datapath-windows: Add Connection Tracking Support

Enable support for Stateful Firewall in Hyper-V by adding a Connection Tracking module. The module has been ported over from the userspace implementation patch of a similar name. The current version of the module supports ct - zone, mark and label for TCP packets. Support for other packet formats will be added in subsequent patches. The conntrack-tcp module is adapted from FreeBSD's pf subsystem and hence the BSD license. It has been ported over to match OVS Hyper-V coding style. Signed-off-by: Sairam Venugopal <[email protected]> Signed-off-by: Daniele Di Proietto <[email protected]> Co-Authored-by: Daniele Di Proietto <[email protected]> Acked-by: Nithin Raju <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
openvswitch · Apr 14, 2016 · 792d377 · 792d377
1 parent ce05810
commit 792d377
Show file tree

Hide file tree

Showing 14 changed files with 1,350 additions and 4 deletions.
diff --git a/NOTICE b/NOTICE
@@ -38,3 +38,8 @@ Copyright (c) 2008, 2009, 2010 Sten Spans <[email protected]>
 Auto Attach implementation
 Copyright (c) 2014, 2015 WindRiver, Inc
 Copyright (c) 2014, 2015 Avaya, Inc
+
+TCP connection tracker from FreeBSD pf, BSD licensed
+Copyright (c) 2001 Daniel Hartmeier
+Copyright (c) 2002 - 2008 Henning Brauer
+Copyright (c) 2012 Gleb Smirnoff <[email protected]>
diff --git a/datapath-windows/automake.mk b/datapath-windows/automake.mk
@@ -13,6 +13,9 @@ EXTRA_DIST += \
 	datapath-windows/ovsext/Atomic.h \
 	datapath-windows/ovsext/BufferMgmt.c \
 	datapath-windows/ovsext/BufferMgmt.h \
+	datapath-windows/ovsext/Conntrack-tcp.c \
+	datapath-windows/ovsext/Conntrack.c \
+	datapath-windows/ovsext/Conntrack.h \
 	datapath-windows/ovsext/Datapath.c \
 	datapath-windows/ovsext/Datapath.h \
 	datapath-windows/ovsext/Debug.c \

diff --git a/datapath-windows/ovsext/Actions.c b/datapath-windows/ovsext/Actions.c
@@ -17,6 +17,7 @@
 #include "precomp.h"
 
 #include "Actions.h"
+#include "Conntrack.h"
 #include "Debug.h"
 #include "Event.h"
 #include "Flow.h"
@@ -1786,6 +1787,28 @@ OvsDoExecuteActions(POVS_SWITCH_CONTEXT switchContext,
             break;
         }
 
+        case OVS_ACTION_ATTR_CT:
+        {
+            if (ovsFwdCtx.destPortsSizeOut > 0
+                || ovsFwdCtx.tunnelTxNic != NULL
+                || ovsFwdCtx.tunnelRxNic != NULL) {
+                status = OvsOutputBeforeSetAction(&ovsFwdCtx);
+                if (status != NDIS_STATUS_SUCCESS) {
+                    dropReason = L"OVS-adding destination failed";
+                    goto dropit;
+                }
+            }
+
+            status = OvsExecuteConntrackAction(ovsFwdCtx.curNbl, layers,
+                                               key, (const PNL_ATTR)a);
+            if (status != NDIS_STATUS_SUCCESS) {
+                OVS_LOG_ERROR("CT Action failed");
+                dropReason = L"OVS-conntrack action failed";
+                goto dropit;
+            }
+            break;
+        }
+
         case OVS_ACTION_ATTR_RECIRC:
         {
             if (ovsFwdCtx.destPortsSizeOut > 0 || ovsFwdCtx.tunnelTxNic != NULL