2 * Copyright (c) 2008, 2009 Nicira Networks.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
19 #include <arpa/inet.h>
28 #include "mac-learning.h"
31 #include "ofp-print.h"
34 #include "openflow/openflow.h"
35 #include "openvswitch/datapath-protocol.h"
37 #include "poll-loop.h"
43 #define THIS_MODULE VLM_in_band
46 /* In-band control allows a single network to be used for OpenFlow
47 * traffic and other data traffic. Refer to ovs-vswitchd.conf(5) and
48 * secchan(8) for a description of configuring in-band control.
50 * This comment is an attempt to describe how in-band control works at a
51 * wire- and implementation-level. Correctly implementing in-band
52 * control has proven difficult due to its many subtleties, and has thus
53 * gone through many iterations. Please read through and understand the
54 * reasoning behind the chosen rules before making modifications.
56 * In Open vSwitch, in-band control is implemented as "hidden" flows (in
57 * that they are not visible through OpenFlow) and at a higher priority
58 * than wildcarded flows can be setup by the controller. This is done
59 * so that the controller cannot interfere with them and possibly break
60 * connectivity with its switches. It is possible to see all flows,
61 * including in-band ones, with the ovs-appctl "bridge/dump-flows"
64 * The following rules are always enabled with the "normal" action by a
65 * switch with in-band control:
67 * a. DHCP requests sent from the local port.
68 * b. ARP replies to the local port's MAC address.
69 * c. ARP requests from the local port's MAC address.
70 * d. ARP replies to the remote side's MAC address. Note that the
71 * remote side is either the controller or the gateway to reach
73 * e. ARP requests from the remote side's MAC address. Note that
74 * like (d), the MAC is either for the controller or gateway.
75 * f. ARP replies containing the controller's IP address as a target.
76 * g. ARP requests containing the controller's IP address as a source.
77 * h. OpenFlow (6633/tcp) traffic to the controller's IP.
78 * i. OpenFlow (6633/tcp) traffic from the controller's IP.
80 * The goal of these rules is to be as narrow as possible to allow a
81 * switch to join a network and be able to communicate with a
82 * controller. As mentioned earlier, these rules have higher priority
83 * than the controller's rules, so if they are too broad, they may
84 * prevent the controller from implementing its policy. As such,
85 * in-band actively monitors some aspects of flow and packet processing
86 * so that the rules can be made more precise.
88 * In-band control monitors attempts to add flows into the datapath that
89 * could interfere with its duties. The datapath only allows exact
90 * match entries, so in-band control is able to be very precise about
91 * the flows it prevents. Flows that miss in the datapath are sent to
92 * userspace to be processed, so preventing these flows from being
93 * cached in the "fast path" does not affect correctness. The only type
94 * of flow that is currently prevented is one that would prevent DHCP
95 * replies from being seen by the local port. For example, a rule that
96 * forwarded all DHCP traffic to the controller would not be allowed,
97 * but one that forwarded to all ports (including the local port) would.
99 * As mentioned earlier, packets that miss in the datapath are sent to
100 * the userspace for processing. The userspace has its own flow table,
101 * the "classifier", so in-band checks whether any special processing
102 * is needed before the classifier is consulted. If a packet is a DHCP
103 * response to a request from the local port, the packet is forwarded to
104 * the local port, regardless of the flow table. Note that this requires
105 * L7 processing of DHCP replies to determine whether the 'chaddr' field
106 * matches the MAC address of the local port.
108 * It is interesting to note that for an L3-based in-band control
109 * mechanism, the majority of rules are devoted to ARP traffic. At first
110 * glance, some of these rules appear redundant. However, each serves an
111 * important role. First, in order to determine the MAC address of the
112 * remote side (controller or gateway) for other ARP rules, we must allow
113 * ARP traffic for our local port with rules (b) and (c). If we are
114 * between a switch and its connection to the controller, we have to
115 * allow the other switch's ARP traffic to through. This is done with
116 * rules (d) and (e), since we do not know the addresses of the other
117 * switches a priori, but do know the controller's or gateway's. Finally,
118 * if the controller is running in a local guest VM that is not reached
119 * through the local port, the switch that is connected to the VM must
120 * allow ARP traffic based on the controller's IP address, since it will
121 * not know the MAC address of the local port that is sending the traffic
122 * or the MAC address of the controller in the guest VM.
124 * With a few notable exceptions below, in-band should work in most
125 * network setups. The following are considered "supported' in the
126 * current implementation:
128 * - Locally Connected. The switch and controller are on the same
129 * subnet. This uses rules (a), (b), (c), (h), and (i).
