author | Joe Stringer <joestringer@nicira.com> | 2015-09-15 14:29:16 -0700 |
---|---|---|
committer | Joe Stringer <joestringer@nicira.com> | 2015-10-13 15:34:16 -0700 |
commit | d787ad39b8eb8fb9136837e1c65d0a18a1056eda (patch) | |
tree | c233e0ce5d00b526d3316c4c70028b2156f39123 /ofproto/ofproto-dpif-xlate.c | |
parent | 9daf23484fb1f0d8fe8bf807a82c3d5b571a3dea (diff) | |
download | openvswitch-d787ad39b8eb8fb9136837e1c65d0a18a1056eda.tar.gz |
Add support for connection tracking helper/ALGs.
This patch adds support for specifying a "helper" or ALG to assist
connection tracking for protocols that consist of multiple streams.
Initially, only support for FTP is included.
Below is an example set of flows to allow FTP control connections from
port 1->2 to establish active data connections in the reverse direction:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,action=ct(alg=ftp,commit),2
table=0,in_port=2,tcp,ct_state=-trk,action=ct(table=1)
table=1,in_port=2,tcp,ct_state=+trk+est,action=1
table=1,in_port=2,tcp,ct_state=+trk+rel,action=ct(commit),1
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Diffstat (limited to 'ofproto/ofproto-dpif-xlate.c')
-rw-r--r-- | ofproto/ofproto-dpif-xlate.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
index 26460c3b3..a4007e31c 100644
--- a/ofproto/ofproto-dpif-xlate.c
+++ b/ofproto/ofproto-dpif-xlate.c
@@ -4185,6 +4185,18 @@ put_ct_label(const struct flow *flow, struct flow *base_flow,
 }
 static void
+put_ct_helper(struct ofpbuf *odp_actions, struct ofpact_conntrack *ofc)
+{
+ if (ofc->alg) {
+ if (ofc->alg == IPPORT_FTP) {
+ nl_msg_put_string(odp_actions, OVS_CT_ATTR_HELPER, "ftp");
+ } else {
+ VLOG_WARN("Cannot serialize ct_helper %d\n", ofc->alg);
+ }
+ }
+}
+
+static void
 compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc)
 {
 ovs_u128 old_ct_label = ctx->base_flow.ct_label;
@@ -4212,6 +4224,7 @@ compose_conntrack_action(struct xlate_ctx *ctx, struct ofpact_conntrack *ofc)
 nl_msg_put_u16(ctx->odp_actions, OVS_CT_ATTR_ZONE, zone);
 put_ct_mark(&ctx->xin->flow, &ctx->base_flow, ctx->odp_actions, ctx->wc);
 put_ct_label(&ctx->xin->flow, &ctx->base_flow, ctx->odp_actions, ctx->wc);
+ put_ct_helper(ctx->odp_actions, ofc);
 nl_msg_end_nested(ctx->odp_actions, ct_offset);
 /* Restore the original ct fields in the key. These should only be exposed |
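Review bot: The `VLOG_WARN` in the else branch of `put_ct_helper` is not rate limited, and the function is called from `compose_conntrack_action` during flow translation, so a flow carrying an unsupported `alg` value could presumably log a warning on every translation and crowd out other log entries. Consider `static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);` followed by `VLOG_WARN_RL(&rl, "Cannot serialize ct_helper %d", ofc->alg);`, which also drops the trailing `\n` that the logger already supplies. In that unsupported case the ct action is still emitted, only without a helper attribute; whether such values are rejected earlier, when the action is decoded, is not visible in this diff and is worth confirming so the controller gets an error rather than a silently different action. `ofc` is only read here, so the parameter could be `const struct ofpact_conntrack *ofc`.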