Merge pull request #3959 from gizmoguy/conntrack

Add support for using openvswitch conntrack in faucet ACLs

Author: anarkiwi

docs/configuration.rst

@@ -959,6 +959,10 @@ Actions is a dictionary of actions to apply upon match.
       - dictionary or list
       - None
       - Used to apply more specific output actions for an ACL
+    * - ct
+      - dictionary
+      - None
+      - Used to apply connection tracking to the specified flow.
 
 The output action contains a dictionary with the following elements:
 

faucet/acl.py

@@ -87,6 +87,7 @@ class ACL(Conf):
         'output': (dict, list),
         'allow': int,
         'force_port_vlan': int,
+        'ct': dict,
     }
     output_actions_types = {
         'tunnel': dict,
@@ -99,6 +100,24 @@ class ACL(Conf):
         'vlan_vid': int,
         'vlan_vids': list,
     }
+    ct_action_types = {
+        'flags': int,
+        'alg': int,
+        'table': int,
+        'zone': int,
+        'zone_src': int,
+        'clear': bool,
+        'nat': dict,
+    }
+    ct_action_nat_types = {
+        'flags': int,
+        'range_ipv4_min': str,
+        'range_ipv4_max': str,
+        'range_ipv6_min': str,
+        'range_ipv6_max': str,
+        'range_proto_min': int,
+        'range_proto_max': int
+    }
     tunnel_types = {
         'type': (str, None),
         'tunnel_id': (str, int, None),
@@ -186,6 +205,23 @@ def check_config(self):
                                 # Old format
                                 self._check_conf_types(
                                     action_conf, self.output_actions_types)
+                        elif action_name == 'ct':
+                            self._check_conf_types(action_conf, self.ct_action_types)
+                            # if clear set, make sure nothing else is
+                            if 'clear' in action_conf and action_conf['clear']:
+                                test_config_condition(
+                                    len(action_conf) != 1,
+                                    "no other parameters can be set when 'clear' set on "
+                                    "conntrack ACL")
+                            else:
+                                test_config_condition(
+                                    'table' not in action_conf,
+                                    "required parameter 'table' not set for conntrack ACL")
+                                test_config_condition(
+                                    'zone' not in action_conf,
+                                    "required parameter 'zone' not set for conntrack ACL")
+                            if 'nat' in action_conf:
+                                self._check_conf_types(action_conf['nat'], self.ct_action_nat_types)
 
     def build(self, meters, vid, port_num):
         """Check that ACL can be built from config."""

faucet/valve_acl.py

@@ -105,6 +105,38 @@ def rewrite_vlan(acl_table, output_dict):
     return vlan_actions
 
 
+def build_ct_actions(acl_table, ct_dict):
+    """Build conntrack action from ACL rule"""
+
+    if 'clear' in ct_dict and ct_dict['clear']:
+        return valve_of.ct_clear()
+
+    ct_actions = []
+
+    if 'nat' in ct_dict:
+        nat_args = {
+            'flags': ct_dict['nat'].get('flags', 0),
+            'range_ipv4_min': ct_dict['nat'].get('range_ipv4_min', ''),
+            'range_ipv4_max': ct_dict['nat'].get('range_ipv4_max', ''),
+            'range_ipv6_min': ct_dict['nat'].get('range_ipv6_min', ''),
+            'range_ipv6_max': ct_dict['nat'].get('range_ipv6_max', ''),
+            'range_proto_min': ct_dict['nat'].get('range_proto_min', None),
+            'range_proto_max': ct_dict['nat'].get('range_proto_max', None),
+        }
+        ct_actions.append(valve_of.ct_nat(**nat_args))
+
+    ct_args = {
+        'flags': ct_dict.get('flags', 0),
+        'actions': ct_actions,
+        'alg': ct_dict.get('alg', 0),
+        'recirc_table': ct_dict.get('table'),
+        'zone_ofs_nbits': ct_dict.get('zone'),
+        'zone_src': ct_dict.get('zone_src', None),
+    }
+
+    return valve_of.ct(**ct_args)
+
+
 def build_output_actions(acl_table, output_dict, tunnel_rules=None, source_id=None):
     """Implement actions to alter packet/output."""
     if isinstance(output_dict, (list, tuple)):
@@ -195,6 +227,9 @@ def build_acl_entry(  # pylint: disable=too-many-arguments,too-many-branches,too
                 # if port specified, output packet now and exit pipeline.
                 if not allow and output_port is not None:
                     continue
+            if 'ct' in attrib_value:
+                ct_action = build_ct_actions(acl_table, attrib_value['ct'])
+                acl_act.append(ct_action)
 
