openvswitch: TCP flags matching support.

    tcp_flags=flags/mask
        Bitwise  match on TCP flags.  The flags and mask are 16-bit num‐
        bers written in decimal or in hexadecimal prefixed by 0x.   Each
        1-bit  in  mask requires that the corresponding bit in port must
        match.  Each 0-bit in mask causes the corresponding  bit  to  be
        ignored.

        TCP  protocol  currently  defines  9 flag bits, and additional 3
        bits are reserved (must be transmitted as zero), see  RFCs  793,
        3168, and 3540.  The flag bits are, numbering from the least
        significant bit:

        0: FIN No more data from sender.

        1: SYN Synchronize sequence numbers.

        2: RST Reset the connection.

        3: PSH Push function.

        4: ACK Acknowledgement field significant.

        5: URG Urgent pointer field significant.

        6: ECE ECN Echo.

        7: CWR Congestion Windows Reduced.

        8: NS  Nonce Sum.

        9-11:  Reserved.

        12-15: Not matchable, must be zero.

Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>

diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h
index 2cc4644f68efa7e6453b354be578715e297d18cb..d120f9fe001783754bf27bcce1f4f4ebcf7e694e 100644 (file)
--- a/include/uapi/linux/openvswitch.h
+++ b/include/uapi/linux/openvswitch.h
@@ -271,6 +271,7 @@ enum ovs_key_attr {
        OVS_KEY_ATTR_SKB_MARK,  /* u32 skb mark */
        OVS_KEY_ATTR_TUNNEL,    /* Nested set of ovs_tunnel attributes */
        OVS_KEY_ATTR_SCTP,      /* struct ovs_key_sctp */
+       OVS_KEY_ATTR_TCP_FLAGS, /* be16 TCP flags. */
 
 #ifdef __KERNEL__
        OVS_KEY_ATTR_IPV4_TUNNEL,  /* struct ovs_key_ipv4_tunnel */

diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index b73c7680a3d2afb464b574a16838619f75a96e9f..b409f527960178bdef6936361952a8d320d85859 100644 (file)
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -428,6 +428,7 @@ int ovs_flow_extract(struct sk_buff *skb, u16 in_port, struct sw_flow_key *key)
                                struct tcphdr *tcp = tcp_hdr(skb);
                                key->ipv4.tp.src = tcp->source;
                                key->ipv4.tp.dst = tcp->dest;
+                               key->ipv4.tp.flags = TCP_FLAGS_BE16(tcp);
                        }
                } else if (key->ip.proto == IPPROTO_UDP) {
                        if (udphdr_ok(skb)) {
@@ -496,6 +497,7 @@ int ovs_flow_extract(struct sk_buff *skb, u16 in_port, struct sw_flow_key *key)
                                struct tcphdr *tcp = tcp_hdr(skb);
                                key->ipv6.tp.src = tcp->source;
                                key->ipv6.tp.dst = tcp->dest;
+                               key->ipv6.tp.flags = TCP_FLAGS_BE16(tcp);
                        }
                } else if (key->ip.proto == NEXTHDR_UDP) {
                        if (udphdr_ok(skb)) {

diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h
index 204e0ccd116d3ed90be19e750321e92c38093002..1510f51dbf74b9f3850ac3ef39fc3ec5d31e6dd3 100644 (file)
--- a/net/openvswitch/flow.h
+++ b/net/openvswitch/flow.h
@@ -93,6 +93,7 @@ struct sw_flow_key {
                                struct {
                                        __be16 src;             /* TCP/UDP/SCTP source port. */
                                        __be16 dst;             /* TCP/UDP/SCTP destination port. */
+                                       __be16 flags;           /* TCP flags. */
                                } tp;
                                struct {
                                        u8 sha[ETH_ALEN];       /* ARP source hardware address. */
@@ -109,6 +110,7 @@ struct sw_flow_key {
                        struct {
                                __be16 src;             /* TCP/UDP/SCTP source port. */
                                __be16 dst;             /* TCP/UDP/SCTP destination port. */
+                               __be16 flags;           /* TCP flags. */
                        } tp;
                        struct {
                                struct in6_addr target; /* ND target address. */

