1 /* Copyright (c) 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License. */
17 #include "ofproto/ofproto-dpif-xlate.h"
23 #include "byte-order.h"
28 #include "dynamic-string.h"
32 #include "mac-learning.h"
33 #include "meta-flow.h"
34 #include "multipath.h"
35 #include "netdev-vport.h"
38 #include "odp-execute.h"
39 #include "ofp-actions.h"
40 #include "ofproto/ofproto-dpif-ipfix.h"
41 #include "ofproto/ofproto-dpif-sflow.h"
42 #include "ofproto/ofproto-dpif.h"
46 COVERAGE_DEFINE(ofproto_dpif_xlate);
48 VLOG_DEFINE_THIS_MODULE(ofproto_dpif_xlate);
50 /* Maximum depth of flow table recursion (due to resubmit actions) in a
51 * flow translation. */
52 #define MAX_RESUBMIT_RECURSION 64
56 struct xlate_out *xout;
58 struct ofproto_dpif *ofproto;
60 /* Flow at the last commit. */
61 struct flow base_flow;
63 /* Tunnel IP destination address as received. This is stored separately
64 * as the base_flow.tunnel is cleared on init to reflect the datapath
65 * behavior. Used to make sure not to send tunneled output to ourselves,
66 * which might lead to an infinite loop. This could happen easily
67 * if a tunnel is marked as 'ip_remote=flow', and the flow does not
68 * actually set the tun_dst field. */
69 ovs_be32 orig_tunnel_ip_dst;
71 /* Stack for the push and pop actions. Each stack element is of type
72 * "union mf_subvalue". */
73 union mf_subvalue init_stack[1024 / sizeof(union mf_subvalue)];
76 /* The rule that we are currently translating, or NULL. */
77 struct rule_dpif *rule;
79 int recurse; /* Recursion level, via xlate_table_action. */
80 bool max_resubmit_trigger; /* Recursed too deeply during translation. */
81 uint32_t orig_skb_priority; /* Priority when packet arrived. */
82 uint8_t table_id; /* OpenFlow table ID where flow was found. */
83 uint32_t sflow_n_outputs; /* Number of output ports. */
84 odp_port_t sflow_odp_port; /* Output port for composing sFlow action. */
85 uint16_t user_cookie_offset;/* Used for user_action_cookie fixup. */
86 bool exit; /* No further actions should be processed. */
89 /* A controller may use OFPP_NONE as the ingress port to indicate that
90 * it did not arrive on a "real" port. 'ofpp_none_bundle' exists for
91 * when an input bundle is needed for validation (e.g., mirroring or
92 * OFPP_NORMAL processing). It is not connected to an 'ofproto' or have
93 * any 'port' structs, so care must be taken when dealing with it. */
94 static struct ofbundle ofpp_none_bundle = {
96 .vlan_mode = PORT_VLAN_TRUNK
99 static bool may_receive(const struct ofport_dpif *, struct xlate_ctx *);
100 static void do_xlate_actions(const struct ofpact *, size_t ofpacts_len,
102 static void xlate_normal(struct xlate_ctx *);
103 static void xlate_report(struct xlate_ctx *, const char *);
104 static void xlate_table_action(struct xlate_ctx *, ofp_port_t in_port,
105 uint8_t table_id, bool may_packet_in);
106 static bool input_vid_is_valid(uint16_t vid, struct ofbundle *, bool warn);
107 static uint16_t input_vid_to_vlan(const struct ofbundle *, uint16_t vid);
108 static void output_normal(struct xlate_ctx *, const struct ofbundle *,
110 static void compose_output_action(struct xlate_ctx *, ofp_port_t ofp_port);
112 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
115 ofbundle_trunks_vlan(const struct ofbundle *bundle, uint16_t vlan)
117 return (bundle->vlan_mode != PORT_VLAN_ACCESS
118 && (!bundle->trunks || bitmap_is_set(bundle->trunks, vlan)));
122 ofbundle_includes_vlan(const struct ofbundle *bundle, uint16_t vlan)
124 return vlan == bundle->vlan || ofbundle_trunks_vlan(bundle, vlan);
128 vlan_is_mirrored(const struct ofmirror *m, int vlan)
130 return !m->vlans || bitmap_is_set(m->vlans, vlan);
133 static struct ofbundle *
134 lookup_input_bundle(const struct ofproto_dpif *ofproto, ofp_port_t in_port,
135 bool warn, struct ofport_dpif **in_ofportp)
137 struct ofport_dpif *ofport;
139 /* Find the port and bundle for the received packet. */
140 ofport = get_ofp_port(ofproto, in_port);
142 *in_ofportp = ofport;
144 if (ofport && ofport->bundle) {
145 return ofport->bundle;
148 /* Special-case OFPP_NONE, which a controller may use as the ingress
149 * port for traffic that it is sourcing. */
150 if (in_port == OFPP_NONE) {
151 return &ofpp_none_bundle;
154 /* Odd. A few possible reasons here:
156 * - We deleted a port but there are still a few packets queued up
159 * - Someone externally added a port (e.g. "ovs-dpctl add-if") that
160 * we don't know about.
162 * - The ofproto client didn't configure the port as part of a bundle.
163 * This is particularly likely to happen if a packet was received on the
164 * port after it was created, but before the client had a chance to
165 * configure its bundle.
168 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
170 VLOG_WARN_RL(&rl, "bridge %s: received packet on unknown "
171 "port %"PRIu16, ofproto->up.name, in_port);
177 add_mirror_actions(struct xlate_ctx *ctx, const struct flow *orig_flow)
179 struct ofproto_dpif *ofproto = ctx->ofproto;
180 mirror_mask_t mirrors;
181 struct ofbundle *in_bundle;
184 const struct nlattr *a;
187 in_bundle = lookup_input_bundle(ctx->ofproto, orig_flow->in_port.ofp_port,
188 ctx->xin->packet != NULL, NULL);
192 mirrors = in_bundle->src_mirrors;
194 /* Drop frames on bundles reserved for mirroring. */
195 if (in_bundle->mirror_out) {
196 if (ctx->xin->packet != NULL) {
197 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
198 VLOG_WARN_RL(&rl, "bridge %s: dropping packet received on port "
199 "%s, which is reserved exclusively for mirroring",
200 ctx->ofproto->up.name, in_bundle->name);
206 vid = vlan_tci_to_vid(orig_flow->vlan_tci);
207 if (!input_vid_is_valid(vid, in_bundle, ctx->xin->packet != NULL)) {
210 vlan = input_vid_to_vlan(in_bundle, vid);
212 /* Look at the output ports to check for destination selections. */
214 NL_ATTR_FOR_EACH (a, left, ctx->xout->odp_actions.data,
215 ctx->xout->odp_actions.size) {
216 enum ovs_action_attr type = nl_attr_type(a);
217 struct ofport_dpif *ofport;
219 if (type != OVS_ACTION_ATTR_OUTPUT) {
223 ofport = get_odp_port(ofproto, nl_attr_get_odp_port(a));
224 if (ofport && ofport->bundle) {
225 mirrors |= ofport->bundle->dst_mirrors;
233 /* Restore the original packet before adding the mirror actions. */
234 ctx->xin->flow = *orig_flow;
239 m = ofproto->mirrors[mirror_mask_ffs(mirrors) - 1];
242 ctx->xout->wc.masks.vlan_tci |= htons(VLAN_CFI | VLAN_VID_MASK);
245 if (!vlan_is_mirrored(m, vlan)) {
246 mirrors = zero_rightmost_1bit(mirrors);
250 mirrors &= ~m->dup_mirrors;
251 ctx->xout->mirrors |= m->dup_mirrors;
253 output_normal(ctx, m->out, vlan);
254 } else if (vlan != m->out_vlan
255 && !eth_addr_is_reserved(orig_flow->dl_dst)) {
256 struct ofbundle *bundle;
258 HMAP_FOR_EACH (bundle, hmap_node, &ofproto->bundles) {
259 if (ofbundle_includes_vlan(bundle, m->out_vlan)
260 && !bundle->mirror_out) {
261 output_normal(ctx, bundle, m->out_vlan);
268 /* Given 'vid', the VID obtained from the 802.1Q header that was received as
269 * part of a packet (specify 0 if there was no 802.1Q header), and 'in_bundle',
270 * the bundle on which the packet was received, returns the VLAN to which the
273 * Both 'vid' and the return value are in the range 0...4095. */
275 input_vid_to_vlan(const struct ofbundle *in_bundle, uint16_t vid)
277 switch (in_bundle->vlan_mode) {
278 case PORT_VLAN_ACCESS:
279 return in_bundle->vlan;
282 case PORT_VLAN_TRUNK:
285 case PORT_VLAN_NATIVE_UNTAGGED:
286 case PORT_VLAN_NATIVE_TAGGED:
287 return vid ? vid : in_bundle->vlan;
294 /* Checks whether a packet with the given 'vid' may ingress on 'in_bundle'.
295 * If so, returns true. Otherwise, returns false and, if 'warn' is true, logs
298 * 'vid' should be the VID obtained from the 802.1Q header that was received as
299 * part of a packet (specify 0 if there was no 802.1Q header), in the range
302 input_vid_is_valid(uint16_t vid, struct ofbundle *in_bundle, bool warn)
304 /* Allow any VID on the OFPP_NONE port. */
305 if (in_bundle == &ofpp_none_bundle) {
309 switch (in_bundle->vlan_mode) {
310 case PORT_VLAN_ACCESS:
313 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
314 VLOG_WARN_RL(&rl, "bridge %s: dropping VLAN %"PRIu16" tagged "
315 "packet received on port %s configured as VLAN "
316 "%"PRIu16" access port",
317 in_bundle->ofproto->up.name, vid,
318 in_bundle->name, in_bundle->vlan);
324 case PORT_VLAN_NATIVE_UNTAGGED:
325 case PORT_VLAN_NATIVE_TAGGED:
327 /* Port must always carry its native VLAN. */
331 case PORT_VLAN_TRUNK:
332 if (!ofbundle_includes_vlan(in_bundle, vid)) {
334 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
335 VLOG_WARN_RL(&rl, "bridge %s: dropping VLAN %"PRIu16" packet "
336 "received on port %s not configured for trunking "
338 in_bundle->ofproto->up.name, vid,
339 in_bundle->name, vid);
351 /* Given 'vlan', the VLAN that a packet belongs to, and
352 * 'out_bundle', a bundle on which the packet is to be output, returns the VID
353 * that should be included in the 802.1Q header. (If the return value is 0,
354 * then the 802.1Q header should only be included in the packet if there is a
357 * Both 'vlan' and the return value are in the range 0...4095. */
359 output_vlan_to_vid(const struct ofbundle *out_bundle, uint16_t vlan)
361 switch (out_bundle->vlan_mode) {
362 case PORT_VLAN_ACCESS:
365 case PORT_VLAN_TRUNK:
366 case PORT_VLAN_NATIVE_TAGGED:
369 case PORT_VLAN_NATIVE_UNTAGGED:
370 return vlan == out_bundle->vlan ? 0 : vlan;
378 output_normal(struct xlate_ctx *ctx, const struct ofbundle *out_bundle,
381 ovs_be16 *flow_tci = &ctx->xin->flow.vlan_tci;
382 struct ofport_dpif *port;
384 ovs_be16 tci, old_tci;
386 vid = output_vlan_to_vid(out_bundle, vlan);
387 if (!out_bundle->bond) {
388 port = ofbundle_get_a_port(out_bundle);
390 port = bond_choose_output_slave(out_bundle->bond, &ctx->xin->flow,
391 &ctx->xout->wc, vid, &ctx->xout->tags);
393 /* No slaves enabled, so drop packet. */
400 if (tci || out_bundle->use_priority_tags) {
401 tci |= *flow_tci & htons(VLAN_PCP_MASK);
403 tci |= htons(VLAN_CFI);
408 compose_output_action(ctx, port->up.ofp_port);
412 /* A VM broadcasts a gratuitous ARP to indicate that it has resumed after
413 * migration. Older Citrix-patched Linux DomU used gratuitous ARP replies to
414 * indicate this; newer upstream kernels use gratuitous ARP requests. */
416 is_gratuitous_arp(const struct flow *flow, struct flow_wildcards *wc)
418 if (flow->dl_type != htons(ETH_TYPE_ARP)) {
422 memset(&wc->masks.dl_dst, 0xff, sizeof wc->masks.dl_dst);
423 if (!eth_addr_is_broadcast(flow->dl_dst)) {
427 memset(&wc->masks.nw_proto, 0xff, sizeof wc->masks.nw_proto);
428 if (flow->nw_proto == ARP_OP_REPLY) {
430 } else if (flow->nw_proto == ARP_OP_REQUEST) {
431 memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src);
432 memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst);
434 return flow->nw_src == flow->nw_dst;
441 update_learning_table(struct ofproto_dpif *ofproto,
442 const struct flow *flow, struct flow_wildcards *wc,
443 int vlan, struct ofbundle *in_bundle)
445 struct mac_entry *mac;
447 /* Don't learn the OFPP_NONE port. */
448 if (in_bundle == &ofpp_none_bundle) {
452 if (!mac_learning_may_learn(ofproto->ml, flow->dl_src, vlan)) {
456 mac = mac_learning_insert(ofproto->ml, flow->dl_src, vlan);
457 if (is_gratuitous_arp(flow, wc)) {
458 /* We don't want to learn from gratuitous ARP packets that are
459 * reflected back over bond slaves so we lock the learning table. */
460 if (!in_bundle->bond) {
461 mac_entry_set_grat_arp_lock(mac);
462 } else if (mac_entry_is_grat_arp_locked(mac)) {
467 if (mac_entry_is_new(mac) || mac->port.p != in_bundle) {
468 /* The log messages here could actually be useful in debugging,
469 * so keep the rate limit relatively high. */
470 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(30, 300);
471 VLOG_DBG_RL(&rl, "bridge %s: learned that "ETH_ADDR_FMT" is "
472 "on port %s in VLAN %d",
473 ofproto->up.name, ETH_ADDR_ARGS(flow->dl_src),
474 in_bundle->name, vlan);
476 mac->port.p = in_bundle;
477 mac_learning_changed(ofproto->ml, mac);
481 /* Determines whether packets in 'flow' within 'ofproto' should be forwarded or
482 * dropped. Returns true if they may be forwarded, false if they should be
485 * 'in_port' must be the ofport_dpif that corresponds to flow->in_port.
486 * 'in_port' must be part of a bundle (e.g. in_port->bundle must be nonnull).
488 * 'vlan' must be the VLAN that corresponds to flow->vlan_tci on 'in_port', as
489 * returned by input_vid_to_vlan(). It must be a valid VLAN for 'in_port', as
490 * checked by input_vid_is_valid().
492 * May also add tags to '*tags', although the current implementation only does
493 * so in one special case.
