author | Tonghao Zhang <xiangxia.m.yue@gmail.com> | 2020-06-02 21:50:24 +0800 |
---|---|---|
committer | Simon Horman <simon.horman@netronome.com> | 2020-06-03 09:56:07 +0200 |
commit | 5f568d049130fb481e41fdf9a290b6d1e3a7f23a (patch) | |
tree | ecb70b16e656f96ee50c7152af60eff1ec97ec92 /include | |
parent | 4f4be08e4713941285ecb71555c9a64c46cdb8ae (diff) | |
download | openvswitch-5f568d049130fb481e41fdf9a290b6d1e3a7f23a.tar.gz |
netdev-offload-tc: Allow to match the IP and port mask of tunnel
This patch allows users to offload the TC flower rules with
tunnel mask. This patch allows masked match of the following,
where previously an exact match was supported:
* Remote (dst) tunnel endpoint address
* Local (src) tunnel endpoint address
* Remote (dst) tunnel endpoint UDP port
And also allows masked match of the following, where previously
no match was supported:
* Local (src) tunnel endpoint UDP port
In some cases, a mask is useful as a wildcard. For example, DDoS,
in that case, we don’t want to allow specified host IPs or
only source ports to access the targeted host. For example:
$ ovs-appctl dpctl/add-flow "tunnel(dst=2.2.2.100,src=2.2.2.0/255.255.255.0,tp_dst=4789),\
recirc_id(0),in_port(3),eth(),eth_type(0x0800),ipv4()" ""
$ tc filter show dev vxlan_sys_4789 ingress
...
eth_type ipv4
enc_dst_ip 2.2.2.100
enc_src_ip 2.2.2.0/24
enc_dst_port 4789
enc_ttl 64
in_hw in_hw_count 2
action order 1: gact action drop
...
Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
Acked-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/openvswitch/match.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/openvswitch/match.h b/include/openvswitch/match.h index 8af3b74ed..3b196c7fa 100644 --- a/include/openvswitch/match.h +++ b/include/openvswitch/match.h @@ -105,6 +105,9 @@ void match_set_tun_flags(struct match *match, uint16_t flags); void match_set_tun_flags_masked(struct match *match, uint16_t flags, uint16_t mask); void match_set_tun_tp_dst(struct match *match, ovs_be16 tp_dst); void match_set_tun_tp_dst_masked(struct match *match, ovs_be16 port, ovs_be16 mask); +void match_set_tun_tp_src(struct match *match, ovs_be16 tp_src); +void match_set_tun_tp_src_masked(struct match *match, + ovs_be16 port, ovs_be16 mask); void match_set_tun_gbp_id_masked(struct match *match, ovs_be16 gbp_id, ovs_be16 mask); void match_set_tun_gbp_id(struct match *match, ovs_be16 gbp_id); void match_set_tun_gbp_flags_masked(struct match *match, uint8_t flags, uint8_t mask); |
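Review bot: the two new prototypes, match_set_tun_tp_src() and match_set_tun_tp_src_masked(), are added with no comment on byte order or mask semantics. Both take ovs_be16, so callers have to pass the port and the mask in network byte order, and a short comment above the pair saying so (and stating which mask bits are compared) would help, since the commit message positions the source-port mask for drop rules, where a mask that is wider than intended changes which tunnel traffic is dropped. The parameter naming (tp_src in the exact setter, port in the masked one) mirrors the match_set_tun_tp_dst() pair directly above, so that part is consistent. This view is limited to include/, so the definitions of these functions and the tc offload code that consumes the new mask are not visible here and need to be reviewed in the full commit.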