131 * - Reached through Gateway. The switch and controller are on
132 * different subnets and must go through a gateway. This uses
133 * rules (a), (b), (c), (h), and (i).
135 * - Between Switch and Controller. This switch is between another
136 * switch and the controller, and we want to allow the other
137 * switch's traffic through. This uses rules (d), (e), (h), and
138 * (i). It uses (b) and (c) indirectly in order to know the MAC
139 * address for rules (d) and (e). Note that DHCP for the other
140 * switch will not work unless the controller explicitly lets this
141 * switch pass the traffic.
143 * - Between Switch and Gateway. This switch is between another
144 * switch and the gateway, and we want to allow the other switch's
145 * traffic through. This uses the same rules and logic as the
146 * "Between Switch and Controller" configuration described earlier.
148 * - Controller on Local VM. The controller is a guest VM on the
149 * system running in-band control. This uses rules (a), (b), (c),
152 * - Controller on Local VM with Different Networks. The controller
153 * is a guest VM on the system running in-band control, but the
154 * local port is not used to connect to the controller. For
155 * example, an IP address is configured on eth0 of the switch. The
156 * controller's VM is connected through eth1 of the switch, but an
157 * IP address has not been configured for that port on the switch.
158 * As such, the switch will use eth0 to connect to the controller,
159 * and eth1's rules about the local port will not work. In the
160 * example, the switch attached to eth0 would use rules (a), (b),
161 * (c), (h), and (i) on eth0. The switch attached to eth1 would use
162 * rules (f), (g), (h), and (i).
164 * The following are explicitly *not* supported by in-band control:
166 * - Specify Controller by Name. Currently, the controller must be
167 * identified by IP address. A naive approach would be to permit
168 * all DNS traffic. Unfortunately, this would prevent the
169 * controller from defining any policy over DNS. Since switches
170 * that are located behind us need to connect to the controller,
171 * in-band cannot simply add a rule that allows DNS traffic from
172 * the local port. The "correct" way to support this is to parse
173 * DNS requests to allow all traffic related to a request for the
174 * controller's name through. Due to the potential security
175 * problems and amount of processing, we decided to hold off for
178 * - Multiple Controllers. There is nothing intrinsic in the high-
179 * level design that prevents using multiple (known) controllers,
180 * however, the current implementation's data structures assume
183 * - Differing Controllers for Switches. All switches must know
184 * the L3 addresses for all the controllers that other switches
185 * may use, since rules need to be setup to allow traffic related
186 * to those controllers through. See rules (f), (g), (h), and (i).
188 * - Differing Routes for Switches. In order for the switch to
189 * allow other switches to connect to a controller through a
190 * gateway, it allows the gateway's traffic through with rules (d)
191 * and (e). If the routes to the controller differ for the two
192 * switches, we will not know the MAC address of the alternate
196 #define IB_BASE_PRIORITY 18181800
199 IBR_FROM_LOCAL_DHCP, /* (a) From local port, DHCP. */
200 IBR_TO_LOCAL_ARP, /* (b) To local port, ARP. */
201 IBR_FROM_LOCAL_ARP, /* (c) From local port, ARP. */
202 IBR_TO_REMOTE_ARP, /* (d) To remote MAC, ARP. */
203 IBR_FROM_REMOTE_ARP, /* (e) From remote MAC, ARP. */
204 IBR_TO_CTL_ARP, /* (f) To controller IP, ARP. */
205 IBR_FROM_CTL_ARP, /* (g) From controller IP, ARP. */
206 IBR_TO_CTL_OFP, /* (h) To controller, OpenFlow port. */
207 IBR_FROM_CTL_OFP, /* (i) From controller, OpenFlow port. */
208 #if OFP_TCP_PORT != OFP_SSL_PORT
209 #error Need to support separate TCP and SSL flows.