496 is_admissible(struct xlate_ctx *ctx, struct ofport_dpif *in_port,
499 struct ofproto_dpif *ofproto = ctx->ofproto;
500 struct flow *flow = &ctx->xin->flow;
501 struct ofbundle *in_bundle = in_port->bundle;
503 /* Drop frames for reserved multicast addresses
504 * only if forward_bpdu option is absent. */
505 if (!ofproto->up.forward_bpdu && eth_addr_is_reserved(flow->dl_dst)) {
506 xlate_report(ctx, "packet has reserved destination MAC, dropping");
510 if (in_bundle->bond) {
511 struct mac_entry *mac;
513 switch (bond_check_admissibility(in_bundle->bond, in_port,
514 flow->dl_dst, &ctx->xout->tags)) {
519 xlate_report(ctx, "bonding refused admissibility, dropping");
522 case BV_DROP_IF_MOVED:
523 mac = mac_learning_lookup(ofproto->ml, flow->dl_src, vlan, NULL);
524 if (mac && mac->port.p != in_bundle &&
525 (!is_gratuitous_arp(flow, &ctx->xout->wc)
526 || mac_entry_is_grat_arp_locked(mac))) {
527 xlate_report(ctx, "SLB bond thinks this packet looped back, "
539 xlate_normal(struct xlate_ctx *ctx)
541 struct flow_wildcards *wc = &ctx->xout->wc;
542 struct flow *flow = &ctx->xin->flow;
543 struct ofport_dpif *in_port;
544 struct ofbundle *in_bundle;
545 struct mac_entry *mac;
549 ctx->xout->has_normal = true;
551 /* Check the dl_type, since we may check for gratuituous ARP. */
552 memset(&wc->masks.dl_src, 0xff, sizeof wc->masks.dl_src);
553 memset(&wc->masks.dl_dst, 0xff, sizeof wc->masks.dl_dst);
554 wc->masks.vlan_tci |= htons(VLAN_VID_MASK | VLAN_CFI);
556 in_bundle = lookup_input_bundle(ctx->ofproto, flow->in_port.ofp_port,
557 ctx->xin->packet != NULL, &in_port);
559 xlate_report(ctx, "no input bundle, dropping");
563 /* Drop malformed frames. */
564 if (flow->dl_type == htons(ETH_TYPE_VLAN) &&
565 !(flow->vlan_tci & htons(VLAN_CFI))) {
566 if (ctx->xin->packet != NULL) {
567 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
568 VLOG_WARN_RL(&rl, "bridge %s: dropping packet with partial "
569 "VLAN tag received on port %s",
570 ctx->ofproto->up.name, in_bundle->name);
572 xlate_report(ctx, "partial VLAN tag, dropping");
576 /* Drop frames on bundles reserved for mirroring. */
577 if (in_bundle->mirror_out) {
578 if (ctx->xin->packet != NULL) {
579 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
580 VLOG_WARN_RL(&rl, "bridge %s: dropping packet received on port "
581 "%s, which is reserved exclusively for mirroring",
582 ctx->ofproto->up.name, in_bundle->name);
584 xlate_report(ctx, "input port is mirror output port, dropping");
589 vid = vlan_tci_to_vid(flow->vlan_tci);
590 if (!input_vid_is_valid(vid, in_bundle, ctx->xin->packet != NULL)) {
591 xlate_report(ctx, "disallowed VLAN VID for this input port, dropping");
594 vlan = input_vid_to_vlan(in_bundle, vid);
596 /* Check other admissibility requirements. */
597 if (in_port && !is_admissible(ctx, in_port, vlan)) {
601 /* Learn source MAC. */
602 if (ctx->xin->may_learn) {
603 update_learning_table(ctx->ofproto, flow, wc, vlan, in_bundle);
606 /* Determine output bundle. */
607 mac = mac_learning_lookup(ctx->ofproto->ml, flow->dl_dst, vlan,
610 if (mac->port.p != in_bundle) {
611 xlate_report(ctx, "forwarding to learned port");
612 output_normal(ctx, mac->port.p, vlan);
614 xlate_report(ctx, "learned port is input port, dropping");
617 struct ofbundle *bundle;
619 xlate_report(ctx, "no learned MAC for destination, flooding");
620 HMAP_FOR_EACH (bundle, hmap_node, &ctx->ofproto->bundles) {
621 if (bundle != in_bundle
622 && ofbundle_includes_vlan(bundle, vlan)
624 && !bundle->mirror_out) {
625 output_normal(ctx, bundle, vlan);
628 ctx->xout->nf_output_iface = NF_OUT_FLOOD;
632 /* Compose SAMPLE action for sFlow or IPFIX. The given probability is
633 * the number of packets out of UINT32_MAX to sample. The given
634 * cookie is passed back in the callback for each sampled packet.
637 compose_sample_action(const struct ofproto_dpif *ofproto,
638 struct ofpbuf *odp_actions,
639 const struct flow *flow,
640 const uint32_t probability,
641 const union user_action_cookie *cookie,
642 const size_t cookie_size)
644 size_t sample_offset, actions_offset;
647 sample_offset = nl_msg_start_nested(odp_actions, OVS_ACTION_ATTR_SAMPLE);
649 nl_msg_put_u32(odp_actions, OVS_SAMPLE_ATTR_PROBABILITY, probability);
651 actions_offset = nl_msg_start_nested(odp_actions, OVS_SAMPLE_ATTR_ACTIONS);
652 cookie_offset = put_userspace_action(ofproto, odp_actions, flow, cookie,
655 nl_msg_end_nested(odp_actions, actions_offset);
656 nl_msg_end_nested(odp_actions, sample_offset);
657 return cookie_offset;
661 compose_sflow_cookie(const struct ofproto_dpif *ofproto,
662 ovs_be16 vlan_tci, odp_port_t odp_port,
663 unsigned int n_outputs, union user_action_cookie *cookie)
667 cookie->type = USER_ACTION_COOKIE_SFLOW;
668 cookie->sflow.vlan_tci = vlan_tci;
670 /* See http://www.sflow.org/sflow_version_5.txt (search for "Input/output
671 * port information") for the interpretation of cookie->output. */
674 /* 0x40000000 | 256 means "packet dropped for unknown reason". */
675 cookie->sflow.output = 0x40000000 | 256;
679 ifindex = dpif_sflow_odp_port_to_ifindex(ofproto->sflow, odp_port);
681 cookie->sflow.output = ifindex;
686 /* 0x80000000 means "multiple output ports. */
687 cookie->sflow.output = 0x80000000 | n_outputs;
692 /* Compose SAMPLE action for sFlow bridge sampling. */
694 compose_sflow_action(const struct ofproto_dpif *ofproto,
695 struct ofpbuf *odp_actions,
696 const struct flow *flow,
699 uint32_t probability;
700 union user_action_cookie cookie;
702 if (!ofproto->sflow || flow->in_port.ofp_port == OFPP_NONE) {
706 probability = dpif_sflow_get_probability(ofproto->sflow);
707 compose_sflow_cookie(ofproto, htons(0), odp_port,
708 odp_port == ODPP_NONE ? 0 : 1, &cookie);
710 return compose_sample_action(ofproto, odp_actions, flow, probability,
711 &cookie, sizeof cookie.sflow);
715 compose_flow_sample_cookie(uint16_t probability, uint32_t collector_set_id,
716 uint32_t obs_domain_id, uint32_t obs_point_id,
717 union user_action_cookie *cookie)
719 cookie->type = USER_ACTION_COOKIE_FLOW_SAMPLE;
720 cookie->flow_sample.probability = probability;
721 cookie->flow_sample.collector_set_id = collector_set_id;
722 cookie->flow_sample.obs_domain_id = obs_domain_id;
723 cookie->flow_sample.obs_point_id = obs_point_id;
727 compose_ipfix_cookie(union user_action_cookie *cookie)
729 cookie->type = USER_ACTION_COOKIE_IPFIX;
732 /* Compose SAMPLE action for IPFIX bridge sampling. */
734 compose_ipfix_action(const struct ofproto_dpif *ofproto,
735 struct ofpbuf *odp_actions,
736 const struct flow *flow)
738 uint32_t probability;
739 union user_action_cookie cookie;
741 if (!ofproto->ipfix || flow->in_port.ofp_port == OFPP_NONE) {
745 probability = dpif_ipfix_get_bridge_exporter_probability(ofproto->ipfix);
746 compose_ipfix_cookie(&cookie);
748 compose_sample_action(ofproto, odp_actions, flow, probability,
749 &cookie, sizeof cookie.ipfix);
752 /* SAMPLE action for sFlow must be first action in any given list of
753 * actions. At this point we do not have all information required to
754 * build it. So try to build sample action as complete as possible. */
756 add_sflow_action(struct xlate_ctx *ctx)
758 ctx->user_cookie_offset = compose_sflow_action(ctx->ofproto,
759 &ctx->xout->odp_actions,
760 &ctx->xin->flow, ODPP_NONE);
761 ctx->sflow_odp_port = 0;
762 ctx->sflow_n_outputs = 0;
765 /* SAMPLE action for IPFIX must be 1st or 2nd action in any given list
766 * of actions, eventually after the SAMPLE action for sFlow. */
768 add_ipfix_action(struct xlate_ctx *ctx)
770 compose_ipfix_action(ctx->ofproto, &ctx->xout->odp_actions,
774 /* Fix SAMPLE action according to data collected while composing ODP actions.
