From: Joe Stringer
To: netdev@vger.kernel.org, Pablo Neira Ayuso
Cc: linux-kernel@vger.kernel.org, Justin Pettit, Andy Zhou, Thomas Graf, Patrick McHardy
Subject: [RFCv2 net-next 0/7] OVS conntrack support
Date: Mon, 2 Mar 2015 13:54:58 -0800
Message-Id: <1425333305-19702-1-git-send-email-joestringer@nicira.com>

The goal of this series is to allow OVS to send packets through the Linux
kernel connection tracker, and subsequently match on fields populated by
conntrack.

Sending this out as another RFC change as this is the first time IP fragment
support is included. Only IPv4 is added right now, as we'd like to get some
feedback on that approach before we implement IPv6 frag support.

Helper support is also yet to be addressed, for tracking a particular flow a
la iptables CT targets. I think this is just a matter of having userspace
specify the helper to use (e.g. via an 8-bit field in the conntrack action),
and setting up the conntrack template accordingly when OVS first installs the
flow containing a conntrack action.

There are some additional related items that I intend to work on, which I do
not see as prerequisite for this series:
- OVS Connlabel support.
- Allow OVS to register logging facilities for conntrack.
- Conntrack per-zone configuration.

The branch below has been updated with the corresponding userspace pieces:
https://github.com/justinpettit/ovs/tree/conntrack

RFCv2:
- Support IPv4 fragments
- Warn when ct->net is different from skb net in skb_has_valid_nfct().
- Set OVS_CS_F_TRACKED when a flow cannot be identified ("invalid")
- Continue processing packets when conntrack marks the flow invalid.
- Use PF_INET6 family when sending IPv6 packets to conntrack.
- Verify conn_* matches when deserializing metadata from netlink.
- Only allow conntrack action on IPv4/IPv6 packets.
- Remove explicit dependencies on conn_zone, conn_mark.
- General tidyups

RFCv1:
- Rebase to net-next.
- Add conn_zone field to the flow key.
- Add explicit dependencies on conn_zone, conn_mark.
- Refactor conntrack changes into net/openvswitch/ovs_conntrack.*.
- Don't allow set_field() actions to change conn_state, conn_zone.
- Add OVS_CS_F_* flags to indicate connection state.
- Add "invalid" connection state.

Andy Zhou (3):
  net: refactor ip_fragment()
  net: Refactor ip_defrag() APIs
  openvswitch: Support fragmented IPv4 packets for conntrack

Joe Stringer (2):
  openvswitch: Serialize acts with original netlink len
  openvswitch: Move MASKED* macros to datapath.h

Justin Pettit (2):
  openvswitch: Add conntrack action
  openvswitch: Allow matching on conntrack mark

 drivers/net/macvlan.c               |   2 +-
 include/net/ip.h                    |  13 +-
 include/uapi/linux/openvswitch.h    |  42 +++-
 net/ipv4/ip_fragment.c              |  46 ++--
 net/ipv4/ip_input.c                 |   5 +-
 net/ipv4/ip_output.c                | 113 +++++----
 net/ipv4/netfilter/nf_defrag_ipv4.c |   2 +-
 net/netfilter/ipvs/ip_vs_core.c     |   2 +-
 net/openvswitch/Kconfig             |  11 +
 net/openvswitch/Makefile            |   1 +
 net/openvswitch/actions.c           | 140 +++++++++---
 net/openvswitch/conntrack.c         | 427 +++++++++++++++++++++++++++++++++++
 net/openvswitch/conntrack.h         |  91 ++++++++
 net/openvswitch/datapath.c          |  60 +++--
 net/openvswitch/datapath.h          |  10 +
 net/openvswitch/flow.c              |   4 +
 net/openvswitch/flow.h              |   4 +
 net/openvswitch/flow_netlink.c      |  95 ++++++-
 net/openvswitch/flow_netlink.h      |   4 +-
 net/openvswitch/vport.c             |   1 +
 net/packet/af_packet.c              |   2 +-
 21 files changed, 938 insertions(+), 137 deletions(-)
 create mode 100644 net/openvswitch/conntrack.c
 create mode 100644 net/openvswitch/conntrack.h

-- 
1.7.10.4
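The cover letter describes the semantics the conntrack action gives the flow key (every packet that goes through conntrack is tracked; an unidentifiable flow is marked tracked and invalid but keeps being processed; the action is only accepted for IPv4/IPv6 flows). The following is an added user-space model of those semantics written for this page; it is not code from the patch series or from Open vSwitch. The CS_F_* bit values, the tuple and table types, and the TCP/UDP-only restriction are assumptions of this toy model, and the real OVS_CS_F_* definitions in the series' uapi header are not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical connection-state bits for this toy model. The series defines
 * its own OVS_CS_F_* flags in include/uapi/linux/openvswitch.h; those values
 * are not reproduced here.
 */
enum {
	CS_F_NEW         = 1u << 0,  /* first packet of a connection */
	CS_F_ESTABLISHED = 1u << 1,  /* traffic has been seen in both directions */
	CS_F_REPLY_DIR   = 1u << 2,  /* this packet travels in the reply direction */
	CS_F_INVALID     = 1u << 3,  /* conntrack could not identify the flow */
	CS_F_TRACKED     = 1u << 4,  /* the packet has been through conntrack */
};

/* Standard EtherType values, used for the install-time check below. */
enum { ETH_P_IP = 0x0800, ETH_P_ARP = 0x0806, ETH_P_IPV6 = 0x86DD };
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

/* Five-tuple; IPv4 addresses occupy the first four bytes of each field. */
struct tuple {
	uint8_t saddr[16], daddr[16];
	uint16_t sport, dport;
	uint8_t proto;
};

struct conn { struct tuple orig; bool seen_reply; };

#define MAX_CONNS 64
struct ct_table { struct conn conns[MAX_CONNS]; size_t n; };

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
	return a->proto == b->proto && a->sport == b->sport && a->dport == b->dport &&
	       memcmp(a->saddr, b->saddr, 16) == 0 && memcmp(a->daddr, b->daddr, 16) == 0;
}

/* Reply-direction tuple: addresses and ports swapped. */
struct tuple tuple_reverse(const struct tuple *t)
{
	struct tuple r = *t;
	memcpy(r.saddr, t->daddr, 16);
	memcpy(r.daddr, t->saddr, 16);
	r.sport = t->dport;
	r.dport = t->sport;
	return r;
}

/* Install-time validation of a flow carrying a conntrack action (RFCv2:
 * "only allow conntrack action on IPv4/IPv6 packets"). */
bool ct_action_allowed(uint16_t eth_type)
{
	return eth_type == ETH_P_IP || eth_type == ETH_P_IPV6;
}

/*
 * Run one packet through the toy tracker and return the conn_state bits the
 * flow key would carry afterwards. Every packet that reaches conntrack comes
 * back TRACKED; one whose flow cannot be identified additionally gets
 * INVALID and is handed back for further processing rather than dropped.
 */
uint8_t ct_action(struct ct_table *t, const struct tuple *pkt)
{
	uint8_t state = CS_F_TRACKED;

	/* The toy only understands TCP and UDP; anything else is "invalid". */
	if (pkt->proto != PROTO_TCP && pkt->proto != PROTO_UDP)
		return state | CS_F_INVALID;

	for (size_t i = 0; i < t->n; i++) {
		struct conn *c = &t->conns[i];
		struct tuple rev = tuple_reverse(&c->orig);

		if (tuple_eq(&c->orig, pkt))
			return state | (c->seen_reply ? CS_F_ESTABLISHED : CS_F_NEW);
		if (tuple_eq(&rev, pkt)) {
			c->seen_reply = true;  /* first reply promotes the connection */
			return state | CS_F_ESTABLISHED | CS_F_REPLY_DIR;
		}
	}

	if (t->n == MAX_CONNS)
		return state | CS_F_INVALID;  /* no room to track a new connection */

	t->conns[t->n].orig = *pkt;
	t->conns[t->n].seen_reply = false;
	t->n++;
	return state | CS_F_NEW;
}
```

The point the model makes is that "invalid" is not the absence of conntrack state: the packet still carries TRACKED, so a later match on conn_state can distinguish "never sent to conntrack" from "sent, but unrecognised", which is what the RFCv2 change to set OVS_CS_F_TRACKED on invalid flows provides.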