datapath-windows: Add IPv6 conntrack support on Windows.

Implementation on Windows: Currently, IPv4 conntrack was supported on the windows platform. In this patch we have implemented ipv6 conntrack functions according to the current logic of the IPv4 conntrack. This implementation has included TcpV6(nat and normal scenario), UdpV6(nat and normal scenario), IcmpV6 conntrack of echo request/reply packet and FtpV6(nat and normal scenario). Testing Topology: On the Windows VM runs on the ESXi host, two hyper-v ports attached to the ovs bridge; one hyper-v port worked as client and the other port worked as server. Testing Case: 1. TcpV6 a) Tcp request/reply conntrack for normal scenario. In this scenario, 20::1 as client, 20::2 as server, it will generate following conntrack entry: (Origin(src=20::1, src_port=1555, dst=20::2, dst_port=1556), reply(src=20::2,src_port=1556,dst=20::1,dst_port=1555),protocol=tcp) b) Tcp request/reply conntrack for nat scenario. In this scenario, 20::1 as client, 20::10 as floating ip, 21::3 as server, it will generate following conntrack entry: (Origin(src=20::1, src_port=1555, dst=20::10, dst_port=1556), reply(src=21::3, src_port=1556, dst=20::1, dst_port= 1555),protocol=tcp) 2. UdpV6 a) Udp request/reply conntrack for normal scenario. (Origin(src=20::1, src_port=1555, dst=20::2, dst_port=1556), reply(src=20::2,src_port=1556,dst=20::1,dst_port=1555),protocol=udp) b) Udp request/reply conntrack for nat scenario. (Origin(src=20::1, src_port=1555, dst=20::10, dst_port=1556), reply(src=21::3, src_port=1556, dst=20::1, dst_port= 1555),protocol=udp) 3. IcmpV6: a) Icmpv6 request/reply conntrack for normal scenario. Currently Icmpv6 only support to construct conntrack for echo request/reply packet, take (20::1 -> 20::2) for example, it will generate following conntrack entry: (origin(src = 20::1, dst=20::2), reply(src=20::2, dst=20::1), protocol=icmp) b) Icmp request/reply conntrack for dnat scenario, for example (20::1->20::10->21::3), 20::1 is client, 20::10 is floating ip, 21::3 is server ip. It will generate flow like below: (origin(src=20::1, dst=20::10), reply(src=21::3, dst=20::1), protocol=icmp) 4. FtpV6 a) Ftp request/reply conntrack for normal scenario. In this scenario, take 20::1 as client, 20::2 as server, it will generate two conntrack entries: Ftp active mode (Origin(src=20::1, src_port=1555, dst=20::2, dst_port=21), reply(src=20::2, src_port=21, dst=20::1, dst_port=1555), protocol=tcp) (Origin(src=20::2, src_port=20, dst=20::1, dst_port=1556), reply(src=20::1, src_port=1556, dst=20::2, dst_port=20), protocol=tcp) Ftp passive mode (Origin(src=20::1, src_port=1555, dst=20::2, dst_port=21), reply(src=20::2,src_port=21,dst=20::1,dst_port=1555),protocol=tcp) (Origin(src=20::1, src_port=1556, dst=20::2, dst_port=1557), reply(src=20::2,src_port=1557, dst=20::1, dst_port=1556) protocol=tcp) b) Ftp request/reply conntrack for nat scenario. Ftp passive mode, In this secnario, 20::1 as client, 20::10 as floating ip, 21::3 as server ip. It will generate following flow: (Origin(src=20::1, src_port=1555, dst=20::10, dst_port=21), reply(src=21::3, src_port=21, dst=20::1, dst_port= 1555),protocol=tcp) (Origin(src=20::1, src_port=1556, dst=20::10, dst_port=1557), reply(src=21::3, src_port=1557, dst=20::1, dst_port= 1556),protocol=tcp) 5. Regression test for IpV4 in Antrea project (about 60 test case) Future work: 1) IcmpV6 redirect packet conntrack. 2) IpV6 fragment support on Udp. 3) Support napt for IPv6. 4) FtpV6 active mode for nat. Signed-off-by: ldejing <ldejing@vmware.com> Signed-off-by: Alin-Gabriel Serdean <aserdean@ovn.org>
author: ldejing <ldejing@vmware.com> 2022-04-11 18:07:11 +0800
committer: Alin-Gabriel Serdean <aserdean@ovn.org> 2022-04-22 12:08:38 +0300
commit: 53b75e91ded95d25c6cae5698ad242ad775ebb40 (patch)
tree: 913638673d2db7d164b1a07b989167d490efb670 /Documentation/intro
parent: 96dc66ddadc35475ed93b25a84874c926f4d9dd3 (diff)
download: openvswitch-53b75e91ded95d25c6cae5698ad242ad775ebb40.tar.gz
1 files changed, 172 insertions, 0 deletions
diff --git a/Documentation/intro/install/windows.rst b/Documentation/intro/install/windows.rst
index 8e9442efb..0a392d781 100644
--- a/Documentation/intro/install/windows.rst
+++ b/Documentation/intro/install/windows.rst
@@ -758,6 +758,178 @@ Add tunnels
       Till the checksum offload support is complete we recommend
       disabling TX/RX offloads for IPV6 on Windows VM.