775 * We need to fix SAMPLE actions OVS_SAMPLE_ATTR_ACTIONS attribute, i.e. nested
776 * USERSPACE action's user-cookie which is required for sflow. */
778 fix_sflow_action(struct xlate_ctx *ctx)
780 const struct flow *base = &ctx->base_flow;
781 union user_action_cookie *cookie;
783 if (!ctx->user_cookie_offset) {
787 cookie = ofpbuf_at(&ctx->xout->odp_actions, ctx->user_cookie_offset,
788 sizeof cookie->sflow);
789 ovs_assert(cookie->type == USER_ACTION_COOKIE_SFLOW);
791 compose_sflow_cookie(ctx->ofproto, base->vlan_tci,
792 ctx->sflow_odp_port, ctx->sflow_n_outputs, cookie);
795 static enum slow_path_reason
796 process_special(struct xlate_ctx *ctx, const struct flow *flow,
797 const struct ofport_dpif *ofport, const struct ofpbuf *packet)
799 struct ofproto_dpif *ofproto = ctx->ofproto;
800 struct flow_wildcards *wc = &ctx->xout->wc;
804 } else if (ofport->cfm && cfm_should_process_flow(ofport->cfm, flow, wc)) {
806 cfm_process_heartbeat(ofport->cfm, packet);
809 } else if (ofport->bfd && bfd_should_process_flow(flow, wc)) {
811 bfd_process_packet(ofport->bfd, flow, packet);
814 } else if (ofport->bundle && ofport->bundle->lacp
815 && flow->dl_type == htons(ETH_TYPE_LACP)) {
817 lacp_process_packet(ofport->bundle->lacp, ofport, packet);
820 } else if (ofproto->stp && stp_should_process_flow(flow, wc)) {
822 stp_process_packet(ofport, packet);
831 compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
834 const struct ofport_dpif *ofport = get_ofp_port(ctx->ofproto, ofp_port);
835 struct flow_wildcards *wc = &ctx->xout->wc;
836 struct flow *flow = &ctx->xin->flow;
837 ovs_be16 flow_vlan_tci;
838 uint32_t flow_skb_mark;
840 odp_port_t out_port, odp_port;
843 /* If 'struct flow' gets additional metadata, we'll need to zero it out
844 * before traversing a patch port. */
845 BUILD_ASSERT_DECL(FLOW_WC_SEQ == 20);
848 xlate_report(ctx, "Nonexistent output port");
850 } else if (ofport->up.pp.config & OFPUTIL_PC_NO_FWD) {
851 xlate_report(ctx, "OFPPC_NO_FWD set, skipping output");
853 } else if (check_stp && !stp_forward_in_state(ofport->stp_state)) {
854 xlate_report(ctx, "STP not in forwarding state, skipping output");
859 struct ofport_dpif *peer = ofport->peer;
860 struct flow old_flow = ctx->xin->flow;
861 enum slow_path_reason special;
863 ctx->ofproto = ofproto_dpif_cast(peer->up.ofproto);
864 flow->in_port.ofp_port = peer->up.ofp_port;
865 flow->metadata = htonll(0);
866 memset(&flow->tunnel, 0, sizeof flow->tunnel);
867 memset(flow->regs, 0, sizeof flow->regs);
869 special = process_special(ctx, &ctx->xin->flow, peer,
872 ctx->xout->slow = special;
873 } else if (may_receive(peer, ctx)) {
874 if (stp_forward_in_state(peer->stp_state)) {
875 xlate_table_action(ctx, flow->in_port.ofp_port, 0, true);
877 /* Forwarding is disabled by STP. Let OFPP_NORMAL and the
878 * learning action look at the packet, then drop it. */
879 struct flow old_base_flow = ctx->base_flow;
880 size_t old_size = ctx->xout->odp_actions.size;
881 xlate_table_action(ctx, flow->in_port.ofp_port, 0, true);
882 ctx->base_flow = old_base_flow;
883 ctx->xout->odp_actions.size = old_size;
887 ctx->xin->flow = old_flow;
888 ctx->ofproto = ofproto_dpif_cast(ofport->up.ofproto);
890 if (ctx->xin->resubmit_stats) {
891 netdev_vport_inc_tx(ofport->up.netdev, ctx->xin->resubmit_stats);
892 netdev_vport_inc_rx(peer->up.netdev, ctx->xin->resubmit_stats);
898 flow_vlan_tci = flow->vlan_tci;
899 flow_skb_mark = flow->skb_mark;
900 flow_nw_tos = flow->nw_tos;
902 if (ofproto_dpif_dscp_from_priority(ofport, flow->skb_priority, &dscp)) {
903 wc->masks.nw_tos |= IP_ECN_MASK;
904 flow->nw_tos &= ~IP_DSCP_MASK;
905 flow->nw_tos |= dscp;
908 if (ofport->tnl_port) {
909 /* Save tunnel metadata so that changes made due to
910 * the Logical (tunnel) Port are not visible for any further
911 * matches, while explicit set actions on tunnel metadata are.
913 struct flow_tnl flow_tnl = flow->tunnel;
914 odp_port = tnl_port_send(ofport->tnl_port, flow, &ctx->xout->wc);
915 if (odp_port == ODPP_NONE) {
916 xlate_report(ctx, "Tunneling decided against output");
917 goto out; /* restore flow_nw_tos */
919 if (flow->tunnel.ip_dst == ctx->orig_tunnel_ip_dst) {
920 xlate_report(ctx, "Not tunneling to our own address");
921 goto out; /* restore flow_nw_tos */
923 if (ctx->xin->resubmit_stats) {
924 netdev_vport_inc_tx(ofport->up.netdev, ctx->xin->resubmit_stats);
927 commit_odp_tunnel_action(flow, &ctx->base_flow,
928 &ctx->xout->odp_actions);
929 flow->tunnel = flow_tnl; /* Restore tunnel metadata */
931 ofp_port_t vlandev_port;
933 odp_port = ofport->odp_port;
934 if (!hmap_is_empty(&ctx->ofproto->realdev_vid_map)) {
935 wc->masks.vlan_tci |= htons(VLAN_VID_MASK | VLAN_CFI);
937 vlandev_port = vsp_realdev_to_vlandev(ctx->ofproto, ofp_port,
939 if (vlandev_port == ofp_port) {
942 out_port = ofp_port_to_odp_port(ctx->ofproto, vlandev_port);
943 flow->vlan_tci = htons(0);
945 flow->skb_mark &= ~IPSEC_MARK;
948 if (out_port != ODPP_NONE) {
949 commit_odp_actions(flow, &ctx->base_flow,
950 &ctx->xout->odp_actions, &ctx->xout->wc);
951 nl_msg_put_odp_port(&ctx->xout->odp_actions, OVS_ACTION_ATTR_OUTPUT,
954 ctx->sflow_odp_port = odp_port;
955 ctx->sflow_n_outputs++;
956 ctx->xout->nf_output_iface = ofp_port;
961 flow->vlan_tci = flow_vlan_tci;
962 flow->skb_mark = flow_skb_mark;
963 flow->nw_tos = flow_nw_tos;
967 compose_output_action(struct xlate_ctx *ctx, ofp_port_t ofp_port)
969 compose_output_action__(ctx, ofp_port, true);
973 tag_the_flow(struct xlate_ctx *ctx, struct rule_dpif *rule)
975 struct ofproto_dpif *ofproto = ctx->ofproto;
976 uint8_t table_id = ctx->table_id;
978 if (table_id > 0 && table_id < N_TABLES) {
979 struct table_dpif *table = &ofproto->tables[table_id];
980 if (table->other_table) {
981 ctx->xout->tags |= (rule && rule->tag
983 : rule_calculate_tag(&ctx->xin->flow,
984 &table->other_table->mask,
990 /* Common rule processing in one place to avoid duplicating code. */
991 static struct rule_dpif *
992 ctx_rule_hooks(struct xlate_ctx *ctx, struct rule_dpif *rule,
995 if (ctx->xin->resubmit_hook) {
996 ctx->xin->resubmit_hook(ctx->xin, rule, ctx->recurse);
998 if (rule == NULL && may_packet_in) {
1000 * check if table configuration flags
1001 * OFPTC_TABLE_MISS_CONTROLLER, default.
1002 * OFPTC_TABLE_MISS_CONTINUE,
1003 * OFPTC_TABLE_MISS_DROP
1004 * When OF1.0, OFPTC_TABLE_MISS_CONTINUE is used. What to do?
1006 rule = rule_dpif_miss_rule(ctx->ofproto, &ctx->xin->flow);
1008 if (rule && ctx->xin->resubmit_stats) {
1009 rule_credit_stats(rule, ctx->xin->resubmit_stats);
1015 xlate_table_action(struct xlate_ctx *ctx,
1016 ofp_port_t in_port, uint8_t table_id, bool may_packet_in)
1018 if (ctx->recurse < MAX_RESUBMIT_RECURSION) {
1019 struct rule_dpif *rule;
1020 ofp_port_t old_in_port = ctx->xin->flow.in_port.ofp_port;
1021 uint8_t old_table_id = ctx->table_id;
1023 ctx->table_id = table_id;
1025 /* Look up a flow with 'in_port' as the input port. */
1026 ctx->xin->flow.in_port.ofp_port = in_port;
1027 rule = rule_dpif_lookup_in_table(ctx->ofproto, &ctx->xin->flow,
1028 &ctx->xout->wc, table_id);
1030 tag_the_flow(ctx, rule);
1032 /* Restore the original input port. Otherwise OFPP_NORMAL and
1033 * OFPP_IN_PORT will have surprising behavior. */
1034 ctx->xin->flow.in_port.ofp_port = old_in_port;
1036 rule = ctx_rule_hooks(ctx, rule, may_packet_in);
1039 struct rule_dpif *old_rule = ctx->rule;
1043 do_xlate_actions(rule->up.ofpacts, rule->up.ofpacts_len, ctx);
1044 ctx->rule = old_rule;
1048 ctx->table_id = old_table_id;
1050 static struct vlog_rate_limit recurse_rl = VLOG_RATE_LIMIT_INIT(1, 1);
1052 VLOG_ERR_RL(&recurse_rl, "resubmit actions recursed over %d times",
1053 MAX_RESUBMIT_RECURSION);
1054 ctx->max_resubmit_trigger = true;
1059 xlate_ofpact_resubmit(struct xlate_ctx *ctx,
1060 const struct ofpact_resubmit *resubmit)
1065 in_port = resubmit->in_port;
1066 if (in_port == OFPP_IN_PORT) {
1067 in_port = ctx->xin->flow.in_port.ofp_port;
1070 table_id = resubmit->table_id;
1071 if (table_id == 255) {
1072 table_id = ctx->table_id;
1075 xlate_table_action(ctx, in_port, table_id, false);
1079 flood_packets(struct xlate_ctx *ctx, bool all)
1081 struct ofport_dpif *ofport;
1083 HMAP_FOR_EACH (ofport, up.hmap_node, &ctx->ofproto->up.ports) {
1084 ofp_port_t ofp_port = ofport->up.ofp_port;
1086 if (ofp_port == ctx->xin->flow.in_port.ofp_port) {
1091 compose_output_action__(ctx, ofp_port, false);
1092 } else if (!(ofport->up.pp.config & OFPUTIL_PC_NO_FLOOD)) {
1093 compose_output_action(ctx, ofp_port);
1097 ctx->xout->nf_output_iface = NF_OUT_FLOOD;
1101 execute_controller_action(struct xlate_ctx *ctx, int len,
1102 enum ofp_packet_in_reason reason,
1103 uint16_t controller_id)
1105 struct ofputil_packet_in pin;
1106 struct ofpbuf *packet;
1109 ovs_assert(!ctx->xout->slow || ctx->xout->slow == SLOW_CONTROLLER);
1110 ctx->xout->slow = SLOW_CONTROLLER;
1111 if (!ctx->xin->packet) {
1115 packet = ofpbuf_clone(ctx->xin->packet);
1117 key.skb_priority = 0;
1119 memset(&key.tunnel, 0, sizeof key.tunnel);
1121 commit_odp_actions(&ctx->xin->flow, &ctx->base_flow,
1122 &ctx->xout->odp_actions, &ctx->xout->wc);
1124 odp_execute_actions(NULL, packet, &key, ctx->xout->odp_actions.data,
1125 ctx->xout->odp_actions.size, NULL, NULL);
1127 pin.packet = packet->data;
1128 pin.packet_len = packet->size;
1129 pin.reason = reason;
1130 pin.controller_id = controller_id;
1131 pin.table_id = ctx->table_id;
1132 pin.cookie = ctx->rule ? ctx->rule->up.flow_cookie : 0;
1135 flow_get_metadata(&ctx->xin->flow, &pin.fmd);
1137 connmgr_send_packet_in(ctx->ofproto->up.connmgr, &pin);
1138 ofpbuf_delete(packet);
1142 compose_mpls_push_action(struct xlate_ctx *ctx, ovs_be16 eth_type)
1144 struct flow_wildcards *wc = &ctx->xout->wc;
1145 struct flow *flow = &ctx->xin->flow;
1147 ovs_assert(eth_type_mpls(eth_type));
1149 memset(&wc->masks.mpls_lse, 0xff, sizeof wc->masks.mpls_lse);
1150 memset(&wc->masks.mpls_depth, 0xff, sizeof wc->masks.mpls_depth);
1152 if (flow->mpls_depth) {
1153 flow->mpls_lse &= ~htonl(MPLS_BOS_MASK);
1159 if (flow->dl_type == htons(ETH_TYPE_IPV6)) {
1160 label = htonl(0x2); /* IPV6 Explicit Null. */
1162 label = htonl(0x0); /* IPV4 Explicit Null. */
1164 wc->masks.nw_tos |= IP_DSCP_MASK;
1165 wc->masks.nw_ttl = 0xff;
1166 tc = (flow->nw_tos & IP_DSCP_MASK) >> 2;
1167 ttl = flow->nw_ttl ? flow->nw_ttl : 0x40;
1168 flow->mpls_lse = set_mpls_lse_values(ttl, tc, 1, label);
1169 flow->mpls_depth = 1;
1171 flow->dl_type = eth_type;
1175 compose_mpls_pop_action(struct xlate_ctx *ctx, ovs_be16 eth_type)
1177 struct flow_wildcards *wc = &ctx->xout->wc;
1178 struct flow *flow = &ctx->xin->flow;
1180 ovs_assert(eth_type_mpls(ctx->xin->flow.dl_type));
1181 ovs_assert(!eth_type_mpls(eth_type));
1183 memset(&wc->masks.mpls_lse, 0xff, sizeof wc->masks.mpls_lse);
1184 memset(&wc->masks.mpls_depth, 0xff, sizeof wc->masks.mpls_depth);
1186 if (flow->mpls_depth) {
1188 flow->mpls_lse = htonl(0);
1189 if (!flow->mpls_depth) {
1190 flow->dl_type = eth_type;
1196 compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids)
1198 struct flow *flow = &ctx->xin->flow;
1200 if (!is_ip_any(flow)) {
1204 ctx->xout->wc.masks.nw_ttl = 0xff;
1205 if (flow->nw_ttl > 1) {
1211 for (i = 0; i < ids->n_controllers; i++) {
1212 execute_controller_action(ctx, UINT16_MAX, OFPR_INVALID_TTL,
1216 /* Stop processing for current table. */
1222 compose_set_mpls_ttl_action(struct xlate_ctx *ctx, uint8_t ttl)
1224 if (!eth_type_mpls(ctx->xin->flow.dl_type)) {
1228 set_mpls_lse_ttl(&ctx->xin->flow.mpls_lse, ttl);
1233 compose_dec_mpls_ttl_action(struct xlate_ctx *ctx)
1235 struct flow *flow = &ctx->xin->flow;
1236 uint8_t ttl = mpls_lse_to_ttl(flow->mpls_lse);
1237 struct flow_wildcards *wc = &ctx->xout->wc;
1239 memset(&wc->masks.mpls_lse, 0xff, sizeof wc->masks.mpls_lse);
1241 if (!eth_type_mpls(flow->dl_type)) {
1247 set_mpls_lse_ttl(&flow->mpls_lse, ttl);
1250 execute_controller_action(ctx, UINT16_MAX, OFPR_INVALID_TTL, 0);
1252 /* Stop processing for current table. */
1258 xlate_output_action(struct xlate_ctx *ctx,
1259 ofp_port_t port, uint16_t max_len, bool may_packet_in)
1261 ofp_port_t prev_nf_output_iface = ctx->xout->nf_output_iface;
1263 ctx->xout->nf_output_iface = NF_OUT_DROP;
1267 compose_output_action(ctx, ctx->xin->flow.in_port.ofp_port);
1270 xlate_table_action(ctx, ctx->xin->flow.in_port.ofp_port,
1277 flood_packets(ctx, false);
1280 flood_packets(ctx, true);
1282 case OFPP_CONTROLLER:
1283 execute_controller_action(ctx, max_len, OFPR_ACTION, 0);
1289 if (port != ctx->xin->flow.in_port.ofp_port) {
1290 compose_output_action(ctx, port);
1292 xlate_report(ctx, "skipping output to input port");
1297 if (prev_nf_output_iface == NF_OUT_FLOOD) {
1298 ctx->xout->nf_output_iface = NF_OUT_FLOOD;
1299 } else if (ctx->xout->nf_output_iface == NF_OUT_DROP) {
1300 ctx->xout->nf_output_iface = prev_nf_output_iface;
1301 } else if (prev_nf_output_iface != NF_OUT_DROP &&
1302 ctx->xout->nf_output_iface != NF_OUT_FLOOD) {
