From patchwork Mon Feb 12 22:02:37 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yi-Hung Wei <yihung.wei@gmail.com>
X-Patchwork-Id: 872418
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=openvswitch.org
	(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;
	envelope-from=ovs-dev-bounces@openvswitch.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="lvEdCFwI"; dkim-atps=neutral
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3zgKRP3BcQz9s7f
	for <incoming@patchwork.ozlabs.org>;
	Tue, 13 Feb 2018 09:02:57 +1100 (AEDT)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id D14F0E3E;
	Mon, 12 Feb 2018 22:02:54 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 159AAE39
	for <dev@openvswitch.org>; Mon, 12 Feb 2018 22:02:54 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-io0-f195.google.com (mail-io0-f195.google.com
	[209.85.223.195])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6D499D0
	for <dev@openvswitch.org>; Mon, 12 Feb 2018 22:02:53 +0000 (UTC)
Received: by mail-io0-f195.google.com with SMTP id e7so4781348ioj.1
	for <dev@openvswitch.org>; Mon, 12 Feb 2018 14:02:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=kqdkjwegiugUjL/VE0BZ+P4rewWoCJ4UISUQON3/NeE=;
	b=lvEdCFwIdcIL8ahNmEL6FP5wQLS6yGSBzqY8ncKXt9nu3ZGY5eDzPo52NUvpMfJzu1
	WwY5tdv3Toc49Db3ZVzMUjWkxOKNp7+LSFcfyXNj1HnEoNqMYB3VFYC4r8cTLPPxV0Np
	yHbbdU2vmNCUnNqyG2Z6a3I7zS2T1VBQ9Vdc89K67WVNq2KbCcsEqt6sy0yxO3yK31wk
	nTTuYulls8NOY4OO9NgmVAM0FWIC9G0lzv71dJePjtYSKC93SND96nmYmkhB/EzWQMWM
	7G8BHGXCfAz+JLXJ1UASni2ur/0t1gxG6lG8rEfV8g4sZDIv5wqEa68sRJS8/hFVj1AN
	9ZRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=kqdkjwegiugUjL/VE0BZ+P4rewWoCJ4UISUQON3/NeE=;
	b=P0ILz5BpZOzrrHWZssGsfLmLehKpLF9cIJ0/1c9Zkcc2xqlfKMJOcAslckdcLgOfn8
	7wKGdgPI8pMkDMxv/iR2xAIARbC8LmpUuVnzpWjw6FOpHKeI2hLmJHTYyg25opWqySvP
	UTRcX0MuNV+hPLkIttEbQpvp9tr2tDMq3bf6ZZmRbSH/kD7Qa/Uu5gI6yWv0YJ00+QJ8
	SEVzuUXdmG4ynfpEUWhsS9b35IHHhhBBizF1atsf3c2CtwT8cnp39iEYdtLj9mWftHD8
	CXaohoyLv8/C8B+ND86e3GPuKefwJrBfxqww9YCKftXM2oSHhGKz1dVBIj3fIufnh2EE
	3XGQ==
X-Gm-Message-State: APf1xPBnkFhh1psXCNeVLm48eidVncH0v4/yddsTwiVbbcD/El9pph7W
	NnKi8Se32uEbmLUgMMfeGs5Ux+5O
X-Google-Smtp-Source: 
 AH8x226hxst3LwPHmz8x3UDpKw8mD3yc1QhCagKncRcVyRb9TDMKiwfqQQFXVC8HXQy+mijJe+FDPA==
X-Received: by 10.107.50.210 with SMTP id y201mr9685513ioy.224.1518472972239;
	Mon, 12 Feb 2018 14:02:52 -0800 (PST)
Received: from Husky.eng.vmware.com ([208.91.1.34])
	by smtp.gmail.com with ESMTPSA id
	b13sm11831329ioe.77.2018.02.12.14.02.50
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Mon, 12 Feb 2018 14:02:51 -0800 (PST)
From: Yi-Hung Wei <yihung.wei@gmail.com>
To: dev@openvswitch.org
Date: Mon, 12 Feb 2018 14:02:37 -0800
Message-Id: <1518472957-6020-1-git-send-email-yihung.wei@gmail.com>
X-Mailer: git-send-email 2.7.4
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: [ovs-dev] [PATCH] conntrack: Support conntrack flush by ct 5-tuple
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
MIME-Version: 1.0
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org

This patch adds support of flushing a conntrack entry specified by the
conntrack 5-tuple in dpif-netdev.

Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Acked-by: Darrell Ball <dlu998@gmail.com>
---
Respin this patch since userspace conntrack now clears out the expectation
when a conntrack entry is deleted.
---
 lib/conntrack.c                  | 72 ++++++++++++++++++++++++++++++++++++++++
 lib/conntrack.h                  |  3 ++
 lib/dpif-netdev.c                |  2 +-
 tests/system-kmod-macros.at      |  8 -----
 tests/system-traffic.at          |  1 -
 tests/system-userspace-macros.at | 10 ------
 6 files changed, 76 insertions(+), 20 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index fe5fd0fe8be1..c05b3901d7af 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -2368,6 +2368,10 @@ delete_conn(struct conn *conn)
     free(conn);
 }
 
+/* Convert a conntrack address 'a' into an IP address 'b' based on 'dl_type'.
+ *
+ * Note that 'dl_type' should be either "ETH_TYPE_IP" or "ETH_TYPE_IPv6"
+ * in network-byte order. */
 static void
 ct_endpoint_to_ct_dpif_inet_addr(const struct ct_addr *a,
                                  union ct_dpif_inet_addr *b,
@@ -2380,6 +2384,22 @@ ct_endpoint_to_ct_dpif_inet_addr(const struct ct_addr *a,
     }
 }
 
+/* Convert an IP address 'a' into a conntrack address 'b' based on 'dl_type'.
+ *
+ * Note that 'dl_type' should be either "ETH_TYPE_IP" or "ETH_TYPE_IPv6"
+ * in network-byte order. */
+static void
+ct_dpif_inet_addr_to_ct_endpoint(const union ct_dpif_inet_addr *a,
+                                 struct ct_addr *b,
+                                 ovs_be16 dl_type)
+{
+    if (dl_type == htons(ETH_TYPE_IP)) {
+        b->ipv4_aligned = a->ip;
+    } else if (dl_type == htons(ETH_TYPE_IPV6)){
+        b->ipv6_aligned = a->in6;
+    }
+}
+
 static void
 conn_key_to_tuple(const struct conn_key *key, struct ct_dpif_tuple *tuple)
 {
@@ -2405,6 +2425,35 @@ conn_key_to_tuple(const struct conn_key *key, struct ct_dpif_tuple *tuple)
 }
 
 static void
+tuple_to_conn_key(const struct ct_dpif_tuple *tuple, uint16_t zone,
+                  struct conn_key *key)
+{
+    if (tuple->l3_type == AF_INET) {
+        key->dl_type = htons(ETH_TYPE_IP);
+    } else if (tuple->l3_type == AF_INET6) {
+        key->dl_type = htons(ETH_TYPE_IPV6);
+    }
+    key->nw_proto = tuple->ip_proto;
+    ct_dpif_inet_addr_to_ct_endpoint(&tuple->src, &key->src.addr,
+                                     key->dl_type);
+    ct_dpif_inet_addr_to_ct_endpoint(&tuple->dst, &key->dst.addr,
+                                     key->dl_type);
+
+    if (tuple->ip_proto == IPPROTO_ICMP || tuple->ip_proto == IPPROTO_ICMPV6) {
+        key->src.icmp_id = tuple->icmp_id;
+        key->src.icmp_type = tuple->icmp_type;
+        key->src.icmp_code = tuple->icmp_code;
+        key->dst.icmp_id = tuple->icmp_id;
+        key->dst.icmp_type = reverse_icmp_type(tuple->icmp_type);
+        key->dst.icmp_code = tuple->icmp_code;
+    } else {
+        key->src.port = tuple->src_port;
+        key->dst.port = tuple->dst_port;
+    }
+    key->zone = zone;
+}
+
+static void
 conn_to_ct_dpif_entry(const struct conn *conn, struct ct_dpif_entry *entry,
                       long long now, int bkt)
 {
@@ -2517,6 +2566,29 @@ conntrack_flush(struct conntrack *ct, const uint16_t *zone)
 }
 