 
+Add conntrack for ipv6
+~~~~~~~~~~~~~~~~~~~~~~
+
+The Windows Open vSwitch implementation support conntrack ipv6. To use the
+conntrack ipv6. Using the following commands. Take tcp6(replace Protocol to
+icmp6, udp6 to other protocol) for example.
+
+::
+
+   normal scenario
+   Vif38(20::1, ofport:2)->Vif40(20:2, ofport:3)
+   Vif38Name="podvif38"
+   Vif40Name="podvif40"
+   Vif38Port=2
+   Vif38Address="20::1"
+   Vif40Port=3
+   Vif40Address="20::2"
+   Vif40MacAddressCli="00-15-5D-F0-01-0C"
+   Vif38MacAddressCli="00-15-5D-F0-01-0b"
+   Protocol="tcp6"
+   > netsh int ipv6 set neighbors $Vif38Name $Vif40Address \
+     Vif40MacAddressCli
+   > netsh int ipv6 set neighbors $Vif40Name $Vif38Address \
+     $Vif38MacAddressCli
+   > ovs-ofctl del-flows --strict br-int "table=0,priority=0"
+   > ovs-ofctl add-flow br-int "table=0,priority=1,ip6, \
+     ipv6_dst=$Vif40Address,$Protocol,actions=ct(table=1)"
+   > ovs-ofctl add-flow br-int "table=0,priority=1,ip6, \
+     ipv6_dst=$Vif38Address,$Protocol,actions=ct(table=1)"
+   > ovs-ofctl add-flow br-int "table=1,priority=1,ip6,ct_state=+new+trk, \
+     $Protocol,actions=ct(commit,table=2)"
+   > ovs-ofctl add-flow br-int "table=1,priority=2,ip6, \
+     ct_state=-new+rpl+trk,$Protocol,actions=ct(commit,table=2)"
+   > ovs-ofctl add-flow br-int "table=1,priority=1,ip6, \
+     ct_state=+trk+est-new,$Protocol,actions=ct(commit,table=2)"
+   > ovs-ofctl add-flow br-int "table=2,priority=1,ip6, \
+     ipv6_dst=$Vif38Address,$Protocol,actions=output:$Vif38Port"
+   > ovs-ofctl add-flow br-int "table=2,priority=1,ip6, \
+     ipv6_dst=$Vif40Address,$Protocol,actions=output:$Vif40Port"
+
+
+::
+
+   nat scenario
+   Vif38(20::1, ofport:2) -> nat address(20::9) -> Vif42(21::3, ofport:4)
+   Due to not construct flow to return neighbor mac address,
+   we set the neighbor mac address manually.