             if allow:
                 acl_inst.extend(allow_inst)

faucet/valve_of.py

@@ -384,6 +384,10 @@ def is_set_field(action):
     return isinstance(action, parser.OFPActionSetField)
 
 
+def is_ct(action):
+    return isinstance(action, parser.NXActionCT)
+
+
 def apply_meter(meter_id):
     """Return instruction to apply a meter."""
     return parser.OFPInstructionMeter(meter_id, ofp.OFPIT_METER)
@@ -513,6 +517,39 @@ def pop_vlan():
     return parser.OFPActionPopVlan()
 
 
+def ct(**kwds):  # pylint: disable=invalid-name
+    """Return connection tracker action.
+
+    Args:
+        kwds (dict): exactly one connection tracker action.
+    Returns:
+        ryu.ofproto.nx_actions.NXActionCT: connection tracker action.
+    """
+    return parser.NXActionCT(**kwds)  # pylint: disable=no-member
+
+
+def ct_clear():
+    """Return clear connection tracker state action.
+
+    Args:
+        kwds (dict): exactly one clear connection tracker state action.
+    Returns:
+        ryu.ofproto.nx_actions.NXActionCTClear: clear connection tracker state action.
+    """
+    return parser.NXActionCTClear()  # pylint: disable=no-member
+
+
+def ct_nat(**kwds):
+    """Return network address translation connection tracker action.
+
+    Args:
+        kwds (dict): exactly one network address translation connection tracker action.
+    Returns:
+        ryu.ofproto.nx_actions.NXActionNAT: network address translation connection tracker action.
+    """
+    return parser.NXActionNAT(**kwds)  # pylint: disable=no-member
+
+
 @functools.lru_cache(maxsize=1024)
 def output_port(port_num, max_len=0):
     """Return OpenFlow action to output to a port.
@@ -662,8 +699,8 @@ def valve_match_vid(value):
     return to_match_vid(value, ofp.OFPVID_PRESENT)
 
 
-# See 7.2.3.7 Flow Match Fields (OF 1.3.5)
 MATCH_FIELDS = {
+    # See 7.2.3.7 Flow Match Fields (OF 1.3.5)
     'in_port': OFCtlUtil(ofp).ofp_port_from_user,
     'in_phy_port': str_to_int,
     'metadata': to_match_masked_int,
@@ -703,7 +740,13 @@ def valve_match_vid(value):
     'mpls_bos': str_to_int,
     'pbb_isid': to_match_masked_int,
     'tunnel_id': to_match_masked_int,
-    'ipv6_exthdr': to_match_masked_int
+    'ipv6_exthdr': to_match_masked_int,
+
+    # Nicira extensions, see ovs-fields(7)
+    'ct_state': to_match_masked_int,
+    'ct_zone': str_to_int,
+    'ct_mark': to_match_masked_int,
+    'ct_label': to_match_masked_int
 }
 
 

faucet/valve_table.py

@@ -157,8 +157,12 @@ def _trim_inst(self, inst):
             new_inst = []
             for instruction in inst:
                 if instruction.type == valve_of.ofp.OFPIT_APPLY_ACTIONS:
+                    recirc_present = any((
+                        True for action in instruction.actions
+                        if valve_of.is_ct(action) and hasattr(action, 'recirc_table')
+                    ))
                     # If no goto present, this is the last set of actions that can take place
-                    if not goto_present:
+                    if not goto_present and not recirc_present:
                         instruction.actions = self._trim_actions(instruction.actions)
                     # Always drop an apply actions instruction with no actions.
                     if not instruction.actions: