From a26ef51703333b9ab337ba13f397c28c062422fd Mon Sep 17 00:00:00 2001
From: Justin Pettit
Date: Thu, 16 Jul 2009 12:58:28 -0700
Subject: [PATCH] Add ability for the datapath to match IP address in ARPs

The ability to match the IP addresses in ARP packets allows for fine-grained control of ARP processing. Some forthcoming changes to allow in-band control to operate over L3 requires this support if we don't want to allow overly broad rules regarding ARPs to always be white-listed. Unfortunately, OpenFlow does not support this sort of processing yet, so we must treat OpenFlow ARP rules as having wildcarded those L3 fields.
---
 datapath/flow.c | 43 +++++++++++++++++++
 include/openvswitch/datapath-protocol.h | 3 +-
 lib/flow.c | 57 ++++++++++++++++++++++++-
 lib/flow.h | 1 +
 secchan/ofproto.c | 2 +-
 5 files changed, 103 insertions(+), 3 deletions(-)

diff --git a/datapath/flow.c b/datapath/flow.c
index 2ac79e70f..ae60617dd 100644
--- a/datapath/flow.c
+++ b/datapath/flow.c
@@ -18,6 +18,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -29,6 +30,27 @@
 struct kmem_cache *flow_cache;
+struct arp_eth_header
+{
+ __be16 ar_hrd; /* format of hardware address */
+ __be16 ar_pro; /* format of protocol address */
+ unsigned char ar_hln; /* length of hardware address */
+ unsigned char ar_pln; /* length of protocol address */
+ __be16 ar_op; /* ARP opcode (command) */
+
+ /* Ethernet+IPv4 specific members. */
+ unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */
+ unsigned char ar_sip[4]; /* sender IP address */
+ unsigned char ar_tha[ETH_ALEN]; /* target hardware address */
+ unsigned char ar_tip[4]; /* target IP address */
+} __attribute__((packed));
+
+static inline int arphdr_ok(struct sk_buff *skb)
+{
+ int nh_ofs = skb_network_offset(skb);
+ return pskb_may_pull(skb, nh_ofs + sizeof(struct arp_eth_header));
+}
+
 static inline int iphdr_ok(struct sk_buff *skb)
 {
 int nh_ofs = skb_network_offset(skb);
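Review bot: `arphdr_ok` and `struct arp_eth_header` carry no comment stating what the check guarantees to callers: only that the full packed Ethernet/IPv4 ARP header (`sizeof(struct arp_eth_header)`) is linear in the skb from the network header, with no validation of the hardware/protocol type or length fields, which flow_extract still has to do itself. Suggest above `arphdr_ok`: `/* Returns nonzero iff the whole Ethernet/IPv4 ARP header is linear in 'skb' from the network header; field values are not validated. */`. The kernel already provides `struct arphdr` for the fixed part of the header, so a one-line comment on why a local packed struct with byte-array address fields is defined instead (presumably to avoid misaligned 32-bit loads through the packed layout — confirm) would help the next reader; the name of the header added in the first hunk is lost in this rendering.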
@@ -266,6 +288,27 @@ int flow_extract(struct sk_buff *skb, u16 in_port, struct odp_flow_key *key)
 } else {
 retval = 1;
 }
+ } else if (key->dl_type == htons(ETH_P_ARP) && arphdr_ok(skb)) {
+ struct arp_eth_header *arp;
+
+ arp = (struct arp_eth_header *)skb_network_header(skb);
+
+ if (arp->ar_hrd == htons(1)
+ && arp->ar_pro == htons(ETH_P_IP)
+ && arp->ar_hln == ETH_ALEN
+ && arp->ar_pln == 4) {
+
+ /* We only match on the lower 8 bits of the opcode. */
+ if (ntohs(arp->ar_op) <= 0xff) {
+ key->nw_proto = ntohs(arp->ar_op);
+ }
+
+ if (key->nw_proto == ARPOP_REQUEST
+ || key->nw_proto == ARPOP_REPLY) {
+ memcpy(&key->nw_src, arp->ar_sip, sizeof(key->nw_src));
+ memcpy(&key->nw_dst, arp->ar_tip, sizeof(key->nw_dst));
+ }
+ }
 } else {
 skb_reset_transport_header(skb);
 }
diff --git a/include/openvswitch/datapath-protocol.h b/include/openvswitch/datapath-protocol.h
index 951664a45..bbc29f6d0 100644
--- a/include/openvswitch/datapath-protocol.h
+++ b/include/openvswitch/datapath-protocol.h
@@ -162,7 +162,8 @@ struct odp_flow_key {
 __be16 tp_dst; /* TCP/UDP destination port. */
 __u8 dl_src[ETH_ALEN]; /* Ethernet source address. */
 __u8 dl_dst[ETH_ALEN]; /* Ethernet destination address. */
- __u8 nw_proto; /* IP protocol. */
+ __u8 nw_proto; /* IP protocol or lower 8 bits of
+ ARP opcode. */
 __u8 reserved; /* Pad to 64 bits. */
 };
diff --git a/lib/flow.c b/lib/flow.c
index 1801d4ded..c1f6240f0 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -31,6 +31,12 @@
 #include "vlog.h"
 #define THIS_MODULE VLM_flow
+static struct arp_eth_header *
+pull_arp(struct ofpbuf *packet)
+{
+ return ofpbuf_try_pull(packet, ARP_ETH_HEADER_LEN);
+}
+
 static struct ip_header *
 pull_ip(struct ofpbuf *packet)
 {
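Review bot: The comment `/* We only match on the lower 8 bits of the opcode. */` does not describe the guard under it: an opcode above 0xff is not masked to its low byte, it is skipped, so `key->nw_proto` keeps whatever it held before (presumably 0 from a memset earlier in flow_extract, outside this hunk — confirm) and an opcode such as 0x0101 is never taken for ARPOP_REQUEST. That is the safer behaviour, so only the wording needs fixing, here, in the identical branch added to lib/flow.c's flow_extract, and in the datapath-protocol.h field comment that also says `lower 8 bits of ARP opcode`: `/* Opcodes above 0xff do not fit in nw_proto; they are left unmatched (nw_proto stays 0). */`. The literals `htons(1)` and `4` for hardware type and protocol address length would be clearer as named constants (`ARPHRD_ETHER` if the include added in the first hunk is <linux/if_arp.h>, whose name this rendering lost). Note also that an ARP packet that passes `arphdr_ok` no longer reaches `skb_reset_transport_header(skb)` in the trailing `else`, whereas before this change every non-IP packet did; whether a later consumer relies on that is not visible here. The enclosing flow_extract body starts outside the hunk.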
@@ -185,6 +191,23 @@ flow_extract(struct ofpbuf *packet, uint16_t in_port, flow_t *flow)
 retval = 1;
 }
 }
+ } else if (flow->dl_type == htons(ETH_TYPE_ARP)) {
+ const struct arp_eth_header *arp = pull_arp(&b);
+ if (arp && arp->ar_hrd == htons(1)
+ && arp->ar_pro == htons(ETH_TYPE_IP)
+ && arp->ar_hln == ETH_ADDR_LEN
+ && arp->ar_pln == 4) {
+ /* We only match on the lower 8 bits of the opcode. */
+ if (ntohs(arp->ar_op) <= 0xff) {
+ flow->nw_proto = ntohs(arp->ar_op);
+ }
+
+ if ((flow->nw_proto == ARP_OP_REQUEST)
+ || (flow->nw_proto == ARP_OP_REPLY)) {
+ flow->nw_src = arp->ar_spa;
+ flow->nw_dst = arp->ar_tpa;
+ }
+ }
 }
 }
 return retval;
@@ -212,8 +235,12 @@ flow_extract_stats(const flow_t *flow, struct ofpbuf *packet,
 stats->n_packets = 1;
 }
+/* The Open vSwitch datapath supports matching on ARP payloads, which
+ * OpenFlow does not. This function is identical to 'flow_to_match',
+ * but does not hide the datapath's ability to match on ARP. */
 void
-flow_to_match(const flow_t *flow, uint32_t wildcards, struct ofp_match *match)
+flow_to_ovs_match(const flow_t *flow, uint32_t wildcards,
+ struct ofp_match *match)
 {
 match->wildcards = htonl(wildcards);
 match->in_port = htons(flow->in_port == ODPP_LOCAL ? OFPP_LOCAL
@@ -230,6 +257,26 @@ flow_to_match(const flow_t *flow, uint32_t wildcards, struct ofp_match *match)
 match->pad = 0;
 }
+/* Extract 'flow' with 'wildcards' into the OpenFlow match structure
+ * 'match'. */
+void
+flow_to_match(const flow_t *flow, uint32_t wildcards, struct ofp_match *match)
+{
+ flow_to_ovs_match(flow, wildcards, match);
+
+ /* The datapath supports matching on an ARP's opcode and IP addresses,
+ * but OpenFlow does not. We wildcard and zero out the appropriate
+ * fields so that OpenFlow is unaware of our trickery. */
+ if (flow->dl_type == htons(ETH_TYPE_ARP)) {
+ wildcards |= (OFPFW_NW_PROTO | OFPFW_NW_SRC_ALL | OFPFW_NW_DST_ALL);
+ match->nw_src = 0;
+ match->nw_dst = 0;
+ match->nw_proto = 0;
+ }
+ match->wildcards = htonl(wildcards);
+}
+
+
 void
 flow_from_match(flow_t *flow, uint32_t *wildcards,
 const struct ofp_match *match)
@@ -237,6 +284,14 @@ flow_from_match(flow_t *flow, uint32_t *wildcards,
 if (wildcards) {
 *wildcards = ntohl(match->wildcards);
 }
+ /* The datapath supports matching on an ARP's opcode and IP addresses,
+ * but OpenFlow does not. In case the controller hasn't, we need to
+ * set the appropriate wildcard bits so that we're externally
+ * OpenFlow-compliant. */
+ if (match->dl_type == htons(ETH_TYPE_ARP)) {
+ *wildcards |= (OFPFW_NW_PROTO | OFPFW_NW_SRC_ALL | OFPFW_NW_DST_ALL);
+ }
+
 flow->nw_src = match->nw_src;
 flow->nw_dst = match->nw_dst;
 flow->in_port = (match->in_port == htons(OFPP_LOCAL) ? ODPP_LOCAL
diff --git a/lib/flow.h b/lib/flow.h
index 35415057c..cb2010996 100644
--- a/lib/flow.h
+++ b/lib/flow.h
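Review bot: Two consecutive blank lines are left after `flow_to_match`'s closing brace (`+}`, `+`, `+` before `void flow_from_match`), where the rest of this file separates functions with one. `match->wildcards` is also stored twice, once inside `flow_to_ovs_match` and again at the end of `flow_to_match`; that is harmless, but a short comment on the second store, `/* Re-store: the ARP case above may have added wildcard bits. */`, says why it is not redundant.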
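Review bot: `*wildcards |= (OFPFW_NW_PROTO | OFPFW_NW_SRC_ALL | OFPFW_NW_DST_ALL);` in flow_from_match dereferences `wildcards` unconditionally, but the three context lines just above it (`if (wildcards) { *wildcards = ntohl(match->wildcards); }`) show that callers may pass NULL, so any such caller handed an ARP match from a controller would crash on a NULL dereference. Guard the new block the same way as the existing one: `if (wildcards && match->dl_type == htons(ETH_TYPE_ARP)) {`. Since this forced wildcarding is what keeps an external ARP rule OpenFlow-compliant regardless of what the controller sent, it is worth a comment noting that the nw_* values copied into `flow` just below are still taken from the controller's match and are only neutralised by these wildcard bits. flow_from_match's body continues outside the hunk.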
@@ -36,6 +36,7 @@ int flow_extract(struct ofpbuf *, uint16_t in_port, flow_t *);
 void flow_extract_stats(const flow_t *flow, struct ofpbuf *packet,
 struct odp_flow_stats *stats);
 void flow_to_match(const flow_t *, uint32_t wildcards, struct ofp_match *);
+void flow_to_ovs_match(const flow_t *, uint32_t wildcards, struct ofp_match *);
 void flow_from_match(flow_t *, uint32_t *wildcards, const struct ofp_match *);
 char *flow_to_string(const flow_t *);
 void flow_format(struct ds *, const flow_t *);
diff --git a/secchan/ofproto.c b/secchan/ofproto.c
index c29ddfb14..e68dc494a 100644
--- a/secchan/ofproto.c
+++ b/secchan/ofproto.c
@@ -2512,7 +2512,7 @@ flow_stats_ds_cb(struct cls_rule *rule_, void *cbdata_)
 }
 query_stats(cbdata->ofproto, rule, &packet_count, &byte_count);
- flow_to_match(&rule->cr.flow, rule->cr.wc.wildcards, &match);
+ flow_to_ovs_match(&rule->cr.flow, rule->cr.wc.wildcards, &match);
 ds_put_format(results, "duration=%llds, ",
 (time_msec() - rule->created) / 1000);
-- 
2.43.0
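Review bot: The new `flow_to_ovs_match` declaration in lib/flow.h has no comment distinguishing it from `flow_to_match`, and the two differ exactly in whether the ARP opcode and IP fields the datapath matches on are exposed in the resulting ofp_match; a caller picking the wrong one either emits a non-OpenFlow match to a controller or drops the datapath's ARP fields from internal output. Suggest above the declaration: `/* Like flow_to_match(), but keeps the ARP opcode and IP fields the datapath can match on. Not OpenFlow-compliant; for internal use (e.g. flow dumps) only. */`. The secchan/ofproto.c hunk is consistent with that split, since flow_stats_ds_cb appears to feed a text results buffer rather than a controller message.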