+   Vif38Name="podvif38"
+   Vif42Name="podvif42"
+   Vif38Ip="20::1"
+   Vif38Port=2
+   Vif42Port=4
+   NatAddress="20::9"
+   NatMacAddress="aa:bb:cc:dd:ee:ff"
+   NatMacAddressForCli="aa-bb-cc-dd-ee-ff"
+   Vif42Ip="21::3"
+   Vif38MacAddress="00:15:5D:F0:01:0B"
+   Vif38MacAddressCli="00-15-5D-F0-01-0B"
+   Vif42MacAddress="00:15:5D:F0:01:0D"
+   Protocol="tcp6"
+   > netsh int ipv6 set neighbors $Vif38Name $NatAddress \
+     $NatMacAddressForCli
+   > netsh int ipv6 set neighbors $Vif42Name $Vif38Ip \
+     $Vif38MacAddressCli
+   > ovs-ofctl del-flows --strict br-int "table=0,priority=0"
+   > ovs-ofctl add-flow br-int "table=0, priority=2,ipv6, \
+     dl_dst=$NatMacAddress,ct_state=-trk,$Protocol \
+     actions=ct(table=1,zone=456,nat)"
+   > ovs-ofctl add-flow br-int "table=0, priority=1,ipv6,ct_state=-trk, \
+     ip6,$Protocol actions=ct(nat, zone=456,table=1)"
+   > ovs-ofctl add-flow br-int "table=1, ipv6,in_port=$Vif38Port, \
+     ipv6_dst=$NatAddress,$Protocol,ct_state=+trk+new, \
+     actions=ct(commit,nat(dst=$Vif42Ip),zone=456, \
+     exec(set_field:1->ct_mark)),mod_dl_src=$NatMacAddress, \
+     mod_dl_dst=$Vif42MacAddress,output:$Vif42Port"
+   > ovs-ofctl add-flow br-int "table=1, ipv6,ct_state=+dnat,$Protocol, \
+     action=resubmit(,2)"
+   > ovs-ofctl add-flow br-int "table=1, ipv6,ct_state=+trk+snat, \
+     $Protocol, action=resubmit(,2)"
+   > ovs-ofctl add-flow br-int "table=2, ipv6,in_port=$Vif38Port, \
+     ipv6_dst=$Vif42Ip,$Protocol, actions=mod_dl_src=$NatMacAddress, \
+     mod_dl_dst=$Vif42MacAddress,output:$Vif42Port"
+   > ovs-ofctl add-flow br-int "table=2, ipv6,in_port=$Vif42Port, \
+     ct_state=-new+est,ct_mark=1,ct_zone=456,$Protocol, \
+     actions=mod_dl_src=$NatMacAddress,mod_dl_dst=$Vif38MacAddress, \
+     output:$Vif38Port"
+
+Ftp is a specific protocol, it contains an related flow, we need to match is
+related state.
+
+::
+
+   normal scenario
+   Vif38(20::1, ofport:2)->Vif40(20:2, ofport:3)
+   Vif38Name="podvif38"
+   Vif40Name="podvif40"
+   Vif38Port=2
+   Vif38Address="20::1"
+   Vif38MacAddressCli="00-15-5D-F0-01-0b"
+   Vif40Port=3
+   Vif40Address="20::2"
+   Vif40MacAddressCli="00-15-5D-F0-01-0C"
+   Protocol="tcp6"
+   > netsh int ipv6 set neighbors $Vif38Name $Vif40Address \
+     $Vif40MacAddressCli
+   > netsh int ipv6 set neighbors $Vif40Name $Vif38Address \
+     $Vif38MacAddressCli
+   > ovs-ofctl del-flows br-int --strict "table=0,priority=0"
+   > ovs-ofctl add-flow br-int "table=0,priority=1,$Protocol \
+     actions=ct(table=1)"
+   > ovs-ofctl add-flow br-int "table=1,priority=1,ct_state=+new+trk-est, \
+     $Protocol,actions=ct(commit,table=2)"
+   > ovs-ofctl add-flow br-int "table=1,priority=1, \
+     ct_state=-new+trk+est-rel, $Protocol,actions=ct(commit,table=2)"
+   > ovs-ofctl add-flow br-int "table=1,priority=1, \
+     ct_state=-new+trk+est+rel, $Protocol,actions=ct(commit,table=2)"