1303 ctx->xout->nf_output_iface = NF_OUT_MULTI;
1308 xlate_output_reg_action(struct xlate_ctx *ctx,
1309 const struct ofpact_output_reg *or)
1311 uint64_t port = mf_get_subfield(&or->src, &ctx->xin->flow);
1312 if (port <= UINT16_MAX) {
1313 union mf_subvalue value;
1315 memset(&value, 0xff, sizeof value);
1316 mf_write_subfield_flow(&or->src, &value, &ctx->xout->wc.masks);
1317 xlate_output_action(ctx, u16_to_ofp(port),
1318 or->max_len, false);
1323 xlate_enqueue_action(struct xlate_ctx *ctx,
1324 const struct ofpact_enqueue *enqueue)
1326 ofp_port_t ofp_port = enqueue->port;
1327 uint32_t queue_id = enqueue->queue;
1328 uint32_t flow_priority, priority;
1331 /* Translate queue to priority. */
1332 error = ofproto_dpif_queue_to_priority(ctx->ofproto, queue_id, &priority);
1334 /* Fall back to ordinary output action. */
1335 xlate_output_action(ctx, enqueue->port, 0, false);
1339 /* Check output port. */
1340 if (ofp_port == OFPP_IN_PORT) {
1341 ofp_port = ctx->xin->flow.in_port.ofp_port;
1342 } else if (ofp_port == ctx->xin->flow.in_port.ofp_port) {
1346 /* Add datapath actions. */
1347 flow_priority = ctx->xin->flow.skb_priority;
1348 ctx->xin->flow.skb_priority = priority;
1349 compose_output_action(ctx, ofp_port);
1350 ctx->xin->flow.skb_priority = flow_priority;
1352 /* Update NetFlow output port. */
1353 if (ctx->xout->nf_output_iface == NF_OUT_DROP) {
1354 ctx->xout->nf_output_iface = ofp_port;
1355 } else if (ctx->xout->nf_output_iface != NF_OUT_FLOOD) {
1356 ctx->xout->nf_output_iface = NF_OUT_MULTI;
1361 xlate_set_queue_action(struct xlate_ctx *ctx, uint32_t queue_id)
1363 uint32_t skb_priority;
1365 if (!ofproto_dpif_queue_to_priority(ctx->ofproto, queue_id,
1367 ctx->xin->flow.skb_priority = skb_priority;
1369 /* Couldn't translate queue to a priority. Nothing to do. A warning
1370 * has already been logged. */
1375 slave_enabled_cb(ofp_port_t ofp_port, void *ofproto_)
1377 struct ofproto_dpif *ofproto = ofproto_;
1378 struct ofport_dpif *port;
1388 case OFPP_CONTROLLER: /* Not supported by the bundle action. */
1391 port = get_ofp_port(ofproto, ofp_port);
1392 return port ? port->may_enable : false;
1397 xlate_bundle_action(struct xlate_ctx *ctx,
1398 const struct ofpact_bundle *bundle)
1402 port = bundle_execute(bundle, &ctx->xin->flow, &ctx->xout->wc,
1403 slave_enabled_cb, ctx->ofproto);
1404 if (bundle->dst.field) {
1405 nxm_reg_load(&bundle->dst, ofp_to_u16(port), &ctx->xin->flow);
1407 xlate_output_action(ctx, port, 0, false);
1412 xlate_learn_action(struct xlate_ctx *ctx,
1413 const struct ofpact_learn *learn)
1415 static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);
1416 struct ofputil_flow_mod fm;
1417 uint64_t ofpacts_stub[1024 / 8];
1418 struct ofpbuf ofpacts;
1421 ctx->xout->has_learn = true;
1423 learn_mask(learn, &ctx->xout->wc);
1425 if (!ctx->xin->may_learn) {
1429 ofpbuf_use_stack(&ofpacts, ofpacts_stub, sizeof ofpacts_stub);
1430 learn_execute(learn, &ctx->xin->flow, &fm, &ofpacts);
1432 error = ofproto_flow_mod(&ctx->ofproto->up, &fm);
1433 if (error && !VLOG_DROP_WARN(&rl)) {
1434 VLOG_WARN("learning action failed to modify flow table (%s)",
1435 ofperr_get_name(error));
1438 ofpbuf_uninit(&ofpacts);
1441 /* Reduces '*timeout' to no more than 'max'. A value of zero in either case
1442 * means "infinite". */
1444 reduce_timeout(uint16_t max, uint16_t *timeout)
1446 if (max && (!*timeout || *timeout > max)) {
1452 xlate_fin_timeout(struct xlate_ctx *ctx,
1453 const struct ofpact_fin_timeout *oft)
1455 if (ctx->xin->tcp_flags & (TCP_FIN | TCP_RST) && ctx->rule) {
1456 struct rule_dpif *rule = ctx->rule;
1458 reduce_timeout(oft->fin_idle_timeout, &rule->up.idle_timeout);
1459 reduce_timeout(oft->fin_hard_timeout, &rule->up.hard_timeout);
1464 xlate_sample_action(struct xlate_ctx *ctx,
1465 const struct ofpact_sample *os)
1467 union user_action_cookie cookie;
1468 /* Scale the probability from 16-bit to 32-bit while representing
1469 * the same percentage. */
1470 uint32_t probability = (os->probability << 16) | os->probability;
1472 commit_odp_actions(&ctx->xin->flow, &ctx->base_flow,
1473 &ctx->xout->odp_actions, &ctx->xout->wc);
1475 compose_flow_sample_cookie(os->probability, os->collector_set_id,
1476 os->obs_domain_id, os->obs_point_id, &cookie);
1477 compose_sample_action(ctx->ofproto, &ctx->xout->odp_actions, &ctx->xin->flow,
1478 probability, &cookie, sizeof cookie.flow_sample);
1482 may_receive(const struct ofport_dpif *port, struct xlate_ctx *ctx)
1484 if (port->up.pp.config & (eth_addr_equals(ctx->xin->flow.dl_dst,
1486 ? OFPUTIL_PC_NO_RECV_STP
1487 : OFPUTIL_PC_NO_RECV)) {
1491 /* Only drop packets here if both forwarding and learning are
1492 * disabled. If just learning is enabled, we need to have
1493 * OFPP_NORMAL and the learning action have a look at the packet
1494 * before we can drop it. */
1495 if (!stp_forward_in_state(port->stp_state)
1496 && !stp_learn_in_state(port->stp_state)) {
1504 tunnel_ecn_ok(struct xlate_ctx *ctx)
1506 if (is_ip_any(&ctx->base_flow)
1507 && (ctx->xin->flow.tunnel.ip_tos & IP_ECN_MASK) == IP_ECN_CE) {
1508 if ((ctx->base_flow.nw_tos & IP_ECN_MASK) == IP_ECN_NOT_ECT) {
1509 VLOG_WARN_RL(&rl, "dropping tunnel packet marked ECN CE"
1510 " but is not ECN capable");
1513 /* Set the ECN CE value in the tunneled packet. */
1514 ctx->xin->flow.nw_tos |= IP_ECN_CE;
1522 do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len,
1523 struct xlate_ctx *ctx)
1525 struct flow_wildcards *wc = &ctx->xout->wc;
1526 struct flow *flow = &ctx->xin->flow;
1527 bool was_evictable = true;
1528 const struct ofpact *a;
1531 /* Don't let the rule we're working on get evicted underneath us. */
1532 was_evictable = ctx->rule->up.evictable;
1533 ctx->rule->up.evictable = false;
1536 do_xlate_actions_again:
1537 OFPACT_FOR_EACH (a, ofpacts, ofpacts_len) {
1538 struct ofpact_controller *controller;
1539 const struct ofpact_metadata *metadata;
1547 xlate_output_action(ctx, ofpact_get_OUTPUT(a)->port,
1548 ofpact_get_OUTPUT(a)->max_len, true);
1551 case OFPACT_CONTROLLER:
1552 controller = ofpact_get_CONTROLLER(a);
1553 execute_controller_action(ctx, controller->max_len,
1555 controller->controller_id);
1558 case OFPACT_ENQUEUE:
1559 xlate_enqueue_action(ctx, ofpact_get_ENQUEUE(a));
1562 case OFPACT_SET_VLAN_VID:
1563 flow->vlan_tci &= ~htons(VLAN_VID_MASK);
1564 flow->vlan_tci |= (htons(ofpact_get_SET_VLAN_VID(a)->vlan_vid)
1568 case OFPACT_SET_VLAN_PCP:
1569 flow->vlan_tci &= ~htons(VLAN_PCP_MASK);
1571 htons((ofpact_get_SET_VLAN_PCP(a)->vlan_pcp << VLAN_PCP_SHIFT)
1575 case OFPACT_STRIP_VLAN:
1576 flow->vlan_tci = htons(0);