218 unsigned int priority;
222 struct ofproto *ofproto;
223 struct rconn *controller;
224 struct status_category *ss_cat;
226 /* Keep track of local port's information. */
227 uint8_t local_mac[ETH_ADDR_LEN]; /* Current MAC. */
228 char local_name[IF_NAMESIZE]; /* Local device name. */
229 time_t next_local_refresh;
231 /* Keep track of controller and next hop's information. */
232 uint32_t controller_ip; /* Controller IP, 0 if unknown. */
233 uint8_t remote_mac[ETH_ADDR_LEN]; /* Remote MAC. */
234 uint8_t last_remote_mac[ETH_ADDR_LEN]; /* Previous remote MAC. */
235 time_t next_remote_refresh;
237 /* Rules that we set up. */
238 struct ib_rule rules[N_IB_RULES];
241 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(60, 60);
243 static const uint8_t *
244 get_remote_mac(struct in_band *ib)
248 struct in_addr c_in4, r_in4;
250 time_t now = time_now();
252 if (now >= ib->next_remote_refresh) {
253 c_in4.s_addr = ib->controller_ip;
254 memset(ib->remote_mac, 0, sizeof ib->remote_mac);
255 retval = netdev_get_next_hop(&c_in4, &r_in4, &dev_name);
257 VLOG_WARN("cannot find route for controller ("IP_FMT"): %s",
258 IP_ARGS(&ib->controller_ip), strerror(retval));
259 ib->next_remote_refresh = now + 1;
263 r_in4.s_addr = c_in4.s_addr;
266 retval = netdev_nodev_arp_lookup(dev_name, r_in4.s_addr,
269 VLOG_DBG_RL(&rl, "cannot look up remote MAC address ("IP_FMT"): %s",
270 IP_ARGS(&r_in4.s_addr), strerror(retval));
272 have_mac = !eth_addr_is_zero(ib->remote_mac);
276 && !eth_addr_equals(ib->last_remote_mac, ib->remote_mac)) {
277 VLOG_DBG("remote MAC address changed from "ETH_ADDR_FMT" to "
279 ETH_ADDR_ARGS(ib->last_remote_mac),
280 ETH_ADDR_ARGS(ib->remote_mac));
281 memcpy(ib->last_remote_mac, ib->remote_mac, ETH_ADDR_LEN);
284 /* Schedule next refresh.
286 * If we have an IP address but not a MAC address, then refresh
287 * quickly, since we probably will get a MAC address soon (via ARP).
288 * Otherwise, we can afford to wait a little while. */
289 ib->next_remote_refresh
290 = now + (!ib->controller_ip || have_mac ? 10 : 1);
293 return !eth_addr_is_zero(ib->remote_mac) ? ib->remote_mac : NULL;
296 static const uint8_t *
297 get_local_mac(struct in_band *ib)
299 time_t now = time_now();
300 if (now >= ib->next_local_refresh) {
301 uint8_t ea[ETH_ADDR_LEN];
302 if (!netdev_nodev_get_etheraddr(ib->local_name, ea)) {
303 memcpy(ib->local_mac, ea, ETH_ADDR_LEN);
305 ib->next_local_refresh = now + 1;
307 return !eth_addr_is_zero(ib->local_mac) ? ib->local_mac : NULL;
311 in_band_status_cb(struct status_reply *sr, void *in_band_)
313 struct in_band *in_band = in_band_;
315 if (!eth_addr_is_zero(in_band->local_mac)) {
316 status_reply_put(sr, "local-mac="ETH_ADDR_FMT,
317 ETH_ADDR_ARGS(in_band->local_mac));
320 if (!eth_addr_is_zero(in_band->remote_mac)) {
321 status_reply_put(sr, "remote-mac="ETH_ADDR_FMT,
322 ETH_ADDR_ARGS(in_band->remote_mac));
327 drop_flow(struct in_band *in_band, int rule_idx)
329 struct ib_rule *rule = &in_band->rules[rule_idx];
331 if (rule->installed) {
332 rule->installed = false;
333 ofproto_delete_flow(in_band->ofproto, &rule->flow, rule->wildcards,
338 /* out_port and fixed_fields are assumed never to change. */
340 setup_flow(struct in_band *in_band, int rule_idx, const flow_t *flow,
341 uint32_t fixed_fields, uint16_t out_port)
343 struct ib_rule *rule = &in_band->rules[rule_idx];
345 if (!rule->installed || memcmp(flow, &rule->flow, sizeof *flow)) {
346 union ofp_action action;
348 drop_flow(in_band, rule_idx);
