6 +1386,12 @@ parse_CLONE(struct action_context *ctx)
parse_nested_action(ctx, OVNACT_CLONE, NULL, WR_DEFAULT);
}
+static void
+parse_REJECT(struct action_context *ctx)
+{
+ parse_nested_action(ctx, OVNACT_REJECT, NULL, ctx->scope);
+}
+
static void
format_nested_action(const struct ovnact_nest *on, const char *name,
struct ds *s)
@@ -1479,6 +1485,12 @@ format_TRIGGER_EVENT(const struct ovnact_controller_event *event,
ds_put_cstr(s, ");");
}
+static void
+format_REJECT(const struct ovnact_nest *nest, struct ds *s)
+{
+ format_nested_action(nest, "reject", s);
+}
+
static void
encode_nested_actions(const struct ovnact_nest *on,
const struct ovnact_encode_params *ep,
@@ -1560,6 +1572,14 @@ encode_TCP_RESET(const struct ovnact_nest *on,
encode_nested_actions(on, ep, ACTION_OPCODE_TCP_RESET, ofpacts);
}
+static void
+encode_REJECT(const struct ovnact_nest *on,
+ const struct ovnact_encode_params *ep,
+ struct ofpbuf *ofpacts)
+{
+ encode_nested_actions(on, ep, ACTION_OPCODE_REJECT, ofpacts);
+}
+
static void
encode_ND_NA(const struct ovnact_nest *on,
const struct ovnact_encode_params *ep,
@@ -3567,6 +3587,8 @@ parse_action(struct action_context *ctx)
parse_fwd_group_action(ctx);
} else if (lexer_match_id(ctx->lexer, "handle_dhcpv6_reply")) {
ovnact_put_DHCP6_REPLY(ctx->ovnacts);
+ } else if (lexer_match_id(ctx->lexer, "reject")) {
+ parse_REJECT(ctx);
} else {
lexer_syntax_error(ctx->lexer, "expecting action");
}
diff --git a/ovn-sb.xml b/ovn-sb.xml
index 59888a1553..2fc84f54ee 100644
--- a/ovn-sb.xml
+++ b/ovn-sb.xml
@@ -2191,6 +2191,16 @@ tcp.flags = RST;
<p><b>Prerequisite:</b> <code>tcp</code></p>
</dd>
+ <dt><code>reject { <var>action</var>; </code>...<code> };</code></dt>
+ <dd>
+ <p>
+ If the original packet is IPv4 or IPv6 TCP packet, it replaces it
+ with IPv4 or IPv6 TCP RST packet and executes the inner actions.
+ Otherwise it replaces it with an ICMPv4 or ICMPv6 packet and
+ executes the inner actions.
+ </p>
+ </dd>
+
<dt><code>trigger_event;</code></dt>
<dd>
<p>
diff --git a/tests/ovn.at b/tests/ovn.at
index 7769b69ed0..d849425f00 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -1593,6 +1593,18 @@ tcp_reset { };
encodes as controller(userdata=00.00.00.0b.00.00.00.00)
has prereqs tcp
+# reject
+reject { eth.dst = ff:ff:ff:ff:ff:ff; output; }; output;
+ encodes as controller(userdata=00.00.00.16.00.00.00.00.00.19.00.10.80.00.06.06.ff.ff.ff.ff.ff.ff.00.00.ff.ff.00.10.00.00.23.20.00.0e.ff.f8.40.00.00.00),resubmit(,64)
+
+reject { eth.dst <-> eth.src; ip4.src <-> ip4.dst; output; };
+ encodes as controller(userdata=00.00.00.16.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1b.00.00.00.00.04.06.00.30.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1b.00.00.00.00.02.06.00.30.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1c.00.00.00.00.04.06.00.30.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1c.00.00.00.00.02.06.00.30.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1b.00.00.00.00.10.04.00.20.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1b.00.00.00.00.0e.04.00.20.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1c.00.00.00.00.10.04.00.20.00.00.00.00.00.00.ff.ff.00.18.00.00.23.20.00.1c.00.00.00.00.0e.04.00.20.00.00.00.00.00.00.ff.ff.00.10.00.00.23.20.00.0e.ff.f8.40.00.00.00)
+ has prereqs eth.type == 0x800 && eth.type == 0x800
+
+reject { };
+ formats as reject { drop; };
+ encodes as controller(userdata=00.00.00.16.00.00.00.00)
+
# trigger_event
trigger_event(event = "empty_lb_backends", vip = "10.0.0.1:80", protocol = "tcp", load_balancer = "12345678-abcd-9876-fedc-11119f8e7d6c");
encodes as controller(userdata=00.00.00.0f.00.00.00.00.00.00.00.00.00.01.00.0b.31.30.2e.30.2e.30.2e.31.3a.38.30.00.02.00.03.74.63.70.00.03.00.24.31.32.33.34.35.36.37.38.2d.61.62.63.64.2d.39.38.37.36.2d.66.65.64.63.2d.31.31.31.31.39.66.38.65.37.64.36.63)
diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c
index 0920ae1599..38aee6081b 100644
--- a/utilities/ovn-trace.c
+++ b/utilities/ovn-trace.c
@@ -1711,6 +1711,23 @@ execute_tcp_reset(const struct ovnact_nest *on,
table_id, pipeline, &node->subs);
}
+static void
+execute_reject(const struct ovnact_nest *on,
+ const struct ovntrace_datapath *dp,
+ const struct flow *uflow, uint8_t table_id,
+ enum ovnact_pipeline pipeline, struct ovs_list *super)
+{
+ if (uflow->nw_proto == IPPROTO_TCP) {
+ execute_tcp_reset(on, dp, uflow, table_id, pipeline, super);
+ } else {
+ if (get_dl_type(uflow) == htons(ETH_TYPE_IP)) {
+ execute_icmp4(on, dp, uflow, table_id, pipeline, super);
+ } else {
+ execute_icmp6(on, dp, uflow, table_id, pipeline, super);
+ }
+ }
+}
+
static void
execute_get_mac_bind(const struct ovnact_get_mac_bind *bind,
const struct ovntrace_datapath *dp,
@@ -2347,6 +2364,11 @@ trace_actions(const struct ovnact *ovnacts, size_t ovnacts_len,
execute_ovnfield_load(ovnact_get_OVNFIELD_LOAD(a), super);
break;
+ case OVNACT_REJECT:
+ execute_reject(ovnact_get_REJECT(a), dp, uflow, table_id,
+ pipeline, super);
+ break;
+
case OVNACT_TRIGGER_EVENT:
break;
--
2.26.2
More information about the dev
mailing list