1579 case OFPACT_PUSH_VLAN:
1580 /* XXX 802.1AD(QinQ) */
1581 flow->vlan_tci = htons(VLAN_CFI);
1584 case OFPACT_SET_ETH_SRC:
1585 memcpy(flow->dl_src, ofpact_get_SET_ETH_SRC(a)->mac, ETH_ADDR_LEN);
1588 case OFPACT_SET_ETH_DST:
1589 memcpy(flow->dl_dst, ofpact_get_SET_ETH_DST(a)->mac, ETH_ADDR_LEN);
1592 case OFPACT_SET_IPV4_SRC:
1593 if (flow->dl_type == htons(ETH_TYPE_IP)) {
1594 flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4;
1598 case OFPACT_SET_IPV4_DST:
1599 if (flow->dl_type == htons(ETH_TYPE_IP)) {
1600 flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4;
1604 case OFPACT_SET_IPV4_DSCP:
1605 /* OpenFlow 1.0 only supports IPv4. */
1606 if (flow->dl_type == htons(ETH_TYPE_IP)) {
1607 flow->nw_tos &= ~IP_DSCP_MASK;
1608 flow->nw_tos |= ofpact_get_SET_IPV4_DSCP(a)->dscp;
1612 case OFPACT_SET_L4_SRC_PORT:
1613 memset(&wc->masks.nw_proto, 0xff, sizeof wc->masks.nw_proto);
1614 if (is_ip_any(flow)) {
1615 flow->tp_src = htons(ofpact_get_SET_L4_SRC_PORT(a)->port);
1619 case OFPACT_SET_L4_DST_PORT:
1620 memset(&wc->masks.nw_proto, 0xff, sizeof wc->masks.nw_proto);
1621 if (is_ip_any(flow)) {
1622 flow->tp_dst = htons(ofpact_get_SET_L4_DST_PORT(a)->port);
1626 case OFPACT_RESUBMIT:
1627 xlate_ofpact_resubmit(ctx, ofpact_get_RESUBMIT(a));
1630 case OFPACT_SET_TUNNEL:
1631 flow->tunnel.tun_id = htonll(ofpact_get_SET_TUNNEL(a)->tun_id);
1634 case OFPACT_SET_QUEUE:
1635 xlate_set_queue_action(ctx, ofpact_get_SET_QUEUE(a)->queue_id);
1638 case OFPACT_POP_QUEUE:
1639 flow->skb_priority = ctx->orig_skb_priority;
1642 case OFPACT_REG_MOVE:
1643 nxm_execute_reg_move(ofpact_get_REG_MOVE(a), flow, wc);
1646 case OFPACT_REG_LOAD:
1647 nxm_execute_reg_load(ofpact_get_REG_LOAD(a), flow);
1650 case OFPACT_STACK_PUSH:
1651 nxm_execute_stack_push(ofpact_get_STACK_PUSH(a), flow, wc,
1655 case OFPACT_STACK_POP:
1656 nxm_execute_stack_pop(ofpact_get_STACK_POP(a), flow, &ctx->stack);
1659 case OFPACT_PUSH_MPLS:
1660 compose_mpls_push_action(ctx, ofpact_get_PUSH_MPLS(a)->ethertype);
1663 case OFPACT_POP_MPLS:
1664 compose_mpls_pop_action(ctx, ofpact_get_POP_MPLS(a)->ethertype);
1667 case OFPACT_SET_MPLS_TTL:
1668 if (compose_set_mpls_ttl_action(ctx,
1669 ofpact_get_SET_MPLS_TTL(a)->ttl)) {
1674 case OFPACT_DEC_MPLS_TTL:
1675 if (compose_dec_mpls_ttl_action(ctx)) {
1680 case OFPACT_DEC_TTL:
1681 if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) {
1687 /* Nothing to do. */
1690 case OFPACT_MULTIPATH:
1691 multipath_execute(ofpact_get_MULTIPATH(a), flow, wc);
1695 xlate_bundle_action(ctx, ofpact_get_BUNDLE(a));
1698 case OFPACT_OUTPUT_REG:
1699 xlate_output_reg_action(ctx, ofpact_get_OUTPUT_REG(a));
1703 xlate_learn_action(ctx, ofpact_get_LEARN(a));
1710 case OFPACT_FIN_TIMEOUT:
1711 memset(&wc->masks.nw_proto, 0xff, sizeof wc->masks.nw_proto);
1712 ctx->xout->has_fin_timeout = true;
1713 xlate_fin_timeout(ctx, ofpact_get_FIN_TIMEOUT(a));
1716 case OFPACT_CLEAR_ACTIONS:
1718 * Nothing to do because writa-actions is not supported for now.
1719 * When writa-actions is supported, clear-actions also must
1720 * be supported at the same time.
1724 case OFPACT_WRITE_METADATA:
1725 metadata = ofpact_get_WRITE_METADATA(a);
1726 flow->metadata &= ~metadata->mask;
1727 flow->metadata |= metadata->metadata & metadata->mask;
1731 /* Not implemented yet. */
1734 case OFPACT_GOTO_TABLE: {
1735 /* It is assumed that goto-table is the last action. */
1736 struct ofpact_goto_table *ogt = ofpact_get_GOTO_TABLE(a);
1737 struct rule_dpif *rule;
1739 ovs_assert(ctx->table_id < ogt->table_id);
1741 ctx->table_id = ogt->table_id;
1743 /* Look up a flow from the new table. */
1744 rule = rule_dpif_lookup_in_table(ctx->ofproto, flow, wc,
1747 tag_the_flow(ctx, rule);
1749 rule = ctx_rule_hooks(ctx, rule, true);
1753 ctx->rule->up.evictable = was_evictable;
1756 was_evictable = rule->up.evictable;
1757 rule->up.evictable = false;
1759 /* Tail recursion removal. */
1760 ofpacts = rule->up.ofpacts;
1761 ofpacts_len = rule->up.ofpacts_len;
1762 goto do_xlate_actions_again;
1768 xlate_sample_action(ctx, ofpact_get_SAMPLE(a));
1775 ctx->rule->up.evictable = was_evictable;
1780 xlate_in_init(struct xlate_in *xin, struct ofproto_dpif *ofproto,
1781 const struct flow *flow, struct rule_dpif *rule,
1782 uint8_t tcp_flags, const struct ofpbuf *packet)
1784 xin->ofproto = ofproto;
1786 xin->packet = packet;
1787 xin->may_learn = packet != NULL;
1789 xin->ofpacts = NULL;
1790 xin->ofpacts_len = 0;
1791 xin->tcp_flags = tcp_flags;
1792 xin->resubmit_hook = NULL;
1793 xin->report_hook = NULL;
1794 xin->resubmit_stats = NULL;
1798 xlate_out_uninit(struct xlate_out *xout)
1801 ofpbuf_uninit(&xout->odp_actions);
1805 /* Translates the 'ofpacts_len' bytes of "struct ofpact"s starting at 'ofpacts'
1806 * into datapath actions, using 'ctx', and discards the datapath actions. */
1808 xlate_actions_for_side_effects(struct xlate_in *xin)
1810 struct xlate_out xout;
1812 xlate_actions(xin, &xout);
1813 xlate_out_uninit(&xout);
1817 xlate_report(struct xlate_ctx *ctx, const char *s)
1819 if (ctx->xin->report_hook) {
1820 ctx->xin->report_hook(ctx->xin, s, ctx->recurse);
1825 xlate_out_copy(struct xlate_out *dst, const struct xlate_out *src)
1828 dst->tags = src->tags;
1829 dst->slow = src->slow;
1830 dst->has_learn = src->has_learn;
1831 dst->has_normal = src->has_normal;
1832 dst->has_fin_timeout = src->has_fin_timeout;
1833 dst->nf_output_iface = src->nf_output_iface;
1834 dst->mirrors = src->mirrors;
1836 ofpbuf_use_stub(&dst->odp_actions, dst->odp_actions_stub,
1837 sizeof dst->odp_actions_stub);
1838 ofpbuf_put(&dst->odp_actions, src->odp_actions.data,
1839 src->odp_actions.size);
1843 /* Translates the 'ofpacts_len' bytes of "struct ofpacts" starting at 'ofpacts'
1844 * into datapath actions in 'odp_actions', using 'ctx'. */
1846 xlate_actions(struct xlate_in *xin, struct xlate_out *xout)
1848 /* Normally false. Set to true if we ever hit MAX_RESUBMIT_RECURSION, so
1849 * that in the future we always keep a copy of the original flow for
1850 * tracing purposes. */
1851 static bool hit_resubmit_limit;
1853 struct flow_wildcards *wc = &xout->wc;
1854 struct flow *flow = &xin->flow;
1856 enum slow_path_reason special;
1857 const struct ofpact *ofpacts;
1858 struct ofport_dpif *in_port;
1859 struct flow orig_flow;
1860 struct xlate_ctx ctx;
1863 COVERAGE_INC(ofproto_dpif_xlate);
1865 /* Flow initialization rules:
1866 * - 'base_flow' must match the kernel's view of the packet at the
1867 * time that action processing starts. 'flow' represents any
1868 * transformations we wish to make through actions.