350 rule->installed = true;
352 rule->wildcards = OFPFW_ALL & ~fixed_fields;
353 rule->priority = IB_BASE_PRIORITY + (N_IB_RULES - rule_idx);
355 action.type = htons(OFPAT_OUTPUT);
356 action.output.len = htons(sizeof action);
357 action.output.port = htons(out_port);
358 action.output.max_len = htons(0);
359 ofproto_add_flow(in_band->ofproto, &rule->flow, rule->wildcards,
360 rule->priority, &action, 1, 0);
364 /* Returns true if 'packet' should be sent to the local port regardless
365 * of the flow table. */
367 in_band_msg_in_hook(struct in_band *in_band, const flow_t *flow,
368 const struct ofpbuf *packet)
374 /* Regardless of how the flow table is configured, we want to be
375 * able to see replies to our DHCP requests. */
376 if (flow->dl_type == htons(ETH_TYPE_IP)
377 && flow->nw_proto == IP_TYPE_UDP
378 && flow->tp_src == htons(DHCP_SERVER_PORT)
379 && flow->tp_dst == htons(DHCP_CLIENT_PORT)
381 struct dhcp_header *dhcp;
382 const uint8_t *local_mac;
384 dhcp = ofpbuf_at(packet, (char *)packet->l7 - (char *)packet->data,
390 local_mac = get_local_mac(in_band);
391 if (eth_addr_equals(dhcp->chaddr, local_mac)) {
399 /* Returns true if the rule that would match 'flow' with 'actions' is
400 * allowed to be set up in the datapath. */
402 in_band_rule_check(struct in_band *in_band, const flow_t *flow,
403 const struct odp_actions *actions)
409 /* Don't allow flows that would prevent DHCP replies from being seen
410 * by the local port. */
411 if (flow->dl_type == htons(ETH_TYPE_IP)
412 && flow->nw_proto == IP_TYPE_UDP
413 && flow->tp_src == htons(DHCP_SERVER_PORT)
414 && flow->tp_dst == htons(DHCP_CLIENT_PORT)) {
417 for (i=0; i<actions->n_actions; i++) {
418 if (actions->actions[i].output.type == ODPAT_OUTPUT
419 && actions->actions[i].output.port == ODPP_LOCAL) {
430 in_band_run(struct in_band *in_band)
432 time_t now = time_now();
433 uint32_t controller_ip;
434 const uint8_t *remote_mac;
435 const uint8_t *local_mac;
438 if (now < in_band->next_remote_refresh
439 && now < in_band->next_local_refresh) {
443 controller_ip = rconn_get_remote_ip(in_band->controller);
444 if (in_band->controller_ip && controller_ip != in_band->controller_ip) {
445 VLOG_DBG("controller IP address changed from "IP_FMT" to "IP_FMT,
446 IP_ARGS(&in_band->controller_ip),
447 IP_ARGS(&controller_ip));
449 in_band->controller_ip = controller_ip;
451 remote_mac = get_remote_mac(in_band);
452 local_mac = get_local_mac(in_band);
455 /* Allow DHCP requests to be sent from the local port. */
456 memset(&flow, 0, sizeof flow);
457 flow.in_port = ODPP_LOCAL;
458 flow.dl_type = htons(ETH_TYPE_IP);
459 memcpy(flow.dl_src, local_mac, ETH_ADDR_LEN);
460 flow.nw_proto = IP_TYPE_UDP;
461 flow.tp_src = htons(DHCP_CLIENT_PORT);
462 flow.tp_dst = htons(DHCP_SERVER_PORT);
463 setup_flow(in_band, IBR_FROM_LOCAL_DHCP, &flow,
464 (OFPFW_IN_PORT | OFPFW_DL_TYPE | OFPFW_DL_SRC
465 | OFPFW_NW_PROTO | OFPFW_TP_SRC | OFPFW_TP_DST),
468 /* Allow the connection's interface to receive directed ARP traffic. */
469 memset(&flow, 0, sizeof flow);
470 flow.dl_type = htons(ETH_TYPE_ARP);
471 memcpy(flow.dl_dst, local_mac, ETH_ADDR_LEN);
472 flow.nw_proto = ARP_OP_REPLY;
473 setup_flow(in_band, IBR_TO_LOCAL_ARP, &flow,
474 (OFPFW_DL_TYPE | OFPFW_DL_DST | OFPFW_NW_PROTO),
477 /* Allow the connection's interface to be the source of ARP traffic. */
478 memset(&flow, 0, sizeof flow);
479 flow.dl_type = htons(ETH_TYPE_ARP);
480 memcpy(flow.dl_src, local_mac, ETH_ADDR_LEN);
481 flow.nw_proto = ARP_OP_REQUEST;