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index e04649c56a966cd4079f6f99eec5a902a54c47e0..2bc1bc1aca3bfc2fd149ba88c86b4eaf88aed00e 100644 (file)
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -114,6 +114,7 @@ static bool match_validate(const struct sw_flow_match *match,
        mask_allowed &= ~((1 << OVS_KEY_ATTR_IPV4)
                        | (1 << OVS_KEY_ATTR_IPV6)
                        | (1 << OVS_KEY_ATTR_TCP)
+                       | (1 << OVS_KEY_ATTR_TCP_FLAGS)
                        | (1 << OVS_KEY_ATTR_UDP)
                        | (1 << OVS_KEY_ATTR_SCTP)
                        | (1 << OVS_KEY_ATTR_ICMP)
@@ -154,8 +155,11 @@ static bool match_validate(const struct sw_flow_match *match,
 
                        if (match->key->ip.proto == IPPROTO_TCP) {
                                key_expected |= 1 << OVS_KEY_ATTR_TCP;
-                               if (match->mask && (match->mask->key.ip.proto == 0xff))
+                               key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
+                               if (match->mask && (match->mask->key.ip.proto == 0xff)) {
                                        mask_allowed |= 1 << OVS_KEY_ATTR_TCP;
+                                       mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
+                               }
                        }
 
                        if (match->key->ip.proto == IPPROTO_ICMP) {
@@ -186,8 +190,11 @@ static bool match_validate(const struct sw_flow_match *match,
 
                        if (match->key->ip.proto == IPPROTO_TCP) {
                                key_expected |= 1 << OVS_KEY_ATTR_TCP;
-                               if (match->mask && (match->mask->key.ip.proto == 0xff))
+                               key_expected |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
+                               if (match->mask && (match->mask->key.ip.proto == 0xff)) {
                                        mask_allowed |= 1 << OVS_KEY_ATTR_TCP;
+                                       mask_allowed |= 1 << OVS_KEY_ATTR_TCP_FLAGS;
+                               }
                        }
 
                        if (match->key->ip.proto == IPPROTO_ICMPV6) {
@@ -235,6 +242,7 @@ static const int ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = {
        [OVS_KEY_ATTR_IPV4] = sizeof(struct ovs_key_ipv4),
        [OVS_KEY_ATTR_IPV6] = sizeof(struct ovs_key_ipv6),
        [OVS_KEY_ATTR_TCP] = sizeof(struct ovs_key_tcp),
+       [OVS_KEY_ATTR_TCP_FLAGS] = sizeof(__be16),
        [OVS_KEY_ATTR_UDP] = sizeof(struct ovs_key_udp),
        [OVS_KEY_ATTR_SCTP] = sizeof(struct ovs_key_sctp),
        [OVS_KEY_ATTR_ICMP] = sizeof(struct ovs_key_icmp),
@@ -634,6 +642,19 @@ static int ovs_key_from_nlattrs(struct sw_flow_match *match,  u64 attrs,
                attrs &= ~(1 << OVS_KEY_ATTR_TCP);
        }
 
+       if (attrs & (1 << OVS_KEY_ATTR_TCP_FLAGS)) {
+               if (orig_attrs & (1 << OVS_KEY_ATTR_IPV4)) {
+                       SW_FLOW_KEY_PUT(match, ipv4.tp.flags,
+                                       nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]),
+                                       is_mask);
+               } else {
+                       SW_FLOW_KEY_PUT(match, ipv6.tp.flags,
+                                       nla_get_be16(a[OVS_KEY_ATTR_TCP_FLAGS]),
+                                       is_mask);
+               }
+               attrs &= ~(1 << OVS_KEY_ATTR_TCP_FLAGS);
+       }
+
        if (attrs & (1 << OVS_KEY_ATTR_UDP)) {
                const struct ovs_key_udp *udp_key;
 
@@ -1004,9 +1025,15 @@ int ovs_nla_put_flow(const struct sw_flow_key *swkey,
                        if (swkey->eth.type == htons(ETH_P_IP)) {
                                tcp_key->tcp_src = output->ipv4.tp.src;
                                tcp_key->tcp_dst = output->ipv4.tp.dst;
+                               if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS,
+                                                output->ipv4.tp.flags))
+                                       goto nla_put_failure;
                        } else if (swkey->eth.type == htons(ETH_P_IPV6)) {
                                tcp_key->tcp_src = output->ipv6.tp.src;
                                tcp_key->tcp_dst = output->ipv6.tp.dst;
+                               if (nla_put_be16(skb, OVS_KEY_ATTR_TCP_FLAGS,
+                                                output->ipv6.tp.flags))
+                                       goto nla_put_failure;
                        }
                } else if (swkey->ip.proto == IPPROTO_UDP) {
                        struct ovs_key_udp *udp_key;