1869 * - By default 'base_flow' and 'flow' are the same since the input
1870 * packet matches the output before any actions are applied.
1871 * - When using VLAN splinters, 'base_flow''s VLAN is set to the value
1872 * of the received packet as seen by the kernel. If we later output
1873 * to another device without any modifications this will cause us to
1874 * insert a new tag since the original one was stripped off by the
1876 * - Tunnel metadata as received is retained in 'flow'. This allows
1877 * tunnel metadata matching also in later tables.
1878 * Since a kernel action for setting the tunnel metadata will only be
1879 * generated with actual tunnel output, changing the tunnel metadata
1880 * values in 'flow' (such as tun_id) will only have effect with a later
1881 * tunnel output action.
1882 * - Tunnel 'base_flow' is completely cleared since that is what the
1883 * kernel does. If we wish to maintain the original values an action
1884 * needs to be generated. */
1889 ctx.ofproto = xin->ofproto;
1890 ctx.rule = xin->rule;
1892 ctx.base_flow = *flow;
1893 memset(&ctx.base_flow.tunnel, 0, sizeof ctx.base_flow.tunnel);
1894 ctx.orig_tunnel_ip_dst = flow->tunnel.ip_dst;
1896 flow_wildcards_init_catchall(wc);
1897 memset(&wc->masks.in_port, 0xff, sizeof wc->masks.in_port);
1898 memset(&wc->masks.skb_priority, 0xff, sizeof wc->masks.skb_priority);
1899 memset(&wc->masks.dl_type, 0xff, sizeof wc->masks.dl_type);
1900 wc->masks.nw_frag |= FLOW_NW_FRAG_MASK;
1902 if (tnl_port_should_receive(&ctx.xin->flow)) {
1903 memset(&wc->masks.tunnel, 0xff, sizeof wc->masks.tunnel);
1905 if (xin->ofproto->netflow) {
1906 netflow_mask_wc(wc);
1911 ctx.xout->has_learn = false;
1912 ctx.xout->has_normal = false;
1913 ctx.xout->has_fin_timeout = false;
1914 ctx.xout->nf_output_iface = NF_OUT_DROP;
1915 ctx.xout->mirrors = 0;
1917 ofpbuf_use_stub(&ctx.xout->odp_actions, ctx.xout->odp_actions_stub,
1918 sizeof ctx.xout->odp_actions_stub);
1919 ofpbuf_reserve(&ctx.xout->odp_actions, NL_A_U32_SIZE);
1922 ctx.max_resubmit_trigger = false;
1923 ctx.orig_skb_priority = flow->skb_priority;
1928 ofpacts = xin->ofpacts;
1929 ofpacts_len = xin->ofpacts_len;
1930 } else if (xin->rule) {
1931 ofpacts = xin->rule->up.ofpacts;
1932 ofpacts_len = xin->rule->up.ofpacts_len;
1937 ofpbuf_use_stub(&ctx.stack, ctx.init_stack, sizeof ctx.init_stack);
1939 if (ctx.ofproto->has_mirrors || hit_resubmit_limit) {
1940 /* Do this conditionally because the copy is expensive enough that it
1941 * shows up in profiles. */
1945 if (flow->nw_frag & FLOW_NW_FRAG_ANY) {
1946 switch (ctx.ofproto->up.frag_handling) {
1947 case OFPC_FRAG_NORMAL:
1948 /* We must pretend that transport ports are unavailable. */
1949 flow->tp_src = ctx.base_flow.tp_src = htons(0);
1950 flow->tp_dst = ctx.base_flow.tp_dst = htons(0);
1953 case OFPC_FRAG_DROP:
1956 case OFPC_FRAG_REASM:
1959 case OFPC_FRAG_NX_MATCH:
1960 /* Nothing to do. */
1963 case OFPC_INVALID_TTL_TO_CONTROLLER:
1968 in_port = get_ofp_port(ctx.ofproto, flow->in_port.ofp_port);
1969 special = process_special(&ctx, flow, in_port, ctx.xin->packet);
1971 ctx.xout->slow = special;
1973 static struct vlog_rate_limit trace_rl = VLOG_RATE_LIMIT_INIT(1, 1);
1974 size_t sample_actions_len;
1975 odp_port_t local_odp_port;
1977 if (flow->in_port.ofp_port
1978 != vsp_realdev_to_vlandev(ctx.ofproto, flow->in_port.ofp_port,
1980 ctx.base_flow.vlan_tci = 0;
1983 add_sflow_action(&ctx);
1984 add_ipfix_action(&ctx);
1985 sample_actions_len = ctx.xout->odp_actions.size;
1987 if (tunnel_ecn_ok(&ctx) && (!in_port || may_receive(in_port, &ctx))) {
1988 do_xlate_actions(ofpacts, ofpacts_len, &ctx);
1990 /* We've let OFPP_NORMAL and the learning action look at the
1991 * packet, so drop it now if forwarding is disabled. */
1992 if (in_port && !stp_forward_in_state(in_port->stp_state)) {
1993 ctx.xout->odp_actions.size = sample_actions_len;
1997 if (ctx.max_resubmit_trigger && !ctx.xin->resubmit_hook) {
1998 if (!hit_resubmit_limit) {
1999 /* We didn't record the original flow. Make sure we do from
2001 hit_resubmit_limit = true;
2002 } else if (!VLOG_DROP_ERR(&trace_rl)) {
2003 struct ds ds = DS_EMPTY_INITIALIZER;
2005 ofproto_trace(ctx.ofproto, &orig_flow, ctx.xin->packet, &ds);
2006 VLOG_ERR("Trace triggered by excessive resubmit "
2007 "recursion:\n%s", ds_cstr(&ds));
2012 local_odp_port = ofp_port_to_odp_port(ctx.ofproto, OFPP_LOCAL);
2013 if (connmgr_has_in_band(ctx.ofproto->up.connmgr)
2014 && !in_band_rule_check(flow, local_odp_port,
2015 ctx.xout->odp_actions.data,
2016 ctx.xout->odp_actions.size)) {
2017 compose_output_action(&ctx, OFPP_LOCAL);
2019 if (ctx.ofproto->has_mirrors) {
2020 add_mirror_actions(&ctx, &orig_flow);
2022 fix_sflow_action(&ctx);
2025 ofpbuf_uninit(&ctx.stack);
2027 /* Clear the metadata and register wildcard masks, because we won't
2028 * use non-header fields as part of the cache. */
2029 memset(&wc->masks.metadata, 0, sizeof wc->masks.metadata);
2030 memset(&wc->masks.regs, 0, sizeof wc->masks.regs);