+   > ovs-ofctl add-flow br-int "table=2,priority=1,ip6, \
+     ipv6_dst=$Vif38Address,$Protocol,actions=output:$Vif38Port"
+   > ovs-ofctl add-flow br-int "table=2,priority=1,ip6, \
+     ipv6_dst=$Vif40Address,$Protocol,actions=output:$Vif40Port"
+
+::
+
+   nat scenario
+   Vif38(20::1, ofport:2) -> nat address(20::9) -> Vif42(21::3, ofport:4)
+   Due to not construct flow to return neighbor mac address, we set the
+   neighbor mac address manually
+   Vif38Port=2
+   Vif42Port=4
+   Vif38Name="podvif38"
+   Vif42Name="podvif42"
+   NatAddress="20::9"
+   NatMacAddress="aa:bb:cc:dd:ee:ff"
+   NatMacAddressForCli="aa-bb-cc-dd-ee-ff"
+   Vif42Ip="21::3"
+   Vif38MacAddress="00:15:5D:F0:01:0B"
+   Vif42MacAddress="00:15:5D:F0:01:0D"
+   Protocol="tcp6"
+   > netsh int ipv6 set neighbors $Vif38Name $NatAddress \
+     $NatMacAddressForCli
+   > netsh int ipv6 set neighbors $Vif42Name $NatAddress \
+     $NatMacAddressForCli
+   > ovs-ofctl del-flows br-int --strict "table=0,priority=0"
+   > ovs-ofctl add-flow br-int "table=0,priority=2,ipv6, \
+     dl_dst=$NatMacAddress,ct_state=-trk,$Protocol \
+     actions=ct(table=1,zone=456,nat)"
+   > ovs-ofctl add-flow br-int "table=0,priority=1,ipv6, \
+     ct_state=-trk,ip6,$Protocol actions=ct(nat, zone=456,table=1)"
+   > ovs-ofctl add-flow br-int "table=1,ipv6,in_port=$Vif38Port, \
+     ipv6_dst=$NatAddress,ct_state=+trk+new,$Protocol \
+     actions=ct(commit,nat(dst=$Vif42Ip),zone=456, \
+     exec(set_field:1->ct_mark)),mod_dl_src=$NatMacAddress, \
+     mod_dl_dst=$Vif42MacAddress,output:$Vif42Port"
+   > ovs-ofctl add-flow br-int "table=1,ipv6,ct_state=+dnat,$Protocol, \
+     action=resubmit(,2)"
+   > ovs-ofctl add-flow br-int "table=1,ipv6,ct_state=+trk+snat, \
+     $Protocol,action=resubmit(,2)"
+   > ovs-ofctl add-flow br-int "table=1,ipv6,ct_state=+trk+rel,$Protocol, \
+     action=resubmit(,2)"
+   > ovs-ofctl add-flow br-int "table=2,ipv6,in_port=$Vif38Port, \
+     ipv6_dst=$Vif42Ip,$Protocol, actions=mod_dl_src=$NatMacAddress, \
+     mod_dl_dst=$Vif42MacAddress,output:$Vif42Port"
+   > ovs-ofctl add-flow br-int "table=2,ipv6,in_port=$Vif42Port, \
+     ct_state=-new+est,ct_mark=1,ct_zone=456,$Protocol, \
+     actions=mod_dl_src=$NatMacAddress,mod_dl_dst=$Vif38MacAddress, \
+     output:$Vif38Port"
+
+.. note::
+
+    Till the checksum offload support is complete we recommend
+    disabling TX/RX offloads for IPV6 on Windows VM.
+
 Windows Services
 ----------------
author	ldejing <ldejing@vmware.com>	2022-04-11 18:07:11 +0800
committer	Alin-Gabriel Serdean <aserdean@ovn.org>	2022-04-22 12:08:38 +0300
commit	53b75e91ded95d25c6cae5698ad242ad775ebb40 (patch)
tree	913638673d2db7d164b1a07b989167d490efb670 /Documentation/intro
parent	96dc66ddadc35475ed93b25a84874c926f4d9dd3 (diff)
download	openvswitch-53b75e91ded95d25c6cae5698ad242ad775ebb40.tar.gz