 int
+conntrack_flush_tuple(struct conntrack *ct, const struct ct_dpif_tuple *tuple,
+                      uint16_t zone)
+{
+    struct conn_lookup_ctx ctx;
+    int error = 0;
+
+    memset(&ctx, 0, sizeof(ctx));
+    tuple_to_conn_key(tuple, zone, &ctx.key);
+    ctx.hash = conn_key_hash(&ctx.key, ct->hash_basis);
+    unsigned bucket = hash_to_bucket(ctx.hash);
+
+    ct_lock_lock(&ct->buckets[bucket].lock);
+    conn_key_lookup(&ct->buckets[bucket], &ctx, time_msec());
+    if (ctx.conn) {
+        conn_clean(ct, ctx.conn, &ct->buckets[bucket]);
+    } else {
+        error = ENOENT;
+    }
+    ct_lock_unlock(&ct->buckets[bucket].lock);
+    return error;
+}
+
+int
 conntrack_set_maxconns(struct conntrack *ct, uint32_t maxconns)
 {
     atomic_store_relaxed(&ct->n_conn_limit, maxconns);
diff --git a/lib/conntrack.h b/lib/conntrack.h
index ac650304a41f..e3a5dcc8023f 100644
--- a/lib/conntrack.h
+++ b/lib/conntrack.h
@@ -109,6 +109,7 @@ struct conntrack_dump {
 };
 
 struct ct_dpif_entry;
+struct ct_dpif_tuple;
 
 int conntrack_dump_start(struct conntrack *, struct conntrack_dump *,
                          const uint16_t *pzone, int *);
@@ -116,6 +117,8 @@ int conntrack_dump_next(struct conntrack_dump *, struct ct_dpif_entry *);
 int conntrack_dump_done(struct conntrack_dump *);
 
 int conntrack_flush(struct conntrack *, const uint16_t *zone);
+int conntrack_flush_tuple(struct conntrack *, const struct ct_dpif_tuple *,
+                          uint16_t zone);
 int conntrack_set_maxconns(struct conntrack *ct, uint32_t maxconns);
 int conntrack_get_maxconns(struct conntrack *ct, uint32_t *maxconns);
 int conntrack_get_nconns(struct conntrack *ct, uint32_t *nconns);
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index ba62128c758c..b06caa281afc 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -5842,7 +5842,7 @@ dpif_netdev_ct_flush(struct dpif *dpif, const uint16_t *zone,
     struct dp_netdev *dp = get_dp_netdev(dpif);
 
     if (tuple) {
-        return EOPNOTSUPP;
+        return conntrack_flush_tuple(&dp->conntrack, tuple, zone ? *zone : 0);
     }
     return conntrack_flush(&dp->conntrack, zone);
 }
diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at
index 12b0adf7190e..f23a4063375c 100644
--- a/tests/system-kmod-macros.at
+++ b/tests/system-kmod-macros.at
@@ -97,14 +97,6 @@ m4_define([CHECK_CONNTRACK_LOCAL_STACK])
 #
 m4_define([CHECK_CONNTRACK_NAT])
 
-# CHECK_CT_DPIF_FLUSH_BY_CT_TUPLE()
-#
-# Perform requirements checks for running ovs-dpctl flush-conntrack by
-# conntrack 5-tuple test. The kernel datapath does support this
-# feature. Will remove this check after both kernel and userspace datapath
-# support it.
-m4_define([CHECK_CT_DPIF_FLUSH_BY_CT_TUPLE])
-
 # CHECK_CT_DPIF_SET_GET_MAXCONNS()
 #
 # Perform requirements checks for running ovs-dpctl ct-set-maxconns or
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index dbd56405d1fd..2afadec15827 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -834,7 +834,6 @@ AT_CLEANUP
 
 AT_SETUP([conntrack - ct flush by 5-tuple])
 CHECK_CONNTRACK()
-CHECK_CT_DPIF_FLUSH_BY_CT_TUPLE()
 OVS_TRAFFIC_VSWITCHD_START()
 
 ADD_NAMESPACES(at_ns0, at_ns1)
diff --git a/tests/system-userspace-macros.at b/tests/system-userspace-macros.at
index 20a8635f9e39..00e1f817ff78 100644
--- a/tests/system-userspace-macros.at
+++ b/tests/system-userspace-macros.at
@@ -100,16 +100,6 @@ m4_define([CHECK_CONNTRACK_LOCAL_STACK],
 #
 m4_define([CHECK_CONNTRACK_NAT])
 
-# CHECK_CT_DPIF_FLUSH_BY_CT_TUPLE()
-#
-# Perform requirements checks for running ovs-dpctl flush-conntrack by
-# conntrack 5-tuple test. The userspace datapath does not support
-# this feature yet.
-m4_define([CHECK_CT_DPIF_FLUSH_BY_CT_TUPLE],
-[
-    AT_SKIP_IF([:])
-])
-
 # CHECK_CT_DPIF_SET_GET_MAXCONNS()
 #
 # Perform requirements checks for running ovs-dpctl ct-set-maxconns or