482 setup_flow(in_band, IBR_FROM_LOCAL_ARP, &flow,
483 (OFPFW_DL_TYPE | OFPFW_DL_SRC | OFPFW_NW_PROTO),
486 drop_flow(in_band, IBR_TO_LOCAL_ARP);
487 drop_flow(in_band, IBR_FROM_LOCAL_ARP);
491 /* Allow ARP replies to the remote side's MAC. */
492 memset(&flow, 0, sizeof flow);
493 flow.dl_type = htons(ETH_TYPE_ARP);
494 memcpy(flow.dl_dst, remote_mac, ETH_ADDR_LEN);
495 flow.nw_proto = ARP_OP_REPLY;
496 setup_flow(in_band, IBR_TO_REMOTE_ARP, &flow,
497 (OFPFW_DL_TYPE | OFPFW_DL_DST | OFPFW_NW_PROTO),
500 /* Allow ARP requests from the remote side's MAC. */
501 memset(&flow, 0, sizeof flow);
502 flow.dl_type = htons(ETH_TYPE_ARP);
503 memcpy(flow.dl_src, remote_mac, ETH_ADDR_LEN);
504 flow.nw_proto = ARP_OP_REQUEST;
505 setup_flow(in_band, IBR_FROM_REMOTE_ARP, &flow,
506 (OFPFW_DL_TYPE | OFPFW_DL_SRC | OFPFW_NW_PROTO),
509 drop_flow(in_band, IBR_TO_REMOTE_ARP);
510 drop_flow(in_band, IBR_FROM_REMOTE_ARP);
514 /* Allow ARP replies to the controller's IP. */
515 memset(&flow, 0, sizeof flow);
516 flow.dl_type = htons(ETH_TYPE_ARP);
517 flow.nw_proto = ARP_OP_REPLY;
518 flow.nw_dst = controller_ip;
519 setup_flow(in_band, IBR_TO_CTL_ARP, &flow,
520 (OFPFW_DL_TYPE | OFPFW_NW_PROTO | OFPFW_NW_DST_MASK),
523 /* Allow ARP requests from the controller's IP. */
524 memset(&flow, 0, sizeof flow);
525 flow.dl_type = htons(ETH_TYPE_ARP);
526 flow.nw_proto = ARP_OP_REQUEST;
527 flow.nw_src = controller_ip;
528 setup_flow(in_band, IBR_FROM_CTL_ARP, &flow,
529 (OFPFW_DL_TYPE | OFPFW_NW_PROTO | OFPFW_NW_SRC_MASK),
532 /* OpenFlow traffic to or from the controller.
534 * (A given field's value is completely ignored if it is wildcarded,
535 * which is why we can get away with using a single 'flow' in each
537 memset(&flow, 0, sizeof flow);
538 flow.dl_type = htons(ETH_TYPE_IP);
539 flow.nw_proto = IP_TYPE_TCP;
540 flow.nw_src = controller_ip;
541 flow.nw_dst = controller_ip;
542 flow.tp_src = htons(OFP_TCP_PORT);
543 flow.tp_dst = htons(OFP_TCP_PORT);
544 setup_flow(in_band, IBR_TO_CTL_OFP, &flow,
545 (OFPFW_DL_TYPE | OFPFW_NW_PROTO | OFPFW_NW_DST_MASK
546 | OFPFW_TP_DST), OFPP_NORMAL);
547 setup_flow(in_band, IBR_FROM_CTL_OFP, &flow,
548 (OFPFW_DL_TYPE | OFPFW_NW_PROTO | OFPFW_NW_SRC_MASK
549 | OFPFW_TP_SRC), OFPP_NORMAL);
551 drop_flow(in_band, IBR_TO_CTL_ARP);
552 drop_flow(in_band, IBR_FROM_CTL_ARP);
553 drop_flow(in_band, IBR_TO_CTL_OFP);
554 drop_flow(in_band, IBR_FROM_CTL_OFP);
559 in_band_wait(struct in_band *in_band)
561 time_t now = time_now();
563 = MIN(in_band->next_remote_refresh, in_band->next_local_refresh);
565 poll_timer_wait((wakeup - now) * 1000);
567 poll_immediate_wake();
572 in_band_flushed(struct in_band *in_band)
576 for (i = 0; i < N_IB_RULES; i++) {
577 in_band->rules[i].installed = false;
582 in_band_create(struct ofproto *ofproto, struct dpif *dpif,
583 struct switch_status *ss, struct rconn *controller,
584 struct in_band **in_bandp)
586 struct in_band *in_band;
589 in_band = xcalloc(1, sizeof *in_band);
590 error = dpif_port_get_name(dpif, ODPP_LOCAL, in_band->local_name,
591 sizeof in_band->local_name);
597 in_band->ofproto = ofproto;
598 in_band->controller = controller;
599 in_band->ss_cat = switch_status_register(ss, "in-band",
600 in_band_status_cb, in_band);
601 in_band->next_remote_refresh = TIME_MIN;
602 in_band->next_local_refresh = TIME_MIN;
608 in_band_destroy(struct in_band *in_band)
611 switch_status_unregister(in_band->ss_cat);
612 /* We don't own the rconn. */
git://git.onelab.eu / sliver-openvswitch.git / blob